Government CISO Obstacles

Unsecurity Podcast

Today, state and local government Chief Information Security Officers (CISOs) are playing a game they can’t win. Government CISOs face many obstacles and are losing focus on their roles and responsibilities. So, how do we change the way we play the game? Evan and Brad attempt to answer this question in this week’s UNSECURITY episode. They also touch on Apple’s recent iOS 14.7 and 14.7.1 updates and advise listeners to install them as soon as possible for their own safety.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right, welcome listeners. It’s good to have you join us. Thanks for tuning in to this episode of the Unsecurity Podcast. This is episode 141. Yeah, wow. I haven’t done show notes in like the last three weeks, too busy.

[00:00:36] Brad Nigh: Yeah, I know it’s been crazy.

[00:00:40] Evan Francen: Uh, well, the date is July 29. I can’t believe we’re already done with July, man.

[00:00:48] Brad Nigh: I know,

[00:00:50] Evan Francen: Thank you. Thank you. If you look back at the year, I mean, look at all the shit that happened this year so far,

[00:00:58] Brad Nigh: I think, yeah, it’s just been a blur, the last eight months. SolarWinds, Hafnium, Kaseya, like now all the Microsoft stuff that is going on. From a work perspective, it’s been just bananas.

[00:01:15] Evan Francen: And the Colonial Pipeline, right?

[00:01:17] Brad Nigh: That was the other big one, yeah, government coming out. I don’t know if you saw the cybersecurity requirements that are now being required for utilities, which is a plus.

[00:01:30] Evan Francen: It’s a plus. But the one thing that we get wrong today, and this will lead somewhat to what we’re going to talk about today, because we’ve got really two topics today. One is, uh, CISOs so often, and too often I think, are set up in a game that they can’t win. They just can’t win. Mhm. When you look at it from, you know, an objective perspective, uh, and that’s one of the benefits of being, you know, kind of an outsider, as a former CISO myself and, you know, a virtual CISO many times, you as well. Ah, and being a consultant, I’m not in the day to day like a lot of them are. And yeah, it just dawned on me in the last few weeks, like I was talking to the CISO in Washington, Washington State’s CISO, Vinod, unbelievable. I mean, there’s not enough good things I could say about him, you know, just in our conversations that we’ve had, but he’s set up to fail.

[00:02:37] Brad Nigh: I mean, well, realistically it’s not just security, it’s IT too. Like if you think about it, like, well, I know coming up through the ranks, it was always, why isn’t it working, what’s wrong? Or, everything is working, what are you guys doing? It’s always a cost center. It’s always, well, not always, but the vast majority of the time.

[00:03:05] Evan Francen: Yeah, totally, man. And I know, you know, this isn’t news to people that CISOs have a difficult position, but what I’m saying is I think the new kind of spin on it is you’re set up to fail. I mean, it’s like it’s a game you cannot win.

[00:03:26] Brad Nigh: Well, yeah, it’s not a matter of if, it’s when, so you’re always, you know, it’s coming at some point.

[00:03:33] Evan Francen: Well, right, and that’s the game, I mean, and that’s the game, right? So if we define the game, if my job is to facilitate information security here, right? Or I like to use the simple, and I wish people would take notes, and that’s more because so far I haven’t had anybody disagree necessarily, simplify the CISO role, right? Simplify the job. Two jobs, that’s it. You consult the business on information security risks so that they’ll make good risk decisions, and then you implement those risk decisions to the best of your ability. That’s it.

[00:04:14] Brad Nigh: So funny enough you say that, because yesterday, as a matter of fact, one of our incident response, you know, they had an incident, and IT and security was like, I need help, what do I tell them to get MFA enabled? Right? And they finally see, okay, yeah, we should do this. So how do I present that? And basically, you know, I was like, well, what is the organizational risk tolerance? Because without knowing that I don’t know how to approach it. And he was like, basically, like, they were like, and so I was like, okay, here’s what I would do, and we talked through all the options about what they would do. So I said, here’s your bare minimum: if nothing else, you have to have MFA on VPN, every external-facing application, and, you know, all the settings. Then go present it with three options, then your recommendation, saying, hey look, this is the best practice, this is what we should be doing, and then give them a heavy-handed one of, like, absolutely lock down, right. You know, because at a minimum you’re gonna win in terms of, hey, we’re gonna, you know, eliminate 90% of the risk by doing this external piece, right? Yeah, maybe you’re not doing internal, but let them make that decision. Give them those options, let them decide, and implement what they choose. It’s not your responsibility. And you could just, it wasn’t video, but I could see the realization, the light bulb, in his voice. Right? Oh wait, I don’t have to

[00:06:15] Evan Francen: own it. And so that’s the game, right? So the game, and the ultimate game, is risk management. Right? Right. That is the game. So then within that realm of risk management, you know, obviously I need to assess risk. I need to make or facilitate these good risk decisions. So there’s the game itself, which is risk management, and then there’s the roles of the people who play the game with you. Right now, if you’re playing the game by yourself as a CISO, you know, forget about it. You can’t win that game because you’re playing roles that you’re not supposed to play, and/or you’re playing roles that are just missing, right? There’s nobody there to play the game with you. Yeah. So if you look at, like, this, I mean, numerous conversations this week, so I’m just using the one conversation with, uh, you know, the State of Washington. But I mean, I could use the same thing with the State of New Jersey. Both of these guys, what I don’t want anybody to ever think is that these are not good, highly skilled CISOs that are in the right position. They’re the right people for the job. They’re amazing people. I would never take their job because I don’t like to lose. They take the job because they are amazing public servants. And I had actually asked Bernadette, you know, he’s running at 40% capacity right now. You know, that’s a staffing level. He’s fighting battles, not really fighting battles, but trying to do, you know, all the security stuff. You know, when you look at all the things in a state that you need to secure, some states are different than other states.

[00:07:58] Brad Nigh: I mean, I’m with you on that. Uh, hats off to those guys because, yeah,

[00:08:06] Evan Francen: When I asked him straight out, I’m like, why are you doing this, man? You can’t win this game. He’s like, because I’m a public servant. I’m like, oh man, you’re the kind of CISO that I would work for. You, or, uh, you know, Mike Garrity out in New Jersey. But I think the thing that we can do to help is a couple of things. Um, so if the game is risk management and my job is to make risk recommendations, right? Give the people who are responsible for making the risk decisions good information so they can make good risk decisions. That’s job one. Then job two is to implement those risk decisions to the best of my ability. The problem is, take our backyard. I know our state probably better than any other because it’s my backyard. So there are 80, 90 different government agencies. You have 87 counties. They may not be responsible for securing 87 counties, but they are within the state. There is such a close integration.

[00:09:14] Brad Nigh: Yeah, it impacts, right? It’s the same as a business unit.

[00:09:18] Evan Francen: Right? Realistically, then you’ve got state, and then you’ve got cities and municipalities, and then you get departments, and all these things, right? So you sit up here as the CISO for the state, and you’ve got, you can’t just cite a staffing issue. What I think it is, is it’s a distributed accountability issue.

[00:09:42] Brad Nigh: Well, yeah, I think, yeah, roles, responsibilities, and understanding who and where and what, and that’s not well defined, and that’s not just a state or public issue either, by any means.

[00:10:00] Evan Francen: No. And that’s the reason why I’m bringing that up, because that’s where I’ve been working so much in the last, you know, six months, is we figured out these issues with state and local government.

[00:10:09] Brad Nigh: Well, it’s also easy for everyone to understand, right? It’s a concept that I think everybody gets, versus, you know, when you’re in the private sector it can get a little bit more muddied in terms of terminology and phrasing and all that. So it’s a good example. Yeah,

[00:10:28] Evan Francen: Well, it’s, and I brought this up, so I had a discussion earlier this week, I think it was Tuesday maybe, with Tony Sager, you know, he’s senior vice president, chief evangelist, whatever, at CIS. Mhm. And so we’re talking about, you know, things that we can do better together. CIS is in it for the right reasons. You know, they’re trying to help as well. They run the MS-ISAC and also the other stuff, and we were talking about this very same thing. I think he’s only working with two states right now. So I think, you know, we’ve been working with a few more states, just from different angles, but I was telling him about this distributed accountability, and the distributed accountability came from the discussion I had with Jim O’Connor at Cargill. Uh, I was like, what’s your biggest challenge? You know, you sit in kind of the pinnacle of CISO jobs, right? Almost. Uh, what’s the biggest challenge? He said accountability. And so then we got to thinking, you know, and then we whiteboarded it for a long time and then came out with this, the construct of distributed accountability, and I think this is how it works and this is how we need to deploy it, you know, because you can’t possibly secure Cargill, you know, without something like this. People have to play their roles. And so I took that, you know, security, security, I think we get ourselves wrapped around the axle so much. Like security at home is the same as security at Cargill. It’s just a different scale with a lot more stuff to it. Right,

[00:12:14] Brad Nigh: Right. Well, I mean, kind of a good segue there is, I did a webinar yesterday on old school and why it still works, like the fundamentals, and it’s the same thing. Like you said, this is nothing new. You have to have asset management, you have to have good backups and a good process for it. You have to have a good incident response plan and test it, you know. And then, you know, one of the questions was, what do you think machine learning and AI will do, uh, for the fundamentals? I was like, you know, will it make life easier in terms of parsing logs and those types of things? Yeah, most likely. I mean, it can do it much faster than humans, but at the end of the day it’s still programmed by a person. There’s going to be a bias, we’ve talked about that. There’s gonna be bugs. We see that. So if you’re thinking, hey, I’m gonna put in machine learning and AI and problem solved, you are sorely mistaken,

[00:13:17] Evan Francen: Right? I wish people would listen more, because you would find yourself in a much better position right now had you been listening. I mean, the sooner you start to listen, the sooner you start to do these things, the fundamentals, the better off your life is going to be, sooner, and think about your successor, the person who comes into the position after you, the better off their job, their life is going to be, right. You know, and we get wrapped... Uh, and so even beyond, you know, and that’s one of the things that really, you know, the traditional approach to information security was you had kind of an autocratic approach, right? You had a CISO who would say these are the rules for the company, right? And thou shalt, whatever, what have you. Right. And so instead the right way to do it is distribute accountability and autonomy. Right? So, uh, it’s funny how all these discussions sort of come together. Like I had a discussion with Cornell University on, I think, Tuesday as well. And, uh, then I’m like, help me understand how Cornell works. You know, I’m not going to give you advice on how to make things better because I don’t even know how you do stuff.

[00:14:44] Brad Nigh: So isn’t it funny how companies, and not to derail you, but how many companies go, I need, how do I do this? And you’re like, uh, I don’t know. It depends.

[00:14:56] Evan Francen: Yeah.

[00:14:57] Brad Nigh: They just expect you to be able to give them, almost like, you know, that easy button.

[00:15:03] Evan Francen: Well, that’s been a barrier, you know, in talking to state CISOs too. I think a lot of times, if they really knew what we’re trying to do, I think more of them would accept the phone call, but it’s not good that they haven’t, because my hands are really, really full right now with, you know, the five I’m actively working with. But, you know, when they really realize that I’m not trying to sell you anything, I’m trying to solve a problem. Like in Washington, you have 40% capacity, you’re trying to do the impossible. Maybe there’s a way we can change the way we play the game to put you in a better position to win. Same thing with Cornell, you know? So it was explained to me how the school works, and I was like, wow, that’s pretty fascinating. It’s an amazing school. You know, you’ve got research faculty, right? And you’ve got PhDs there in an R1 research, I think that’s what we call it, an R1 research university, which means, right? That wins, right? Even over the undergraduate stuff, right? It’s the research.

[00:16:18] Brad Nigh: top tier, right?

[00:16:20] Evan Francen: Millions and millions, maybe billions, of dollars of research money, you know, going to really cool things, and you cannot get in the way of that stuff. And so, you know, as I was talking to this guy at Cornell, I was like, you know, this stuff translates so much to what we’re trying to do at states too, you know what I mean? Yeah. And so the parallels are, like, nuts, man. So for instance, you are complaining, you know, he was complaining, you’re complaining about the fact that you can’t get these research faculty to do the things that you think they should do. Well, how about if you gave them the autonomy to decide for themselves what they want to do and how they want to do it, and you just account for that risk in the overall picture of things, right? So, and you don’t force it, right? You say, I mean, who wouldn’t like this in terms of, like, faculty, like, I’m gonna put you in control. I’m gonna let you call the shots, and now you tell me how you do security, how you want to do security here, no judgment, we’re going to risk rate it, you know, and we’ll put things into context, we’ll put, you know, the scoreboard of all, whatever, this is where everything scores, and then let the provost or the Board of Regents or whoever is ultimately responsible, let them ask those questions.

[00:17:48] Brad Nigh: Yeah. Well, I mean, it was so funny to hear you. I mean, it’s the same at a community college, right? And not to, I don’t want to sound dismissive, but regular colleges and universities, not only those top tier, but it’s the exact same thing. It’s the same arguments, and it’s always my advice, always: just don’t be the “no” man, right? Yes, but, you

[00:18:18] Evan Francen: let them, I don’t even make the decision. I’m not “yes, but.” I’m like, here, do an assessment. And the reason why I want you to do this assessment is because it translates into everything else, right? It’s the same language.

[00:18:33] Brad Nigh: I like that

[00:18:34] Evan Francen: Rather than you speaking German and me speaking Spanish, let’s just speak the same language. You do your assessment, and then you’re going to do your own roadmap. I’m not gonna tell you what to do. You make your own risk decisions. You’re an autonomous piece of this bigger thing.

[00:18:52] Brad Nigh: And so at that point, the CISO is just there as an advisor, right? If they have questions they can come to them, that type of thing.

[00:19:00] Evan Francen: Job number one, right? My job number one is to give you the best information to make the best risk decisions, and then you will make so many risk decisions that I would disagree with if I were in your shoes. But that’s why I’m a CISO and that’s why you’re the department head or whatever you do, because, you know, take this other example. I was talking to somebody, oh, the same guy, the Cornell guy. He was like, SNMP version 2, right, turning it off on printers and blah blah blah. And I was like, you know how that affects your part of the world, but you don’t know how it affects... because you think printing is, like, not a big deal because you don’t print much. But what about the research people? Yeah, maybe this is a really, really big deal, and you can’t turn off SNMP version 2, and SNMP version 3 isn’t available on their printer. So

[00:19:57] Brad Nigh: you’re breaking it. Yeah. You know, that’s really interesting. Like, I’m thinking as you’re talking, I’m thinking back to, you know, all my past experiences, and yeah, I mean, to some extent, not nearly that level, but yeah, it makes sense. I think it’s that next level up from that “yes, but.” Right now

[00:20:19] Evan Francen: it’s like, hey,

[00:20:21] Brad Nigh: sure, you can do that, but here are the risks of it and here’s some options. You make the decision, right? It’s taking that piece off of your plate as a CISO and giving it to the business unit or whoever. It’s interesting.

[00:20:42] Evan Francen: Yeah, and then that way I’m now more of an ally, a consultant to you. I facilitate your risk decisions. If you have questions, yeah, I’m here to answer those questions. If you want my opinion from a security perspective, I can give you those opinions. But at the end of the day, you make the risk decision for your research department. Not me. You wouldn’t let me anyway. Right. I mean, even if I tried my hardest to, like, no, you must do this, I always lose that game because you have the money. I don’t. Right?

[00:21:15] Brad Nigh: So in that model, their responsibility would be to conduct that risk assessment, make those decisions, and then report that up to the CISO so that they can take that into account.

[00:21:29] Evan Francen: Well, exactly. So, yeah, so I can put this into context, because who I report to will be the provost or the Board of Regents, or, you know, in a company, the CEO. So I’m going to take all this information so that the CEO can make their good risk decisions as well. And they might see that your department, your research department, is glaring red. That’s fine. And, uh, then the president or the CEO or the provost or the Board of Regents will ask me, why is that one red? I will tell you, and I will tell you because that research department makes their risk decisions as an autonomous entity within the bigger picture. One of the things we cannot do from a security perspective is get in the way of their mission. Yeah. So these are the risk decisions that they made. We support them. I can’t not support the risk decisions you make. It’s not my risk tolerance. So I may be like, I would never accept those risks, but I don’t live there. It’s not my risk, not my house. Right?

[00:22:37] Brad Nigh: As long as you’ve accounted for it in the overall picture. Right? Like, I think, yeah, that’s where you would put in, you know, maybe some pretty significant network segmentation, some ACLs, really restrict access in and out of that department. Within that pod, it’s a free-for-all.

[00:22:57] Evan Francen: Or maybe it’s so risky that we just set them up as a completely different entity within this bigger entity. Yeah. You know, and so, but now I can have this discussion with the provost or the board or whoever, because they can ask, why is this one red? That’s a great discussion. Yeah, that’s a discussion we would plan. That’s a discussion we would never have had before. Right? So now I’m giving them better information to make their good risk decisions. I’m allowing, I mean, I’m like the good guy in all this. Right. I’m facilitating, I’m moving pieces around, rather than me being the person who is trying to do all these risk assessments myself, or do a big risk assessment and then force a whole bunch of controls that won’t work anyway. Yeah. Here I can put controls in place that you said you wanted to have in place. You’re probably less likely to bypass them as well.

[00:23:55] Brad Nigh: Yeah. Right. Yeah.

[00:23:58] Evan Francen: So that’s what I’m trying to figure out with these guys.

[00:24:00] Brad Nigh: Would you set any sort of minimum, like around, hey, you’ve got to have passwords that expire and no shared accounts? Would you set that, or would you just say, mhm.

[00:24:15] Evan Francen: Because I think what I would want to do is, I would like to see what risk decisions they’re going to make, to see if they make those decisions themselves. So, you know, if you have this department and they’re like, yeah, we don’t even want passwords, blah blah blah. That’s usually a place where, okay, I get it. Life without passwords would be amazing. Trust me. However, these are the reasons why I would suggest that you don’t do that. If you’re still going to make that risk decision, feel free. What we’re probably gonna end up doing is locking you out of everything over here. Yeah. Uh

[00:24:52] Brad Nigh: Yeah,

[00:24:53] Evan Francen: But in that conversation with the board and the provost or whoever, I would probably come with a list of, hey, here are 10, yeah, 15, 20 controls that I think we should implement university-wide, and this is why, but I need your backing.

[00:25:08] Brad Nigh: Well, you know, thinking about it, really, this is fun. Uh, you don’t want passwords. Great. We know there are software and solutions out there. We see it in health care, where it’s a badge, it’s an ID, you swipe it, it’s like a USB connector that connects it. All right, great. You don’t want to, here’s what you can, here’s your option: hard password, or just spend the money on this. Yeah, that would be kind of a, right. It’s interesting. Yeah.

[00:25:41] Evan Francen: Yeah. I think it’s your own waiting. Do it. Well, then you take that same thing to the State of Washington. Put a construct in place where you define what are sort of my administrative units, or you call them organizational units, or you call them entities, whatever you want to call them. And I think there are, you know, just like we went with SecurityStudio, there are three different types of entities: administrative entities, physical entities, and technical entities. Right. And so figure out where all those things fit in the big picture of things. Like if you have a department that basically has their own policies, their own security, their own everything, well, that’s an administrative, physical, and technical entity. That’s its own entity. But I still need to know from my level the things that they’re doing and account for it in my overall risk posture. Yeah. And then you have somebody that just has ghost IT. They use our policies, you know what I mean? Okay, great. Have ghost IT. I’m not going to tell you not to, I’m not going to tell you how to run your business. But what I do need to know is what security risks that ghost IT brings into the bigger picture of things, right? Right. Because maybe I need to segment them too, and you’ll have to pay for it because it’s your ghost IT.

[00:27:04] Brad Nigh: Yeah, it’s almost, uh, hey, here’s the business’s minimum if you’re going to have it. So if you’re gonna stray outside of that, well, you’re gonna get cut out.

[00:27:15] Evan Francen: Yeah. Yeah. All right. So I think that’s one of the ways we can try to change the game that we’re playing, because the way you’re playing today, the way most CISOs are playing the game today, they’re not going to win. Yeah. You know, and who suffers for it? You know, a lot of people will say, oh, the poor CISO. Well, actually it’s the poor people that trusted their information with the organization. That’s who ultimately suffers, right? You know, take the State of Minnesota. That ain’t the CISO’s information, right? That’s mine. It’s yours. That’s, you know, and I think that’s the next place you go when you talk about this distributed accountability is once you get your feet under you on this piece, well then why wouldn’t you go to the next level? Why wouldn’t you go to, hey Brad, these are your responsibilities with information security. Your house, your responsibility. The technology you put in your house, your responsibility. How you secure it, the rules, all that stuff. And the reason why that’s important is because your city, your city’s security, or your great security, has an impact on everybody else’s as long as we keep connecting people. Because I know you have a lot of people say, well, what about the privacy issues? You gave that crap up, right. If you want to get that back, then you can try to claw that back. But you have no privacy. I don’t know why you think you do. Uh huh. You know, maybe there’s some privacy, like the day-to-day things I’m doing on my computer. But in terms of my social security number, in terms of, you know, my identity information, that’s gone. So

[00:28:57] Brad Nigh: On that, is there, how do you ensure they’re even doing what they say they’re doing? Would that be part of that job, then, to do an annual audit, right? Almost, okay, you say you’re doing these things. I need to see that you’re doing those things.

[00:29:15] Evan Francen: Yeah. I think there are certain baseline information things that you need to make, you need to be sure that they actually do what they say they’re doing, or that they understand what you’re asking, right. A lot of times we’ll ask them about this or that and they’ll say yes. And it’s not an outright lie. They just didn’t understand what the hell we were saying.

[00:29:35] Brad Nigh: Yeah. You know.

[00:29:38] Evan Francen: Yeah. So I think asking for that evidence to just validate those things. There are also certain places within, you know, a bigger entity that are more impactful than others. Right? Take, like, the State of Minnesota. The Department of Revenue is probably a really big, important thing versus the department of, I don’t know, leave, it’s four weeks or whatever. I don’t know what, dynamic. Yeah. Yeah. So, you know, I would probably put a little more scrutiny, and even to the point of maybe a third-party validation. But I wouldn’t make that call either. I would have the governor make that call. I would have the legislature make that call. You know, legislature, here’s your scorecard. This is what security looks like in the State of Minnesota today. Uh, you know, the first time I navigate it, it might be disappointing, but here are the places we’re working to try to shore this thing up. Uh, and then you’ll get to the, and then you’ll have those discussions, because you have to start with these discussions. They’re just not happening. None of them.

[00:30:47] Brad Nigh: Oh, no. I mean, again, it’s like, you know, we talk about security isn’t an IT issue, but they are so tightly tied together, and especially from how most organizations view them, you know. So, yeah, it’s what we gotta do.

[00:31:08] Evan Francen: I think so, and I mean, at least it’s worth a try, and everybody’s invited to play. And I was talking with, you know, like I said, I was talking with CIS. He’s like, oh, distributed accountability, I like that. Like, I think, you know, let’s work together. I don’t, you know, it seems like a very logical way to play this game, or to redefine the game, to put us in a position, a better position, to win.

[00:31:36] Brad Nigh: Yeah. So it’s interesting. Yeah, it’s kind of like, because it’s taking how we’ve been saying to do it and kind of, yeah, yes, spreading that. Wow, interesting.

[00:31:50] Evan Francen: Yeah. And it’s ironic too, you know, because I’m a faithful man, and you look at, like, SecurityStudio and how we built the sub-entities, and I’m like, damn, it all makes sense now. There’s a lot of times, you know, as an ADD person, you know, you create things, and even way back, subconsciously, you’re thinking this other thing. And then when that other thing in the subconscious comes to the conscious, like, oh yeah, we built this.

[00:32:17] Brad Nigh: What was, you know, of course just because of how I’m wired, I just see myself running through all these scenarios. It’s interesting because I just, um, one of my vCISOs earlier this month, like you said, I don’t know what day it is, um, they’re international, and I was talking to him about sub-entities, and I was like, oh, so we could have a Europe, we could have an Asia, we could have... I was like, yeah, and then how they run it. Yeah, we can put in, okay, we know that IT is gonna be the same across the board, that’s just how it works or whatever it is, but then they can put in what’s relevant for them, and we can see and break it down, and then you have an overall organizational international level and, you know, the Americas, the Europe, all these different ones. And so it kind of aligns very closely with what you were saying. It wasn’t, I don’t think I had taken it to the level of it’s up to them, but it was very much in that thought of, okay, let’s find out where they’re at. Yeah.

[00:33:32] Evan Francen: Yeah. Well, because, uh, and I think it almost has to be up to them, because I don’t know what it’s like to sit in your chair. I don’t know, you know, all the intricacies that go into, let’s say, a marketing department, or the research faculty, whatever department it is. I don’t know what things you actually need, and it would take me... I don’t think I could ever understand it, you know, intimately enough to make good risk decisions for you, right? But I can take that stuff up to executive management so that now they’re like, oh, okay, this is what security looks like here. I don’t like these three reds. Okay, well, let’s go talk to these people with the three reds and figure out ways that we can either make them orange or gray or blue, or maybe we treat those reds as, like, okay, you’re over here, then we’re just gonna block you out of everything else. Yeah. So if it hits the fan in your department, it doesn’t affect everybody else.

[00:34:36] Brad Nigh: I mean, you know, exactly that. Hey, you need to do these things or we’re isolating you, and it’s your call, whatever you want to do. I don’t care. I’m gonna protect the organization at the end of the day.

[00:34:54] Evan Francen: And even isolating you isn’t necessarily a bad thing either. Right? I mean, you may enjoy being isolated because you get your own playground. You own this domain. Ah, that’s a good thing, not, you know, we’ll get you your own mail server. You get, you know, you get to do your own.

[00:35:13] Brad Nigh: Yeah, you’re completely segmented on your own. Yeah, interesting.

[00:35:19] Evan Francen: You can have your own IT department. I mean you can do whatever you want to do, but we just have to account for this in, you know, the grander scheme of things. The and this is where we’re going. So right now I’m working with Minnesota, Iowa, New Jersey actively on this type of strategy, you know, trying to put them into into a position where you know, they can win. And then we’ll take those case studies as we continue to make good progress. Damn places. Yeah,

[00:35:53] Brad Nigh: I mean, I love the concept, it makes so much sense will be interesting to you how that actually plays out because it is a fairly fundamental shift in a lot of how the majority of people think,

[00:36:13] Evan Francen: yeah, when it gets them into the game too, right? Because we all know that whether you believe it or not, you’re part of the game, you can’t not be part of this game. So what role do you play in this game? And I think, and I think we’ve, we’ve we’ve played the game, we’ve gone so far down the game without ever defining what the rules for the game actually are. Oh yeah, no, we definitely now we’re backing up going like, oh shit, how do we play this?

[00:36:39] Brad Nigh: Right? Yeah, there’s a lot of uh winging it,

[00:36:43] Evan Francen: right,

[00:36:44] Brad Nigh: making it up as you go,

[00:36:46] Evan Francen: well in the sad thing, you know, we’ve adopted technology way faster than our ability to secure it and certainly faster than our ability to be responsible with it and people will just continue to be victims until they sort of step up and realize like, oh shit, okay, these are the consequences potentially of me choosing this over that and it’s a long road to hold, but the way we do that is, I think, is by empowering them, trying to figure out what language they speak, what motivates them. You know you take the research facility, what motivates them is the research, not security. They could give two craps about security. Right? Right. So you have to put it into context of like how a lack of security could potentially negatively impact your research.

[00:37:34] Brad Nigh: Yeah. Yeah. You can do those things. It’s a similar I mean it is similar. Hey, that’s fine. That’s your just your decision. Just be aware this could happen,

[00:37:47] Evan Francen: right? And don’t be there will be no I told you so there will be no there will be no, you know, don’t come crawling back to me kind of attitude. These are good. These are the risk decisions that you made. I support them asked me if I agree with him. I’m not in a position to do that. I don’t know what it’s like to run a research facility, a research department.

[00:38:10] Brad Nigh: Right? Like you said. Is it something that I would choose? Probably not, but

[00:38:18] Evan Francen: I don’t run a research department either. Thank God because I’d suck at that. Yeah. Uh huh. So we’ll keep pushing on that I think you know, because I hate seeing CISOs, I hate seeing anybody lose. Especially when you don’t even know the game they’re playing. You know. Uh

[00:38:37] Brad Nigh: Well it’s because yeah, we’re playing this game where there’s making up rules as we go, but we don’t know what winning looks like. But we sure as hell know what losing is like, there’s no question when you lose, but you know your what? Trying to go upstream all the time. You don’t Yeah, interesting. Uh

[00:39:02] Evan Francen: huh. And I think it would also, you know, solve some of the talent shortage issues, right? So we say talent, you know, we have this talent shortage issue and I think a lot of times because we’re trying to do everything for everybody. I’m trying to make your risk decisions for you. I’m trying to implement this new technology, but you may or may not want, which may or may not be effective, which, you know what I mean? It’s just all this stuff and it’s like, why don’t you get in that game?

[00:39:29] Brad Nigh: You know, that’s it man. It’s still going back to the conversation yesterday. It was, you know, the organization was like until they had this email compromise. And then they’re like, yeah, we need to do multi-factor and okay, great. That. And so I mean that’s exactly what you’re just talking about. Like, okay, oh, you’re ready to do this awesome. Here are your choices,

[00:39:53] Evan Francen: right? Yeah. And, and sometimes because sometimes they’ll bring it up to there will be like, welcome. You never told us. It’s like we did, we did there was this assessment, you made these risk decisions, I was available to coach you and every step of the process. Yeah. You just made a poor decision in this instance. That’s not a bad. You know, it’s not don’t beat yourself up and don’t beat me up. Yeah. What’s our path forward?

[00:40:19] Brad Nigh: Well, yeah, everybody, I mean, everybody makes mistakes, right? It happens. Maybe. Like you said, you made this decision, not understanding what could happen from it.

[00:40:34] Evan Francen: Right. Well, how often do we how often do we grow through pain?

[00:40:38] Brad Nigh: Right. You learn from your mistakes,

[00:40:41] Evan Francen: right? In the long term, it’s actually good for you to have a little bit of pain because now, you know what it feels like, right? That’s good. It’s like almost like a parent, right? You see your child, you’re like, don’t ride your bike that way. Don’t ride your bike that way you’re gonna you’re gonna crash. It’s gonna hurt well again. And then they crash and they hurt night. Okay. You’re not probably not gonna ride your bike that way again. Right. That’s good. I’m not I’m not mad at you unless it’s going to cost me thousands of dollars in doctor’s bills again.

[00:41:09] Brad Nigh: But Yeah. Right. Mhm.

[00:41:13] Evan Francen: All right. Well, good. I like that. I like that. You know, you and I was the first time we talked about it and I think, you know, you’re somebody that I uh I respect. And so, you know, getting that validation, I think certainly helps. Yeah, I’m gonna keep pushing this hard.

[00:41:31] Brad Nigh: It’s definitely in line with how I would approach it. Maybe it’s really interesting think of it. Yeah, I’m interested to see uh if it works right? I would hope so.

[00:41:46] Evan Francen: Well logically I don’t I don’t know any other way to make this. Well, you know, we can’t just keep buying something

[00:41:54] Brad Nigh: has to change, right? Like we’re playing a losing game where we don’t know the rules. Okay, well let’s change how we’re doing it. Why keep banging our head against the wall?

[00:42:04] Evan Francen: Exactly, yep, I’m with it. All right, so the next thing I’ve got Apple had an update. You don’t use Apple devices? I do.

[00:42:12] Brad Nigh: Uh No I I do I am uh iPad

[00:42:15] Evan Francen: and iPad. Okay

[00:42:17] Brad Nigh: And kids all have one.

[00:42:19] Evan Francen: Okay. Yeah, so it’s this is a big deal. Uh And it’s sort of so I actually I’m you know, I’m weird, I’m a security guy so I knew that the 14.7.1 was coming out for the iOS and the iPadOS uh prior to it actually coming out and so I had actually installed it before my systems prompted me to uh there’s some stress. Uh

[00:42:46] Brad Nigh: Yeah,

[00:42:47] Evan Francen: there was some serious security patches in this release. If you haven’t updated, go update now. If you don’t know how to update settings, go to Settings, General, Security Update, tap Download and Install. Do it, trust me you’ll be happy you did it.

[00:43:04] Brad Nigh: Yeah, I have it you can set it to automatically update to without asking if I’m remembering correctly,

[00:43:12] Evan Francen: sort of it’ll download. It’ll still prompt you to like hey do you want to? Yeah. Uh

[00:43:21] Brad Nigh: Really? I don’t use it nearly as much as.

[00:43:23] Evan Francen: Yeah. Right well yeah so there’s two options you know I cannot feel see it on my phone but download iOS updates and install iOS updates so you could do both but you’re still yeah

[00:43:37] Brad Nigh: okay because I was thinking pretty sure I set the kids to automatically, yeah yeah the install, because oh why wouldn’t you like not again not that they wouldn’t, they just don’t know or understand what the the risk is.

[00:43:57] Evan Francen: Right well it’s getting a little bit. Well it’s not getting, it’s always been crazy but uh because after you, depending on how many applications you run on your iPhone or iPad you know you’re constantly updating those. Oh my gosh it’s every day I’ve got 20 or some you know but I run a lot of stuff. Yeah I got like 20 updates to apply various applications every single day.

[00:44:26] Brad Nigh: Yeah I have like yeah I use it for a different reason than you. I use it more for like entertainment kind of down time. But yeah it’s 5-10 every day.

[00:44:38] Evan Francen: It’s nuts. So in that release so there are release notes like like Apple always releases but there’s uh some of the issues are really really important. Attorney including you know kernel extension uh stuff. The ability to run code on your iPhone, iPad without any interaction by you at all. Ah Especially that IOMobileFrameBuffer. Uh which is it manages the screen buffer, can execute arbitrary code with kernel privileges and it’s already being exploited.

[00:45:19] Brad Nigh: What’s interesting. What the one I mean there’s a lot of it in there and it’s all I’ll say this I don’t necessarily agree with everything that they do, why I was I think their release notes and what they include are really probably some of the best. Uh But the one thing that I think was the most interesting to me was that how fast they fixed the um zero click attack that was being or well that people believe was used for that the Pegasus power like holy cow. That’s absurd how fast they turned that around.

[00:46:05] Evan Francen: Right. Well yeah yeah what’s protecting the integrity of their ecosystem. Right. The Apple ecosystem.

[00:46:12] Brad Nigh: But I mean think about how long it took Microsoft and I have to look, did they even fix PrintNightmare at this point or is it still a workaround? Because they tried to push out the patch, it didn’t work, they put out another one that didn’t work.

[00:46:28] Evan Francen: I’ve become more and more anti Microsoft as each day goes on.

[00:46:34] Brad Nigh: It’s funny I uh so totally off topic that sort of in line with it. I set up my personal laptop, I pulled it out of storage because I I honestly hadn’t done anything with it since we moved so three years, upgraded a couple of things but did I put I have a Microsoft license, did I put that on. No my basil s on that actually I just put on Kali because that’s what I’m familiar with and then, yeah, I’ve got virtual machines and everything running, but you know, I’m like, no, I don’t really need it.

[00:47:12] Evan Francen: No, no. Yeah. And the weird thing is too, is, I think a lot of many users don’t realize that Apple had just released an iOS update 14.7 about a week ago. So this is, if you, if you’re thinking, well I already updated probably, you know, go check again. You probably have a 14.7.1 update.

[00:47:34] Brad Nigh: The 14.7.1 came out a few days ago. Right? 27.

[00:47:38] Evan Francen: Yeah, Yeah. And uh, it’s crazy how many like 14.7 it’s a pretty good security updates too. 14.7.1 is more. Yeah. If you’re, if you’re using an Apple, just go, go check it again, go check it and help. Yeah, an update simple. Uh there are those security updates certainly have. Yeah, certainly worth it. That’s all I have for today, man. You got, you got any shout outs for anybody. Uh huh

[00:48:17] Brad Nigh: Gosh, so many uh, just everybody I would say just everybody that’s been supportive of me. Uh just the last few months, six months, whatever because everything, you know, just have it knowing I’ve got people that, that I can trust and lean on and you have support. It’s been phenomenal to so have that and luckily like we were talking about before the show, it seems like things finally kind of turned the corner.

[00:48:51] Evan Francen: I don’t knocking on wood right now, brother.

[00:48:54] Brad Nigh: I know it’s gonna say I don’t want to jinx it. So, but yeah, thank you to everybody that has listened to me so kind of vent. It’s been, yeah, that’s what’s kept me saying to be honest.

[00:49:06] Evan Francen: Well, did you went through some tough times, man and, and, and a lot of people don’t, you know, we don’t share a lot of the personal details on, you know, for your own benefit and mind and whatever, But yeah, right, You’ve got a rough road the last nine months man.

[00:49:22] Brad Nigh: Any time your kids have significant medical problems, it’s, it’s tough and yeah, like they’re talking about and I had the medical issue in november we talked about and I was, yeah, so luckily knock on, like you said, fake wood things are turning the corner and just they get everybody that helped me through it.

[00:49:41] Evan Francen: Yeah, that’s cool man. Yeah, I’ll give a shout out to, I don’t know, Gosh, I hate to do it because he pisses me off so much, but I’m gonna give a shout out to Kevin.

[00:49:52] Brad Nigh: Oh,

[00:49:54] Evan Francen: Kevin, Kevin Norton,

[00:49:56] Brad Nigh: He is, I love Kevin, we have a few that came up and I’m not gonna go into details, we can talk about it off, but he sent back a response and I just lost it. I was laughing so hard. It was like, that is so Kevin,

[00:50:10] Evan Francen: Oh yeah, I love him. Or hate him, man. That’s where it is. It’s either love or hate. There’s some days I just want to, you know? Yeah, there’s some days where I want to give him a big hug and but he does a lot of stuff, keeps, he’s kind of the glue for a lot of things. So shout out to him. Yeah. All right, well, the hopefully next week we’ll be back on track again. Today is Thursday. So we’re a couple days later than when we normally record, we’ll see if we can get that back on track next week. Um, for those of us, for those of you who like to do social things on social media, you can reach out to us. I become less uh social media because I’m getting ticked off at the drama of everything. But you can find me @EvanFrancen. You can find Brat at Brad Brat. You invited Brat Brad the Brats. You can find him @BradNigh.

[00:51:03] Brad Nigh: My kids will love that.

[00:51:04] Evan Francen: Yeah, I bet. Uh, and you can email the show if you want, insecurity at proton mail dot com. If you know us personally, you can always find us on LinkedIn and you probably have our email address anyway. So, uh, where’s that? In the meantime, have a great week. Stay cool. Be safe. Uh, probably want to get vaccinated. Just my advice. But your call.