Information Security Roles & Responsibilities

Unsecurity Podcast

This week, Evan and Brad discuss information security roles and responsibilities. One of the foundational components of information security is understanding and implementing information security roles and responsibilities. Part one of a two-part episode, this week talks about information security roles and responsibilities at a macro level.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:23] Evan Francen: Howdy. Welcome to episode 67 of the UN security podcast. Today is february 17th 2020 in this angelic voice. Don’t laugh is uh, you’re hearing is me. This is Evan. Evan Francen. Joining me in studio today is my security bestie. That’s right Brad. I just called you my security bestie Brad Nigh. Good morning Brad. Morning Evan. How you doing? I’m doing pretty well. You got some sleep. Got some sleep. That’s important last week. That was different.

[00:00:53] Brad Nigh: Yes. You didn’t know kid. So sleep sleep this weekend and feel much better.

[00:00:59] Evan Francen: Alright, cool. We have a great show planned today. Before we dive in. We’re going to catch up like we usually do. I want to know more about what you’re doing and uh, what you’re up to. So lay it on me, Give it to me what you been up to.

[00:01:12] Brad Nigh: Just, you know, security stuff and things.

[00:01:14] Evan Francen: This is like, it’s almost like an employment review right on the podcast. No.

[00:01:19] Brad Nigh: Would you say you do hear bread? Yeah, that’s a great question. Uh, spreadsheets. Yeah, lots of spreadsheets. No, uh, you know, just continue looking at it, how we’re doing things? Is there better ways to do it? How can we make it better? What can we do to provide more value with the services. And are we doing things, you know, consistently in the best way possible? Cool. You know, little things

[00:01:45] Evan Francen: when I’m hoping that in the next, uh, in a few months you and I’ll be able to do some more work together, you know? I know we have some cool things that we can create in with relation to our VC, so service with relation to, you know, some of the C C P A C C M K stuff

[00:02:02] Brad Nigh: stuff. Yeah, I’m excited with no C C P A C M M C G D P R. What other acronyms can we throw out there? You know, and some of the new, uh, the stuff within security studio and building out services around that and, you know, Yeah, I’m excited for you. It’s amazing where is coming year and a half, two years of where we’ll be another year and a half or two years.

[00:02:30] Evan Francen: Well, it also shows for me, you know, you just kinda get caught up in the day to day. You have to get intentional about certain things, you know, like you and I hanging out, I was working on the book this weekend, stuff like that. Like collaboration, you know, you just have to get intentional and scheduling and setting aside time.

[00:02:48] Brad Nigh: Yeah, you’re right, it is really easy to just get kind of into the weeds and kind of yeah, miss out on things have definitely found it. There’s some duplicate effort where people working on the same thing and not communicating and working on fixing some of that stuff normal almost things

[00:03:10] Evan Francen: yeah I got to make a trip to bismarck North Dakota last week. How is that? He was bismarck North

[00:03:18] Brad Nigh: Dakota in february. Yeah at least it wasn’t like a blizzard.

[00:03:22] Evan Francen: No it was good, it was a good meeting. Um I brought Jim Nash, our state representative with me so I had to spend too many hours with them, I don’t know how many hours it was but just like 12:13 just in

[00:03:37] Brad Nigh: the car. It’s a long drive.

[00:03:39] Evan Francen: Yeah, no it was fun, we had some good discussion and good talk. Uh you know he’s he’s committed to you know information security uh committed to, you know, from the legislative perspective, you know, being a Minnesota legislator. So we went up to bismarck to talk to uh the state ceo Sean Riley, so very well known kind of leading the country I think in a lot of ways on it and information security and sort of just affecting change in government. Um And then who else? Oh kevin ford their new cso up there and he came from cyber JR X. Okay and then your idea who runs their grc, so pretty good meeting, it was nice to to see what they’re up to uh at the end of last week I had a meeting with Aaron call uh he was already having a meeting with Jim nash erin call was was the Minnesota see so and just some really cool insights from him. I mean that guy knows what he’s doing. So it’s it’s cool to talk shop those guys. Yeah, but I also learned some things about, you know, how the state of Minnesota does information security and just kind of the, you know, I don’t want to be negative and say, you know, it’s all crap but it’s uh there’s some big challenges in state government that I don’t think people realize they don’t really innovate

[00:05:12] Brad Nigh: much. There’s probably seems like there’s that that fear of rocking the boat and then you do have changes in who’s running things. So priorities are constantly shifting right? It would be tough.

[00:05:27] Evan Francen: Well it got me thinking too about, you know, one of the topics for today’s talk is just, you know, roles and responsibilities. It’s one of those things that I think some people just shut down when you say roles and responsibilities, just like uh Yeah, I’ll talk about that, but let’s try to talk about it and like a not wait, you know, in a good way. I think we can do that. Yeah, I think so too. So this came about from talks last week um Oh wait, I’ve got something else in my show notes. I just recognized You have to pick one truth.

[00:06:03] Brad Nigh: I was I was hoping that would slide by. Wasn’t not gonna say anything,

[00:06:07] Evan Francen: we tell the truth around here. So we’re gonna, you know, let’s see if you saw this and

[00:06:13] Brad Nigh: Mhm. Anything. You know,

[00:06:16] Evan Francen: you can even use one that you’ve heard. Well,

[00:06:18] Brad Nigh: the immediate ones are always the you know, you can’t protect me. You don’t know if it’s insecure the course only one, but but well, those are the kind of the some of those ones. But I think the biggest one is that I’ve that we haven’t really talked about because I do want to kind of not say the same things is I think the the biggest truth that I’ve seen is the people that are overconfident are the ones that are typically put in the organization at a lot more risk. All right. All right, well, we’ve got all these tools. We’ve got this. We’re not we don’t have to we don’t need your help. And then those are the ones that we true keep we’ve had multiple where we’ve tried to help them and say, well, let’s do a risk assessment. No, we’re good. We don’t need anything. And then come back months or year later and well, we had an incident and it turns out that no, they were really poorly configured. So, I think if you’re the more overconfident someone is from a security perspective, uh that they’re probably putting

[00:07:27] Evan Francen: so maybe the truth would be pride might be your biggest vulnerable. Are your biggest weakness or something.

[00:07:33] Brad Nigh: Yeah.

[00:07:34] Evan Francen: Well, you have you seen on my desk I have a sticky note and I have two words written on there and stuck to my monitor. What is humility and the others honesty. You know, just to remember that sometimes the security people, we look down on other people. We think what you dumb. You put that link, you know what I mean? That doesn’t help anybody.

[00:08:00] Brad Nigh: No. Well, yeah. Especially when yet when there, you know the whole glasshouse throwing the first stone. Yeah. No, I can’t believe you did this. How did you let your let it into the environment? How did you not have controls to block that militias website? Right. So

[00:08:20] Evan Francen: yeah, so to our listeners stay humble. My friends. Yeah, truly, I mean humility I think goes a long way towards security. It also helps to fend off. Um, you know, maybe the false sense of security. Yeah, I know as a, you know, a reformed social engineer. You know, we’re always social engineers. But you know, I don’t do that as much. One of the great target is somebody who is over confident who’s not, you know, checking the rearview mirror. Another one is, you know, um lack of just situational awareness, which I think those two play off of each other. You know when you’re overconfident and everything. You just let your guard down. Yeah. Yeah. So good truth. All right. I like that one. I’m gonna, what am I gonna say crap now? We gotta come up with the truth. Um I have my favorite one, but, and I’ll just say it because maybe we’ll do this every week. We’ll just share truth. But my my favorite one is information security is not about information or security. It’s about people. And I’ll get passionate about that. I was talking to investors on friday. So last week was a really busy week and they could sense almost the righteous anger, you know, when I said that, uh Because what I what I was saying to them is I know that your motivation might be different than mine. My motivation is the mission. Your motivation might be to make a ton of money, you know? So if I can use your motivation to get my my mission done, right? And you can use my mission to make yourself a lot of money, then it’s a win. Win. Right? So, anyway. Alright, Hashtag truth bam. See my fingers hashtag Do you ever do that?

[00:10:07] Brad Nigh: Hashtag No. No. You know. All right.

[00:10:11] Evan Francen: We have teenage kids.

[00:10:12] Brad Nigh: I do one. Yeah. 1.

[00:10:15] Evan Francen: How old is the next one? How old are your

[00:10:18] Brad Nigh: Kids just turned 14 and 12. Just turned 12.

[00:10:21] Evan Francen: Okay. Next to teenagers. Oh, yeah. Oh, yeah. Well, my 15 year old, we had a good time this weekend. She had a bunch of friends over anyway. Another story. Mhm. All right. So, this weekend I was doing some doing some work on our book and yes, the book is still coming. I think a lot of times. You know, you just get kind of often your and the weeds a little bit and then you’re like, oh yeah, I forgot to tell people that I’m still doing this.

[00:10:51] Brad Nigh: It’s like you have a real job.

[00:10:55] Evan Francen: Well the day job gets in the way. It’s true weird. But for those of you don’t know yet we are writing a really cool book. I think the book is going to be fun. There’s two purposes to the book. You know, these things are starting to kind of kind of become a lot more clear as he starts just sitting down and putting your thoughts on paper. The first is to simplify information security. Yes, it can be done actually. Information security when you think about it is simple. It’s just a lot of simple. So when you look at a lot of simple and you don’t understand the relationships between all the simple things.

[00:11:27] Brad Nigh: It’s confusing.

[00:11:30] Evan Francen: So we’re gonna simplify information security. And the second is we we need to figure out a way to operationalize information security in our underserved markets. So operationalized just makes it just means make it part of your daily operations. It’s not a separate thing that you have to, it’s not mysterious. It doesn’t sit in the corner somewhere. So we need to simplify and operationalize the underserved markets that you know, I think our and this is subject to change as we start working together more state local government Schools, K through 12 and higher. Ad and small businesses in individuals. So there’s four, I think really underserved markets with information security who maybe information security is mysterious to them. The thing is, they don’t have the resources to mess it up. Like big companies to a big company can mess it up. You know, look at Equifax, they’re, they’re doing fine. Look at Target. You know, they’re doing fine. Blue cross, blue shield. Still doing fine. So it’s, you know, these underserved markets, they don’t have a lot of resources to waste. We need to simplify and operationalize. Um, so how do we embed information security in such a way that it becomes a normal part of everyday life and it should in just about every case become a competitive advantage if I want to win in the marketplace, security is a factor in that happening. So the book is being written by me brad and Ryan a k a cola because I can never pronounce his last name. So I just called, you know, cola comes from Marcy. Uh, I’m just about done with the initial outline, which are really just thoughts, but, and soon you and I will be like I said, getting intentional about just setting aside time so that we can work on this together. Uh, but we, we we should be collaborating big time. We should be, I’ll take the outline this week, but we should find some time. You and me, um, and just go through the outline thoughts and and the things that go into that and then you know get your thoughts, get my thoughts, figure it all out and then you know, what do we do next? Which parts of this would you like to start, you know take out and setting deadlines, that kind of stuff. It will be fun,

[00:13:55] Brad Nigh: shivers, deadlines. I

[00:13:57] Evan Francen: know, but they’re good deadline. Yeah. Um, but anyway, this all of that, here’s why it’s relevant today to today’s podcast as I was writing, I had had one thought and one of the foundational components of information security. So if you’re going to operationalize information security, you can’t do it without really defining what roles and responsibilities are, who has, who does what around here respect to security because it doesn’t come. I don’t think it comes second nature to people.

[00:14:28] Brad Nigh: Well, no, no not at all.

[00:14:30] Evan Francen: You sort of and there are right ways to tell them and they are wrong ways to tell them. There are right ways right ways to educate and wrong ways to educate. There are right ways to make it part of your culture and wrong ways to make it part of your culture. Yeah. So um this whole roles and responsibilities, you know kind of popped in um which then led to the idea of doing a two part series which is nice because you do next week and next week if you agree then

[00:14:58] Brad Nigh: that makes the second part.

[00:15:00] Evan Francen: So in part one today I’d like to discuss information security roles and responsibilities is at a macro level. Uh So you know not not the micro like individual people within an organization but more. What is the role of an organization? What is the role of government? What is the role you know these bigger chunkier things um We can discuss information screw uh It roles and responsibilities on a micro level next

[00:15:26] Brad Nigh: week. That sounds

[00:15:27] Evan Francen: good. I like it. See I told I haven’t put in my notes that you’re almost always games. Almost always game. Yeah. Mhm. All right. So let’s get let’s dig in. Uh And this is just opinions. You know I like opinions, opinions create ideas. I don’t want um us to we don’t have all the answers. Right? But I do know one thing for sure is you and I are heart is in the right place.

[00:15:53] Brad Nigh: Yeah. And I think the nice thing is let’s get the conversation started just because what we’re saying, it doesn’t mean it’s gospel truth. But if it gets people talking and we get you know, other people involved and it’s a

[00:16:07] Evan Francen: plus. Exactly. Exactly. So here’s our opinion on something. So the first thing is how important our information security roles and responsibilities

[00:16:16] Brad Nigh: very here we go. Alright next.

[00:16:18] Evan Francen: No mic drop.

[00:16:20] Brad Nigh: Uh It is I mean multiple reasons. First you’ve got you know if people aren’t I don’t know what they’re supposed to be doing. They’re not most likely going to be doing it not because they don’t want to, but because they don’t know, they’re supposed to, you know, you can’t do the right thing if you don’t know what you’re supposed to do.

[00:16:40] Evan Francen: Yeah, I think that ultimately one and if you’ve raised kids, you know how important it is, you know, to define these things and you can leave a wrapper on the floor, you know, in the kitchen and it will sit there for a week. So they’re probably indefinitely until you define whose responsibility it is to pick up the damn candy wrapper, It’s not mine. You know, just like when we came in here, right? I mean, we we found uh an iron, someone must have been ironing their clothes on our table in our studio. It’s like you didn’t put the iron away, right? That was probably your responsibility, not mine, I’m assuming. Uh so whoever, if somebody, if one of our people

[00:17:27] Brad Nigh: didn’t find out exactly.

[00:17:30] Evan Francen: But I think if you don’t define roles and responsibilities, I think you have a number of things that can happen. One is, somebody will assume that something is their responsibility. That’s not. So the overstep. And I think also um just things won’t get done. There are certain things people just don’t want to do

[00:17:51] Brad Nigh: right or yeah, they’ll assume someone else is going to do it and it doesn’t get done. So I think, yeah, both, both of those lead to conflict. Either you’re overstepping and somebody’s getting upset or it’s not getting done and somebody’s getting upset, it’s not getting done because they assume that you know it’s your responsibility. Yeah.

[00:18:12] Evan Francen: And I’m excited to talk about this when we talked to when we talk about the micro level like within an organization, roles and responsibilities. I had a great discussion on saturday with a newly I guess the newly crowned, maybe not a crown, we’ll make a crown of thorns. Uh So you know in a large healthcare organization we met for coffee on saturday and just talking about some of the challenges when people don’t fulfill their roles and responsibilities when they’re not clearly defined especially in you know because you see a lot of organizations that information security is in the I. T. Organization does does the ceo and we’ll talk about this next week. Does a ceo or does the board actually think that this is an IT issue? Yeah because they’re treating it like it is. Right. Anyway.

[00:19:07] Brad Nigh: Yeah. Yeah we can definitely go down some rabbit holes.

[00:19:11] Evan Francen: Yeah but that’ll be fun next week when we can talk about you know specifically those things because if you don’t define those things it’ll just be assumed. Yeah yep. You know and assumptions are usually wrong. Right. Mhm. Alright so roles and responsibilities. I think we both agree. I I don’t understand how you can run information security without them.

[00:19:34] Brad Nigh: I mean not you can’t run it successfully or for, well maybe you can short term, but it’s not a sustainable long term approach.

[00:19:46] Evan Francen: So both we both creates, it’s very important. Um Do you think it’s really important for people to define them formally? Or do people just know

[00:19:55] Brad Nigh: you got to do it formally? Right. I mean, the biggest one I think, you know, we talk about it is it goes to accountability. All right. If it’s not formally defined something happens, what was people’s, you know, uh It wasn’t me. Nobody told me I was supposed to do that. Right? So, you know, if it’s, if it’s not formally defined, it’s, you really don’t have it right?

[00:20:22] Evan Francen: When it’s, you know, it’s like uh you know, I’ve said policies are like rules for a board game. And I think roles and responsibilities are as well. It’s one person needs to document them, read them, understand them and then disseminate them to others, right, in a way that they understand so they can play the game.

[00:20:43] Brad Nigh: Yeah. Yeah. I’m excited for next week because I’m ready to go down

[00:20:48] Evan Francen: another. Yeah,

[00:20:50] Brad Nigh: but yeah, no, I agree. Right.

[00:20:53] Evan Francen: Well, I think one of the things we’re seeing when we talk about the roles and responsibilities at a macro level, we’ll talk about some of the things that I’ve seen happening at the government level with this. Um I agree. I think it’s it’s very important that you formally define them ideally there documented, you can reference them. People don’t like to document these things and people don’t like to formally define these things I think because it makes them think, yeah, they actually have to know what are all the things that need to be done right in information security. And then I got to write them down in english or whatever language I’m speaking and then tell people about them and maybe expose myself to some criticism.

[00:21:38] Brad Nigh: Yeah. Yeah. And and it’s funny how, you know, some of the different business sectors, how much more difficult that becomes

[00:21:48] Evan Francen: writing? Oh all right. So we both agree that information security roles and responsibilities are critical. We both agree that we need to define them formally. Uh Yeah. And because people don’t just know that’s another thing that I’ve learned, you know over the years is empty spaces always get filled and they usually get filled with the wrong stuff. So if if I’ve left a gap in my communication between what I expect, you know what I’m thinking I expect and telling people what I expect, I won’t get what I expect. You know, the outcome won’t be anywhere near what I was hoping for. Right? So let’s talk about roles and responsibilities at a macro level. The one the first to start is government. Um let’s just talk about, you know, what is the role of say the federal government in information security in your opinion.

[00:22:41] Brad Nigh: Um I think, you know, overall probably setting like setting the tone, you know, I think with the knee CSF and some of those setting the overall standards for, you know, what what should be done? They do have Uh huh a lot of pressure for protecting citizen information company information and then obviously the governmental secrets and all the stuff that you know military and all that stuff. So you know, I think yes, setting some standards providing some leadership and guidance on on some best practices because they have the most resources

[00:23:25] Evan Francen: one and one of the things that’s that’s and I agree with most of that. I mean you have to I’ve always viewed the federal government as as somebody who protects us protects our infrastructure and that’s what they do or that’s what they’re trying to do. But now now that everything is connected, where does critical infrastructure stop?

[00:23:50] Brad Nigh: Right, that’s a good

[00:23:51] Evan Francen: point. I mean you could draw the lines of critical infrastructure all the way into my living room if you’re creative enough and you know, you mean you google yourself in there so then it gets kind of scary because then does the federal government have a say in how I protect my own internet access? Yeah. You know or my own um you know, because telecommunications is a critical infrastructure component. Right. Well that’s how I’m connecting to the internet. So

[00:24:19] Brad Nigh: if your if your IOT network at home is a part of a botnet, is that?

[00:24:24] Evan Francen: Well, even if it’s not part of about that, do I have to? Well, the federal government have a day where they can mandate what I do for security regardless of whether I agree about it. I mean that’s

[00:24:37] Brad Nigh: that’s a good question.

[00:24:39] Evan Francen: That’s the scary part of what the government is sort of doing because Sisa came about, you know, not too long ago. They chose kind of a weird name I guess because ceases also uh yeah, certification in our industry. But see, so as part of the Department of homeland Security, cyber infrastructure, something administration and they’re tasked with I think originally with protecting the nation’s critical infrastructure. So this is what they say about Sisa. Sisa is the nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future. Mhm. That’s kind of a scary statement to me. Yeah, yeah. When the federal government is going to become my risk advisor.

[00:25:31] Brad Nigh: Not man, that’s yeah,

[00:25:35] Evan Francen: that’s kind of a big about and I and I get what they’re I get what they may be trying to do it, you can go both ways with that. You can that can be used for good, which maybe is what it was originally intended or it could get

[00:25:49] Brad Nigh: pretty hairy. Right. Yeah. Because you know, I thought providing here’s some best practices here guidances on what you should be doing, It would be the best, but then what you have to do this is the worst. Yeah. Yeah.

[00:26:05] Evan Francen: So I think the federal government definitely has a role. I don’t think it’s really well defined. Yeah. I mean, I don’t know what is the federal government’s role in information security? Is it to set a good example for the rest of us to follow? Is it to intrude upon potentially on us? Let’s say a small business isn’t doing what the federal government says you should be doing to protect information security. That can get kind of scary too. Because does the federal government know everything about protecting a small business?

[00:26:41] Brad Nigh: Yeah, it’s a it’s a, you know, it’s a tricky thing. You know, you’ve got Yeah. So like defarges and see MMC or kind of down that road. But then on the private sector you have the same thing with things like Isil or high trust or some of those where the private organizations are dictating what smaller businesses need to do. So it’s yeah, that’s a tough yes. It’s tough. I don’t

[00:27:12] Evan Francen: know, it’s got to be figured out because you know, and I did like what they were doing. I did like, you know, some of the presidential directive stuff with, you know, that led to the creation of the CSF. I like the fact that you call out what critical infrastructure sectors are. It would have been nice if if maybe we would have called them out with a little more specificity. Um, you know, you have the chemical sector now there’s I don’t think this was one of the originals, but the commercial facilities sector, I’m reading this, I’m reading this off of CSS website. The communications sector. Well, that’s very, very broad. The critical manufacturing sector, damn sector, defense industrial base sector. Which is, you know, to your cmm cd fire stuff which sees a doesn’t do D. O. D. Runs emergency services sector, energy sector, financial services sector. They can get pretty good. Yeah. You know, so essentially what you’ve called out is, I mean, if you you get healthcare and public health sector, you’ve got information technology sector, nuclear reactors, materials, you’ve got all these sectors that all crop, they’re not

[00:28:25] Brad Nigh: It’s like 90% of its like everything,

[00:28:30] Evan Francen: right? So you’re critical infrastructure sectors now have included essentially

[00:28:35] Brad Nigh: everything, Right? Yeah. It needs to be a little bit more clear. Exactly. Right. Yeah. Because isn’t like agriculture and food. Well, does that mean grocery stores are now critical to be able to just, you know, that versus the other. Yeah, it’s pretty, pretty broad.

[00:28:53] Evan Francen: Right? And it’s not that and again, you could go, this is good or it’s bad. It depends on how it’s going to be used. But Having one entity potentially dictate how security is done across all of these. You know, and if it gets too prescriptive, then you’ll know individual controls and that’s even probably a bigger risk. So she said, you know, and I like some of the things that ceases doing, you know, I’m not um ripping on C so by any means, but they’re offering you know now they’re offering free services to critical infrastructure. So you can get your cybersecurity, which I hate the damn word, cybersecurity, cyber security assessment, cybersecurity, governance, cybersecurity insurance, you know, guidance for those things. Um You can get penetration tests, you can get vulnerability assessments and I don’t know if I want that to be honest. I don’t know if I trust the skill level of the people doing the testing if the federal government employees in some cases. I mean there are some very highly skilled federal government employees but you start cookie covering these things

[00:30:05] Brad Nigh: right? Well, and that’s what we’ve we’ve seen is, you know, the checkbox, what we’ve done it, right? And then drives the roll down for every or the quality down for everyone.

[00:30:16] Evan Francen: Right? So I guess, you know, in my mind that the government sets the example, yeah. Sets the environment to foster good information security encourages good information security maybe rewards good information security. But we’re going down a path where it seems like the government may think that they control information security. Yeah,

[00:30:45] Brad Nigh: that’s the next thing. Yeah. And again, I think it has a much bigger question and discussion of, you know, you’ve got banking regulations, well, should there be cyber security or information security or whatever regulations where because if somebody goes down, right? It’s costing it’s harm to the public good. I that’s a that’s a big discussion and then that’s way more than we’re going to cover here.

[00:31:16] Evan Francen: No. Yeah. Well the thing is just, you know, the government, the federal government um as long as it’s under the guise of cyber security, cyber, you know, protecting us from cyber warfare or whatever else they’re going to use. That fear can be a really good motivator to get all sorts of things done that normally wouldn’t get done. Yeah, good and bad. But I don’t know anywhere where it is actually documented. So we talk about formal roles and responsibilities. I don’t think it’s documented anywhere that I’ve seen what the gout role of government is is an information security formally.

[00:31:56] Brad Nigh: Yeah, you’ve got departments within its a different places but departments within that say here’s what are but it doesn’t. Where did they get their directive from? Right. Yeah, that’s a good point.

[00:32:08] Evan Francen: Well, there’s the presidential directive, but even then, I mean, far exceeded with that original attorneys maybe. I don’t know. So, and that’s federal government. Now we’ve got state. Mhm. Right. What’s the role of state government in information security. State government has oodles and oodles and oodles of information about every citizen

[00:32:34] Brad Nigh: business and we’re

[00:32:37] Evan Francen: clearly their movements where they I mean it’s just crazy what they’ve got.

[00:32:42] Brad Nigh: Yeah, I think it’s it’s similar, right? I think, you know, it really isn’t that much different than with all the air quote, more traditional uh the roles of the state and federal government, um and it is being more on a getting more down into that next level down of defining what how do you conduct business in the state? What are the requirements? It’s kind of the same. Mhm. Type of thing. Right.

[00:33:12] Evan Francen: Yeah. And then it’s like, well, do I trust, well, do I trust the federal government? Do I trust the state government

[00:33:20] Brad Nigh: see? I think, well, and to me, it’s more the, I think the federal government should be giving those higher level guidelines, you know, And should there be a overarching, you know? Well, good one that you have uh C. C. P. A. You have the new york shield Act, you have all these different consumer protections where it’s a mishmash, right? That’s where the federal government, I think should step in and say here is for all the citizens, not just individual. And then it’s up to the stage to kind of, you know? Well,

[00:33:55] Evan Francen: I do like that. Yeah, I don’t know. Yeah, I do like it seems like that that would be a good roll,

[00:34:01] Brad Nigh: It starts where the state’s kind of have started doing this and then the federal government can take the best and standardize it

[00:34:09] Evan Francen: right, go through the right process with the legislative process. Yeah. Yeah. So every state that I’ve talked to, or so different than the other.

[00:34:23] Brad Nigh: Yeah, I think that’s yeah, that’s a big problem.

[00:34:27] Evan Francen: It’s a huge problem. So I wonder what would happen if, because the federal government really can’t mandate. I wonder if they can be interesting to see the federal government can mandate what the state does

[00:34:40] Brad Nigh: see. And that, that gets into the level of politics that I’m over my head. And I

[00:34:45] Evan Francen: know, I know well, and, and we have, I think as citizens, you know, these, let’s not forget who works for who, you know, but we, we do, we feel powerless. You know, the federal government issued another law, blah, blah, blah. You do have some power, right, I think. And it starts your power comes from, uh, and you know, learning, understanding what is the federal government actually doing and what are their motives and what could potentially be the bad and the good and all that stuff in the same state government here. I have a little more influence than I do at the federal level because it’s a smaller entity. And then what about counties, counties? You know, the same thing filters, But in a lot of states, county and state government are not,

[00:35:39] Brad Nigh: they’re separate. Yeah, they’re not, Yes. State, county, City, they’re all, they’re not communicating. They’re, they’re all operating independently.

[00:35:49] Evan Francen: I mean, here in Minnesota, we’ve got obviously the state of Minnesota, I think 162 agencies in the state of Minnesota, 87 counties in the state of Minnesota. I don’t know how many cities, but a lot, you know what are, what are, and then you’ve got like these pseudo governmental agencies which would be the

[00:36:08] Brad Nigh: schools and it’s such a mess and nobody’s, yeah, everybody’s like kind of just doing their own thing. Yeah. And nobody wants to like it seems like there’s not a lot of good collaboration a lot of times. Right. Very.

[00:36:26] Evan Francen: Yeah. When there are organizations, I think that are trying to help numerous ones, you know, certainly security studios committed to this and so is our book. But then um, you know, I think CIA’s is doing some things here, try to bring people, you know, more together. But anyway, government, if you guess the, if I were to give any advice on governments would be get informed, get informed to get involved. It’s your government, you know, just as much as it is mine and I mean, I guess try to help where you can, but I would not, I would really advise against just burying your head in the sand on these things. Yeah. Yeah. It’s going to hurt for all of us. You know, I only have 1307 days left before I retire. So we got to hold it together for that long at least. And then you can come hang out with me, you can retire area. Alright, so businesses, what about business is at a macro level. So governments, I don’t think they have good definition now to mess, but we can do more there. I think governments do need to be more involved.

[00:37:46] Brad Nigh: Yeah, I think there’s definitely a lot of uh opportunity for education and the within the governmental space. Right? Businesses, Yeah. They’ve got their customers information, employees. Like you said, you’ve got, I mean, ultimately your ability to do business unless you’re a mega company is dependent on protecting that information. And then that’s not even covering whatever trade secrets or uh intellectual property might have. Right, right, that’s gone And everybody can do it. Yeah. What’s your competitive advantage?

[00:38:33] Evan Francen: Well, that and this one’s a little closer to us because we feel like we can influence a little bit more than we can influence, you know, the federal government. But the same premise is true. I was talking to my buddy on saturday and I wonder how many businesses actually sit and think this isn’t my information. To begin with? Not many. Right? I mean, so if you do a risk assessment and you find out that you’re a 4 20 you might be okay. You might say, you know, whatever I’m fine with that. Take it, I mean just, yeah, conceptually take this 200 customers, would they be okay with it? They’d be okay with a 4 20 because a lot of companies, you know, say, oh, you know, transparency were transparent, honesty will then be transparent what if they found out because when a breach happens unless this is done an attorney client privilege. This thing is discoverable, right? So you know transparently.

[00:39:31] Brad Nigh: Yeah, we don’t we don’t like being labeled poor. Well then do something about

[00:39:36] Evan Francen: it then um pour yourself right? But the same thing goes with the government and I’m going to write a whole another book on this. Just the racket of personally identifiable information because truly the government treats it like it’s theirs until something bad happens. Mm You know what I mean? The social security number, you don’t have a choice. You’re going to get a social security number whether you want one or not and you’re stuck with

[00:40:00] Brad Nigh: it. It’s not easy

[00:40:01] Evan Francen: to switch. And for some reason we decided, well this is your personal identifiable information. Well, if it was then why don’t I have any control over it?

[00:40:09] Brad Nigh: Well and you know, that’s an interesting thing where you know, it’s an identifier and then businesses started using it as a authenticator. Right? And so you know it it was intended as Justin identify this is who I am not

[00:40:26] Evan Francen: your government benefits.

[00:40:27] Brad Nigh: Right. And then you had the private, a lot of the private sector still uses it to say you have two. What is your social security number? How do you prove that you’re you Social security? It’s everywhere. It’s a public basically it’s public information at this point.

[00:40:43] Evan Francen: So next time you decide to let the government just tell you what they’re going to do and you not get involved. This is one of the things that might result. So business is business to business or business to consumer. I think as a let me ask you this if you are Uh did you stop doing business with home depot when they had their 53 million credit cards?

[00:41:07] Brad Nigh: No, but I’ve tried to avoid them. But you know, it’s like

[00:41:13] Evan Francen: or target, right? Or Equifax.

[00:41:15] Brad Nigh: The problem is, you know, you’re limited in some of the

[00:41:18] Evan Francen: alternatives. That’s true. So business has a responsibility and I think it’s a businesses just like the government just like anybody actually, you know, it needs to be held more accountable. It’s not, I’m not, you can never hold anybody accountable for risk elimination, but I can hold you accountable for risk management. What did you do to try to protect my information? And if you didn’t, do you know, if you if you didn’t do the basics, the fundamentals, which will have to define more then are you not only are you negligent, but are you criminal?

[00:41:54] Brad Nigh: Yeah. Yeah.

[00:41:56] Evan Francen: Since I suffer the consequences.

[00:41:58] Brad Nigh: I was reading an article by Krebs about the Equifax hack. A hack and how they’ve arrested or put out arrest warrants are for four Chinese officials. But he was like that doesn’t excuse Equifax’s behavior. Like if you look at what they did, they were it was bad just because who did the attack doesn’t excuse be negligent, right?

[00:42:25] Evan Francen: So it seems from a macro level, we still haven’t really defined what businesses roles and responsibilities are.

[00:42:34] Brad Nigh: Yeah. I think, you know, at this point, every business does it themselves. And it’s it’s like we keep saying If you ask 10 people for their definition of information security, well, same thing here. What is your role and responsibility? Everybody is different. Right?

[00:42:53] Evan Francen: Some. Yeah. So I think we have a lot of work to do here as well, so not only government roles and responsibilities, you know, a better definition, better understanding.

[00:43:04] Brad Nigh: Yeah, defining some of these terms better setting those baselines and and you know, where I think you start to see with like uh like C. C. P. A. Where the governor said you need to take reasonable action to protect this kind of information, right? That’s, you know, it has its flaws don’t get me wrong, but that’s like the step in kind of that right direction.

[00:43:30] Evan Francen: What if you mandated what, let’s say that let’s say that we made security studio, you know, a community driven nonprofit, We just gave it to the community. Then you could say something like just hypothetically that businesses must score a certain level on information security, you already get a business license or something, right? Because there’s so many different ways that you can get there. Some sort of because what doesn’t work with compliance is um you can’t get prescriptive enough if it gets too prescriptive, it’s too restrictive for business to operate.

[00:44:08] Brad Nigh: I think it’s it’s almost, it would be like what is reasonable? A certain score is reasonable, Right? Well, you may not be there to start, but you know, if you don’t have a breach then and you’re working towards its like the plan of action, right?

[00:44:23] Evan Francen: Because certifications also don’t work well because again, it’s too prescriptive and open open to interpretation. If you have a scoring mechanism in place that’s objective, then you take the subjectivity out of it. Yeah. Right. And the community can decide the specific criteria that lead to the scoring the way, you know the way it’s carried out.

[00:44:46] Brad Nigh: Yeah,

[00:44:47] Evan Francen: interesting thoughts because I think business, it’s not that businesses don’t want to do something here. I think there is confused

[00:44:56] Brad Nigh: as anybody. Well, I think the teamwork that I’m starting to recognize this is yeah. There’s a lot of unknown and a lot of confusion and not a lot of and a leadership or guidance that is standardized. That is easy to understand what’s what’s reasonable for California may not be reasonable for new york or texas or whoever what, what is reasonable

[00:45:19] Evan Francen: and there’s so many voices. You know, I mean, so many people with opinions and shouting things and uh All right. So businesses,

[00:45:28] Brad Nigh: they have something to sell with ai and next gen

[00:45:31] Evan Francen: Oh yeah, yeah. Next gen, machine learning chain get it going? So businesses roles and responsibilities. Business to consumer, I think it’s, I mean, isn’t it at this point just to not be negligent.

[00:45:44] Brad Nigh: Yeah. Yeah.

[00:45:46] Evan Francen: I mean, what is negligent doing? Nothing depends on the jury I suppose. Yeah. True. Yeah. I don’t know what else. Uh certainly they drive for compliance. If I were to define specific roles and responsibilities at a macro level for business, I would love to do that and I could preach for a while and I think that those things should be.

[00:46:10] Brad Nigh: Yeah. I mean even yeah, just do a risk assessment on the whole organization, not a specific scope, right? Do a risk assessment and have a plan to remediate. Just have you done those two things? Yes or no

[00:46:27] Evan Francen: one in hip hop tried to do that right? But then there was no, there were no teeth. No.

[00:46:32] Brad Nigh: Yeah. Nobody, they never started to audit. Well they started but then it got gutted. The only time it ever happens is if there’s a breach and then they come in after the fact.

[00:46:45] Evan Francen: Yeah. I think businesses so pc I did a pretty good job to pc. I counsel when he had the credit card companies come together and define their requirements and regardless of the way it was carried out or where it actually ended up morphing into. They banded together to define these requirements before the government acted because if they didn’t, the government was going to step in and take it over. Right? And so it would be nice to see if business somehow could do that. Just all agree upon. These are our responsibilities as businesses in the United States.

[00:47:23] Brad Nigh: Well, but then you yeah, you run into uh, you know, the money grab there. You know, we’ve seen it in health care. Pc to some extent. True.

[00:47:36] Evan Francen: Yeah. This could be, I mean, I would love to have this longer discussion to, you know, on these things I didn’t really expect because we could talk for days on this stuff, you know, But I think that’s what needs to happen. That was what we were talking about at the beginning of the show was the dialogue, the ideas, the thoughts don’t just ignore it, right? You’re not well

[00:47:59] Brad Nigh: defined. You don’t assume someone else has taken care of it. No.

[00:48:03] Evan Francen: So, you know, definitely more discussion needs to be had. And maybe these are topics we just continue to talk about in the future. All right. What about schools? You know, it’s the role. You

[00:48:17] Brad Nigh: know, I think the biggest thing is that they’re protecting minors, right? The information of Children that really don’t have much saying it, right? So if a school gets, has a breach now, you’ve got Children’s health care information, you know, all kinds of sensitive information that could potentially go out there. And I can say the vast majority are significantly underfunded and undermanned and I’ve yet to meet a school that doesn’t want to do the right thing. You know, The people that work at the schools for the most part are I mean, let’s be honest, Payzant great. They’re there because they love kids. Yeah. They make a difference there, Right? Exactly. They’re trying to help and make a difference and there they don’t have the right, they don’t have the budget for tools, they don’t have, you know, the training, a

[00:49:09] Evan Francen: lot of school teachers go by their own supplies,

[00:49:11] Brad Nigh: right? So, you know, it’s kind of it’s frustrating, frustrating to see. Mhm. Something so important where people really are passionate and just, you know, handicapped and were playing from behind.

[00:49:31] Evan Francen: Yeah, Yeah, I agree. And I think schools, it’s not just, you know, I’ve been saying, you know, for a while now that, yeah, you know, information security, privacy and safety cannot be separated anymore.

[00:49:45] Brad Nigh: And I will say I’m talking K through 12, because higher ed is a different story. And that that’s a that’s a mess too, it’s a mess. And that pisses me off when they’ve got a billion dollar endowment and they have no security, no security uh department, right? And it is on a shoestring budget, And they’ve got a $5 billion dollar endowment. Well know, that pisses me off, that’s a different story though.

[00:50:12] Evan Francen: Look at the salaries of the advent of the administrators,

[00:50:14] Brad Nigh: right? Yeah. And that tuitions have gone up, you know? Exponentially more than the cost of living and then Yeah, 10 80 people for, you know, 10,000 employees, right?

[00:50:30] Evan Francen: Yeah, I agree. So K through 12 and higher ed even though there is somewhat integrated, they’re you know, they’re definitely different

[00:50:37] Brad Nigh: and I will say going back, I don’t necessarily feel it’s the I. T. Or the security people at higher ed right there there because they could go somewhere and make more money. They’re there because they believe in what they’re doing in their passionate, it goes to the young leadership.

[00:50:54] Evan Francen: Yeah. Well yeah and I think and you mentioned, you know the K through 12 has a lot of information about the kids that they need to protect. They also there’s some obligation there to teach our Children or help our Children become good internet citizens. Good network citizens, good security citizens, whatever you wanna call them. Good cybersecurity citizens. Because parents are I mean it’s it’s a community, right? Parents have their role but schools have their role to to teach them good skills, what’s ethical, what’s not ethical.

[00:51:29] Brad Nigh: Yeah. Well yeah I figured the majority of parents are, you know, we do it this is part of that whole um cyber safe. I am cyber safe. Whatever the iC squared. Parents are digital immigrants, not we didn’t grow up with devices

[00:51:46] Evan Francen: like that. We’re digital

[00:51:48] Brad Nigh: immigrants. And then yeah the kids are now they got digital natives. This is they’ve just they’ve known. No, no, I wish I did. You know that was from the S. E. Squared. Uh it was safe and secure online. So I think it’s I am cyber safer, cyber aware. But no, it’s, I mean, and it resonates it makes sense. It’s true and unless you’re in the industry, the parents don’t

[00:52:16] Evan Francen: know that’s a good point. So that’s our schools

[00:52:25] Brad Nigh: educating the parents. And I’ll be honest, this is where, you know, I’ve volunteered and I’ve done multiple parents uh presentations and a couple of student ones. But uh it’s like it’s free like come in, let me teach the teachers, let me do the P. T. A. Stuff and you just don’t, they don’t, they’re not what’s the catch. It’s we want to protect. This is the next generation, right?

[00:52:57] Evan Francen: And I think that’s the key really. You know, if you want to talk about businesses and governments and all these things, I think the more digital natives that we have that are well educated, it will bubble up into the rest, you know, so maybe that’s part of what we do is we just continue to foster and push towards better education at schools, better education at home. You know, because if if citizens knew more about what actually happens with information security, they would demand more. Yeah. I mean if you knew what really happens at the state of Minnesota at the state of whatever with information security, you would demand

[00:53:37] Brad Nigh: better. I mean, yeah, at the federal level it doesn’t matter, I would agree.

[00:53:44] Evan Francen: So uh, which would then foster change, which means the legislators would get more involved. You know, things would get, So schools I agree and that’s a big focus, you know, K through 12 for sure uh postsecondary also but K through 12 is you know, I think where your heart’s at moderates at where Ryan you know Cola where his heart’s at will we’ll focus a ton of time intention on schools

[00:54:11] Brad Nigh: well and you know like you said that’s where business and government who do you think they’re going to be hiring those people start educating them early, get them thinking this way with security in mind from the start and you know eventually the rest of it kind of falls into place, right?

[00:54:32] Evan Francen: Yeah. So schools their responsibility educate.

[00:54:35] Brad Nigh: Yeah. Yeah.

[00:54:38] Evan Francen: I think even above protection because I don’t think they’re well pledged to protect

[00:54:41] Brad Nigh: educated. I think that’s the easiest one we’ve had.

[00:54:43] Evan Francen: Yeah I like that Consumers citizens last one. Uh huh. For me this is get educated.

[00:54:52] Brad Nigh: Yeah, I was gonna say question, learn

[00:54:56] Evan Francen: just you know, slow down a little bit. You know, take don’t be in such a rush to get the neatest coolest new gadget, educate yourself, educate on why do I have to have a smart tv what is it I mean where does that day to go? Who am I

[00:55:12] Brad Nigh: communicating with? You know, it was funny we without going into too much detail had a meeting and uh that you had done with uh that s two team and there was about eight other adults and one of the people that had been through it with you was telling him like, hey by the way, Brides a security expert on the internet and stuff. So if you have questions that went into like I went through this thing with, but that’s our secure and uh I needed a new dishwasher and then I realized everything is Bluetooth an internet connected. It’s like you should see the faces of the people that uh yeah my dishwashers on the internet like why? Right. Right. I don’t know. Yeah. I just don’t think about

[00:56:04] Evan Francen: and how can you stop it from being on the internet? Because just because your tv is a smart tv doesn’t mean you have to I don’t you have any of the smartness.

[00:56:12] Brad Nigh: Right? Yeah. It’s frustrating. We bought a new dishwasher and it has Bluetooth and internet. Do you think it’s connected to anything you

[00:56:21] Evan Francen: know? Right. All right. So you know macro level, those are roles and responsibilities will come back to consumers and citizens. I think next week when we talk about the micro level because those consumers and citizens are also employees.

[00:56:36] Brad Nigh: Um So yeah, it really ties

[00:56:39] Evan Francen: in. It does. All right. So I love the discussion man. What do you think? This is funny. Yeah, we could have talked for hours on this. It would have been fun to have a white board here. So we can oh my God some more stuff. But this is this is what things that will be going into the book. You know these yeah. And it won’t have all, we don’t have all the answers, but these are things that we have to figure out as a society, the world changes faster than we’re keeping up with it. We’re connecting more things to the internet faster than we understand the risk.

[00:57:12] Brad Nigh: Right? And you just keep hearing about iot, botnets and vulnerabilities and yet it doesn’t slow down because everybody’s got to be first to market.

[00:57:19] Evan Francen: Right? Can I have my cool thing? All right, so good discussion, man. Uh, we uh, again, I think we take a lot of these things just for granted, we don’t think them through well. And I get it, I’m not blaming anybody. I’m just saying we need to figure it out. It’s a good thing for us to keep in mind as we continue down the path of writing the book, um, cover some news. I have four things to cover. Yeah, for Greece. First thing is Fox kitten campaign. Iranian hackers exploit one day VPN flaws in attacks. The only reason why I picked this one because I ran back in the news again, people should know. So this is this comes to us from security affairs and that’s the title Fox kitten campaign. Iranian hackers exploit one day VPN flaw and attacks,

[00:58:14] Brad Nigh: I mean, and it’s it’s the big names that are being attacked.

[00:58:19] Evan Francen: Right, yep, pulse, secure, Fortinet Palo, Alto, Citrix. VPns, they’re using this Fox kitten campaign, that’s not the name they gave it. It’s the name. All cool. All of the tax have to have a Cool. Right. Right. They also need to have an icon. I haven’t seen an icon for this one but targeted dozens of companies and organizations in Israel and around the world, uh, the most successful and significant attack vector, uh, thus far exploitation of unpatched VPN and RDP services. So how would you fix this bread patch? Thank you. I mean, yeah, news. News for any listener. Yes. You do need to patch please. Probably not the first time before that. You also need to back up your data just saying. Yeah. All right. So, um, anyway, this is just uh, it’s a good it’s an interesting article. Uh, you know, some of the A. P. T. S, everything’s got to be in a PTS or advanced persistent threat. But if you have an unpatched VPN device, it’s not really all that advanced anymore. The exploit has been out. These are one day flaws, which just means that

[00:59:35] Brad Nigh: More than 10 days. Right.

[00:59:39] Evan Francen: Uh, one that usually means there’s a fix for it too. So, um, yeah, good article. If you’re running VPNS, if you’re running a VPN if you’re running any VPN. I’m not just going to say if you’re running pulse secure. 14. Apollo Alto or Citrix VPns. If you’re running any device anywhere update. Right, understand the vulnerabilities in that device and then patch. It doesn’t matter if it’s Cisco doesn’t matter if it’s

[01:00:08] Brad Nigh: one and it’s not just the back in packs, your agents,

[01:00:12] Evan Francen: right? Otherwise you might have an Iranian hanging out in your network. It’s unpatriotic to have any Iranian hanging

[01:00:21] Brad Nigh: out. You probably don’t want checking. There’s probably, yeah, a lot of places you don’t want people hanging

[01:00:27] Evan Francen: out. Here’s another article from Help Net Security. Now, I’m kind of always torn with Help Net security articles because it’s a pay to play right? Or it’s at least a platform that’s used to get the word out on some marketing something else. So this one was the title of the article of sec ops teams face challenges in understanding how security tools work. This was a study according to key site who no surprise uh sells suck ups. Well

[01:01:03] Brad Nigh: yeah, you know that being said, it really doesn’t surprise me. The numbers align with what I would have expected.

[01:01:13] Evan Francen: But I think one of the things that people who are reading news articles in reading studies always consider the source of the study, you know, take it with a grain of salt. I think I do. I also agree with you brad that I think these numbers look in line with what I would expect. But

[01:01:30] Brad Nigh: yeah, it

[01:01:31] Evan Francen: seems taking my face

[01:01:32] Brad Nigh: value. Well, I mean like you can make numbers say anything you want

[01:01:37] Evan Francen: basically, especially when you commissioned this. Right? Alright. So key findings here, organizations are breached often 75% of respondents say their company had experienced a security breach, which means unauthorized. In truth, that’s another word that people, I don’t think a lot of people understand the meaning of the word breach here though. They do defined it for us. Unauthorized intrusion malware heck et cetera. What the etcetera is,

[01:02:04] Brad Nigh: you know those other things,

[01:02:06] Evan Francen: those things that

[01:02:06] Brad Nigh: happened, you know, we don’t know about yet, the Udine.

[01:02:09] Evan Francen: So 75 experienced a breach, 47% 3 or more breaches in the last three years. Almost half Yeah, well I guess if you throw malware in there maybe or hack, I mean what’s a hack is that? Yeah, that’s kind of a loose. Yeah. Uh right. Good security tools don’t always protect as expected. 50% of survey respondents stated that they found a security solution was not working As expected after a breach had occurred. How uh all the time. Yeah, it’s more like 90

[01:02:47] Brad Nigh: Yeah, it’s a

[01:02:49] Evan Francen: Yeah, yeah. And here’s the thing, do not buy a tool unless you understand how it works.

[01:02:56] Brad Nigh: You mean I just can’t put it in and it’s going to fix everything.

[01:03:01] Evan Francen: It’s insane, man. Yeah, I just so people buy up tools so there’s obligations on both sides, there’s an obligation for the person who is pissing away budget on tools they don’t understand or tools that you’re not capable of running, you might understand it, but you just don’t have the time the month, you know, whatever to maintain it. They’re not by the tool unless you are only looking for that 50% effectiveness or 25% effectiveness, which is find a cheaper tool of them.

[01:03:30] Brad Nigh: Yeah, I can’t I can’t imagine have been put in web filtering or email filtering or DLP without monitoring it and testing it and making sure it works and continuous ongoing like and yet you see it all the time. They’re like, well we’ve got this in place, right? Do you look at it? Oh no, only if there’s a problem

[01:03:50] Evan Francen: and here’s the deal man. Every dollar that you spend on an ineffective tool is a dollar less spent on your mission. Yeah. Now if your company has a crappy mission then maybe you don’t care. But most companies have a pretty noble mission. They’re trying to serve something bigger than you. And when you take a dollar away from that, it’s a dollar that can’t be spent on that makes your company less effective. Makes everything less effective. So I

[01:04:19] Brad Nigh: Was gonna say, but I’m 50% less likely than I was before.

[01:04:23] Evan Francen: But it’s my job as a security person to understand these things, right? The biggest one of the best things you can ever do with information securities, understand yourself better if I understood what assets I actually had a good asset inventory. If I understood the tools that I had if I understood how data flowed throughout my environment, if I understood I’d be a lot better at my job. So that just adds more complexity, makes you a lot less better at your job. That’s one. And then you also have the people that sell this crap if you’re selling. So if you know that this that this company is about ready to buy this thing from you, if you know that they’re not gonna be able to use it, don’t you have some obligation, doesn’t something keep you up at night going, You know the commission check was nice but I just took advantage of somebody

[01:05:10] Brad Nigh: far too often. No.

[01:05:11] Evan Francen: Right, so you’re sitting on a beach retired with your millions of dollars knowing you’re a sellout. Think about

[01:05:18] Brad Nigh: that. Okay with that

[01:05:20] Evan Francen: at some point, that’s gonna hit you be like, gosh, I really took advantage of a lot of people but I made a shitload of money so excuse my language

[01:05:27] Brad Nigh: to stuff. Some people

[01:05:28] Evan Francen: are, it ticks me off. So anyway, yeah, that’s where I get really mad. Uh Anyway, good article. Most organizations don’t verify their security is working as it should. So they put it in. Don’t test it. If they do test it, they’re testing it based on some subjective criteria which is ineffective.

[01:05:47] Brad Nigh: We don’t get any alerts so it’s working must be God,

[01:05:51] Evan Francen: I got stories there too. Less than half of organizations practice breach responses. So you’re not practicing for the inevitable, it is inevitable, This is risk management. A breach will occur the function of time and other things, but certainly time. So if you don’t have an incident management process, if you don’t have testing it and you should operationalize it, right? This, you should just nothing frustrating thing for me. See I shouldn’t I shouldn’t have picked this news story because it’s just making me amount that’s not good for monday.

[01:06:29] Brad Nigh: Get you, get some blood

[01:06:30] Evan Francen: falling. Right. Anyway, we can do if you do if you’re falling for any of these things, which according to the statistics, a lot of us must be gosh, get better at your job please.

[01:06:42] Brad Nigh: Well, you know what’s interesting is is you think about it, how many companies are willing to pay for tools and software but not staff

[01:06:51] Evan Francen: and or not a risk assessment right? Because it’s no blinky light, right? But it would keep you from doing stupid crap like this. Right? Yeah, yeah, I get it man blinky lights sexy sells. All right. Another one from security affairs and then we’ll move on here. The universe. The us administration requests $9.8 billion dollars For cyber 2021 budget for the Department of Defense. So this is just just the department of defense. billion.

[01:07:25] Brad Nigh: All they should be able to get a lot done.

[01:07:27] Evan Francen: You would think so that it is the federal government Cybersecurity 5.4. So this is how they broke it down the investments. $5.4 billion dollars for cybersecurity which okay Then he got 3.8 billion for cyberspace operations. I’m like what does that mean? We should define what this stuff is. Yeah $556 million for cyberspace science and technology. That’s not cyberspace operations or cybersecurity. In addition we’ve got to have some artificial intelligence. $841 million AI. 709 and tell us for club. So anyway, lots of money. I don’t know. I I assume some of it is probably well spent hopefully. Hopefully. Yeah I would really like to know the process that went into the budgeting. Like where these risk based decisions are these just like oh yeah we need some of that.

[01:08:31] Brad Nigh: We spend X amount last time. So

[01:08:33] Evan Francen: yeah our our our security operations is a little too salty. We need some sweet let’s get some some security sugar you know need some security sugar, more money anyway. It’s interesting to see what their budget is. Uh Yeah it’s a lot of money. I don’t even know how it’s just a lot but 9.8 billion when you think about the government sometimes I usually think trillion. So at least it’s not 9.8 trillion. True. That’s good to see that there spending something. Alright, last one. Uh This one is interesting so it’s timely uh silicon angle is where this comes from coronavirus fears prompt facebook to cancel conference and IBM has now officially exited the R. S. A. Conference which is next week.

[01:09:24] Brad Nigh: Yeah that’ll be interesting.

[01:09:27] Evan Francen: Our PSA has yet to cancel their conference. IBM was a platinum sponsor. They also had a I mean they had a big presence there.

[01:09:41] Brad Nigh: Yeah. See how. Yeah it’ll be

[01:09:44] Evan Francen: uh That shakes out.

[01:09:46] Brad Nigh: Yeah. Yeah this is I don’t know I think our essays comment on there as is pretty interesting about you know like 80 plus percent 80

[01:09:57] Evan Francen: two. Yeah. Uh huh. I don’t know. It only takes like one. I know right? 82%. Arce says 82% of Our current registered attendees are from the United States as our 82% of our exhibiting organisations.

[01:10:14] Brad Nigh: So you have to think the government’s already put some quarantines in place. So anybody that in theory would be coming from overseas should be going through something some sort of fill of not filtering but uh screen screening. Thank you filtering kita.

[01:10:34] Evan Francen: Yeah. Egress filtering. See actually being ingress. Yeah. Well it’s interesting because Facebook canceled there’s Facebook was expecting about 4000 people. Their conference facebook’s conference was also supposed to be at san Francisco’s Moscone center which is where our say is it’s in place Our essays is next week Facebook’s was originally scheduled for March nine through the 12th. The optics. I mean if if there are some coronavirus outbreak. The things that are. Ece. I mean you gotta play the pr out on this too.

[01:11:15] Brad Nigh: Yeah but you know it’s, excuse me. Yeah that’s that’s a tough tough call

[01:11:21] Evan Francen: right? Especially when you consider the R. S. A. I mean I know some people different than me obviously but I think our essay is all about the money grab and so that’s a so a lot of money that they’d have to be losing out. That’s

[01:11:35] Brad Nigh: probably. Well exactly that.

[01:11:38] Evan Francen: So I think money is trumping. Yeah. Yeah. Yeah that’s a tough

[01:11:43] Brad Nigh: it’s a tough call. Right? Do you kind of give in and cancelled due to a potential threat or move forward? It’s yeah. Risk management.

[01:11:55] Evan Francen: Yeah. I don’t know

[01:11:56] Brad Nigh: say I’m glad I’m not making that decision.

[01:11:59] Evan Francen: Well the math the math supports rss decision really. But the optics which sometimes has nothing to do with the mouth. You know the optics of facebook canceling. There’s at the same location is where our sales have bears.

[01:12:16] Brad Nigh: You don’t know what I guess the big part would be. What was the makeup of the facebook one? Was it 50 50 was it? You know in in the U. S. Out of the U. S. For people out of the U. S. Not going to come because they have to go through the quarantine and screening process. So there’s a lot of unknown still on

[01:12:34] Evan Francen: that. There is. Well I know one of our you know I think we have five or six people going maybe. And I know one of the people that’s going, he’s scared about

[01:12:45] Brad Nigh: coronavirus and just wear a mask. They’ve got some pretty cool ones now. Yeah. Some pretty P. A. Ones. Yeah.

[01:12:53] Evan Francen: All right. Well we’ll see. I’m @EvanFrancen brad’s @BradNigh. And I if you like company stuff, we work for companies, don’t we? Yes. The day job gets him away. It’s weird time security studio is @StudioSecurity and FR Security @FRSecure they post things probably more than you do. That’s it. Uh we’ll talk to you all again next week. Thanks.