Episode #88 - New Year, New Insights (New You?)

welcome to the Cyber Rants podcast
where we're all about sharing the forbidden secrets
and slightly embellished truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
Mike Ratando
Zack Fuller and Loro Chavez
hello and welcome to the Cyber Ants podcast
first episode back for 2023
hope you are kicking it off with a great year
a lot to look forward to
and we're gonna talk about that
we're gonna talk about some of the things
coming up in 2023
some considerations
and just see where it goes
of course nothing's pre scripted
we just have good conversations about cybersecurity
and sometimes other random topics
but why don't we kick it off with the news Mike
I know you have some good stuff coming up here
interesting things in the news
Happy New Year everybody
first off cybersecurity
there are new things to worry about in 2023
big surprise
today security problems are still being fixed
but evolving technologies in a fast changing world
mean there are new challenges also
first of all
there's a security skills shortage
people and not technology
are always at the core of cyber security
for good and for ill
that focus starts with basic level employees
being able to identify a fishing link
or business email compromise scam
as well as management employing the right
information security team
which helps set out and monitor corporate defenses
cyber threats become more sophisticated
the resources with the right skill set
are what it needed
is needed to combat them
because without specialized talent
organizations are really at risk
additionally
there's an estimate
of new and bigger supply chain threats
while cyberspace has been an arena for international
espionage and other campaigns for some time
the current global
geopolitical environment is creating additional threats
concerns are always driven by real world events
for the last couple of years
we've seen nation state supply chain attacks
and that caused everyone to think
the supply chain risks associated with that
so that's a concern
Web III and IoT
new problems
or back to basics
because something is new
that doesn't mean it's automatically secure
and this technology
such as Web 3 and IoT
continue to make headway in 2023 there
they'll become an even bigger target for cyber attacks
but like any new technology
security is often forgotten about
as software and development rushes
to release products and services
they forget to consider the security flaws
because they're in such a rush to implement it
so those are 3 big things
here's another one
2023 threat predictions
beware economic uncertainty
for the cybersecurity community
I was the end of 2022 nearing
and cybersecurity researchers and vendors
submitting their predictions for what
might be in store for the industry in 2023
like sound sector
the phrase economic uncertainty was often invoked
and maybe the mantra
security professionals say to themselves
when making important decisions
struggling economy
seemed to weigh heavily
on the security pros
and smitter
predictions
to SC media
as many thought
budget conscious decisions
will leave organizations less secure
many also suggested that government regulations
for things such as breach reporting
data privacy
and even software
will be in the works
in the next year
in the near future
and when it comes to protecting against threats
and they said
they still expect
grants and warrants supply to
and attacks
to continue
one other concern
that out of this article
it's a very good article
I highly recommend you read it
there will be
Rediff definition
of cyber insurance industry
says Cody Cornell
co founder G
strategy officer
at Swim Lane
for the last decade
organizations that paid premiums
were able to bail themselves out
when the disaster struck
but as cyber insurance premiums
continue to rise
amid the proliferation of ransomware
insurance companies
are struggling
to manage the cost
and premium relationship
in 2023 we will see a new evolution
of cyber insurance emerge
with specific coverage criteria
tied to cyber hygiene
cyber security teams will be required
to demonstrate
the efficacy
of their strategy
and organizations that fail
to maintain
proper safeguards
will be excluded
from coverage
when the attack occurs
we're already starting to see that
in some of the requirements
to add an additional level complexity
an Ohio court rules
that non physical
software damage
and ransomware attack
not covered under insurance
the Supreme Court of Ohio
ruled that a Ransom
attack against abyss should not be covered by insurance
because he attacked it
not physically
or directly
cause harm to the tangible components
of the software programs encrypted in the incident
after encrypting their system
the hackers
demanded 3 bitcoins
and Ransom payment
for the decryptor
which in 2019
amounts to approximately 35 grand
the company
ultimately paid the Ransom
and file of claim
within sure
less than 24 hours after the attack
to cover the cost
the Ransom payment recovery
but the claims
representative
a sign of the case
rejected this
rejected it
the same day
determined that the policy
did not cover
payment of the Ransom
and the costs associated
with investigating and remediating the attacks
as well as upgrading
security systems
this has sparked multiple countersuits
but check your policies because
that could be a big deal
and lastly for those of you
who are hamburger
aficionados
5 Guys Data Breach
Puts HR Data
Under Heat Lamp
5 guys burger
empire has been hit with
what appears
to be a smash
and grab operation
cyber attackers
busted into a file server
and made off
with the person
of the PII of people
who applied
to work at the chain
this isn't 5 Guys first data breach
5 guys has announced
what if any
showing up for security
plans to do
they plan to do
in the wake of the instant
only know that
engage law enforcement
and cybersecurity firm
and they would provide
credit monitoring
they also haven't announced
how many records
were stolen
other than the following statement
be conducted
a careful review
of those files
and on 8/12/2022
determined that
the files contain
information
submit to us
in connection with
employment process
which would be
social security numbers
and driver's license numbers
birth dates
all that kind of
good stuff so
still good hamburger
there's some good headlines here
but there's one
for all of us cybersecurity professionals out there
there's a new fishing campaign impersonating Flipper 0
to target cyber professionals
so be really careful
it's really picked up this year as fishing and fishing
and there's also
haha Windows has a vulnerability
that's being abused by hackers
so you can read that one
because that's just to be expected
wait what yeah I know
there was also some WordPress stuff but I just
I just got myself to do it this early in the year
you know and just
we're trying to start out with hope that's sad
that's disappointing about 5 guys too you know
I know they should hire
there's 3 guys that do a podcast about cyber security
and they should listen to that podcast
and they all like hamburgers very true
and from that
now we move on to loro's Corner
the first corner of 2023
where we can learn to love
laugh and be better cyber security people
Loro that was awesome
I'm never gonna be as good as announcing myself as
you are Mike
so thank you
welcome to 2023 everybody
and while I think about 5 Guys
and how much I love their burgers
and their bag of fries
I'm a big fan of the bacon cheese hot dog
okay that's enough about my
my food wishes that I can't go get today
because we don't have a 5 Guys
within about 3 hours of us
okay for 2023
I thought it would be important to talk about
some of the scams that are prevalent out there today
and this really stems from conversations that I had
with near and dear family and friends over the holidays
lots of scamming going on for the Christmas season
and it's probably going to continue into 2023
and what I want to talk about is SMS fishing
or text message fishing
or sometimes called smishing
when you put it all together
that just means that someone's trying to
get you to click on a link or a file
by sending you a text message
so I've got 4 easy steps
to hopefully help you and your family members
not fall victim to the fishing lure that comes over
SMS text okay
so when you get his text
they're probably gonna say something like
your Amazon account has been compromised
we're alerting you
you need to click here to validate
that this activity is you
so step number one
don't click on anything
just take a breath just
just breathe
just breathe
and step number one's important
because that's the whole
ploy of how the trap works
is to get you
the viewer to have initiate an emotional response
by going oh
home alone face
and then clicking on the link
and then trying to validate whether or not
your password still works or not
or your accounts been locked out
and that's exactly
how they lure you into stealing your data
so number one
take a breath
don't click number 2
doesn't matter what services it is
Netflix Amazon
whatever they're claiming that has been
the electric company
or electric's about to get turned off
whatever the scam is coming to your phone
just after you
take a breath
find out with us
if it's Amazon
we'll just go over to your nifty difty computer
and try to log on to Amazon
can you still log into Amazon
if you can probably
good chance it's a scam
okay so step number 3
right after you've logged in
you can just go right over there
and delete the text message
free and willy nilly
you don't have to worry about it anymore
and step number 4
make sure you pass this information on
to somebody that you care about
or that you're friends with
or slow shits
somebody that it'll help
and so those are the 4 easy steps
again number one
take a breath
don't click number 2
go to the source
they're saying this
and compromise
to try to log in
number 3 go back and delete the text
once you validated
it is indeed a scam
and number 4
pass the goodwill on to somebody else
so that we can limit the amount of
individuals that are
falling victim to this type of attack
remember no if you
if your account is compromised
they're not gonna tell you it's compromised
you're gonna find out it's compromised
when you go to log in
and you can't
and then you find out
that you've got a whole bunch of weird
stuff on your Netflix
stuff when you change your password
so remember that the IRS is not gonna call you
they're not gonna send you emails
anybody who
cares about calling you is going to leave a message
so if they don't leave a voice message
it's probably a scam
or a telemarketing call
from Silent Sector
so you can go ahead and
ignore that
all right well
that was helpful
shameless shameless
negative plug
I'm just kidding
we don't scam your phone like that
but if we do
you should answer with that
I hope that's helpful
from Laros Corner
back to the greater part of the room
what are we talking about
this week it
just one quick thing
the new iOS
on iPhone does allow you to report those as junk
when you switch
it does yeah
so that's kind of a nice feature
totally nice
Tim Cook yeah
it's part of the reason why
most of my friends can't get a hold of me the day
either well
outstanding
I like what you said there Laro
about sharing the love
you know get
get this get this message out
I think that's critical and
and yeah we don't
we don't phone
spam people
whatever you want to call it but if I
if I had $1
you know being in the cyber security industry
and other people
and with cyber security companies
probably have heard the same thing
but if I had $1
for every person that's
outside of the cyber security realm
doesn't really know much about cyber security
tell me oh well
you guys should just hack companies
so they have to hire you
to fix their stuff
I'm like yeah
that's very
very illegal
and I don't want to be in prison
for the rest of my life so let's
that's not a good idea but thanks
thanks for the marketing tip
to quote office based
that's federal pound me in the ass
present time
yes exactly
watch your cornhole
right another office based quotes
soap on a rope
so hey we're gonna dive in
talk a little bit about 2023
see where the conversation goes
after a quick commercial break
want even more cyber rants
be sure to subscribe to the Cyber Rants podcast
get your copy of our best selling book
Cyber Rants on Amazon today
this podcast is brought to you by Silent Sector
the firm dedicated to building world class
cyber security programs
for bedmarket and immersion companies across the US
Silent Sector also provides industry
leading penetration tests and cyber risk assessments
visit Silent Sector com and contact us today
and we're back with first podcast of 2023
for the Cyber Ants podcast
3 of us ranting raving
talking about things that lots of people
don't want to say
on their marketing materials and fancy websites but
but we hope it's all for the education
of people that need this information
whether you're technology professional
whether you're looking to get into the field
or whether you're a seasoned cybersecurity wizard
we always hope that there can be
good nuggets of information here
in this podcast
we're going to talk a little bit about 2023
what to expect coming up
and I wanted
I wanted to talk about it from the frame
at least start out from the frame of reference of
let's make it the best year ever
in the cyber security field right
let's make it the best year ever
let's put our
everything we have into it
put our best foot forward
because we need to right
we're in an environment where the criminals
I hate to sugar
I can't sugarcoat it right
the criminals
are doing tremendous amount of damage there
and that means they are winning right
as long as they're doing damage to our economy
to other economies around the world
to good people
they are winning
they are getting what they want
so we don't want to pay ransoms
we don't want to let them win
we want to empower our nation and other nations
to really get out and do that right thing
and that starts with
with what every single one of us do every day
so if you look at
any type of ultra successful athlete
or whatever it is in their profession
that indicators of success
are not the
winning the gold medal right
that's a lagging indicator
right that's kind of
the proof is in the pudding
but it's all that work they did leading up to it right
it's those actions
those habits they developed
and those things that they did
day in and day out
that made them better
and the same is true in cyber security
for individuals
and for companies
so I'd love to hear your thoughts on that
as we dive in here a little deeper
talk about what organizations can do
to really step it up
and then cybersecurity professionals
and it professionals as well what
what they might expect
I mean economies change
and things are happening
so I'll pause there
because that's
I've got could talk all day about this stuff
but do you guys have anything you wanted to
kick off with
you're passionate
I like that
you're the bad guys
you know there's no reason that grandma
should be getting the Smsing
smitching attacks to her phone
while she's trying
to bake us all pie for Christmas
there's just
there's just no reason for that
it's a good
personal attack on all of us
poor grandma
yeah so going forward for 2023
there's a couple things that
those of us have been around a long time in this
in the it industry
like Laurel and I
we've seen a lot of things when the economy
you know varies
when it dips
when it raises
when you know
when it's good
when it's bad you know
depending on whatever your perception is of the economy
but inevitably there's going to be layoffs
you're already starting to see it
in some of the big tech companies
which is a concern
just one piece of advice
to those people making those decisions
be very careful on who you eliminate
keep your cybersecurity people in place
if at all possible
simply because
they're irreplaceable
there's a skills gap
there's still a ton of open it security jobs
you're not getting them back
so you're going to have to go and pay consulting
like Silent Sector
more than you would for a fully burdened employee
to replace that employee
and it's just gonna
you're not gonna save money in the long run
in doing it that way
you need to be wise
and what you decide to
to eliminate
that being said
there's a lot of opportunity right now
because the cyber criminals are
they're running wild
there's a lot going on
I think my you know
smishing and fishing attempts have increased about 25%
since December
um so it's getting crazy out there
so be very careful in your cyber hygiene
now if you're building a cyber security
practice right now
or trying to get ramped up
the layoffs are actually an opportunity for you
because there will be resources
out there available for you
one man's trash is another man's treasure
exactly exactly
so so it's good just
just you know
like that one article said
make sure you have the right people
with the right skills in the right place
otherwise you know
you're just victim at that point
that's my you know
little rant here
no that's good
that's good
and I think that there's a lot of security
professionals that might be listening to this that
you know have that
they have that pit of stomach
going into work
right sometime this week
wondering if they're gonna be on the list for layoffs
and you know
like true right
where one door closes
another one opens
I think this is an opportunity to
you know move away from an employer who doesn't value
your skill set
or your you know
your position
and find another organization
that really does appreciate
the skill set and
and the position that they're going to put you in
for cyber security
because you'll be able to tell right now
and like Mike said
we've been around long enough to kind of see the shake
out it's all about shareholder dollars
right and so
companies don't perform
one of the easiest ways that companies show
that back revenue from losses
is to reduce
and reduce staff
so it typically starts with your outsourced developers
and it starts bleeding into it
so if you've got BS
maybe they'll say
you only need 2
or if you've got 5 security guys
maybe they say we need 2
so be prepared for that
and I say don't
if you're a security professional
or even an IP professional
you've got a solid skill set
you're not gonna be without a job
you probably actually already working multiple jobs
Haha so I'm pretty sure you're gonna be okay
so don't fret
this is something that happens
and look at
is an opportunity for you to go to an organization
that will appreciate
what it is that you bring to the table
just good kind of couple
I said that I hate to
I hate to bring
bring up the
the negative
but the reality is too
in economic crunch times
especially in other countries
but right here in the US
those people that feel like they're not making it in
corporate they still need to feed their families right
and they'll do anything to make sure that that happens
and there will be a segment
and hopefully it's a very small segment
in massive layoffs and all that kind of stuff
that go to the dark side
so if you're thinking about that
call us so we can talk you off the ledge
you know but don't jump
but that we can help you
and that's why you see
and we're very blessed here in the US
to have what we have
but that's why
you've seen a lot of impoverished countries
people are doing
they're doing more work on the dark side of things
than they are on the white hat piece
it's unfortunate
but that is part of it
and as such
when there's an economic downturn
that means the
the cybercriminal organizations get empowered
with additional talent
so keep that in mind
it's only going to
make make a higher demand right
for good cybersecurity professionals
protecting organizations
when we saw that during the 2020 lockdowns
to the COVID lockdowns is that
that's really when cyber security
cybercriminality spiked
it really started to spike at that point
and I think there was some statistic
where more data was stolen
in 2020 then there was from 2015 to 2019
something like that
I could be wrong on the absolute number on the years
but it was pretty serious at that time so
but hey let's not be doom and gloom
let's talk about what you can do to survive
during this time
what can you do from a cyber security practice
so there's things you can do
increase your training
you know because criminality is going to increase
increase the training of your resources
even the low level
employees need to know how to spot a fishing attack
how to spot a BC attack
how to know about social engineering
those sort of things
so you can do that
that's a minimal cost
training doesn't cost that much
get an online thing
don't don't just have some guy show up and
give an 8 hour seminar and expect that to stick
you need the actual practice
like Zach mentioned
of identifying these things
and getting the muscle memory in place
keep your patches up to date
keep your you know AV going
don't cut those kind of critical tools now
don't go necessarily up and go buy some brand new tool
that promises to solve the world for you
and that's I think we're gonna see that too
a lot of tools promising that they can
solve all your cybersecurity problems
are gonna be sold during this time
and you still aren't gonna
without people
you still aren't gonna be able to leverage them fully
and I think that's concern right now so
oh super concerned
I mean I think even now
statistically
what we see from organizations we've served and served
is that capabilities
and tool products that are purchased on the budget
are best 50% utilized for capability
it's very difficult to get 100% out of your tool set
and then when you again
like you said Mike
you have that knowledge gap
that might occur too
so that's all good stuff man
I want to throw in there that um
to be proactive for
for 23 if if you haven't already
start a risk register and um
get a cyber security council going at your organization
now this isn't for
you know the massive
you know the Twitters
and the Facebooks of the world that listen to us
and you know
the metas of the world
that come here for advice on Fridays but
or Mondays or whatever
this drops right
this isn't for you
but for everybody who's starting up
trying to get momentum for cybersecurity this year
knowing that this is maybe a New Year's resolution
or to do new things in cybersecurity
maybe get greater budget
what we always say is that none of this
manifests without pointing out the risks first
which is a lot of reasons
that will conduct an enterprise cyber risk assessment
that includes a penetration test
you have to have risks to bring to the table you know
just like a doctor is going to show you elements
after a CT scan you know
we're going to bring this evidence to the table
in the form of a risk registry
just start right now and say okay
we don't have antivirus
risk we don't
we everybody has administrative privileges
to the workshops right now
okay risk let's see
what's another one
oh yeah we're not
we're not looking at any logs
or doing any kind of logging of any kind
or have any kind of SIM or any type of reactive logging
at all do risk
let's see we only have Windows 2003 risk
yeah we have one DBA
and he's got the keys to the kingdom risk
you know what I mean
I got one outsourced it guy
and he's the only one that knows
anything about my business risk
so take all these things
put them on a risk register
and take it to leadership and say by the way
these are the risks
that I've identified for the company
do you agree with them yes or no
if they say yes to any of them
you can just point the finger and say
now you're part of the Security Council at my company
and just do that with the other executives
you know I like to hit the CFO
usually second or 3rd in that
in that line
but if you go to the attorney
the corporate attorney first
or even your CEO
or even the vice president
point out those risks and say hey look
I've taken the opportunity to identify our cyber risks
on this risk registry
I think it's a good idea for us to look at this
at least once 1/4
and try to come up with some form of a plan to
not have these risks as a business
so I think that initial proactive piece
will not only give everybody the same playing field
of understanding of what risk is at the business
but also now you can
you can hold the people accountable
because now they kind of know
once you show them the paper
once you show them the paper they say
we're not doing that
yeah wow that's crazy
I didn't think about that
you're on the Security Council now
we have to do something about it
so the longer best possible
you like it yeah yeah
and everybody
of course in mid market
smaller companies
limited resources
limited budget
so they're going to have to prioritize those
they're going to have to say
hey this risk
it could be the most detrimental to our company
so it's easy to get caught up
and there's a lot out there about threat intelligence
and studying threat actors
and that stuff
and that's all good right
that's all important stuff
but the reality is
just because something's a big threat out in the wild
doesn't necessarily mean that's going to be the most
detrimental type of attack to your company
so you need to think
well what is it that's
really at risk here
prioritize those
and then make sure that you're getting the best
of those resources
based on the risks that you have
so it because it is easy to get caught up
in you know
what's big in
the cyber security news and all that
as far as what's going on out there in the wild
but consider
for your organization
specifically
and I would also just add to that
we have to make
especially with limited resources
we have to figure out early on in the year
well what are the things that are going to be
the most beneficial for our company
and I would say empowering your people
and each one of you
if you're listening to this
you're probably
the type of person that's always growing
continuously improving
in your career and other areas of life
but figure out
what are those things
I'm going to get better at this year what are
what am I going to commit to
how am I going to do that
what am I going to do each day or each week
to work toward that objective
and then same for the team
and obviously for the company
I mean most companies set goals and whatnot
but make sure it's happening at a
at a granular level within your cybersecurity program
maybe maybe that's numerical
you know maybe it's something like a NIST alignment
maybe you're 75%
you want to get to 82% or whatever it is
set those measurable benchmarks
and start working toward them throughout the year
so I know it's basic
basic stuff
but it's amazing that
you know I mean
a lot of organizations don't do that so
no they don't
I think you brought up something good
because CIS version 8 is asking for threat modeling now
for the exact reason you specified
and vulnerabilities
and vulnerability management is a big challenge
especially in organizations that are small
and have few resources
so Mike and I've always talked about the re ranking
of vulnerability strategy
and you do that with
you know we did that before with
with an architectural model of risk for the
for the specific organization that we're working with
CIS is calling that a threat modeling exercise for you
and it's a great exercise because
you know something
that is an example
something like
like not like
Windows would ever have a vulnerability thing
but if Windows did have some crazy RDP vulnerability
that you could exploit
if it was exposed
that would might be a big thing
and you're gonna get this vulnerability alert saying
hey you got a patch
just someone can hack in and get you
well not necessarily
it depends on their architecture
and that's why you do the threat modeling exercise
so you can understand
what exposure you have to external entities
versus what exposure you have to internal
trusted sources
and it'll help you determine the validity
of some of these
you know urgent
critical patches
especially if you're a constraint on resources
patching and that type of activity
can take up a lot of time
especially if systems are sensitive or deprecated
and you've got to do a lot of testing
before you can patch
this can be your entire life
and I can hear the tears coming out of your eyes
as you drive down the road today
I know I feel your pain
so by please you know
do the threat modeling exercise
I think that in CIS
great if you don't adopt CIS
and that way you can do the risk ranking
you know re rank the risk for the vulnerability
vulnerability risk re ranking
so I can't get that out
it's a lot of ours
it's not working today
risk vulnerability risk re ranking
wow that's a lot
love how they keep rebranding things like dev SEC
ops and threat modeling and stuff like that
was SEC ops dev
is it now dev SEC ops I was
and then what's it
threat hunters and you know all that kind of stuff
and it's like
yes the stuff I've been doing since 1993
yeah we just called it work back then
yeah like supposed to do it
it sounds so much cooler though
when you put a new label on it
right that's
well I should be a video game
totally should
and if I can be completely transparent here
with the listeners
our penetration team at Silent Sector is called
the Threat Hunters
Guild of Technical Assessors at silence ever so yes we
we too have adopted the new
it does sound cooler
it's easier to attract talent
when you're a threat hunter versus
you know just doing plain old pen testing
oh yeah when everybody that works for
he's under 25
you kind of gotta
you kind of gotta do that
why still wear Chuck Taylor man I gotta be relevant
you know what I mean
I've got the more mature team
translation older
seasoned with seasoning
one of the things we're still seeing
sorry to switch gears here
no please keep us
but I gotta bring it up I
one of the things that we're still seeing
because we get calls about this all the time right
we get good tech professionals and companies
you know Cios and stuff like that reaching out
and they're like hey
you know we're doing all this stuff and we got a great
you know we got all the fundamentals of program going
and we need to go
uh tour you know
I think we need to go toward sock 2 or ISO 20 7001
and then the the
and so they're ready to go there
they're chomping at the bit to make things happen
and then there's still the leadership still
in this day and age it just
well you know
the leadership of the company is not so excited
they're you know
they kind of want all this stuff to work
but don't really want to stand behind it
so any we should come up
maybe on this podcast maybe not
but maybe we should come up with a new age term
or a methodology
because I think that's one of the biggest things
plaguing organizations
we work with so many smart
tech people in these companies
they you know
they have a great handle on things and what to do
but getting it through
the leadership teams is always
always seems to be a struggle for
not always for most
for lots of organizations
you know it's like
they could have done these initiatives years ago
but know the executive team
maybe isn't giving them the support they need
so any new ag
New Year concepts
anything that you've seen
that's worked extra well in recent times
to translate that message
and get some
get some power behind the
the technical teams
well the cyber
cyber evolution
gatekeeping
that's what I'm gonna call it
there you go
well I was gonna say
so one of the things
you know just a message to leadership
is that you know
the people that got fired at the target breach
weren't the it people
it was the business management people
that didn't greenlight
the threat Protection
so keep that in mind it's
you may not be an it
but if you're signing off on that risk
and you're saying
oh yeah it's fine
what's going to deal with it later
it's your butt on the line
you know it's it's
you're the one that's
they're gonna
the stockholder come after
if you're the decision maker on that so good
and and that's
that's a really good point Mike
and I'm gonna add to that
what a really wise
cyber security mentor of mine once told me he said
you may say cybersecurity engineer in your title
but you're just a consultant
he's like so
write everything you do down
document everything that you suggest
keep every email to leadership
every statistic
keep everything that you know
you've you've tried to portray the story Mike
and I know this battle right
where you tried
you're trying to
to be to gain reason
through cyber revolution right
of the business
and how good that is
and you're getting met with resistance
just keep all that documented
that way when
there's an issue
you can hand over the little folder
and you can go on about your business
hopefully under new leadership
that does you know
follow the evolutionary steps of
cyber security
one thing going back to the risk register too
is make sure you assign the risk to the right people
I mean how many times have we been in companies where
you got some it guy pulling his hair out
because he's got deprecated systems
that he can't replace
because the business won't allocate the resources
to replace him
or the funds to replace him
and they're trying to say
it's your problem
you're the reason we're failing the audit
when in reality
it's the business that holds the purse strings
so that isn't letting them
fix the problem
so I have a theory here
I'm gonna throw out here
I think this is a mindset
I think there's individuals in leadership
that are just
resistant to
anybody else's good idea
if they didn't come up with their own
case in point
my dad drives a truck
large civilian
or commercial
truck that pulls rock to building sites
okay this is his
retirement job
don't ask anyway
so he's working for a
rock and Sam company in Texas
and they have a
that you know
he has this
really like
1978 Kenworth
like day cab truck
problems he's broke
every time he talks to me
he's broke down
on the side of the road
she's when he calls me he's like
Yeah I got time
waiting on the tow truck
and I'm like
what is going on
this company clearly
uses this vehicle
to make money
but they won't care
for the vehicle
in the proper place
so the engine
need to be overhauled
okay I'll be real quick here
I know I'm going off task
but anyways
this is an 8
cylinder diesel
they took it
all the way down
you know what they did
they replaced
2 cylinders
and put it back together
and guess what happened next week
it broke down again
you know and so
it's like they
they're coming up with
these crazy
ridiculous ideas
in their head
on why it's a bad idea
to spend the money
and what the return on investments gonna be
and what's happening is
they're continually
tripping over their own feet
causing not only risk
to be inherent
in the nature
of what we're talking about here
but but also
again responsibility
and like like Mike said
you don't have that plausible deniability anymore
once you've accepted
that you understand what the risks are
especially if your people are bringing you that
so I think it's a mindset
and it's hard to get around that for individuals
so again you know document everything that you have
and try to circumvent those who block you
I remember one of our clients actually told us
don't put that in email
yeah yeah like what
he's like I don't want it written down anywhere
yeah yeah he doesn't want to know
yeah but but we have to yeah
Yep once you know you can't unknow it is there
but you know another thing that can help too
is there are methods to
translate cyber security into dollars and cents
and sometimes this is kind of a
a method to get the point across
is just show
in terms of dollars and cents
what a breach will cost
right and and just because you have cyber insurance
doesn't mean it's
historically speaking
and all the data that's out there most time
it's not going to cover all the cost of a breach
so the organization has to know that it's self ensuring
some amount in the event of a breach
and they're gonna have to come out of pocket
a significant amount
not to mention other things
like brand reputation and that sort of thing
so my advice too would be to translate a lot of
a lot of times technical teams
they talk about what they want right
we want you know this Sam
or we need to
you know do
do you know
we need more help in certain area
but they're talking in their terms
rather than the leadership terms right
so we want to
so start talking in terms of
you know company reputation longevity
brand credibility
shareholder value
all of that
and be able to do some research
show why cybersecurity
cyber risk management is critical to that
you know there's a lot of case studies of breaches
and where you can see companies going downhill
but there's also more and more out there
if companies using cybersecurity to really
put their best foot forward
showcase themselves as industry leaders
a safer bet
for their customers than other solutions out there
and so there's a lot of benefit
that you can talk about in leadership terms
that's not necessarily technical terms
or I need this
I need that right
if you say just
you know I need this
they're not necessarily going to know
they need the y behind it
they need a deeper y
and it's got to be their y
it's got to align with the company's mission overall
and objectives for the year
so so think about that
and then another thing too
that I see in
and just you know
people we interact with all over the country
is that there's a
and this is always evidence in Q 4
there's this thought of
well we're gonna get it done this year
and that may be true
but this year might be me
that might mean December 26th through
through December 31st
and that's when it's got to happen
and everybody's jumping through hoops
when that stuff could have happened back in June
and so think about that
one thing I would encourage people to do
it's actually an excellent
excellent book
it's a book called the 12 Week Year
and it's a concept of breaking the year down into
12 weeks being ultra focused
and very specific on what you're doing
and cranking through fewer initiatives
but much quicker than you would otherwise
there's also
you know you could compare it to 90 day sprints
and the different methods out there but
point being
let's look at this quarter
let's look at exactly what we can power through
and what can we get done that we historically
wait till the year end
or stuff that catches up on us
what can we start doing right now today
and get that done early
because then that leaves
the later half of the year to really start innovating
creating more capabilities
better training for the team
all of that
if you get some of those must DOS out of the way first
so that would be something
I would encourage people to do
because I just see him
just waiting and waiting and waiting
and it's still got to get done
but then it's almost too late at that point
and it becomes more expensive
because every cyber security firm is just slammed
at the end of the year right
because of these last minute compliance requirements
and stuff that just have to happen
but didn't do it early on
so you might get a better deal too
doing some work early on
so well yeah
that budget you have to burn
you still have it
you have it in January
might as well burn it down
you know by the way
there's another book that you can use to reference
called Cyber Rants
I think it's called that
you know I think you're right
might be valuable as well
available today on Amazon com
she must plug in
well um yeah
that being said
I think we covered a lot of good stuff today
I'm looking forward to 2023
I think we talked about some of the potential
economic shifts and that sort of thing
most of the stuff that I read
that most of the economists out there
see that there's some sort
they believe there will be a shift
but not detrimental
you know not something like we saw back in you know
2009 time frame
yeah 8 o 9 but you know
a correction
I think we're long overdue for it so I
I think as individuals
what we can do is just put our best foot forward
keep going get meticulous with our time
learn constantly
be learning
surround ourselves with good people and
and keep driving forward
but that being said
let's have a great 2023
Mike Laro anything you want to leave
the listeners with before we jump
just please take
take Mike and Zach's words
and do your penetration testing stuff
budget early in the year
so I don't have to work on Christmas again so
please do yes
we love you
we will help you at the end of the year
but Zach's absolutely right like
there's a lot of organizations that wait till the last
last 2 weeks of the year to try to get the stuff done
we will we will I promise
I'll take my shirt off my back and help you
but you can leave it on
that's okay
well thank you for listening to the Cyber Ants podcast
hope you have a great 2023 as always
please if you like our podcast
rate it subscribe
share it with other people that
and peers and such that could benefit from this
and if you go to Cyberrants podcast
com or any podcast platform that you like to use
scroll through the episodes
check out we have
so many episodes on all kinds of different topics
so if you look
if you need to educate leadership on a certain topic
or you need to
or somebody on your team for that matter
whatever it might be
find it in the podcast list and send a link
it's really that easy
and we try to take some dives into all kinds of
different things
so again cyberands podcast com
there's also a web form there
you can submit ideas for future episodes
questions anything like that that you have
and we want to hear from you
so it's our goal to help you grow and thrive
and that's what we're here
that's why we do this podcast really
that's what it all comes down to
so Happy New Year
have a great 2023
we'll see you on the next episode
pick up your copy of the Cyber Ants
book on Amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at
silentsector com
join us next time
for another edition of the Cyber Rants podcast