Accountability in Information Security

Unsecurity Podcast

Things aren’t always as straightforward as they should be in information security. One thing that tends to be hard to determine is who is accountable for what. On this week’s episode of the UNSECURITY podcast, Evan and Brad provide some tips and tricks for accountability in information security, and in life in general.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right, Good morning everyone. Thanks for tuning in to episode 98 of the Unsecurity podcast. Today is September 22, 2020 and joining me is my co-host and friend Brad Nigh. Good morning Brad.

[00:00:34] Brad Nigh: Good morning Evan.

[00:00:36] Evan Francen: How you doing?

[00:00:38] Brad Nigh: Got that beautiful weather out. Can’t complain.

[00:00:43] Evan Francen: Well you can’t complain. But I don’t know. I don’t know if it’s the time of the place. You know what I mean?

[00:00:48] Brad Nigh: I won’t complain about the weather. How’s that?

[00:00:51] Evan Francen: There you go. Well, I think we have a good show planned for listeners this week. The episode is about accountability. I’d like to discuss how accountability works in information security, who should be accountable for what, and give some tips for improving accountability where we work and maybe in the world around us. So lots to cover on the topic of accountability. Before we jump in, as usual, let’s catch up with Brad. Brad, what’s new?

[00:01:20] Brad Nigh: Now? Next up, the first draft of that I am a maturity assessment. Uh, you saw that. So working on kind of scoring, uh, behind it. Now the fire team is putting together, like, the notes and the recommendations and all that stuff. So that’s fun. Uh, rolling out a new version of, I guess, the next generation of our fact program. So actually getting that done, working, you know, we’ve been doing the current version for about two years, just over two years. So taking that feedback from analysts and customers and, yeah, just taking it, making it better. Right? Yeah,

[00:02:07] Evan Francen: Evolution. So for people who don’t know, sorry, the fact system is really a vCISO program. Right,

[00:02:15] Brad Nigh: yep. That’s just what we very big. R. D. C. So

[00:02:19] Evan Francen: Very cool. And you know, that’s one of the things in our industry, the vCISO, just the virtual chief information security officer, that’s um Julie, although the board and the way people do that. So I think one of the things I’m excited to do with the version two that you created and with what I know about SecurityStudio, right, really a manual on this is how you do vCISO, this is how you measure the success of a vCISO, you know, and this is how, uh, you make sure you’re getting your money’s worth. Yeah, vCISO.

[00:02:52] Brad Nigh: Yeah, and that was one of the biggest things that we took away: customers loved, you know, working with the analysts and the expertise and, you know, felt like they really better. But how do you actually measure what you’re getting, right? Because a lot of it is you’re paying for that knowledge and it’s hard to show, you know, that return on. So yeah, part of what we’re gonna do is, uh, kind of, uh, we’ll say it’s a readiness onboarding assessment just to get to know the customer a little bit better. Uh, let the customers get to know the, and also going to be working with just some introductory type of stuff and then identifying, uh, you know, how comprehensive that next assessment should be and then setting goals and march to say, like, hey, you scored a 400 on this introductory; by the end of this third year we want you to be, you know, doing our, you know, uh, mid-level assessment and scoring this, and then doing quarterly updates and being able to show that actual, uh, improvement. Yeah,

[00:04:11] Evan Francen: because the one thing people don’t really, I mean then personally, I mean if I was a business owner or leader, you know, I get the paying for knowledge, but knowledge doesn’t get me anything tangible unless I apply it. So I think I like the fact that yeah, the VC, so isn’t you’re not just paying for knowledge, You’re paying for actual value. These are the things that are moving forward and this is how much they’re moving forward, this is the risk that’s left over, you know, that kind of stuff. Um Yeah, makes it worthwhile. I think so.

[00:04:47] Brad Nigh: Yeah. Cool. Yeah, that’s kind of, one of the big ones is and that the other was just being able to be, meet them more customers more where they’re at, Right rather than going in with a 700 question assessment when they have nothing and you can just see them kind of like glaze over halfway through the first morning. Well let’s figure out where they’re at. Get them so that they are in a position to succeed.

[00:05:15] Evan Francen: Yeah. Cool. I’m excited to see that. So when we’re ready, that should be a show topic really. We should talk about what, because we’ve done it before, but things have changed now. So what is a vCISO? How do you hold the vCISO accountable? Uh, you know, what things to look for, what things to avoid? Um, don’t just pay, you know, X number of dollars per month to just have a vCISO. Right. I mean, they got to do something,

[00:05:46] Brad Nigh: Right. Right. Yeah, tying into today’s subject. How do you help have accountability for them?

[00:05:55] Evan Francen: Oh yeah, yeah. Yeah. I’ve been terror. So we’ll get into the accountability, uh, stuff. So you’ve been working on incident response. You just released an incident response plan template. I think it’s a really, really good one. It’s long. But you know, plans need to be long sometimes.

[00:06:16] Brad Nigh: Yeah. And there’s a lot of, like, references to the different PCI and HIPAA and all the different regulatory requirements. So yeah, people can take that stuff out if they’re not, uh, subject to it, but I’d rather include it so you can remove it than not include it and you don’t have it.

[00:06:37] Evan Francen: Yeah. See, that’s a great plan template that you can use, you know, functionally within the organization, but it’s also a good plan template to share with, you know, ancillary members of your incident response team. So your legal counsel should have a copy of your plan, and you know it, no, you know, some lawyers haven’t, you know, uh, they don’t have a ton of experience in dealing with incidents. And so I think having them have a plan and having in that plan, you know, different regulatory requirements is a good job aid for everybody,

[00:07:17] Brad Nigh: Right? Yeah. Yeah. And that that was really the goal. Get something out there that’s educational, functional and not overwhelming. It’s written in a way, obviously there’s a lot of technical and pretty deep dives in there, but you try to write it in the way that people can understand.

[00:07:37] Evan Francen: Mhm. Yeah. So if you want to find that FRSecure incident response template, you can find it on FRSecure’s website, or I’ll put it in the show notes too. So the show notes, this is episode 98. So if you want to find the show notes, just go to Evan, uh, you know, go to podcast, find episode 98 and I’ll put them in the show notes. Cool. Oh yeah, because crazy, man, for me, I mean every week is crazy really. It seems like, um, I gave a talk to Indiana InfraGard. That was pretty cool. I got my time zones mixed up. So I didn’t realize, you know, dumb, Indiana’s in the Eastern time zone and we’re in the Central time zone. So I sort of showed up a little bit late for my talk. And what I was talking about was, you know, information security in schools. So that, all right, you know, whatever. And I think it was last week that I did the Wizer panel, I can’t remember. Uh, but there was a Wizer panel, you know, Wizer training. They’re really cool. Wizer, uh, does how much are free training, which is, like, awesome and it’s great quality. So that’s cool. Gabriel Friedlander’s the founder over there. And yeah, super good guy. Uh, last week, well, SecurityStudio, we released version 3.9 of the platform, which is kind of cool. There’s some neat things that are very

[00:09:15] Brad Nigh: cool stuff in that.

[00:09:17] Evan Francen: Yeah, and if you’ve got 10, but I’m not gonna release, am I gonna tell you anything about it yet? Uh, we released a work from home security policy template, uh, which is also in the show notes. Now, this is a different sort of template. I know we have remote access templates, we have telecommuting policy templates. This is specifically a work from home policy template catered towards the current sort of COVID and, yeah. Um, and what prompted writing this one? There was a news thing that I read that said, should your business have a work from home cybersecurity policy? I was like, uh, yeah, you don’t play games without, right. Right. So you have to have rules, not that everybody has to read them and master them, but if you’re the security person you better. So, uh, I understand that a lot of people don’t like policy, but my gosh, there, you know, you talk about accountability, I

[00:10:29] Brad Nigh: think. Well, yeah, it’s not the fun or quote air quotes, sexy part of information security, but it’s so critical to establish the rules and the guidelines and how things need to be done. Right?

[00:10:46] Evan Francen: Yes. Yeah. I mean, you can’t game without rules. So you and you can’t run a security program without rules. You have to have rules. You can’t have a society without rules. I mean, rules. Yeah. Without rules, there is chaos. And so, you know, which is, you know, unfortunately a lot of security programs you see are chaos. Okay. So, and then the second thing that I wrote up last week, because this came from the Security Shit Show, um, two weeks ago. Well, uh, just accountability, you know, we were really frustrated with, you could sense the frustration in the discussion about ransomware. Like, I get, I can cut you slack if you get ransomwared. Where I can’t really cut you slack is if you recover from it, because then you’ve done really terrible planning. You haven’t done backups, or the backups that you’ve done haven’t been well protected. And we’ve been preaching about backups since, like, forever, since there was data, I wish. And the importance of protecting backups. And so, you know, we were discussing, you know, why are we still here? Why are we still having this issue? And so my mind went towards accountability because nobody is being held accountable for it.

[00:12:14] Brad Nigh: Well, it goes back to, like, the policy too, right? If it is not documented whose responsibility it is, how are you gonna hold someone accountable? Mhm. All right. If it’s not documented that that’s my responsibility, do I know I’m supposed to be doing those things? So.

[00:12:30] Evan Francen: Right. And if you don’t have this discussion between executive management and IT, then you’re left, just assume, executive management just assumes that IT has discovered, or, you know, the question, the line of questioning might be, so we’re protected from matter? Right? And it says, well, yeah, of course. Okay. But there’s a lot more to it. Yeah. Right.

[00:12:56] Brad Nigh: Go, yeah. We got antivirus, so we’re protected. Well, really, that’s not the whole picture. So it may not be even less. Right. It’s just maybe they just don’t know.

[00:13:08] Evan Francen: Well, that’s it. Right. So that’s what led me to create this ransomware recovery contract, which is a simple one-page contract. And in the contract, executive management gives it to whoever is running IT, whether it be an outsourcing provider or an in-sourced, you know, inside IT director or something. And so here are, I don’t know, I think there are 10 things there. Check these 10 things, and if you’re not doing one of these 10 things, just give a simple explanation or exception. Mhm. And then sign it and return it back to me, right? And then I will countersign it, because my part as the executive management person is to acknowledge that, yes, these are the most common things, but I do understand that sometimes, you know, no matter what, you can’t protect yourself against everything, right? You know what I mean? Yep. So there’s this mutual agreement between executive management and IT. Yeah. Which, if I was the IT director, I would like it, because then I can sort of, like, brag, yes, I got all these 10 things done, or, oh crap, two of these 10 things we don’t have. So let’s get those things done. So then I can look good for executive management.

[00:14:43] Brad Nigh: The flip side of that, too, is that now, if you’re in IT, executive management has to support you to get these things done. If you don’t have the resources to do, you know, the backups to match it or whatever it might be, well, write in the exceptions so that executive management has to provide the resources to satisfy those requirements.

[00:15:08] Evan Francen: Right. Yeah. So that ransomware recovery contract has been, you know, pretty popular. We haven’t publicized it much, but I think it’s simple. It’s free. I released it under the, you know, Creative Commons license, so you can put your IT as much as you want, change it, whatever you want to do with it. Um, and to go get that contract and to go get the template for the security policy, you know, the work at home or work from home security policy template, to get the other template, the, uh, incident response plan template, all those things are, you know, in the show notes, so, you know, grab them, use them, make them yours. Yeah. All right. So now on the accountability, so accountability, that’s kind of where it really, I mean, I’ve pushed on accountability for, it seems like, forever. Uh, but it really boiled up to, you know, kind of a hot topic again. And like I said in the Security Shit Show a couple of weeks ago, I believe it was episode 18 of that. Um, and so I wanted to talk, so let’s talk about accountability. Let’s talk about maybe the lack of accountability in information security. Uh, yeah. And if you get a chance, go check out the Security Shit Show episode 18. It’s two hours long. So you probably don’t have two hours to give up. But if you did, you can go do that. Ah, well, the ransomware contract, there’s that. Have you had a chance to see that? Yeah, I mean, not even shared it with

[00:16:44] Brad Nigh: you. Yeah you sent me the draft.

[00:16:48] Evan Francen: Okay good. And what did you think? What are your thoughts on it?

[00:16:52] Brad Nigh: I like it it makes sense.

[00:16:53] Evan Francen: Okay, good. Any decisions we need to make to it, you know, as things, you know, kind of go where they go, you know, we’ll do that, just like you guys are doing the, uh, you know, the new revision of the vCISO or the fact program. All right. So on accountability, you know, we can start sort of anywhere, but, you know, first off, what’s the importance, you know, let’s talk about the importance of accountability. Um, why do we have to have it? Yeah. Well, it’s not obvious. It’s not obvious, buddy. Right.

[00:17:29] Brad Nigh: Well, I don’t know. I think if you don’t have accountability, how do things get done? Right. Yeah. If there’s no accountability, I didn’t feel like doing it, so I’m not going to do it. That leads to other issues down the road, whether it be system failure or inconsistency, data errors, whatever it might be. If you don’t have accountability, there’s no way to, you know, make sure people are doing what they’re supposed to do.

[00:18:01] Evan Francen: Right. And there’s different ways to, you know, enforce and kind of accountability. I mean, the first thing you need to do is define it, but then the way you implement accountability, it doesn’t have to be a strong-armed, you know, oh, things went bad, so now I’m gonna beat you up accountability. There’s the accountability of informing people, of empowering people. You know, I think a lot of times when I talk to people about accountability, they’re like, oh yeah, I guess I didn’t think of that. It’s not like people purposely want to cause harm, so they want to do the right things. Help them do the right thing.

[00:18:41] Brad Nigh: well and and there’s, I mean I’ve seen it a lot where people didn’t even know they’re supposed to be doing something. There was an assumption that they were killed by other team members or management that this person was doing whatever task and that person had no idea that was supposed to be doing it well, that’s an accountability there as well. So it helps you do your job better, make sure that expectations are met.

[00:19:07] Evan Francen: Yeah, yeah, absolutely. And I think so much of a, you know, you just look across the industry, you look at all the organizations we’ve worked with over the years, and so often they just continue to make the same mistakes. You know, we talk about ransomware and the fact that here we are many years later and we’re still preaching, you need to back up your data and you need to protect your backups. It’s almost like we should go back to the old DLT tape, you know. I mean, seriously, some people probably have those tapes, those big, you know, tape libraries stuffed in a storage room somewhere. Pull that sucker back out again and start doing tape backups, because it’s going to be hard for ransomware to get into your tape backups.

[00:20:01] Brad Nigh: Well, I mean, everybody kind of laughed at it. But I mean, the last place that I ran the IT program, we did back up to disk. So we had immediate restoration locally, a copy of that to our DR site, and then once a week we did full backups on tape and sent them off site. Mm. So we had kind of a hybrid of that. But if something had happened, we had three different versions or three different locations to recover from. Yeah.

[00:20:34] Evan Francen: You think it’s safe to assume, or safe to not assume, safe to say, that if there’s no accountability, you really don’t have a security program.

[00:20:48] Brad Nigh: Uh well, you can say you have one, but it’s not going to be a successful security program.

[00:20:54] Evan Francen: Well, so what would you be relying on if you don’t have accountability? Which is relying on luck? Uh, chance.

[00:21:02] Brad Nigh: No, I think, yeah, that’s what you’re saying. I think you would be relying on people to know what they’re supposed to be doing and doing it versus informing people what they should be doing and how to do it.

[00:21:15] Evan Francen: So the difference in formal and informal. But, well, we just assumed then that people just know what they’re supposed to do.

[00:21:23] Brad Nigh: Well yeah that’s the issue right? I think there’s a lot going on,

[00:21:30] Evan Francen: Right? Yeah. And one of the news topics that we’ll talk about, you know, towards the end of the show, is, uh, you know, last week somebody died, uh, you know, as a fairly direct result of a ransomware attack. Yeah, that’s going to happen more. Right? Who’s gonna pay the price for that? Who’s supposed to be protecting that person in the hospital? Who’s supposed to be maintaining the IT systems to make sure that that doesn’t happen? Who’s supposed to be, you know, and here’s another thing that we’ve been preaching since, like, forever: defense in depth, right? Ah, segmentation of your network, not segmentation but maybe even isolation of your network, putting firewalls. You know, this is just so many basic, basic things. It’s like, and now somebody else pays the price for your mistake. Yeah, and it is your mistake. And I know that, well, you can’t prevent all bad things from happening, yet, but you can take a lot of precautions to make sure that this stuff is really, really, really, really unlikely to happen. Yeah, and hospitals haven’t done that, whether they don’t have funding or whatever. Somebody’s not being held accountable for this.

[00:22:52] Brad Nigh: Yeah. Well, we’re just, having seen the different incidents coming in, I mean, yes, the attackers are going to go for the path of least resistance, right? And we see the incidents come in that, it’s like, yeah, there was no resistance here. Just do the basic stuff. No, you know, and even if it’s just doing external vulnerability scans and closing down what doesn’t need to be opened, that’s a really easy thing to do that can significantly lower your risk.

[00:23:25] Evan Francen: Well, you bring up a good point. So when is the time? Because I had a call yesterday, a friend of mine who was, uh, you know, a CEO of a very large company, and he’s, you know, taken up a position at a smaller company, I think with maybe, it’s a fast growth company, but, you know, 350 for our employees, where it came from was, like, 50,000. And, uh, you know, he was telling me about just the complete lack of information security, the, mhm, uh, you know, no maturity in their security program at all, and they have really, really sensitive data. And so he’s like, and he’s only been there for a week, um, sort of like, yeah, you know, we don’t know which MSSP to go with. Uh, do you think maybe you’re being a little premature? He’s like, what do you mean? I go, who’s responsible for what? Even if you got your hands around, like, who’s doing what here, what would an MSSP do? What would be their accountability, what would be their responsibilities, what are yours? What about executive management? Do they know that they play a role in all of this? He’s like, oh yeah, maybe I’m going a little bit too fast in trying to sign a contract that I’m going to be married to for the next 23 years. For what?

[00:24:50] Brad Nigh: Yeah without knowing

[00:24:52] Evan Francen: what you’re doing, right? I said, so what is the MSSP gonna do for you? And he’s like, well, you know, uh, they’ve been talking about, you know, implementing MFA and all these other things. You know, those are great things. What about your asset inventory? Do you have one? What do you mean, what things need to be secured? You know, have you done any vulnerability scans? Do you know what things are exposed on the internet and what things are not? Do you even know what things require multifactor authentication? Do you already have multifactor authentication? You just haven’t turned it on? Right. I mean, like, holy crap, step back. Let’s go back to the very beginning. What about accountability? Yep. What about who does what here? Right.

[00:25:39] Brad Nigh: And how are you going to inform them of that responsibility? And how are how are we gonna you know hold people responsible for it?

[00:25:50] Evan Francen: Right. And you can nail this stuff out fairly quickly in a smaller organization, 100-500 employees. You can do this in, you know, maybe a one or two hour conversation, right? Because he’s a new CIO and he’s got peers who are also executives. Sit down and talk about accountability. Who is responsible for information security here? Yeah.

[00:26:19] Brad Nigh: I mean, it’s one of the first things we we work on is with that information security uh committee charter defines who is responsible for what and how it’s going to be, you know, managed or upheld or how you’re going to be held accountable. It’s that you have to start with that.

[00:26:42] Evan Francen: Yeah. So that, and that was my question, you know, when is the right time to define accountability? It’s like, at the beginning, uh, before you go buy stuff. Yeah. Before you write policies, before you really do anything, you know, who is responsible for what here? And then you refine it, right? You’ll, okay, here’s another set of responsibilities, who may be responsible for these? But at the highest level, ultimately, who’s responsible for information security here? Yeah. It’s not the CIO. Yeah. Should be

[00:27:20] Brad Nigh: No, no, that’s that’s competing interests with security.

[00:27:25] Evan Francen: Well, exactly. And the CIO is not well equipped to take into account the rest of, you know, the rest of the organization in terms of, you know, the financial department, the sales department, the marketing department, on and on and on. All these things need to be sort of incorporated into the design and effectiveness of your security program. I can’t do it in a box. I can’t do it in an office by myself. That’s failure, because nobody’s gonna buy in, or if they do buy in, it’s half-assed at best. Right? Yeah. So defining accountability as early as possible. If you haven’t defined it, if it’s not really clear in your own organization, get on it. Reach out for help if you need it, right. Uh, and when you reach out for help on these things, reach out for help from somebody who doesn’t sell product. Right. Right. Someone who’s product agnostic. There are many consultants in the mix who don’t hawk product. There’s nothing wrong with hawking product, but understand that if I hawked product, my, uh, my advice is going to be biased. Whether it’s overt or not, it’s still gonna be biased,

[00:28:44] Brad Nigh: Right? Yeah. Yeah. Things just human nature.

[00:28:49] Evan Francen: Right. All right. So define accountability immediately and continue to revisit accountability also, because, and that comes naturally, because if you’re actually taking your accountability seriously, if it’s actually functional, then you’re always in it, right? You’re always in this accountability. It, uh, what has become something that you do business?

[00:29:16] Brad Nigh: Yeah, it’s a self feeding cycle, I guess, right. Yeah. It’s a positive way. It just feeds itself and continues to grow,

[00:29:27] Evan Francen: right? And at the beginning, you know, for organizations who are newer to this, it’s awkward. I get it, but you need to fight through it, right? Eventually it becomes less and less awkward. The reason why it’s awkward is because it’s new. It’s not something that just comes second nature to you. It does to me because I’ve been doing it for 20 freaking years, and so have you.

[00:29:51] Brad Nigh: Right. Right. Well even even when we do it right, and it’s easy to, it’s easy, easy for us. I think it’s still difficult to go into an organization and explain that to them because like you said, they’re not used to this. So I think that’s a big piece of it is getting, getting to buy in from the top and being able to communicate with the organization and the business units in a meaningful way. It’ll end in a way that they understand.

[00:30:24] Evan Francen: Exactly. And that’s a lot of things I think we take for granted. It’s just the understanding, uh, because somebody doesn’t understand you doesn’t mean they’re stupid. It means I speak a different language than you do, right? Translate. Right? So this looking down upon people, that’s just going to kill you. Well, this

[00:30:44] Brad Nigh: and if you’re trying to get a point across and somebody’s not understanding it, isn’t it on you too, that you’re not doing a good job explaining it? Like, step inside a little bit, take some personal accountability,

[00:30:59] Evan Francen: right? Yeah. Maybe you suck at communicating. Did you ever think of that? Hey, it’s possible. I mean, that’s my wife.

[00:31:08] Brad Nigh: I

[00:31:08] Evan Francen: mean,

[00:31:11] Brad Nigh: it’s probably more than likely in a lot of situations, right?

[00:31:16] Evan Francen: So when you look at accountability, you know, there’s kind of macro accountability when you talk about, like, in tech, in the tech industry. This is one of the things that just kind of, yes, it’s weird. Uh, we create buggy software, and you’ll never have no bugs in your software because we’re human beings, we make mistakes. What’s tolerable? When can I hold Microsoft accountable, or when can I hold Adobe accountable, or any other software manufacturer accountable for the bugs in their software that I suffer from? Yeah, I mean, you can’t just, like, continue to be like, yeah, well, you know, your software was written like crap and so it had a vulnerability, and that vulnerability was a critical severity vulnerability and you didn’t tell anybody about it, uh, whether you knew about it or not. I mean, the fact of the matter is I installed it in my environment and it ended up costing me, you know, millions of dollars worth of losses because somebody would defended vulnerability. I have no recourse. Yeah, yeah, that’s broken. There’s gotta be some shared ability there. Otherwise, the only reason, I mean, what really, software companies, I think, continue to make software the way they make software and people keep buying it, and they’re not really going to change much, uh, because they will convince, you know, we take security seriously, who certainly that, uh, but there’s no, I mean, if they do release a bug, you know, maybe if we take a shortcut on this because we are not, that the release is going to be available, you know, September 2020, and everybody’s counting on it to be ready by September 2020. Uh, you know, we’re a little bit behind, we can take a few shortcuts on QA maybe. Yeah, yeah.

[00:33:26] Brad Nigh: Gosh, I don’t even, I don’t even know from some of these larger organizations, like when saying that I was thinking more if you were developing software, right? How would you internally do it? Because a lot of companies do that,

[00:33:41] Evan Francen: I mean sure. What’s that too?

[00:33:44] Brad Nigh: So gosh, I’m not sure how you would do that with Microsoft and Adobe or Oracle with Java or any of those, that you really don’t have any recourse. It’s not like you can not use, just not use those products. I mean, there’s, you know, SCP, and you could go down the list of all these business critical software and there’s just nothing you can really do about it.

[00:34:16] Evan Francen: And what about the software that runs in autonomous vehicles? What about the software that runs, you know, insulin pumps and, you know, these other things? Yes. Uh, you know, we saw somebody died last week or the week before from ransomware, but there will be more people who die from bugs in software, because the software runs something that my life depends on. Yeah. So anyway, that’s a deep subject. I mean, we could talk about that one all the time. But the point here is just to bring this up as, hey, it’s a concern. We should start thinking about this, or we should think about it more, or we should do something more, because us as a society are so dependent upon technology, so dependent upon the software that runs everything we use. Yeah. I mean, we talk about defining accountability upfront and how important it is at the beginning or as early on in the process as possible, yet tech is 500 miles ahead of us.

[00:35:24] Brad Nigh: Yeah, Yeah.

[00:35:28] Evan Francen: So, and on that same point, man, Did you have you, have you, did you watch the movie the social dilemma yet?

[00:35:34] Brad Nigh: No.

[00:35:35] Evan Francen: Oh God, you gotta watch it bro. All right. Yeah, I’d say tonight.

[00:35:42] Brad Nigh: Yeah. Is this for about the, no, this isn’t the one with the kid for the kids, is it? No, this is it. I haven’t seen this one.

[00:35:55] Evan Francen: Yeah, I watched it last night and, yeah, I’m bought in, man. I need to, we need to do something, uh, to help this, uh, issue. But so go watch it. You know, for listeners, go watch The Social Dilemma. Even if you don’t agree with it, which, man, that’d be a good debate for us to have. Uh, uh, it’s definitely an eye opener and something to think more about. It confirmed a lot of things in my mind that I thought, or I was pretty sure, were true. Uh, it just confirmed a lot of those things, so watch it and then let’s talk about it tomorrow or something, you know. Give me a call, I’d love to hear what you think. Okay.

[00:36:41] Brad Nigh: Yeah, I will put it on the list to uh it might be, might have to be later this week because we’ve got a ton of stuff going on with

[00:36:52] Evan Francen: soccer. Yeah. Life, life, life your life stuff to do.

[00:36:55] Brad Nigh: Cool. And I know, right. Weird. I would definitely.

[00:37:01] Evan Francen: Cool. So who is ultimately accountable? So in big organizations who is ultimately responsible for information security in your mind?

[00:37:12] Brad Nigh: I mean, ultimately executive leadership,

[00:37:17] Evan Francen: yep. And the board,

[00:37:18] Brad Nigh: you know, whoever that top level of management or leadership is. Yeah.

[00:37:24] Evan Francen: Yeah. So if you look at an org chart, if you’re wondering who it should be, look at an org chart and then, uh, as you know, evaluate for yourself, you know, if the CEO of Best Buy or the board of directors of Best Buy, I’m just, I just picked any company, I have no idea. And I’m not going to speculate on how Best Buy runs their security program, I’m guessing really well because I know people there, uh, but the board of directors is ultimately responsible for information security at Best Buy. So if you ask them, would they agree? Probably. But how about other organizations, do they, do they know that?

[00:38:11] Brad Nigh: Yeah. Uh, you know, I don’t know from that Fortune 100, Fortune 500 size. But even large organizations, let’s just say over 2,500 employees, far more often than not, no.

[00:38:29] Evan Francen: Right? Because if they did know that, like if you were gonna tell me that I’m responsible for something of this magnitude, I’d ask for information about it on a pretty regular basis. Yeah, I don’t need to know all the details. I don’t need to know firewall configurations and vulnerability reports. But what I do need to know is a current status, and I need to know what we’re doing at a high level, yep, constantly, almost like give me a dashboard.

[00:38:58] Brad Nigh: do we have a, have there been any incidents, do we, where we at where we’re going? Is there a road map, are we making progress?

[00:39:08] Evan Francen: Right. And maybe how much is it gonna cost us? Yeah, so you know, that’s where it starts. Oh, you know, in big organizations that have boards of directors, uh, somebody has to have this conversation at some point, because whether they want to be accountable for it or not, that’s where the buck stops, they are accountable for it. So then defining that and making it known, yep, yep. Uh, in small organizations, it’s whoever is at the top, right? If you have a CEO, it’s the CEO; if you have a president, it’s the president; if you have an owner, it’s the owner. Whoever sits at the top is ultimately responsible for information security, whether they know it or not, whether they practice it or not, that’s the truth.

[00:39:59] Brad Nigh: 100%, you know, and even it’s the same, no matter where you go right, it always starts at the top,

[00:40:11] Evan Francen: right. And so, and we’ve been saying that one of the things that, you know, even after years in information security, that it starts at the top, and I think what, we’ve dropped the ball and we’ll talk about this towards the end of this discussion is what can I actually do about it? Because I’m sort of tired of Yeah, we all agree. Yeah, yep, yep. The board, the board is ultimately responsible yet. What are you doing? What did you do? Well, did they take responsibility, or are they still shirking it? Or do they even know? Did they say anything

[00:40:49] Brad Nigh: That, I think that’s the biggest thing, is they go, yeah, sure, we’re responsible, but they don’t know what that means. It’s not defined anywhere.

[00:40:57] Evan Francen: So,

[00:40:59] Brad Nigh: Going back to our Security Committee charter, it defines exactly what the board would be responsible for, or the executive leadership or whatever you call it, and, you know, a big part of it is ensuring, empowering the committee or the security officer, whatever, whoever is going to be implementing these things, has the authority to do it, and is given the resources, either money or staff, whatever it may be, to accomplish those goals. So define what they’re supposed to do, so that they know what that is.

[00:41:36] Evan Francen: right. And if you’re questioning, you’re not sure whether or not this is working in your organization. So at the top level if they’re not receiving regular periodic updates on information security, then it’s broken.

[00:41:55] Brad Nigh: Yeah. Now here’s, this is always a debate, and obviously it’s gonna be per organization. But what’s the right frequency?

[00:42:06] Evan Francen: Well, that’s up to you. What’s not the frequency is never Yeah. What’s not what’s not the right frequency is once what’s not the right frequency is, I mean, you’ll have to defend that, right? That’s part of your accountability. If you if you define once a year, okay, you’ll have to defend that should something bad happen is when you’re Yeah, that’s that’s totally up to you. I was like, what is it quarterly or monthly or weekly or live?

[00:42:36] Brad Nigh: Yeah, no, I was like the the quarterly like email update type of thing, like a written quick update. Hey, here’s where we’re at and then, you know, annual in person, kind of Q and a type of things that way they’re in the loop throughout the year and then there’s an annual accountability really.

[00:42:58] Evan Francen: Yeah, you do. It is really up to you. It’s up to the culture of your organization and those things, but what’s not okay is not defining the accountability and not having anything about those roles. So small organizations, same thing, a little bit easier to affect change because you’re closer to the problem. You’re closer to that executive, closer to the founder, closer to whoever is ultimately responsible. Ah, and truly I’ve told security people this before, that if you fought to get it done and feel like you’ve kind of done everything you can, but they just won’t take accountability, they just won’t get involved, leave. Leave the organization, go work somewhere else. Why keep banging your head against the wall?

[00:43:52] Brad Nigh: Yeah. Yeah. Because if something happens and they’re not taking that, you know, they’re not giving you the resources, they’re not doing it. Most likely they’re going to pass the buck to you. If something happens anyway. And you know, we’ve seen that where you work through an incident and you’re working, you know, recovering and doing insane hours and then get let go.

[00:44:16] Evan Francen: Right, Right? Yeah. Somehow became your problem. So, um, and I think good leaders, you know, they say shit flows down. If that’s the truth in your organization, you work in a crappy organization. It’s supposed to flow the other way. Executive management is supposed to take account of the ship. Right? Roll it. Uphill. That’s why they get that’s why they get paid more by the way. So I was one of the reasons I’ve

[00:44:48] Brad Nigh: been told before that quote from the guy, or whatever, the head of the IT department, that quote, I’m not going to take the responsibility, to take the fall for this, when resources weren’t provided and there was an issue, right. Not, not a great organization.

[00:45:07] Evan Francen: No, no, not at all. Shit. Excuse my language. I’ve been swearing too much. It’s a, it’s a crappy culture. So what about public organizations? You know, I had a discussion last week, um, with, uh, somebody who was writing an article on my behalf for, uh, a publication for county and city government, maybe, uh, we were talking about accountability in a public organization. And so, you know, I was curious, are counties run the same way, you know, from county to county, and are cities run the same way from city to city? And so I just googled, uh, city organization chart and then went to images. It’s like, oh my gosh, there’s a bunch of different ways that cities are run, and I’d say the most common is the city council and the mayor, who just sits on the city council at the top. And, uh, so I was telling this, you know, marketing person, that, um, it’s not somebody who works at FRSecure or SecurityStudio, you know, it was an outside person. Um, I was like, if I was to call a city council member today and ask them the question, who is ultimately responsible for information security in your city, I’m guessing what they would probably do is forward me on to their IT director.

[00:46:47] Brad Nigh: Yeah probably.

[00:46:49] Evan Francen: And so the person I was talking to was like, really, you think so? Mike, sure. Let’s pick a city right now. So I picked Champaign, Illinois. I said, here’s the city council members, which one should I call? You know, they’re like, we’ll call that guy. All right. So I picked up the phone, called him. So, hey, you know, I’m doing some research, you know, about, you know, kind of how information security works and things like that. Can you tell me who is ultimately responsible for information security at your city? He’s like, oh, I’d have to, I would have to turn you over to our director of IT. I was like, okay, sounds good. Uh, and then, you know, hung up and I said, see, I told you, they don’t even know.

[00:47:41] Brad Nigh: That’s funny. Yeah, it’s unfortunate. I mean it was funny and got it right, but not that they didn’t know.

[00:47:52] Evan Francen: I know. So take one of the biggest, you know, I think most famous breaches in cities in the United States, the Baltimore ransomware attack. $18 million was the final price tag, I think. Oh, who is held ultimately responsible? Do you think the city of Baltimore, do you think the city council members and the mayor of Baltimore say, I am responsible for information security here in the city? Do you think, because I wonder, I’m curious if they have even, that’s a good question, if that’s even explicitly defined when we talk about accountability, and it cost the city $18 million.

[00:48:38] Brad Nigh: well, and the accountability will be with the voters, right? Do they get to keep their office or they voted out?

[00:48:46] Evan Francen: But I don’t think they know either, because tech has gone so fast and we’ve moved so far down the path that I don’t think voters even know or can put this into context, because they’ve got lives to live and tech has just gone so fast. Do they know that, due to lack of accountability, or maybe you’ve got good accountability at the city of Baltimore, but due to lack of accountability, let’s just say it went that way, due to the lack of accountability in the city of Baltimore, the likelihood of you spending $18 million again on another attack is, you know? Yeah. Yeah. It’s higher. It’s probably going to happen again. Maybe. I don’t know. Yeah. I don’t think they take that into consideration as much when they’re voting, right? And yet it’s costing so much money and people are dying now, right? How many people need to die before you’re going to be like, I’m gonna hold somebody accountable for this, you know? Yeah. Because I’m guessing you look at the person who died, who’s in Europe, you’re gonna say that’s, that’s never gonna happen to me. Yes, it is going to happen.

[00:50:15] Brad Nigh: Oh yeah. I mean, you just never, you just never knows

[00:50:23] Evan Francen: Right. But I know that without accountability, the chances are much higher that’s going to happen to me. Yeah. So anyway, in school districts, I think that’s kind of the same way. Now my heart goes out to schools right now because of the whole COVID thing, and they’re working their tails off, and they do it because they love kids. Uh, but in, in a, in a school district, who is ultimately responsible? It’s the same as the others. The highest on the org chart. So the highest on the org chart would be your, your, probably your school board and probably your superintendent. Yeah, I would agree. Uh, so holding them accountable, you know, again, inform them that this is the way security works. Uh huh. Yeah. So there’s examples of good accountability, you know, certainly I’ve worked, you know, there’s one that pops in my head, I can’t share their name because I’m still working under attorney-client privilege there. But man, their board is actively involved in information security. It’s part of the regular agenda. Um, they use the audit committee portion of the board to get things done with information security. It’s just a really well run organization for accountability, awesome.

[00:51:55] Brad Nigh: Well, I mean, yeah, I think the one and it’s put on the opposite coast of the one you’re thinking of, right? It’s the, it’s the same thing. It’s like they flew me out to do a board presentation and the board was actively involved asking questions like and hard questions, which is what you want. All right. But just to see that is, yeah, it’s great. It’s rare,

[00:52:30] Evan Francen: but

[00:52:31] Brad Nigh: there

[00:52:33] Evan Francen: When, and it just shows that it can be done, right? These are, and I think both of these organizations that you and I are thinking about are successful, and I think they’re probably more successful because they have that sort of ethical responsibility. Um, that, you know, it sets them apart from other organizations, not just from a security perspective, but from an overall business perspective, it’s a better way of doing business. Yeah. So anyway, I’m texting, texting the next meeting because we’re running late and I want to be nice. All right. So other things, uh, so what to do about it? So it starts with discussions, it starts with communications. It starts with asking who is ultimately responsible for information security here. It starts with, ah, you know, talk to your manager. Now if your manager happens to be the CISO or the CIO, well, great. You have a C-level, talk to them about it. Yeah, explain it. Be prepared to defend it. If you can’t, yeah, defend this, then ask somebody, ask me, ask you, uh, you know, ask somebody who can go to bat for you, because the fact of the matter is people suffer when we do things wrong, when bad things happen, right? Uh, so we owe it to them to do it right.

[00:54:13] Brad Nigh: And not only just discuss it, get it in writing, formalize it, document it, make sure that everybody understands it and knows what their responsibilities are, so that there is, it is there.

[00:54:29] Evan Francen: Right? And don’t overcomplicate it. Right. Start with just a discussion, and hopefully you can get some time in a meeting, maybe, to talk about these things, to hash it out, why it’s, you know, explain why it is a good idea for the CEO to take responsibility and the board to take responsibility versus, you know, shirking it or playing ignorant.

[00:54:54] Brad Nigh: Yeah. And you keep it simple. Like our committee charter is one page. It doesn’t have to be crazy technical, whatever. It’s high level. What are these roles and responsibilities? What does that, what does it mean at a high level? Yeah.

[00:55:14] Evan Francen: Yeah. All right. Well, this is a deep subject, and certainly we could talk, I think, a lot more about this. I’d love to give a lot more examples. Uh, you know, um, there’s just a lot more to this than just this, but it has to start somewhere. This is a start. Um, everything moves fast. Like I said, you know, a couple times, tech has moved much faster than our accountability, much faster than our laws, much faster than our regulations, much faster than anything. So just to assume that, well, the law will catch up or regulations will catch up, that’s only going to happen if we make a conscious effort to do that, or slow tech down. Now I think it’s probably unlikely we’re gonna slow tech down. So I have to do the first

[00:56:03] Brad Nigh: not to a degree

[00:56:05] Evan Francen: stop. Right? So for listeners who are wondering about, um, us doing that series that I mentioned last week about, you know, politics and information security, it’s still, it’s still being considered, it’s touchy obviously, but, uh, you know, we just have to pull it all together. Uh, all right, on to the news. I’ve got three news stories to talk about. The first one is about that hospital patient who died, uh, following a botched ransomware attack, and that’s actually the title. This is on Graham Cluley’s blog. It’s “Hospital patient dies following a botched ransomware attack.” Düsseldorf, Germany, uh, yeah, actually, the systems, you know, some of the critical systems were knocked offline, uh, due to that, um, yeah, yeah.

[00:57:00] Brad Nigh: What’s, it was horrible. It was, looks like it was intended for the university, not the hospital. Uh, obviously the hospital had vulnerabilities because they got in, but it was interesting to see that once the attackers were contacted and told that it was a hospital, they provided the decryption key. It was kind of interesting to see

[00:57:23] Evan Francen: that. Well, that’s very nice to them, isn’t it?

[00:57:26] Brad Nigh: I mean, obviously it’s a horrible situation and you never want, but I just found it interesting that they, but they did that right after they’re trying to extort money,

[00:57:39] Evan Francen: I think they did it because they were scared more so than, you know, they’re good people. Oh,

[00:57:43] Brad Nigh: I, I don’t think it was an act of generosity, but it was just interesting.

[00:57:51] Evan Francen: Yeah, because, you know, criminals. The thing about criminals, you know, uh huh. Just assume they have no scruples, because they kind of don’t. They’ll defend that they do. But yeah, so what happened here was, uh, yeah, they sort of hit the wrong place, and a seriously or critically ill patient who would have been taken to Düsseldorf instead had to be diverted to another hospital, uh, in Wuppertal, and died. So it wasn’t that the ransomware actually took, uh, you know, a critical, you know, patient system offline. It, it forced a diversion to another

[00:58:46] Brad Nigh: delayed treatment for an hour.

[00:58:49] Evan Francen: Yeah. So 30 servers taken offline. But again, the end result this somebody who may have lived died. Yeah, Yeah. Sad. Yeah, it is. But you know, we’ve talked about this, right? We’ve talked about this, remember my prediction about a couple of years ago, three years ago?

[00:59:12] Brad Nigh: Yeah. I thought about as soon as I saw that news, I was like, he was off by a couple of years, but called it

[00:59:20] Evan Francen: Right? And, and, and sadly more people are going to die because we just haven’t made the necessary changes, right? Sure that they don’t. Yeah, so my next news topic is from Threatpost, and the title is “Google Play Bans Stalkerware and ‘Misrepresentation.’” Uh, I wasn’t really sure, to be honest, you know, what stalkerware even is. So, uh, thankfully they provided, uh, a definition in the article: it defines it as code that transmits personal information off the device without adequate notice or consent and doesn’t display a persistent notification that this is happening. That’s stalkerware. So then I got to thinking, yeah, like every app on a phone is stalkerware, isn’t it? It seems like it. Yeah,

[01:00:25] Brad Nigh: no. Yeah. Be interesting to see what they end up knocking off and booting.

[01:00:33] Evan Francen: Well, yeah, and it says, you know, effective October 1, apps that would allow someone to surreptitiously track the location or online activity of another person will be removed from the Google Play store. Interesting. The

[01:00:52] Brad Nigh: surveillance cameras, stealth audio recorder, dash cam, minicams.

[01:00:57] Evan Francen: Well, well, will Google, does Google take their own medicine?

[01:01:02] Brad Nigh: to be interesting to see like I said, uh if

[01:01:07] Evan Francen: Yeah, so you know, this, on the surface, this seems like, oh, this is a really ethical and good thing for Google to do. But do you realize how much data Google collects about you? Yeah, yeah. Your location. So are they actually being ethical and doing the right thing, or are they just eliminating competition? All right, wow. You know, after you watch The Social Dilemma, I think this will put this into a different context, because I’m thinking that this is more to eliminate competition. So Google, you know, it doesn’t have all these others with, you know, with data that really they want to have.

[01:02:00] Brad Nigh: Yeah, I don’t know. I need to read more about that and see what they end up doing right. You got out.

[01:02:11] Evan Francen: So I thought it was interesting that Google Play, they are banning stalkerware, effective October 1. They’ll be doing this, you know, regularly. Uh, yeah, just an interesting read there. And the last one, which I think is also interesting, is from SecurityWeek. Uh, the title is “US House Passes IoT Cybersecurity Bill.”

[01:02:39] Brad Nigh: actually like this is good.

[01:02:42] Evan Francen: Yeah, yeah. This is a bill that was first introduced in 2017 and introduced again in 2019. The thing I like about this is it’s bipartisan, which is like, what, Republicans and Democrats were together on something? What’s wrong with them? Did somebody drug them?

[01:03:05] Brad Nigh: Why

[01:03:06] Evan Francen: would you work together? It just doesn’t make any sense. Yeah. Yeah. But a lot of tech companies are also supporting the bill: BSA, Mozilla, Rapid7, Cloudflare, Tenable.

[01:03:22] Brad Nigh: Yeah. What I like is it basically is going to require NIST to do standards for secure development, patching, identity management, configuration management, which is sorely needed.

[01:03:36] Evan Francen: Oh yeah, we’re so far behind, so that’s, yeah, it is good to see it. Now the thing is, with every government thing, especially when you put it into NIST, is this going to go out for comment, committee, subcommittee, back and forth, back and forth? It’s going to be, let’s say this bill was passed tomorrow. You’re not going to have, yeah, you’re not going to have the actual standard until what? 2022, literally, just

[01:04:06] Brad Nigh: at least. Yeah, probably.

[01:04:09] Evan Francen: Yeah. It’s got to be a quicker way man because in that time, how many things have changed in the tech industry? I mean, we just have to go faster than this. I mean, I get it. This is a really good thing passing this. This bill. We need more laws. Uh, but you got to move quicker man. We got we just got to get this done faster. People are people are going to suffer more. Yeah, it makes me sad.

[01:04:35] Brad Nigh: It’s a positive step.

[01:04:38] Evan Francen: It is a positive step. I just want a lot more positive steps a lot quicker. Yeah. All right, Well, that’s about it. Episode 98 is almost wrapped Brad. Any shout outs this week,

[01:04:52] Brad Nigh: I’m gonna do one just, uh, more in general, but to all the teachers and educators, and, you know, doing what they love and putting themselves out there every day to make sure our kids are getting a good education. I know it can’t be easy for them. Yeah.

[01:05:10] Evan Francen: Now I’m gonna give a shout out to a guy named Eric Flick, who, you know, works, volunteers his time. He works full time in information security and volunteers his time at InfraGard in Indiana. He was the one who sort of arranged for me to be invited to talk there. And, uh, just a really good guy whose heart’s in the right place, who works hard. Uh, so I just wanted to acknowledge that, you know, I certainly appreciate him. All right. So we’re grateful for our listeners and we love hearing from you, uh, send us messages by email at siete proton mail com or check us out on Twitter. We’re @UnsecurityP. Uh, if you want to socialize with me or Brad directly, I’m @EvanFrancen and Brad is @BradNigh. Uh, we work for people, believe it or not. People who pay us. No. Are you getting paid, Brad?

[01:06:10] Brad Nigh: Need to.

[01:06:11] Evan Francen: Shoot. I wasn’t supposed to say that. All right. Anyway, we do work for people. Uh, if you want to follow those people, do. Uh, SecurityStudio is @StudioSecurity and FRSecure is @FRSecure.