
Morning, everybody. That's right, thanks for coming, everybody. Get the coffee. Hopefully, yeah, I did; I'm probably gonna wish I hadn't brought more. Really excited to be here, thanks for coming. I'm really excited to be speaking at this event; this is a really awesome event. How many folks have been here, is this the first time at BSides Delaware? That's a lot, that's a lot, that's great, that's really good. My first year was three years ago. It was really great; I love the event, love how passionate everybody is here, and how kid-friendly it is. My kids are a little young for this, but in a few years they'll be interested in some of the events that they set up, so that's really cool.

So today I'm going to be talking about cybersecurity effectiveness. I'd really appreciate it if folks would be willing to raise your hand, ask questions. Don't throw anything, ideally, but, you know, get my attention. I definitely wanna have a dialogue and hear your experiences. So how many folks here work in IT security within an organization? Decent percentage. And are there any consultants? Anybody do IT security consulting? Some. So, you know, I do cybersecurity consulting, and this is basically just what I've learned over the years is an effective strategy for helping organizations really determine whether or not the work that they're doing with their cybersecurity program is timeless back in 2000 stuff.

This is me; there's a little bit about myself: c7 founder at Rule4. Like I said before, we do cybersecurity consulting. Drexel Dragon; my wife is a Drexel Dragon too, she won't admit it, she got her second degree at Drexel, but she's a Blue Hen at heart, so she's much more of a Delaware fan. Cat lover and ex-theater beat, as you can see; this is what I spent my youth doing. I didn't get into IT till I was in late high school, and I didn't know that hiking was a special ability, but you can put anything you want on a resume.

So I've been helping clients with their IT security strategy for over 10 years now, and one consistent thing that I've seen is a lack of metrics, a lack of an ability to define success in cybersecurity. So it's been a challenge, right? Most business units are required to have some sort of a metric to say, here's my plan for the year, here's how I'm going to define success over the next year, or two years, three years, five years, and cybersecurity has always struggled with that. It's one of those, you know, it's like being a ref: nobody notices you until something bad happens, right? And I don't necessarily feel that's fair or true. I think that there are methods that you can use to try to create some level of measurement, and that's what we're going to talk about here today. You know, I even had a client ask me, hey, can you send me some talking points for this assessment we want to do, so that I can share that with my boss? It's a challenge for us to convince people that the time that we're spending, and the money that we're spending, and the projects we want to do are worthwhile, that they're things that we should be spending our kind of money on. And what I'd like to do is help our clients be able to do this, be able to measure the effectiveness of their program, to be able to communicate the purpose, the reasoning behind their initiatives, without hiring us to help them, right? So this is my Thanksgiving time.

So my basic point here is that when it comes to measuring return on investment, key performance indicators, effectiveness as a whole for cybersecurity programs, we're mostly just winging it, right? We don't really have a strong way to actually communicate to management, hey, this is how we're effective in our jobs, this is how we define success, other than, you know, no breaches, of course. Right, like, we have never been breached this year, that's a success, sure, but how else can we measure whether or not we're effectively using our budget, or that the projects that we're choosing are the right ones?

So a few definitions, terms that I want to make sure we're all on the same page about while we go through this journey. Effectiveness is to produce the intended or expected result, right? Oh, here we go. Efficiency. So one definition: the ability to accomplish your job with a minimum expenditure of time and effort. I think we all get that, right? I'm going to tie efficiency into the effectiveness conversation because I think they're really closely related, especially with what we do in IT, and IT security is an extension of that. I like this definition better, and I'll tell you why: the ratio of work done or energy developed by a machine compared to the energy supplied to it. And the reason I like this definition of efficiency better in this context is, when we're talking efficiency within IT, a lot of times we're talking about leveraging automation, leveraging technologies to be efficient. So in my mind it does function a lot more like this kind of a definition: is our system working efficiently? So I created this definition of cybersecurity effectiveness as the ability to measure the value or success of a cybersecurity program against organizationally relevant metrics. And, you know, in my mind that's what we're all striving for, and I think that my goal here will be to express to you what I feel is an effective method for doing that.

A little bit of stats about this area in general. A third of companies... this is Thycotic's State of Cybersecurity Metrics report, which is basically a survey of executives in CEO- and CIO-type roles. A third of companies invest in technology without a way to measure effectiveness. Four out of five companies are not satisfied with their cybersecurity metrics, which makes sense: if a third of the companies aren't even investing in or measuring effectiveness in the first place, you can't possibly be satisfied with your metrics; you don't have any. Four out of five fail to include business stakeholders in cybersecurity investment decisions, and that's going to be a theme we'll talk about: working across teams. And 75% don't know where their sensitive data is located, and that's kind of, I mean, if you don't know where your sensitive data is located, it's going to be really hard to have a cybersecurity program that's effective, much less measure the effectiveness of it. So I thought those were interesting. I imagine that 2018 won't be much different. I do not want, right? That is not the state we want to be in. As fast as technology is moving and changing, as more and more connected we get, as we start moving into these IoT realms, as we start leveraging technologies that we understand even less, like machine learning, it's going to be critically important that we have an understanding of how we can measure that the work we're doing, which is incredibly important, is effective. Not only for our own selves, so that we can feel like we have an understanding and a grasp of what we're trying to accomplish, what our goals are, what our indicators of success are, but also so that we can make an argument to leadership to say, hey, spend the money, this is worthwhile, we're doing a good job.

Those orange slides, I'm sure they're blinding you as well, but they're really blinding coming out of the... Thank you. Yeah, this is the only way I'm ever gonna go to Tampa. Okay, so we're gonna go through a couple scenarios here, right? So there's two scenarios I'm going to talk through. They're generic; they're obviously not, they don't, you
know, they're not all-encompassing, but the idea here is to set the stage a little bit about what organizations are doing today.

Okay, so step one of a typical cybersecurity program: find a checklist or a standard to start with. So can folks just start shouting out standards, checklists, or standards that they're familiar with, cybersecurity standards, and I'm going to throw candy at you. Anybody else? HIPAA, right. The Cybersecurity Framework. NIST. NIST. Critical Security Controls. Okay, I'm gonna stop there before I hurt somebody. So we all know security standards, right, whether they're regulatory standards, compliance standards, or just generic IT security standards that we can apply as we choose to apply them.

Okay, so we pick a standard, then follow that checklist or standard, right? That's how it works, right? As long as we have a standard, bro. Okay, no. And I think, you know, I don't think this is anything that people here think is crazy, okay, tell me if you disagree with me, but for sure compliance does not equal cybersecurity. It does play an incredibly important role, right, that's where the caveat is, not below, not myself, but I think a lot of organizations, as you know... okay, so what are we going to do? We have credit card security, so we're going to follow PCI; we're a health care organization, so we'll follow HIPAA, which is fairly a standard, really. So that's one scenario. So I wrote an ode to security standards. I'm not gonna lie, I actually just went online and found, like, a poem creator. But, you know, security standards have their place, they're important, and we'll talk a little bit more about how they fit into that cybersecurity effectiveness model when we get a little further down.

Scenario two: find the next hot tech product, right? You know, machine learning is going to fix all of our cybersecurity problems right now. Then, next, install it, right? Maybe you paid the vendor to help you install it, or maybe you do it on your own; maybe you have the skills in-house to tune it correctly, maybe not, it just depends. But a lot of times we're being driven by something that somebody at the executive level heard, a term; we went and saw some vendor reviews, or went to a conference and had some vendors talk to us about the products, and what we're trying to do is solve problems, but we're solving them, in this case, by finding a solution, putting it in place, and hoping that that gives us what we're looking for from a protection perspective.

Products don't equal cybersecurity either, alone. They have a place; they are important to have access to, whether they're a product you pay for, whether they're SaaS, whether they're on-premise, whether they're open-source or not. We have to have a suite of tools in order to be effective at our jobs, but if we start by looking for a product and then go figure out what problems it can solve, we're gonna end up in a state where we are spending money that we don't necessarily need to spend and aren't necessarily effectively protecting our environment. I was gonna do a limerick, and I realized that's just not something I'm any good at.

Okay, so those are the scenarios where I kind of set the stage, right, and I see this a lot. In consulting we are brought in with our clients to help with all sorts of problems, whether it's picking a product, right; sometimes the client will come and say, hey, help us select this solution for SSO, and so the first thing we'll do is say, take a step back: what is the problem you're trying to solve? We want SSO. That's not the problem you're trying to solve; you have an identity management problem, or an access management problem, or whatever. Well, what does that look like in your organization before we start laying products over the top of it, right? And so that's kind of the point behind those scenarios: to remind us all, okay, well, we need to start from the right place before we can really leverage things like tools, and effectively leverage standards and compliance regulations.

So how do you, share if you want, how do you measure the effectiveness of your program, if you're in a place to do that? Like, do you have a method that you use? Do you feel comfortable with understanding how well you're doing with your cybersecurity program? Data-driven numbers. Firewall. Make it up, right? And sometimes, just real, do it, right, just to put together some kind of PowerPoint to say we're doing something. Right, and how often are they really digging into it, or really understanding what you're putting...
And so, you know, there's ways that we've figured out how to do this, and we're trying, and we're evolving. You know, I like to think about the folks that are really driving these types of conversations in IT security; a lot of times they taught themselves all this stuff, right, like I did. Like, I didn't study some of this in school; I wasn't a security major, and certainly back then those programs were not what they are today. And so we're all learning how to do this, coming from a technical background and then being asked to do something like measure effectiveness, or figure out, you know, what is a KPI and how do I use it? Like, those are all things that don't come naturally, necessarily, to all of us, some people easier than others, but definitely challenging.

"My report says I'm compliant." So that's one we hear a lot; like, we had somebody come with a report and they said, we're good to go. "My software security as a service, when it's green." "Clearly I'm busy," right? So if we're, like, a fire-drill-driven organization, which many, most, are, I mean, obviously we're all going to have fire drills to deal with, but some are crazier than others. I have some good stories I'm not going to go into now about that, but definitely a spectrum when it comes to that. But, you know, so if I'm busy, it must be... our program must be working. I don't know, that's a tough question; like we just talked about, it's not an easy question to answer. Compliant versus not compliant is one piece of a larger puzzle. Products are tools; they're not solutions in and of themselves. Standards, guides, regulations: their scope is limited. PCI cares about credit card security; it could care less if you have availability problems. They don't care; they just wanna make sure the credit card numbers are being protected. There's a better way, at least I think there is, and hopefully you guys agree. And, you know, I'm super excited to hear your opinions on what we talk about today, and if you think I'm full of crap, or if you have thoughts on ways to improve this. But, you know, my goal is just to try to help us all think about, well, how can we more effectively be effective? Doesn't make sense, but how can we really understand what our goals are from a cybersecurity program, and the measuring.

Okay, so where do we start? Foundations are super important. If you don't start with a strong foundation, a strong understanding of your environment, you're going to struggle to make good decisions. So step one: if you don't have an inventory of your environment, system inventory, asset inventory, including especially data, you don't have a clear understanding of where your data is, what kind of data you have, you're not going to be able to measure anything effectively. And that's important, and, you know, to some folks this might sound really obvious, and it is to some extent, but there are those who don't have full insight, because of the way that the organization is built, right, from a process perspective. So you've got, well, I am in IT security, but I don't have any control over whether the developers decide to go with something in AWS, or there's no way for me to know if the marketing team hired somebody to spin up a website, or, you know, those types of things make it really hard for IT security to be effective at their jobs. And so, having an understanding of: if I'm going to be effective at building this program, I have to have some insight. I don't have to have control, but organizationally we have to make it a commitment to ensuring that IT security has insight into these processes, whatever they are. And so sometimes that's easier said than done, but definitely important; without that, it's going to be a real challenge for us to be effective. We can be effective in bits, but not have a full program.

Back to compliance or regulatory requirements. If we understand our data, we know where it is, what kind of data it is, we can then make sure that we understand our compliance requirements. That's really important; we have to understand it in order to make good decisions, and we'll talk about why in a bit. But I think we're all familiar with, you know, the dangers of not realizing you have PCI data in your environment, and then you have a breach, suddenly putting your entire organization at risk of not being able to process credit cards, or getting fines and things like that.

No, just kidding, we're not ready to do that yet. There's more than two steps, surprisingly, to being able to measure the effectiveness of your cybersecurity program. It's like, I really like parts of RAC, I don't know if you can tell. So then the next step, right: threat analysis, risk analysis, risk indicators. It's, and this all sounds like a lot of work, and, you know, it is work, but it's worthwhile to do. And so I've worked through these processes with organizations, and a lot of times they'll come to a consultant like us, or something else, whatever, because they don't really have the drive or the understanding to do it themselves internally. But if we can teach them these tools and let them do it themselves moving forward, it allows them as an organization to take ownership and make better choices and be less reliant on outside parties. So I don't mean like this kind of
risk assessment. Not that these are bad; I've done lots of really super detailed risk assessments with lots of categories and ratings, and there's lots of standards around risk assessment that give you a lot of options, right? But this is not what I'm talking about here, not today, right? This is more than what we need. This is more like what I'm talking about: something simple that just says, what are our threats, what is the likelihood of that threat being realized within our environment, what is the impact of that threat if it were to be exploited, right, if it were to come to fruition? And just having an understanding from a low, medium, high, extreme risk perspective does wonders for our ability to define what is effective for us in our cybersecurity program. Just those little steps, just to be able to say, yeah, this is a really high risk area, we have PHI in AWS, that's where our most sensitive data is, probably we should spend more money there than on, you know, an MDM solution when we don't even allow our employees to have access to email, or whatever, right? Just defining where it is that we should be spending our time and focusing, because we all have budgets, we all have limited resources from a team perspective, and we have to make hard decisions on where we do decide to spend our life.

So then we move on. You know, we've done this inventory, we've ensured we have an understanding of our regulatory requirements, and we've done a very high-level, like, risk exercise. Now we can start talking about, well, what are our key performance, what are our key risk indicators? That's what we just did, right? What are our key risk indicators, right? What types of threats should we be worrying about? How do we define that for our business specifically? We should come out of that process with a list of, you know, high, moderate, extreme risk areas, and then how do we define performance? So in order to effectively define these, especially the key performance indicators, we have to be engaging subject matter experts across the business. That's a really important piece of this: we can't be making decisions or measuring effectiveness in a vacuum. If we're not willing to reach across the aisle, engage, and just ensure that we're a partner for the rest of our business, it's going to be really hard for us to have key performance indicators that we're going to have any kind of control over the success of, right? You can create a KPI, and if you have no control over how that performance actually is accomplished, I mean, you might as well not even do it, right? So you have to have the body, you have to have the business come in and say, yeah, we agree that that's a reasonable thing to measure, and we agree that we're going to spend time and energy with you to try to ensure that we're securing that, or that we're working towards that goal as a team. And that's going to take work on our side too, right? So that teamwork piece of it is incredibly important. We have to get out of the mindset of security as the people that slow us down and stop us, and move more into the mindset of security as an ally: the security team are a resource, and we're here to work together to accomplish the same goals. And if you can do that, it's that easy. If you can do that, you're going to be able to create much more effective performance indicators, indicators that are really gonna be tied to things you can control and that you have buy-in for across the business. We've been identifying your priorities, right, through the work we've done before, and then designing those controls, and then testing them, right? You have to be able to test and confirm.
Just a note on risk assessments. You know, I talked about this a little bit, but they can be simple, they can be light, they can be easy; they don't have to be scary, right? So I think with risk assessments, you go Google, like, how do I do a risk assessment, and, like, oh my god. You know, first of all, the concept is from, like, the financial world, and then it's overlaid into all these different business areas, and then we're talking about IT security, and you're trying to fit what can be sometimes a very complex process into IT security, which is not an easy feat sometimes. If you look at, you know, the NIST standard for risk assessment, it can be challenging; you read through that documentation and you're like, I want to do that? Like, that's insane. It doesn't have to be that hard. We're really just trying to do a simple exercise to understand at a high level what the landscape looks like for our business.

And then you compare. So you want to compare your assets, your risk indicators, against what you're doing today. What does your cybersecurity program look like today? Where are you spending money? What resources have you invested in, and are they aligned? Like, if you have gone through this exercise and you compare that to where you're spending money today, there should be some pretty clear indicators of whether or not you're spending your time and energy effectively, right? So, you know, to use the example earlier: where is your sensitive data, and is that where you're spending your time and money protecting? Do you have a problem with access control, access management? Do you have a lot of remote workers? Do you have disparate data across a lot of different locations? Do you work with a lot of vendors that provide IT? There's so many scenarios that define how you as an organization should be building a cybersecurity program. Having an understanding of what that looks like, that foundation, that landscape, before you went out before, but, and then comparing it to how you're spending money today, whether you're doing that during a budget cycle or whatever, gives you the tools that you need to actually effectively say, yeah, we're spending the money where we should be spending money, or we could save some money, right? Maybe we're spending money on a tool that was overpowered for us. I mean, I know it's like sacrilege to say, like, spend less money on cybersecurity, and I'm not saying necessarily we should be going to cut our budgets, but there may be opportunities, right, there are the opportunities to say, hey, this should be focused elsewhere.

So is it worth the effort that I just got there? Is it worth going through all these steps before you even start creating key performance indicators and things like that? If you get it right, there's a lot of value here. Not only have you defined your critical assets... it's much nicer on the eyes. Not only have you defined your critical assets, you understand where your systems and your data reside, you've documented and communicated your relevant regulatory requirements, you've taken the effort to do this risk process and review, and now you have an understanding of what the value is of your current cybersecurity spend. If you have this data here, you can make an informed decision. You're not just going off of, you know, I heard that social engineering is the most dangerous exploit or attack vector today, which, you know, I'm not saying that's not true, but maybe for your business it's not as big of a problem, you know, or whatever. But having an understanding of what the profile for your environment looks like lets you make informed decisions, and lets you make informed decisions around what to spend, around headcount, around product and solution selection, strategy planning. That's a big one. When we do a strategy session with an organization, the first thing we do is a quick risk exercise, you know, and we ask for information upfront about assets and things like that. You know, we don't necessarily go through this whole process every time, but when we can, we do, right? It's really hard to do strategy planning for one to three years if you don't have an understanding of your foundational environment. Important: it lets you make risk management decisions. Are you going to outsource this part of your business? Well, is there a piece of data or process that would have helped us make a decision from a business perspective on, do we want to leverage this vendor, or outsource this part of our business? Well, often there is a talking point there, or something that we as cybersecurity professionals have to add to that decision, to that conversation. Like, yeah, okay, so you have all these other business decisions in relation to that, but here's something else to think about, here's what the risk is from a cybersecurity perspective, and if we outsource, maybe we reduce our risk or reward, or shift the risk to this other organization. Those conversations, I think, are often not happening, and if we've gone through this process, we're already armed with that data to be able to help the rest of the organization make good decisions.

And you're also then able to communicate veritable success indicators and the value of your program. So, for example, if you've gone through this process and you have an understanding of where the risk of your business is, what are the high, critical risks, threats to your business, where's the high or critical risk in relation to the threats of your business, you can then create key performance indicators such as, you know, through the implementation of X tool or X tool suite, our expectation is that we will have less than two major, or less than one, or zero major events, defined as..., in the next twelve months, right? Now, you can make those anyway; you can just make them up today, and maybe we do, but if you have data that lets you focus on and define where the risks are within your organization, the performance indicators you create are going to be better defined and more measurable over time. And so, you know, I can make up a lot of examples, but the important piece of that is that they are based off of the steps we took earlier to really define where the risk is associated within your business and where you need to be focusing your time and attention.
Well, so part of it is, you know, okay, so the breach thing we talked about, and maybe that's not a great example, for sometimes it's hard: organizations don't want to codify, like, we expect to have three breaches in the next four months; they just don't want to do that, right? But there are other ways to measure. To say, you know, first of all, don't use the word breach; half the time, if you don't use the word, people are suddenly okay with using synonyms, okay, fine, define it differently. But ultimately say, like, okay, here's what we've implemented within our organization. You know, we have PCI data, so yes, we're going to focus on reducing our PCI scope, go through these methods, thereby, you know, so in the next... so our key performance indicator from a cybersecurity perspective would be: in the next 12 months, or maybe in the next 24 months, we're going to eliminate all card processing where we store card data. That's a key performance indicator. Are we going to accomplish that in the next 12 months? That defines whether or not we've been successful in that particular endeavor. In relation to that, you can have a key performance indicator that says, our expectation is that, you know, if we do periodic risk assessments within our organization, the overall risk profile of this environment, maybe our PCI environment, will be reduced from high today to moderate in the next 12 months. And again, you can just say that 12 months later and probably get away with it, but if you're really trying to measure, like, if your PCI environment is a high risk right now because you store data, or because you control the form that credit card numbers go into, instead of doing a redirect or an iframe or something, right, those risk reduction methods for PCI specifically. If you know that that makes your environment high risk today, because you've done all this work to identify where's our data, what kind of risks are associated with our environment, you can create a key performance indicator that says we're going to reduce the risk of that environment through these steps. I mean, you know, the KPI is not gonna have all the steps, but you say we're going to reduce the risk of that environment, we're gonna assess it again at six months or in 12 months, we're gonna feel confident that we're going to change that from a high to a moderate, and that gives you an indicator that you can measure against for what your program will do over the next six months. Now, it's not everything your program's gonna do; you can have more than one KPI, you can have a whole program. But it gives you something to go back to the leadership and say, hey, we said we were going to reduce the risk of this environment, and, you know, you have to have a risk assessment process that's legit, so that people aren't, like, going, you didn't just... But, you know, assuming you have that framework in place with information, now you have something; you need to come to them in 12 months and say, yeah, we were able to accomplish that, and this is how we did it. And so there's...
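The lightweight risk exercise described earlier (threat, likelihood, impact, rated low/medium/high/extreme), the comparison of that register against where the money is going, and the "reduce the PCI environment from high to moderate in 12 months" style of KPI, as one added worked example. This is not the speaker's or Rule4's code: the 1-4 scales, the score-to-level thresholds, the 20% spend line and the sample inventory are constructed assumptions for illustration, and "medium" here stands for the talk's "moderate".

```python
"""Lightweight risk register, spend-alignment check and KPI check.

Added example, not the speaker's or Rule4's code. The scales, thresholds
and the inventory below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Qualitative scales, scored 1 (lowest) to 4 (highest). Assumed for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
# Risk levels from the talk, ordered lowest to highest.
LEVELS = ["low", "medium", "high", "extreme"]


def risk_level(likelihood: str, impact: str) -> str:
    """Bucket likelihood x impact (1..16) into low/medium/high/extreme.

    The bucket boundaries (4, 8, 12) are an assumption, not a standard."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 12:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Asset:
    name: str
    data_class: str            # what kind of data lives there (step one: inventory)
    threat: str                # the threat being rated, in plain words
    likelihood: str
    impact: str
    regulation: Optional[str]  # compliance requirement implied by the data


# Constructed inventory: assets, where the data lives, and the threat rated.
INVENTORY: List[Asset] = [
    Asset("checkout-web", "PCI", "card data captured from self-hosted payment form",
          "likely", "major", "PCI DSS"),
    Asset("patient-portal", "PHI", "PHI exposed from unpatched app server in AWS",
          "likely", "severe", "HIPAA"),
    Asset("marketing-site", "public", "defacement of brochure site",
          "unlikely", "minor", None),
    Asset("laptops", "internal", "lost laptop with cached email",
          "unlikely", "moderate", None),
]


def risk_register(assets: List[Asset]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {asset name: (risk level, regulation)}, the list the talk wants
    to come out of the risk exercise."""
    return {a.name: (risk_level(a.likelihood, a.impact), a.regulation)
            for a in assets}


def spend_alignment(register: Dict[str, Tuple[str, Optional[str]]],
                    spend: Dict[str, float]) -> List[Tuple[str, str, float, str]]:
    """Compare risk levels with the current budget split.

    `spend` maps asset name -> share of security budget (fractions of 1).
    Flags high/extreme areas getting under 20% and low areas getting over 20%;
    the 20% line is an assumption chosen to make the comparison visible."""
    findings = []
    for name, (level, _) in register.items():
        share = spend.get(name, 0.0)
        if level in ("high", "extreme") and share < 0.20:
            findings.append((name, level, share, "under-funded relative to risk"))
        elif level == "low" and share > 0.20:
            findings.append((name, level, share, "spend exceeds risk"))
    return findings


def kpi_met(baseline: str, reassessed: str, target: str) -> bool:
    """KPI of the form 'reduce <area> from <baseline> to <target> in N months'.

    Met when the re-assessed level is at or below the target and the target
    is below the baseline, so a target equal to the baseline cannot be met
    by doing nothing."""
    rank = LEVELS.index
    return rank(reassessed) <= rank(target) < rank(baseline)


if __name__ == "__main__":
    reg = risk_register(INVENTORY)
    for name, (level, regulation) in reg.items():
        print(f"{name:16} {level:8} {regulation or '-'}")
    # Constructed current budget: half the money on the low-risk brochure site.
    spend = {"checkout-web": 0.10, "patient-portal": 0.15,
             "marketing-site": 0.50, "laptops": 0.25}
    for finding in spend_alignment(reg, spend):
        print("finding:", finding)
    # 12-month KPI: PCI environment from high to medium after moving the card
    # form to a hosted redirect/iframe, which drops likelihood to "unlikely".
    reassessed = risk_level("unlikely", "major")
    print("KPI met:", kpi_met(reg["checkout-web"][0], reassessed, "medium"))
```

The point of `kpi_met` requiring the target to sit strictly below the baseline is the caveat from the talk: a KPI only means something if the re-assessment can fail, so a target equal to today's rating is rejected rather than silently "met".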
How many computers have been reimaged this year versus... slash holding those better extended time... If phishing is the issue, training success, things like that.

That's great, yeah. There's definitely, you know, back to the engaging-with-the-other-business-units conversation, that's absolutely true, right? There are indicators within other aspects of the organization that will have, could have, a direct impact on the work that you're doing, right? And so, yeah, if you determine that phishing is a big risk, you can take the steps to work with that decision to say, how do we define, how can we find a definition of success here together as a team, and ensure that we have control over that to someone. But yeah, you can leverage... I think that's great, and it fosters that, you know, communication and integration across teams, right? And I think, as security is a supporting business, you have so many organizations, really it should be treated like that, that is the right approach, right? We are our customers for the rest of the business, you know, and so being able to work with them to define these makes a huge amount of sense. Percent, absolutely. And, you know, these are foundational challenges that we face as cybersecurity professionals, and I think we're starting to see a change in that as organizations start to understand, like, hey, we can't just wing this, right? We have to really, you know, I mean, how long have CISOs existed in their current form, even? As a... understand that part of our business, or that part of our... And part of it does also, I think, a lot of times we, you know, have a seat...
So, you know, back to, you know, we can ask the right questions now, right? So we have enough data to say: what are the highest risks, how do those assets align with those risks, where are we spending money that we should today? Really, like, I'm gonna tell you the secret: my underlying hope behind talking about these things is to continue to drive to organisations that they need to be thinking about the basic blocking and tackling of IT security before they start worrying about the next big thing, right? If we can just get folks to... and these processes, these steps, will help do that, right? This is, you know, I'm not claiming any of this is rocket science. What I am saying, though, is that if you do the work, and I've seen this actually work, that I've outlined, right, the steps, the asset inventory, really understanding that, like, the risk assessment, understanding your compliance requirements, and then putting that together and using that data to assess how you're doing with your cybersecurity program, with your budget, with your, you know, initiatives that you've outlined, you're going to, as an organization, reduce the risk, period. And that's going to draw out things like, oh, well, we should probably focus on patch management, we're not doing a very good job. Now I know we just implemented this really cool, you know, network monitoring solution, which might be great, but we're not even patching, and so, well, maybe we need to focus on the high-risk areas and then we'll work our way up to that. You know, just being able to go in with an informed decision, it makes a difference. It makes a difference especially when you're trying to convince folks that don't necessarily understand what we do and why we do it, what our decision process looks like. It helps; this clarity allows you to make better decisions. It gives you some effectiveness metrics to be able to really measure: okay, these are the initiatives I've outlined this year, these are the performance indicators I've assigned in relation to those, now I can measure that over time. And, you know, you're gonna measure that in a bunch of different ways, and you're gonna have different steps below, you know, your KPIs. That's not the end-all be-all, that's just the high level, you know, here's what we can communicate to management, let's say, but it gives you something to drive towards. And if you create a KPI that's directly aligned with the projects and things that you're working on, it's going to make it, it's easier to express how you're being effective in your job and how your program is effective.

Visibility over time, right? This is a one-time process... this is something you have to build in and do on a regular basis, and that even includes doing a risk assessment every time you decide to bring on a new solution, tool, or bring out a new system, right? Risk assessment is a multi-layered approach.

And then efficiency, right? If you understand where the risk is in your environment, you don't have to take this blanket approach, a shotgun approach; you can be more efficient with where you spend your time and energy, and it allows you to spend the time up front in those specific areas to create efficiencies. To, let's say, okay, we have a log management solution and it covers... we're a long waiting for a solution, and we've got all the logs, all the logs, got them all, they're all coming in, it's great, centralized log management. Are you doing that? How much of that do you need? Are all those systems high-risk? Should you be pouring all of that into your... ? It can help you make that decision to say, hey, yeah, we're gonna store those other logs, specific systems, and that's going to allow us to spend time to make that more efficient, to automate some of that, right? But not all of it's gonna be alerting us or being put into dashboards that we look at. Making that decision, tuning, right? Exactly. As long as you have it, that's important. And you have to have a good enough understanding that you're not, you know, shunting something off into storage for forensic purposes when you really could be using that data. But you don't need all of it, and trying to use all of it is one of the things that we're constantly trying to overcome. That's an example, but we're often overwhelmed with data and where to spend our time as IT security professionals, because there's a million places we can spend our time. If we can define or narrow down where we should be spending most of our focus, it allows us to be focused and take our time and then maybe create efficiencies in that area: I'm gonna spend the time to create a script to do this action that I've been doing manually, because I haven't had time to write the script because I've been doing 400 other things that are probably really low risk and I should be spending less time on. The goal is to empower you to be able to make better decisions and create efficiencies so that you have a healthier program.

Other benefits: employee engagement and retention. If you have a defined program and a plan, you'd be astonished how much easier it is to keep people if they feel like the people you work for know what they're trying to accomplish, and then you can measure your success as a part of that. Makes a big difference. It's really hard right now; all of us know how hard it is to hire and retain IT security professionals right now. If you can create an environment where they feel like they're making a difference, and they can clearly understand how and where, and then you have a plan, it's gonna make a huge difference to retention. You know, it's not all about the money. Yeah, you can go make a lot of money, but, and of course everybody wants to get paid a reasonable amount, right, but, you know, you can go out and get paid 30% more and work for a really bad company, and you're probably going to regret that position. And maybe you don't even do that if you decide to say, hey, I really like this, but I like who I work for, I like knowing that I'm making a difference, I feel like I understand where I fit. Makes a huge difference.

The value of the cybersecurity program will increase within the rest of your organization if you function in these ways; show them how, a process for this, because that's what they do. Most other business units have a process, and this will speak to that, right? Be able to say, hey, we do this just like you guys do.

Increase collaboration. Really important, continue to hammer that home. You know, if you're not collaborating with the rest of your business units, you're gonna have a hard time being successful from a cybersecurity perspective. And it improves your project and your team velocity, your ability to real quickly, if you have defined goals; you're not just trying to do everything for everybody.

So with that, just suggest that everybody do it. Just do it, right? So that's what I've got for you guys today. I would love to open up for questions. We've had some folks with some really good thoughts and feedback, and, you know, I have more candy if you want... to... afraid to throw any more of it, but we just think... thoughts, your experiences.
Not, no, no, not necessarily, but what I do is I look at NIST, DREAD, STRIDE, whatever, and I take the pieces that I like from it and I take my own. I feel like if we understand what we're trying to do, what we're trying to accomplish, we don't have to read the whole standard. We just need to say, you know, just a really basic-level, super simple definition of risk assessment: you have threats, and you have the impact of those threats and the likelihood of those threats in the context of your business, and then out of that, you know, you rank those by moderate and high, low, and then you come out with a risk level. I mean, that's super simple, you know, very... and there's a million ways to make that more complex, and maybe that's something you get to do next year or something, you know. But if you start with the simple definition and at least go through that effort, that process, that's worthwhile versus getting wrapped around the axle around, do I really know how to do this risk assessment, am I, you know... It doesn't have to be quantitative, you know. It can just be, I need to have a rough understanding at a high level for my organization. So, you know, I'll take, you know, bits and pieces from each of those, but for the most part I try to go really... and I also try to curate it when I'm doing those for a group of people. If I can get people in a room to do a risk assessment, like different business units, and have them involved in it, you have to keep it simple and light.
Segue into nanosec...

What about pushing the security, not even requirement, with the security goals? What success, what's, what's ways to do that? And you talked about engaging with them, but how do you get it into purchasing this?

So it has to start from the top. Not that you can't, I mean, obviously, bringing ten yourself, but, but say, hey, we're gonna have a security culture. Because you're right, security is everybody's responsibility. You might have people that are experts in it that help drive the, you know, initiatives or specific tasks that they manage, or whatever, but really it is an organizational responsibility, and their responsibilities differ depending on your role, your department, but it has to, it needs to be organizational, in a, you know, in the perfect world. But that's hard to achieve, because we're talking about organizational cultural change, and that is a challenge, right? When we come in, we've done virtual CISO projects forever, and the first sign of success or failure is whether or not leadership feels like buying in. Are they gonna really push this, are they going to talk about it, are they going to back you up? And then you can define really quickly, like, hey guys, this is having to work, right? If you aren't supporting us, I'm just the consulting guy that nobody has to listen to or doesn't have to listen to. And it's the same thing with security: if you don't have the support from the top down to say, hey, work, this is something that we think is important for everyone, and we're not asking you all to become security experts, but we are asking you to engage and be a part of the process. And so if you can create an awareness program for that, it can't be successful in... there are... we have seen it be successful, obviously a lot easier in smaller organizations, much easier in organizations that are in the technology field, but definitely doable regardless. I mean, I've walked into organizations, we've done social engineering, and organizations that do, you know, marketing, basically rank data, you know, they do data analysis, and can even get in the front door, because the front desk woman's like, I don't think so, I know how this works, you're not a real printer fixer person. We don't even have much going for it, you're like, wow, like, they've taken the time to create that culture and everybody has a role and they embrace it and they believe in it, and it's positive reinforcement. And so I think that you do need to be able to push that out to the whole organization, but that's a much longer process, and it's a...

You know, we're saying, hey, XYZ used to be, right, better segmentation of network, whatever the case might be; sometimes certain people don't understand why, right? They're just doing it. Why? Just do it. I know I built the network, I spin up the servers, I don't follow a hardening list, and I know my ass, I think it makes sense, I'm going to make it.

And that's a great, you know, a great point, right? You can make a difference at that level if you take... and I think the challenge that we face is a lot of times those of us that are in these roles maybe are the type of people that are, you know, used to going out and training people on how to do stuff. Rightly, part of it is like a cultural piece, and so who's that birth right now... So it's hard, because it takes us out of our comfort zone, right, to say, like, oh, now I have to sit down and, like, you know, I'll be honest, like, when I, you know, I help you, right, it's like being able to have that patience to help people understand the concept that they don't necessarily have experience with is not something we all have naturally, right? We're not all natural teachers, and that's what I think is a really important missing piece: being able to do that work. Do you love a teach why this is important work, express it in more than just a transactional...

So I work at a really large firm, and just kind of, like, it was kind of thinking, there's so many different vectors and stuff to go ahead and have a unified way of getting all of it and getting the assessment and stuff. They're going to be, we're gonna be out of sync a lot of times; you might get one part that has been metrics, and then six months later or a year the other side gets, and you just never have a clear picture, and it's not in a continuous way of maintaining what I saw there. I don't see how you're gonna have a... at a given time.
One of my staff shot, if it's just scale well...

And, you know, at the level that we talked about, you're right, right? So we're talking about, at the very highest level, creating those kind of metrics that might be measured over the course of six months or a year or two years, but below those metrics you would dig in and you would create actionable goals, passes, projects; you know, you would flesh it out to the point where you would be able to more easily, more granularly, measure success. Now, how about aligns with other business units or other teams, or, you know, even if you're talking about within your own security department, the, you know, you have it segregated out by network security versus server security versus, you know, I don't know what else, whatever. But, you know, that just takes constant communication, and that doesn't mean cos of meetings and anti-meeting, but it does mean the ability to communicate across groups, and have, you know, whether that means, are, you know, the output of this is put into some sort of a visual form that we put somewhere that people refer to a lot, or some place that, we, you know, like, having, providing people with that data and the constant reminders is a piece of, a part of it. And the other part of it is making tree, knowing who you should be communicating with if things start to get out of sync, right? If you have different teams with different initiatives, how do we ensure that we're all driving back towards that key performance indicator if we haven't joined it? It's not easy, but, you know, these are very high level; you would then drill down and try to create goals that are a little bit more actionable on a shorter time. But it isn't like, you know, you can't probably go through this process necessarily and then in a month, how am I doing, you know, my 25% there? It's not necessarily that granular, but you would get more granular as you kind of build out your strategy below it. Yeah, yeah, the really high level is feasible to do relatively quickly, basically, and then when you decide, okay, I'm going to do my high... Yeah, all right. I mean, so that's the idea, is like, if you... so we're all making decisions, we're all picking projects to do, we're all doing it, we're busy, but are we starting in the right place? Are we making those decisions based on the right data? That's really what this is about. All the other stuff you're probably already doing, and maybe there are things you need to do better with how you approach them, or not, but really the key here is, are we starting with the right foundation so that we really can be effective, not beyond to say, yeah, we implemented that tool as we said we were doing to...

I mean, it's really dependent on, like, how much it was, like, you can, you know, take... but, you know, I mean, you want it to start as... you can probably apply these concepts in more than one way, right? So if you wanted to apply the same concept on a horse goes down... so for instance, you can go through this process strictly for your PCI environment, yeah, if that's easier, if you have different teams, different resources, or if they're very clearly different, you know, defined, there's no reason why you couldn't break this up, as long as you're keeping organizational, like, you know, rule, department or whatever, rolling them up to some sort of higher level. Yeah, there's... you can absolutely break it up, because, yeah, I mean, this could be a several-week process in the right organization, and that's not really what you want to do, right? So yeah, absolutely.
So take a little bit more... are you saying, like, you can sort of, like, if somebody...

That's hard. I mean, part of that is organizational culture, part of it is how you create those KPIs, creating them in a way that is less prone, necessarily, to manipulation. So maybe not all of them are, but maybe some of them are, right? Maybe one of them is pretty all I'm good... So, to your point, like, maybe you create a bunch of KPIs and they're all met, and you're still, you know, kind of target, and you're still hacked, right? Anyway, somehow you're PCI compliant and you still are not P second play, right? Like, there are ways to get around any kind of data point you created, like you said. But what you're trying to do is, well, first of all, you should be creating the KPIs so that you can show your value to others, and hopefully you're doing that from the right place, because if you're trying to make up KPIs that are easy to hit and not necessarily value to the organization, that will come out at some point, and unfortunately probably in a really negative way. But if you're creating KPIs to try to force other people to do things, you're going to have... that's harder, right? You know, this is really more about you as a leader in an organization saying, I want to have an understanding of how I can express that my team is doing a good job. And so that is a challenge that kind of goes above and beyond that, and it's more about, you know, holding people accountable.
Just on to that part, the success of larger organization... Part of the success for our KPIs and indicators has been senior leadership communicating down that if you are reporting that you're meeting all the KPIs and all are well and good, that means, really, hard on the additional headcount, you probably don't need additional budgeting. So to tell the story, not just this morning that you're succeeding and this is my value, but it's also an indicator to show whether or not your team's struggling as well. So a lot of times that's always, that's typically, good: the messaging from senior leadership. And if there's areas where, I'm working in an internal audit department, senior leaders will actually reach out to us and say they can do a deep dive of this area to see how these metrics are actually bubbling up, and you actually do more hands-on assessments to either validate or invalidate whether those metrics are being reported up accurately. We've come across a lot of instances where numbers were fudged, and really, to your point, those people's behavior was being driven to the green on the dashboard to meet the KPI, not necessarily communicating up what's actually going on in an organization. So it was probably weak and company... I work for a large earn... able to either get outside counsel or turn all the department in to do a deep...

Well, I really appreciate you guys taking the time and being a great audience and asking a lot of really good questions, and, you know, I hope you got something out of this. I certainly enjoy talking about this topic, and I feel like there's a lot of value here, if it's not the sexiest topic we're going to talk about over the course of this conference. I'm excited to go see some other talks. Thank you guys, really appreciate it.