
The Security Practitioner's Guide to Going from "No" to "Whoa"
Josh Sokol and John Overbaugh

BSides Vancouver · 51:22 · 78 views · Published 2022-07
About this talk
As security practitioners, we often feel like Atlas with the weight of the world on our shoulders. Our backs are breaking from having to support our organization’s issues while constantly being told that it's not a priority to fix them. What if we told you that management may be right? That the security issue you’re currently fixated on is inconsequential in the grand scheme of things, but it’s also not your burden to bear. In this talk, you’ll join two seasoned security veterans on a journey of introspection and enlightenment focusing on how you can be a more efficient and effective security steward for your organization, creating a solid foundation, and building the right relationships with management so they’ll have your back when you need it the most.
Transcript [en]

All right, I think we should get started. What do you think, Josh? Let's do it. I'm excited. Hopefully everyone's energized. It's day two and it's the afternoon, and if I'm not mistaken we're all kind of coming off lunch, but let's hope the audience is energized. So we're glad to have you here. We're doing our first kind of team presentation, Josh and I, but I'm going to turn it over and let Josh kick it off, I believe, right?

I mean, I'm happy to kick it off. Hey everybody, I'm Josh Sokol. I am here to talk to you guys today, along with my buddy John, about the security practitioner's guide to going from "no" to "whoa". The whole idea of this presentation was: we're going from "no", because you're not on the same page, to "whoa", where we're starting to talk with management and they're actually understanding what we're saying. You know, leadership is constantly telling us "no" as security practitioners, but it's because you aren't communicating in their language, which is the language of business, and security issues are often seen by practitioners as binary: you know, is it an emergency, will it happen, won't it happen, that kind of thing. And so the idea behind this presentation, what John and I are going to talk to you guys about today, is how do we go from that state where, hey, we're being told "no" all the time, to a state where management actually looks at what we're doing as a value add to the business, and we're in a much better position as security practitioners because they're actually listening to what we have to say.

That's right. And to get started I'll introduce myself briefly. My name is John Overbaugh. I'm the Chief Information Security Officer for Alpine Software Group. We're sort of a private equity company that purchases and runs a number of companies in different verticals. I've been in information security since 2012, most of that time in healthcare, and really have had a lot of opportunity to learn how to social engineer leadership, and that essentially is what we're going to talk about today.

Awesome. And I'm Josh Sokol. I used to run the information security program for a big 1.6-billion-a-year publicly traded organization called National Instruments. I did that for about a decade, and then eventually I moved into a role as CEO and CISO of SimpleRisk. SimpleRisk is a free, open source enterprise risk management tool. Actually, when I was working at NI my VP came to me one day and she said, "Josh, I heard about this risk management thing, can you figure it out for me?" I said, "Yeah, I can do that." I did a lot of research, I came across the NIST 800-30 framework for risk management, and I said this is what I want my program to look like. But the piece I struggled with was the tool set. I started off using Excel spreadsheets and quickly realized that they wouldn't scale. I used a homegrown Lotus Notes database for a little bit, and it wasn't dynamic enough. And then I started looking at the big GRC suites that are out there. Eventually I got to the point where I couldn't afford the big GRC suites, the Excel stuff wasn't going to scale for me, and so I ended up writing something. I ended up releasing that thing that I wrote free and open source for the security community, and that is SimpleRisk.

So today we're going to talk to you guys a little bit more about kind of what goes on behind the scenes there. We'll talk about the management stuff and whatnot, but before we get into that, let's talk about the Atlas syndrome. The Atlas syndrome is the "no"; it's the idea that we are putting all this weight on our shoulders. So take a moment, think about all the security tools that are currently sitting in your arsenal, all the different things that are out there. How many are there? Five? Ten? Is there more than that? Once you have that number in your head, I want you guys to think about the alerts, the things like that, that are coming from your NGAV, the EDR, the firewalls, the SIEM right now. In terms of those alerts, SC Media did a survey back in 2018 and they said that 55% of enterprises see more than 10,000 alerts per day, and 27% saw more than a million alerts per day. That's a crazy number when you start to think of it, and maybe you guys are seeing that same kind of thing. And Demisto in 2018 did a State of SOAR report where they said security teams were bombarded with a hundred and seven... right, there we go. Sorry, I was getting a different presentation coming in over me. I was like, this is super weird, and I just closed the process. So that SOAR report basically said that the security teams were bombarded with 174,000 alerts per week and averaged about 25,000 per day. So regardless of the source, we know that our security teams are up against a constant barrage of alerts. Now, since we know about all these different alerts: when I was at NI we had about a hundred thousand vulnerabilities that were found by our scanner, and all those different vulnerabilities that were found were waiting to be triaged. So if you think about it, this was me: every platform that I owned, every vulnerability that was found, these were my burdens to bear. And in short, this was me. I'd have panic attacks thinking about all the what-if scenarios. I sometimes had trouble sleeping at night thinking about which would be the nail in my coffin. Can any of you guys relate to this? John, do you relate to this?

Absolutely. I mean, Josh, having been in information security for over 10 years now, this is what we deal with day in and day out: that heavy weight on our shoulders of knowing everything that's going wrong, knowing where all the skeletons are, knowing what's going bump in the night. And it literally can be physically taxing, like, no joke. But also it's something that hampers us in our performance, in our professional advancement, and the success that we have in work if we don't figure out how to manage it and get through it.

Absolutely. Now I'm guessing the rest of you guys feel that same way as well, and what we're going to talk about today is kind of what we do about that. John's going to cover that a little bit more. The other issue that we run into, the thing that we see very frequently, is what we call the Chicken Little effect, and we see practitioners going this route all the time. The idea here is that with every new issue discovered, the sky is falling, right? Every issue that we find is the worst issue possible. There's no prioritization, there's no way to discern which thing is the most important thing to work on, and it ends up becoming a constant distraction from the work which pays the bills, right? And that's a big issue there. So what happens? All right, well, what if I told you that eventually management is going to start to ignore you? You're going to get used to hearing the word "no", right, over and over again, because you're now being seen as an inhibitor to the business. So this is your last chance. After this, there's no turning back. You can take this blue pill and the story ends: you guys can go back to work, you can continue to feel like Atlas, you can bemoan to your fellow security practitioners about how you're constantly being told "no". Or you can take the red pill, you can stay in wonderland, and John and I are going to show you how deep this rabbit hole goes. And remember, what we're offering here is the truth and nothing more. Right, very Matrix-y, but you get the idea. You can pick that red pill, you're going to go back to the same old way, the same binary approach, the same Atlas syndrome, or you can listen to us and find a new way to approach it, which is the non-binary way. And so I'm going to let John kind of take it from here.

Sure thing. Thanks, Josh. So we're presenting an alternative approach. Instead of the Chicken Little, Atlas syndrome approach, we're presenting a new approach to information security management. The foundation of that is an entirely new perspective: that security leadership's responsibility really is to define, assess and contextualize while reporting. So the key here is that we have to understand our role as security practitioners, and most important in understanding that role is that we are not the risk owners. We are risk discoverers, and we help teams to understand and respond to, or treat, that risk. So let's jump ahead one more slide here, and we want to talk about how we do that. Well, look, our companies trust us to conduct risk assessments, or maybe the better word is they entrust us to conduct risk assessments. We start by proposing and working for agreement on a list of controls, or on a control framework, and then we analyze against those frameworks. We're there to serve the business and to support them in improving security by helping them ensure they're adhering to, or in compliance with, those frameworks. To accomplish all of this, our program has to be written down and approved by senior management.

Now, there's an interesting kind of side conversation that you and I had here, John, which is this idea of auditors, right? That now that we've got our framework, the auditors are going to come in, and they're going to say, "Hey, you know, these are the things that you should do." I had this happen to me when I was at NI, where they said, "Hey, here's the checklist. Do you do this?" And I'd say yes, and they'd check that off. And then they'd say, "Do you do this?" and I'd be like no, and they'd check that off, right? And I ended up writing a blog post about this called "Auditors Don't Understand Security". The whole idea is that this checklist approach to risk management just doesn't work, right, the idea of risk assessment via checklist. What are your thoughts on that?

Well, that's a good question. I want to actually drill down a little further into this risk management framework and talk more about it. And by the way, this risk management framework should not be new to anyone. This is what we do all day long, and it's a more visual way of looking at what we do as leaders. We run parts of the company through a traditional risk management framework or process. What's important in all of this is the new phase I've added on there, the document phase, right? It's important to provide a clear definition of done for a given control. Otherwise the business runs out of patience with us, or, because the definition of done is not clear, they always say, "Yeah, yeah, we've got that, we've got that." So our program can either be unclear and frustrating to our business customers, or our program can be ineffective, a paper tiger at best. So by having this solid framework where we document our controls, and then we assess, prioritize, plan and track the remediation of vulnerabilities, this is a better approach to completing that cycle. Now, Josh, I want you to tell me a little story about the last time you did a road mapping exercise.

Yeah, absolutely. So, you know, back when I worked at National Instruments my management kept coming to me and they said, "Josh, when is this going to be done? When are you done? When does security stop?" And, you know, the funny thing about this is, we all know as security practitioners it never stops, right? The goal posts are constantly moving, because our threats, our adversaries, are constantly changing their approach. So I did this exercise: I took the NIST Cybersecurity Framework and went through it, and for each individual item in there I said, this is where we're at today and this is where I want to get to, basically an assessment of our state. And what we looked at for that was the difference between the two: you know, if there was a big gap, that's a big risk; if it's a small gap, it's a small risk. But at the end of the day we were able to basically take this exercise that we did and turn it into a road map for our organization. We could say that, hey, if I bridge this gap, now we're in the place that we need to be in order to move our organization forward.

And the key is to get to that bar, Josh, like you said, right? So there's an assessment of where we are today versus where we want to be, and what's important is making sure that senior management is on board with where we want to be. Once we have agreement there, then we can define those gaps. We're not the owners of those gaps, we're not the bad guys that are bringing bad news. Our job is to observe, and we can now answer that question: when does this stop? Well, it stops when we meet the bar that was set by leadership, which leadership approved. Then we go to work on it. Now, the key is that we work with leadership. We start because we're security experts; we're the ones that really know what the right controls are. So we'll sit down, come up with those controls, propose them to senior leadership, help them understand the pros and cons of either meeting or deviating from that particular control, and eventually we reach that conclusion. So part of our job here is to build consensus. Now go ahead, Josh, do you have something you want to say?

I was just going to say, you know, one thing that I wanted to key in on there is what you said: this is a proposal. We're telling management, right, this is what we'd like to see, but we're not deciding. As security practitioners we're not the decision makers, because we all know the people, the budget, things like that.

Yeah, that's right. I mean, as a CISO, for instance, my job is very different from what it was, you know, 10 years ago as a director of security. Today my job is to sit with senior leaders in the company and talk from a strategic perspective about risk, talk about what the appropriate control frameworks might look like, and talk about the business problems that we're facing that might prevent us from implementing those. So it is very much a conversation that we have to have at the leadership level. Now, Josh, you know, I get asked a lot, either within my organizations but often outside of organizations (by the way, I'm really active on LinkedIn, you can follow me there or connect with me; I'm also pretty active on Reddit, a little more anonymously, but still, same idea), I talk a lot about leadership and about security, and one of the controversial things I always tell people is I don't care if you have policies or procedures in place, I want to see an incident response plan first. And there are a lot of people who say, "No, no, you can't do that. You have to have a policy to dictate your procedure or you can't move forward," right? So some people really assert that we have to have policy and procedure first, others say we have to have controls, and it's an age-old argument. But what's interesting about this argument is it's actually a trick question, right? We need policy and procedure, we need controls, pretty much at the same time. If you want to pop to the next slide, Josh... pretty much at the same time, and as we develop one it will feed off the other, and we'll be going back and forth. Oh, sorry, I skipped ahead one, didn't I? We'll be flipping back and forth. So just in this approach, where we're talking about, you know, we want to go to senior leadership with a control set, well, we have to have a policy first. They're going to inform one another. You're going to write these together if they don't exist today; you're going to modify them together if they are in place today. That's the important thing. So both of them come first.

And so the real question here is, what is our responsibility? So really, to summarize what we're talking about: senior leadership's responsibility rests in identifying and communicating where the risk is. That is what a strong risk management program does, and then we define the associated processes to correct that program. How do we track what decisions are being made, and who's making these decisions, is another thing we need to tackle. When we have that tackled, what we're doing now is we're setting a bar, we're identifying gaps between where we are today and where that bar is, then we're sharing those gaps with the actual owners of them, and then we're also collecting from them their plan to remediate that. All along, senior management is informed. They understand, from a metrics perspective as well as an anecdotal perspective, where we stand. The business may start fighting us on this, because what we're doing is we're ridding ourselves of the Atlas syndrome. We're taking that big ball of responsibility for the security work, picking it up, dividing it, and placing it on the shoulders of the business owners who have agreed to the controls but have the control gaps and are responsible for the remediation. By the way, the business might really fight you the first time you try to document their decision not to fix something, but that's okay. Those conversations are what we need to have, and I actually want to talk briefly about that: what if they say no?

So I want to put in your mind this idea that we don't have all of the context of what's going on in the business. We don't understand everything around the decisions our executives are making and the issues that they're facing, and honestly, sometimes it's probably better not to know. It's not that leaders don't value security, although I will admit there are some who do not, but rather that in the context of everything else, that information security vulnerability we're talking about may not be the priority, right? So, for instance, as a startup company we may be so small and have such small revenue that the decision is either we add new features and gain new revenue, or we go out of business, and we don't really have the luxury of addressing some of that security stuff. We have to take a risk, because otherwise we're threatening the very existence of the company. This is where you as the security leader really define yourself. You can complain or whine and say, you know, "My CSO is an idiot, my CEO is a jerk," whatever you want to say, or you can accept the answer and come up with an alternative that might help compensate for or mitigate the risk. It may not be a full mitigation, but it might help to reduce the risk to an acceptable level. The key takeaway I want you to have here is that "no" is not a terminus, it's a junction. The successful leaders in business today, in information security, are those who look at "no" as an opportunity to get to "yes". That is the most important characteristic we can have. Now we want to be able to take all of this information and bring it together and get to "yes" on the right things. We want to be able to filter our highest risks to the top, so we can have good, effective conversations about those and deal with those sooner. The challenge is, how do we do that? How do we bring all of our risks together? How do we understand what appropriate mitigations are for those risks? How do we document the decisions that we have made, and how do we ensure that senior management is buying off on those decisions and we can literally prove that they made that decision? Well, now we need tools, and as Josh pointed out earlier, probably the tools we have today aren't enough. So, Josh, I want you to take a few minutes and talk more about that.

Yeah, absolutely. So when it comes to tools for risk management, you know, we need good tools that enable information security leadership by creating a strong governance foundation. We need those frameworks that John talked about. We need to develop a strong risk management process, something that's easy to understand, something that's easy to follow. Identifying and communicating this risk is where the strong risk management program and the associated processes come into play, and so this is how we end up getting rid of that Atlas syndrome. Additionally, enforcing separate roles for risk assessment, conveyance and acceptance, and then, you know, lastly, enabling the business to make informed, risk-based decisions. And that really is going to be the key thing here: our business is the ones making the decisions, and that's going to be a theme kind of throughout this presentation. Now, have you guys ever seen a spreadsheet like this? These are my favorites.

Oh yeah, I mean, I lived th