
Hey everybody, amazing to be here. Last year came as an attendee. Delighted to be up here on the stage this year. You know, because of compliance, because of HIPPA, I got to move from being a CIS admin at Blue Cross Blue Shield, Tennessee, just down the road a little bit, to get to work in cyber security. Thanks to PCI, I got to go work at Cox Communications and help them get their PCI house in order. And then thanks to a lot of compliance at the Federal Reserve. I was privileged to be the CISO and CIO of the Federal Reserve Bank of Atlanta for quite some time. compliance really helped me get into the field that
I have. But what I fear is that compliance sometimes, okay, compliance a lot of times can be the goal to achieve, but maybe thinking that that's enough. You know, I get I live in Atlanta, Georgia. In Atlanta, Georgia, maybe you've been to Six Flags Over Georgia. You know, at Six Flags Over Georgia, they have some compliance issues there. Some non techch, non-cyber compliance. And and you probably seen those signs. you must be this tall to ride. You can be taller, but you can't be shorter because, well, if you're shorter, bad things will clearly happen to you and to me and all the folks that we love. So, we're used to this compliance, but what I fear is a lot of times we race to get
there and then say, "I'm good because my auditor, my regulator, uh my supervisor, my uh folks that check out on these particular items, well, they say that's good enough." And I want to make it easier. I've got two things I want to share with you throughout the course of the presentation that I have here. Two actionable things for you to be able to do, maybe even more uh as I talk about this idea of how to build a cyber security program that actually works and doesn't just stop at that pretty green checkbox or good enough or being just tall enough to ride your respective ride. And as we think about this this problem statement, what are the things
that I believe you can take some value from for uh the things I want to talk about here? As you might imagine, as you might know, there's lots of compliance initiatives that are out there. You think of a publicly traded company that send healthc care that made the business decision to take credit cards. You got one, two, three, maybe even more sets of compliance initiatives that sometimes are clear, sometimes maybe ask you to do this or that. and sometimes even conflict with each other. What do you do then? If you think about what does PCI require, what does the SEC require, what does HIPPA require of me as a cyber person or as an IT person or just
someone want to help the company achieve its goals and we think about this idea of maybe we align to one or we do what we're told or we try to track new and emerging trends with regard to how can I show that I'm tall enough to ride. But then I think about all the work and energy to get to compliance. What about actually moving from compliance to assurance that we're not just doing good things? We're not just doing what we're told, but we're doing things that actually perhaps actually higher. Maybe we're a little bit taller. Maybe it's necessary to do things more frequently than what was required. When I go back in my memory banks, my first cyber job
again was at Blue Cross. And I remember one of the requirements that Blue Cross had because they were doing business on behalf of the US federal government. They had to do the NIST 853, the playbook of all the things to secure a federal information system. And I remember there was one task in there that says to do an annual risk assessment. That's a good thing. We should all do at least an annual risk assessment. Hard to argue with that. But what I feared and what I often times see today is that we go and get our checkbox. We do an annual risk assessment, then we set it on the side and it starts to collect dust and we get
busy. We get distracted. We go to meetings. we go to uh bs we do all the things that we do and wait where did I put that because I need to update it next year it's easy to do the things but sometimes it's more difficult to say how can I since I have to do that risk assessment anyway is there opportunity to leverage that perhaps on a more ongoing basis not just to check the box and have dust collect on it and as we think about this there's sometimes you know kind of religious uh attachments to ISO or to NIST or PCI or the compl liance requirements that you have. But then you think about why am I doing
those things and how does the company benefit? How can we increase the odds that the company that we're working at or working for, consulting with or contracting with can do these things to increase the odds that they're able to achieve their goals and at the same time reduce the chance that they're going to have an issue or get a fine or get called out or be on a wall of shame of some kind. Uh that's in there. And as we think about this idea of how do we think about these often times we're kind of like in the picture here. We're kind of well what do we do or we're crowdsourcing or we're looking at maybe
we feel this way of how do I make sure that I'm not just being busy but that I'm actually doing things that add value to the company. not just doing what someone made me do, but perhaps going into a realm of what are things that we need to do, we must do in order to uh be aligned with the mission of our respective organization. And that's one of the things I want to help you solve today with some resources I want to give away and and show you about how to do this. One of the things that we do in our organization, we have a nonprofit. It's called the Cyber Security Risk Foundation. Have you ever heard of the
website called auditscripts.com? We're that we rebranded it to the cybercurity risk foundation. Not just giving away spreadsheets and tools and templates and mappings that we've done year-over-year, but for the last year and a half being able to make a tool and then give it away. Is there tools that we can make in our organization? or the things that we can find valuable that help to meet this need of not just stopping at my checkbox, but ways for you to think about and to do things easier uh than what you perhaps have been able to do today. So, we do an annual study. We look out and see at all the compliance initiatives that are out
there. Every single compliance initiative that we could find so far that number is at 93. So far we found doing research looking and everywhere we can look there's 93 different compliance initiatives that we can find or regulations maybe there's 94 if so we'll add it we have the ability to do that but then we think about all those things in 93 different printouts printouts that say if I print out in a PDF all of those 93 requirements it might fill the stage right here with all just the printouts of the do these good things do these good things do these good things. And we could look at that list and on that list it would say yes
it's important to do a vulnerability assessment. Yes, it's important to do a risk assessment. Maybe annual access review certifications, good things. But if we spread out all those good things, and we were print those out and have little scissors and cut out thing number one and thing number two, there'd be over 4,000 small little pieces of paper littering the stage right here. And 4,000 things. How can we decide what are the things that matter most to my organization? What are the things you can do that understand better? What are the things that matter most for your organization? As we look at this just kind of the idea of how do I keep up? How do I know what's really necessary?
What we decided to do was to make it a little bit easier and kind of put those pieces together better and go from about 4 over 4,000 things to a little bit over 400 things. And the little things that we've created, the words that we created are words that map directly back to NIS-2 or map back to GDPR or PCI or HIPPA or SEC or NYDFS. And again, all of those 93 things, words that we created that make it easier to map to and map back to what's the essence when we look at those 4,000 plus things. How can we consolidate those and make it easier for all of us to be able to understand that?
check our box, make sure that we're in integrity with doing that, and then look at things that perhaps we need to do more of or more often of or more regularly to make sure that we're in alignment with supporting the very reason the organizations we're working for are able to achieve their goals. And so as we think about this, we think about how can we better understand that. So one of the things that we did just in a summary is to look at the different cyber security standards that are out there. What we found is that every year or so, it's kind of like a popularity contest. And I graduated high school, went to UTC, graduated there, and in
high school back in the mid80s, that's the song that started when we came out, you know, kind of a child of the 80s there. Back in the 80s, I was in the high school band. I was kind of a nerd. I wasn't an athlete. I wasn't on a football team. I wasn't one of the cool kids. I didn't have a nice car. Matter of fact, I had an old beater car. So, I was not really in that popularity contest uh that others were in back in the 80s, back in high school. Maybe you were. If so, good for you. Fantastic. But I I'm still recovering from well, not being one of those. But as we think about the
popularity contest, often times that's what's happening in the different compliance initiatives. They're popular for a while. For a long time, I was very involved with the community at the Center for Internet Security for putting together what's now called the CIS controls. Back in the day, it was called the critical security controls. And in fact, the first uh public uh presentation I ever did was back in 2011 at Bides Atlanta. And at Bides Atlanta, I talked about a novel way, a new way to think about complying with the CIS controls by being able to apply most of those without having to spend a lot of money. It's not because I'm a nice person or I'm a noble person or I'm just
going to but it was because a constraint I had. I was the whole security team and I was aware of what CIS was doing, other organizations were doing, some federal agencies were doing and the success they had, but I couldn't hire anyone. I couldn't add more tools. I couldn't do these things. I I thought, hm, based on the constraints I have, I can't hire anyone. I can't buy more tools. I can't go to the vendor show and buy all the things that are there to help me solve those problems. I decided to read the fine manual of the tools that I did have. Were there features that were disabled or features that maybe were dormant or ones that were available that
if you check the box, if you turn on some of those, could that help me creatively solve those problems? So, for a while, CIS controls were very, very popular. A lot of folks were talking about it. Maybe you've implemented those or tried to implement those in your organization or prior organizations. Then you know a new version maybe a PCI comes out and version 4 comes out and it says do these things if you process or store transmit credit cards and the newness of that hey what's new? What's changed? What's going on there? How do we understand that? How do we see what's different? What's someone going to ask me to do more of or to do for the first
time? kind of that's popular when that came out or when the NIST cyber security framework. Did anyone besides me celebrate the 13-month birthday of the cyberc framework version two? Just just me a little birthday cake and happy birthday because literally just before last year's RSA the version two came out and then we got to think of how do we understand these new things. Way back in the day when I was in telecom, I was okay. My boss asked me to, hey, NIST is going to put together this new framework because way back in our memory banks when Barack Obama was our president of the United States. Three years in a row, he talked about the importance of
critical infrastructure for the US government, if not for the whole world. critical infrastructure such as financial services, health care, power and lights. Uh those types of things that the federal government at the time was very curious about, very dependent upon, but still to this day is not fully directly in control of how those critical infrastructures work. So I worked with NIST and I was privileged to be one of about 350 people that contributed to and helped NIST come up with version one. It was the cool thing. There wasn't a cyber security framework before, but you know back then it it came out and then version 1.1 came out to add privacy and supply chain super
important things and then again 13 months ago same methodology at NIST they held community meetings some virtual some in person what do you think how should we change because as it turns out the gap between version 1.1 and version 2.0 O was 8 years again it's really important but I ask you you know what's changed in cyber security in the last 8 years kind of everything a lot has changed a lot of requirements and so it was certainly time for us to have a new version of the NIS cyber security framework version two and now all of a sudden we're looking at hey we need to govern and then identify protect detect and respond and recover
just like we' done in prior versions so kind of a popularity contest. That one's pretty popular right now because it's pretty popular to look at this new thing and perhaps imagine what our new auditors, our regulators, our standards boards, all the people that want us to do good things, what are they going to ask us to do? How can we better understand that? Or perhaps you work in financial services. Perhaps you're familiar with the state of New York. In the state of New York, NYDFS, the Department of Financial Services, has another list of good things to do. good things to do for organizations that want to continue to do financial services work in the state of New York.
And we look at that, we say, okay, get another list of things to do. Now to their credit to the credit of NYDFS the agency uh in their listing of do these cyber security things they're doing something unique something that doesn't exist something I've not seen in other programs they're actually foreshadowing what they're expecting quarter over quarter two years running they're saying here's what we're going to ask you to do more of here's how when we come back for our attestations we come back for the audits we're going to expect you to be a little bit taller and then the next quarter a little bit taller, a little bit taller, a little bit taller. So they
to their credit and nobody really wants to have a new regulation but being able to prepare for make a business case get budget for and equip ourselves as of now to do better at full MFA across our organizations which is the current one that a lot of folks are worried about and tracking towards being able to have some time to make sure that we're good and we can pass our audit. we can be tall enough to ride. Perhaps that's a little bit popular with you like it is with the clients that we work with on a very very regular basis. But the point is this popularity contest. We talk about the new thing. We talk about the
shiny thing, but yet there's still others that sit there and others that ask us to make sure that we're still meeting and complying with our needs. And so as we look at these, you can see some of these that are listed here. cyber security framework, CMMC, maybe maybe your organization has or could have CUI, controlled unclassified information. That's another list of things to do that NIST put out. And we look at these and we see okay well there's another one PCI uh the cyber security risk foundation safeguards one we'll talk about in just a little bit uh as well that helps us to understand how do we navigate through those ISO you know to ISO's credit you know a couple
of years ago three years ago they had the 2022 version something unique to them they actually put a colon and then the year but you can look at the gap there you say 2022 that's really cool what's changed from 2013 to 2022 again just like CSF there's probably been a lot of changes there's probably been a lot happening in our industry uh and so certainly time and certainly opportunity for us to hey what are the new things what are some maybe some things we were doing that perhaps don't need to be done any longer but all of a sudden just looking at some of the highlights the more popular kids more of the cool kids
here even these it's hard to map and maybe you have a full department full of people that try map these things, understand these things. And it seems like perhaps there's a better way. It seems like there's an opportunity well for for us to do better, make it easier for us to get our pretty checkboxes and move on uh to other things as well. So, one of the things we started to look at is for all 93 of those standards, is there any buckets or any categories or any similarities among them? And that's exactly what we found. And we found four different kind of big buckets to put them in to treat them, to label them, to
think about them perhaps in a new and uh novel way as we consider the things that again we're told to do. Uh some of them have different goals. Some of them exist for different reasons. Again, when the business decision is made to take credit cards for your customer so they can get Delta Sky miles and they can be happy and you paying their bill perhaps on recurring payment. When a business decides to do that to process or store or transmit credit cards, they're signing up for the impact of the business decision is they must be this tall to ride based on the PCR requirements that are out there. So, we're we're used to that. We're familiar
to that, but perhaps it's been a while since I have or you have or we have gone back to our business leaders and not challenged their decision to allow people to get Delta Sky Miles because they use a Delta credit card so pay for their bill. That's not it. but to remind them that there's consequences because of the business decision to do that. There's an obligation that we have to make sure that we keep our PCI assessors, don't call them auditors, they really don't like that. PCI assessors when they come in and assess us on a regular basis that we're again tall enough to ride again that connection of the consequences or the why behind the what we're doing
that. Um, and so one of the things we wanted to look at is is there a way just like there was a way to go in and evaluate these standards. Our kids, my son and my daughter were privileged to I was privileged that last year they graduated just about a mile down the road at the University of Tennessee. Very happy, very proud of them, very grateful that they got through that experience and they survived that experience. But if you were to come and ask me, "Hey Russell, how wonderful is your son?" And hey Russell, how wonderful is your daughter? I could go on for much longer than I have to be up on stage here because I care for them.
We help my wife and I help I guess created them. Uh we poured into them and we're just couldn't be proud more proud of the things that they did. And I imagine if you have kids or you've got nieces nephews uncles neighbors you could say the same thing. Certain folks that you're biased towards, certain folks that you like to promote and you couldn't be more proud of. But when I go back to the if I were to go to the professors for my son and my daughter, hey, how good of a student was my son? Hey, how good of a student was my daughter? They probably wouldn't rave on as much as I would because I'm kind of
biased and they have more objective ways. They have like letter grades like an A or a B or a C or sometimes lower grades for how well did they show up in the classroom? How well did they learn that information? How well were they able to pass their test the professor for each of the classes they took? They'd have a different story to tell, wouldn't they? They have an opinion. They have a more qualified view of how well did they earn the right to last May walk through and congratulate that. Now, that was a fantastic moment for my wife and I because we feel like we got a pay raise because there was no more big
checks going to UT, which again, we're great grateful that that happened, but it was a big impact on them and us and we're happy for that. But how does that relate to what we're talking about here? What if there was a way to not just say, "I do PCI because someone makes me do PCI or I do HIPPA because someone makes me do HIPPA, but what if there was a way to evaluate those standards? What if there was a way to have a letter grade for those standards?" And that's exactly one of the things that we did. And I'll show you exactly what those evaluations were. Is there a way to look at not just based on
popularity, but how are we doing? How do those measure up? How comprehensive are those list of good things to do so we can make sure we're not just being busy, but doing things that actually make a material difference? So, let's take a look at these categories as we think about these buckets that we put them in. First one's hygiene. We've all got a lesson the last few years about the importance of hygiene, the importance of doing really good things that keep us healthy. It's funny, my dentist was telling me uh the several years ago, he said, "Russell, you've not been flossing your teeth. You got some potential gum disease. You got to work on these things. Russell, you have to do
better at these things. Russell." Uh, and I'm like, "Yeah, yeah, yeah, I know." And they'll ask the question, "Hey, did you been flossing your teeth?" And of course, I lie and yes, I have. I've flossed my teeth. Everything's good. But then they look and they're like, "I'm not sure." But then my dentist and my hygienist gave me a piece of advice that sticks with me to this day. They said, "Russell, you only have to floss the teeth that you want to keep." All of a sudden, I got fly. I got A+. I was doing that. You know, I feel like I want to keep all of my teeth. I think it's a good idea to do those things. And
maybe you're thinking the same thing. You know, that's a good point. I only the things I care about those basic hygiene measures that we have. How can we understand those, make sure we do those, and perhaps build upon those? If you've not taken a look at the Australian, so the ACSE, uh, amazing. They have an opportunity to do business with the Australian federal government. Turns out there's, and I don't have 35 fingers, but if I did have 35 fingers, I'd hold up 35 fingers and I'd say they have 35 things that thou shalt do in order to do business with the Austral federal government. The ACSC, they have eight of those things. And according to
the Australians, they stopped the majority of all targeted attacks against the Australian federal government's networks. So I'm thinking, that's an interesting list of things, those cyber hygiene things. And it's publicly available. It's on their website. It's a actually an intelligence agency for Australia, but they're very open with how they prioritize and they focus on a subset of those things. Now, do you have to look you have to do business with the Australian federal government to take advantage of those? Of course not. can look at those and say, "hm, what would it look like to consider some of those things like rapidly patching your operating systems or rapidly patching your applications or having the application control capability or
severely limiting who has admin access rights, not to be mean, not to be a jerk, but to reduce the likelihood that a bad thing might happen at your organization, my organization, or others." And you can look at these lists and you can see what that looks like. on the very bottom bottom left hand side of the United States DHS that DHS CDM continuous diagnostics and mitigation. What would it look like if every agency got plus or minus $300 million and was able to replicate what the Department of State did many years ago back 2008 or so when they applied the critical security controls. What would it look like if other agencies were able to mimic the
success at Department of State? Where at Department of State, they were able to reduce vulnerabilities in a sensitive but unclassified network by 89% in the first year. Again, big results, big opportunity. And then trying to what would it look like? What would it look like to imagine doing that there? Or maybe you look at the more comprehensive status, the second of four different categories, more comprehensive in nature, maybe some governance things, maybe some administrative things, maybe some HR things in these different categories, such as the CSF. CSF, turns out there's 108 things that we're supposed to do. 108 shouts that are inclusive in version two of the CSF. And as we think about what those things are,
how can we look through those? What's new, what's expected there? uh CIS controls currently at version 8.1 not been updated in several years and not not been a new version. So hopefully CIS uh continue to work and have a list of prioritized things to do there. We look at these list and kind of see you DSS has a list and then cyber security risk foundation. I'll talk about those here in just a moment more comprehensive in nature and not specific to a particular area. Couple of other areas we think of it like the buffet. You know, this idea of you walk through a buffet line and the first thing there, I want some fried chicken. I want some green beans. I need
some casserole. I need some corn. And then all of a sudden my plate's full and there's no space for my favorite dessert, banana pudding. But you look at these kind of buff, you kind of get to pick and choose maybe things like Cloud Security Alliance or HIPPA or NYC CDR, NYDFS 500. You can look at those and say kind of picking and choosing based on the issues. What are they saying that we should do? How are they communicating that we should be tall enough to ride those metaphorical rides at Six Flags over Georgia? Or maybe there's some things that focus in on governance like Kobit. When I was invited to move from being a CISO to being a CIO, I thought, well,
that's I don't think I want to do that. I don't think my goal is to get to be a IT leader. And they said, Russell, do we tell you how much we're going to pay you and all the influence that you're going to have? And I said, you know what? On second thought, I think that sounds like an interesting idea. Uh, and it was. But what I found for myself was the further I got away from cyber things, the more unhappy I had, you know, frowny faces, frowny emojis because I got farther away from that thing. And uh, ironically, I think that led to me uh deciding to leave because I I wanted to stay in
cyber security. I wanted to do those things. But in it, especially Kobit says, here's how you do it and here's how you do it well. Very prescriptive characteristics and attributes to in a governance standard. How do you govern? How do you run your IT departments? You think of Kobit in that way. And so then we think of, okay, what if we had a letter grade? What if we had different criteria? What if we had like 12 different measures, some very objective, some very subjective? But what if we were able to evaluate the criteria and give literally a letter grade that shows what grade would you get? Just like the my kids when at UT just last year were able to
graduate, they had enough goodletter grades to say congratulations uh and they they are through with that. And so some of those words are shown on the bottom left hand side. Some of the things like operational safeguards. Are the agents that we have are they healthy? Are they phoning in? Has there been a connection to the asset inventory? You do have asset inventory and asset inventory feeds into how well are the EDR agents? Are they lighting up? Are they doing their job? Is there like an agent health capability or an agent health dashboard that lets us make sure not that we pay our bill every year to our EDR vendor? That's a good thing. It's an important thing. But making sure
that we're making using the output of asset inventory as input into where should all those blinky agents be at and how can we make sure that they're doing their job, not just that we're paying our bill to whatever vendor you use for EDR. Technical safeguards. Uh, does it map to does the thing that I'm supposed to be doing map to the safeguards? Does it map to some of the risks that we're facing? Um, does it prioritize the safeguards? Should I start with item number one and then go to item number two and then based on momentum, the momentum that I built, then I'm able to go to item number three and four and five and so on or is it just kind of a
random list of good things to do? It seems like that should matter that and in fact it is one of the criterias that we have or does it say measures or metrics or KPIs to not just do a good thing but how can I communicate that maybe in two slides in five minutes at the board of directors maybe whenever I get invited to go talk to the board of directors is there an opportunity to communicate up the org chart how well are we doing at checking our with all due respect boxes but as you think about these ideas. The first of two promises I made at the very beginning of my talk was how can we use this to build a
program that actually works. One of the resources that we have are freely available open source. We've been giving away things for a very long time under the name of auditscripts.com. Now the last year and a halfish CRF the cyber security risk foundation uh cfsecure.org was a domain that we can buy all the coms everything. And so a name we really was kind of by the domain that we could buy versus what's the name of it. That's exactly what we have here. Several different things that we have in place. Now, initially it was me and my business partner and a couple other folks, but we thought, you know, we're only as smart as what we are. Who can
help us? Who are some people that have specialized skills, different perspectives that can help us to do that? Folks at Ions have partnered, they're on our board. Folks at SANS, they represent from an educational partner perspective. what needs people need to educate or what things can they speak into to make sure that again it's just not the best of ideas we could come up with but adding more friends there Microsoft's there the lead researcher and re uh lead data scientist excuse me for uh the team at Verizon that puts together the data breach investigation report just came out a couple of weeks ago in advance of RSA uh on our board and can give us views and perspectives
and what do we make sure that we're as inclusive as what we can And this idea of how can we even have tagging in place, not just have a spreadsheet that says here's a spreadsheet and here's a tool and you can rate yourself of how well you're doing against the CIS controls, but maybe put tags in there that says hey for small medium business. Is this appropriate for small medium business or cloud uh technologies or IoT technologies or maybe in financial services the ability to kind of label or put metadata towards all these 400 plus tasks to say what matters most for you, me and for those who would want to use tools like this. And again, the net of
it is instead of all these printouts of things on the the uh stage like I mentioned earlier, a little bit over 400 that normalize and go back to and map directly to and back again to say here's the essence of the words we believe that makes it easier and less messy and I guess more eco-friendly than printing out 4,000 plus things about 400 things. What we believe we have here is what we call we we choose to call kind of our Rosetta Stone for standards. How can we unlock and start to understand how to evaluate them? What are they inclusive of? And what are some areas where perhaps they could do better if they were to do better in the future? Again,
for a long time we used Excel. We really wore out Excel and moved to relational databases. And it turns out that developers, over the last year and a half, have helped us take this idea and this information and, with the tagging and the mapping and just more usability, be able to offer what we're going to show you here.

Now I'm going to give you examples in three different popular frameworks and, based on these 12 criteria, give you some insights. First I'll talk about version two of the NIST Cybersecurity Framework. I've been involved with that community from the very, very beginning. My boss said, "Russell, you have to go to these places. You have to make sure we're doing these things and represent the telecom industry." And even to this day I'm very familiar with, and very active in, understanding and implementing these things in the CSF. As much as I love the CSF, I'm not going to say it's the very best thing out there, but my heart is not to point a finger and say, "Na na, why can't you get your act together?" That is not my heart. Please don't think that's what I want to share. What I want to share is, whenever it's time for NIST to come back and perhaps look at version 2.1 or version 3.0, if they decide they want to be more inclusive, more comprehensive, what are some things they could do in order to do that? That's our goal. So, please, this is not naming and shaming. This is not "I don't like it." This is just leveraging the things I've talked about over the last 30 minutes to show what this looks like.

So, we like to use the word safeguards. Actually, DHS and the Center for Internet Security have shifted the vocabulary. Maybe you've seen it. Instead of saying security controls, they're saying security safeguards. A little nuance. And I'm not here to say you have to use one or the other, but given where that conversation seems to be moving, we decided to do the same thing. And so we're going to use safeguards instead of controls, although sometimes I mess up and say controls myself.

But if you look at these 12 criteria, we can see there are some really strong, powerful green things. We like green things, don't we? Pretty green checkboxes are very important for all of us. But you can look and you can say, as important as network device management is (making sure that your network devices are running the appropriate config, and not just what you had when you deployed it, but on a regular basis validating that the config is correct and accurate and hasn't been changed unless there's a change approval board ticket), it seems like, to have a cybersecurity framework, there should be a focus, maybe a better focus, on network device management. It seems like there's opportunity. If you were to put your blinders on and only do what NIST says to do in version two of the framework, I'm afraid there are some other things you might want to do, so again, don't consider that a completely comprehensive framework. So think about what it would look like to imagine it in these ways, against some areas where it's very, very strong; very happy, very grateful for the changes they made 13 months ago, but recognize it's not every single thing. It seems like there are some areas where, when they convene, when they get together, there are areas to perhaps consider adding, or maybe even having a pointer: hey, for more information, see another framework that might be more complete and comprehensive in areas where perhaps they would choose not to go.

Then we look at another criterion, a very objective one: Google Alerts, Google searches for the last five years. How popular is this particular framework? And we can see that this is copy-paste. This is just a screenshot here that kind of shows how this is doing. One of the changes in version two is they removed the words "critical infrastructure." And it turns out the representatives from NIST have translated this US agency compliance framework into 35
different languages. It turns out more people than have to do this are starting to do this, because perhaps they're seeing it's easier for them to do compliance when they leverage and understand a framework, and maybe it makes it easier to communicate to boards and executives: how is our cyber, and are we doing enough cyber? If you look at a scorecard, again, this is the first of three that we'll take a look at. We all like to get an A. We all want to be on the dean's list. But if we were to take these criteria and evaluate CSF version two, there are some areas where they've done very, very good work, and there are areas like mapping the threats, the things that are happening and may be happening very, very soon, to these safeguards. That's an area where we believe there's room, an opportunity, to improve in the next version. Again, our heart is not to name and shame. Our heart is: are there some ways to properly and more objectively evaluate the effectiveness of that particular framework? That's our goal for this.

Then let's take a look at ISO. I see that the more international an organization is, the more likely they are to map to this framework versus a US-based framework such as the Cybersecurity Framework. You can see again 2022; that's the year in which this came out. Looking at where this happened. So, if I were to say, hey, does anyone know where ISO came from? Maybe you'd ask a question. I've had prizes; I guess I could give away a prize. The answer is it actually came from Shell Oil. Shell Oil's internal assessment and auditing teams came up with a list of good things to do, and they did those good things. They became very popular. They shared them with the British government, and now they're the home of ISO, the organization where, for a mere, last time I checked, $165 US, you can download your copy of their list of things to do. And then if your boss wants to see that same list, or have their own list, your boss can go to their website and download, for $165 US, their copy of their list of things to do. That's just kind of how that one works.

But if you look at these, there are some green things, such as security program operations. NIST, in version two of the CSF, uses the word govern. I like governance. I'm not in charge of NIST, for a lot of reasons. I really like program management. Again, I'm not in charge of NIST. Govern is the thing that was added. But here, security program operations: how am I, in a CISO chair, being the best steward of the resources I'm responsible for, the resources I'm trusted with? How can I make sure that I'm operating my security program? What are some attributes? You can see here that they are very, very strong in that area: green, almost a perfect score in how they're doing that. But when I look at system monitoring, it seems like I should monitor my systems. It seems like, to get my pretty shiny seal from my ISO lead auditor on a one-, two-, or three-year basis, I should monitor my systems. But again, the lead auditors are not going to ask us to do that. They're going to ask us to perhaps work on and focus on some other areas. And so again, the opportunity there: should you do this? Sure. Rock on and do it. Should you just do what ISO says? We believe there's opportunity for the next version to be perhaps a little bit better. We can see Google searches again, trends over the last five years. It goes up, it goes down, especially around 2022 when the new version came out. We can look at the new version, and we can understand what new things we need to see. And we can look at a letter grade and see how it fits on those 12 mostly objective, some subjective, categories. If we, as the professors of my son and daughter did up
until last May, gave a letter grade, what letter grade might we give on this comprehensive scorecard?

And then, last and not least at all, again an initiative I was very, very involved with in the very beginning, 2008 or so, is version one of the CIS Controls. Now at version 8.1. It's a nonprofit; actually, they celebrated their 25th birthday last week at RSA. So CIS: lots of tools, lots of really smart people; some of the best and brightest I know work there. Matter of fact, one of my favorite and best CISOs I know, Sean Atkinson, is the CISO at CIS. So again, a great organization. However, if it were the case that they wanted to be more comprehensive, you can look at some of the green things that we have here: system protection, system monitoring, asset inventory and control. Again, Control 1 and Control 2; it's always been that way, the first and second things they want us to do, stronger than any other framework we looked at. But if we say, hmm, security program governance, how do I be the best steward of the time, talent, and resources I'm responsible for when I sit in the CISO chair? It feels like I'm not going to see that, and it looks like I'm not going to have that list of things to do from a list that comes from CIS. Focusing on these ideas, focusing on areas like network device protection: not the best in the world. Boundary protection: it seems like we should do those things, but again, we're not going to find them if we strictly look at the printout of CIS version 8.1 to do those things. Perhaps when committees get together (and they do a great job at CIS of convening people to help there), they can do a little bit better if they choose to focus on those areas. Google Trends show that, and this is perhaps one of the stronger resources that we have, one of the stronger letter grades that we have, as we're looking at how to evaluate these different criteria. Again, same criteria. How well do we put a letter grade? And then a summary letter grade here of a C. My daughter, when she was getting close to being finished, said, "You know, Dad, when I started college, you told me C's get degrees." And so she kind of threw that back at me, and I get that, and I earned that, and I really felt like a terrible dad at the time, but thankfully she still had a higher grade than that. But again, it's a good thing. It's a really strong thing, especially compared to the couple I looked at.

So what can we do? What would it look like if we were to evaluate the same tool, the same list of, you know, 400 things versus 4,000 things, and if we
were to turn those same criteria on the listing that we created? So, we wanted to be in integrity. We wanted to look at our baseline. We wanted to look at how well we cover all these things. We look at Google Trends. It turns out this is about a year and a half or so old. And so no one talked about us, because we didn't have these things. And so we get a bad grade, and we deserve a bad grade here, because we're not one of the popular kids. We're not one of the cool kids. Maybe I'll say yet. We look at our grade. We like to have A+'s. We want to be on the dean's list. Even us, the creators of these words, these statements that make it easier for a publicly traded company that's in healthcare and takes credit cards to look at what matters, aggregate those together completely and comprehensively, comply once, and satisfy many requirements. Even we're not perfect, and even we're holding ourselves to a place where we could do better, such as international adaptability or mapping threats to controls. There are areas where we're going to do better, but honestly, we have to look at ourselves and say, how can we make sure we're holding ourselves, in integrity, to the same criteria? We see different trends that we look at, more of the popularity contest, against CSF, which is pretty popular right now, but every day it'll be a little bit less popular. A little bit every day, we'll kind of be distracted with other possibilities for things that we might do, such as the NYDFS scorecard here. If we look at some of these comprehensive standards, things that you're familiar with, things you might have certifications in, things you might really wrestle and toil over in your organization, those are good things, but is there opportunity to do better at those things? That's one of the areas and topics we wanted to talk about.

Again, kind of the overall listing of these things. It seems like, as industry and sectors and communities of people that help put these together, many on a volunteer basis, there's opportunity for volunteers to perhaps look at these and hopefully continue to be more inclusive in the list of good things that we need to do. There are some things that are missing from the standards. Again, they're not all complete. You can see here things such as application development. I have two degrees. Chattanooga State found it in their heart to give me a degree. UTC found it in their heart to give me a degree in computer science. I was learning how to write a mean "hello world" loop in Java back when that was cool. And that's the extent of my security programming knowledge. My job was to do what the professor said to get a good grade, because I wanted to have a degree and go work at Blue Cross. That was literally my goal many years ago. But never once did the professor say, "Hey, while you're banging out that code, or while you're copy-pasting from the internet back then (not that anyone does that now)..." This is so 20 years ago. 20 years ago, when we did those things, it was never the focus: hey, while you're doing what you're doing, make sure you don't materially decrease the security posture of our applications. My job was to get my job done, make my boss happy, make them look good; not, is there any chance someone could abuse or misuse the technologies that our programming code developed for our organization? That concept wasn't there. And in many security standards, it's kind of left up to the devs to figure out how to do dev things. And it's up to us as cyber leaders to go and engage with them and learn from them. And perhaps imagine there's a 56-year-old programmer who, maybe when they went to school, didn't have that focus of how can we make sure that we're not introducing risk. No one may have ever told them about that. Cyber, cloud, all the things that are evolving: things that, as
the standards bodies come and reconvene, what are the things they can do to make sure they're accounting for and looking at areas such as what are shown right here?

So, I promised you one thing, and hopefully that thing is, again, crfsecure.org. It's free. Everything under Resources is completely free. We're not trying to sell you anything. Our goal is, like the analogy we give: if you want to go to Home Depot and buy 2x4s and nails and electrical wire and build your own house, you can absolutely do that. If you decide to work with someone else, someone can help you. You can go to a contractor. The contractor can go to Home Depot, they can buy the hammer, they can buy the nails, and they can maybe build your house faster than you could on the side. That's the idea there. Making tools and giving them away is what we've done for 17-plus years under AuditScripts, and now continue to do for CRF. Like Mandiant, like the Verizon Data Breach Investigations Report, we put out version 2025 a week before RSA, to make sure the website worked and all those updates were there. So, brand new versions, and the way that we label them, just like ISO, is by year. So, 2025, there's a bunch of things. It seems like AI is a cool thing these days. So we've got a list of things for AI to be considered and added into the CRF safeguards; that's in there.

But remember, I promised you two things. The second thing is: anyone ever struggle with security policy? Anyone a policy nerd? Love security policies? As I'm looking, I see exactly one hand. I see you. We can hang out over lunch. I started off thinking I don't really want to do that. But if you think about resources, so, full disclosure, I've been an instructor with SANS for the last 16 years. It's a lot of fun: learning a lot of things, getting to travel, and encouraging people like I was encouraged back in 2003 at Blue Cross when they sent me to my first class. I'm grateful for, and a product of, a lot of investment in doing that. But if you go to the SANS website and you go to sans.org/free, there are a bunch of free things there, and one of the free things is their security policies. You can go to sans.org/free and look at security policies, but to be honest, those haven't been updated in a while, and by a while I mean about six years. Our lawyers worked with the SANS lawyers (again, SANS is on our board), and so we had a chance to talk with them and kind of imagine: what if (bless you) what if those policies were updated every year? What if those policies were clear and crisp, in PDF format and in Word document format? What if, two weeks before RSA, the SANS lawyers agreed to allow us, CRF, to give them, SANS, the content, and we hold ourselves in integrity to make sure those are updated on a regular basis? Matter of fact, it actually shows "as of April 15," and by April 15 of next year, if it's the case that you at your organization don't have a software development security policy or a static code analysis policy, we don't want the reason that you don't do that, or don't engage with your 56-year-old developers on how to make sure that is done, to be that it doesn't exist. We have that available for you. It's co-branded: it has our logo and their logo, and again, it's completely free. You don't have to pay for anything. Those things are there, and I hope, again, maybe if you have two computer monitors like I do, on one monitor are the policies you have in place now, and on the other monitor the SANS website that shows these, and you at least copy-paste, put your logo on it, maybe run it through ChatGPT or Grammarly or whatever you do, and use version one as a good starting point for having it, and then perhaps customize it to the policy set or policy libraries or policy governance things that you have at your respective organization. Again, second thing; I hope you find that to be super helpful. Again, we're not trying to sell anything. In fact, we made it, gave it away, and we continue to want to do that. Again, thing number two for you there.

So, next to the last slide, I believe. Yeah, next to the last slide. What are some practical takeaways when you leave here? I guess we go to lunch and then come back. But when you think about, hmm, what are some of the practical takeaways from hanging out? And thanks to everyone here for listening and putting up with these things. What are some things you can do?
I recommend, and these are in prioritized order, thing number one: if your security team does not have a charter, a two-page Word document (or, I guess, if you print it front and back, it's one page, to save paper and stuff), if you don't have a charter, I want you to have one. Now, you're going to say, "Is a charter going to stop APT29 from coming in and doing the things that APT29 does?" Absolutely not. What then, Russell, will a charter do? First, for you and your team, you can make a charter that says, "Here are the things that we believe we need to do. We believe we need to do this and that and the other." And when you agree to those and you have consensus on those, then you have that alignment, and then you can pass it up to your security oversight committee or your board or your audit committee: "Hey, board and audit committee, here's what we think you want us to do. Do you agree? Is it right? Are we doing the things you think we should do?" Perhaps that two-page charter of the reason we exist could be very valuable for you, for those you're privileged to lead, and very clarifying to the people who are supposed to govern and oversee you from a governance perspective. Again, it's not going to stop an attacker, but it's going to give you an extraordinary level of clarity. One of my favorite authors, Dr. Brené Brown, in her book Dare to Lead, said the words, "To be clear is to be kind." It might be very kind of you to put on your roadmap, before the year's over, a charter for your security function, if one doesn't already exist.

Maybe you've agreed to, or maybe you've inherited an agreement on, the security standards that you're going to follow. Maybe, by looking at some of the things I've talked about for the last now 52 minutes (we're almost done, I promise), we're going to look at these and say, are we inclusively doing all the things that we thought we were doing? Is there a chance to perhaps monitor network devices? Even though a lot of standards are not asking us to monitor our network devices, it's super important. We know it in our brains; it's just not necessarily in the standards you might be following right now. Well, how can you be more inclusive of those things? Looking at the standards, and then having a plan for maybe doing a self-assessment. We get tens of thousands of downloads of our tools, and we're happy to do that. People are downloading the tools, and maybe they're doing a self-assessment. Awesome. Rock on. May the Force be with you. All the things. But when you get your score, when you get your rating, when you get your little bar chart, and if it's not green, if it's red or yellow or non-green, what are the things you can do? Maybe assigning yourself, or making a business case, or talking with your leader, your supervisor: "Hey, it seems like we have an opportunity to do better. What would it look like if we were to do better in those particular areas?" I highly, highly encourage you to do that. And when you do that, you can hopefully be equipped in one, two, maybe even more than two ways. We talked for the last few minutes about trying to build a cybersecurity program that actually works and doesn't stop at "I must be this tall to ride."

So that's all I have. Feel free if you have questions, comments, cries of outrage. I'm here all day. And I'm grateful to be here with you at BSides. Adrian.