Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall


Episode #70 - Securing Complex Organizations and Subsidiaries

Building and managing a cybersecurity program can be confusing for organizations with multiple product lines, subsidiaries, or industry divisions. How do you manage security across all business units? What can you do to set standards that the entire organization follows? How do you control the quality of the cyber risk management practices through different cultures? This week, the guys answer these questions and more, discussing the various aspects of implementing, assessing, managing, and normalizing cybersecurity across a complex organization. 

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!


Mike's Headlines:

POOR PASSWORD CHOICES CONTINUE INTO 2022: Don't use these passwords: These are the 10 logins most regularly found for sale online

Bluetooth Signals Can Be Used to Track Smartphones, Say Researchers
Chinese Hackers Distribute Backdoored Web3 Wallets for iOS and Android Users
New Vytal Chrome Extension Hides Location info that your VPN Can't

Linux Malware Deemed ‘Nearly Impossible’ to Detect

Microsoft Office 365 Feature Can Help Cloud Ransomware Attacks

Citrix fixed a Critical Flaw in Citrix Application Delivery Management (ADM), Tracked as CVE-2022-27511, That Can Allow Attackers to Reset Admin Passwords
Cisco Secure Email Bug Can Let Attackers Bypass Authentication

Gallium Hackers Backdoor Finance, Govt Orgs Using new PingPull Malware
HelloXD Ransomware Operators Install MicroBackdoor on Target Systems
Using WiFi Connection Probe Requests to Track Users
Kaiser Permanente Data Breach Exposes Health Data of 69K People
SeaFlower Campaign Distributes Backdoored Versions of Web3 Wallets to Steal Seed Phrases
Strong Passwords Still a Priority Strategy for Enterprises
Russia Warns of Military Action If US Attacks Infrastructure
Researchers Discovered a New Golang-Based Peer-To-Peer (P2P) Botnet, Dubbed Panchan, Targeting Linux Servers in the Education Sector Since March 2022.



welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly embellished truths
about corporate cyber security programs we're ranting we're raving and we're
telling you the stuff that nobody talks about on their fancy website and trade show giveaways all to protect you from
cyber criminals and now here's your hosts mike rotondo zack fuller and lauro
chavez hello and welcome to the cyber ants podcast this is your co-host zach fuller joined by mike rotondo and laura
chavez and today we're talking about a subject that is near and dear to a lot
of companies a lot of leadership and that's for those companies that have a lot going on a lot of different
subsidiaries entities they're multifaceted they have different departments product lines
and they need to understand how to run cyber security across the
organization as a whole as opposed to bits and pieces so we're going to be talking about that how to normalize
standardize your security practices and really look at organization wide cyber security when
you have people working all over the world different entities different structures different management styles
for these subsidiaries all that good stuff but before we do mike we kick us off with the news support password
choices continue into 2022. don't use these passwords these are the 10 logins most regulated found for sale online and
so basically in 2022 one would hope computer users would understand the value in creating slash using complex
passwords to protect their online identity from cybercrime statistically that assumption is numerically false unfortunately
cybersecurity researchers analyze stolen password repositories located on the dark web that are offered for sale over
24 billion of them not only did their analysis determine that the volume of stolen accounts has risen at 65 percent
of these marketing places but only 6.7 billion accounts were unique meaning that over 17 billion of the accounts
were duplicates further the most common passwords were simple ones like one two three four five six and query so
change your password a little scary here bluetooth signals can be used to track smartphones say researchers researchers
warn bluetooth signals can be used to track device owners by a unique fingerprinting of the radio the technique was presented by a paper
presented at ieee security and privacy conference last month by researchers at the university of california san diego
the paper suggests that a minor manufacturing imperfections and hardware are unique with each device and cause
measurable distortions which can be used as a fingerprint to track and track a specific device chinese hackers distribute backdoor web 3
wallets for ios and android users technically sophisticated threat actor known as seaflower has been targeting
android and ios users as part of an extensive campaign that mimics official cryptocurrency wallet websites intending
to distribute backdoor apps that drain victims funds said to be the first discovered in march 2022 the cluster of
activity hints to a strong relationship with a chinese speaking entity yet to be uncovered based on the mac os username
source code comments in the backdoor code and it's a lens abuse alibaba's content delivery system targeted apps
include android and ios versions of coinbase wallet meta mask token pocket and im token
a new vital chrome extension hides locations info that your vpn can't a new
a new google chrome browser extension called vital prevents web pages from using programming apis to find your
geographic location even when using a vpn while vpn will hide the ipad address of your device unless your physical
location it is possible to use javascript functions to query information directly from a web browser to find a visitor's general geographic
location last night a developer named zoc shared the new vital chrome extension on
y combinators hacker news asking readers to provide feedback on the
functionality vitalcan spoof your timezone locale geolocation and user agent the data can be used to track you
are or reveal your location explains an hm post vital utilizes the chrome debugger api
to split this data this allows the data to be spooked in frames web workers and during the initial loading on the website and also makes the scooping
completely undetectable it might be good if you want to be snooping around stuff that uh you shouldn't be looking at
uh linux attention do we trust extensions i don't know we talked about that last time is is it trustworthy i
don't know man it's just somebody this is google's not writing this this is just a guy some hacker named doc so
yeah probably what probably a bad idea to install this this extension right
without without extensive reverse engineering of the code so you can make sure you know what that extension's doing you're better after using vpn and
torah if it's you know you want to be that secretive so yeah linux malware deemed nearly impossibly
detect a new linux malware that's nearly impossible tech called symbiote discovered in november parasitically
infects running processes so it can steal credentials gain root kit functionality and install a back door for for remote access researchers from
the blackboard bury a research and intelligence team have been tracking the malware and the earliest detection of
which is from november 2021 security researcher joachim kennedy wrote the blog post on the blackberry threat
vector blog published last week what makes symbiote different is that it needs to be needs to infect other
running processes to inflict damage on infected machines instead of being a standalone executable file that is run
to infect the machine it is a shared object library that is loaded into all running processes using ld underscore
preload and parasitically infects the machine symbiote's behavior isn't the only thing that makes it unique researchers said it's also highly
evasive to such a degree that it's extremely difficult to know if it's even being used by threat actors at all
so symbiote some of the basic types of tactics it uses is that by design it is
loaded by the linker via the ld preload directive which allows it to be loaded before any other shared objects so this
thing is pretty nasty um and there is no way to fix it that we uh that i saw in the article but check it out a lot of
linux and with that there's a couple other headlines there's a office 365 feature that can help cloud ransomware
attacks there's a citrix fix the critical flaw in citrix app dev manager
uh system secure email bug can let attackers bypass authentication there's all sorts of bad stuff going on out
there but anyway with that laura what do we got uh we've had a we've had quite a bit of things uh move forward in the
exploit realm since uh since we last uh since we last had an episode but before i get into the uh to the exploits for
today i just want to remind everybody that the reason that we give this exploit information is so that if you are overwhelmed
with the vulnerability remediations and you've got you know you've got your scanners running and they're coming back with just just a lot of information and
you're over you're essentially over um overworking your it teams to just focus on patching
i like to bring the exploits into the conversation along with with mike's you know awesome news
because what really makes a vulnerability dangerous there's a lot there's lots of vulnerabilities vulnerabilities are always going to be
found in software right there's always software bugs software weaknesses especially with my with my yeah with that vendor so keep that in
mind and what really makes a vulnerability dangerous is when you have the exploit code that that allows for
the taking advantage of the vulnerability so i like to i like to use um an analogy like a vulnerability is
like having a window in a house a glass window okay that doesn't really mean anything if you live on the planet
rubber where nothing's hard however the moment that you find something hard like a piece of steel or a rock that'll break
the window now it truly becomes a risk because in in the you know in the
environment that we have we have something that can that can take advantage of that vulnerability and and
break into that um into that piece of software that that has this vulnerability with its exploit so keep that in mind if a vulnerability is out
there you certainly want a patch but you want to also try to alleviate your team's overwork overwork by by doing
some vulnerability re-ranking and this hopefully this exploit news helps you with that so you know there's a
vulnerability important to patch yes um if it has an exploit with it more
importantly to patch so keep that in mind as you as you kind of structure your vulnerability work inside so let's get with some of the vulnerabilities um
that have exploits this week i've got two for you to talk about one the first one here is from confluence so if you're
familiar with the atlassian suite of products confluence data center is something that's used for um you know
data backups and data aggregation those sorts of things and there's a really really really
clever remote code execution payload that's been created in python uh by a
notorious hacker ebox and this is out there available for everybody to download and use against confluence data
center so if you're running confluence 7.4 all the way to 7.18 you're vulnerable to this remote code execution
this is unauthenticated so somebody gets an idea of of how your your confluence uh system is set up
they're probably going to be able to exploit this if you get indexed on showdown or something like that so keep that in mind if you're running confluence from atlassian make sure that
you're updating the other one i want to talk about briefly um is from one of the vendors that i just i love talking about
so much because they're they're so perfect um this is from microsoft you might have heard of the felina this is a
microsoft rich text file document that has hidden html in it that
using a preview will download so this is a zero day that microsoft has still yet to patch big surprise so make sure that
you're at least making your people aware to be leery of any types of documents that are coming down in rtf format and
even set up maybe some of your filters to start blocking documents that are in this rtf format to help you
with the felina attack so as always um patch your systems and make sure that
you're looking for the exploitable motor abilities because those are the ones that are really critical and uh with that zach
what are we talking about today something fun something something has to do with with companies that are in a
very interesting situation with a lot of subsidiaries all around the world maybe yeah that's the that's the the standard
now right as companies grow and a lot of them kind of keep their i.t and security
professionals where they are and not giving them a lot of extra resources
so especially in the changing economy you have these companies that struggle with this right they they have maybe a
small it team and they have a bunch of different subsidiaries different locations each
company each one of their their companies that they own and a subsidiary model or they have a joint venture with or whatever
might have its own its own structure right its own culture the way it runs and some are
more stringent than others different industries even right where you have different compliance requirements so the
question today is how do we tie it all together from the top level
right from the parent company that's often providing it and security services to all these subsidiaries how do we look
at that from from the top how do we manage across these different cultures different environments so we're going to
dive into that but before we do let's take a quick commercial break want even more cyber ants be sure to subscribe to
the cyber rants podcast get your copy of our best-selling book cyber rants on
amazon today this podcast is brought to you by silent sector the firm dedicated to building
world-class cyber security programs for mid-market and emerging companies across the us silent sector also provides
industry-leading penetration tests and cyber risk assessments visit and contact us today
and we're back so we're diving right into how do companies manage across their different subsidiaries different
cultures all of that and i wanted to start with assessments and get your thoughts get your your your wizardry
uh your your you know insight into how do we take an organization with a lot of
subsidiaries that's very disjointed or not just not disjointed wrong word but very separated geographically and even
by industries and such and how do we look at cyber security as a whole starting with the assessment side how do
we assess that organization and understand what's what across the board in order to
create a road map to improvement any thoughts there
uh sure i certainly have a few thoughts on that i think um you know as a as the
parent organization right if you've got a lot of subsidiaries the first thing to do is to to put all of those those
subsidiaries in buckets right are they are they you know are they fintech are they government tech are they just
business to business tech and once you can kind of throw them into where they they fall with their silo of business
then you can kind of start to be prescriptive with the type of um governance framework that's going to
apply to that organization makes sense and then would you recommend then um treating it treating an assessment as
uh per per product line or subsidiary or would you run an assessment against a
major framework say nis csf or iso 27001 would you run it across
the organization as a whole what are the what are the pros and cons of each method well the first thing i would do is back
up and say where is our infrastructure right is it a centralized infrastructure that everybody uses or do they all have
their own and it will depending on the answer to that question that will determine how you're going to
be able to proceed with a risk assessment so if you've got you know
a makeup company owns a fintech company that owns a you know movie studio
you're gonna have decentralized we would hope you would have at least decentralized um
systems and infrastructure other than perhaps they may have shared a d they may have you know it all depends on how the infrastructure
is built and and determined now you're going to take each
subsidiary based on whatever whatever governance is required but you're still going to have to go back to that parent company
again based on the infrastructure so um the primary focus or initial focus for
each subsidiary is going to be physical security they'd start there and then build out and then you're going to look at the infrastructure of the parent and you're gonna assess going down from there and then um at least that's the way i would that's
the way i would carve it up yeah no good stuff mike i think you know doing you know you'd asked about the
pros and cons doing a massive a framework you know gap assessment against everything that you own might be
too much to bite off not that it's not possible but it's going to show your risk you know being really high in a lot of
areas more than likely and so you know there's there's the pro that that to to that approach to at least give you
you know a total oversight of all the businesses and where they fall against a given framework
the truth is that may not work if you've got a lot of subsidiaries and you know we've we've had clients like this in the past that have lots of subsidiaries in
all different places and some of them in tech some of them in you know software delivery um software development things
like that and so um you know maybe taking a uh you know kind of a pie approach right where you
slice the pie up and you do you know you do these small assessments against these organizations determine where they are
from a risk perspective get them a an improvement plan you know moving forward and then go to go to the next one and as
you you kind of do these little slices all the way around eventually you'll have you'll have a total understanding
of where the risk lies with these organizations but you make a good point mike where's the infrastructure being taken care of and i think a lot of times at least in the experience we have with some of the clients we see a lot of the infrastructure is owned by each
individual subsidiary they're doing their own thing they've got their own budgets they've got their own software
they've got their you know their own personnel and their own kind of methodologies that they use to keep their business moving and this
overarching you know kind of governance is certainly owned by the the
parent company but they they're kind of like a you know they're kind of in a position where well we know we need to
we need to secure these businesses we need to get them aligned but they're making money right now for us so i don't
want to shake things up too much because right now the money's flowing so how do we do this
how do we do this holistically that makes sense that doesn't you know stop these companies that you own from from
you know making that that that money for you and i think that's you know we're hopefully going to get to in this
conversation at some point but i agree with mike you know you got to figure out where the it's being managed if everybody's
managing their own i.t this is going to get complicated and um unfortunately you're probably if that's
the case you're probably going to have to start looking at these organizations individually with with an assessment a
framework assessment that fits the type of business fintech defense tech that sort of thing right yeah exactly the other thing is so if we
flip this how would i design security for that i think you need to have a centralized security and then
command where you have an overall philosophy that's communicated and saying you know this is this is our
information security plan and process this is what these are the you know the 10 things that we focus on
and then depending on your resources you need to have security teams if the infrastructure is unique to each
individual subsidiary you need to have security in each one of those subsidiaries if
they're not then you need to focus essentially and and i and i'm just keep reminded of a company that you and i
worked for laurel that you know had grown massively by acquisition
and they had you know but they had no overall and everything was aligned they all did the same thing so it was all
software development but they had no centralized security planning they had you know center in
canada somewhere and they had a center in washington somewhere and one in california and then they had a bunch of
distributed people like laura and i all over the country that were trying to do security and the times you know based on the little
fighters that it developed over well i i'm from this company and this is how we do it here and this is how we do it here
there was no no overall strategy so you need to define a top-down strategy for security it can't be
left up to each individual little uh subsidiary because at least the philosophy of it because otherwise
management's different security philosophies are different and you can get your mind upset you wind up getting yourself a hold off trump whole lot of trouble no great that's a super good point you certainly you know the parent company needs to
you know in a basic way say you know our information security policy is going to dictate you know that we need to have
controls based on you know industry industry best practice frameworks
and industry best practice cyber security protocols but you need to leave it generic enough that then you
know hopefully the um hopefully the subsidiaries can then apply themselves
in accordance with that right so maybe your your your very top level security policy that you have at the parent
company says that each subsidiary is responsible for you know instilling a framework that is you know applicable to
the type of business or something generic like that and then you can kind of go down to those organizations and do
a gap assessment um on a framework that does make sense for the organization if they're if they're doing department of
defense or government work and scsf is a great one to use right and that'll give you some form of
a sense of of understanding of where that security posture is where they are in risk management
and you're probably going to be scared i'm sure i'm sure that the data coming out of this works can be terrifying to
you right because you've just acquired a bunch of businesses or your business is in the business of acquiring businesses and just like mike said that we come from a place that did that and it's a nightmare um you know in the moment that you acquire a business you you
essentially assume all that risk right because once it comes comes under the business name as a as an owned entity a
fully or a wholly owned entity now now you're in trouble now all that risk that that company has is now belongs to you
so you need to do a very good um analysis before the acquisition to understand what type of risk you're
going to take on and then have a plan ahead of time to start getting you know getting getting that taken care of when
this company does on board so you know i think out of this you know out of this question is going to come well there's
going to be gaps and i think you know it's important to understand that you need to you need to do
framework assessments based on what what's appropriate for the businesses but also now you're going to have to
recommend remediation that's going to be more difficult because i think it you know you know the
the greater part of this question is is is there a is there like one budget that the parent company owns that everybody's
a part of or do each of the organizations get their own budgets you know how did that
how that structure works and then how are you going to prescribe remediations as an example if you've got you've got
100 subsidiaries and 60 of them don't have administrative control over the desktops or laptops as an example
everybody's just running them up with admin controls how are you going to make all of those businesses
align to some form of technology or control state that redacts that administrative privileges
and leaves the user with the user privilege but allows them to elevate those privileges part of a process how
do you a facilitate the process to elevate permissions and b how do you facilitate the technology to all of
these organizations so um you know that might be uh everybody kind of buys in a little bit or you know we realize we're
going to need you know 10 000 licenses so you know you're going to split it up cost amongst each one of your
subsidiaries you know depending on how many people they have how many seats they need they take a bigger chunk of that maybe but there's a lot of kind of questions that are going to come out of the gap assessment because you're going to find things especially if you just
acquired businesses and that's been you know the bulk of your work for you know 10 years you're going to acquire
businesses that have outdated technologies that have little to no processes that have no alignment to any
type of framework whatsoever and um you know you're gonna have to to to be able
to not only identify the framework do the gap assessment find the anomalies write the security plan forward but then
prescribe those technologies as the parent company i think that's where it's going to get complicated well i think that brings us back to star
wars right where we have to have a death star to manage everything we have to have the death star to manage everything
everything you know yeah exactly the debate is are you
better to have a death star which can't be everywhere at once or like in the last movie last skywalker where you have
a bunch of star destroyers with death star tech and the ability to blow up a planet which gives you greater control
what's your budget that's well it's gonna say the empire has unlimited budget because they just you know i mean they just take everything so yeah I mean but but in reality those those budgets are gonna look ridiculous i mean i think everybody
knows i mean everybody listen to this podcast knows that cyber security's you know it's going to cost you money right
it's going to cost you money to make up for the mistakes that that you didn't you know these businesses right not
necessarily your fault but you know everybody inherits problems right all the new security leadership all the new
business leadership they're all inheriting problems for the last you know leadership administration right
so um this stuff is going to cost money and um unfortunately
a lot of organizations don't don't plan right they don't they don't bake this type of stuff in right and
um you're you're you're 10 years down the road and you realize that there's all this stuff you should have been doing this whole time that you're not
doing and now it's this you know big giant race to get it retrofitted in um so that we can reduce the risk for the
organization and so that budget's going to have to come from somewhere probably you know i mean you can ask senator
palpatine i'm sure he'll loan you a couple million yeah whole strategy
it won't be free but uh you know like they say once you're in senator palpatine's pocket you're not ever
coming out [Laughter] cyber security also can make you money i
would i would rather there's a book i'd recommend here shameless plug
but it actually talks about that and how to turn it around get a return on your investment so if you're looking at it
the right way shameless plug um we've seen it do amazing things for companies
but going along these lines i mean we have just you know playing devil's advocate
here i guess we have these um subsidiaries they've been rolled up or whatever the case is you know even
different um don't even have to be subsidiary different product lines different groups working on different things and they have their own culture well if you're overseeing that and you're responsible for security across this organization um you might have you
know one group that's all about it they're they are maybe they do dod work and they're you know they hey we i know
we got to do this we're on it we're you know and then you have another group that's um maybe they're you know um
some unregulated form of you know construction or something that's not dealing with um dod or or health care or
anything like that and and like nah we're just gonna kind of do our own thing how do you i like the idea
about the overall philosophy how do you encourage them uh gently or with force to uh to get in
line with the overall philosophy i felt well you can use it
you could you can use the prison method where you just shank someone
electricity that's hard to do it over go to meeting or zoom or teams you know
these days with the remote workforce so that's out the window unfortunately well but with the gig economy
you may be able to find someone oh there you go uber here's your pizza
so that's a really good question and i think we run into this a lot
with some even our own clients where we have parts of the
into the organization principles that the business is trying to align to and it's really a cultural issue you
know you you're always going to have and everybody listen to this knows you can think of at least two people in your organization that you don't like working with like right now i know two people i love working with it's like mike and zach he's gonna say there's only three
of us on there there's only a few of them this is going down real quick it is but i guarantee
you you can think of at least a couple people in your organization that are you know just gonna say no just because they
have the freedom to say no and that's that's a cultural problem that you the hurdle that you've got to get over and i think the only
recommendation i have there is is just repeated messages repeated messaging and then having you know meetings with
leadership because uh once leadership buys in that it doesn't really matter what you know the you know the engineers
and the software developers and all those things because management's bought on now and management's not going to protect you from your bad decisions anymore management's going to try to align up they're going to try to manage up and if that philosophy is in place if
that security policy and those those frameworks are in place in in the right positioning at the top of the organization the trickle-down effect is inevitable um but again you know there are going to be individuals that will refuse to drink the kool-aid now this isn't the jim
jones cool it's going to kill you this is like zach said this is going to make the organization better more efficient more secure and most certainly more profitable because if you're a parent organization that owns 100 subsidiaries and you think oh i'm worth you know 100
million dollars or a hundred billion dollars or a trillion dollars it doesn't matter because if somebody comes in to
acquire those and they do an actual risk assessment and they do the the pre-work for the acquisition they're gonna say
yeah that's a real nice car you got there buddy but uh it's leaking oil um
we've got you know we've got bad axle bearings i'm pretty sure it needs a starter from the sound that it made when i tried to turn it on so they're gonna start hassling you now you know that hundred billion dollars is going to start looking more like 10 million to
you know values perceived and if uh an acquiring organization does the work
um or a lending firm does the work to determine what the real risk is there
for your your organization in total you'll probably be shocked to find that it's a lot lower than you think it is
because there's inherent risk there that nobody wants to pay for right because it's something that anybody who buys it
it's gonna have to tackle if i buy that car i know if i want to drive it every day it's going to need new tires get any new wheel bearings it's going to need
new shocks it's going to need a new starter right and so i go down this list in my head i'm like i'm going to spend all this money and that's what a smart
investor is going to do in a smart investment firm that's partnered with somebody like silent sector that's going to help you
identify all the weaknesses before you make the acquisition well i mean so
top-down security programs are the only ones that work and that comes from my soccer ic squad says the same thing that
basically the only way you're if your senior management doesn't buy into it it can't be a bottom-up push
right it has to be a top down and the entire entity has to buy into it
um otherwise it's not going to happen you know we run into issues every once in a while especially with small companies where we go through and we put
together these you know third-party assessment plans and you know security processes for embedding vendors and then
the ceo signs off on something that is that nobody's even looked at you know to
so it has to be you know a top-down decision and uh so that's why
you know you need to have a centralized security planning somewhere and then with marching orders
down and you keep the security you know the other way to manage that is to keep the security organization
separate from the subsidiaries i t organization so it is not that i that security resource is not answerable to
whoever is running that subsidiary they are answerable to the cso in wherever your
headquarters is that's yeah that's that's the that's the chain of command right that's a that's a
super good idea um to make sure that you have that separation of duties between it and cyber security especially if
you're the you're the parent company that should probably be rolled up to you so that all the subsidiaries are looking
upward for that guidance in the cyber security realm um certainly and i know mike mike and i
know we've spent years screaming from the bottom up it's just falling off deaf ears and so
we know we feel your pain um yes the trick is to get management you know you know executive leadership
you know company leadership to to adopt these protocols and again it has to start there and the trickle down so if
you're if you're the parent company and you have all these subsidiaries you absolutely have to draw a line in the sand and say look we're we don't know
what to do so we're going to lie to this 853 and everybody else is going to do
something that makes sense to them that's it they have to do it right so i think as long as you're you're you're
picking some you have to pick a team right you have to pick a jersey wear the jersey and and just wear with
pride and then everybody else in the organization is going to see that and they're going to start wearing
jerseys too right they may not be the same team because they may have the new mist or they may have to do pci but
they're going to be wearing that cyber security jersey and it's going to reduce risk for the whole organization but until leadership adopts that concept
it's not going to be possible with as easy as it should be i'll say that
i love it changing the chain of command you know
we've seen we've seen sophisticated organizations do that where you know the
the cso or chief risk officer reports directly to the board rather than the ceo um that's that's an excellent
excellent combination with changing the philosophy so you just go go ahead mike sorry i interrupted you there oh no i
was just going to say you know it was a smart outcome if you're fighting that bottom-up battle for security there's
only one cure and it's scotch yeah yeah you've got to be the drunken master of your environment fighting a an uphill battle in the sand yeah it allows you to sit through meetings of massive stupidity and be like but i like scotch better so well outstanding this has been excellent and hopefully it's been tremendously helpful for those people with uh within these organizations
that have a lot of complexity hopefully it helps you understand how to navigate that and please reach out with any
questions has all the information of course you
can check out our book and all that but you can you can reach us through the website and then please rate share
do all those great things help us spread the word but before we jump off mike lauro you have any final remarks
anything else words of wisdom yeah i've got some remarks you probably
don't want to hear them but uh let's okay mike yeah so no in all fairness there if you if you do if you are a parent company you have a lot of subsidiaries again you know pick a jersey to wear pick a framework that makes sense to the to the top level businesses that might be easily you know transmutable if you will to to your other subsidiaries but understand that you need to tackle it one slice at a time don't try to boil
the whole ocean it's just gonna be a nightmare try to do little cups at a time and then try to be prescriptive to
the business type remember that if they're the department of defense they probably need a nist driven if they're gonna be payment related you should probably work with pci if you they don't fall into any of those you know pick something like a cis but take little
chunks at a time to make sure that you're you're giving yourself a less stressful environment but
eventually you're going to build that picture over time right that risk picture for the whole organization over time just understand that you don't need to do it all at once do as much as you can buy it off yeah and the other thing is inactivity is not an option
you have to do something yeah yeah i was going to say remember conan pushing the pushing the giant the
giant wheel right you got to keep one foot in front of the other yeah no action is not acceptable
didn't we brand the ostrich strategy before i think we did the security isn't
that so that's that's not a function i guess well my final thought is that the reason that the board doesn't want the
the the risk officer or or the chief information security officer there is that they don't want to be terrified again they have ostrich syndrome they'd rather bury their heads in the sand than actually you know understand reality um because you know nobody likes to be
scared nobody likes to panic nobody likes to think their business is in high risk but sometimes you have to hear
those things at the highest level so that you can provide the budgets that create action for these people to make the changes
that are necessary to reduce that risk yes yep now that i know about it i have
to do something about it right that's that's always the the fear plausible deniability is not an option
exactly no longer well thanks for listening everybody uh send us your comments what you want for topics on the
next discussion and we'll see you soon