
All right, so I'll just start with a quick intro to get started. By four o'clock I should be done with that and we can get to work here. My name is Paul Robinson, from Rochester. I know we have some Rochester folks in here. I've had the honor and privilege of being in the cybersecurity community in Rochester for 14 years this coming October. I'm also aware, with this presentation, that I have three strikes against me. Strike one: I told a few of you my daughter's junior prom was last night, and she decided to make her appearance at 3:30 in the morning, and I was at Richard's house to pick him up at six, which was about a 20-minute drive. So I had probably an hour and a half of sleep, and I probably won't remember a damn thing that I'm saying here today. So that's strike one. Strike two is that it is a sunny day in Buffalo, it's warm out, and you've been here all day. So that's strike two. Strike three against me at this point is that I'm talking about something that is not that technical, and I'm up against a very popular talk right now that a lot of people said they were going to and didn't want to miss. So that's fun, that's cool, I'm down with that. I get it, I get it, it's all good.

So again, I've had the privilege of being in cybersecurity for 14 years, and about five years ago I came up with the idea that we have a fundamental problem in our industry. This can be interactive, you can agree or disagree, whatever, but the fundamental problem we have is that we have a tendency as companies and organizations to throw tools at problems without thinking it through. I'll pause there after making that statement and see the nods or the shaking of heads or things like that. But it's a problem, because we chase the blinky shiny lights when it comes to cybersecurity. We get the seventy thousand dollar Gartner report, we go top right, we're like, okay, I'm gonna buy that. But I'm a 250-employee manufacturing organization and I just bought a tool that takes two FTEs to run, but I only have one person in my security department. The math just doesn't work. It just doesn't work, and it didn't work for me when I was thinking it through.

So about six months ago, again, I'm from Rochester, originally from Brooklyn, so there's a lot of crazy in me, I said, all right, there are two things that I have an opportunity to do here. Either I try something really wild and crazy now, without having regret 10 years from now that I didn't do it, or I just kind of stay in the background and go along with the crowd for what it is. So I went crazy, and six weeks ago I started my own cybersecurity consulting firm. Independent, it's just me. I'm not a VAR, I'm not a systems integrator, I'm not plugging in firewalls, I'm not doing anything like that. But I really see this being a problem for organizations, and leaving them extremely vulnerable, by not having a plan for the tools that they have. So I wanted to take some time today. I've got this to about 35 or 40 minutes, hopefully it stays around there, to get you out a couple of minutes early to enjoy the day. But it's about our programs and our tools centered around cybersecurity risk.

"If you build it, they will come." Anybody remember what movie that's from? Okay, all right, good, good, yep, yep, it's from Field of Dreams. What we want to do here is unpack building a cybersecurity program for your organization and having the program automated by tools, and I'll get into that slide in a little bit. So I'm going to go a little bit backwards here: at the end of the presentation I'm going to talk about some things that I've seen major organizations with successful cybersecurity programs do to start to build that program. But first I want to build the case for it. So, like I said, the program automates the tools. "Ask Jerry." So we're going to let Seinfeld talk to us about automating issues.
Elaine [Music] [Applause] oh hi welcome back how are the shows great I had fun where's the TV where's the VCR what they were stolen stolen when okay a couple of hours ago the police are coming right over stolen someone left the door open oh yeah you left the door open oh you know I was cooking and I like you know I came in to get the spatula I'm at the door open because I was going to bring the spatula right back wait you left the lock open or the door open the door the door you put the door open I was gonna bring the spatula right back yeah and well I got caught up watching a soap
opera Bold and the Beautiful [Music] so the doors line up Wild [Music] where were you said Bloomingdale's waiting for the shower to heat up look Jerry I'm sorry I'm you have insurance right buddy no how can you not have insurance because I spent my money on the clapco d29 it's the most impenetrable lock on the market today it has only one design flaw the door must be closed [Music] so after the 13th time watching that episode um I came up with a correlation to our industry and um it's it's a really interesting kind of metaphor into cyber security so Jerry spends all this money on the klepto x-29 lock but something as simple as Kramer coming
in and leaving the door open it didn't matter because the door was unlocked Robert came in cleaned them out it's a whole other mess of an episode great episode if you could actually watch the whole thing through but that kind of goes into what I'm talking about having the program Autumn being automated by the tools so if Jerry had taken time to sit there and talk with Elaine and talk with Kramer and talk with George and say hey I just spent a ton of money on this expensive lock that's impenetrable all you have to do is just make sure you shut the door and lock it that's kind of the program of how to use
that lot so we didn't talk about it he just assumed hey the lock is there and we're going to be fine and we see that so many times in in our industry I had an organization that called me up on a Friday at four o'clock and the guy was upset because he got Riot um blew up the backups encrypted uh fraud complete mess but he was angry because he bought a tool that I won't mention the name but they're in the car racing these days and they have a very high stock price we'll mention anything but um but he said but they said they stopped breaches and they gave me a million dollar guarantee that nothing
will come through here I don't understand what happened and so when the forensics took place and everything took place we looked at the configurations that they did for the for the tool they forgot one important thing they forgot one configuration and that was all the Intruder needed to get in destroy the business and and cause a whole mess another thing I used to have a running joke I used to work for a company that did ir and we would have a side bet on any IR that came in what would be the chances of them being an over 365 shop without having multi-factor Authentication and we're like okay the per the organization that had it on and he still
got hit we're going to buy each other a state dinner we never want to save them it was always the case o365 was spending money on all these licenses but you don't have multi-factor authentication on it S3 buckets there's another one Equifax one of the biggest ones that were out there S3 buckets wide open without without multi-factor Authentication so how do we enforce this well we make it part of our security culture and security culture is something that we're lacking these days where people understand the risk that's involved without executing on our tools probably so building a policy and procedure and saying anything that touches our Network that's connected that we can password protect we're going to add multi-factor
authentication to it just because here's what happens if we don't or if we buy a new security tool for our environment we're going to either get Professional Services for it or we're going to make sure that every eye is dotted every T is crossed to make sure that the tool that we have purchased is going to be to make sure that we are protected and that we're in good shape the next piece of it is that the program needs to be understood understood so ask Garcia so how many of you are familiar with this when you're trying to articulate cyber security to the business [Music] whoa welcome to the 21st century hey technology behold everyone has a new tablet you put on
paperless you're not the doctor of the Dark Ages I went old school for anti-technology Quirk paper files hard copy photos but the Abacus is your responsibility actually not that I don't appreciate your efforts but exactly where did the funding for these come from I did a thing a thing let's not talk about the thing we'll talk about the thing later so this is the beauty of these sides in my opinion you guys and ladies are the best and the brightest Minds in Western New York when it comes to cyber security brilliant it's intimidating standing up here as you can tell how Rowan and Kelsey helped me to fix this out not exactly on par with you guys from the
technology perspective and the knowledge that you have. It's the same thing with your organizations: they're not the best and brightest and smartest, and you kind of have to break it down into layman's terms to get them to understand how you're trying to execute on a cybersecurity program. Security is an emotional thing; there's a lot of emotion tied into it. I've had CISOs cry on my shoulder. I am from Brooklyn, I do not do emotions, so to have a grown man weep on my shoulder and drape his arms over me, six foot four, six foot five, was horrific. I love the guy, we're best buds now, but it was horrific. But he was scared, because he's like, yeah, you know, I'm just terrified that I'm going to go to jail and everything like that. Going back to that story, he had tried to articulate to the organization the need for an incident response plan, and he was just saying, guys, we just need to have a plan in place, or something, in case something happens, and they rebuffed it and rebuffed it and rebuffed it. Six months later I get a call from him at 4 a.m.: we're hard down, like we're hard down, we're losing money left and right, and we're in trouble.

So what we want our programs to be able to do is to be understood by corporate, so they understand the severity of what a cyber attack could do, what could happen in a cyber attack. I did a pen test presentation at an assisted living facility, and 82 percent of the nurses credentialed into a phishing attempt. That was good. And I was in charge of giving the presentation on the results and what happened. So the nurses are sitting there, the chief medical doctors are sitting there, HR is sitting there, and they're all laughing. They thought it was funny. They're like, oh, I guess we're stupid, I guess we're not technology-centered. And I paused and I said, you do realize you can kill patients like this? A hush fell over the room. People gave me dirty looks and they're like, what are you talking about? I'm like, yes. Mr. Smith on the fifth floor takes diabetic medication, a five milligram pill. Criminals are trying to cause harm to the people that you're dealing with. So let's say they add two zeros to the script, because they got into the network due to your negligence, and you give Mr. Smith 500 milligrams of it. He's killed. That's real stuff. And it started to play, it started to get into their brains: oh my goodness, this is something that we need to keep an eye on.

I did a presentation at a school district, the town board was there, and they clearly needed to do some things to shore up their security defenses. And again, I'm from Brooklyn, so, you know, I'll leave it at that because this is being recorded. The superintendent's like, well, we can't afford it, and we can't do anything with the student data, we'll just try our best and whatever. I said, okay, you could have a child killed because of a cyber attack. She was like, what are you talking about? Who are you to say that? I'm like, okay, let's do the scenario. I said, do you have health records in your database for the students here? Yes. I said, okay, do you have children that have antidepressant medication or medication for mental health? She says, absolutely. I said, okay, let's say a student breaks into the student records and they find out that the captain of the cheerleading team is on antidepressants and mental health drugs, and they decide to be a jerk about it, and they put out on Facebook that this child is on mental health drugs. I have children that work through mental health, and I would be scared to know how they'd react to that. It could be catastrophic, it could be terminal. It's that serious. And so it started to click.

So when we're building our programs, we need to make sure that the business understands what it is that we're trying to protect. Again, you're all geniuses here, so you can get up here and talk about cryptography, you can talk about 10.10.10, you can talk about the OSI model, you can talk about OSINT, you can talk about all this stuff, and it's just going to go over their heads, because they can't comprehend that. But what you want to do is give a real-life scenario of what happened. Anybody remember the payroll attack that took place a couple of years ago, from the payroll company? So the payroll company got hit, and people went without paychecks all December. So Hanukkah, Christmas, Kwanzaa, New Year's, anything else that's celebrated costs money: presents are expensive, meals, trips, and you have no access to that money. So that's the way you have to be when you talk with your bosses, to say, listen, can we afford to have this happen? No, absolutely not. That's why we need a program put in place, and then once the program is established, we can talk about the tools.

The program is about the money. The program's about the money. I'm not going to play the video because it's annoying; he's my least favorite character on it. But anyway, Kevin O'Leary goes on and says "money" about 34
times and I think it's two minutes or something like that just about how he talks about money and really this is all an exercise in money preservation for organizations so I'll ask a question let's say a magic wand was waived and there was no more monetary value of pii you think we'd all have jobs
um well there are other information assets they're off they're off they're off but would you say that that would eradicate a lot of problems that we had if we took the dollar amount away from I'd have to be satisfied that the reason there are legal protections for certain pii especially thinking minor students K-12 students is more than its monetary value but in the U.S I literally could be wrong no David's one of my best friends in the industry by the way so yeah I knew he'd say something he's always good for that so I appreciate you bringing yes I do start off and I love it we need more damage but um would it eradicate probably not
eradicate 100 but if you told the criminals and you know that we're looking to gain um finances by taking pii stealing it selling it on a dark web monetizing all like that like we would have problems this this is another thing that you should build the programmer now I'm going to go to the executive and board level piece of it so I kind of talked about the business piece of it for the executive and board level piece of it so Kevin CEO he sits on boards and whatever and all he knows about his money like that's all he cares about is money and that's really all the executives and the boards care about is money and how are we
protecting money for ourselves. To give you a story: there's an organization in Seattle that I did an incident with. You know how you get the flyers for Tops and for M&T Bank, and they come in the mail and all that? They're one of the leading providers of that, and they got hit, and they were brought to a screeching halt for 32 days; they couldn't produce anything. And it was very interesting, because they were ISO compliant, SOC 2 attested, PCI, HIPAA, HITRUST, because of all the information they were gathering from their vendors. And their three top vendors all came back to them and said, okay, you did the forensics report, and going through it, it's showing us that this came through a password that was able to be cracked. This doesn't line up with the policies and procedures of the things that you attest to. We want to review all of your policies and procedures. And they reviewed them, and they said, how did you get this? How did you pass the ISO audit? How did you get SOC 2 attested? This is garbage. This is absolute garbage. And they're like, well, there was this company in another country, I won't mention the country, it's a company in another country, and they said for five thousand dollars they could get us SOC 2 attested, ISO audited, HITRUST certified, and we didn't have enough money to spend, and we just did it like that. Like, okay, great. Here's what happened: all three companies left them. 20 percent workforce reduction, because they could not afford to pay the employees of the organization because of all the lost revenue that happened. And oh, by the way, they were losing up to 168 thousand dollars a day for non-production; multiply that times 38.

Money is very important in the programs that we build. So when we're articulating to our executives, when we're articulating to the boards, and we go up with the Nessus report, with the heat maps and the 10-dot addresses and the 255-dot addresses and all this technical jargon, it goes over their heads. And I've heard some security people say, oh, my board's stupid, my executive team's stupid. No, they're not. You don't get to that point by being stupid; you get to that point because you know how to make money and you know how to generate revenue.

So I have a million dollar idea, and if one of you steals it, please just send me and my family to an all-inclusive, that's all I ask. I'm not looking to do whatever, and one of you guys or gals will be smart enough to put this together. We need to come up with a Babel fish for cybersecurity. We need to come up with a Babel fish. We know about the Babel fish, the language translator. We need a language, so it's an application, a Babel fish. Yes, yes, yes. So we need to have the ability as technical people to talk to all facets of our organization. So, you know, again, being smart, having our CISSPs, having our CISAs, great stuff, but if we can't take that information and break it down for them, then we're in trouble. Like, I took this presentation through my wife. My wife is awesome, she's great, she's smart, she's not a security person. I had to make sure that this presentation was understandable for her, to say, okay, it's simple enough to where you all can take some of this information back to your executive teams and have the ability to convey some of the things that you've learned here today.

An example that I always give is, I think of a car dealership. Car dealerships now, the FTC rule is coming out, yeah, they're taking it a little bit more seriously, but whatever. Go to a salesperson at a car dealership and tell them that they have to put multi-factor authentication on the iPad that they have, and watch the objections fly all over the place: you're going to slow me down, I'm just trying to sell cars here, I'm not a security person. Okay, Mr. and Mrs. Salesperson, let me ask you something. Let's say you have a list of 100 clients that you're supposed to call back this month that are looking for cars to buy, and your biggest competitor steals that data. What happens to you? I lose my job. Absolutely. So that's why we're putting this in place for you, to make sure that you are preserved, your checks are preserved. Your checks preserved means that your family eats. Your family eats means that they're happy. Happiness at home is a very good thing. So again, when we take the Garcia example, this example brings some emotions into it. Get to the heart of
the matter and get people to understand how serious this is.

Lastly, the program needs to be resilient. This is something that's coming up a lot more often in our industry, which I'm really glad about, and in my practice I really want to get people to start thinking about cyber resiliency. Anybody remember the John Chambers quote, when he was with Cisco: it's not if but when, when it comes to a cyber attack? And how angry people got from that, because they're like, oh, you're just trying to sell me more ASAs, you're a jerk, and all like that. It was a little provocative back then, 10 years ago, because a lot of these things weren't prevalent. But it's now out of our control whether we get attacked or not. Just today, just today, the University of Rochester announced that they experienced a data incident. We're going to call it an incident; breach is a legal word, not a technical word, so we don't say breach, we'll say it's an incident at this point. But their incident took place because of a third party software vendor. How do you keep up with that? I don't care how big your team is, I don't care how big your tool set is, how do you keep up with that? The information bulletin that came out from Windows last week talked about how China has now infiltrated our telecoms and our critical grid systems. People say, well, you know, we're doing what we can and we're okay and everything like that, we're not worried, they don't want us. It's like, okay, well, if you are an organization that relies on internet, phone and electricity, and that comes down, you do not have control over them. That's just going to come down and you're going to be in trouble, because someone from a cyber perspective has indirectly impacted your organization.

So this thought of resiliency, and we're moving quick, so I'm going to play this real quick. This is in 2005, Hurricane Katrina, and I got this fact-checked by someone that was actually involved in FEMA at that time, so this is not a stretch; you could fact check me on this one. But this is the levee. This is the levee that broke. As you can see, the water is just streaming and pouring into the neighborhood by the millions of gallons. And what they're doing here right now is they've dropped this inflatable type thing here. You can start to see it rising from underneath, and there it is, and it's stopping it. And now we have a patchwork situation in place until we can get something in that's a little bit more fortified.

So, perspective: New Orleans knew the risk that they had already. It's not like, oh, a hurricane's coming, we never thought a hurricane would hit here. The preparation for Katrina was massive. The efforts were massive. There were evacuation plans, there were storm windows going up, they used the Superdome, they had the National Guard on standby. The hurricane hits. No one accounted for the levees breaking. No one accounted for the levees breaking, and when the levees broke it destroyed neighborhoods, made them unrecognizable. From a security perspective, what happens when a levee breaks? What are we going to do? What are we going to do when we have a rack full of the high-tech Gartner top-right-corner stuff, they took me to a steak dinner and a Bills game and I loved them so much, and that fails us, and I go through them, what do we do? What do we do in that situation? We need to build resiliency into our programs. We need to say, okay, not if but when something happens, how do we get that 38-day incident that took place down to 12 days, and how do we not lose three of our biggest customers, or even one of our biggest customers, so that we can be resilient? How can we survive the catastrophic impact of an incident?

Has anybody been involved in an incident? Well, it's a weird question, because some people are like, well, I can't legally say it, but, you know, give me the wink of the eye or something like that. But I think a majority of us have seen what an incident looks like. It's horrible. I have seen network engineers sleeping on cots in data centers. I've seen people lose time with family. I had a CIO that had her daughter's senior soccer banquet that she wanted to go to; the kid played soccer from freshman through senior year of high school. She had to miss it because she had to be on a call with DHS and a couple of other three-letter agencies to talk about what had taken place. Either you do that or, you know, you're in trouble, like, I don't know if it's jail or something, but she had to be there, so she had to miss her daughter's senior banquet. And so when we build our plans and we decide on the tools that we're buying, we need to have that in mind: okay, if something, God forbid, or when something, God forbid, happens, how quickly can I get up? How quickly can I stem the tide? How quickly can I stop the bleeding, to make sure that we are generating revenue as quickly as possible, or if it's healthcare, making sure that our patients are healthy? We had a great conversation about that today, of how healthcare is double jeopardy, because not only do you have the stress of keeping a network that's in total flux going and secure, but then you have patient safety. Anybody remember ECMC from 2016? So the big concern there was, they were a tier one hospital, so there was actually thought and concern around the fact of, is this a terrorist attack, where they've knocked us out and then someone crashes a plane, or someone takes an 18-wheeler and has a major wreck on the 90, and we have nowhere to treat people? Like, legitimately can't take care of people. And so again, the resilience piece of it is of major importance.

So, as I promised, let's talk about how we build it.
How do we build the program out? How do we go back to our organizations, how do we go back today, or Monday, sit at our desk and say, okay, we have a plan in place? We need to have a program in place that has our company culture built inside of it, and has the thoughts and minds of our employees, the thoughts and minds of our clients, our vendors, and things like that.

First thing is, know your business. Don't you hate when someone comes up here and they're like, did you hear about the Target breach? I hate when people do this. It was a major retailer; it doesn't fit. It doesn't fit. I've sat in meetings before in healthcare, I've sat in meetings before in finance, I've sat in meetings before in K-12, and the vendor brings up the Target breach. It's the dumbest thing. It's a retail environment; that doesn't hit home. We have to know our business. We have to know our business. The first question I ask people when I talk to them, this is the most sophisticated cybersecurity question I can ask: how do you make money? Start there. How do you make money, and how are you connected, and how are you protecting yourself from that connectivity? So if you're in K-12, know the risk in K-12: that's children. If you're in healthcare, know the risk in your business: patient health.

Now you need to assess the risk. And when I say an assessment, I'm not saying run a Nessus scan on your environment and call that an assessment. I'm talking about a holistic business risk assessment for your environment. This is something that you can run internally, this is something that you can third-party out, but a Nessus scan is not going to pick up on the weakness of your policies and procedures. A Nessus scan is not going to test the mettle of your employees and how they're keeping you safe. You want to get a full assessment, a full 360 assessment of the business, and understand exactly what the risks are, holistically. So in that meeting we want HR in there, we want sales in there, we want marketing in there, we want operations, and we want everybody in there, because everybody holds a piece of the risk. We talk about data security, and this is some guy that I used to work with, and he used to say, okay, who's in charge of data security here? And we'd have a whole table of people sitting around, and they'd say, well, it's the CISO's job, or it's the DPO's job, or, you know, it's... It's like, no: it's you, it's you, it's you, it's you, it's you, it's you. Our employees are all in charge of the data, so we've got to include them in this assessment.

And then decide what to do with the risk. Risk is awesome, because no vendor, not myself, not anybody, can say what you do with the risk. Yeah, you want to mitigate as much risk as you possibly can, but you can assume some of it; some risk maybe is out of bounds to take care of. I work with so many manufacturing organizations that have their mission-critical machinery on their shop floor pre-XP. You have two choices: either you leave it as is, and you know that there's risk, and you come up with a plan to mitigate as quick as possible, or you load a tool in there, it explodes, business shutdown, you can't operate anymore. So when you get the risk assessment done, then you have a logical conversation with the business, saying, okay, we can't afford to take care of this risk now, but at least we know about it. The worst thing, and where a lot of trip-ups happen in incident response, is the element of surprise. It's the ambush. It's the element of surprise. Why do you think a lot of these things happen at two or three o'clock in the morning? They want to shock you. It's not, you know, one o'clock on a Monday afternoon when it's fully staffed, when everybody's there. It's two o'clock in the morning. They want that element of surprise. So having a solid program, having an incident response plan in place, that'll help you to know what's going on, and then the risks that could have been exploited, at least it's not a surprise, and at least you have some sort of plan around them.

And then you build a business plan of action and milestones. So I've kind of dumped on tools a little bit, and I want to take a step back here. Tools are
important tools are very important but when you build your plan of action and Milestones it shouldn't be well we got to buy xdr we got to buy soar we got to buy a firewall we got to buy something to bake bread like whatever they all do the things and I see a lot of organizations take that path like hey what's your cyber security strategy well we got funding we're going to buy all these tools the business plan of action could be actually no cost to the organization to take care of themselves hey we need to do policies and procedures you can Outsource that sure but if you put HR security and operations in the room you might be able
to bang out policies and procedures pretty quickly I'm going to give you a little cheat code checkupt very interesting I put in chat gbt I am a 250 person manufacturing organization that has to adhere to government standards please help me write an incident a written information security plan it got me 80 of the way there it's pretty interesting so it's not 100 but it got to be 80 of the way there and so when you build these plans of an action of actions and Milestones it doesn't necessarily cost you a fortune to do it and it will itemize what you need to do for most important the least important I know a lot of people are like oh I can knock out ten
through seven really quickly really cheaply let me go after that but if you do that and you leave one at the top open as your biggest threat and vulnerability you're in trouble like I talk to people all the time it's like well I'm gonna do a penthouse okay great why are you going to do a 10 test well because we do one every year we have to check the box and we need to show that we've done something okay where is pen testing stand in your cyber security risk strategy let's cyber security risk strategy that's a question to ask so I'm actually helping them save money to say hey maybe that's not number one maybe number one is an incident response
Get an organization-wide buy-in. Again, as I said, I hate when people say people are our biggest weakness in cyber security. It doesn't sit well with me; I know it sits well with some people. I don't die on many hills, I kind of die on this hill, because it just demoralizes people. It's like "oh, I'm a schmuck, okay, whatever", and it doesn't get people excited, it doesn't get people interested, it doesn't get people passionate about protecting the organization. You know, when the ECMC thing happened I was in a meeting with some of the nurses and the nurses were angry, and they weren't angry because they had to go back to pen and paper, but they were angry because they looked at these criminals trying to kill their patients and they were upset, they were mad, and they felt the passion, they felt "oh, we've been attacked, we've been attacked", and that's the kind of emotion you want to stir inside of your organizations: I'm going to protect my organization's assets, because if I don't take the time to do that, that could cause harm for my fellow workers, that could cause harm for my family, that could cause harm for my career.

So we want to get that organization-wide buy-in. One of the best things I ever saw was I worked on a project and the CEO emailed the CISO, and he said the CEO was mad at his executive assistant because she's sending him phishing emails 50 times a day, because she's just on high alert. She got it, she got it, she's like "I have to protect my CEO, I'm his guard dog", and so, you know, we've pulled it back a little bit, but she got it, she got the whole thing.

And that is wash, rinse, repeat. There is no end to cyber security. You will never be a hundred percent secure, it's impossible. Your program will never be a hundred percent where it needs to be. Last year at this time at BSides, who was talking about ChatGPT? Come on, don't you say ChatGPT. Last year I was like "what is that?" Now it's the biggest thing, now it's driving security professionals out of their minds because they're like "I don't know what to do." So do your policies and procedures and your plan of actions, do they now reflect how you're going to do this new thing that's out there? We need to make sure that we articulate to our businesses that this is never ending. And again, executives and boards, there's a beginning and an end to a lot of different things, like "we have this project beginning and we're gonna have an end to it." Cyber security and risk does not end, and the sooner that we are able to understand that, the easier things will be able to go, the more nimble we'll be, the more flexible that we will be, the more fluid we'll be, because our adversaries, that's what they're doing. There's a BSides, and I'm not going to say a country because God forbid, you know, I don't know, but there's a BSides in some country right now where they're all around and they're having business meetings and they're having pipeline reviews of companies that they can get. They're always on the move, 24x7, 365. Nation state organizations are motivated to take us down and to make our lives miserable, that's what their motivation is. Common criminals are motivated by money. Some countries, you can make 35 cents a day by bagging groceries or thirty five thousand dollars a day by cracking into members. I like to think that I'm a moral guy; that's real money, that's real money. And so we have to combat our adversaries with the same fervor, with the same precision in building the programs that we have. So that is 10 minutes. Any questions, any thoughts?

I have a question. Yes. What would you say
about rolling disaster recovery into incident response and making the same plan address both situations, in the way of, you know, because a lot of the risks that you see in a disaster situation is the same type of risk that you would see if your internet's broken for a cyber security reason. So you might be able to help your business decide to work on the cyber side by also rolling that into the overall business plan of "what do we do if the business is", you know, here we have winter storms, you know, a blizzard comes in and knocks out power to half the city, how do you keep your business operation going during that time, you know, who do you call, what you call, how you do that. That could all be rolled into this just as an extension of it or a pre-portion of this.

So that's a good point. So how I see it is as a part of the business continuity plan. Usually this is a different department that handles that, right, legal. Legal, yeah. So technically hand in hand, and it has to be a collaborative effort between the IR plan, yeah, the business continuity plan, and then the disaster recovery is usually the infrastructure team, right? Yeah, but they all have a lot of the same information, kind of an interlinked tree. To start with, with the top center of their assessed risk, so when you do that you're actually going to break that down, because there are different systems that the organization already operates, right? There's a payroll system and there's a manufacturing ERP, let's say, and then there's a sales, kind of customer relationship management, whatever else there is, and each of those you're going to do a process called business impact assessment, and you're going to look at each system and figure out what does this mean to the business: what if I couldn't use this for a day or a week or a month, would I be out of business, would I be hurting but I could manage, would it be like "that's inconvenient but I'll keep on". So you do that BIA process for each system that the business operates, and then from that BIA decides three things: an incident response plan that covers each of those systems, and a disaster recovery plan that tells you how to recover those systems if you can't operate them the way you operate them now, which, thank goodness for SaaS, because it takes a lot of work, and finally a business continuity plan that covers other, maybe non-IT, systems, like we have an office, we have a storefront, we have a manufacturing facility, how do we keep operating if, you know, the National Guard shows up and says floods come in, you got to get out of here and you can't,
literally can't go to it. I think, because it's a fundamental event that I've heard where they're like "well, keep the IRP separate from BCDR because we want to highlight cyber security", but I challenge that, because I say if you roll it in with BCDR, then the chance, the IR rolling in with BC and DR, you have a better chance for the organization to rally around that thing. So anyway, a cyber attack on par with an earthquake: so if I have a business that's built on the San Andreas Fault and my business is worried about "oh my gosh, if this is the big one we all sink", and then we all start, you know, La Brea Season Two, but if we can put it on par, that situation, with "hey, it's 2 A.M., we've just got our backups blown up, we just got production knocked down, we're not operational, the clock is ticking for us not to shut our business down", I think you can kind of slightly slide it in there and put it on par with it, and then you get it from that person. I think when you separate it, then it's all mental; there's a lot of mental gymnastics that we're doing in risk and cyber security, so if it's separate I feel that it's kind of still on its own island, it's kind of just, well, this is like, you know, sneakers or project hats and maybe you'll have it.

If, to your point earlier, saying, well, can we figure out a way to make this comprehensible to the people who would make the big decisions? Everyone can understand what would happen in a big casino or an earth... Yes, yes. So yes, that's your end right there, yes. It doesn't matter why we're down, but now what? Yes. If your organization has a function called risk management, it wasn't put there by IT or the CIO or the CISO, it was put there by the CEO and the COO and the CFO, the big three, and they pay attention to that function, so
if cyber security risk becomes one of the risks that risk management is also attuned to, then you will have automatically the attention of the C-suite. You know, I've noticed in my organization, I've done tabletop exercises, right, BCDR and IRP tabletop exercises, and one of the findings that I've seen is in organizations where there's a risk management office, the IRP, there's players from every part of the business there. But when the tabletop exercises for IRP occur, or when they attempt to occur, we stand in front of this to convince them not to do this, but if there's no risk management office, what I found more often than not is the room is filled with technology people. Exactly. And no one knows how to handle it, ransomware showing up, running a limited business, no one knows how to handle the legal issues, no one has... yeah, the data's getting out. So yeah, so that's a really good call out. So whether there's potential consolidation of those or not, if that's an opportunity, but I think the game changer I've seen is in the organizations that those are risk management plus, he has some, yeah.

So to piggyback on pretty much everything everyone said so far, just a little bit up here, there and everywhere: one way I've seen really successful in the past is there's different types of incidents. So I mean everyone in this room is very acutely familiar with the cyber security incident. Now let's say you have a, you know, public-facing business, whether that's in healthcare, finance, running a bank, storefronts, etc. There's also, you know, physical security; there can be a physical security incident. Now does cyber security necessarily need to sit in on the physical security meetings on how they are going to respond to an active shooter in the middle of the store? But all of that should feed into an overall business continuity, disaster recovery, incident response plan, and the cyber security incident response can act as an input into the overall larger business, which then goes into tabletops, is very helpful. You get the cyber folks, the operational IT folks, you sit them down, they run that part of the tabletop, then, you know, X number of days, months, weeks down the line you have the big players sit down and go "hey, so the cyber incident people did this, here are their inputs into the injections for your guys's tabletop", because again the CFO doesn't necessarily need to have a full understanding of exactly how they trace down the logs, but, you know, "hey, our estimated time to recovery is going to be three days" and stuff like that. So it's a cohesive system, but it still needs to remain separate for benefit. So, Jeff, what you're saying is, so cyber
insurance, when I push my IR button and I load in sent open, I load in an endpoint tool, yeah, that's not an IR plan. I've just seen, so I've never seen a tool go through litigation. That's exactly right, to your point, and to your point, that's a thing. Rolling that in was a great thing to bring up, because I actually learned something from that, because I've always struggled with that line of delineation between the two. I personally don't believe there should be that much delineation, because a lot of the same pieces of information that you need to solve one is the same thing that you would use to solve the other. You know, the PR contacts, who is the voice of the company in a PR incident, it's going to be the same thing if there's a disaster at the location as it is going to be if it's a security threat incident.

And I come at this from a slightly different angle. I come from, my background's in EMS, I have a lot of FEMA classes for incident response, for the drills that we used to do when I lived in Rochester, which is what happens if the Ginna nuclear plant in Webster has a major incident and they have to shift all of the kids from Wayne County into Erie County to protect them, and that's a disaster test that they do yearly, once for the feds and once for the state, alternating years. And so a lot of the things, logistics, that they look at for that massive move, I have no idea if any of the businesses in that area know what they're going to do if that happens, but they're all still affected and all of their kids are affected and all of those parents are affected, because all those parents would have to come into Erie County to go to MCC in this case to pick up their kids, because that's the busing destination. But I don't know, since I've
only been on the Erie County side of that, I don't know what they put out to the parents, you know, what is sent out for preparedness, and if the rest of the businesses even make a plan around that level of disaster, but it could all be the same type of disaster.

Oh, I apologize, I said 30 minutes. Oh yeah, I just would like to say that that line is already getting blurred. I've been through audits where in the past it was a simple question, "do you have good backups?" right, "yes". That needs to be, now they're going "when's the last time you verified your backups?" you know, "does everyone know where your DR plan is stored?" "when's the last time you did a walk through?" "when's the last time you did an actual exercise?" right. So it's getting blurred. So normally when you sit down with the auditor and talk about the security configuration of the system, things like that, they're starting to ask about both the BC and DR aspects of "have you considered how much you can actually cut back and be able to live along from BC, or what if you're hard down, how quickly can you get back on?" So there, you know, the auditors are starting to look at that in the same breath that they're looking at the system securities.

Yeah, see, I'm sorry, I said 30 minutes, we went to the top, but that was an awesome discussion. Thank you so much for participating. I really hope you got some good, my goal for this one is everybody gets some value out of it, where you can make where you work, or if you're working in, you know, start thinking about these things that you're assuming, if there's a place that you work at, make something that you can bring value to, make the organization a little bit more secure and risk tolerant these days. So thank you so much, I'm humbled by your attendance, and enjoy the evening. Thank you.