Vendor Risk Management and InfoSec News

Unsecurity Podcast

We took a look back at our recent Hacks & Hops event and summarized its discussion surrounding vendor risk management. In addition, the guys chatted about how you can deal with customers that treat you poorly and finished up with ways that you can stay current on InfoSec news and trends without bogging yourself down. Check it out and let us know what you think at unsecurity@protonmail.com!


Podcast Transcription:

[00:00:23] Evan Francen: Good morning everyone, today is April 1st, it’s April Fool’s Day. It is. I just asked Brad if he was going to do any April 1st, April Fool’s Day jokes. He’s promised he’s not

[00:00:34] Brad Nigh: No, you’re not. No good jokes.

[00:00:37] Evan Francen: You just showed me one of your family where they had some, what were

[00:00:43] Brad Nigh: they? She had a box of Krispy Kreme doughnuts and then put veggie platter inside of it for her kids. So they opened up the kids. Yeah.

[00:00:53] Evan Francen: Anyway, so today is April 1st, this is episode 21 of the Unsecurity podcast. I’m your host, Evan Francen, and joining me today is my guy Brad. Brad, welcome back. Thank you. Did you have a good vacation? I didn’t overall. Yeah, you always had, you know, sort of some

[00:01:11] Brad Nigh: Drama. There’s some excitement but it was fun. It was good to get away for four or 5 days and not work.

[00:01:18] Evan Francen: Yeah. And you didn’t work except I did see that you are like dead. But then you said that that’s not really work.

[00:01:23] Brad Nigh: It was just one post. I was in like a line waiting. So

[00:01:27] Evan Francen: Yeah. Well, last week we did a, we had a really good show with Sean. Sean filled in for you. He’s, yeah. Yeah. He’s got some wisdom to share. We talked about being healthy. So it’s kind of ironic that you’re on vacation getting healthy at the same time we were kind of talking about being healthy. So anyway, you got a good vacation. Uh, do you want to share any of your drama from your

[00:01:52] Brad Nigh: vacation? Yeah, it was, it was exciting. So like, oldest daughter is 13, she, we were going to, so we went to Disney World down in Orlando and she was excited and didn’t get a good lunch and it was really hot at the airport and just got a little overwhelmed and fainted at the gate where we were waiting to get on the plane. So we started the vacation with a bit of excitement, but she’s fine. She, she ate some food and no, no other issues. But, and then, uh, yeah, my wife lost her ring. We assume, we’re not sure what happened. It was her wedding ring, it was in the hotel room when we left and came back like a half hour later and it wasn’t there and we don’t have proof of whatever happened. So insurance is dealing with, yeah, with that.

[00:02:41] Evan Francen: This has nothing to do with security, more curiosity. Do you ever take your wedding ring off? I do. What do you take yours off if I’m not home?

[00:02:47] Brad Nigh: Like if I’m at home, I just, when I get home I take it off you.

[00:02:53] Evan Francen: Yeah, some people do. My wife does also, I never take mine off. I think it’s just because I’m, I forget and I don’t even have it on maybe.

[00:03:03] Brad Nigh: Yeah, I’ve seen too many of the titanium and a few something happens. They have to like cut it off. It’s a nightmare. Like your finger. All right, I’m taking that

[00:03:12] Evan Francen: off. Do you ever do this sometimes with my kids? I are, you know, my friends, we go my hand my fingers and in front of them say, you know what these are and they’ll say what moneymakers.

[00:03:22] Brad Nigh: All right. Exactly, lose a finger. That would

[00:03:25] Evan Francen: be a problem. It’s gonna be at least like five words per minute less. Right. And one of those reports, so you can imagine the typos, right? Yeah. What letter do I usually tell you? Like, decide, miss a lot of these? Probably one of these. Right. All right. So anyway, we’re in Buffalo, New York, you and I in a hotel room, in my hotel

[00:03:47] Brad Nigh: room uh second week in a row. Uh

[00:03:50] Evan Francen: yeah, secondly, you know, right, it’s the second we can roll, we’ve done the podcast in the hotel room last time I was Sean and I in the hotel room, I’m beginning to think something’s weird. How about this?

[00:04:01] Brad Nigh: Just travel and stuff.

[00:04:03] Evan Francen: Yeah, well anyway, we’ll be back in town next week. Um, and uh, we start the, the mentor program next year, is it Monday? This Monday

[00:04:14] Brad Nigh: starts Monday,

[00:04:15] Evan Francen: we should get some slides together. I haven’t even

[00:04:17] Brad Nigh: looked, I know I did some looking and I didn’t see anything major that changed. I did talk to a couple of people that have taken it and they said there was some new stuff that they had never even heard of. Okay, so it could have been those experimental, experimental ones. But yeah, I should, should uh verify it. But I haven’t seen any new updates for, for the CISSP, any major one since the domain realignment 1800s. Yeah. It’s also high level. It’s all conceptual.

[00:04:51] Evan Francen: True. Yeah, that’s true. So historical. Any idea how many people we have signed

[00:04:55] Brad Nigh: up? Uh, we have, we are at capacity in person. So that’s 25 and I think there’s actually a couple above that and then there’s actually a waiting list to come on site. So okay, they’re doing that and I think Justice and there’s 350

[00:05:12] Evan Francen: 350 online online. So we’re gonna beat last year last year 350

[00:05:17] Brad Nigh: three totally. I think we’re we should be right At least close to that. If not beaten it by. I’m not sure if that 350 included the in person

[00:05:27] Evan Francen: or not. We should do, I’m thinking, we should start doing the mentor program twice a year. We gotta find, we gotta recruit, we gotta get, you want to do it, to do it

[00:05:35] Brad Nigh: right. I mean we

[00:05:36] Evan Francen: can, you know sort of fill in here and there but maybe coordinate it but not have to actually do it. Hey, make this part of your track? Oh yeah, right from analyst to senior analyst, you’re gonna have to have

[00:05:50] Brad Nigh: to partake in the mentor program.

[00:05:52] Evan Francen: That’s not a bad idea because it really, the mentor program is all about giving back, it’s all about creating more security people, completely free, you know, and I think it’s pretty quality training. I mean that’s, it seems like it, well, I haven’t been on the other side of

[00:06:05] Brad Nigh: it. It’s good training for us to like uh there’s every year, this will be the third year. So the first two years I’m like, oh I forgot about that stuff. Got

[00:06:15] Evan Francen: cold shivers. Yeah, that’s true. Especially when you’re like teaching it like crap. I don’t think I mastered that because I don’t do that, right?

[00:06:23] Brad Nigh: Yeah, I haven’t done that since I never

[00:06:27] Evan Francen: right. Yeah. So today’s topic, today’s topic for the podcast is dealing with bully customers. And then third party security risk management. I chose these two topics. So you know, as you know, every week we choose topics, one of us or you’ll choose your, you know, this week is my, it’s my third week in a row leading because, because of the vacation, I just want to stand the odds because odd fits me better than even. Uh, but so these topics, the bullying customers comes from, you know, just, we have a bunch of analysts that work at FRSecure and sometimes they run into, you know, a customer who’s less than, and I think less than ideal. How do you deal with that? There was actually a conversation I’ve had, I think Friday before I left for home over the weekend, so it’ll be a good discussion, that part. The other one, the third party security risk management piece. We had our Hacks & Hops last week, wasn’t it, it was really awesome. So if you haven’t seen that, uh, you gotta go to hacksandhops.com, you know, you’ll see, you know, some of the stuff, I don’t know if they, if our marketing team posts pictures of the event itself or if they’ve done that

[00:07:40] Brad Nigh: yet. I don’t know, I know they’re telling everyone to hashtag it and post it to whatever.

[00:07:46] Evan Francen: So Todd, Todd Thorsen from Code42, was there, a great guy. First time I’d ever met him,

[00:07:53] Brad Nigh: yep. Same. Yeah, really good. Yeah, I thought he had a lot of really good input.

[00:07:58] Evan Francen: Yeah, and then Melinda Ramble Stone, who’s a customer of ours. She’s over at probation medical and I think that this is the second Hacks & Hops that she’s participated in. Okay. Yeah, she was in the first, remember we had to see, so oh, you’re right, okay. She was, that she was at SPS

[00:08:17] Brad Nigh: then so

[00:08:18] Evan Francen: long ago, right? And uh, and she was just, I think, thrilled with the CISSP mentor program. She has five of her employees signed

[00:08:27] Brad Nigh: Up. Yeah, I spent 10, 15 minutes talking to one of them afterwards and you know what to expect and yes

[00:08:36] Evan Francen: And then we had, you know, my buddy Aaron Brown was also on the panel talking about third party risk management. And he, uh, he and I go way back because, you know, I think his company became a customer of ours when we had three employees. So it was like 2010, probably 2011. And since then it’s just been a good proponent and uh, you know, a good common sense guy, builds good

[00:09:02] Brad Nigh: security program. He’s one of those. He gets it.

[00:09:04] Evan Francen: Yeah. Yeah, so it was a cool panel having those three on there. Aaron kept kind of, uh, not pitching but, uh, mentioning Vendefense over and over again. I was like, man, I get it, you’re a fan of that plus your friend. But you know. Yeah, I started to feel a little awkward.

[00:09:23] Brad Nigh: Yeah but we don’t want to be like all sales you. But it is really one of those things where once you find something that you like oh this is so much better than what I’ve been doing, I get wanting to be like do it. He saved us time. So maybe that’s where he’s coming from.

[00:09:42] Evan Francen: Yeah. And I was surprised because you know when you put on an event about third party security risk management it’s like my God. Yeah come to this event so you can pull your teeth and get a dental

[00:09:55] Brad Nigh: cleaning. But we got to watch you get your exercise. So entertaining.

[00:09:59] Evan Francen: Yeah, that’s I was trying to do is try to make it entertaining.

[00:10:02] Brad Nigh: It was good. I think the, uh, the panelists, they did such a good job and you know, you can tell they’ve been there, done that and understand, you know, what they’re doing from both sides.

[00:10:18] Evan Francen: Excuse me. All right. So, one topic I want to discuss today in the podcast is, you know, just mean customers or bully customers. Uh, and it doesn’t really even have to be restricted to customers. Mean bullies are bullies, I suppose. But the reason why this is top of mind was Friday. When I was leaving, uh, two of our analysts, I was walking towards the cafeteria and uh, one of our analysts, one of our associate analysts said, Hey, Evan, got a question for you, my car. Because how do you deal with a bully customer? I was like, all right. Uh, you know, tell me there’s a, what

[00:10:59] Brad Nigh: am I walking into,

[00:11:00] Evan Francen: Right. It’s not just, there’s more to this question than just the question, Right? And then, uh, so, one of our honor, other analysts, uh, sort of chimed in two. And the two of them were telling me about this customer. They have, uh, that truly is just a bully. He wasn’t happy with something. Uh, you know, maybe in the report, but he just wasn’t showing any respect either to the analysts. Think that’s a bigger, much bigger. That’s the bully part. I mean, I get if you don’t like the report or you don’t like what it says, but when you treat people with disrespect, you cross the line. And even to the point where, uh, he didn’t want to have anybody else in the conversation with her. Just he and her,

[00:11:49] Brad Nigh: right? It’s like red flags right

[00:11:51] Evan Francen: away. Big time. Yeah. Like if I say, hey, you know, I want to bring brad into this meeting with me and the client says, no, I want to just talk to you right?

[00:12:01] Brad Nigh: What I was, I’ve been involved a little bit before the meeting and helping get them prepped. But yeah, originally the invite went out to everybody involved on both sides and their person that now could take all those people off on our sides always, you know, project manager and our analysts. And I know I just want the analyst, just me and her and I was like, no, we need somebody there for backing at that point, especially given, you know, a little bit of history around

[00:12:35] Evan Francen: some difficulties. Absolutely. For, I mean, you never want to have somebody feel like they’re fighting alone, right? You know, like there, like they’re just kind of being left hung out to dry. I mean, even if even if an analyst and this isn’t the case here. But even if an analyst did a terrible job on a project, you don’t even make up.

[00:13:00] Brad Nigh: There’s a right way the wrong way to handle it, right? Yeah, we can make it right with the customer and not throw an analyst under the bus, but you don’t get to attack our credibility are, you know, integrity, right?

[00:13:15] Evan Francen: Yeah. So that, so then, you know, it begs the question because I’ve had bully, uh, customers before. I’m not sure if you have. Yeah, yeah. How do we, how do we deal with that?

[00:13:25] Brad Nigh: You know, I think a big part of it is, Well, first of all, now I just sent over Renee

[00:13:31] Evan Francen: rally and that

[00:13:31] Brad Nigh: awesome problem solved. She’s a man. She’s so good at that. You know, I think a lot of times what I found is is it almost more fear and they don’t understand, they don’t know or there, you know, scared for their job or whatever it is now, that doesn’t make it okay. But understanding that it’s not that there his stick you specifically or they’re trying to go after you. Is that right? In this case, we waited five years and then two months before we had to have it done, we realized we didn’t do anything right. Uh, you know, that’s just kind of saying like failure to play on your part doesn’t constitute an emergency online. We’ve done everything we could, we’ve hit these timelines. But it was there still. Yeah, but I think that panicked almost, I think,

[00:14:28] Evan Francen: well, I think you hit the nail on the head to, I mean, it’s a lot of times a bully isn’t a bully. I mean, there’s it’s a symptom of a lot of a deeper issue, right? And I agree with that completely. You know, the last time I had this was a while ago, but you could you could you could just tell that you don’t you don’t not like me because of me. You don’t you don’t, I mean, it’s like a defense mechanism, right? Something’s kicking in. And then, and so as you start talking through it, you know, and at this point, I mean, if you’re already pissed off at me, I don’t really have much to lose. So I can start, I mean, this is an ideal with that and I don’t know if it’s the right way, but I can just start throwing out things like, are you upset because, you know, because you think this is going to reflect poorly on you and you’re gonna lose your job, Is that the reason why you’re upset me.

[00:15:19] Brad Nigh: And I think in this case, a lot of it came around it ultimately came down to language and the language that was used, it was poor communication on what their expectations were originally to us and what we went in expecting versus what some of the others on their team that weren’t involved in the original scoping and all that. So it really, it came down to poor communication and then I think that kind of

[00:15:48] Evan Francen: exacerbated it. Well I think that’s one of the things I really appreciate about you and that’s the same way I do things is when things go sideways look in the mirror first. You know what could I have done different? You know I know that you know when you mentioned expectations that’s in communications, those are the two biggest problems not you know in projects or just in day to day security work. Right. Not everybody really understands what it is that we do every day, right? We’ll just assume that they do

[00:16:21] Brad Nigh: right, and anything to get these, this, I mean, this was truly a custom one-off type project and any time you get that, the chances for that miss just go up because again, we already have an issue with the standard, air quote, stuff and nobody speaking the same language and then you go and really dig into something custom where you’re adding, you know, it’s like putting something into Google Translate and going from like English to Spanish, German to Russian to English and by the time you get back to English it’s like, uh huh

[00:16:56] Evan Francen: offensive Well yeah and I think it takes a certain type of analyst to thrive in custom stuff. You know what I mean? Because I know that you and I I mean I’m probably speaking for you but I enjoy custom stuff because I learned right, I’m doing something I’ve never done before and the customer has never seen it before, so they don’t really know what to expect. So I have some liberty to sort of tell them what to expect and all of it. So, you know, like, I mean, we’re here today, right? We’re here for this week. You’re doing a custom project. I’m doing a custom project and they were cross co leading each other’s custom projects, right? Uh, for a big company, Right?

[00:17:43] Brad Nigh: I love it. I mean, I’m, yeah, you were talking about it yesterday on the trip down. It’s like are over, we have some kind of ideas on how this is gonna go. We won’t know until we actually get in there and start talking to them and then just gotta adjust on the fly and figure it out. And yeah, I love the challenge of that. I’m with you

[00:18:07] Evan Francen: some but some analysts either because that comes with experience to I mean, we’re talking yesterday about how important experiences in an analyst career. It’s not just knowledge, it’s not just knowing everything, right? It’s haven’t been here before and and sort of waited through these waters of uncertainty, right? We didn’t even have an agenda for this week. We still don’t really have an agenda for this week and we’re gonna be walking into a meeting here in a couple hours. Uh, but that’s okay. I mean, we’ve both done this

[00:18:36] Brad Nigh: before. Right. Right. I think, yeah, again, a lot of it is going to be around just understanding the concept, it goes back to good security, right? It’s the foundation the fundamentals. You get the fundamentals right? Everything else builds off of it. It’s the same thing here. You know, what are we looking at? What do we let’s talk about what you’re doing around these things. Yeah. You know, and then look at the evidence and

[00:19:04] Evan Francen: yeah, exactly, we’ll get into the weeds when we need to get into the weeds. Right? Right now,

[00:19:09] Brad Nigh: let’s just figure us out. They don’t know, right, the same thing. They don’t know what they’re, but they’re getting in jail True.

[00:19:17] Evan Francen: So in this case, so this is so that’s a one off case. So going back to kind of the question at hand, you know, how do you deal with a bully customers? Uh, I I think my advice and you know, and see if you agree, my advice is one. You don’t just walk away. It’s not worth it. It’s not worth the stress. It’s not worth ruining your entire day because somebody else is having a bad day or because somebody else can’t deal with bad news, right? You know, that’s that’s okay. It’s an unhealthy situation. And the second thing, if that doesn’t feel comfortable with you is trying to have a maybe wait wait for things to calm down, have a logical discussion about what the issue really is, and maybe the third is get somebody else to come with you.

[00:20:07] Brad Nigh: Well, I think what we try to do at least make it And, and I think, I think we do a good job of it is letting the analysts know if they’re in a position they’re uncomfortable with the customers were there to jump in. I couldn’t make this one. I was on another call. Well, I got that the message that, hey, this is kind of going sideways. Can you help? I couldn’t get out of the cause on, but Renee was able to step in and and help out. Which, but I think from the analyst perspective, that’s huge to know leadership. Hey, I’m uh, this isn’t what I signed up for. I’ve got a problem here and that management leadership has their back. Absolutely. That would be kind of the advice. She got somebody to back you up back you

[00:20:54] Evan Francen: up, one here. I mean, we encourage people to try things they haven’t tried before. We encourage people to fail. You know, because we do have your back. Even if, if you’re not available and Renee is not available, John Harmon’s available, maybe I’ll be available. I mean, whatever it takes, but you never need to feel like, you know, well, you never have to be abused. There actually was a little bit of anger that actually welled up when they were telling me about this. I was like, who is this guy? Right, where does he work? Oh, he’s okay. I’m gonna get my car or my truck

[00:21:29] Brad Nigh: drive over there and have a conversation around appropriate behavior with

[00:21:34] Evan Francen: just with people in general, right? And the fact that it’s one of our employees and somebody that I dearly love and then, and there’s, there’s a male female dynamic. I don’t think that can be ignored here. Yeah, I would agree. You know, so it just all around it. It ticks me off and there’s no customer. That’s worth it. I mean, I don’t care if it’s your best customer that ever lived. You’re not going to don’t take your beating very worth it.

[00:22:01] Brad Nigh: Yeah, I know we’ve had a couple where it’s like we’re not doing anything else with them, right?

[00:22:09] Evan Francen: And the thing is, it almost works to your competitive advantage because they’re going to go to one of the competitors and they have to do it. But you

[00:22:15] Brad Nigh: know what I mean? It’s very true.

[00:22:17] Evan Francen: And we have, uh, it’s the same kind of thing that, it’s actually the same sort of advice I’ve given my children. You know, I have five kids. They all grew up with certain, you know, I mean, a lot of these are just relationship dynamic stuff and I’ve always told them, you know, consider the source. Is the source of whatever berating you’re taking, does it really matter, is their opinion, really matter? You know, if I was doing it as your father, right? Someone who loves you? Yes. That’s, that’s bad. But you know, some, some jackass, you know, on the track team is giving you crap because you walk funny, who cares, you know, you have to learn that over time, but they have to feel supported

[00:23:01] Brad Nigh: to Yeah, it’s a it’s a tricky dynamic on that, but yeah, I would agree. I think making sure that there supported and understanding who is this coming from and that that they are, they have support behind, like that support system there. Yeah,

[00:23:21] Evan Francen: when we can and we take it from, you know, and uh, you know, uh, a consultant perspective, right? It’s different because I can walk away and I still have a job, you know, I understand that, but you and I both spent most of our career on the other side of the table where we’ve had to deal with internal politics or internal bullies and things like that, and so, you know, my advice for those situations is really focus on yourself, focus on your own skills, focus on your own confidence, focus on what who you are and when the time is right, if you can’t change the situation,

[00:24:02] Brad Nigh: leave. Yeah, I think get another job a lot of it that I have done in the past is that kind of that active listening response, because you’ll get that emails or whatever from someone demanding this right now and well, I hear you, I understand that this is a critical important to you and we’ll write, we’ve taken that into into the taking into consideration. Yeah. And we’re, well, we will. And the more dress you need appropriately, the more

[00:24:31] Evan Francen: crappy emails you send me, the lower on the list it

[00:24:34] Brad Nigh: goes. So they don’t need to know that. But

[00:24:36] Evan Francen: that’s not the right answer

[00:24:37] Brad Nigh: either. Right? You give them, you give them that kind of, I don’t know if you want to say it’s not really, it’s deflecting their anger and making them feel like, oh, okay. And it buys you time to actually figure out what’s going on. Yeah. So, again, a lot of the time my experience has been, they just don’t understand, right? And they’re frustrated because something is not working and you don’t know what it is yet, because this isn’t, it’s not like, oh, hey, that lights out tap, tap is on. These are complex systems. It takes time to troubleshoot and figure this out. So,

[00:25:15] Evan Francen: yeah, that’s true. And I guess, you know, as you get more comfortable with problem resolution, you know, these things, you realize if it’s somebody who’s just frustrated because they can’t get their task done or their job done versus somebody who is genuinely a toxic

[00:25:35] Brad Nigh: Yeah. Individual.

[00:25:37] Evan Francen: Uh, because, you know, I mean, we’ve all worked with them, you know, so those toxic individuals, it’s either. I mean, hopefully management. I mean, if you’ve got good management, but in some cases, you know, good management. Sometimes managements the toxic Yeah. Right. But a good management would have, you know, hopefully would identify, you know, those toxic individuals and understand do something about

[00:26:00] Brad Nigh: it. Yeah. And I think, man, I’m trying to think of some I’ve always felt like I’ve had pretty good management support overall. Yeah. There’s always Yeah, there’s there’s always been this once that that are untouchable and there’s nothing you can do and just just kinda Yeah, it was granted. Barrett and when it becomes too much you leave.

[00:26:25] Evan Francen: Well, that’s what I did. I mean, I’ve had at one in particular and I’m not going to name names and I am going to name the company. Uh If you look at my resume in my history, you’ll see he was one of the shortest stints. I because it was like that it was it was toxic. We were not committed to doing things the right way. We were committed to doing things politically and protecting each other and doing stripping shortcuts. Yeah. And so I lasted and you can ask my wife about that time. It was the most depressed time of probably of my Life. I mean, I was just I hated my work. I hated it even so I left. It was 10 months.

[00:27:06] Brad Nigh: Yeah. I mean I had similar where it just wasn’t the right fit. Like the manager would literally stand over your shoulder and watch you work, right?

[00:27:16] Evan Francen: Yeah. You’ve had bad manager.

[00:27:18] Brad Nigh: Yeah. Then the same thing. You know, it’s like eight or 10 months I was just like, you know, it’s not the right

[00:27:25] Evan Francen: fit, right? And I had I had to leave and I had five have five kids, five kids at the times and it came down to it. I don’t even care. It was so unhealthy. It’s like I don’t even care if I don’t have another job

[00:27:40] Brad Nigh: lined up. I just need to get

[00:27:41] Evan Francen: out. I just needed out. It’s not helping me or my family. So I ended up going to a contract position but it was a six month contract. Got us through until you find the right position and then the right position I found was awesome. So yeah, there’s always I don’t have any I don’t have a lot of tolerance for for bullies. Yeah. If you can tell the difference between a bully and somebody who’s just having a bad day. Yeah. There’s a difference. There is. Bullies are just when you can tell the but you can even see the bullies in an office. I don’t know if you’ve ever like when you go to a customer to do a project, you can tell who the bully is because when they’re walking down the hall, people walk around them or people will turn, you know to avoid them. You know, and you can like there’s the bully so if you if you’re just paying attention, you know, you know, you can find

[00:28:30] Brad Nigh: them. Yeah

[00:28:31] Evan Francen: without ever having to talk to him.

[00:28:34] Brad Nigh: Yeah. Yeah. Yeah. It sucks.

[00:28:38] Evan Francen: It does. But, but you don’t have to deal with it. That’s, I mean, I think that’s the key, one, you’re supportive too. You don’t have to deal with it. Nobody needs to subject themselves. I don’t care how crap you are. You don’t subject yourself to a bully. Right, okay. All right. So let’s switch gears. That was interesting. Third party security risk management. And this is a topic. It’s weird. I think I enjoy sometimes doing the stuff that nobody else likes to do. Do you feel that sometimes?

[00:29:11] Brad Nigh: Yeah.

[00:29:14] Evan Francen: I mean like the third, third party security risk management. I actually enjoy it. Yeah, it’s near and dear to my heart and I know you do because you and I have both built security, built

[00:29:25] Brad Nigh: these programs. Makes sense. It’s logical. There’s tangible value to it.

[00:29:33] Evan Francen: And I think if you approach it right, it actually strengthens the relationship between you and your third party, your vendor. Right? Because I can do an assessment of a third party and there’s different ways I can do an assessment. I can do an assessment like, hey, you need to do this, or I can say, you know, I’d like you to fill out or I need you to fill out this assessment so that we can just, you know, and then be more like collaborative the whole process, because I can make your, if through this vendor risk management thing, I can make your security better. That would help you get more customers in this market too. Right.

[00:30:09] Brad Nigh: Right. And we’ve been on the receiving end of these questions where they the client is basically the bully, right, tie that together, where they’re saying exactly that you have to do this stuff you have to do. There’s no black and white. It’s either there or it’s not like you mentioned the control based approach. Do you have this, this and this? Well, no, because we’re doing These other 10 things instead of that one thing and we’re actually bet, what do you mean? No. Right.

[00:30:42] Evan Francen: I could Yeah, that stuff is frustrating because what it tells you, I think from the, the part in that type of scenario when the customer is being like that is bullying. They don’t know what the hell they’re doing compliance

[00:30:58] Brad Nigh: driven and they don’t know

[00:30:59] Evan Francen: what they’re doing. I don’t know what they’re asking. They downloaded a questionnaire from somewhere at, you know, the same questionnaire or something, yep. And they’re just demanding to deal this thing out. And at the end of the day, they really don’t understand what it is they’re asking because the keyword and third party security risk management is risk, not control its third party security control management. Right. Right? It’s risk management. So what’s the risk if you don’t have this control that I’m asking you about? It’s not pass fail? It’s what’s the risk of not having that control? Do you have other controls that, you know, because everything, I mean, it’s just stupid to put a control into an environment if it’s not meant to control risk. Right? If you control for the sake of having control, that’s

[00:31:43] Brad Nigh: Yeah, exactly.

[00:31:45] Evan Francen: Yeah. I was telling you yesterday when we were having dinner about this one place, and I don't think they'll know who they are from what I'm gonna say. But, you know, they want to go and get DLP. Like, why would you want to get DLP? I mean, that's a good technology. It's a good thing. It's not that I don't understand what DLP is, but you don't have anything around asset management, no asset management program whatsoever, and you don't have any data flow understanding, you don't know where data flows throughout your environment. You wanna get DLP

[00:32:17] Brad Nigh: why? You know, well,

[00:32:21] Evan Francen: because

[00:32:22] Brad Nigh: we need to protect ourselves. The checkbox list says DLP. Yeah, it's a tough... well, they still sometimes, like

[00:32:35] Evan Francen: it is. I think a lot of it's knowledge, a lot of it's experience, you know, what works, what doesn't work. Um, you know, understanding that, like the classic one that I always used to run into when I was doing third party risk management for Wells Fargo was, you know, database encryption. "Is your database encrypted?" would be the question. And then you'd say yes, or you'd say no. It was a yes/no question. Right? That's not a subjective "give me a story." So yes or no, and, you know, we'd note... okay, and that's what would get noted in the report. No, I didn't make the determination necessarily. It was the risk manager who made the determination of what risks to accept or not accept. But that would be one that, because at the time the OCC was putting pressure on encryption, encryption was like a big, big, big kick for them at that time. And, uh, some people were failing their audits because they didn't have database encryption, and then you'd be like, well, but can I ask the customer, so can I answer yes on this? Or is there any way that we can put here... because they have, like, super good physical security, right? So nobody's going to steal the disk. And their data destruction practices are awesome and they're auditable, and all these other things are in place that are more fundamental.

[00:33:54] Brad Nigh: I mean, we had the exact thing in the last two years even, where it was like working with a customer, and they got that, and they're like, it's going to cost us, you know, basically you have to redo all of our hardware because our existing hardware doesn't support it, for the database encryption, and cost, you know, hundreds of thousands of dollars. And you had to get through three different layers of badge access to even get to the data center. The data center had camera coverage. Uh, like, you have to have a badge to get into the building, a badge to get to the IT area, and then another badge to get to the server room. It's like nobody's getting there. Right. Well

[00:34:47] Evan Francen: that doesn't matter, right? And that's kind of the, I think a lot of people don't know the reason. So encryption is good. I mean, I'm a security guy. Yeah, right, I'm all about encrypting everything, but where you start with encrypting is in places where you can't assure physical security of the

[00:35:03] Brad Nigh: media, transit. That would be storage,

[00:35:07] Evan Francen: media or transfer media. You know, if I can't physically secure those things, then encrypt. Right. If I can, then I have maybe a case against using encryption. Yeah. Yeah. So how long ago did you run into this?

[00:35:25] Brad Nigh: It would have been, gosh, maybe last year, was 2018. A year and a half

[00:35:32] Evan Francen: Did whoever was asking about database encryption accept their story? No, you had to

[00:35:38] Brad Nigh: encrypt. They had to come up with a plan to remediate.

[00:35:44] Evan Francen: Okay, well, some people don't understand risk, really. Yeah. But, you know, so last week we had our Hacks & Hops. It was Thursday. Loved the event. Did you like it? Those are fun. I didn't like the parking.

[00:35:59] Brad Nigh: Yeah, it's a little, a little or a lot. It was, there was a little parking. You're such a positive... There was very little parking. Yeah, it was a little bit of an issue,

[00:36:11] Evan Francen: but yeah, but we learned from that, right? It's the first time we did it at this venue. And, uh, overall though, to get that many people there to talk about third party security risk management at a place where it's kind of a challenge to get to, uh, it was awesome. The panel, like you said, I thought was great. Uh, if you wanna see some pictures, I guess you can go to my blog, evanfrancen.com, and you'll see some pictures under

[00:36:37] Brad Nigh: the... no, marketing was taking a whole bunch. I saw him taking a bunch of pictures.

[00:36:40] Evan Francen: So yeah, and I like, uh, I like their approach. Kind of across the stage, the panelists all talked about risk, you know, they didn't talk about control-based

[00:36:58] Brad Nigh: security. Yeah, there were a couple that actually brought up, right, you know, specifically those types of things, so

[00:37:05] Evan Francen: yeah, which was refreshing to hear, because at least, you know, we've got four people, we're doing it that way. Uh, so

[00:37:15] Brad Nigh: sure, there's hope,

[00:37:17] Evan Francen: there's hope. Yeah, and Todd Thorson, I really liked his approach. He's very much... now his is a little more hands-on and it's a little more, uh, time consuming, but it's much more relational. I mean, if you've got the time and the dedicated resources to do that, I think that's pretty cool, where he actually has dialogue with a lot of these high risk vendors to figure out, you know, what are you actually doing and what

[00:37:47] Brad Nigh: Yeah, interpreting the answers based on actual feedback. Not just answers typed into a spreadsheet.

[00:37:55] Evan Francen: Yeah. And that's hard to do, because a lot of those answers will be subjective, and so you'll have to take those subjective answers, because one of the big reasons why we do third party security risk management is to be defensible if something bad happens. What do I have to defend myself with if I'm using subjective criteria and I'm using judgment that varies day

[00:38:16] Brad Nigh: to day? Right? Yeah. And then you have to defend your judgment, that you're qualified to do

[00:38:22] Evan Francen: it. Yeah. I don't know if you've ever been questioned on something that happened, you know, two years ago? Like, God, I can't remember why I made that decision.

[00:38:30] Brad Nigh: Two years? Right, even two weeks. No. Yeah, absolutely. And then, you know, if worst case something goes wrong, now you're at even higher stakes, where you're maybe under a deposition, and you're... that happened, I have no idea what, what was I thinking? And well, now I'm interpreting two years later based on my knowledge now, not what happened then. So it's a different... Yeah, that I'd avoid. I like to avoid

[00:39:05] Evan Francen: that too. That's why I like objectivity. I like yes/nos, I like ons and offs and blacks and whites. And one of the

[00:39:13] Brad Nigh: girls, Aaron, had a good point. You know, one of the good conversations was, Todd was saying he doesn't like those yes/nos as much, he likes that, and Aaron was like, no, but if it's a yes, now I've done my due diligence. Now, he came back and said, you know what, somebody came up like an 845 or something, and he's like, let's talk. Right, see, there's still some subjectivity to it, sure, if you want to defend that, but

[00:39:43] Evan Francen: I think you always have some sort of subjectivity because you have human beings involved, you know what I mean? If it was just machines, then that would be different.

[00:39:53] Brad Nigh: But if you set a score and, you know, they have to be at least this, they need to have these five or six things that I've identified as being critical for a high risk vendor, and they hit those things, right? You know

[00:40:10] Evan Francen: When I had that question too, with the panel, about, you know, what if the vendor lies to you? And they all felt uncomfortable with that one, didn't

[00:40:21] Brad Nigh: they? There was a lot of deflection on that one. Yeah.

[00:40:25] Evan Francen: And I'm like, why? I'm just, I don't know, I guess for me I just call a spade a spade.

[00:40:31] Brad Nigh: Yeah, yeah. None of them wanted to say, I would call them out as a liar,

[00:40:35] Evan Francen: But I mean, they wouldn't call and say, hey, you're lying, but you know

[00:40:38] Brad Nigh: you're lying, right? They'll have good answers. You're

[00:40:42] spk_4: scoring an 850 or an eight

[00:40:43] Brad Nigh: 45. I need to see some evidence of this. Yeah.

[00:40:48] Evan Francen: And, you know, well, I wouldn't call it lying. You know, maybe they just didn't understand. Okay. But if you answer a yes/no question with a yes or a no and you didn't understand, that's still a lie.

[00:41:01] Brad Nigh: You shouldn’t have answered that. You should have gotten somebody who could answer it right?

[00:41:05] Evan Francen: Lies of omission and lies of commission.

[00:41:08] Brad Nigh: I liked Melinda's approach of, I would call him up and be like, wow, I'm really impressed by your scores. Can you tell me more about it? And kind of catch them a little bit that way. But yeah, she was, she's pretty funny about, no, you know, I don't want to call him a liar.

[00:41:26] Evan Francen: Right? Well, yeah, I mean, you don't want to be adversarial, right? But, you know, you didn't tell me the truth. Yeah. It's like my kids, you know, brings me back to my kids. I've worked so much on raising kids. You know, my son would borrow something without permission. I would say, what do you call it when you borrow something without permission? He's like, stealing. Yeah, you're stealing, you're a thief.

[00:42:00] Brad Nigh: I had my sixth grade teacher, somebody stole something or took something, and she was like, it's not stealing, it's borrowing without the intent to return.

[00:42:14] Evan Francen: Okay. Yeah. The things we do to justify it

[00:42:17] Brad Nigh: It was pretty funny. She was joking about it. But yeah, I was always, did you take that without asking? No, I just borrowed it without the intent to return, right?

[00:42:29] Evan Francen: Without permission.

[00:42:31] Brad Nigh: Well, you know,

[00:42:32] Evan Francen: So yeah, so the basics of vendor risk management, you and I both know it. Um, you know, it's four phases, right? You start with an inventory, which a lot of people struggle with. But that part actually isn't... just like, you know, like most things we do, it's not hard if you simplify it. You make it simple: accounts payable, right? Who are you paying? You're either paying them through invoices, you're paying them through credit card statements, or you're paying them through reimbursements, probably. There might be some other back-channel way that you're paying them, but you're paying

[00:43:08] Brad Nigh: them. Well, it's funny, as we're going to go through these, but I wrote a blog post for FRSecure in early 2017. It hasn't changed in two years. The basics

[00:43:19] Evan Francen: don't change much, do

[00:43:20] Brad Nigh: they? It's not, yeah, you've just got to start somewhere and do it. But yeah, exactly, inventory. Starting with who have we paid, right? Just tell me everyone, I'll take it from there. Just give me everybody.

[00:43:33] Evan Francen: Then people also have this propensity, I think, to want to get things perfect the first time. They don't want to do anything if they can't get it right. Yes. That's like, just do it. Like policies, we're running into the same thing.

[00:43:44] Brad Nigh: DR planning, BCP, IR plans. Those are the ones we really see that with. And I wonder

[00:43:50] Evan Francen: how much they do that just because... is it just an excuse? Do you really want it to be perfect out of the gate? Because you can't, you always... it's a

[00:43:58] Brad Nigh: cycle, right? Well, it comes back to, I don't think they understand that, right? We've got to have an incident response plan, so we've got to have everything in there. You're never gonna have everything in there. There's always going to be something that comes up. It doesn't matter how long your plan's been around. Same thing: just start with something, right? Yeah.

[00:44:20] Evan Francen: So, you know, it's that first phase, you know, starting your vendor inventory. You don't even need a highly skilled person to do that. We're thinking about, at SecurityStudio, uh, training junior level analysts. You don't have to have security chops to do that. All you need to do is get up, go talk to accounts payable: can I get a list of vendors? They'll know what you're talking about.

[00:44:45] Brad Nigh: And hey, if you can tell me that, well, that'd be even better. Right? Who's the owner of that? Great.

[00:44:53] Evan Francen: Well, that's where we start. That's the second part. That's a perfect segue.

[00:44:58] Brad Nigh: Yeah, but it just flows

[00:45:01] Evan Francen: right, because the second part is, okay, we need to classify our vendors. We classify our vendors according to inherent risk. And inherent risk is one of the, uh... some people are like, I don't know what that means. It's just the risk involved in using something without accounting for any controls. Right?

[00:45:18] Brad Nigh: Right. That's your inherent risk. If I give them my data, what am I at risk of, or what am I giving them? What is the risk of what I'm giving them, exactly as it is.

[00:45:30] Evan Francen: Exactly. So the way we traditionally do that is we identify who the business relationship owner is, the person who actually engaged or sponsors that relationship with the vendor, and ask them a series of maybe five questions to help us judge inherent risk. That's the traditional way. And I think the way we're going to add a second feature to VENDEFENSE, we're going to have the vendors classify themselves. So have the vendors answer, what kind of data do you, uh, collect from us? What kind of, uh, you know, access do you have, logical access, physical access? You know, just ask those five sort of questions of the vendor too, and then have them attest to it. Uh, and then maybe even have it put into the contractual language, you know, so that way, if it's too much

[00:46:21] Brad Nigh: work... I mean, you know, I can see that when you're onboarding a new vendor or looking at renewing a contract, because

[00:46:30] Evan Francen: we know the right way to do it is to have you classify, right? But if that's too difficult, back to our point of not having to get it perfect, right? Here's another alternative. It's a little less ideal.

[00:46:42] Brad Nigh: Yeah. It doesn't have to... there, this is my immediate thought. I've dealt with vendors, and people bend the truth to make it meet their needs, and that's a concern.

[00:46:58] Evan Francen: But if they do that, you're never going to be able to stop that. And so if the goal of this vendor or third party security risk management is defensibility and the vendor lies to me...

[00:47:08] Brad Nigh: It's no different than if they did on a questionnaire.

[00:47:10] Evan Francen: Yeah. I mean, it's less defensible than if I already knew. Like, let's say I have my iPhone. Oh no, that's gonna be a difficult one. Because I know I gave you my iPhone, right? And I've classified you according to that, versus you certainly have access to my house maybe, and you have access to certain things, and I don't know what things you're taking and leaving. That's sort of my responsibility, because I own the house, for me to know what it is that you're taking and giving. So it's a little less defensible for you to do it versus me doing it, if you're the vendor. But it's better than nobody doing it.

[00:47:45] Brad Nigh: Yeah. I mean, I think ideally you get both sides to do it. That's kind of the Nirvana. Yeah, because then you can match it up and go, oh, time out, guess what? There's a miscommunication, right?

[00:47:58] Evan Francen: Whatever happens, back to our

[00:48:00] Brad Nigh: right. Internally they said you were low risk, and you're saying you have full access to our entire network. What? I didn't know that. Right?

[00:48:10] Evan Francen: Yeah. So I think that's where you end up eventually. Right. But in this first, what's currently in our VENDEFENSE tool is the customer classifies their vendors. I think what we're going to add next is the option for the vendors to classify themselves. Yeah. And I think where you marry these things up is, you know, the client classifies their vendors and then the vendor confirms that classification. Um, but that's all just inherent risk. And it sounds like it's really complicated, but that's such a quick process. I mean, to answer those five questions, is there

[00:48:46] Brad Nigh: More than five questions? It's typically pretty

[00:48:49] Evan Francen: fast, and then they fall into one of three buckets, right? High, medium or low. No sense in making it complicated, because I've seen some organizations go like P1, P2, P3, P4, P5. Well, that's a P5 vendor? Is that good or bad? P5 means... take the janitor. Okay, so P1, which ones get what questionnaires? I mean,

[00:49:10] Brad Nigh: it just becomes a management overhead nightmare, right?

[00:49:14] Evan Francen: So don't over-engineer it either. The third phase is just the residual risk questionnaire. If you're a high risk, I ask you more questions, and if you're a low risk, I may not ask you any.

[00:49:24] Brad Nigh: Yeah. And it's kind of funny, because I'm actually on the receiving end of that for FRSecure right now, from some of... so many people using VENDEFENSE. Like, wait a minute, because I'm supposed to do that to us, right? But it's, yeah, it's kind of fun too. I like it, to be on the other side a little bit.

[00:49:43] Evan Francen: Well, it shows that you're actually taking this seriously. I mean, we have like 1200 customers. How many questionnaires have we gotten?

[00:49:51] Brad Nigh: I've gotten three this month, or in March.

[00:49:55] Evan Francen: Three in March. So that's probably more than all of last year. Uh, they're probably all generated from us. It's our... oh yeah, it's our own vCISOs saying, hey, you

[00:50:03] Brad Nigh: should. It's all of us. It's actually all people doing VENDEFENSE. Actually, we've had a couple of vendors that... when our clients, when we've net new, like starting new with them, they've had some things that I've had to answer. Luckily, that wasn't me before. Apparently it's me now, but it wasn't me.

[00:50:24] Evan Francen: So then the third phase is doing those assessments, getting the results back. We like objectivity because objectivity I can score. I can also score subjectivity, it's just a lot harder to do. So keep it simple: objective answers, yes/nos, produce scores based on risk, and then set thresholds. Right? And so we do that programmatically, but you can do that with spreadsheets too. That way you take my judgment out of it. If I say, we agree or it's in policy that we don't do business with any vendors that score a 700 or less, well, it's black and white, right? You scored a 650. Right? We have some remediation

[00:51:13] Brad Nigh: to do. And that's like the first part of our risk management stuff. Let's set our policy, let's set our procedures. Let's say we're gonna say 660, with... they must have a DR plan, must have training, must have policies, must have an IR plan, right? Those four things and the 660. There's gonna be gaps. We're not saying you have to be perfect, right? We're just saying

[00:51:40] Evan Francen: Yeah. Hey, so don't lie on the questionnaire and tell us you're an 850 either, by the way. So if anybody's listening.

[00:51:44] Brad Nigh: Right. Well, and that's the other thing is, at what point do we go, all right, we need to look the other way and say, or, anybody above a 750 now gets additional scrutiny.

[00:51:55] Evan Francen: That’s

[00:51:56] Brad Nigh: perfect. But it's all set out. That's like the first, and then... but then everyone is consistent.

[00:52:02] Evan Francen: Well, yeah, and you've got data, right? So what you're saying is start at, you know, anything below 700 without these critical controls, we won't do business with. So above that, with critical controls, we're good. But then you have those people that are 850s or

[00:52:18] Brad Nigh: Whatever, anything like eight

[00:52:19] Evan Francen: hundred. Right? And so you'll create this trend over time. This is what they've scored. And you'll be able to identify those outliers as, that's a red flag. High or low, that's a red flag.

[00:52:32] Brad Nigh: Right, exactly. That's what you're trying to do, right? So that anybody could walk in, look at that and go, oh, I've got a problem over here. Or, you know, and then there's always the, this is a critical vendor, they're the only one that supplies this particular service.

[00:52:47] Evan Francen: Yeah. Those depend on...

[00:52:48] Brad Nigh: One out, and they don't have... they scored a 400. What do we do? Yeah. Cry

[00:52:55] Evan Francen: or... yeah. Or buy a hell of a lot of insurance, or get them bonded. I mean

[00:53:00] Brad Nigh: something. Make sure that you can do... you have to do these things by this time.

[00:53:05] Evan Francen: That's a lot better to know that than the alternative, which is surprise. Yeah, exactly. Have no idea. Because, you know, we know the statistics. Everybody's seen them. I think a lot of people bury their heads in the sand, like, I'm gonna pretend they don't exist. But if 60-ish percent of all your breaches come through vendors directly or indirectly, you better start doing... so that's the fact, right? It's like, uh, you know, do you have any risk management program? No. Okay. Well, do you realize that this is true? Yeah. Do you see a disconnect in what we're talking about here? Big risk doing nothing, right? Yeah.

[00:53:45] Brad Nigh: I think the plus is we're starting to see that turn a little bit, and people are finally coming around. It just took

[00:53:55] Evan Francen: well, still, I mean, the biggest bucket of those four, you know, I mentioned, you know, there's four buckets. There's people who do nothing. There's people who struggle, they do it with spreadsheets manually. It's hard as hell. That's gonna be the biggest one, is my... that one? No, the biggest one is doing nothing, by far,

[00:54:11] Brad Nigh: truly. Yeah. Well, you know, that makes sense, because they see... looking at doing it with spreadsheets and just, no. So it's too daunting. Yeah.

[00:54:22] Evan Francen: Well, still the biggest motivator in our industry is compliance. So I've been told I have to. If nobody's telling you you have to,

[00:54:29] Brad Nigh: I'm only going to get in trouble if there's a breach and they give a finding. And at that point, it doesn't matter. Yeah. They're going to have a finding anyway, right?

[00:54:37] Evan Francen: It's kind of a catch-22 of that compliance-based approach to security. I'm gonna do what I've been told to do, and then you get banged, you know, something bad happens, which is going to, because you have no idea where the risks are. And then they come in, you know, they're gonna ding you anyway. Right? So what we're gonna get

[00:54:56] Brad Nigh: flushed out of this is, we've got lots of work ahead of us. So

[00:54:59] Evan Francen: Oh yeah, I love it. We're good to go. Yeah, I'm not complaining about that at all. What bothers me is that, you know, and it goes back to my belief that security is all about people, it bothers me that people suffer because you're not doing it right, or you don't take it seriously because you don't care. That's what bothers me. Yeah, I'll have a career forever.

[00:55:18] Brad Nigh: Yeah, as long as

[00:55:20] Evan Francen: I live right, I get you. As long as I can think

[00:55:23] Brad Nigh: and you don’t lose

[00:55:24] Evan Francen: a finger. Right? So anyway, so those are the four phases: phase one inventory, phase two residual risk... phase three, or classify... sometimes people say phase three is, uh, sorry, inherent risk was phase two, phase three residual. Let's start over: phase one inventory, phase two inherent risk, which is classification, phase three is residual risk, that's the actual assessment, and then phase four is treatment. What am I gonna do? You scored well, you scored bad, do I cycle you through the next year? Um, and so when you look at those, you can't shortcut it. No. I mean, that is the essence of what third party security risk

[00:56:05] Brad Nigh: management is. That is the shortcut version. That's as simple as you can make it.

[00:56:09] Evan Francen: Right? And so, you know, looking for an easy button, an automated thing, which leads us to that third bucket too, which is the partial insights, SecurityScorecard. They're good at what they do, it's just one part of security, a small part, right? Like I said, those four steps, you have to do those four steps, period. And then, you know, the top bucket is the good, which I think is probably... it's the smallest of the four, but I think it may be the fastest growing. I

[00:56:44] Brad Nigh: think it's like the bell curve. The early adopters.

[00:56:48] Evan Francen: Oh yeah, innovators, early adopters, early majority, late

[00:56:53] Brad Nigh: majority. We're kind of maybe starting that early adopters phase of that. The innovators were the ones doing this

[00:57:04] Evan Francen: like Wells Fargo. For now, they over-engineered it,

[00:57:07] Brad Nigh: but they were doing it forever and doing a good job with it.

[00:57:12] Evan Francen: Yeah, I think a lot of that was just pushed through, the SEC really

[00:57:16] Brad Nigh: hammered on them. But even if you have a regulatory push for it, if you do it correctly, I mean, I don't care if that was your motivator, as long as you're doing it right. If you're doing it right. Yeah, I agree.

[00:57:34] Evan Francen: And so, you know, and then on top of that, one of the problems, and it's in chapter one of the book, is this translation of language. Right? So if I've already had a risk assessment done of me, meaning this is how risky it is, basically, to do business with me, I have a score that represents that. I should be able to use that score to communicate with other people. And so that's the purpose behind the FISASCORE and having VENDEFENSE use the FISASCORE. And because, you know, if I believe in the FISASCORE, you know, then I can just look at vendors. Oh, here's four for this one service that scored 700 to 720. Now, the way we tackle the lying part of it is it will clearly show whether this is a validated assessment or a self-assessment, right? If it's a validated assessment, that carries a lot more

[00:58:28] Brad Nigh: weight, right? A third party came in and

[00:58:33] Evan Francen: Yeah, yeah. So, uh, anyway, that's, you know, it was a great event. I enjoyed it. Uh, and I think we've got a long way to go, you know, with this, but it's exciting. There's a lot of good stuff coming.

[00:58:46] Brad Nigh: I’m excited. Yeah.

[00:58:49] Evan Francen: So anything else? Any other advice on third party? If you had one bit of, like, parting advice on third party security risk management, what would it be?

[00:58:57] Brad Nigh: Like with you, just do something. Do something, just do something.

[00:59:02] Evan Francen: Yeah, anything. Just do it. Just,

[00:59:04] Brad Nigh: just get started?

[00:59:06] Evan Francen: Well, yeah, it's like BitSight and SecurityScorecard are better than nothing.

[00:59:09] Brad Nigh: Yeah, just start with your list of vendors. Do you even know? You know, I would even... because how do you know who to put in there? Just get a list of who you're dealing with. Exactly.

[00:59:20] Evan Francen: All right. So we covered bullying, we covered third party security risk management, two of probably the most exciting topics ever, right? Because there's a lot of hacking and blinky lights and all that discussion. Uh, now on to some news. Um, did you have time to catch up on the news this week? Do you? Okay. Because I sometimes do, I have some weeks, right, I can more than others.

[00:59:44] Brad Nigh: Well, I read through those articles you put out there. I've seen a couple other things. But

[00:59:50] Evan Francen: yeah, there's so much stuff going on, because, you know, every week is crazy. I mean, you could spend all week just reading the news. There's a breach here, a breach there, this happened, that happened. I mean,

[01:00:03] Brad Nigh: it's funny, that's one of the common things we get asked about, you know, the fact that the vCISOs... is, do you guys help keep us up to date? Like, there's just... people are overwhelmed. It's like, yeah, it's kind of one of the things we try to do, is wrap up weekly and then, you know, send out updates that are relevant, so you're not just getting spammed with everything, but at least relevant to your organization.

[01:00:30] Evan Francen: Yeah, I think our analysts do a really good job. Michelle, and is it, uh, Victoria? Victoria putting them

[01:00:37] Brad Nigh: together now? Victoria?

[01:00:39] Evan Francen: Michelle? Michelle? Michelle. Well, I was thinking Code42, you know? All right. So Michelle and Victoria

[01:00:46] Brad Nigh: Victoria's owning that now. And

[01:00:47] Evan Francen: they do a great job. I actually look forward to that every

[01:00:50] Brad Nigh: week. Their little take on it. And it's fun to watch and see. Yeah, they don't grow

[01:00:57] Evan Francen: up. It reminds me of like our own flavor of SANS News

[01:01:00] Brad Nigh: Bites. Yes. Yeah, I agree. Yeah.

[01:01:04] Evan Francen: And so for listeners, you know, SANS NewsBites is a great resource. Uh,

[01:01:09] Brad Nigh: their Internet Storm Center, that five-minute... that's a good podcast

[01:01:14] Evan Francen: with, uh, I was thinking Lars Ulrich, he's the drummer for Metallica. Uhh, I forgot his name. Sorry. You know what I'm talking about? Yeah, he's good. All right. So, um, yes. Crazy week. This week we're traveling, we'll be back next week. This is the first time you and I have ever traveled together on a project. That's sort of cool. And it's been over a day and I don't think you're pissed at me yet, right?

[01:01:42] Brad Nigh: Not now. Yeah. Good, good. Now that... it's funny. We're both so laid back. The biggest issue is actually making one of us, like, we're like, what do you want to eat for dinner? I don't care. What do you want? What do you... we gotta do something. Where's my wife? She's right.

[01:01:58] Evan Francen: Well, it was snowing yesterday. Yeah. We had some good barbecue though in Buffalo. Shout out to Fat Tom's... no, Fat Bob's. Fat Bob's. Three-letter name. Yeah. Yeah, shout out to Fat Bob's.

[01:02:13] Brad Nigh: And those wings were probably the best smoked wings. They were just amazing. They

[01:02:19] Evan Francen: were the bomb. They were very, very good. All right. Uh, next week we have the, like again, we have the CISSP Mentor Program coming up next week. It's not too late to sign up online, remote access. The in-person registrations are sold out. Uh, they sold out months ago. But, um, I mean, honestly, if you just showed up, I'm not going to kick you out.

[01:02:42] Brad Nigh: There's not going to be a desk for them. But yeah, I think what we saw, get on the waiting list too. I think that should be on the website. And usually after, what, maybe five classes, the in-person seems to thin out a little bit, and so we can start, hey, it's now available. It's, you know,

[01:03:01] Evan Francen: people and you know what I would do, I would just show up and just stand in the corner and stare at somebody awkwardly until they leave intelligently. Then I take their spot. There you go. So if you feel comfortable doing that, feel free. Yeah. All right. So news that caught my uh and if you want to go that it’s FRSecure dot com. There’s the events page where you’d find that CISSP Mentor Program. If you thought about your CISSP before and you want some free awesome training

[01:03:28] Brad Nigh: yourself Brad. Is it really free? Absolutely, buy the book. No strings attached. You don’t have to buy the book. No,

[01:03:36] Evan Francen: just come and listen to listen. uh yeah we started it’s just crazy six students in 2010. I don’t know how

[01:03:43] Brad Nigh: many again. So here’s the weirdest part for me. I’ve had people start coming up and being like, yeah I love you guys. You guys are great. You know and they know us. I have no idea who they are because they spent 14 weeks watching us talk two hours and I are video. Yeah. They know who we are. They feel like a connection. I’m like I’m not used to just go through the blog, hug, the podcast the same thing. It’s like I’m

[01:04:12] Evan Francen: not used to that. It’s good to hug wish him the best. Yeah. All right, so news that caught my eye this week. Microsoft seized 99 websites used by Iranian hackers for phishing attacks. That makes me happy. I think love them or hate them. Microsoft. They’re good. What I call netizens

[01:04:34] Brad Nigh: citizens Like I think I feel like they’ve really improved uh and done been very proactive with a lot of that stuff.

[01:04:43] Evan Francen: Yeah. So this is you know if you Google Microsoft seizing 99 websites, you’ll find all kinds of news about it. But the one that I have here is from HackRead dot com. The title is Microsoft seizes 99 websites used by Iranian hackers for phishing attacks. Uh the date is March 29. So this particular news story isn’t that old. But they seized these 90 999. Just one more and you can admit it. Triple digits. You couldn’t have found one more website? 99. You just stop at 99. Like we’re so close. I’m done. Good enough. Yeah. Uh so the the Iranian hacker group is known. Uh there’s a lot of names for him, Phosphorus, Charming Kitten and APT35. I like Charming Kitten. I think it’s a kind of a cool name.

[01:05:36] Brad Nigh: They were the ones that

[01:05:37] Evan Francen: were uh if I if I called myself Charming Kitten, do you think anybody in the office would actually call me? Mr. Kitten, Charming Kitten, Sir Kitten, Lord Kidney.

[01:05:49] Brad Nigh: Yeah. No, I mean maybe, but they were behind one of the wasn’t But they want the ones behind one of the uh two factor hacks a couple earlier this year. I thought they were Charming Kitten. Yeah, I don’t know but that the SMS uh for some reason. Um Oh anyway

[01:06:18] Evan Francen: yes you’re right. Yeah. They bypassed Gmail and Yahoo’s two factor authentication. They were targeting U.S. officials. That was December last year. Well it’s because I clicked a link here. I mean it sounded like I really knew what I was talking about the article. Yeah

[01:06:35] Brad Nigh: as you can tell that’s what it was like having that article. I just uh so here’s the behind the scenes totally just

[01:06:42] Evan Francen: skimmed transparent because I could have you could have been like wow you were up on this stuff aren’t you?

[01:06:48] Brad Nigh: Well I just skimmed the articles so I didn’t actually like click links in the article. So

[01:06:53] Evan Francen: Yeah so anyway they took down 99 websites. uh They’ve been Microsoft claimed that they’ve been monitoring this group since 2013. So this was a six year 56 year operation. Uh That’s a real concerted effort. Um But it’s it’s great. I mean take them all down. You know I don’t know if you’ve ever done this before when I was at U.S. Bank. We took down webs websites a lot, phishing websites. Yeah it’s like playing whack a

[01:07:25] Brad Nigh: mole. Yeah. Well my first thought was that’s great. It probably set them back. What 45 minutes if that.

[01:07:32] Evan Francen: Yeah I mean it’s it’s how hard is it to set up a new website right in the new?

[01:07:37] Brad Nigh: Well I just figured with 99 it might take a couple of minutes per so.

[01:07:41] Evan Francen: Right well then you’ve also got the fact that you know they’re not using their information to register these websites. You know it’s all stolen data but anyway it’s I like the fact that Microsoft is doing something. I’d like to see. You know More of this kind of stuff but it is like whack a mole, pop down these 99 and another 99 will be right behind him. Uh, so that’s good news. FireEye debuts their Windows Commando VM as Linux, as a Kali Linux rival, which is nice because this is the first Windows hacking environment that I know of that’s actually got

[01:08:25] Brad Nigh: any Windows treasury the whole Linux um, yeah, subsystem interpreter or whatever, which, which is good. You’re kind of opening up. Yeah, that was talking, I can’t remember who, but we’re talking about that. And uh, I know some of our pen testers are, we’re already starting to move out of the VM to be able to do because it’s just so much faster right now. I think it starts seeing more of this type of thing.

[01:08:59] Evan Francen: Well, I like, you know, this should bring because, you know, if you want to be a skilled penetration tester hacker, you have to know Linux, just have to, um, maybe this makes it more available to more of the masses. Right? I mean, and I don’t necessarily have to know Linux who

[01:09:18] Brad Nigh: has the hugest, hugest good English, the biggest market share Microsoft. Right? And so the Linux Philip is kind of where it was at. I think Microsoft saw that opportunity, that’s why they made that interface available. Right? All right, well let’s go,

[01:09:35] Evan Francen: well, it’s nice to have some competition too because Offensive Security with their Kali Linux is like the thing, right? There are other platforms out there. It’s not actually the thing but it’s by far and away the most popular. Yeah. And so now you have this, You know, Mandiant creates Commando VM and you’ve got a Windows one. It’s nice to have this competition. Yeah

[01:09:55] Brad Nigh: I was reading that and I’m like I would totally do that. I don’t have you know, I couldn’t set up of the with with a lot of guys so that I could do this.

[01:10:06] Evan Francen: Yeah. Right. Yeah. So it’s good news. I like I like seeing it and certainly Mandiant knows their stuff. Right? I mean Kevin Mandia and his whole team is just the bomb, thankfully they’re so damn expensive. It leaves room for other people to make a living also. Uh Yeah and that’s actually one of the reasons why we’re here is you know, doing stuff after Mandiant leaves. Uh not that I think we’re as good as they are, just two different things.

[01:10:40] Brad Nigh: Right, complementary

[01:10:42] Evan Francen: service. We’re very good at the things we do. Mandiant is very good at the things they do and I think together it’s you know, it’s a great it’s a great thing. So anyway, FireEye Windows Commando VM. If you’re interested in penetration testing or you want to maybe you have some IT folks you know some you know you manage some people that want to get into penetration testing or security uh pointing that way, you know pointing towards Windows Commando VM, have them mess around. Uh, last news I have is companies will stop storing data in Australia, Microsoft warns, and this all comes from that anti encryption law that us that Australia passed. Um, I don’t know if they passed it or not, but it’s called the Telecommunications and Other, Telecommunications, when you put “other” in legislation as the title, Telecommunications and Other Legislation Amendment, TOLA Act of 2018. So I guess the point in this, the reason why I thought it was interesting, this comes from Naked Security.

[01:11:43] Brad Nigh: I’ve got I’ve turned you around on that you did.

[01:11:47] Evan Francen: So companies will stop storing data in Australia, Microsoft warns, is the name is the title of the article and it’s sort of interesting. Uh, because I disagree with what Australia’s going to

[01:12:00] Brad Nigh: write. Well, that’s what you’re gonna see. Right? Hey, we’re gonna start forcing these backdoors. People don’t know. All right, by right. I mean, it’s

[01:12:07] Evan Francen: not worth it. I don’t trust the government any more than I trust Google any more than I try

[01:12:12] Brad Nigh: even with the best of intentions as soon as you implement that back door. Right? That that risk has just become, it’s not worth it.

[01:12:21] Evan Francen: Right. And how many stories do you hear of government contractors getting busted for stealing and selling sensitive information. I’ve never heard that before.

[01:12:29] Brad Nigh: Right. The other thing it wasn’t implemented correctly. Right. Even if it was a mistake, it wasn’t intentional. Uh, he’s here all the time. Yeah, well they were doing this, but it wasn’t done

[01:12:39] Evan Francen: right? So big warning to Australia because Microsoft, they got a big stick and uh, yeah, we’ll see what happens from that. I don’t hear any news. I mean, I don’t hear anything on the state side. You know that the US is thinking about adopting anything. They’re too busy. You know, we got the anti Trump and the Trump service still fighting each other. I don’t think they know what they’re doing right now. Uh, ton more news, but I think, you know, we’re just, we’re just about out of time. We could talk about breaches, bugs all day, just about every day if we wanted to um before we sign off Brad, any parting words of wisdom, do something, do something that’s Brad’s wisdom today, or your security program, do something, do something for crying out loud. Well, it’s great to have you back, man. Even when you’re gone for just a few days, things are different. Um yeah, I think my wisdom today, I woke up at two o’clock in the morning with a thought and I thought was just be yourself. I mean, it was like, I couldn’t and I I couldn’t go back to sleep until I wrote it down. So actually got up, typed it out and went back to bed and I woke up this morning and uh, but I think that there’s so much truth to that just be, you don’t try to be somebody that you’re not and don’t try to impress somebody, just be true to yourself because that’s really what the world needs. Any, I need Brad to be Brad. I need me to be me and you know, so I think that’s my wisdom for today. Uh don’t forget you can follow Brad on Twitter uh and it’s at bradnigh, B R A D N I G H. Or follow me at Evan Francen, E V A N F R A N C

[01:14:29] Brad Nigh: N. C. A great picture of us at the airport.

[01:14:31] Evan Francen: Yeah. What’s the picture? Yeah. Yeah. And I’ll post some more stuff. Usually, I don’t know, I’m probably posting 5-10.

[01:14:39] Brad Nigh: Doing far more than I well,

[01:14:42] Evan Francen: yeah, it’s a big thing. Sometimes you can also email, email us on the show. We’d love to hear what you like, what you don’t like, what we can do better at unsecurity at protonmail dot com. Uh That’s all I’ve got. Thanks. And we’ll see you next week.
