On October 25, GreyCastle Security hosted our first live #CastleChat Twitter Q&A. Our followers had the opportunity to ask our experts anything they’ve always wanted to know about cybersecurity. You can find the video and a full transcription below. (If you have any questions about cybersecurity not answered in the video, don’t hesitate to email us at firstname.lastname@example.org.)
Paul Robinson: Great. Good afternoon, everybody. Thank you for joining us today for Castle Chat, a service provided by GreyCastle Security to our viewers out there. My name is Paul Robinson, I am Security Solutions Advisor here at GreyCastle. And to the left of me I have three of my fellow knights here at GreyCastle that will be facilitating our discussion today. Right to my direct left is Reg Harnish, CEO and co-founder of GreyCastle Security. Christina D’Antonio, Security Specialist with a focus on risk and compliance. And Brian Didier to my far left there who is our Security Specialist around technical services. So thank you guys for joining us for this conversation.
Reg Harnish: Thank you.
Paul Robinson: Great. So, can’t believe it. 2018 is almost done. It’s crazy to think that we have wrapped up another year here at GreyCastle. And we’ve seen a whole bunch of things come through and are looking towards the future of 2019. So the first question I have for the group here is: what are some takeaways that you might have from 2018 and maybe some initial trends that you’re seeing that’s going to bleed to the new year?
Reg Harnish: Sure. I mean, I think there’s a couple things that have been important for us. I think more and more businesses are accepting that technology is not the entire solution. I wouldn’t say that’s a vast majority at this point, but I think overall we’ve seen enough of a shift to suggest it’s a trend. I think the reality is most businesses, and most human beings, want to … they want the blue pill. They’d like the problem to just go away. And when you sell hard work … I kind of think of GreyCastle as selling gym memberships versus protein shakes which is you’ve got to go do pushups, you’ve got to reduce your calorie intake, you’ve got to … and it’s never done. So I think more and more, just as we’ve seen an explosion in gym memberships truly, more human beings, more business leadership, CEOs and executives are accepting the fact that this is actually hard work. And that there’s no way to escape it. Certainly we can support that with protein shakes and blue pills. But the reality is you want to lose weight, you want to get into shape, it’s going to require some exercise. Everything …
Paul Robinson: Awesome, man. That’s cool. Christina?
Christina D’Antonio: Sure. I think my biggest take away is that some of these bigger companies that experienced a breach over this past year, the amount of money that they’re paying out … you see it on the screen and it seems like a lot of money, but to them it’s like throwing a couple of dollars down the drain. I think the trend, because of what’s happened this past year, and I think we’re feeling it a little bit now and will continue to is wanting to have that cyber-preparedness and not just the technology sense, right? It’s really getting your people focused on how they react, how they respond. More importantly, how they start from scratch right? Protect information so we don’t get to the point where we’re engaging a team.
Paul Robinson: That’s good.
Brian Didier: I think, from a technical perspective, I’m seeing a lot … there’s just more information being put out there. It’s accepted that people are interacting with more portals and services where there will be potentially sensitive information input. And there’s just ever a greater target presented to the outside world. We accept that use more and more, but it also comes with increased risk and also a need to protect it.
Paul Robinson: Interesting. Interesting. Now, there was a common theme amongst what the three of you said and it’s actually one of the first questions that we have here for our panel. Is the size of an organization … We’ll talk to folks that’ll say, “Well, we’re only a 50-person organization, why would anybody want to hack us?” Or, “We don’t have any PII internet-facing so why would anybody want to touch us, too?” The large-scale organizations that are … some of them are dropping half a billion dollars on their security practices and things of that nature. So, from a size perspective, you have the tendency to plug in and play like you said the blue pill, the protein shake. Just plug in a firewall and we can sleep better at night. Let’s install antivirus and we can sleep better at night. But really the hard work of a program. So, around the programmatic fact of cybersecurity and building out your risk-based program, do you feel that size of an organization does matter or should everybody adapt a risk-based program?
Reg Harnish: Well, I think it can be both. I entirely agree that size does matter, but not in the way that we’ve traditionally learned about this. I think certainly small organizations have difficulty with resources. The advantages of course is surface area. There’s just very little to protect, typically speaking. If you think about an organization like Boeing or GE or Walmart, honestly they cannot possibly hope to protect everything that they need to. The surface area is too great. Data volumes the way they are, the complexity of environments and networks like mobility, virtualization, social media, wireless network. I mean, it’s essentially made it impossible for larger organizations to be anymore successful than a small organization. So when I hear these questions I get all the time it’s like, “Listen, if you’re a small organization take advantage of the fact that you’re small. That’s your huge superpower against all the Walmarts is that you have very little to worry about.”
Reg Harnish: And you’re doing exactly the same thing that Walmart might be doing, but you’re doing it on such a small scale. I think to myself, “Wouldn’t it be awesome if all you had was one computer and one person to protect?” I mean, how easy would that be? So I just think there’s a real superpower for small organizations that’s been largely overlooked or undervalued.
Christina D’Antonio: I agree with that. I think, when you think the smaller scale smaller organization to Reg’s point, you can better protect and not have to worry about so much. But at the same time I think the mentality that some of those folks that don’t think, because they’re so small, they need a cybersecurity program is that … and they forget all it takes is one, right? So if I’ve got one employee and I’ve got one computer with connectivity I’m just as much at risk and potentially exposing the same type of issues.
Brian Didier: I would actually caution in some ways that that smaller organization could even be more vulnerable. If 10 or 100 computers get ransomware at Boeing, so what? If it happens to a small organization that can be the end.
Reg Harnish: True. Yeah. But other than that I think, compounding this, I think cloud services. I think the environment, the economic environment has actually made it less expensive in some ways to get involved. If you’re doing it the right way. So going about cybersecurity the traditional means would mean attempting to hire a team and recruit, train, testing it … that doesn’t make financial sense anymore, but I think the different models of engagement that are out there today … certainly we’re in that bucket, right? So we’re familiar with that. But there’s just that it can be less expensive and less painful for a small organization to engage a third party for a program in ways that really weren’t available 10 years ago.
Paul Robinson: Yeah, that’s a good point. So in preparing, again, small-medium-large organization there’s so many different ways to address building a program. And one of the major things is the actual framework. There are several frameworks that are out there that, in our day-to-day lives, we see everybody that will subscribe to one and say, “This is the end-all-be-all.” And map their program to that. From that perspective, one of the questions that we’ve come up with here is: is there a preferred standard that you would reference organizations to go after? Or how would you have them decide what framework they should build their program on?
Christina D’Antonio: So, if I speak from my experience, typically when we run into clients that are like, “What framework do we use?” Pick something that’s widely accepted. Some industry that’s standard out there. And NIST 800-53 is a great one. If you were to read it you certainly will get lost in the weeds. And a lot of that may not be applicable to your organization so figuring out the scope and what’s really, truly applicable and what you need to “comply” with is important. Outside of that, though, most of the companies big or small that we work with are looking to do the right thing and protect … from a security perspective, but also chase the compliance against multiple regulations. So it’s important to keep in mind to not take the whack-a-mole approach and try to build programs that comply with their … build one that satisfies all of it so that you’re secure, you’re also compliant.
Paul Robinson: Yeah, and it really comes down to the whole thing of being legally-defensible with your program and making sure they can map to an industry standard which is very important.
Christina D’Antonio: To build off that, when I work with organizations the push is, “Well, I need to be 100% compliant right now. I need to show that, I need to prove that.” And it’s going to happen overnight. It’s not quick. But if you can show that you’ve taken the right steps, you’ve done that risk or gap assessment, you’ve prioritized, you have a plan to solve those gaps. That’s good enough for now. So just keep making progress towards building that cybersecurity program in a method that makes sense.
Reg Harnish: I think having a framework is more important than the framework that you select. I think working towards something and having the goal of, essentially, a finish line or just some boundaries for your program just makes it easier for you to know what to pursue or to define what success looks like. Which I think we’ve done kind of a crappy job in cybersecurity is really defining, as an industry, what success looks like. Because, as you’ve said, compliance is not … first of all it’s not a destination.
Christina D’Antonio: Right.
Reg Harnish: Right? It’s not going to happen overnight. So how do we get on this journey where we’re relentlessly pursuing the right things in a way that’s legally defensible and also reduces our risk? But this is a marathon, not a sprint.
Paul Robinson: Yeah, and I think one of the things you touched on over there that’s important is organizational-wide buy in. When you’re implementing a program inside of an organization it just can’t be with technology. So many times we run into organizations, I don’t know if some of the folks out there are challenged by that as well, to where security, programs, awareness training everything is locked into IT. And it’s not expanding out. So, from a culture perspective, one of the questions we have here that I wanted to bring up was: in the successful organizations that you’ve seen that have been able to implement and adapt culture inside of … what are some ways that groups can do that? So if you have a taskforce inside of your organization that’s derived to … they’re driven to put security out there to everybody. What are some steps and ways that they can take to build that culture out?
Brian Didier: I would say that it’s critical to have buy in from all the right levels. So within an org you might have individual groups that can be pretty serious about it and serious about that culture of security, but if you don’t have it on all … and most importantly coming from the top usually is very important. The C-level really should be behind that in addition to other teams that might be more instrumental in implementing certain aspects like IT or risk. Other departments that may actually have the nuts and bolts of those programs put together. But buy in should come from all areas ideally.
Reg Harnish: And I think getting that really requires good translators. There’s so much jargon in this industry and every industry. If you’ve got finance people that can translate complex financial concepts into department [inaudible 00:11:07] they’re going to be more successful because they understand it in their own terms. And I think again, as an industry, we’ve not done a good job translating even basic fundamentals. Like managing risk which is a super, super simple concept. Why can we not explain this in English to folks who understand this. And then, depending on your audience, of course maybe you’re translating it into dollars and cents right?
Reg Harnish: If you’re looking for budget justification and you’re unsatisfied with what your organization’s investment and such … Well, translate it to them in a way that is compelling. Don’t go talking about ports and protocols and the IP stack. It’s like go talk about dollars and cents. That’s what they live everyday and so trying to educate them on cybersecurity, I think, is a failed concept. You’ve got to move to them. I think that’s really where not only logistical, functional success comes from, but I think the relationship as well. And so that they’re not thinking that here’s these genius nerds in the back here or the basement that are trying to force change on us. But rather, now I actually understand this problem and it makes sense to me.
Paul Robinson: Yeah.
Christina D’Antonio: For me there are a couple of factors that go into it. So I find the best successes happen when we step out of IT, right? They should be the ones pushing out the message, but cybersecurity your program touches every end user in your organization, every functional department. So create a committee with representation that’s responsible for helping to make those decisions. Helps with that translation down to those end users. The other thing, for me, is he talked about buy in and getting the right people at the right level. Some of our most successful clients have, at the top, been the example. Remove admin rights from my workstation. I was able to still do my job, folks. Guess what, we can all do it. Don’t just preach, but lead by example. Show them that it’s possible.
Paul Robinson: Yeah, I had an interesting discussion with someone at one of the local security shows. And a global organization created a position of cybersecurity Program Manager. So, obviously, that is something that we practice here at GreyCastle with our clients. But to actually have an organization that had an FT, designated to them, running the projects and evangelizing risk throughout the organization. Being about the dollars and cents, not zeroes and ones discussion. And, in talking with her, it was amazing the traction that she was getting. So I think that’s kind of where we’re all falling on is to get an organization involved, the organization has to be involved with the [inaudible 00:13:41] So, again, feel free to send your questions to #CastleChat. And you guys get something [inaudible 00:13:48]
Paul Robinson: Okay, one thing that we talk a lot about and there’s mass confusion. You said that we’re doing the community a disservice in a couple different ways. And I think one way that we’ve done a tremendous disservice is around incidents that take place. And being able to intelligently talk through what an incident is. People throw out … we call it “the b-word” here at GreyCastle, it’s not a technical term it’s a legal term there’s your free advice for today. But we’ll say breaches, compromises, things of that nature. Christina, because you are strong in helping organizations develop their plans and in testing their plans through tabletop exercises, can you give a little bit of commentary around how organizations a, should prepare? And, b, when it does come time to press the red button and get the play books involved what pieces of the should be involved and how they should move forward.
Christina D’Antonio: Sure. It certainly starts with documenting a plan, right? It’s great that, whether you’re a large or small organization, that everybody has this wonderful knowledge on how we’re going to respond to the incident. But if we lose Reg or Brian tomorrow and they’re a critical or crucial part of my team the knowledge they had left with them. So that needs to be documented and it needs to follow the phases of incident response. That process works time and time again no matter what type of incident you may face. So being able to document that is critical. But then test that plan. You’re going to put some words to paper, you’re going to put that knowledge down, it likely will fail you to some degree. It’s not going to be perfect. I’d much prefer to learn that in a controlled environment rather than when it hits the fan.
Christina D’Antonio: So make sure that you get the right people in the room and don’t make it that quick compliance check mark where I sat with Reg for two minutes and we said, “Yeah, we handled it. We’re done.” Really get folks engaged. Make sure your team is not just IT. Make sure you have, again, representation from the business. Incident response is part of IT, but is definitely going to involve other parts of the business. It’s a business decision. A lot of what we deal with and a lot of what the lawyers out there deal with are business decisions. They need to have a hand in it. So get all those people in the room and really test them. Something that’s relevant and something that’s real. Make them have conversations, make them engage.
Paul Robinson: Very good.
Reg Harnish: I think managing expectations is also critical. So I’ve had the sort of fortunate pleasure of being involved in a few nationally recognized or visible incidents, some of the biggest incidents out there. And, for me, I think one of the most important things I was able to do was just manage … just calm people down. Remind them that this is going to be a horrible day but it’s not going to be the worst day, that we’re going to get through this and that on the outside of this is a stronger business. I think if you can do what Christina just described, which is have a general sense of what you’re going to do and have a team that’s somewhat prepared. I think with a team in that condition you can come out the other side more resilient. I think the business can resume formal business operations and recover in a way that just creates tougher skin, muscle memory. And there’s a lot of benefit that comes along with that.
Reg Harnish: But you have to go into the incident with these sort of learning moments up front. I think it’s one thing to go and say, “Hey, wasn’t it great over that incident that we sort of discovered this?” Have a commander, have an incident response team leader who says, “Hey listen, guys. This is what’s going to happen.” Right? You’ve got to show up like Mr. Wolf in “Pulp Fiction.” It’s like, “Everything is under control and here’s how it’s going to go down.” And, if you can do that, I think the teachable moments are much more permanent. But managing expectations is absolutely critical.
Paul Robinson: Great. Yeah. Very, very true. A technical question for you, Mr. Brian. Another popular thing that is out there that has a lot of confusion around it is the cloud. We’re talking about AWS, Amazon Web Services, or Microsoft is your environment. And people and their hesitation to it, from a security perspective, and making sure that their systems are safe. Do you have any … one or two kind of tips that you can give folks that are either in the process of moving to the cloud and have security concerns or in the cloud and have some concerns in that environment?
Brian Didier: Well I mean some people just call the cloud “somebody else’s computer” but, in a lot of cases, on their end they’re doing a pretty good job of securing them. That being said it does introduce some additional avenues of potential exploit. So even more care really has to be taken when having those resources. Just when you look at how administrative access and control to those resources can be had from anywhere in the world. So in addition to the normal steps that you would take to secure any publicly-facing asset, in terms of software versions and configuration, additional care to make sure that that administrative access is also adequately secured is very critical.
Reg Harnish: Right.
Paul Robinson: Yeah, I think one thing that kind of gets lost in the sauce with risk and security is that we’re hesitant to take advantage of really good technology and cool technology. Or the idea of virtualizing your environment in AWS or Azure or being able to have access to data on demand. It is really good, it’s just how do you put the locks on the doors and locks on the windows and making sure you’re protecting that environment as well. That’s just one thing. I think there’s a lot of negative connotations in security saying, “Don’t do this and don’t do that.” Or whatever, but it’s securely making sure you can take advantage of these great technologies and advancements.
Reg Harnish: Yeah, I mean I think we all remember 10 years ago no one would move to the cloud. And the reason they wouldn’t is because they are concerned about security. Now everyone is moving to the cloud because they’re more secure. The perception is that they’re more secure. So it’s been an interesting evolution over the last decade to see how security has played a role in cloud adoption.
Paul Robinson: It is.
Reg Harnish: Very interesting.
Paul Robinson: Very interesting. So the last question that we’ll have here for today is 2019. You bring out your proverbial crystal ball and see the things that are ending the year 2018 and coming down the pipe for 2019. Any thoughts around that and we’ll go from there.
Reg Harnish: Sure, I’ll start. I mean I’m generally optimistic about the trajectory that we’re on from a cybersecurity perspective. But there’s one major, acute issue that we’re experiencing today that I think gets worse next year. And that is the supply of talent that can address these things. If you look at all … every source, every authoritative record … whether it’s 350,000 or 2 million globally no matter who you talk to that number goes up next year, right? I think, generally speaking, the demand on talent continues to increase more than linearly and I think our ability to manufacture folks that can do and really deal with this stuff effectively is not keeping pace. And so the gap is just getting wider and wider. So I think, really, I think this is probably going to be the situation for the next two or three years where the demand far outstrips the supply. And it’s just created massive headaches for organizations. And really one of the reasons we exist is to address that talent shortage. And the way we’ve virtualized cybersecurity for our clients I think becomes even more compelling next year.
Christina D’Antonio: I think for me it’s … I wouldn’t say we’re in a good spot. But I think businesses, as a result of some of these larger compromises on bigger companies … We’re finding more that when folks are ready to do that information security, cybersecurity compliance exercise that they’re not just, again, taking that check mark approach. They’re really looking to do everything right, right? Do everything they need to really build a program. So that excites me to see folks understand that from soup to nuts we need to have certain things in place.
Brian Didier: I’m just going to keep it simple and say I foresee myself being really busy.
Reg Harnish: Let’s hope so.
Paul Robinson: Yes, yes, absolutely. And just quickly, Reg, going back to the talent shortage piece of that. The numbers are staggering that are out there. Do you feel, as a community … I’ll go back to a conversation I had with the global CSO. And she said that she’d take 10 PMPs over 10 CISSPs any day of the week and bring them on the team.
Reg Harnish: Absolutely, yeah.
Paul Robinson: To have that ability to, again, educate and evangelize compliance. Do you see companies and organizations starting to think outside the box how to stop the talent shortage? As far as recruiting different places are getting that aren’t necessarily cybersecurity in the fold to help stem the tide for that.
Reg Harnish: I don’t know if I’ve noticed patterns there, but maybe a couple of bright lights have been an organization’s willingness to build those people. And so I think, whether it’s the CISSP or the PMP certification, these things are all helpful in solving these challenges that are just really hard work. So I think that if a business thinks about it creatively they don’t have to be as crippled by this problem as maybe they are today. I think that thinking outside the box and being creative also moves them from a, “Here’s why we can’t do it.” To a, “Here’s how we will do it” mindset. And I think that’s helpful as well.
Paul Robinson: Okay, great. Excellent. Well thank you everybody for joining us. There might be a couple of questions here that we didn’t get to. We’ll come up with a forum that we’ll be able to get those questions answered for you. But thank you for joining us for Castle Chat and we look forward to you joining us the next time.