Security Risk Assessments vs Certifications

Unsecurity Podcast

An in-depth conversation from Brad and Evan about vendor risk management. Together, they discuss audit-style certifications, security risk assessments, and the differences between the two. Hopefully, this will help both vendors and those in charge of managing vendor security navigate better. Check it out, and let us know what you think at

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders ensure their organizations are protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: All right, welcome back. This is episode 64 of the Unsecurity podcast. I’m your host this week, Brad Nigh, today is January 27th and joining me is my co-host, Evan Francen. Good morning Evan.

[00:00:33] Evan Francen: Good morning. You said I’m supposed to say something energetic and uplifting.

[00:00:37] Brad Nigh: I wrote this last night

[00:00:38] Evan Francen: getting a little, it’s like, oh shoot, I forgot to write. It’s hard to have energy on Monday. So, um,

[00:00:47] Brad Nigh: yeah, hey, at least it’s gonna be warm this week.

[00:00:49] Evan Francen: Right. Did you see what I wrote in the show notes about our party because things went so fast last week we had our party, we had our year end. Uh huh. You’re in first quarter. All hands. All hands. So we had like 80 some, you know, so many people. It was awesome. Yeah. So that was, that’s uplifting. That was awesome.

[00:01:13] Brad Nigh: It was good seeing everyone. There’s a lot of really, yeah, it’s always fun out of a, you’re catching up with people. You don’t, it’s hard to get stuff done sometimes, but that’s a good thing.

[00:01:26] Evan Francen: It is a good thing.

[00:01:27] Brad Nigh: So well before we really get going on. I know you and I had talked uh, 11 day at the end of last week, but all the stuff that was going on and you made a lot of really cool things that are coming down the pipe, anything you wanted to kind of update or talk about.

[00:01:44] Evan Francen: Uh Yeah well last week it was a blur. I mean we created the level zero assessment which is going on in the platform, the SecurityStudio platform soon, that’s pretty cool. One of the things we, you know, one of the areas of focus for us is schools, K through 12 and when you look at the full S2Org assessment, you know, it’s overwhelming. I think for a lot of people that maybe don’t have, you know, information security programs already established. So we had to create, you know like a level zero, we’ll walk them through a level zero onto a level one assessment onto a level two and then eventually the level three which is the existing S2Org assessment. So you know the S2Org has been wildly successful, I think we’ve done over 1,000-ish of them over the years. Uh So now it’s just bringing it down to a level, trying to meet people where they’re at. So that was a big thing. Um the Air Force, we’re doing some potential work with the Air Force. That’s yeah that could be really neat. We’re taking the S2Me assessment, the personal information security risk assessment and potentially using that for troops. Right, so the theory is the same person behind the iPad at home is the same person behind you know, the workstation or the laptop,

[00:03:13] Brad Nigh: you know, I feel sensitive information.

[00:03:16] Evan Francen: Yeah. And then, uh, I just wrote a bunch of stuff. So yeah, it was a crazy week. Lots of meetings. I had a meeting on Saturday I even worked on, so I forgot about that because you just asked me before we started the podcast and what I did this weekend. Saturday, I had a meeting with a recently promoted CISO with a big healthcare organization. Yeah. And we were just talking shop, you know, they say, you know, I think he used the word mentor, but it’s, it goes both ways, right? I mean, I get to learn what he’s kind of struggling with. Um, so that was really cool too, how about you? What was your week

[00:03:54] Brad Nigh: a blur. Yeah, I know, right. Um, you know, it’s funny how you have like your week planned out and then someone comes up last minute and just blows everything out of the water. And so that happened and just spend a lot of time working on. That was good. But just puts you behind the, the ball and everything else. So lot of catch up this week

[00:04:17] Evan Francen: Jeff and mayor,

[00:04:19] Brad Nigh: uh, I had a couple, a couple of triages came in more around those networks are networks, NetScaler vulnerabilities and a couple of active ones on that, but it wasn’t too bad. So that’s

[00:04:36] Evan Francen: good. My beard keeps sitting there and all you have to screen.

[00:04:40] Brad Nigh: I did keep have to adjust it so it doesn’t hit it. It’s a beard problem.

[00:04:47] Evan Francen: Yeah, It sucks to be us.

[00:04:48] Brad Nigh: Yeah. Right. All right. Well, you know, good weeks though. Yeah. One of the things that did come up and, and this is why we were talking about this is, is vendor risk management. Uh, you know, and we had, uh, obviously I can’t mention any names, but we have a client that had done the S2Org and submitted that as evidence of the risk assessment as a vendor and there was the organization accepting or that was requesting. It had some questions about it. And then I was like, you know, there, it just feels like they’re missing the point. So I wanted to talk about that a little bit here today. So you know, what’s the difference between an audit based certification? So you know, the big ones, I think that really jump out at people or you know, if it’s a SOC 2 or an ISO or a HITRUST certification versus having a risk assessment such as the S2Org and kind of, what are the big differences between the two. Um, so one of the big things that really jumped out at me that I think that they were missing the picture on is when you do those audit certifications, you define the scope and it’s certifying that scope and that’s it, you know, versus, hey, let’s do a holistic assessment of the security program of the organization as a whole. Yeah. Do we say we need to see evidence of the logs of your endpoint protection on these dates over these times over the past year? No, but we do look and make sure that, hey, do you have this in place? What’s going on? And I think that was a really big sticking point that like the client is, could not grasp. I just didn’t seem to get, hey, just because they’ve got HITRUST or they’ve got a SOC 2. Doesn’t mean that they’ve got a good like fully secure program.

[00:06:46] Evan Francen: No, no. And I heard a little bit about this conversation on Friday from somebody else who was involved in the conversation and it reminds me of part of what we talked about on Saturday with the, this newly appointed CISO. So it’s, what are you trying to accomplish? I mean, what are the goals, what’s the objective of third party or vendor risk management now? I like, I’d like to get literal because if we’re using these terms, what do they actually even mean? Right. So a lot of times people will say vendor risk management. And then, so I’ve talked to non security people about, you know, hey vendor risk management, They’re like, they’re thinking something totally different. Non security people, they’re thinking things like, um, you know, financial risk, you know, had financial audits. They’re thinking about reputational things, uh, you know, all in the procurement process. Yeah. So I’d like to and that’s why, you know, literally, it’s not necessarily just vendors, it’s all of, you know, if you want to do this right? It’s all of your third parties. All your third party relationships should be assessed for risk, right? And information security risk specifically. So what’s the objective? If my objective is just to check the box, fine, show me your SOC 2 and I won’t even read it. I’ll just check the box that you had one or ISO certification or complete my um, you know, my custom questionnaire, complete my SIG questionnaire. And God, how many different things do we run vendors and third parties through the so if it’s just, you know, I just need to check the box then yeah, let’s just get a SOC 2 where you can define scope. But I’m not gonna check, I don’t care what your scope is. You define your illustrate, illustrative controls, you can game the system as much as you want, whatever. I don’t care if that’s the objective. Great. Right, there are SOC 2s. Uh and there are good SOC 2s as well, right? But you actually have to read, it doesn’t account for the risk that I’m looking for.

[00:08:53] Brad Nigh: And same with HITRUST, you just get a report saying that they’re HITRUST certified, but you can get certified and and have nothing in certain areas

[00:09:01] Evan Francen: for sure. Absolutely. Have taken SOC 2s where, well you’ve done a risk assessment like an S2Org on an organization that has a SOC 2 and you’re like, oh my God,

[00:09:12] Brad Nigh: Because they did it on one department or one process.

[00:09:18] Evan Francen: Or they defined their illustrative controls so loosely, you know, So yeah, I know about this conversation that took place with this company that you are not mentioning. And this is somebody, it was obvious from the, from what I heard that this was a junior level type of information security analyst who was told that this is what they have to have. And so when they didn’t get what they have to have, which in this case would be a SOC 2 or something similar. I’m going to push back and say, well, where’s my SOC 2? Right. It’s great that you got this thing and this thing might be better. Right, let’s talk to.

[00:09:56] Brad Nigh: Yeah, Yeah.

[00:09:57] Evan Francen: And where’s my HITRUST or where’s my ISO? You

[00:10:00] Brad Nigh: know, and that was, you know, that was part of it is, hey, sure. I’ve got a HITRUST certification. Do you push for specific details of every area of their HITRUST? No, nobody does that. Well, how is? Right. Well we’ll get to that. Looking in a little ahead of ourselves. But

[00:10:18] Evan Francen: you know, that’s the frustrating part is people jump so far to just a specific thing. Why are you asking for your thing? You know, if you can’t define the objective, if this doesn’t fit with specifically what you’re trying to accomplish, then you’re wasting everybody’s time. Well. And if you can’t answer that question, go back to the basics,

[00:10:40] Brad Nigh: right? Well, we’ve seen health care um breaches where they’ve come in and said no, you were doing a risk assessment on certain areas, but because you didn’t have segmentation in place, because you weren’t doing anything in the non healthcare specific, right? Finance, HR, those types of areas, there was a breach in one of those that led to data loss. Well, it’s the same thing where you got to have the security across the organization, not just blindly trust. And you know, I’ve never seen an organization get their entire company HITRUST certified or SOC 2 certified. It’s always narrow the scope.

[00:11:28] Evan Francen: Yeah. Which I get it right. I mean, if the if the objective is just to check the boxes just to get my certificate, just to get my thing, then do it as cheaply as possible, right? The objective is not to be secure. The objective is to get my thing right. And so it goes back to again, you know, what are the objectives, what do you really want to accomplish with this? If you really want to know what the information security risk is in this vendor or third party relationship. That’s something totally different. And that’s frustrating. It’s frustrating for everybody. It’s frustrating for vendors,

[00:12:03] Brad Nigh: vendors never know, right? Note, it goes back to the fundamental issue, nobody speaking the same language of what is expected and no two requests are exactly the same. And it’s because it does get frustrating

[00:12:19] Evan Francen: well in, you know, you’re you’re stuck kind of between a rock and hard place when you have, when you are the third party because you’re limited in how much you can push back. You know, when I’ve been reminds me of a conversation I had with a big global company And it was somebody that they had just hired. Right? So he was like 30 years of information security experience. He was he had the experience and he came in and said we need to get a SOC 2. I’m like, I’m sorry why? Well, because we have to, who said I’m not doing it unless it’s going to make us more money or it’s going to serve our mission better. I’m a security person. But I understand that we’re in business to make money. He’s like, well you have to have one? And I was like, well, I don’t know, I don’t need to have one. Then he says we need it for PCI compliance. I’m like, what the hell are we talking

[00:13:13] Brad Nigh: about?

[00:13:16] Evan Francen: You’re mixing your mixing things now. And then somehow ISO certification got into that conversation as well. But it was buzzwords, it was things that this person over 30 years, believe it or not that where he came from. He was so stuck in his ways and so stuck in this big company that he was in where you had a SOC 2, you had an extra certification because they can afford to do things wrong. Uh So then he comes to this other company where well You have to have one. No, you don’t. Just because you had one somewhere you came from. It doesn’t mean you have to have one.

[00:13:49] Brad Nigh: It should be a valid business justification. Right?

[00:13:52] Evan Francen: It’s just a crazy conversation.

[00:13:55] Brad Nigh: Yeah. Well you see that all the time too. And I think it goes back again to what are as a as the client setting expectations correctly and understanding what are you trying to get out of this program? He said if you’re just trying to check the box, check the box, just accept it and move on. But you know, I think I guess that’s a good question. Is as the, as the client, what should be the end goal? What what are you trying to accomplish? You know, what would be a best practice if if when you’re reaching out to your vendors?

[00:14:32] Evan Francen: Well for me, I mean most organizations you need to back all the way up and this is the same thing. I was talking to the new CISO on Saturday, you need to define what you want to accomplish as the CISO, as somebody who is responsible for really only two jobs, you know, we can over complicate everything. I think I think a CISO has two jobs. One, I consult you on information security risk, you being the business. That’s job number one. Job number two is once you make those risk decisions, I implement those risk decisions to the best of my ability. That’s my job, two things, right. But in order to do that, you kind of have to define. So bring this to vendor risk management. If I haven’t defined those things for my overall information security program, you’re shooting in the dark with your vendor risk management program. Right. One feeds, one comes first. So a lot of times let’s take you all the way back to that now for organizations that just don’t have any idea what they want to do with vendor risk management. I think the best thing is just defensibility, you know that something bad is going to happen, chances are good based on studies that you read that the bad thing that happens will probably come through a vendor. Right. So, being prepared for that when the bad thing happens through a vendor who becomes your enemy, your customers, opposing counsel, regulators. So did I do enough to not be negligent? Do I have something to stand on or might just bend over and take it. Right. So my vendor risk management program would start probably there if I haven’t defined all these other risk things and gotten really

[00:16:08] Brad Nigh: understanding. Exactly. Yeah, yeah. I think you’re right. You need to know what is the classification of the vendor where do they have access to? Right, right. That’s that’s the first step. Well beyond, you know? Well, I guess going back one now, I know your vendors are, is the first step.

[00:16:27] Evan Francen: Oh yeah, we over complicate that process too, right? Four steps in vendor risk management or third party risk management, inventory, classification.

[00:16:37] Brad Nigh: Yeah. Yeah. So yeah, what do they have access to? Is it is there somebody that’s a low risk. Right. Is that the guy that comes and stocks the vending machines that there is? You need to be aware of it and that goes to part of defensibility. You can’t just pick and choose which vendors you’re gonna classify. How do you just defend that decision? Right, right. So, and I know we’ve had that conversation with other very large, you know, national companies and in the past around. Well, we think these are the we think these are the 100 or so. Well, how many do you have? Hey, time out? How do you how are you picking these 100? If you don’t even know who you have. So anyway. Yeah, I know your vendors, classify and understand it. And then, you know, the the next step is depending on that classification.

[00:17:33] Evan Francen: Sure. Yeah. It doesn’t make any sense whatsoever. To send a 600 page questionnaire to a lower risk vendor. Yeah, I

[00:17:40] Brad Nigh: mean, a full SIG shouldn’t go to the

[00:17:42] Evan Francen: probably not

[00:17:44] Brad Nigh: to everyone.

[00:17:45] Evan Francen: Uh well and a lot of this experience comes from, I mean, this isn’t, you know, third party information security management isn’t anything new. You know, large companies, companies that have received, you know, quite a bit of regulatory pressure. You know, like big banks, they’ve been doing third party information security management for a long time. They don’t do it well, but they’ve been doing it. The driver has been compliance for them. You know, whether it be the OCC or FDIC. And then, you know, I think the most famous breach of all time through a third party had been the Target breach. Right? And so then everybody sort of rushed and they saw a bunch of companies, sort of start these vendor risk management things. Right. HITRUST became a big thing or bigger thing. SOC 2s, you saw probably a big bump in business there because people are still scrambling with like, what the hell am I supposed to do? And if you just simplify it, right. We’ve already talked to phase one is just inventory, Right? There’s two parts to inventory. There’s the initial inventory of like what, who are my 3rd party relationships and then there’s the ongoing inventory. The ongoing inventory depending on what kind of churn you have in your third parties. If you have low churn just reconcile your third party inventory on an annual basis. All right, fine. I’ll have to stay

[00:19:11] Brad Nigh: alive. Right. And it’s, if you do it correctly, the first time where you’ve identified the relationship owner internally, that’s an easy thing to do. Exactly. Hey are we still doing business? Are these is this still a yes or no? Has anything

[00:19:25] Evan Francen: changed? Step two. We call, you know, being security people, we like to use our fancy words. It’s inherent risk. Right? That’s that’s how you classify your vendors. We don’t account for any controls. There are 5 to 10 questions that anybody should be able to answer that. Your vendor relationship managers should be able to answer their basic things like how are we using this vendor? They come into our office. Do we connect to them? I mean just stuff. Right. And then, you know, based on that classification, I I like to keep it simple, high, medium or low, high risk vendors. You’re going to get a lot of scrutiny, you know? But Out of my, you know, that might be 5% of all my vendors might be those high risk vendors. And then uh you know, once you’ve gotten through the assessment itself, which can be a questionnaire, there’s nothing wrong with questionnaires, what’s wrong is questionnaires that are subjective. Open ended,

[00:20:20] Brad Nigh: you don’t want to go through no. And reading through open ended questions trying to interpret how they wrote things that make themselves look better.

[00:20:29] Evan Francen: Right, answer, ask yes. No questions that anybody should be able to answer. If you know your environment, you can answer, you know something as simple as do you have an asset inventory?

[00:20:42] Brad Nigh: Right. Right. And then please describe your asset inventory process.

[00:20:46] Evan Francen: Right? And then after that question then I will ask you, so it gets a little bit longer. The questionnaire gets a little bit longer because I have to ask more binary questions after that first one. But it also makes it easier to score, set thresholds, do comparisons. I do objective assessments. Uh And then you make the you know the decision, that’s step four, right? You suck at security. I’m sorry. You can have to remediate or we can’t do business. Right. Right.

[00:21:13] Brad Nigh: And yeah. And I think you’re right. Everybody people just think it’s overcomplicated because they may be just don’t understand or Uh huh. Mhm. They just don’t know what the right tool is. Maybe. I’m not sure

[00:21:27] Evan Francen: there’s so many different pulls in so many different directions, right? Yeah. You you have lots of people doing SOC 2 and they’re dead set that that’s the right thing. You ask any accounting firm, they’re not gonna scare you away. They make money doing SOC 2. So they are going to say SOC 2. Yeah, that’s there you go. And established. Type 2, you know, make more money

[00:21:52] Brad Nigh: and that’s not to say that the controls and like the points of focus and everything are bad. That’s not, that’s not the issue with it, it’s said as an organization undergoing it, you define what they’re looking at. If you’re if you do it correctly, there’s no reason you should ever fail a SOC

[00:22:08] Evan Francen: 2. Well that’s the I mean SOC 2 is just a tool, right? Just like any other tool. And if you use the tool correctly right? It’s a great tool. If you use it for something it’s not intended for.

[00:22:19] Brad Nigh: Yeah you can it’s I mean realistically yeah. Yeah it could be manipulated to do what you want but correct if it’s if it’s done correctly yeah. It is an assurance that people are doing what they say they’re doing.

[00:22:34] Evan Francen: And so if you’re using SOC 2s for the check box, that’s not the right use for the tool. You actually need to read the SOC 2 report, right, ensure that whatever it is you’re doing with this vendor or third party is in scope within the SOC 2, right, that the illustrative controls are interpreted correctly. To address the risks that you’re concerned about. You know, it ends up being believe it or not, if you use a SOC 2 the way it’s intended to be used. It ends up being more work. It’s a lot to read through those. It is, you know, because then and then you’re also relying on the subjectivity or the interpretation of the person reading the report right to determine whether or not it’s adequate, right? So it’s no matter how black and white they try to make it as an audit, you know, it’s a pass fail, right? So you get the unqualified opinion from the CPA. But that’s his opinion. You have to interpret stuff to interpret his or her opinion

[00:23:28] Brad Nigh: and and they’re interpreting and looking at evidence and they’re CPAs, not technology or security people. So yeah you have a CPA interpreting right? Security that’s not always. And and the good ones will fully admit that hey this isn’t our strong area.

[00:23:48] Evan Francen: No. Right So yeah so my view of SOC 2s is I don’t think they are inherently bad. It’s just you’re not using them. Right?

[00:23:56] Brad Nigh: Yeah. Yeah people just say oh good. They got their SOC 2, all accepted.

[00:24:00] Evan Francen: I mean if I were to receive a SOC 2. So you know this is maybe something that I would do if I had a vendor risk management program that Uh you know I would use the S2Org because it’s a tool that I understand, it’s true or false, it’s objective. I can set thresholds. It’s completely defensible. Excuse me. All those things are great. But if I had a third party that said you know we’re just not, we’re putting our foot down, we’re done doing any other questionnaires, done doing any other assessments but we have a SOC 2, will you take it? Yeah I would take it, I would review it. I would say you know it would take me a little bit of time to read it and I might even take that what I read in the SOC 2 and interpret that into their questionnaire so I can stay within my own process but it’s not invalid.

[00:24:48] Brad Nigh: No, no. And I think you know it’s interesting we’re starting to see a lot more um clients that are asking us to help uh fill out questionnaires. So

[00:25:03] Evan Francen: like I’m getting away time.

[00:25:05] Brad Nigh: Right? Well right. But the nice thing is with, you know, these are ones that have done S2Org, we’re on, you know, so it makes it a lot easier. But yeah, they’re they’re you know, I’m thinking of one I talked to couple weeks ago And he was getting four to six questionnaires a month. Imagine filling out a SIG four times a month. Right fraud. Right? Because it’s not like you can Yeah or custom questionnaires or whatever, right? But yeah, if you have a standard S2Org, in that case it makes it really easy to just kind of rip through it a lot faster.

[00:25:46] Evan Francen: So. Well that’s it. I mean I think there’s so many in there in our industry, we argue with ourselves so much right? Like which one is better, well I’m a SOC 2 guy, woman. HITRUST guy, woman? S2Org guy and I’m a this guy or that guy or whatever. It’s like seriously just pick one and then use interpretations. So allow people to do what they feel comfortable doing and it’s our job as an industry to figure out how we can consume it and use it. It’s uh it’s just really frustrating because at the end of the day who really suffers is the small business that gets these questionnaires and can’t afford to fill them out. Right?

[00:26:24] Brad Nigh: Right, Well,

[00:26:25] Evan Francen: and it’s hours of wasted

[00:26:28] Brad Nigh: work. How long does it take to fill out a SIG or a SIG Lite? Like a couple hours each?

[00:26:33] Evan Francen: Uh The SIG. It’s

[00:26:34] Brad Nigh: The Lite, the Lite’s a couple because that’s, what, 90 something questions and it’s not yes.

[00:26:40] Evan Francen: Well, yes, and that’s why we created. So the S2Org itself is 687 questions, but they’re true false questions, they are yes, no or whatever. It’s easy to answer those. It’s funny, I was talking to some guy who never even looked at it okay from the S2Vendor tool, received an S2Org assessment and said we’re not going to fill it out. And so he’s telling the customer of this, you know, like will you talk to him something? Sure, I’ll talk to him. Like why? Why won’t you fill it out? And he says, well, it’ll take too, it’s too much wasted time. How much time do you think it will take? Well six hours? Like, I’m sorry, 687 questions divided by six hours. You do the math and you find out, it’s like yeah, whatever it was, it was like a minute and a half per question. Like it takes you a minute and a half to answer a true false question. He’s like, well, yeah, you have to read the question like it takes you a minute and a half to read a true false question and

[00:27:40] Brad Nigh: they’re not like paragraphs, it’s like a sentence. Yeah. Do you have a security, do you have information security policies? Yes or no?

[00:27:48] Evan Francen: Right? It was funny because because because then I got to the point where it’s like, okay, let’s just play this out. I’ll give you an example, just question not even security related. And then we’re gonna wait, You know, a minute and a half to wait 90 seconds for you to answer that question, are you wearing underwear today? Don’t answer. Hold up. Yeah. And I’m looking at my clock and looking at my watch, he’s like, well that’s not how it works. Like that’s exactly how it works. And if you don’t know your information security program well enough to be able to answer true false questions about your information security program, then you have work to do. You kind of suck at your job.

[00:28:28] Brad Nigh: And there are areas you’re gonna want to pull in. They, you know, the owners of that within the organization. HR and uh the CFO for insurance and financial stuff. But even then it’s right there, they’re gonna typically know that stuff.

[00:28:49] Evan Francen: Well the things that we need to focus on where we find most of the risk is fundamentals, right? It’s the basics, right? You’re not asking a detailed question about, you know this specific configuration or this specific log. Right? So even those true false questions on the basics, the fundamentals most people should be able to answer.

[00:29:09] Brad Nigh: Right? Right. Yeah. Do you do you do background checks on your employees? That’s an HR focus question. Right? Everybody in the organization should probably know that as you’ve had to sign the sheet that says I let you do this,

[00:29:25] Evan Francen: right? And there might be some vendors like extremely high risk vendors meaning inherent risk not residual risk that they’re so impactful to your organization that you will want more. Right? I’m not going to take your word for it on the 687 questions. I’m not gonna take your word for it. I don’t believe you or I’ve validated whatever reason. Then send somebody to validate the assessment. But what you’re validating are true false questions that apply to information security risk which are not validating his interpretations of questions, right? So if a question says all, because I’ve run into this many times, the question says blah blah blah blah blah all blah blah blah. They say well we do it. Yeah we do that. It’s like for all? Well most. It’s not the same. It’s not what the question says. The question says all you know, that’s different than most. Uh So that that’s one of the things I think over the years with information security becomes so literal.

[00:30:23] Brad Nigh: Well, I mean you have to

[00:30:25] Evan Francen: specifically, what are you asking for? Right? Yeah, you do have to because there’s so many different interpretations of a word like information security, what is information security? And people are like, well, it’s, you know, access control. Like actually when you build an information security program, you find access control. If I were building it, like I was building a house access controls, like third

[00:30:48] Brad Nigh: floor. Yeah, that’s well because it is fully dependent on. Right? Yeah. Asset and identity. Right?

[00:30:57] Evan Francen: I’d like to start. I’d like to start. So tomorrow I’ll be in New York talking to a board of directors. And it’s interesting how, you know, you just just a basic conversation about what are we trying to do? We’re spending millions and millions of dollars on information security in this organization. What are we trying to accomplish?

[00:31:18] Brad Nigh: We’ll be safe, were gonna be secure.

[00:31:21] Evan Francen: Right. What what does that mean? Yeah, let’s be as specific as possible. And let’s compare the mission, you know? So most organizations have a mission statement. How many information security programs or CISOs have a mission statement? And does that mission statement align with the organization’s mission statement? Does it enable it?

[00:31:41] Brad Nigh: Right. And they should be supporting it.

[00:31:43] Evan Francen: Yeah. Right. So sometimes you have to get sort of rudimentary and the mechanical, you know, as you go through this stuff. But my God, if you want to do it. Right, do it right. Yeah. We get paid pretty well. Most, most security people get paid pretty well. Yeah. No, I figure it out.

[00:32:01] Brad Nigh: So one of the, you know, we’ve covered most of those bullet points, but at the end of the day, well, I guess that’s kind of combining two there. But uh, what should a vendor share? Not share? What level would be acceptable? And at what point do they kind of say, that’s why, we can’t share that? How do you think they should handle that?

[00:32:23] Evan Francen: Well, that’s, that’s, it’s a good question. Um, it depends on the relationship, you know, really. I think with the, with your customer, if you have a tight relationship where you feel like you could be transparent.

[00:32:38] Brad Nigh: It’s an existing relationship. Yeah. Yeah. But it’s, it’s there, it is. That’s a risk that you as an organization have to make: hey, I’m going to give the blueprint for all our strengths and weaknesses to somebody else.

[00:32:53] Evan Francen: Well, and what we advise our clients is give them the S2Score. Right? And so if they, and then if they ask, well, what’s the S2Score, you know, then we can go into more detail about what that encompasses, what the score represents, how the math is calculated, what the score actually means, without going into the details of your individual answers, your individual weaknesses.

[00:33:15] Brad Nigh: I would say that that executive report is about it, because that’s going to give them a good understanding across their administrative, physical and technical. And then within the main areas of each, where are we at?

[00:33:29] Evan Francen: Right? Including maybe even a publicly consumable, or you know, out of the results of the S2 or the S2Score. I mean, it’s the same thing when you think about personal credit, right? If I’m doing business with you, I can ask your credit score and you’ll probably give it to me, right? Because I’m going to loan you money right now. In some cases, I may want to pull that credit report, so you have to give me authorization to pull that credit report. So I get to see more. I still don’t see the details of a lot of the things that you do on a day to day basis. I can just see the results of those things, right? So, you know, I’d keep it, you know, and then, but then you have some vendor relationships where maybe, well, I guess this would be my ultimate advice: define what you share with your customers, put it in policy somewhere. So whatever that’s going to be, if it’s just going to be the S2Score, or it’s just going to be the SOC 2 cover page, or whatever it is that you’re willing to share, nothing else. And then if you have vendor relationships where you’re tighter, you’re closer, you’re more friendly, just write a waiver, you know, and maybe share more so you can be more transparent with them. Yeah.

[00:34:48] Brad Nigh: Especially if you’re doing well,

[00:34:49] Evan Francen: we should tout it. Right. I mean, that’s the thing. Security has been treated as a cost center forever. Can we use information security as a business driver? Can we make more money because we do security well? Hell yeah, you can. I mean, if you’re spending a couple million bucks on information security, you better get a damn return out of it.

[00:35:10] Brad Nigh: Yeah. Well, and that’s always something that’s so hard to prove, too, right? How are we doing? So you wrote, I don’t know, have you published this yet? No. Okay. So

[00:35:22] Evan Francen: created a pretty, I’ve never done an infographic. Have you ever created an infographic before? No. Yeah, me neither. I’m not creative enough.

[00:35:29] Brad Nigh: So funny enough, so I wrote the notes for the podcast, you know, yesterday evening, come in this morning, you’re like, hey, look what I wrote last week. Right. And it’s seven must-haves for third party information security risk management, which is, you know, just kind of funny. We’re, oh yeah, on the same page

[00:35:48] Evan Francen: here. And these are absolute must-haves. If I was going to build a third party information security management program, I wouldn’t do without these things.

[00:35:58] Brad Nigh: No, and immediately, I haven’t, you know, I’ve had this for about 10 minutes before

[00:36:04] Evan Francen: the podcast. I printed it out right before the podcast in here.

[00:36:08] Brad Nigh: All right, so let’s go through these. Is that okay with you? Let’s do it. All right. Must-have number one: adequate coverage. So must account for administrative, physical and technical risk, period. Makes sense. It has to. Well, we’ve defined information security as those three things.

[00:36:26] Evan Francen: Exactly. And you know that the most significant risk is always people. So if you’re only focused on technical controls, right, you’re missing the biggest risk. And physical, you can’t just discount it. It may not be huge because you’ve got stuff out in the cloud, you’ve got Azure or whatever else. You still have an office, and in that office there’s some sort of, you know, communication between that and the cloud. So you have to take into account physical risk.

[00:36:53] Brad Nigh: Well, we get that question a lot too, is, what, we have a lot of remote workers. So how do you, well, that’s a whole other physical risk, that’s for sure. Do you have remote worker policies, things like

[00:37:03] Evan Francen: that. Yeah, I mean, do you define, do they have to keep, like when I worked at Wells Fargo, uh, the way they accounted for physical risk, you know, for teleworkers, was you had to have a dedicated locked office in your house if you were going to work in your house. It would seem legitimate. And they had a clean desk policy for the house and all those things, because they don’t want kids coming in and taking things and God knows what happens,

[00:37:30] Brad Nigh: loan application has like a smiley face on it and crayon,

[00:37:34] Evan Francen: right? But this is the one, so this must-have, the adequate coverage, is the one place where people are most likely to take their shortcut right out of the gate. They assume that some scan, some vulnerability scan, whether it be BitSight or SecurityScorecard or whatever, check the box, I’m done. Mm. No, I almost had a bad word right there. That’s not true. Uh, you have to do administrative, physical. Those are great tools, right? It’s just like any other part of

[00:38:04] Brad Nigh: great,

[00:38:04] Evan Francen: just like any other tool, understand the tool and master its use

[00:38:10] Brad Nigh: they’re good for what they do. But what you

[00:38:13] Evan Francen: do, exactly. Any time I see somebody using BitSight, I’m not, I don’t cringe. The time I cringe is when you’re using BitSight

[00:38:21] Brad Nigh: only, I’m with you. Um, so no shortcuts. Uh, must-have number two: automated workflows. Manual processes with spreadsheets and calendars are error prone, costly and ineffective. Yeah. And I guarantee any security person that’s been doing this for any amount of time is nodding their head going, oh yeah, tell me about it.

[00:38:46] Evan Francen: Um It’s amazing how many times I still see it

[00:38:49] Brad Nigh: though. Oh, we get, I answer our questionnaires that we

[00:38:52] Evan Francen: get, and they’ll make their, I’ve seen, um, I’ve seen questionnaires in workbooks, Excel, but they’ve gotten so fancy with them too. I mean, they’ve got macros. I mean, it’s just like beautiful. It’s still a piece of crap because it’s still manual

[00:39:11] Brad Nigh: and as a practice, we’re gonna disable macros received from third parties, unknown sources. I’m not running your macro. Sorry.

[00:39:20] Evan Francen: And there are many automated workflow tools and automated-workflow-enabled tools on the market for third party information security risk management. Obviously we have S2Vendor that we use on SecurityStudio, but I’d be remiss to tell you that there’s not many others. So

[00:39:39] Brad Nigh: Yeah. And again, we’re obviously a little bit biased in thinking that it’s good and all that, but it’s not always going to be the right fit for everyone. Find the right tool for you and your organization, but find a tool.

[00:39:55] Evan Francen: So must-have number one, no shortcuts. Must-have number two, automated

[00:40:01] Brad Nigh: workflow. All right. Number three: distributed workloads. So no one person can do it all is really what it comes down to. So I think

[00:40:11] Evan Francen: not, well, anyway. Yeah,

[00:40:13] Brad Nigh: yeah, I think I liked what you had here is, you know, if you have like a vendor risk manager, that shouldn’t be the person who does everything. They should be managing the program, working with the relationship owners within the organization. Your vendor risk manager shouldn’t be classifying all your vendors; there’s no way they could possibly know that. They can make sure that all your vendors are classified, all your vendors are answering questionnaires, making recommendations, but they shouldn’t be doing the whole thing.

[00:40:45] Evan Francen: No, no, not unless it’s a real small company with only one or two vendors, where the actual risk manager knows these things. Because the key is, for, you know, that classification is knowing how you use the vendor. The only way you’ll know how you use the vendor is if you work with the vendor.

[00:41:05] Brad Nigh: Exactly, yeah, yeah. I think that’s a good point though. Small, really small organizations where, you know, excuse me, you may not know everything. That makes sense. But as you get larger and more vendors, you can’t possibly

[00:41:20] Evan Francen: even in this organization. Right. I mean, we’re getting close to 100 employees. I don’t know how many vendor relationships we have, but I don’t think one person can do it. We’ve got Jeff, who does it, who has a bunch of vendor relationships. You have

[00:41:35] Brad Nigh: HR relationships we have. Yeah.

[00:41:37] Evan Francen: Who is the office manager now? Danielle. So she’s got office-y stuff. I mean, I know that there’s always coffee, there’s always things here. Right. Yeah. So even in this organization of 100-ish employees, we

[00:41:54] Brad Nigh: have, we have way more vendors

[00:41:55] Evan Francen: than, right, and then they’d be surprised. And that’s one of the pushbacks I’ve heard before, is, well, we don’t have any vendor relationships. There’s no organization in the world that doesn’t have any relationships, unless you made your own office furniture, you made your own computers, made your own operating system,

[00:42:12] Brad Nigh: right? Who does your maintenance? Who does, right? Any, yeah, any of that stuff. Those are all vendors. You have a plumbing issue, who do you call? The plumber. There you

[00:42:23] Evan Francen: go. That’s another one.

[00:42:24] Brad Nigh: People don’t think about that. Alright. So number three, don’t try to tackle third party information security risk alone. Exactly. Number four: quantification. Uh, it’s easier to defend a process or system than to defend a judgment. I think you’ve talked about this in terms of, from a legal perspective, what were you thinking on that day or whatever? So, uh, that was six years ago, right? That’s hard to defend, versus, well, they said yes or

[00:42:57] Evan Francen: no. Yeah, yeah. When you’ve sat across from opposing counsel and they’re asking you difficult questions, this one hits you pretty hard and you never ever forget it.

[00:43:07] Brad Nigh: being deposed is no

[00:43:08] Evan Francen: fun. No. So if you haven’t been there, um, great, good for you. You might, and you probably will at some point, I would assume, I don’t know. But you’ll be glad that you did this. You’ll be glad that you used a system, a process. I

[00:43:24] Brad Nigh: did the same thing for everyone.

[00:43:26] Evan Francen: Exactly. That’s why I’m such a stickler on, if it says it in policy, follow the policy. And then when you deviate from the policy, write a waiver. So you’ve got that education.

[00:43:37] Brad Nigh: Why did you change this? Well, I’ve got this document right here that says exactly why.

[00:43:42] Evan Francen: I can’t remember what I did last Thursday, alright, let alone what I did last year. And so if you ask me, why did you make this decision with this third party, this vendor? I won’t remember. Right? And if you do remember, you don’t have enough work to do.

[00:43:55] Brad Nigh: Problems. But yeah, you better have it documented somewhere why you deviated from it. Right. And quantification? Well, and I think everybody, you know, people kind of complain about it, but documentation about procedure, and like, we need to have a repeatable process, the same thing every time. It’s not super exciting. But absolutely will save you in the long

[00:44:19] Evan Francen: run. Right? And so when you quantify something, a lot of times, when people think quantification, they immediately go to dollars, thinking that that’s the only way that you can quantify something. That’s patently false. Right? I can quantify anything that I can measure. Right? And so, um, it’s implementing some form of measurement, setting an appropriate threshold. Right? So if your vendors or third parties, in their questionnaires or whatever assessment you’re doing, if they exceed that threshold of minimum risk, right, that’s good. If they are deficient, they’re below that threshold, then you may go further. You may ask additional questions even if they do exceed the threshold. That’s not the point.

[00:45:03] Brad Nigh: They say they’ve got everything, personal, like, perfect. I mean, you have to have some thresholds, top and bottom. Right? Exactly. All right. So uh, number five is objectivity. Binary decisions are more efficient, easier to defend and scoreable. So again, you want to take that subjectivity out. Like we just talked about, why did you accept this answer? Uh, because at the time there wasn’t that vulnerability out there. Like, that’s a really hard thing to defend. So

[00:45:37] Evan Francen: yes/no, all the time. Right. Yes/no, true/false. Uh, the open-ended questions, anytime you see that in third party or any, you know, information security risk management function, it’s open for interpretation. Right?

[00:45:50] Brad Nigh: Right. And then it depends on who’s writing the answer, who’s interpreting that response. Are they at the same level? Yeah.

[00:45:59] Evan Francen: And as a vendor who used to receive, you know, now we have other people who receive these questionnaires. But when I used to receive these questions, I liked open-ended questions

[00:46:08] Brad Nigh: that you can put whatever you want in. But it’s also a pain

[00:46:11] Evan Francen: well, but I liked it because I could tell you the truth and massage it.

[00:46:15] Brad Nigh: Right? Oh no. I’m

[00:46:17] Evan Francen: if you would ask me a true/false question, I’d have to say, well, that’s actually false. But if you say, you know, like, tell me about your information security program. Awesome. I’m gonna tell you all the great things about my information security program. I’m not gonna tell you anything about the bad stuff.

[00:46:33] Brad Nigh: We use administrative, physical and technical controls to protect the, boom,

[00:46:37] Evan Francen: done. Then you’ll be all impressed and pass me, and I don’t have passwords on anything. Right?

[00:46:43] Brad Nigh: Eight characters, no complexity. Alright. Uh, must-have number six: inventory management. And this is not just for third party information security risk, but garbage in, garbage out. If you’re not getting everybody, then yeah, it’s not a good program.

[00:47:03] Evan Francen: It’s so frustrating too, because you’ll ask people questions. You know, Fortune 500 company, vendor risk manager, I asked him, how many vendors do you have? “It’s about 600.” Like, about? Right. A better answer to that would have been, as of the last time we did a vendor inventory, you know, it was 627. That stands up in court much better than “about

[00:47:32] Brad Nigh: 600.” And I will say, I could see myself going, well, just over 600. And you’re like, uh, then, but then being able to come back and say, well, okay, exactly, it’s this much, but I didn’t know how detailed you wanted it. But that wasn’t

[00:47:46] Evan Francen: his response.

[00:47:48] Brad Nigh: So yeah, I understand what it is, and it’s ongoing. Right? At least annually you need to go through, revisit all the existing ones, make sure you haven’t missed anything. This is an ongoing process.

[00:48:02] Evan Francen: Well, and depending on, like you sort of mentioned it, depending on the churn in your third party relationships, it could change. If it’s pretty stable, then maybe an annual reconciliation is plenty fine to keep that inventory up to date. If you have a lot of churn, then you need to integrate it into your onboarding process with your vendors, right? Procurement process, something. And then don’t pay any third party unless they’ve got an S2Score, for instance.

[00:48:25] Brad Nigh: Yeah, they have, we can’t sign a contract. And we do see that from some of our customers, they’re like, well, hey, we signed this, but we can’t actually do anything until, we realized you’re not in our third party risk management. You know what? I don’t mind those. That’s a good sign from an organization, that they do have this kind of institutionalized, we’ve got a good process in place that catches these things. So it doesn’t happen a whole lot, but it does happen. It makes me happy. And then number seven, this is again, it’s funny how many of these are just good security principles in general: uh, simplified processes. Complexity is the enemy of information security. Yeah, don’t make this harder than it needs to be.

[00:49:15] Evan Francen: No, once you systemize this and operationalize this, it just becomes part of doing business. Yeah, four steps, man. Sometimes you recycle between step four and step three, but it’s four steps

[00:49:27] Brad Nigh: still. Yeah, well, hopefully that was uh, helpful for everyone, both people receiving questionnaires and the ones sending it out and trying to manage a third party or a vendor risk management program. So just fresh on the top of my head. So that was a good, yeah, good conversation today.

[00:49:51] Evan Francen: Well, we’ve done it for years and I understand that it’s not second nature for many people. Um, once it becomes second nature, it’s just part of doing business. You know, you don’t think twice about it.

[00:50:04] Brad Nigh: Yeah. And yeah, institutionalize it, right. Get buy-in from the organization and actually stick to your guns. If it says, hey, we can’t do business with someone, we can’t actually pay them until they’re in the program, right? Actually follow

[00:50:22] Evan Francen: through. When the business isn’t going to back you up, you know, because you do run into that too, where the business is like, well, they’re so important that we need to do business with them anyway, even if they’re not going to fill out the questionnaire. That’s fine. Well, then the business is accepting that risk. Yeah, I’m about ready to write another article where the title is “Not My Risk,” because the business makes those decisions, and if you don’t enable and consult the business to be able to make those decisions, then what? You know, the last thing you want to do is accept the risk yourself or just

[00:50:57] Brad Nigh: Yeah. Get it on paper.

[00:50:59] Evan Francen: Sweep it under the rug.

[00:51:01] Brad Nigh: It’s your job as, like you said, the CISO, to advise and guide and provide that knowledge to the business for them to make that decision. Right. Right. We do it all the time. It’s the virtual CISO. I cannot make a risk decision on your behalf. I can tell you what I would do. I can give you the pros and cons. Ultimately, that’s your call. I’ll tell you if I don’t agree with it. That’s fine. As long as it’s documented, I’ll do whatever the organization has made their decision to

[00:51:35] Evan Francen: be. All right. So if the business isn’t going to sign off, the business isn’t going to enforce this with you, just ask them to sign a waiver. That usually makes them think twice. You know, when I go to the CIO or I go to the CEO and say, that’s fine, I get what you’re saying, I just need you to sign the waiver so that we, you know, dot our i’s and

[00:51:56] Brad Nigh: people don’t want their name on the line either. Weird.

[00:52:00] Evan Francen: Right. Well, if you’re expecting me to

[00:52:02] Brad Nigh: Probably, yeah, exactly. So, all right, good discussion. Let’s knock out some news real quick here. Um, we won’t go into a whole lot of detail on these. But the first one is from Threatpost, uh, ransomware costs doubled in Q4. Uh, they were saying, uh, fourth quarter of 2019, average ransomware payment rocketed, skyrocketed to $84,116, up from $41,098 in the third quarter. So more than doubled, and we’re not seeing that slow down, so

[00:52:35] Evan Francen: don’t worry about it. You’ve got cyber insurance. Yeah,

[00:52:39] Brad Nigh: yeah. And then, yeah, the other one is now you’re starting to see exfiltration, and even if you recover and don’t pay, they’re threatening to release your data,

[00:52:51] Evan Francen: don’t worry about it. You’ve got cyber insurance.

[00:52:54] Brad Nigh: So yeah, fun. Um, God, yes, that’s the answer to everything, right? So the second article was from Krebs on Security. Thought this was kind of funny. DDoS mitigation firm founder admits to DDoS. So a Georgia man who co-founded a service designed to protect companies from DDoS attacks has pled guilty to paying for a DDoS-for-hire service to launch attacks against others. I mean, that’s one way to drive business.

[00:53:25] Evan Francen: We’ve talked about, you know, it’s usually a very, very, very short conversation, but back in the day when, you know, you’re struggling for business, it’s like, well, one way you could get business would be just to hack somebody, right? You know, if you hack them, then they’ll be like, oh yeah, we do need your help. Shoot, I should say the same kind of thing. I mean, your service must not have been that good if you can’t figure out ways to sell it without cheating. Right?

[00:53:52] Brad Nigh: Yeah so

[00:53:53] Evan Francen: So throw the book at this guy. 22 years old. Yeah, Tucker

[00:53:56] Brad Nigh: Preston. Up to 10 years in prison and a fine of up to $250,000, or twice the gross gain or loss from the offense.

[00:54:05] Evan Francen: How much prison time do you think he’ll actually get?

[00:54:09] Brad Nigh: You know, it’s a good question. It feels like they really throw the book at the computer crimes.

[00:54:18] Evan Francen: You know, because the only reason why you’d punish, I mean, not the only reason, but the primary reason, is deterrence. You want to deter people from following the steps of Tucker here.

[00:54:33] Brad Nigh: I’m gonna guess he gets a very large fine and not the full 10 years.

[00:54:41] Evan Francen: So he pled guilty in a New Jersey court. He’s from Macon, Georgia.

[00:54:45] Brad Nigh: Yeah, that’s a, don’t do that, is the advice.

[00:54:50] Evan Francen: So the company he co-founded is called BackConnect Security LLC. He developed the unusual habit of hijacking internet address space it didn’t own in a bid to protect clients from attacks. So I mean, his whole business was just B.S. Yeah, not just hiring DDoS attackers to attack, but it sounds like he also had some other issues.

[00:55:19] Brad Nigh: Yeah not good. Um

[00:55:23] Evan Francen: Do you ever read those cases? Do you ever read, like, the actual

[00:55:26] Brad Nigh: You know, when they come out, I’ll try to. I agree, some of those are really interesting. Oh, he pled, yeah, he pled guilty. So sentencing is in May,

[00:55:36] Evan Francen: so yeah, it’s going to be less than the maximum.

[00:55:39] Brad Nigh: Basically, yeah, I would say he’s going to get some jail time, just like you said, as a deterrent. But I think my guess is the majority of this is going to be in a monetary fine. That’s going to be the crippling thing, especially for a 22-year-old, to have hundreds of thousands of dollars in fines that you can’t dismiss.

[00:56:01] Evan Francen: Yeah, interesting. Mhm.

[00:56:05] Brad Nigh: All right. Uh, third story today is from GBHackers: Snake ransomware, written in Golang, removes backup shadow copies and encrypts Windows files. So that’s, um, not ideal. Uh, it’s targeting Windows users to encrypt the system files and remove volume shadow copies that the OS uses for backup, so you can no longer count on your local backups to keep you safe. Uh

[00:56:36] Evan Francen: Yeah, ransomware as a service.

[00:56:39] Brad Nigh: Yeah. Yeah. And they’re saying they’re using AES-256, RSA-2048 for the keys. So, good luck cracking that.

[00:56:51] Evan Francen: Yeah, so targeting, this is, the Snake ransomware is targeting specific platforms such as SCADA, enterprise management tools, system utilities, and also some of the specific target applications include VMware Tools, Microsoft System Center, we used to call that MOM, then just Operations Manager, now it’s System Center Operations Manager, Nimbus, Honeywell HMIWeb and FLEXnet. Yeah, it would suck to have a SCADA system get hit, I suppose, if it was a controller.

[00:57:27] Brad Nigh: Yeah, well, those things are never out of date and always patched, um

[00:57:31] Evan Francen: so

[00:57:33] Brad Nigh: what was interesting? Yeah, yeah, what I thought was interesting was that it actually writes the note to two different locations depending on if it was executed as administrator or a standard, normal user. So you know, if you’re doing an IR, it’s pretty quick to understand. Mhm. Well, you’ve got some issues. Why were all your users local admins?

[00:58:01] Evan Francen: Right, well, that’s a good, it’s GBHackers, that’s a good write-up on this. If you do get a chance, go and read it. The title: Snake ransomware, written in Golang, removes backup shadow copies and encrypts Windows

[00:58:16] Brad Nigh: files. It kills, like, SQL Server, Scheduler, yeah, see, you know, a lot of VNC. So it kills a lot of processes so it can, you know, they might have things locked. Um, the next one, and just thought, that’s not surprising by any means, but from Infosecurity Magazine: over half of organizations successfully phished in 2019. Uh, 55% of surveyed organizations dealt with at least one successful phishing attack in 2019. I think the most, um, surprising is it was only 55

[00:58:56] Evan Francen: that were successful. I disagree with that.

[00:58:59] Brad Nigh: But it was surveyed organizations, so, and that’s the only issue. It doesn’t really say, you know, a lot of it. And this is a report by Proofpoint, but

[00:59:13] Evan Francen: too. What do they sell? What do they sell? Yeah.

[00:59:17] Brad Nigh: Yeah. Using data from nearly 50 million simulated phishing attacks sent by Proofpoint to end users over a one-year period. So it is, they’re using their automated systems.

[00:59:31] Evan Francen: Look at Proofpoint’s, uh, homepage,

[00:59:34] Brad Nigh: say to the

[00:59:35] Evan Francen: phish. It’s like, yeah, buy my shit. Excuse my language. I just swore.

[00:59:41] Brad Nigh: Anyway, I would say, you know, it is obviously, it is depending on them and their system, and maybe

[00:59:49] Evan Francen: did you hear me swear?

[00:59:50] Brad Nigh: Yes, I did. I was going to ignore it though. Okay. I never swear.

[00:59:55] Evan Francen: No. Um Right. So 55

[00:59:59] Brad Nigh: using automated phishing tools. Way low. Yeah. But you know, not terribly surprising that, again, people are the weakest link, as it were.

[01:00:11] Evan Francen: So we can tell that through a vulnerability scan, probably.

[01:00:13] Brad Nigh: Yes. Absolutely. Right. Um, and then the last one, on Naked Security by Sophos, uh, and you know, there’s a lot to kind of digest, but NIST actually released new privacy rules and what you need to know. Um, I thought this was a really good write-up of it. There’s a bunch of articles out there, but I thought they did a really good job of kind of just breaking it down and understanding it. So, you know, Identify-P involves spotting and understanding privacy risk; govern, define the rules to deal with them; control is the function to manage data in line with your governance structure; and then communicate those; and then the final is protect, and that’s kind of where it ties back into the CSF. So, um, the privacy, uh, rules and the CSF do really tie together. So this is something that is, you know, out there, and they said it’s not the same, privacy and security are different, but they do overlap. So I thought it was a good write-up and something that is definitely coming more and more, right,

[01:01:25] Evan Francen: I think, yeah, more to talk about that later. That would be a good future podcast, to talk about how they are the same or different or where they overlap

[01:01:36] Brad Nigh: and all that stuff.

[01:01:38] Evan Francen: Good discussion. I think a lot of people don’t know; a lot of people treat them as separate.

[01:01:44] Brad Nigh: You know, we get questions about privacy specifically, and it’s like, well, you know, it’s more of a legal question around that, versus the security piece of how you actually enforce controls to ensure privacy. Right? So, kind of, they dovetail, like it says in there, they dovetail together really well. Alright, well, that’s it, episode 64 is a wrap. Thank you to our listeners. Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter. I’m @BradNigh, Evan is @EvanFrancen. And lastly, be sure to follow @StudioSecurity and FRSecure, @FRSecure, uh, for more goodies. That’s it. Talk to everyone next week.

[01:02:32] Evan Francen: Thanks.