Change The Conversation For Greater Infosec ROI - Part 2

January 12, 2022 00:32:27
I See What You Mean

Show Notes

In our second episode, Rick Dudek and I resume our discussion of "digital everything" risks and harm, including how good the bad guys are at what they do. Rick describes the value of mentorship to infosec operations, and we both reflect on how the most enduring lessons we learned from mentors - especially early in our careers - had nothing to do with the technical aspects of our jobs. We talk about the value of learning to collaborate and work as a team, and Rick follows that with a compelling discussion of why infosec teams need "whole people" on them, not just technical experts. Rick's observations and insights make great takeaways, and here are some of my favorites:

10:34 - You can easily miss good mentoring as it happens, but you can look back 10 or 20 years and see what a gift it was.

15:06 - You want people bringing everything they are to a job, especially in information security - volunteer work, being a lifeguard, ripping an old computer apart to see what you can do with it. It's all evidence of aptitude and affinity relevant to work.

17:26 - Why it's better for an infosec team to have "whole people" catch and respond to threats.

24:42 - You can have a risk register and use a risk management framework, but their effectiveness is no greater than the quality of the conversation you have about risk - with lines of business and the C-suite.

Episode Transcript

Speaker 1 00:00:06 I love the anecdotes and experience and solutions I talk about today are my own professional experiences and my own professional opinions. And not necessarily the opinions of my current employer or past employers.

Speaker 2 00:00:26 All someone needs is a point of entry where the, where they go after that or what harm they can do isn't limited to the place they entered. So a customer could be hurt by a supplier, could be hurt. A partner could be hurt. And in terms of a security posture, security practices, parties realized we're different organizations, but we're, if we're the more we link up digitally to go back to your point about digital everything and where we connect digitally, the more we're mutually exposed and we need to be mutually protected.

Speaker 1 00:00:56 Totally. And not only that, but you know, some of the digital tools that we have not only become used to, but can't imagine life without the things that we need to divest ourselves, you know, over, over 74% at no matter what statistics I looked at, I've never seen below 74%, but 74% or above of successful cyber attacks, originate with an email, be it efficient email, or, you know, uh, it could be any form of social engineering. It could be, uh, an executive spoof, uh, that allows them that entry point that you mentioned. And then once in they do what they do bad is, are not stupid as are not lazy. They are in fact, pretty brilliant people. They're intelligent. They have a passion for this. They have the same aptitude and affinity for technology and their chosen career path that I wish more and more young people had for cyber security.

Speaker 1 00:02:11 They're really highly motivated. And they, you know, sometimes it's just sport to them. Uh, but the, but the damage that they can do is, is pretty drastic. And one needs to look no further than, than the MITRE ATT&CK. ATT&CK stands for adversarial tactics, techniques, and common knowledge. 
But the MITRE ATT&CK defines all of the, uh, tactics and techniques and know, and you could even use it to see, you know, which type of attacks be they ransomware or, uh, uh, phishing attack or it's, uh, they're trying to exfiltrate data or get credit card numbers or something literally any attack that you could think of and MITRE can show you which tactics and techniques are used to, uh, to pull it off. Yeah. You know, this is through how they embed, right? They move laterally, how they go download, they find opportunities and, and, uh, you know, lapses in technical configuration in order to go download more malware or to set up a beaconing site, uh, and to communicate, uh, sensitive and secret and confidential data back to a C2 server.

Speaker 1 00:03:33 So, you know, they, they really are good at what they do. They are not playing games, even if to them, uh, the funnel it's just sport. They're not looking to make money doing it. We don't, we don't ever underestimate what they can do. So your, your point about that first entry point being, you know, the point where now you can, can, uh, you know, double facepalm and just shake your head. And it is, it is that initial entry point. And that's what a lot of, uh, information security teams focus primarily on. We need to stop the initial, the initial attack. We need to stop the vector.

Speaker 2 00:04:16 Well. And the other thought, the other approaches assume they're in, right. Always assume they're inside.

Speaker 1 00:04:24 I looked on the inside too, because if they're not there now, uh, they could be, and you don't need to go figuring out who to point fingers at movie's fault. It is, it is because they are very good at their job. And they run their companies like fortune 100 fortune 50. They don't, they're not like a loose group of dudes that just know each other

Speaker 2 00:04:54 At working out of their basement. 
Speaker 1 00:04:56 You know, part of the crisis in cyber security is the lack of people with experience. And I don't know if you've heard in the news, there's, there's a lot of concern right now throughout the world, not just the country in terms of, we have a lot of people. Uh, in fact, there is an abundance of people with, uh, degrees and IT degrees and believe it or not information security, which is available now to CRA and masters in cyber security or cryptography or whatever their, you know, area is, but companies aren't ready yet to get back on board with what works so successfully to build this country. And that is apprenticeship style relationships. And, you know, I, in one of your podcasts, there was some discussion of TQM. As in fact, you brought it up. And I have experience with that too, when I was younger.

Speaker 1 00:06:05 And while I don't disagree with anything, I saw the reaction of the coworkers, especially the guys who are 10 and 20 years older than I was as to this is another program without teeth. But at the same time, I got lucky enough to have some people who were 10 and 20 years older than me. And without even discussing it, we, we kind of got into this mentorship situation. And, and I, I really feel like if, if there are good characteristics to my work nowadays, to my ability to relate to people nowadays to the diligence that I put towards, you know, delivering in order to satisfy, not just what the requirement was, but, you know, for the whole team, yeah. It came from some, you know, good advice, good guidance. And it even started in college where some of the older students would, you know, show me, Hey, you can't say things like this.

Speaker 1 00:07:18 So even in college, I was fortunate enough to be surrounded by upperclassmen and grad students who, because most of the courses that you take your senior year in electrical engineering are in fact masters courses. 
And, uh, but you were around these older people and not only do they give you advice that you could not have come by yet, at least not firsthand. Right. But you've also learned to trust these people. You've learned, you've seen their success. You see how diligently they work now, fast forward, you know, maybe 15, 20, 25 years. And it became really popular, uh, for, uh, not just in, uh, you know, the federal workspace, but also in private industry to try and structure, mentor and mentee programs. And I don't know how you would gauge success or failure. I'm sure that really positive long-term relationships were developed, but, but again, it, it would have been a forced situation.

Speaker 1 00:08:30 And in fact, the mentor could have been paired up with, with somebody that yeah, they can teach them what they know, but they're not really sure how to get to on the same page in terms of, this is what this younger individual needs to help sharpen their focus on their career. What do they need to do to achieve their goals? What do they need to do, take a step back? What do they need to do to define their goals? How did they even know what they want to accomplish out of career right now? And, you know, I had these people around me and I think a lot of companies did a really good job and a really good thing implementing programs, uh, like that. So then you're closing the generation divide a little bit and that, and at the same time, you're getting back to, to something that, again, as we made technology progress, even way before the digital age, you had a, a lot of not just hands-on skills, but, uh, you know, real good professional skills that you, you would apprentice for three years and you would be learning from somebody equivalent to, let's say, let's call them a master, like a master of something like this. 
Speaker 1 00:09:50 And you got to ask all the questions in the world, and you were looking over their shoulder in the beginning, and then they were looking over your shoulder when you were showing them, not only were you paying attention, but you've got this. And, and it's at that point where, you know, they graduate to a role where they can independently perform these services.

Speaker 2 00:10:14 You raised an interesting point that I hadn't thought of, uh, mentorship both from the standpoint of some personal goals or objectives, but also more technical mentorship. And some of the best advice that I got from people that I worked for, like a direct supervisor, was the mentoring kind of advice. You, you, your, your comments that made me think about what that meant to me, how valuable it was, and

Speaker 1 00:10:34 You might've, you could easily miss it while it's going on. And, you know, a decade or two later look back and see just important. What was gifted to you was to, uh, maybe not just your career, maybe you're the person that you are. And I think we both know enough about corporate structures and three, and five-year plans to know apprenticeships don't seem to make sense, especially to a busy CEO. Who's got a million other things on his mind and trying to tweak the company to accommodate something is, uh, it doesn't seem like a big value add at the moment, but the cool thing is it's only slight adjustments to the organizational model that allow you to start introducing a practice. You can call it whatever you want, and you could even use co-op programs, which I participated in when I was a student in electrical engineering or internships, uh, you can call it whatever you want the long.

Speaker 1 00:11:44 And the short of it is you're going to have younger people who come to you with no experience, maybe not even any. And it, I, I can tell you that I would be able to take those people. 
And I know a company like the one I'm at right now would be what we would know what to do with those people. We would know. And if you want to see core, uh, employee loyalty, shoot off the charts, do this because people don't forget who really gave them a chance. People don't forget those who came out and said, I understand where you want to go. And I want to help you get there because as it is right now, it is, they are typically very sterile transactions of get experience, get your academic education or whatever you require you fit in. You know, like, like the models currently show you can fit in this level.

Speaker 1 00:12:42 You're a level three accountant currently, and we're going to put you here and you're going to do this. And then you could either get promoted or you move on. And if you move on, we're two weeks out from another cog that fits in your space. And you know, that's very impersonal. I don't think people do it with avarice in mind. I think that that is, you know, that's part of, of the not understanding that we can balance all of these things. We can balance quicker to market and new functionality and cyber security and protecting our data and information. At the same time, we can also keep the velocity of a sprint team, high wall, bringing in younger people to who, like I said, might have zero experience, but darn they are going to appreciate the opportunity and they're going to make good on it.

Speaker 2 00:13:34 Well, and you know, something that's critical to a high functioning team, to a culture of teaming, a culture of collaboration, things that are critical to go far beyond technical knowledge and skill. So let's take any project where you've got people who know something about the product and service. You've got someone who knows who's from IT or, or InfoSec, human resources. So finance a high functioning team isn't just the compilation of their sprit, technical subject matter expertise, knowledge and skill. It's how they work together. 
And the question of how they work together, which is of where I got my best, whereas mentored in ways that meant the most to me, that I learned the most from and, and carried on in my life, had to do with more of the human interaction, the communication skills that you and I are talking about. But my first job out of college was in a community mental health center.

Speaker 2 00:14:31 And it was a great, it was amazing job for a lot of reasons. It was, it taught me some things in my twenties that have stayed with me for 40 years. When you were working with severely, mentally disabled adults in a community setting and group homes, you have to be tight as a team. Team wasn't a, a word label. You had to function as a team because if you, the client suffered the client pay for it. And we're working three shifts, 24/7, 365. So you had to be tight as a team. And I learned as a young professional, what that meant that had to do with collaboration, communication.

Speaker 1 00:15:06 And I completely agree with that, and I'm glad you brought it up. It has everything to do with their life experience and you know, which is, which is a good thing because you want people bringing everything that they are to, to a job, especially in information security. I have told anyone who will listen, everything you've done, not just jobs, volunteer, work, uh, work as a lifeguard research projects or playing downstairs in your basement, ripping apart an old computer to see what you can do with it. This is evidence of aptitude and affinity and everything that somebody brings into a job, uh, potentially has value to the entire team and to the enterprise. And, and you, you need to be aware talking to people, let them open up about their past and their history. And, you know, let them say things like, oh, well I have this one job and it's irrelevant.

Speaker 1 00:16:13 It's not even on my resume. It was so stupid. 
And you hear, cause everybody's had either a really bad experience at a job or, you know, it wasn't what they expected. Wasn't what it was advertised. Or they were too young when they were doing it and stuff. I think that that's looking at it improperly. I think that what that, what we really need to do is to let people understand that your capabilities, not just as a employee, but as a human are the sum total of all these different things and all the different feelings that they've given you and all the different emotional responses and thoughts that go along that are linked intrinsically to these, you know, experiences that you've had. Now, we're going to put you in this situation and we've gauged, you know, you used to seem to have an aptitude and affinity towards lighting, liking to build things or put them together, or maybe they're the opposite person. I'd put them on a demo team. Well, what else?

Speaker 2 00:17:15 What makes it, what makes it important to InfoSec the department and the function to have whole people in there on that, on that team?

Speaker 1 00:17:26 It's maybe the most important thing. And the reason is what we do it on an adverse act team. What any cyber professional does for, uh, for a living, even if, even if they're currently pigeonholed working on the photography algorithm or something, the entirety of the field that is, is sharing several things. We're all sharing, known risks. We're sharing the fact that there are unknown risks. Okay. There are threats out there that, that we don't know, we're hopefully doing a mature job of, of risk management, but when people are working, for example, get an alert. So your dashboard fires off an alert, and it looks like there was a suspicious request made into one of your web servers. And you're not sure what happened, uh, but you're going to go check it out. Well, chances are real good that you may have seen something similar, but this one is unique. 
Speaker 1 00:18:37 It has, this is, this is unique. And, and it is, it is the affinity towards an investigative nature that, that drives professionals to really think and think deep what's going on here. What could possibly be going on that I don't see yet? Where should I go next to see if this is getting worse? Oh, how far did they get before my dashboard alert something, something went horribly wrong. How terrified should I be? But we have to have this, this nature about us through a lot of experience that we've had through all different sorts of jobs and all different sorts of life experience, where when we're responding to an incident or responding to a situation that we, the first thing we think of is there could be a lot more going on here than I'm being informed of. And I need to, I need to investigate this and I'm going to use every last skill I've ever learned in my life. And a very curious brain to get to the bottom of it. And even, even a bulk of people in information security would love to get a score on it when they're done. How did I do?

Speaker 2 00:20:01 You said nature of a person. I think that answered my question a lot. So something about the nature of a person will make him or her well-qualified for an InfoSec role or less well-qualified for an InfoSec. Well, they might be very well-versed in all of the technical aspects of the, of, uh, of the position, right? But you want someone who is more curious than less curious. You want someone who's more concerned and less concerned. You want someone who can communicate better with others around the enterprise, not just with you on a spectrum. You want a more, well-rounded like you want a liberal arts major with an InfoSec master's degree.

Speaker 1 00:20:41 Uh, one of the very best, not just programmer, but, uh, software integrators I ever got to work with is a political science major. It was never formally trained or, or diploma in, in any of this. 
Uh, he had an aptitude and an affinity and he drove, he drove that

Speaker 2 00:21:03 Very, very interesting. We were talking about the apprenticeship concept and apprenticeship. It's not much of a program anymore. Can it be more of a program? What would be the benefit of having more of a actual apprenticeship program? I did not serve in the military. You and I both worked with someone who did Bob Natalie and Bob talked, uh, could talk in detail about the concept that they lived there. He did, I suppose some do and some might less. So the succession plan he taught, he could talk in detail about succession planning and what it meant because so many people in the military rotate into different positions over time that that was incumbent upon leadership to train the next person in their role. Our discussion made me think of comments that Bob had made. If you care about the position and what it means within a team or a unit, you want them to do the best they can. You want them to be as well as prepared by being as well-rounded as they can. You would be thinking and paying attention to the more holistic kinds of things that you talked about earlier. When you talked about the whole person, that nature of a person,

Speaker 1 00:22:10 Glad you brought up Bob Natalie, one of my favorite people and Americans. Bob not only had the ability to mentor large groups of people without them knowing they were being mentored. And that is a complete, uh, highest level compliment that I can pay an individual. Well, I, and, and everything that, that he brought was important. Chester Barnard talks a lot about the parallels and the alignment between, uh, you know, how the military operates and how businesses can best perform using a lot of, of those, uh, techniques and behaviors and, and what Bob would, would come into an organization and do that. A lot of people, uh, still today struggle mightily with, and that is transition plans. 
And I know you have a, have a lot of successes under your belt, transitioning large scale transitions for organizations. And, and to me, that skill is, is one that if you, again, if you can find people who, who are really interested in all these moving parts and not just getting to be, but what are we going to do to get there? And what are all these challenges that we're born to run into those somebody who's excited about overcoming challenges? Yeah, that's, that's a good team member. And, and I guarantee you that excitement about overcoming challenges came from their past experience and they actually became passionate about things that were complex or overcomplicated and how to make them simpler. Yes.

Speaker 2 00:24:00 Then another couple of weeks I'll release an episode where Bob and I spoke. Okay. So watch for that. And Bob and Tom Oats, and I are scheduling an episode for the three of us to talk,

Speaker 1 00:24:14 Oh, I can't wait. I'm going to tune in. As soon as you do that.

Speaker 2 00:24:17 Well, Bob and I talked a lot, you know, Bob's real big on commander's intent. We talk a lot in our interview about the leadership approach of using commander's intent. The Tom had talked in our interviews, you might remember about intent-based leadership and they overlap, but they're slightly different. And so we thought we would do one episode where we would get those two talking together.

Speaker 1 00:24:37 That's going to be good.

Speaker 2 00:24:38 I am very interested in the whole risk management concept.

Speaker 1 00:24:42 Everybody has cyber concerns right now, the more information that we can share. And it's not just companies. I mean, I, I do our security orientation briefing every Monday, and it is different every Monday, the slide deck's the same, but you know, we talk about different things and I'm not in the room with people anymore, which is sad because I used to be able to read micro-expressions and I used to see what type of phone they got. 
And I used to, and I'd throw out things to help them with their personal online usage. But as far as companies and CEOs and attracting, you know, top C-suite risk management really is the cornerstone. That's the foundation. If, if you have risk management going on right now, well, Bravo, I don't understand how you would do without it. You've got to, uh, mature your risk management day by day by day.

Speaker 1 00:25:39 But there's more because when you start talking about a risk register, if I went to a webinar or a seminar with a thousand people, and I stood up and I said, raise your hand. If you don't have a risk register, how many people do you think they don't know? Nobody, everybody's got a risk register question is what are you doing with it? Right. And are you checking it? And are you updating it? And are you using that with the proper language to communicate threats and risks that you're in the language that your C-suite looks at and goes, oh, crap, stop, drop, roll. We need to take care of this right now. Right? And like, cause risk management framework or just your, you know, whatever run of the mill. If you want to stick with SANS or NIST or whatever program you want to implement, risk management is like a serious topic that also solves a lot of problems that companies are dealing with now that they don't know are related to the lack of risk management.

Speaker 2 00:26:46 Just a quick background. In the last couple of years, I had, I've been rebranding my practice for a while. The pandemic was very disruptive to me. I had, I was on a path and then I had this shift during the pandemic. And I developed a little bit of pandemic related material, which were really about having conversations in your company about the matrix of knowns and unknowns. Okay. And how to have a conversation to convert more knowns unknowns into knowns, blind spots, biases, whatever it was and what to do with the information. 
And you mentioned knowns and unknowns in my mind went right to that because I'm fascinated by conversations. People can have that miss things that are there or catch things that are hidden. Right. I love that

Speaker 1 00:27:35 Our original plan was to hold this interview in August of 2020. And to talk about, Hey, the pandemic, you, you emphasize conversations. You're right. It, it resonated with me so strong that you can ask people in the summer of 2020 Rick, all of a sudden started using the word conversation all the time told me that you need work. And, you know, it's because I believe in it so much. And I see results. I definitely, we've all, we've all seen a project. And you know, the outcome is, you know, the people who chartered it and said, yay, verily, this team's going to go produce this. And then something else comes back and, and you don't even recognize it. Hopefully there's stage gates and controls along the way, but you know, the, the lack of conversations and what we lose when we go to digital platforms and, uh, ways and, you know, remote and internet and all that, you know, but your, your original idea, you know, certainly we may be, the ship has already sailed and prayers, but as far as the pandemic goes, you know, there's an interesting topic for you.

Speaker 1 00:28:56 And that is with risk management. Uh, I've been doing BCP and DR for over 20 years. And I can tell you, every time we wrote down global pandemic as a risk, we all smirked everybody. Oh my God, never going to Harbor, never going to happen, how we got things under control. But, you know, you could even write a book what to expect when you're not expecting. Right. You know, because this is scary, but you know, it, it really brings risk management into a different focus and then seeing how these, these, uh, supports of business continuity plan and risk management, okay. 
Disaster recovery is a different thing, but there are times where all part of BCP and stuff, and you have incident response and all these other things going on, Hey, that's, that's a whole lot of stuff. And it probably cost a whole lot of money to cobble all that together.

Speaker 1 00:30:03 Yes. And yes. And, and the, the fact that the matter is, uh, while it doesn't ensure that your business plan, we're going to do X and gain revenue, it doesn't ensure that that's going to be successful, but at least the unexpected stuff isn't going to tear down what was a great business and a great business idea, right. Is that laying a lot of those cases, it was a beautiful corporate culture that now no longer exists because something bad happened that they weren't prepared for, or didn't, didn't see coming. And, oh, I see you, especially with your transition, uh, skills and experience, uh, because that's part of it, you know, how do you get your culture into, into really thinking in terms of risk management, we're going to do something risk, positive and negative risks. Let's start writing them down and let's go way crazy thinking up ideas.

Speaker 2 00:31:01 Rick, this has been a lot of fun, and I've learned a lot.

Speaker 1 00:31:05 I appreciate you inviting me to do this. This is, this is a great opportunity. It's my passion and my belief in what, what doesn't work and what does variances that, Hey, we're not sharing those with our peers. If we're not, you know, forget competition, the businesses they're going to do with the businesses do right. But, you know, sharing our successes, sharing the reasons for our successes, that that makes us valuable beyond what we understand with our current value and our current mission. And that's, and that's, what's important, uh, it to be in a person

Speaker 2 00:31:45 I've enjoyed your passion back to the ambit days. I still enjoy today. Thank you so much for your generous time and the thoughts you've shared. 
Speaker 1 00:31:55 I'm looking forward to the next time we get

Speaker 2 00:31:57 A check. Me too. Always. Thanks, Rick. Have a good night. Thanks. Bye-bye and that's how we see it. My friends, I want to thank Rick for recording two episodes with me. You can find them at, I see what you mean dot dot com. Plus all the usual places, send your questions and suggestions through an app. Subscribe and give me a five star rating unless you can't. In which case, tell me why and join me next week. When we take another look at how to get on the same page and stay there, unless you shouldn't.