
Episode 3 - Building a Security-Conscious Culture

This week - The guys discuss how to build a Security-Conscious Culture in your organization, along with some of the successes and failures that occur in the process. The team also talks about the cybersecurity steps necessary to prepare for a cyber-attack. In addition, they talk about the steps to implement your security program, beginning with leadership support. Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe! 


Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, raving, and telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to help you protect your company from cyber criminals. And now here's your hosts: Michael Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and we have a good show playing for you today. We are going to follow our normal format. Mike, you want to kick us off with the headlines? What's going on in cyber security today?

Yeah, here's just the top 10 headlines that I was able to pull out of the news this week. One of them is that ransomware is increasing exponentially. There's an article out called "Ransomware 2020: Attack Trends Affecting Organizations Worldwide." It's now up to the point that one in three cyber security incidents are basically ransomware, so it's just increasing exponentially. One of the other headlines which I saw, which is very interesting, was "Want to stop cyber crimes tearing through your network? First check your privileges." Analysis has been done that over 50 percent of the people with elevated privileges don't need them, so we need to refine and look at who you're giving access to and why. One of the interesting things that's racking up is "Bluetooth security weaknesses are piling up while patching remains problematic." As we all have smartphones, Bluetooth is becoming more and more prevalent out in the wild, and the attacks are becoming more and more relevant. Dovetailing into "Want to stop cyber crimes tearing through your network," there's an article that says a fifth of all privileged users don't need elevated access. That's just another reinforcement of the fact that you need to refine your users and validate that they need the access they have. One very discouraging one is "The price of stolen remote login passwords is dropping, and that's a bad sign." What that basically means is they're out there and they're easy to get. Another good one from Microsoft: over 61 percent of Exchange servers are vulnerable to the CVE 2020-068 attack, so if you've got Microsoft Exchange Server, check that CVE out. There's a new ransomware out there called Mount Locker ransomware, and they're demanding multi-million dollar ransoms; they're targeting high-profile Fortune 100/500 type companies. Another disconcerting thing is that new research finds bugs in every anti-malware product tested, so if you think you're safe with anti-malware, then you're not. There's also an Android camera bug under the microscope which basically allows remote users to take over the camera. And even more good news: if you're running HP Device Manager, anyone on your network can get admin on your server. Apparently some developer trying to make things easy for you created a weak password and user account that is easily hackable. So that's the top 10 headlines in the news this week.
So anyway, Lauro. Oh, it doesn't surprise me about the anti-malware stuff, though. It's just always something. So, something for this week for your sev 5s: these are critical patches that you just really need to stop what you're doing for. There are four of them for this week and they're all Cisco related. So if you're running Cisco: you've got Jabber, there's a command injection for that. If you're running vManage, there's a command injection for that. If you're running the SD-WAN solution, there's arbitrary file overwrite. And then there's just kind of a general solution "multiple vulnerabilities," as they call it, and sev 5s that essentially are vulnerabilities that have command injection capabilities. So check those four out if you're running Cisco; get that stuff patched. No Microsoft. I'm just getting shocked; it's been week two, no Microsoft. That's okay, that's a record. It's a record.
Well, great. Diving into today's show, it will really dovetail in with last week. We talked about building a security-conscious culture and where some of the successes and failures are seen in that process, and so this time we're pulling straight from some information in Cyber Rants the book about the steps to implement your cyber security program. Like we mentioned last week, the biggest failure is to not make a decision to actually build a formalized cybersecurity program, and those are by far the majority of the companies that become victims of cyber attack: those ones that haven't made that decision. But let's say you've made the decision. You probably already have if you're listening to this; you're interested in this stuff, you're probably moving forward or already even have a formalized security program that you're looking to make better. So diving right into it, the first step, of course, once the decision's made, is you've really got to have leadership support across the board. And we're not just talking about the tech leadership either, or the risk management leadership, right? It's everybody: it's the board of directors, your CEO, CFO, everybody in the organization, but also at a management level. Mike or Lauro, do you have any good examples you want to share of leadership successes or failures from what you've seen out there in various size organizations? Do you want to go first, Mike? Oh no, go ahead.
Well, I can certainly talk about a failure real quick. I've got some successes too; I guess we can really kind of troll this on with a bunch of different stories from both categories, but I'll talk about a significant failure. So here's the thing: like you stated, Zach, it's important to have everybody at the top of the business support it. So there's an organization I was serving, and we had a budget for cyber security, and we were going to implement a remote VPN solution. We were going to deploy the model where you don't have the dual honey, meaning that if you're logged in from home, you're getting forced through the company's architecture and out to the internet, where we had a web filter, right? So we had a bunch of things blocked. Well, this was the VP of IT's idea, and we thought it checked some blocks on the NIST worksheet, right, where we're kind of looking at this from a compliance perspective. Anyway, the board of directors didn't really know about this; they had no idea, and the moment that we turned it live they were just extremely angry about the whole situation, and there was not really any amount of explaining that could be done. So what happened? We had to take the solution out or tune it down, and what ended up happening is that we were forcing pretty much everybody that didn't have a choice, right, all the employees, through the solution, and all the executives had kind of a contingency around it. So we had an open hole at the time, and this is years ago, right? Now we've got this hole, because in spear phishing and whale phishing, the individuals you're going to try to go for are the heads of the organization. At that time we still understood it as a bad thing, but again, I think if it would have been publicized a little better, and maybe campaigned in the organization a little better, we wouldn't have had such an abrupt failure at the end. But I guess that's one example. I'm sure, Mike, maybe you can add to that.

Well, just double failing on that, such is the nature of the beast of our business, right? Since we're doing consulting, a lot of times we come into instances where there is a failure, right, and all of a sudden leadership or management or somebody's decided that they want to fix it. So we see the aftermath; we're brought in, we come in and we fix it, and I think that's really our model, to come in and do that, augment that solution. I've seen successful small companies that we've helped, where we've come in and we've brought in security programs that have allowed companies to expand, get large deals, and then eventually get acquired. And then I've also seen, actually, that most of the failings I see are in larger companies, although I could think of one off the top of my head: it was a software company that really just wanted to check boxes, and refused to put more money into it than they needed to, refused to fix things, just wanted us to kind of roll over and play dead and check their box, and we refused to do that. And that was from the owner of the company on down; it was a VC-owned company and they just wanted someone to check the box, and we don't do that. And then I think that company's now out of business; we wound up firing them. So I mean, leadership's buy-in is critical to actual security, and listening to the security professionals is also critical, and that's where the disconnect is, I think, a lot of times. But we're starting to see people that are more into it, more willing, and that's the people that are engaging Silent Sector, so that's a good thing.

Yeah, it's really interesting to see the dynamic. You can kind of tell, when you're talking with leadership of an organization, whether they have a long-term outlook or whether they're looking to just raise a bunch of capital and flip the company, sell it off, right? Because the ones with the long-term outlook look at security a lot differently, and in general (not always, but in general) it seems like you can tell just by the level of consideration they put in their security program. I can give an example of a client. It's a fairly sizable healthcare company, and I think they've done a tremendous job. The company has a great culture overall, and their approach to building a security program a few years back, probably over five years now actually, was to basically promote from within. They had one individual on the IT team that kind of became the champion of this cyber security program and then grew his team from other people within the organization, and actually separated out that security department into a whole different chain of command, if you will, under a chief risk officer. So it no longer fell under IT, but having come from IT, they understood the inner workings within the organization; they were able to work complementarily very well. I put together a five-year road map, and the company grew, and the internal security team still continues to expand. Because it's under the chief risk officer, who actually reports directly to the board rather than the CEO, I think that's an excellent way to go, especially with a healthcare organization holding millions and millions of patient records and such. I think that's a model that a lot of organizations could follow, regardless of their industry, so long as they have a few in-house resources that could take on that type of role and that level of thinking to build something new in the organization. Smaller companies can't really do that; that's why companies like ours exist, of course, to come in and help support that and build that out.

Yeah, good point, Zach, and they did, and that healthcare client has done a really good job. We have another client; I was kind of giving a personal experience because I don't have a lot of bad to talk about with some of the clients that we've had. But we've got another small SaaS that deals in the licensing and marketing space, and their leadership saw right away that they needed to have an edge over their competition. Again, they had the pretty app, they had the great website, they had good office space; the one thing they were really missing was that cyber security piece. And again, it all kind of starts with a security questionnaire at some point, right? I think that's really kind of the snowball effect, that initial ball that we roll over the cliff. But they've just done an outstanding job themselves over the past six or seven years that we've been with them, to continually push that measurable goal forward for cyber security, and then also to set themselves apart from pretty much everybody that would be their competition in their marketing space. They're leading that space, I think, and getting more clients and maintaining the really large clients that they currently have today because of that.

It's interesting you bring that up, because I call it the cyber security growth ceiling. It's when B2B technology companies are trying to land contracts: they're growing, they're doing well, they're getting revenue in the door, getting some basic clients, and then they start trying to land large enterprise contracts, companies that are much larger than themselves, and those security questionnaires come down. When they don't have that formalized security program in place, they kind of hit this growth ceiling. A lot of times in the B2B tech space that's when leaders finally decide to come together and say, okay, now we realize we have to do this, not because it's risk management but because it's hindering our revenue generation, and that changes the conversation completely, right? So if you can show in your organization how cyber security relates to revenue generation, client retention, profitability, that's going to hold a tremendous amount of weight, whereas if you're only having the risk management conversation, there's a lot of unknowns there, there's a lot of misunderstanding, especially with people that are not technical. They don't really think through the ramifications of a breach day in and day out like we do.

Yeah, excellent point. It's awesome. I also think they don't understand how it's monetized, right? I mean, the cost of a breach varies from forty dollars per incident, or forty dollars per person per record lost, to IBM estimates of millions of dollars per breach, because they look at the "oh, we lost data," but then they also have to look at the remediation costs, the changes, the architecture changes, the insurance, everything else. A lot of people in the larger companies that we've spoken to are like, "oh, our stock will just dip for a month and then we'll be back." That's the wrong perspective; they have to understand the whole holistic perspective. And talking about the smaller B2B type things, I mean, that's why we started Keystone Audit to do SOC 2 audits, because we see that trend with these smaller companies that are trying to land that bigger fish, like you were talking about, their growth ceiling, that need the SOC 2 audit now. That's why we've got Keystone Audit, and that's one of the things that we're seeing as well.

Right, absolutely. The other thing is, when you're talking about breaches: if you really want to get cyber security ramped up in your organization, talk to the leadership about the benefits and the business development capabilities, especially if you're filling out those security questionnaires and you're serving clients that are concerned with your security. The other side of that is, don't ever bring them the average cost of a data breach, because I always compare it to buying a house, right? When you're buying a house, you don't look at the average cost of a house in the United States, because that's meaningless to you, right? You look at what it costs in a specific city, a specific neighborhood, certain characteristics, square footage and finishes in the property and all that. There are a lot of considerations. So if you can take that same thought process, bring the number to your organization, and there's certain tools and companies that can help you do this (we can certainly provide some guidance there), but bring a definitive number to your leadership saying this is what it will cost us in the event of a breach, and here's how it's broken out, and how we can prevent each piece and what those prevention measures will cover in terms of dollars and cents, essentially a financial risk analysis. That will certainly get their attention. The more you can customize anything to the organization for presenting to leadership, the more they will look at it and really put some serious consideration into that.

Yeah, exactly. I can't agree more, and I think that drops us right into the second portion of that chapter, where we're talking about understanding your current risks and vulnerabilities. You can't really go and provide that information to the board until you've done that kind of next part, the investigation. Now that you're the new sheriff, you know who the troublemakers are: what are the vulnerable technologies, where are the sunsetting technologies, where are the technologies that haven't had SME attention for years, or legacy apps, things like that, right, that are going to potentially cause problems. That's right in line with what you're talking about in the next thing we have.
Yeah, absolutely. That's one of those things where you can't know what direction to go until you know where you are, right? And so, like we say in the book, plausible deniability is not a solution, not an answer anymore, especially with executives being held liable for breaches. So the best thing an organization can do, and what we do whenever we start working with an organization to build out a security program, is it starts with a cyber risk assessment, right? We need to understand the strengths and weaknesses and be able to go from there. Different organizations look at this differently, but when we say cyber risk assessment, in that we're also including technical testing, penetration testing, and scanning, to ensure that we're taking a technical view at the vulnerabilities and the risk surfaces that rise from those, and not just a paper review. I mean, the paper review of course is important too, so looking at all policies and procedures, but I think you have to have the technical side. It seems like a lot of organizations are only doing documentation policy review and they're calling that a cyber risk assessment. You have any thoughts on that?

Oh yeah, we're seeing that, because that can be presented to a lawyer, and they say, oh look, we're doing all this. And then what they don't have is the actual validation, that it's actually backed up in practice, that they're actually doing it, that they've actually ensured that it's actually functional and working. So yeah, we're seeing a lot of that paper stuff, and I can think of a client off the top of my head that basically told us point blank, he's like, I don't want this done because I don't want to know it and I don't want to be responsible for it. So it is changing because of the awareness that you were talking about, Zach, but you see that quite a bit.

Yeah, right. That goes back to the plausible deniability, right? But now it's our job, of course, in the security world, to educate people that that's not going to cut it. The more you know the better, but at least, even if you haven't been able to fix everything, I think when breaches occur nobody's expected to be perfect in terms of cyber security, because nobody is. But if you can at least prove that you've been taking the right steps and running industry best practices, starting with your cyber risk assessments and penetration testing activities, at least then you can justify: hey, these are risks, we made a business decision to cover down on these vulnerabilities and remediate these issues because to us they were the greatest concern at the time, so we had to make an educated guess. People are going to give more weight to that than saying, oh well, we just didn't even know these issues were there, right? So it's about having a plan of action and milestones, documenting that, and continuing to keep it updated. Any other thoughts before we wrap up on today's show?
No. Make sure that you're doing a full cyber risk assessment, looking at all the different risk vectors of the business, including the cyber wing and the financial wing, and if you're just getting a commoditized scan, then you're not really getting a holistic view.

Well, I know a lot of people are interested in the finer points of cyber risk assessments and penetration testing, so we will certainly be covering that in the future on the show. But for now we want to talk about implementing cyber security programs, so just know that getting complete leadership buy-in is the first thing that needs to happen, and then from there you have to understand what your risks are today, how things stand, before you can plot your route forward. So we'll get into the next steps in future episodes here, but thank you for joining us.