Unsecurity Podcast

Brad hosts episode 68 as Evan and Ryan “Cola” Cloutier call in from RSA. They pick up where last week left off about information security responsibilities. This time they look a little more granularly at each component of the business and the role that department plays in infosec.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:24] Brad Nigh: All right, good morning Unsecurity Podcast listeners. I’m Brad Nigh and this is episode 68. The date is February 25th. We were going to record yesterday on the 24th, but uh, Evan is traveling to RSA this week. So we’re recording on the 25th this time. So joining me by phone is my co-host, Evan Francen. Good morning Evan.

[00:00:48] Evan Francen: Good morning brad. How are you?

[00:00:50] Brad Nigh: I’m good. And we also have, oh, go

[00:00:53] Evan Francen: ahead.

[00:00:55] Ryan Cloutier: Well, still early in the morning though. It’s like five a.m. California time.

[00:01:00] Brad Nigh: Oh, you know its dedication right there.

[00:01:05] Ryan Cloutier: Yeah. And I think you were in the middle of already introduced this brian guy who’s sitting in the car with me just to say,

[00:01:10] Brad Nigh: we also have Cola with you. Morning Ryan,

[00:01:13] Evan Francen: Good morning, Good morning brad.

[00:01:16] Brad Nigh: You guys are way too chipper for five a.m.

[00:01:20] Evan Francen: This is my radio persona, likes to make awake. The rest of me is very much

[00:01:25] Brad Nigh: asleep. As soon as as soon as we’re done recording, just collapsed back to sleep.

[00:01:31] Ryan Cloutier: You’ve got a meeting

[00:01:32] Evan Francen: after this. I have a meeting after this. It’s gonna be a fun-filled day of RSA and shaking and hand sanitizing and energy drinking. A lot of energy drinking.

[00:01:45] Brad Nigh: Well, you guys have fun. I’m not missing that at all. That’s that’s not my thing. All right, so we have a great show planned for today, but before we do dive in, let’s catch up. Crazy week behind us. Another crazy one ahead as mentioned. Uh Ryan and Evan are out at RSA. What else? What else do you guys have going on this week?

[00:02:11] Ryan Cloutier: Legal going on. You start

[00:02:12] Evan Francen: um having a really awesome call here later today with the Consortium for School Networking, uh, make a cozy in a cake chosen. We’re getting ready to release S2School Gateway. The free S2School assessment. So that’s pretty exciting stuff. And I know Evan and I have a few meetings this week with some international organizations. Talk about S2.

[00:02:39] Ryan Cloutier: Mhm. And stuff

[00:02:41] Evan Francen: and things. Writing, lots of writing. Yeah, I

[00:02:43] Ryan Cloutier: do have to do some of that. It was a zoo yesterday. I mean there’s a lot of booths, it is able could you get or

[00:02:52] Evan Francen: 400 maybe?

[00:02:54] Ryan Cloutier: I felt like that seemed like it went on forever.

[00:02:57] Evan Francen: That’s huge.

[00:02:58] Ryan Cloutier: So much money, man, some of those booths. Well, when you feel like because you look at our booth and we’re like this underdog, you know, amongst like titans in our industry. Kind

[00:03:10] Evan Francen: of cool. It is cool. I think a lot of vendors are spending a lot of money. Um I think the coolest, coolest booth if you will that I saw with the custom t shirt booth. Yeah, so I’ll take you there later today. I’ll

[00:03:26] Ryan Cloutier: show you

[00:03:26] Evan Francen: uh crowdstrike, I think uh

[00:03:30] Ryan Cloutier: they got money. Yeah.

[00:03:31] Brad Nigh: Well, you guys just saw, did you guys see the news that Dell sold RSA for two billion in cash?

[00:03:41] Evan Francen: Yes, I did see that. So, no, it wasn’t me. You know, I tried to negotiate with my wife about that, but

[00:03:51] Brad Nigh: we were joking that we came in second

[00:03:54] Ryan Cloutier: held alone show. Okay. I was gonna I was gonna go down around and say speak alone. That’s the biggest load you’ve ever. I’m not gonna talk about that, declined to answer that can only have passed. Good

[00:04:12] Evan Francen: morning Kevin if you’re listening.

[00:04:16] Ryan Cloutier: Yeah, it was a crazy week last week and I had meetings, I put some of them on my, you know, on a podcast or not. Right up good meeting with Mike Johnson. Mike Johnson leads the uh, the uh technology institute at the University of Minnesota. The b the Master’s program in Security Technologies. Um that’s pretty cool. Chris Roberts, we’re going to see him today. He’s gonna stop by the booth at 11:30. So shut up poverty. Thank you listen to our podcast.

[00:04:49] Evan Francen: Well, if he doesn’t, he will after today,

[00:04:51] Brad Nigh: all the cool kids do.

[00:04:54] Evan Francen: Right. He’s listening out if he’s not listening

[00:04:56] Ryan Cloutier: right through good point on that Brad. You’ve been kicking some butt on some, you showed me some some cool stuff last week on the C, on some CMMC stuff you’re working on.

[00:05:08] Brad Nigh: Yeah. Yeah that’s kind of the new hotness out there I guess if you’re if you’re looking at it that way uh everybody’s kind of panicking a little bit about oh my gosh, CMMC and what do I do? Um And so we put together a little uh blog post last week or yesterday I guess it went out. I don’t even know, I can’t keep track. Um And then you know doing some some reports out of the assessment tool on how it maps to CMMC and being able to show based on the different levels where you would uh fall as you could do some readiness and and getting ramped up for you know what this requirement is going to be?

[00:05:52] Ryan Cloutier: Yeah. Yeah. Now in general now you talk to clients any more than I do and maybe even more you need to co uh leave work for our clients. But what are you hearing? Is there a general sense of I mean what’s the feeling on the street about CMMC?

[00:06:08] Brad Nigh: there’s a lot of confusion I think um we’re getting a lot of calls about, hey I’ve heard about the CMMC and I’m a you know, DoD contractor so you know I’m down the line X number of slots, you know spots. What does this mean? I needed to do something and I don’t know where to start is kind of the general level. Obviously there’s some variation is some, some companies are a little bit further along but there’s a lot of just what, I don’t know what to do.

[00:06:41] Ryan Cloutier: So when you tell them things and you sort of consult them on CMMC, are they surprised to know that not all the RFPs from the DoD will be, you know will contain CMMC language until the year 2026?

[00:06:54] Brad Nigh: Yeah there’s a little festival, there’s a little of that. Um you know it’s kind of like, well I’ve got good news for you. You know you do have a little bit of time. Uh The first 10 won’t be released till June. However this is something that can take 12 to 36 months to get depending where you’re starting from and what level you need to be at. It’s going to take you 12 to 36 months to potentially get to where you need to be. So I wouldn’t wait till the last minute.

[00:07:25] Ryan Cloutier: Yeah. Yeah. Unfortunately it’s far too common in our industry as people wait to the last minute wait till that RFP has right now the language and then you’re like oh crap I want to respond.

[00:07:36] Brad Nigh: Oh yeah we would we do that. We even with the DFARS you know, when was that in, was it 18 I guess that they had to be done by the end of 18 and we get calls in October and going, we have to be DFARS compliant by the end of the year. Can you help us? Good luck

[00:07:57] Ryan Cloutier: right that thankfully people I mean have you heard of any, you know from GDPR right because GDPR the what they call that um is the purview of it. Like the I

[00:08:11] Evan Francen: don’t know the word I’m looking for. The regulatory authority, the governance.

[00:08:16] Ryan Cloutier: Yeah. You know when like I’m not I’m not gonna be able to get this word. Well it is early. It is it’s like wait to jurisdiction. Okay sweet word. You thought they were occasionally generally

[00:08:31] Evan Francen: when telling the officer that he is outside of his jurisdiction.

[00:08:34] Brad Nigh: A different podcast.

[00:08:37] Ryan Cloutier: There is a different podcast but in the now the US GDPR do you have some authority over US companies in terms of I mean they won’t be able to sue them in US court and things like that but um I haven’t seen any action on US companies from GDPR

[00:08:56] Evan Francen: other than the tech

[00:08:57] Ryan Cloutier: giant. Yeah but I might be missing something that. Well I know

[00:09:00] Evan Francen: they’ve definitely gone after the tech giant.

[00:09:03] Brad Nigh: It’s the ones that have offices or physical presence in the EU that they’re going after. And I think that makes sense though because like start start proving your point with things that are easy to enforce and then figure out how to do the rest later.

[00:09:20] Ryan Cloutier: Yeah. It’s easier to pull weeds in your backyard than it is your neighbors generally speaking. That’s not, that’s not wise. I

[00:09:27] Evan Francen: think so. We should socialize at the conference and see how people feel pretty deep.

[00:09:33] Brad Nigh: It was a knowledge drop right there.

[00:09:36] Ryan Cloutier: Yeah. So what now did you uh what do you know about, did you hear about what’s bent what Ben is doing? Benjamin on the podcast a couple of years?

[00:09:45] Brad Nigh: Um I’m a little bit, I’ve been helping him with several different projects so I’m not sure exactly which. Well, I don’t know the details of that one you mentioned in the notes other than he found some cool stuff.

[00:10:02] Ryan Cloutier: Yeah. I think he’s on the 16 breaches now in terms of data that he’s found, it belongs to people through companies that have left it exposed. He did seem

[00:10:14] Evan Francen: to have more of a spring in his step when I saw him at the office last.

[00:10:17] Ryan Cloutier: Yeah. Well and so I don’t, I don’t know. There’s really no set one way to do responsible disclosure. There’s bunches of different ways. Some companies have responsible disclosure processes that you can follow, you know, on their site. Some have none completely surprised them will just ghost you. I think you’re selling them something. I think that you’re trying to extort something, yep. And some of them will call the cops on you. Yeah. So I think he’s finding out all of those things and it was, it was kind of fun. Um But it got me thinking should all companies have a responsible disclosure ourselves? Should they make it known?

[00:10:57] Evan Francen: I think they should. Um, I think at the very least companies should have a place to report whether that’s responsible disclosure, whether that’s uh consumer, you know, consumer issues, uh, even that they discover, I think companies should have some kind of point of contact for reporting security related events.

[00:11:19] Ryan Cloutier: I think

[00:11:20] Brad Nigh: I agree. I think it’s actually in the company’s best interest to make it easier for the people that are trying to do good to let them know that there’s an issue,

[00:11:32] Ryan Cloutier: right? Because honestly, you know, in the, I don’t know how many incident response plans and programs I’ve built over the years. I don’t think I’ve ever, maybe once or twice I actually built a responsible disclosure process for the company. We don’t account for that enough.

[00:11:48] Brad Nigh: Yeah, it’s a really good point

[00:11:51] Ryan Cloutier: but we’ve learned that, you know, as we talked, so one of the things we set up was a call with, you know, Chris Roberts who obviously knows responsible and irresponsible disclosure, Twitter isn’t

[00:12:03] Evan Francen: responsible way, probably generally speaking tweeting about it is not the best way to go about

[00:12:09] Brad Nigh: it. Did some attention.

[00:12:12] Evan Francen: It got the problem solved

[00:12:14] Ryan Cloutier: there. Yeah, so I was that was all last week and then, you know, getting ready for this week coming out here, we got here yesterday. The booth’s all set up, the guys made a big stack of books. Sorry for all of them.

[00:12:30] Evan Francen: No, but looks good. I mean, we have some decent traffic yesterday today Should should be even better. Yeah,

[00:12:38] Ryan Cloutier: that’s kind of what we’re up to man. Just, Yeah, yeah.

[00:12:43] Evan Francen: Being awake. That’s half the battle today.

[00:12:45] Brad Nigh: And how late do you guys have to stay at the conference today? Does it go tell five or is it a little early?

[00:12:58] Ryan Cloutier: I thought it was till seven. It was just a welcome reception yesterday. I

[00:13:04] Evan Francen: think it goes about about five ish. I think we should, they won’t start to wind down the exhibit hall.

[00:13:11] Ryan Cloutier: Yeah, but get on the logs. We can tell you the exhibit floor is closed wherever

[00:13:19] Brad Nigh: man.

[00:13:19] Ryan Cloutier: Yeah. You

[00:13:22] Brad Nigh: guys have fun. Like I said, that’s uh, I mean, it’s good to do. It’s important, but that is just not my thing.

[00:13:29] Evan Francen: It’s intense. There’s no doubt about it. But you know, that’s cool to see all the different. You see some good stuff. You know, I saw a few vendors, uh, that I thought were doing it right. Um, and I could tell every time that Evan saw a vendor, he thought was doing it wrong.

[00:13:47] Ryan Cloutier: Oh my God. Well, just the one, breach proof. Yeah, there’s some pretty outlandish claims right now. That was the only one I really like, like you were walking by and I’m like, it took like, I don’t know, maybe 10 yards past the booths before I finally thank him. Like what did I just read? That’s fine. I’ll walk back. Yeah. Breach proof. Yeah.

[00:14:14] Evan Francen: I think there should be, you know, an additional responsible disclosure. I think there should be some responsible

[00:14:18] Ryan Cloutier: marketing when it

[00:14:19] Evan Francen: comes to some of these products. We could talk to chris

[00:14:22] Ryan Cloutier: Roberts about that. Okay. He won’t make, it says he wants to carpet bombing is the marketing department she watched, oh boy. Because especially nowadays man, you know, he can get away with saying things that I probably can’t say. Yeah, carpet bombed out of his mouth, sort of accepted like normal. Well,

[00:14:44] Evan Francen: you see, you gotta just muster more of an accent to what it is accent.

[00:14:49] Brad Nigh: Yeah, Yeah. All right. Well that’ll be fun for you guys. I’m looking forward to next weekend hearing some stories about all the stuff that, you know what Evan ranting on on all the things that are wrong. Yeah,

[00:15:07] Ryan Cloutier: yeah, I’ll see you right. There’s

[00:15:10] Brad Nigh: some that are right, okay. All right. All the things that are right and some things that are wrong. Okay, so let’s shift gears now a little bit. So last week we talked about information security, roles and responsibilities, you know, not the most exciting topic, but really is a critical one. Uh, and putting together a good program And we’re approaching this from two different perspectives from uh, you know, first from that macro level, higher level than a micro level. So last week, part one was the macro level, uh, this week for part two is the micro level, you guys ready to get started.

[00:15:46] Ryan Cloutier: Oh yeah and what do you mean? Not the most exciting governance

[00:15:51] Brad Nigh: is not exciting, let’s be honest, it’s critical,

[00:15:57] Evan Francen: it’s all in your attitude brad. I

[00:16:02] Brad Nigh: enjoy it. Just, most people don’t,

[00:16:06] Ryan Cloutier: I enjoy the part I enjoy about it is defining who’s responsible for what, you know and then helping them sort of either if they didn’t know it, either work into it or in a lot of times it’s an eye opening experience, something they don’t want to do these things that we’re asking them to do. So if they don’t even know that they were supposed to write

[00:16:25] Brad Nigh: right, yeah and oh go ahead. Right.

[00:16:28] Evan Francen: Well I was just going to say, you know, sometimes playing that role and responsibility game makes me think we need to invent security Twister, you know, one of the things, one of the challenges, I’m sure you guys have run into this as well. Um trying to get who’s on first, it’s like a bad Abbott and Costello episode, you know, trying to find that that single point of accountability to then build the team from there I think sometimes can be really, really challenging because you’re asking people to take on a level of responsibility that you know to Evan’s point if they don’t even know they’re supposed to be doing this and you come along and say, well not only you’re supposed to be doing this, but you know, you’re responsible for this and if something goes wrong, there’s consequences. I think that’s, that’s a bit of a challenge for some organizations. Did you guys say that that’s your shared experience as well?

[00:17:18] Brad Nigh: Yeah, absolutely. And and then you have the flipside of people not even wanting to define those because they don’t want to have to worry about people being, you know, putting that pressure on people, right? So if you have those defined roles and responsibilities now there’s accountability, which means you have to actually take action. So it’s almost like the head in the sand approach.

[00:17:44] Ryan Cloutier: Well, it’s funny how I think a lot of companies are, people just assume that somebody else is taking care of something that really you’re supposed to be taken care of. You know, when you sit down and sort of define, you know what, who should be doing what here with respect to information. Can you find a lot of gaps like, oh crap, We don’t even have anybody looking at the logs or we don’t have anybody to call when an incident happens. You know, it’s those basic stuff, but it, I think a lot of times we get this bad rap for it or people aren’t excited because it’s kind of been going about it all wrong just because the standard says I need to have this, I must have this as opposed to, you know how to fit the standard in my, into my company and make it make sense,

[00:18:27] Evan Francen: right? And and that’s, I mean that’s the secret to us, right? Is making making it fit your business. You know, when I think of K-12 schools, one of the big issues we have with roles and responsibilities is delegated authority. So the school board has the ultimate authority. They then in turn have to delegate that to the superintendent, who then in turn has to delegate it further downstream. And sometimes you can run into those political hurdles and challenges. Um and so there can be a challenge just even figuring out, you know, who is the delegated authority that can ultimately then start to select those roles and responsibilities.

[00:19:03] Ryan Cloutier: It’s a good point. And this stuff plays, you know, right? This stuff place, you know, uh not just at work, right? The same thing at home like mom, dad who is responsible for what? And I’ve asked this, I mean I asked this this the basic sometimes the most obvious dumbest questions when I do work with people, you know, one of those, you know, you’ve heard me say a billion times, what’s your definition of information security? Another one is, who is ultimately responsible for information security here, right? Who is the person that’s going to make the call when I come to them with a whole bunch of risks that I need decisions on who’s going to play that game with me because somebody has

[00:19:42] Brad Nigh: to, right? No. And I think that’s a important thing. You know, if you don’t have that ultimate, you know, uh Call maker. Decision maker, I guess uh Everything else just kind of falls by the wayside. You need to have that one person who is making those calls, making those decisions and holding people accountable for therapies. If you just say Evan, you need to do this, but there’s nobody checking on you. And we don’t it’s not really doing anything,

[00:20:18] Ryan Cloutier: right? Yeah. It’s not like you have, you know, and I’m trying to, one of the things we’re trying to do in this book is just operationalize information security. Make it just like every other business process that you use to keep the business running, Right? So in finance, you know, who’s, who’s responsible for your paycheck, don’t you? Was responsible for counting, counting all the beans and putting things together and that person doesn’t play that role by themselves, right? They need the entire company to play ball with them. Right? We have a budget, We have expenses, We have, you know, all these things. And then even then they have a third party come and audit the books, usually on an annual basis. So why can’t we treat information security more like just, you know, maybe the finance function, just part of the business.

[00:21:01] Brad Nigh: I just want to go back to say paycheck. You get paid. I thought we were doing this because we like doing it? No way. You know, a

[00:21:12] Evan Francen: girl a charity program.

[00:21:16] Ryan Cloutier: When did you get

[00:21:17] Evan Francen: paid?

[00:21:18] Ryan Cloutier: Gonna

[00:21:20] Evan Francen: call Kevin? I thought that was so and you make really good points there, you know, um and I think, you know, there’s it should be, I mean, I know one of the things that I preach on a pretty frequent basis um is not to treat information security and your cybersecurity program as a separate new thing. A lot of organizations already have a communications team, already have a lot of the large organizations have a risk management team. Right? So you’ve already got folks that are doing bits and pieces if you will and one you know, I try to tell folks that this is just another part of that already ongoing activity. It’s just another bullet in your in your list. So communications comes to mind, right? Don’t create a new communications team to handle your crisis information security, crisis communication train your crisis communication team on how to handle this type of crisis. And I think that’s that’s resonated well. And I think the organizations that I’ve worked with that have kind of implemented that approach have had a greater degree of success in reducing their cost and also increasing their speed at which they can get in front of some of this stuff because there isn’t as much, I’ve got to create a new program from scratch and therefore I need new budget and I need all these things. It’s it’s involving those those other components of your business. And to your point, it’s about just making it part of daily business, just like you guys always hear me preach that this is life, this is daily life, this isn’t some fancy. I think it’s just a basic foundation and I think businesses need to adopt similar thinking. It’ll make it much easier to manage some of this stuff.

[00:23:01] Brad Nigh: Yeah, I think another good example that would be like vendor management, right? A lot of companies do vendor risk management or third party risk management from a financial perspective, but they don’t do the information security piece. And then it’s like, well, how do we marry the two together? Well, you already have a process for vetting vendors on part of it. Just add this other piece to what you’re already doing, don’t create a whole new program. Uh and now you’ve got competing interests. Right? So.

[00:23:33] Ryan Cloutier: Right. Yeah. Great. Yeah.

[00:23:37] Brad Nigh: So, uh we have, we clearly have not really followed the show notes, but we’ve already covered several of the topics here. Um the next one on the list. So we do I don’t wanna miss anything because it is important um is why is it important to simplify information security? And how how can people be more successful at that? And I’ll take a first step of that at that one and say, well, we already know that it’s information security is daunting and a lot of people just don’t get it. So if we can simplify it, we’re gonna get better by in and as soon as we get that better by in then the whole program is going to be stronger. What do you guys think?

[00:24:19] Evan Francen: I completely agree. Uh and I would just say it’s simply as the reason to simplify reduce costs, increased speed to respond.

[00:24:28] Ryan Cloutier: Yeah, yeah. And for me it’s you know, when I got in in the information is here to one of the icons in our industry was Bruce Schneier and so he’s written numerous times on how complexity is the enemy of information security and really lays out a, you know, really logical path on why that’s true and logically tell you right, it’s easier to secure two things than it is to secure 20 you know, so the marks, the simpler you can keep things uh it’s always easier to secure and it’s not just with technologies, with processes, with people. Um you know, I consult boards of directors and tell them if information security seems too mysterious for you, it’s too mysterious. We’ve done something wrong. It needs to make sense even though we boil it all up and fold it all up nice and neat for you in the board meeting every quarter. Do you understand the things that go into this? Right? Is it simple enough for all of us to understand because it’s all like all our works right?

[00:25:31] Brad Nigh: Yeah. And I think you know what’s important and we’ll get to that here in the roles and responsibilities but is Yeah, just because we keep it simple from a, at a high level. That doesn’t mean there’s not going to be, you know, when she start really getting down into it, it does get more complex. It’s just the nature of it. It has to but we want to keep that foundation in that framework as simple as we can so that people understand exactly, you know what they should be doing and and what what they’re again, they’re accountability to doing this stuff is

[00:26:04] Ryan Cloutier: yeah, I just want people to be more, much more cognizant of every time I add something new into my environment, whether it be at home or whether it be at work, whether it be at school, be real cognizant of complexity that you might be adding because you’re going to have to account for that somewhere in your security program, you know, because it gets, it gets out of hand on you really quick. You look at just check junk everywhere, you’re like, oh my God, how did we get here? Because you know, you didn’t take this. You know, you didn’t take this into account as you’re building.

[00:26:36] Evan Francen: Well, what’s uh what’s the new projected stat? Is it nine devices per person I think is the current life identity that they’re they’re planning for

[00:26:47] Ryan Cloutier: if you remember the simpler life, I mean a Masonic an old timer now, but back in the simpler day then, I wasn’t connected to everything and and uh you know, I wasn’t being GPS tracked everywhere I go and you know, it was a lot easier to secure my life nowadays. iPad, laptop. Yeah. You know, car? Well, we’ll talk

[00:27:11] Evan Francen: about that on the K-12 cybersecurity podcast. One of the episodes is always on, yeah. And what is this? You know what they’re doing to us, right? And and um we’ll unpack that on on that podcast. But I think you’re right, it’s it’s never have I had to worry about so many vectors in which someone could harm me or steal from me, you know, in the old to gold time here with Evan jump in our in our geriatric machine here. But you know, I used to worry about your wallet being pickpocketed, that was about it, you didn’t go down the shady alleyway, you were fine, right? And now it’s he run into an inverted risk. I mean last night for example, we found a skimmer were trying to leave the parking ramp and you know, here at our at the RSA conference and we’re leaving the parking ramp and lo and behold and it was a pretty poor skimmer job. I posted a picture to Twitter. Um but you know, that kind of stuff just wasn’t a thing 13 years ago. Yeah,

[00:28:15] Brad Nigh: yeah, yeah. It’s uh yeah, keep it, it’s a lot to manage and we already established that most people don’t get it to begin with. So you know.

[00:28:27] Ryan Cloutier: Well that’s that’s it. I mean we’re talking about roles and responsibilities too. How can I be responsible for something I don’t understand? It’s so complex that I can’t get my head around it, I can’t understand it. Then maybe it’s too complex or maybe it’s a skill gap issue. But at the end of the day somebody has to be responsible for some part of information security or all of information security. And if you don’t understand it, good luck, right? You know, simplify especially our underserved markets that we’ve been talking about like SMBs, K through 12, state, local government and simplify this stuff so that you can understand it and then once you understand it, the complexity you add to it should, you know, you should also understand that too. Right. Well yeah, it’s kind of like

[00:29:12] Evan Francen: learning to drive a car, right? Most of us learn how to drive a car in a parking lot or on some, you know back country road. And as you got more familiar with operating a vehicle that maybe you tried some side streets, you know, but you didn’t start out on the freeway. I think you’re absolutely right. I think you kind of got to walk into some of this complexity and I think there’s an easier way to do it, but a lot of times less information security people we want to be right and we want to be smart and sometimes I think that’s the enemy of simplicity. Mhm.

[00:29:43] Brad Nigh: Yeah, that’s a good point. So what does the operator operating it, can’t even say operationalizing, it’s way too early for me, uh information security look like. And how do people accomplish it? Uh Evan you want to take that one?

[00:30:02] Ryan Cloutier: Sure. Yeah. So this is, you know, when I think of operationalized, it’s just making part of the operations, right? It’s it’s integrated into everything that you do, just like finances is integrated into, you know what a business does in schools, you know, achievement and safety. It’s just integrated into what they do if you want security to work well and not always be at odds with, you know, whatever the mission is, you have to integrate it. You have to operationalize it, make it part of daily life. You can’t, it’s so much so that you can’t do life without it, right? It’s just part of it now and you know, it feels really awkward I think so as well as as we’re working on this book, it feels really awkward at first like you’re going through the motions. I don’t know if you’ve ever, you know, uh in relationships reminds me of a relationship five years ago, my wife and I were going to, you know, some rocky times because we got busy with other parts of our life, we’ve neglected this other part I’m getting at right. So it reminds me that when we first started dating again, like in our marriage it was so awkward. It was like mechanical is like going through the motions, but once it becomes kind of operationalized this thing, it’s not awkward anymore. But I think for companies when you’re starting off operational izing information security is going to feel awkward like you’re going through the motions like you’re following recipe or you know, but just keep going with it, you know, and understand that the goal is to just make this part of business as opposed to its own separate thing.

[00:31:36] Evan Francen: Right? And that’s a very key point right there. So operationalized for me is, you know, part of that is integrating it into just the daily work routine, this daily life routine. Um, on the people’s side, right, on the personal side, it’s things like check your bank statement once a month. Right. I do that when you’re paying your back. I think, you know, as we look at how do we integrate in businesses and get them to operationalize, I think it’s on us as the information security professionals to help find ways to pair and marry it to existing business process. So, you know, procurement comes to mind. So before you procure something from a vendor, some kind of device, what’s the risk assessment done on the vendor? Usually you’ll do some kind of, to your point earlier, financial risk assessment on the front end. But how do you evaluate that tech before it comes into your environment? If we did that, we might get a little headway with some of the internet of disaster. Right, IoT.

[00:32:36] Ryan Cloutier: Oh date yeah. Well how about you brad when you, when you work with companies, you know, how do you, how do you process?

[00:32:44] Brad Nigh: No, I think you guys really nailed it. Um, and I think from a personal standpoint, I wanted to kind of talk about that a little bit too. I think one way that I noticed or I realized when I had operationalized it in my day to day is people start looking at you weird because you’re looking at things differently. Right now, like my wife is a nurse who was working at a hospital, and I’d come in and start looking at things and making comments about the papers in the unsecured shred or, you know, whatever those types of things are, and you just start realizing and noticing those things that maybe aren’t as secure as they should be, and you actually, I think, have that aha moment of, oh yeah, okay, I am looking at things differently. And then once you do that, it really does translate into the business piece. So, you know, I think from the business side, yeah, just make it part of your everyday, and at some point it’s going to become like, oh yeah, we’re doing this. Okay, cool.

[00:33:55] Ryan Cloutier: Right? Remember when you first started, you know, when they mandated seatbelts? I’m not that old. Yeah, it’s uncomfortable for a lot of us at the beginning, right? Remember to put that seatbelt on, and you know, people who grew up with it, so that, you know, you can call them the digital citizens now, they’re used to, you know, have operationalized some of the things, but they love them, have learned bad habits. Do we haven’t happened the safety part things, but now, you know, I get in the car and I just put on a seatbelt, I don’t even think twice about it.

[00:34:27] Evan Francen: Well, and I think in a business context, you know, to use the seatbelt example, I met a gentleman once when I was giving a talk, and I had used automotive safety as kind of my, um, my analogy for why we want to do this. And when I got to the seatbelts, the guy got pretty upset, visibly in the face, and afterwards he came up to me, because “I don’t need nobody telling me about no seatbelt, government invading my life,” right? And I’m like, oh boy, you’re special. Right? But the reason I say that is because I think in businesses, you are going to have some of those folks

[00:34:59] Ryan Cloutier: who

[00:35:01] Evan Francen: we’re going to have to work a little harder with, because they may be a little longer in the tooth. “Look, I’ve been running my business for 50 years without your stinking information security. I haven’t had a problem yet.” I’m sure this is a very familiar story for you guys, and a nurse, right? “I’ve been doing it this way all along and now you’re asking me to change, you’re asking me to spend money, you’re asking me to do these things that I’m struggling to see the value in because I’ve made it this far.” It’s like the guy with no seatbelt: I’m still here, never wore a seatbelt, had a car accident, didn’t kill me. Right? So we got to think long and hard about how we’re going to work on some of those resistors, because the reality is a lot of those resistors are gonna be farther up in the food chain. So as we think about, you know, what are those roles at work? The executive management, right? CISO, the IT department, your legal, your communications, you know, just the team members that make up your organization. Um, I think it’s important for us to find ways, because to seven point about digital natives, right, at least speak a different language, right? How we’re going to articulate the need for these roles and responsibilities and their definitions. I think we might have to end up taking 2 to 3 different approaches to hit the different audiences that make up, you know, the senior leadership and then ultimately the workforce of an organization.

[00:36:22] Brad Nigh: Yeah, I was just, a lot of it comes back to communication, right? How are we communicating this message and how are we communicating the importance of it? Um, and, you know, to your point around the incident responses? It happens. You know, I can think of two or three examples off the top of my head where the owner of a small business was just blown away by what happened and the cost of doing it. And how could this happen? It’s never happened. And why would they come after us? And yeah, it doesn’t matter. It doesn’t matter what size you are, who you are, you have data. If you’re not securing your information and you make it easy, they’re going to find it. So it’s, uh, that’s always an awkward conversation too, when they’re, you know, stressed out and everything is down and they don’t want to pay. Yeah, maybe never had to.

[00:37:20] Ryan Cloutier: So the worst time and the best time to test your incident response plan is under

[00:37:24] Brad Nigh: fire. I tell you, assume they have one. All right. So

[00:37:30] Ryan Cloutier: everybody, everybody’s got one, it’s whether it’s a document, uh, it’s just updating the main run. True.

[00:37:37] Brad Nigh: All right. So let’s talk about some of those roles and responsibilities at work. Uh, starting with executive management. Uh, you know, what would be a good definition of the role and responsibility for executive management? Um, let’s go with, right? Or I think, go ahead.

[00:37:55] Ryan Cloutier: No, I always think of this as two ways, right? You’ve got CEOs who are tolerators of information security and you’ve got CEOs who are champions of information security. And there’s a big difference between the two. So as an executive management, a good, I think, executive team can see information security as a competitive advantage. They can see that there are advantages for the business beyond just protecting assets, and so they champion it. They want to operationalize it. I think a lot of them struggle with how, uh, but it’s their job, right? You run the company, you run the business, you run the school, you run whatever. You’re at that level, make sure that information security, just like finance, just like legal, just like everything else going on in the organization, security’s got a seat at the table, security’s got structure, security’s operationalized. Ah, that’s your job as executive management.

[00:38:51] Brad Nigh: Yeah. So go ahead Ryan.

[00:38:54] Evan Francen: Oh no, no. I

[00:38:55] Brad Nigh: was just like, well, just on that, I think, you know, you’ve kind of got, in my experience, three groups of that person, right? Let’s say maybe less than 10% are the ones that just get it and want to do that, and that remaining 90%, and we can argue about the breakdown of it, is either people that have lived through an incident and had a breach and are like, nope, never doing this again, or have seen someone, you know, were at a place where maybe they weren’t directly impacted, but have again been through, uh, you know, some sort of a breach or an incident, uh, and seen it kind of firsthand without being, again, on the front lines.

[00:39:36] Evan Francen: Yeah. And I’ll just say for me, executive management, regardless of champion or tolerator, your job is to support, that’s it. You need to support, you need to play that support role like a good servant leader. Yeah.

[00:39:51] Ryan Cloutier: Active, active support, you know, for sure, not just

[00:39:54] Evan Francen: support, Right?

[00:39:55] Brad Nigh: Yeah. Well, ultimately, right, I think at the end of the day, who’s going to be answering the questions from the media? If your company has a compromise, right, why didn’t you give the resources needed? Why didn’t you do these things? What happened here? You better be involved and understand what’s going on.

[00:40:18] Ryan Cloutier: You know, it’d be interesting at some point, Brad, to get, uh, you know, not publicly because they won’t, you know, we don’t want that, for some of these incident response cases to get quotes from executive management involved in those companies, just around these thoughts, you know, what were your thoughts prior to this? And you know, what surprised you, what advice would you have for the next CEO? You know, we

[00:40:48] Evan Francen: should, we should be talking about this more.

[00:40:50] Brad Nigh: Yeah, I mean obviously I can give you, you know, not direct quotes, but you know, a lot of the times it is, how did this happen? I thought we were protected. And that comes back to a communications issue of they were under the impression of one thing, we’ve got these blinky lights so we’re good, versus what the reality is. And you know, we just wrapped one up and the CEO and CFO were, um, they weren’t, combative is not the right word, but questioning a lot, and it was clear they wanted to understand and they just didn’t have that knowledge to begin with. And they came around, uh, and I think the company’s gonna do really good things moving forward. But it was enlightening for them. They had no idea. They thought they knew and it was pretty clear, and they realized that what they knew was not enough and where they were at, and they were doing that kind of passive support versus the active support

[00:41:56] Ryan Cloutier: that leads to the next one, that leads to the next role in our show notes too, right. So, CISO or similar, right? I mean, some organizations, most organizations don’t have a

[00:42:09] Brad Nigh: named security officer.

[00:42:12] Ryan Cloutier: Yeah. So, but you know, two jobs, I think, there, whether it’s a consulting, you know, whether the CISO is, you know, an outsider, like a third party, like FRSecure might be a vCISO, or internal, you know, I always think of two jobs. One is to consult executive management on what information security risk is, so that they start making really good, effective risk decisions, and then the second job is to implement those risk decisions. Yeah, so if executive management doesn’t get it, I’ve always looked at myself in the mirror as the CISO. Where’s the problem? Well, I’m not consulting, well, I’m not speaking their language, something is not resonating, right?

[00:42:53] Evan Francen: I mean, for me, the biggest part of being a CISO, um, when I’m, you know, helping out these disks, I spend more time translating. It really is true, for me, translation services: this is what this means, this is why you should care about what that is. Um, and then, you know, to your point, you know, it’s the implementation side, and I think in larger orgs that’s kind of a dedicated focus. I think as you get into the smaller orgs, your actual implementer might be further downstream. And so it becomes more of a coach kind of role, translator and a coach.

[00:43:35] Brad Nigh: Well, and I think a big issue that we see is it comes back to that assumption where you’ll have, you know, the IT Director or whatever, and executive management assumes they’re going to be in charge of security, but it’s not defined anywhere, and the IT person is, you know, they’re doing the best they can but they’re not given that support. So I think, you know, it is kind of, uh, an issue a lot of times for that as well. And that goes back to why we have to define this. Why do we need to make this formal? So that people can, right, we need to hold executive management responsible and accountable to giving those resources to the person they’ve named. But you have to name the person and give them that support so that you can then hold them accountable for actually doing their job.

[00:44:23] Ryan Cloutier: Yeah, I mean, the sad thing is, I think too many times executive management just doesn’t have a clue because the CISO or somebody hasn’t told them in a language that they understand. And I don’t point fingers much at executive management because they’re all good, they’re all smart, you know, they’re not idiots. But we haven’t done a good job of explaining what their actual role is here. Right?

[00:44:48] Evan Francen: Well, how if it’s business. Yeah. You know, because in the business they have roles, right? They have roles that align to the business need and function, and you know, that’s on us.

[00:44:59] Ryan Cloutier: How many street? Yeah, I mean, how many times have you had that approach? Executive management, like, information security risk is the only risk, and they’re so passionate about their job that an executive manager shuts down, they’re like, no. Well, and that’s how we get the silo

[00:45:17] Evan Francen: that’s how this becomes a not-part-of-the-business issue, or what I call a business-adjacent issue, instead of a core part of the business. And so I think that is a huge problem. You know, when we talk about this, we need to talk about it in the greater risk context because they already are familiar with that. If they weren’t, they wouldn’t be in executive management. They wouldn’t be, you know, a success in business if they didn’t at least have a basic understanding of risk. So

[00:45:46] Ryan Cloutier: that’s why I’m going back to what we started with, Brad. You know, that’s why it’s so important for us to operationalize this. We don’t treat information security risk like it’s some sort of mysterious genie in a bottle kind of thing. The genie has never been in the bottle, right? This is what security is. This is how you integrate it into your business. Executive management, this is what level of involvement you should have. When I ask you a question about, hey, tell me about your information security program, they don’t have to master it. But tell me something, right, with, you know, that shows me that you’re involved with it. Because if I ask you to tell me about your finances, are we taxed as an S corp or C corp, they’ll be able to tell me all those answers.

[00:46:31] Brad Nigh: Yeah. And a good answer is not, well, we spent X amount last year on security.

[00:46:36] Ryan Cloutier: Yeah, if only that worked, right? It only works in here, and say

[00:46:42] Brad Nigh: Yeah, so what about IT’s responsibility?

[00:46:48] Evan Francen: I think it goes back to empowerment, continuous learning. I think one of the key responsibilities that I would put on any IT leader of a non-executive type or CISO type, right, is to say, how are you ensuring continuous learning of your team? This is a continuous learning topic. Every time we get good at something, the bad guys get better. We’ve got to pivot and adjust to meet, you know, their change. What does that look like inside your organization? How are you keeping your folks up to snuff on the best security practices? Right? Not necessarily the latest and greatest, we don’t want to go chasing the bleeding edge, but on the core foundation stuff. There are so many people that don’t understand some of the core fundamental foundation blocks of securing an environment. Hardening an OS: every one of your admins should be well versed in OS hardening. And I would guess that that’s maybe 25% true in my experience.

[00:47:51] Brad Nigh: What do you guys, that might be a little high, but uh, no, I agree. I think a big part of the problem is you get a lot of arrogance in IT, especially with the people that have been around, those admins. We run into this in the IR situations all the time where we come in.

[00:48:10] Evan Francen: Arrogant IT people

[00:48:12] Brad Nigh: okay, well, we ran into it where, like, they’re defending to the death these, you know, configurations, and “why, we have to have it this way,” and we’re like, well, this is how they got in and how they’re maintaining persistence, and here’s the problem, here’s what you need to do. And, “well, no, prove it to me.” Okay, here it is. “Well, that can’t be the case.” Right? So I think that’s a big issue, um, and you know, it’s a mindset that needs to change, and I think that does come from above, right? IT typically, it’s a thankless, thankless job. A lot of the times either there’s nothing going on, so people think, well, they’re back there playing games, or something is down and, well, why haven’t you fixed it yet? So I think, shockingly, it all comes back to communication and some education about, you know, where people’s roles and responsibilities are, what they should be doing, and not placing blame just because we got to point a finger at someone.

[00:49:16] Ryan Cloutier: What it is, is information technology, it’s not information security. They certainly play a big role and they need a seat at the table and all those things, but to treat, you know, information security like an IT issue, you know, is sort of catastrophic to the company because you’re missing the biggest risks. Right? So what I was

[00:49:36] Brad Nigh: Go ahead. I was just going to say IT should be implementing the things that security is identifying. Yeah, maintaining

[00:49:44] Ryan Cloutier: these things. Yeah. So they get a seat at the table. What I want to know is, I want them to know every one of their systems as intimately as possible. Yes. Yes. So the better you know your systems, the better I’m going to be able to use you, as a CISO, to help secure those systems. So if you do secure builds, whenever we deploy those things, that usually comes from a security mindset working with IT. But in lieu of that, let’s say you don’t do a hardened build, I want you to know how these servers operate so well that you’ll notice things that are off before any system would, right. To me, we want you to be a master of your craft in IT. You know your systems better than anybody else ever would, and that’s what I want IT to do.

[00:50:29] Brad Nigh: So if we ask if they’re doing something via group policy, they shouldn’t go with, you know, “I don’t know, I have to look at that.”

[00:50:36] Ryan Cloutier: I think we’ve asked them to do the impossible, right? We’ve asked IT to, you know, spec out systems, build systems, maintain systems, and then we’re going to throw security on top of you too because we don’t know where else to put it in the organization. So now, IT manager, you’re also security manager. Oh, and you better train the employees and deal with password resets, and I mean

[00:50:59] Evan Francen: very true.

[00:51:01] Ryan Cloutier: Yeah. Put it in what it is meant to be, which is to keep the systems, technology, you know, running up to snuff, whatever. But that’s a partnership with security. Yeah. I just want you to know your stuff, man, really well.

[00:51:15] Brad Nigh: And that’s what, as far as going with that good Ryan, sorry.

[00:51:20] Evan Francen: Well, it just goes back to the foundation fundamentals. What do you got, where is it, how does it work, and who’s got access to it? The better

[00:51:27] Ryan Cloutier: you know your stuff, the better you’re gonna be able to secure. Yeah, for sure.

[00:51:31] Evan Francen: Absolutely. Well and I think that segues us to the next piece. Right? Legal. Right, right.

[00:51:38] Ryan Cloutier: And one, they have a different sense of humor, I know that, or no sense of humor at all, depending on employer.

[00:51:42] Evan Francen: Um, you know, it’s interesting. I run into so many attorneys in the school world who are amazing school attorneys. They do not have the first understanding of what cyber law is and what type of things they need to be thinking about in their function. You know, what are the roles and responsibilities of your legal department when it comes to this topic? And I have had fascinating conversations where dan result was the lawyer’s like, well, I guess I go back to some trainings, I guess. I don’t know what I need to know. Or they end up having, did you know, two to three outside counsel to get a half decent understanding. Because we ask legal to help us with things like policy. We ask legal to help us with contracts and other things where there’s an information security component. But if the lawyer is not at least foundationally versed in the topic, uh, at best you get bad advice and at worst you get adamant positions, right? That may be the opposite of what they need to be for reducing the risk to the organization.

[00:52:51] Ryan Cloutier: Yeah. I think legal counsel has, you know. Yeah. Is a lot of those players on the seat at the table. They don’t run security. Information security people, a CISO, you know, in a larger organization, or somebody responsible for information security, uh, consults with executive management. Consultant Chip knows enough about legal to know about legal, right? And then it’s just like, you know, we see all the time. Now we have Google, Google everything. So is my legal counsel, you know, do we have a communication line that’s, uh, you know, open enough, honest enough, to where I can use them as a conduit to those other legal resources, even if you’re not well versed in great stuff. But the sad thing is, you know, you see so many different organizations that are just like, I don’t know where to put security. So we’re gonna put it on IT, right? We’re gonna put it in legal, right? Um, yeah.

[00:53:47] Brad Nigh: Yeah. Yeah. And they’re so much fun to deal with in my IRs because they want to rewrite everything in a way that fits their narrative, not what we actually identified. So that’s always fun to go back and forth. But that’s a different story, right? And so we’re running out of time here. But what about everyone else, real quick? And then, uh, sounds like we’re gonna make this a three-part, uh, series. Apparently

[00:54:17] Ryan Cloutier: good. We can talk about it at home. Yeah.

[00:54:20] Brad Nigh: Yeah. That’ll be, and should be, an episode by itself. It should be an episode by itself.

[00:54:24] Ryan Cloutier: You’re right.

[00:54:25] Brad Nigh: It is now.