
Episode 11 - Implementation Models

Zach, Lauro, and Mike welcome 2021 by diving into one of their favorite topics, Cybersecurity Implementation Models. They discuss the different ways companies build cybersecurity programs and the considerations for finding the right method for your organization. Whether you're considering a DIY approach, hiring a cybersecurity firm, or getting a vCISO, this episode rants about the types of cybersecurity implementation models along with the pros and cons of each.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe! 

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber security criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez. A lot of interesting things happening in the world; won't go too in-depth into that right now, but needless to say it's a new year. I think we have a lot to look forward to. I'm optimistic about it. I know there's a lot of craziness, especially in politics right now, but there's a lot of good things happening as well, most of which the media doesn't cover. But with that said, why don't we hand it over to Mike Rotondo for the news.

Good day and welcome to 2021. Here's the headlines. Some bad news for Zyxel: secret backdoor discovered inside of firewalls and AP controllers, and then the companion story, hackers start exploiting the new backdoor in Zyxel devices. Apparently there was a hard-coded credential in there that was used for FTP that hackers are using to exploit Zyxel's firewalls, so if you got one, patch it. GenX Pharmacy ransomware attack resulted in a data breach. GenX, and I'm sure we've all seen those commercials, or GenRx I should say, we've all seen those commercials, they've been hacked. Some patient data was stolen, but they were able to fend it off pretty quickly. Hey, remember Ticketmaster? Guess what they did: they hacked a rival business. Hired an employee from another business and then used them to go ahead and hack into that former business, so that's all cool. They did get a 10 million dollar fine for it. PayPal users targeted in a new SMS phishing campaign, so if you're using PayPal and you get an SMS, be careful. Malware is using the Wi-Fi BSSID for victim identification. They're using this to geo-locate you and give them an idea of where you're actually at, and then tailoring malware for you. I didn't want to do a whole lot of SolarWinds, but there are two pieces of SolarWinds I wanted to talk about today. SolarWinds hit with a class action lawsuit following the Orion breach. I think it's fair to say that SolarWinds is going to be sued to oblivion at some point here, and it's too bad. FBI, CISA, ODNI and NSA blame Russia for the SolarWinds hack. That's gonna happen as well, so there'll be more investigations into that, hopefully. Major gaming companies hit with ransomware linked to APT27. APT27 is a Chinese APT, and apparently they like playing video games. Most public sector victims refuse to pay ransomware gangs, which is actually really good news. It found 86 percent of public sector respondents targeted with ransomware refused to pay, which, yeah, is great news. Unfortunately, non-public companies are paying out at a much higher rate, almost 69. And lastly, IoT Cybersecurity Act successfully signed into law. This is gonna help the federal government deal with vulnerable IoT devices as they go forward. So that's the headlines for today, and Lauro, anything you want to add?
Well, welcome to 2021, right? So as we start from the bottom moving upward, not a lot of major vulnerabilities to be patching for this last week, just a lot of Gentoo Linux. Oracle is still having some issues, so if you're running Oracle, check that; if you're running Gentoo Linux, check that. Also, if you're running WordPress, there's a new shell upload that's just been published as a working exploit. I think it's probably good to go ahead and make sure that you don't have the wpDiscuz plugin running, and that's the plugin to do discussion board type stuff. Version 7.04 and previous are vulnerable to this shell upload, which is pretty serious, and then you're gonna get the rest of the server compromised just by that one WordPress shell upload. So if you got WordPress, make sure you look at that, and that's about it. Hope everybody had a great holiday season.
What are we talking about today, Zach? Take it back.

Today we have one of my favorite topics, which is implementation models around cyber security, and so let me back up a little bit and talk about why that matters. We get a lot of companies that will reach out, especially business-to-business technology companies, software as a service, system integrators, companies like that. They're emerging and mid-market companies, they're growing, things are going well, they're getting new clients, have good revenue coming in, and then all of a sudden, boom, they hit this cyber security growth ceiling, I call it. And what that is, is when eventually they start to get to the point where they're trying to land more and more large enterprise contracts. They're going after the Fortune 500, Fortune 1000 companies, and they got a big fish on the line. Their sales people are all spun up and excited, ready to go, and there's this million-dollar contract sitting out there, and then comes the cyber security questionnaire from that prospect, right? It's something that they're not prepared to answer; it could be 100, 150 detailed questions about their cyber security practice. And it's at that point they realize, wait, we've never actually formalized a cyber security program. I mean, yeah, we have firewalls, we do some patching here and there and that sort of thing, but we don't actually have a formal program in place, so what do we do now? And so they come to us and start to ask, or certainly other companies all over the country, right, cyber security service providers, and they try to figure this out. Right, the first thing is that they're kind of in this infinite sea of options. There's a lot of hype in the cyber security industry right now; there are a lot of people selling snake oil, and there's a lot of good stuff too. But for the people that don't have a background in it, how do they weed through this kind of mess of stuff that's available out there?

So today we'll talk about the different models when it comes to building a cyber security program. What are your real options? Right, the first obvious place where a lot of organizations, especially the small organizations, start is the DIY model, the do-it-yourself. There are a lot of platforms and things coming up that are making this a little bit more realistic for companies, and for some companies that's their only choice, right? If you have three or five people in an office and you need to get there and build something, a lot of times you got to get down and just do it yourself. You may not have the money and resources to know how to find the right people to bring in to do it, so a lot of people go after the do-it-yourself approach. And there are certainly pros to that, right? You could potentially save money, but the problem is, what's your time worth, right? If you're building your security program, what's your time worth? But a lot of times it's better to do this and start here than just do nothing. All right, so a lot of people end up doing a little bit up front, the do-it-yourself model, and then eventually bring somebody in, because it does take your team's approach from their core business activities into trying to figure out cyber security, which is probably not their issue. So I wanted to cover that part first, just get that out of the way. The do-it-yourself model I think is pretty obvious, but the next comes into the hiring of in-house security professionals. I know Mike and Lauro, you both wrote a lot and spoke a lot about bringing people in-house, certainly beneficial, and I think every company should try. But what are your thoughts, what are the struggles companies are running into when it comes to that approach, and if they're going to bring people in-house, how should they go about doing that?

Well, the number one challenge with that is simply scarcity of resources. I mean, finding a cyber security resource that would want to come to a small shop full time is going to be minimal, because, and the other thing is, are you going to be able to find someone who is senior, or who knows the strategy, but is also willing, most likely in a small shop, to have to shoulder the burden, be it assist with the network, assist with the servers, assist with, you know, do the end work that they're going to need to augment? And most small companies aren't going to be able to do that. So scarcity, and then finding that actual resource, and finding someone with an actual skill set that will satisfy that. But when you do find that person, I mean, they can be great. They have to be supported, but they have to be paid as well, and that's the other challenge that small businesses find. I mean, we see that all the time, right?

Yeah, absolutely. I think there's nothing that can truly replace having somebody in-house, but chances are most companies aren't going to be able to find the jack-of-all-trades, the kind of savant genius that can do everything.

Yeah, I know, I completely agree with what Mike's saying, and the other challenge is knowing your environment. And so in the case of the small business, it's like, you've got budget for one person. Are you gonna be able to get, like what Mike and Zach are talking about, one individual that's gonna be able to juggle all of the cyber security tasks and actually want to do it, when they know, most of the time, he or she will know that they can go to a large organization and play as a member of a larger team and then not have to shoulder such a burden, right? In a more organized organization, that may be more attractive to them than maybe making 10 or 15 grand more having to shoulder the majority of the work at a small organization, because they just don't have the support. And then that may be a question also for the security professionals out there: is that something you wanted to do? Because there's certainly a lot of organizations out there that could benefit from a jack of all trades that wants to come in and manage that program, and the organization is the size that's adequate, and with the technology that is simplistic enough yet mature enough to warrant defense in depth, and be able to sustain a model and such with one human or two humans involved in the majority of the cyber security work. It's certainly possible, especially with the tools and technologies we have today, but the mindset from the individual is gonna be right, and that's gonna be something they really wanna do, because some organizations don't realize the amount of work and the amount of burden that it's going to take, especially if you're not going to support the individual. They're going to realize that it's a more commonly talked about topic, I think, these days, that cyber security professionals don't sometimes get the support from leadership internally that they need, especially to be successful at their job. So they'll understand that's a fact, and they may ask you in the interview process, like, do we have a budget dedicated for this? And, you know, am I expected to get extra help in a certain amount of time? Am I going to be able to hire a team in the next year? What is the vision of cyber security? If the question doesn't get answered, you might not know that you may lose a talented individual, because they realize they may be getting set up to kind of walk off the end of the dock, if you will.

Yeah, absolutely.
Another consideration for this particular model of bringing in an in-house security professional, or multiple security professionals: first, I would certainly encourage it, right? Nothing beats the human element, boots on the ground. So with that said, it's not always the right option for every organization, but organizations that are a little bit larger, more sophisticated, maybe have an IT team of seven to 12 or 15 people, they might not have a security professional in the house. Well, in the interim at least, chances are one of those IT professionals maybe has some background in security, or has been studying security, or wants to make that transition, so that may be another approach. We've certainly seen that done successfully with client organizations that we serve, and that way you already have somebody that has experience with the organization, but now you get to kind of pull them off and start allowing them to work on building the security practice. Now, just keep in mind the main thing with that: if you go with that approach, you're still going to need outside help. So if you're thinking about budgeting and that sort of thing, you're still going to need people to come in and do the third party risk assessments and penetration testing evaluations. They're going to need to fill in the gaps where that particular professional, that maybe you pulled from the IT team or maybe a newer security professional that you hired, can't handle internally. Not necessarily just because they don't have the skill set or tools, but also some of those things you need to have a third party do to make it really valid and hold weight, like penetration testing, audits, that sort of thing. So when you're thinking about budget, if you're going to do the in-house approach, just keep in mind that there's going to be an additional side needed to that, more than just hiring the person.

Which brings us to the next model that people follow, right, which is that managed service provider or managed security service provider, so MSSP or MSP approach that people take. And like anything, there are pros and cons. MSPs can be tremendously valuable for a lot of organizations and offload a lot of the burdens, but I would go ahead and say that it's not necessarily a full solution most of the time, at least from what we've seen in the marketplace. You guys seen anything, or have any examples you want to share? If not, I'll dive right into kind of some of the pros and cons that I know right off the bat when it comes to MSPs. So one of the downsides, right, we'll start with that, is that when you have truly a third party, an MSP or MSSP, generally you have to look at the business model, right? What does their business model look like? Well, more often than not, and there are certainly exceptions out there, there's good ones and bad ones just like in every industry, in every business, but generally as a rule of thumb, most MSPs and MSSPs are focused on reselling products and tools, and the services side is more of a management of the outputs of those from a remote SOC or something like that, from their office location with their team. Right, so when you look at what the tools really consist of, it's not so much a holistic security program. Right, it's great to have tools and technologies, but they're certainly not everything. You still need the human element; somebody still needs to go through and actually build out the security program, formalize it with all the corporate governance and whatnot to make it actually hold, right? Because tools and technologies are not... I won't beat a dead horse, because we've talked about that a lot on previous episodes. But one of the pros, of course, is that they have a lot more resources available that they're using on a wide scale across multiple clients, so generally you can get in and you can get something done in a more cost effective manner than you can with trying to build out those capabilities on your own. So I think there's a good blend there as far as MSSPs or MSPs with in-house or other outside third parties. Right, it's not kind of one or the other. I would think you'd be hard-pressed to find somebody that's really going to just do all the cyber security for you. It just doesn't work that way.
Ah, normally not. And also, the thing to consider when you're using MSSP services like security operations center, or SIEM as they're calling it these days, right, and then incident monitoring and management: you've got to ensure that that business model, as Zach was talking about, is sound, because you're going to be sending all of your logs and kind of sensitive information about your technologies to that organization in order for them to triage that data. Like, they have to know a lot about you, and you also have to understand how is that data being stored on their end. Is it, obviously, probably going to be a multi-tenant environment? How do we ensure that that organization doesn't get breached? Because it would give a lot of information to an attacker. So it's just one of those risks you have to throw in when you're looking at outsourcing some of the services: what specific services mean the most to you, and what specific services also present risk as well as reward. Because there is a lot of reward to that event and incident management response, but it doesn't come free. There is a level of risk that you have to accept in order to have a mature service in that particular aspect.

When you're looking at risk too, and to kind of move into the next approach that people take, let me comment real quick: just keep in mind that you can never wholly transfer risk, right? You have to continue to accept risk regardless of whether you transfer it to a third party to manage or not. You still own that risk to a certain extent, maybe a lesser degree, but you still own the risk.

Absolutely, yeah, because you made the decision to outsource, right? Right, I can't tell you how many times we deal with people that are like, what's in the cloud, it's fine. It's like, no, it's not. I mean, cloud's great, security and cloud can be great, but that doesn't mean you've offloaded all of your risk and all your concerns to the cloud. You still have your own piece that you own.

I hope that paradigm of thinking is starting to sunset, but yeah, initially every leader in the world thought that the acceptable move was to transfer risk to the cloud technologies.

Yeah, they don't seem to think that their customers gave that company their data. They don't care if that company's cloud service got breached or not; their data's still exposed, and they're going to blame who they trusted with their data. So yeah, that's what it's all...

Cloud is just somebody else's computer.

That's right, that's right. Well, another option, of course,
is the virtual CISO, or CISO as a service; it goes by different names, and that's become very common in the industry. You see a lot of people that are security professionals, maybe they're retired or maybe they've started their own consulting practice, and they do the virtual CISO approach, which I think can be a good thing for a lot of companies. It's important, though, to understand the limitations, right? Because again, as we talk through each of these, we want people to understand that there's not necessarily a right answer, it depends on the company, but there are limitations to each. So that when you're thinking about this, think about it from a more holistic perspective, and understand where one organization or one company, one vendor, cuts off and you have to fill in a gap with another. Right, so virtual CISO is great. They're going to come in, give you time and support, mostly around strategy for the organization, figuring out a framework and that sort of thing to get aligned to. They might do some high-level gap analysis against those frameworks, maybe compliance work to help you get aligned with compliance, maybe even some of the corporate governance side of it. But where the limitation is, what most companies run into, is that most of your vCISO type services are going to be structured in a way that is set up to basically tell you what needs to happen, and then you need to make it happen, right? So a lot of the hands-on technical work and the support that a lot of mid-market organizations need, that they don't necessarily have resources for in-house, are a lot of times not covered by a virtual CISO by themselves. Now, a vCISO should have different vendors, right, for these different areas, to cover down on what they can't do themselves. But again, back to budgeting, back to planning, take that into consideration when you're out there looking at different organizations to work with, different services and such. Make sure that you're looking at it holistically, not just, hey, they're going to charge me this much and everything is going to be good across the board. All right, make sure they're filling in the gaps and telling you what they're not going to cover, what else you're going to likely need in order to have a security program. Any other comments on vCISO?

Well, yeah, I mean, all good stuff, Zach, and I think the other thing to mention is that they're not empowered to make change. I can't stress that enough. If they conduct a gap assessment and they create a roadmap and they've got a list of action items that need to be conducted in order to close those gaps and maintain a more compliant state with the framework, they can't conduct those activities. Those activities may include something that you need a technology for, right, like centralized logging or vulnerability scanning. They can't just set up a scanner in their garage and scan you, right? It's going to have to be a service you purchase, so there are going to be certain ones you stand up yourself. Right, there are going to be certain activities that are going to be coming out of that report where the vCISO is going to say, okay, here's your list of action items, let me know when you've got some stuff done. Number two, that vCISO doesn't mean a security engineer butt in the seat.

Yeah, "V", for everybody out there wondering, it's virtual.

So I mean, it's very important to make sure that that's defined, and not the expectation of, well, because the vCISO, he's here sitting with me.

Yeah, yeah. So, but no, I mean, it's also... it's not a CISO, it's not a security engineer. He's not going to be monitoring things for you, he's not going to be, you know... that all could be negotiated, but the expectation has to be set properly with whoever you choose as a vendor.

I need my vCISO in the corner office monitoring logs.

Yeah, right. Yeah, I mean, but we've seen that, right? I mean, the expectation is, oh well, you've recommended these architectural changes, you're going to go ahead and implement them, right? And it's like, no, that's not what we do, you know, so...

Great, so you're the vCISO now, so we'll see you five days a week for lunch.
Yeah, all right, exactly, on Zoom. The final model I'll talk about, maybe some others will come to mind, but really the primary one, is really a combination of both. Now, this talks about it from the lens of a little bit larger, more sophisticated organizations that maybe have a couple security people in, maybe they're new security professionals and they're handling some of the fundamental activities, but again, the organization still lacks a formalized cyber security program. We call this a partnered security service provider model, or PSSP. That's kind of our own term that we coined, but there are different ways to go about doing it. Some organizations offer staff augmentation, different levels of support. Needless to say, it's basically a combination of having your in-house professionals, at a minimum an IT team but maybe a few security professionals, and then having a third party come in, either remote or even maybe on site on occasion, to help build out the program and mature the program and really make sure that you have that going. It's important to realize it's not truly the same as staff augmentation, in that these people are maybe in and out, if they're on-site at all, but it can certainly help to augment bits and pieces with people. Again, I think the common element here is the human element, right? It's not about plugging more technologies in, buying more stuff; it's about putting those resources toward the right people with the right expertise to cover your security posture.

Another thing that we'll touch on briefly today is the age-old question of, oh well, we have an IT company, can't they just do our cyber security? Right, so I don't know if you guys want to comment on that as well, but it's very, very prevalent, especially in the small business world, and in many small business cases, yes, a lot of times their IT companies will handle some level of cyber security. Whether they build a formalized program or not, I'd say that's more of the exception rather than the rule, but that can be an option for small business. Now, as soon as they start to get into kind of mid-market, emerging, a little bit more sophisticated organizations, and they need to answer, going back to the earlier point, these sophisticated cyber security questionnaires coming down, and requirements like SOC 2 audits and such, generally your IT company is not going to do that. You're going to need to have specialists to make that happen.

Totally. I mean, to answer that question, right, I think we said it earlier on:
Everybody's part of cyber security. All right, everybody at the company is part of cyber security. So if you don't have a cyber security leader in your organization, and you may have a very smart person working in network or in software engineering, or even in the server workstation area, that really just has a knack for the stuff, promote them, or promote yourself. Take leadership, because again, doing something's better than doing nothing. If you know what needs to be done and no one else is doing it, just take responsibility and do it. Again, it's everybody's job, right? Everybody's gonna play a role in the organization; the organization simply just needs a leader. Now, that's not gonna tell you you're gonna get money for anything, but documents are free, right? Creating process is free. Creating an organized method of understanding what risks are there, that's all free. That's stuff that you can just do. So if you're one of those individuals that has that capability, then I encourage you, I think we all would encourage you, to stand up in the organization and go forth and create and fight the good fight. Now, for reaching into the organization for somebody to lead, or telling IT to conduct those types of services, IT needs to either, A, go back to what I first said and identify an individual that's strong in that area, or, again, I think that's why the PSSP model was kind of coined by us, because I think that partnership of expertise coaching creates a paradigm in the organization where you don't have a firm that just comes in and does a job and leaves. You have a firm that comes in and instills some form of practice and procedures and training for the individuals to then carry on long after the third party is now gone and working with other organizations. There's valuable data and roles and process that are left behind for the organization to still live off of, if you will, right? That mentality of teaching someone the fishing act as opposed to just handing out the fish.

I think the main thing too, for organizations that are looking for outside help, the main thing, to your point, Lauro, is your service provider should never function in a bubble, and unfortunately that's too common in our industry. Your service provider should be like an extension of your organization, almost like part of your team. Yeah, they may not transfer parents, yes, but yeah, it goes to that train-the-trainer model, right? They should be empowering your organization internally to get better and better at building out those defense in depth measures, right, at every level of the organization. They should be working with your executive team, talking with the board, they should be educating them on areas that they don't know: why cyber security is important, what the real risks are to the company. And at the technical level too, helping people understand, okay, why do we do this, why do we look at security the way we do, why is this important, right? So that everybody has buy-in, and that's going to be a good service provider for you. If they say, okay, yeah, we're just going to take care of this, we'll call you next month, that's probably not the right approach.

Well, and then going back to what you were saying, it's important to educate people on why cyber security is important. The old adage of, well, I don't have anything anybody wants to steal, or those kind of things that we still run across.

Yeah, we're too small, we don't have anything anybody wants to steal, we're just one location, how are they going to find us, blah blah blah blah.

What they don't understand is that you have people out there, just like that Zyxel article, they're just scanning. They're just looking for the SSH and then they're trying to brute force it, or they're looking for a specific vulnerability. It's spray and pray, and that's how they're finding victims. And if you're out there and you're on the internet, I mean, that's why it's so important to educate and have someone who's dedicated to cyber security, or at least cyber security aware, inside your organization, and then augmented by someone who does know cyber security, just to ensure the safety. I told my neighbor the other day that they need to treat all their technologies connected to the internet of everything as if you look out your door once a day and you know that the robber is going to walk down the street to see who's home and who's not.
Yeah, yeah, that's a good point, well said. Well, a quick recap: there's really no right answer for every organization, right? We talked about some of the pros and cons of the different models and the different ways people go about building a cyber security program. Fact of the matter is, it takes people to do it, and it takes time and resources. Unfortunately there's no way around that, but nothing really beats the human element, boots on the ground. And it's also important to know that nothing truly offloads risk, like you were talking about, Mike. There's no organization, there's no company that's just going to basically do everything, and even if they were able to, it still doesn't offload, right? The risk is still yours as an organization. So, fact of the matter is, you need to build out a formalized cyber security program. It's probably going to take multiple resources to do that, but the first, at least my advice would be the first order of business, is, if you don't have a good clear understanding of what it takes to do that, find somebody who does. Find an organization or service provider, somebody that truly understands how to build a formalized security program, not just plug in tools, not just cover bits and pieces, or just do the strategy and whatnot, but actually the spectrum of both strategy and technical, knowing that, okay, your IT people are also going to be involved. You may or may not need additional tools or technologies depending on what you have today, but there are additional aspects even if you get both strategic and technical help. So I hope this supports you in your endeavors, and we thank you for listening. Join us next time. Take it easy, we'll see you out there. Take care, good luck, happy hunting.