Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall
 

 

Episode #81 - An Unreasonable Fear of Cybersecurity Professionals

Unfortunately, there are some IT professionals who feel threatened when a 3rd party cybersecurity team is engaged. While it's the exception rather than the norm, there are both in-house and 3rd party IT professionals who become uncooperative, feeling as if security people are trying to poke holes in their work. While many IT professionals are very accepting of cybersecurity support, it should never be the case that anyone feels threatened. IT and cybersecurity are complementary disciplines. Good professionals not only strengthen the organization, they can even help each other grow in their own careers.  This week, the guys share stories about walls going up and tensions growing, how to break down emotional barriers and eliminate the fear for better collaboration, the different personality types, valid sources of concern among IT professionals, and why nobody should ever feel threatened when their organization brings in quality cybersecurity support.



Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

“WECHAT” VENDOR WARNS USERS DATA IS SENT TO CHINA

This 'thermal attack' can read your password from the heat your fingertips leave behind

Intel Confirms Source Code Leak
Fortinet warns that critical authentication bypass flaw has been exploited

Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched
Google Forms abused in new COVID-19 phishing wave in the U.S.

Toyota discloses accidental leak of some customers’ personal information
Caffeine service lets anyone launch Microsoft 365 phishing attacks
LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware
VMware has yet to fix CVE-2021-22048 flaw in vCenter Server disclosed one year ago
A New Wave of PayPal Invoice Scams Using Crypto Disguise

10103417-small

Send Us Your Questions & Rants!


welcome to the cyber rants podcast
where we're all about sharing the forbidden secrets
and slightly embellish truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
mike ratando
zack fuller and laura chavez
hello and welcome to the cyber rants podcast
this is your co host zack fuller
joined by mike ortondo and laro chavez
today we are talking about something a little different
i don't think we've covered this before
but it's relationships
relationships
everybody loves relationships right
the good ones
the good kinds right
but we were specifically talking about
relationships between
the it professionals and cyber security professionals
we all know there can be some tension from time to time
some it professionals are very open
and excited to learn from their security counterparts
and others not so much
so we're gonna talk about that today
explore it a little bit
but before we do
we have the newsman that everybody knows and loves mr
mike ortondo
good morning
and welcome to the news
wechat vendor warrants users
data is sent to china
wechat is an extremely popular mobile payment
instant messaging
social media smartphone app that is rapidly become
the world's largest standalone mobile application
it was developed by tencent
in the chinese company
a large number of non chinese induros
use wechat on their mobile devices
the chinese social media platform wechat
is warning users outside china
that their data will be stored
on the servers inside the country
a number of overseas wechat users received
a notification on september sixth
warning that personal data
including likes
comments browsing and search history contents
uploads etc
will be transmitted to china
this one's a little scarier than that story
although that one's a little uncomfortable
thermal attack
can read your password from the heat your fingertips
leave behind
researchers detail an attack technique
combining thermal imaging and ai
in one that increased access to innovative technologies
will be used by cyber
abused by cybercriminals
computer security researchers
say they've developed an ai driven system
that can guess computer and smartphone passwords
in seconds by examining the heat
to ensure that fingerprints leave on keyboards
and screens when entering data
called thermal secure
this came from the university of glasgow
they developed the system to show how the following
price of thermal imaging cameras
increasing access to machine learning
and ai algorithms
are creating new opportunities
for what they describe as
thermal attacks
it's going to be used on computers
smartphone screens and atms
so you put your password in wrong a couple times
intel confirms source code leak
intel has confirmed that the alleged
leak of its alder blake bios source code is authentic
potentially raising cybersecurity risks for customers
last week the firm's bios uefi code
was apparently posted on fortune and github
and repository called ice t bios
this repository contains about six gigs of files
source code
private keys
chain logs and compilation tools
in the statement to tom's hardware
and intel spokesman said
our proprietary uefi
code appears to have been leaked by a third party
we do not believe this exposes
any new security vulnerabilities
as we do not rely on
obfuscation
of information
as a security member measure
this code is covered under our bug bounty program
within the critical
within the project circuit breaker campaign
and we encourage any
researchers who may identify potential vulnerabilities
to bring them to our attention
it is currently unclear
how the surf code was accessed
and who was irresponsible
the leak relates to intel's twelfth generation
intel core processors
fort net one warns that
critical authentication bypass flaw has been exploited
cyber security and infrastructure security agency cissa
has added a fort net critical flaw to
its known exploited vulnerabilities catalog
for now revealed an authentication bypass which is cde
twenty twenty two
four zero six eight four
that a patch last week
was already being exploited in the wild
the firm has released updated updates for ford os
ford a proxy for the switch manager to address the flaw
which affects several of its security appliances
so long story short
patch your stuff if you have fort net
hey guess what
microsoft addresses zero days
but exchange server exploit chain remains unpatched
microsoft didn't fix proxy
not log on in october's patch
tuesday but it disclose a rare ten out of ten bug
patch and and patch two other zero days
including one being exploited
for its october patch
tuesday update
microsoft addressed a critical security vulnerability
which is cve twenty twenty two
thirty seven
nine six eight
and its azure cloud service service
carrying a rare ten out of ten rating
on the cvs vulnerability severity scale
microsoft also passed two important rated zero day bugs
one of which was being actively exploited in the wild
and further
there may be a third issue
and sharepoint that's also being actively exploited
notably however
that microsoft did not
didn't issue fixes for the two unpacks
exchange zero
existing server zero day bugs
that came to light in late september
the new zero day confirmed as being under exploit
is cve twenty twenty two
for one o three three
it's an eop vulnerability
in the windows com plus event systems
it carries a seven point eight cvss score
the windows com
event system service is launched by default with
operating system
is responsible
for providing notifications about log ons and log offs
the ten out of ten bug
which is cb e
twenty twenty two
thirty seven
nine six eight
is an elevation of privilege
and remote code execution issue
that could that could allow an unathanitated attacker
to gain administrative control over azure
arc enabled kubernetes clusters
it could also affect azure stack services
if using these type of containers
with a lower version than one point five eight
one point six one nine
one point seven
dot one eight
and one point one eleven
upgrade immediately
lastly google forms abused
a new covid nineteen fishing wave in the us
covid nineteen theme fishing messages
are once again spiking in the us
following a prolonged summer hiatus
that appears to be over
according to a report by email security company inky
shared with leaving computer before publication
the mall spam
volumes have doubled in september
compared to the previous three months
and are set to rise even more
and the latest attacks
fishing emails
impersonate the us small business administration
abused google forums
to host fishing pages that steal personal datas
details of business owners
the lures used in the fishing emails are for pandemic
financial support programs like paychecks
paycheck protection program
the revitalization fund
and covid economic injury disaster loans
the emails enticed recipients to apply for the program
by clicking on the embedded button that takes into a
google forums page
toyota disclose an excellent leak
of some customer's personal information
there's a service out there called caffeine
that lets anyone launch microsoft
three sixty five
fishing attacks
lock bits going after microscopic exchange
vmware has yet to fix cve
twenty twenty
one two two
o four eight
so keep that in mind
and there's a new wave of paypal invoice scams
using crypto
disguise with that laurel
thanks mike
well got a couple things for exploits today
and i'm gonna tag one on that
you were just talking about the authentication bypass
it's out there for the fortinet
fortigade and fort proxy
this is the web application system
this part of this
is going to allow you to log and manage these devices
i've seen some exploit codes out there
to bypass the application on these
so if you're exposing these gateways
you should not be exposing these gateways out
to the public internet
if things right
you should have vpn access
before you can get access to these particular things
so it does limit the threat to internal only
but if you do have those
as mic stated please
please patch your ford net devices
and seconds a day is for pulse secure
there is a unauthenticated denial of service out
for several of their products
if you're using the avanti connecticure
or the neuron zero trustee gateway
those sorts of things
you're gonna want to patch
so get with pulse secure
find out what the most recent update is
it looks like it's gonna be twenty two or twenty three
r something
so it doesn't
it's kind of not specified here
but i have seen the payloads for two of the products
including the zero trust gateway
and the avanti neurons
so make sure you are patching those
these are typically
exposed to the public internet of things
and these are unauthenticated attacks
meaning that they're
doesn't need to be any authentication place
for an attacker
to reach out and cause a denial of surface
to these applications
that may simply require a reboot
and that may
in some cases
destroy data
when you reboot
so make sure you patch those systems
and that is all i have for experts today
zach interesting topic for the day
feels right
yes yes feelings
emotions well
thank you gentlemen
as always excellent job
and we are going to take a quick commercial break
and right back
want even more cyber rants
be sure to subscribe to the cyber rants podcast
get your copy of our best selling book
cyber rants
on amazon today
this podcast is brought to you by silent sector
the firm dedicated to building world class
cyber security programs for bin
market and immersion companies across the us
silent sector
also provides industry leading penetration tests
and cyber risk assessments
visit silentsector com and contact us today
and we're back with cyber rants podcast
if you haven't checked out the book
cyberrants com
has a link to amazon
and you can get your book there
but we're going to talk about something
today that i think is affects
affects a lot of different people around the country
and we see it because of the nature of our business
being cybersecurity professional services
but we'd love to hear
from various it professionals
your thoughts as well
so this is one of those episodes
we just like
always love your feedback
love to hear about your experiences
but the issue is this
most of the time
going into an organization
they're in house it team
or they're welcoming and
ready to go
especially those more sophisticated
more mature
it departments
they know that cybersecurity
is complimentary to what they do
and enabler to help them
implement quicker
in a safe and secure manner
sometimes the emotions run
run high and there are certainly situations
and i would
i'm curious to hear what you guys think
but i think it's
more often with the small business realm
with certain managed service providers
or certain individual it consultants
where we see some hesitations
some walls go up
things like that
and i could
i could understand why
i could put myself in their shoes
and they're probably thinking well
cybersecurity people are gonna come in
and they're just gonna try to poke all these holes in
my work you know
they think that's what we're incentivized to do
or something like that and
and so i want to start by saying
first of all that's not
not the case at all
our objective today is to dispel that myth
and talk a little bit about how we work together
so as we dive in
do you guys have any particular observations
or any situations that you want to share
that you've seen out there
that kind of hinders progress and such
when you get that
maybe that tension that sometimes occurs between it
and security professionals
well as an expert in feelings
i can tell you that
i've seen that a lot
just the way you say that mike
i can tell you're an expert in feelings
yes i am all about touchy feely
warm fuzzy anyway
long story short yes
we see that every time i come into a client
well not every time
there's always some sort of apprehension or attention
when you come in and you're dealing with a client
that has an msp in place
or in house it
that built their entire infrastructure
and is very proud of what they've done
and all of a sudden
the security company shows up
and they're like oh
they're gonna check everything
and i miss something
and i don't you know
or there's fear
or there's just flat out just
i don't want to work with you
i'm gonna ignore you
i'm gonna talk you
talk about you behind your back
because that's happened too
that that is something that is prevalent
in the industry and
and and unfortunately
that is one of the biggest hurdles you have to overcome
when you come into a new company so
feelings what can you say
yeah i think that
i certainly think that there is a natural
there's a natural
i think there's kids okay
for an it professional or a firm
to have a natural apprehension to having someone
and come in with a looking glass
because i think that
that is one of the nature of our jobs
right is to
we have to understand the risk to the environment
and that that does involve some of the it
flow print ride
quite a bit of it
that from the network architecture
to system architecture
software delivery
we're looking at all these processes
and so no one's perfect
and you know
we shouldn't
we can only really achieve to be a hard target
where risk is reduced enough that we can
we can at least
put it over in the corner and focus in just enough
right where we know that the one weak spots over here
and we understand it
versus having no weak spots
which is probably hard to get to
so i think that they're there
there's a you know
there's a nervous setting that they have
when we come in in times
because they feel like we're like my
except we're gonna poke holes and everything
but i also think that there's the other thing where
i think a lot of it's inherited
and so i do think that we do get pushed back
when some of the it teams are small in nature
and they've been with the company
for a really long time
and they've built the architecture from scratch
and it's had several evolutions
and i think those seem to be more
i guess resistant
to allowing
the integration of cybersecurity and
information technology
to better reduce the risk with a business
companies that inherit it
and individuals that come in
and they're
they're doing it systems administration
and they tend to have
have to have inherited a lot of this
i think they're a lot more willing to accept
cyber security professionals to come in
because they're looking for help
and identifying
because it's too much for them to analyze at the time
they're simply keeping the lights on
and so we can provide that extra lens to
where the other places of high risk may be
that they may not have been able to see yet
yeah you know i have
there was a
gentleman i know from one of the scar shops i go to
an expert in training people
he was one of the
in the seventies and eighties
and did a lot of research on how people interact
and one of the things that
one of the comments he's made
that always sticks with me
is that it people would rather have you
tear them down personally than attack their work
and i think that's something we come across
when dealing with the msps
yeah so yeah i mean it's
i have to credit that to frank hilton so
but he so yeah
you know i do want to dispel the myth
you know we're there too
and we're professionals right so
we're used to dealing with difficult it personalities
we're used to dealing with all types of personalities
because we're all
we see you know
we're all in the same team right
we're all moving to the same goal
and we just need to
you know we just need to get you
you know into the uniform in that whole bit
so we're very excited to be on board
and i do want to displace them
just like zach said
we're not there to poke holes and things
we're not there to be critical
about the mistakes that you've made
that's not constructive in what we're doing
if we come in and
or if a cyber security professional friend comes in
they start tearing you down
this isn't the firm you want to work with
you know mistakes are going to be there
there's a way to identify those mistakes
and talk about why it's important to fix them
without belittling the individuals that may or may not
have even had a role in making that mistake
again a lot of these things are inherited
and you got to understand
also that it and cybersecurity are
unfortunately
i don't want to call it that
but there are hot targets for the business
because the big business is trying to sell something
they're trying to make money
and it can sometimes be a gatekeeper
for that money to be made in a quick manner
because of things
and there's a lot of it
professionals that are out there screaming
the cyber street needs to be done
in the business
is telling them to shut up
and we need to do speed the market
because we're trying to make money
and make investors happy right now
so a lot of the professionals that come to us
are from the it
realm that say hey look
we need assistance
because we need to make this important to the business
they're not listening to us
and so a lot of them want us to come assist them
and do a risk assessment
and then present that to the business
so that they can have that third party
at the station to say okay look
the it team's giving me the info
these individuals give me the same info
i probably need to make a decision here
that's not gonna
you know so it doesn't cause the demise of this company
so we are there to integrate with your teams
we are there to work well
and we are there to
even work with the difficult personalities
but we certainly do it in a manner that doesn't
call out the mistakes
in a way that point fingers and belittle people
because that does not make progress happen at all
yeah the yeah
the other thing too
there there are
there are certainly
those cases where there are attention
but there are a lot of times as well where will
where we are
are welcomed with open arms
because the it professionals
whether it be in house or third party
or independent consultants
whatever it is they
a lot of them do realize that hey one
nobody can be an expert in everything
right and two
if a breach does occur
then i'm the only one to blame
right now right now
if we have a third party security firm come in
then we can say yeah
we've done best efforts
we've looked at all the bases right
and that way
it doesn't all fall in my lap if something happens
and then of course
we run across just the passionate it
practitioners out there that truly want to learn
and cybersecurity is part of that
and so they're excited to have
an additional lens on things and additional support
so i wanted to just point out kind of the different
i guess the different mindsets that people come from
when we do go in to organizations
sorry mike go ahead
completely lost my train of thought
but what you said was very eloquent and important
there are those that do welcome us with open arms
but there's always gonna be some apprehension
but yeah some
some are very happy to have us there
because they know they're in over their head
and they know they're in
they need this done
and they need this for the business survive
they have a compliance requirement
they have a regulatory requirement
they have requirements that say
you know you've got to get this done now
and they know they don't have the expertise to do it
and they really are grateful for us being there
it just seems that there are sometimes
there's just people that are
you know this is the way it was from doing
and i've been telling everybody this is this works
we get that a lot from msps
and not to back on msps too badly
but you know
occasionally you do run across those that
you know the guy that owns the company's brother in law
is taking the cis sp class
so they are a security provider
that is not the case so um
there are so you have to just
you know be very careful with who you select
but you know
i can tell you from a sound sector perspective
we don't want to be an msp
so we very much wanted to stick to the security
side of the house
right we're very interactive you know
with things like questionnaires
if you know
we follow the whole
teach a person to fish kind of methodology
versus just throwing fish at you to cook or to eat
i also think that
you know maybe some use cases are good here
because one of the
i think one of the reasons that it professionals
could be you know
resistant is because they're doing naughty things
and they know that they're doing kind of
and i won't call them naughty
like they're not committing fraud in most cases
but they're certainly not doing best practices
and an example
one of the organizations that approached us
for some work
the it individual
again very resistant
one of the services that was selected
was internal vulnerability scanning
to keep up with compliance and for new threats
and making sure that we're up to date on patches
and we can do accurate risk assessments
and acid inventory and all this stuff
and they were very resistant to that
so the moment that we actually installed the scanner
we identified that the reason
probably part of the reason why they were resistant
is that the business wing didn't really know
what the development team had been doing
they had an environment
and the development leader
in this case was being resistant was
was telling the business one thing
once we got the scanner installed
we discovered
that the operating systems were still being used
were windows two thousand and three server
which is infinitely
dilapidated to say the least
i mean not only is it microsoft it's old microsoft
so that's probably why the individual resistance
so once this all came out then a plan had to be
had to come off of these operating systems
which meant more work
and so i think that's one of the use cases
and then another one
mike i think maybe you should talk about
you know the
you know i know you've got a good one
that's turned out really well
and so i gave the
i gave you the negative one
go for it well yeah
i mean we came into an environment where
someone had transitioned from being a development
lead into running his entire riding
the entire infrastructure
and was very resistant
because it's one of those things that
you know i talked about out
you know it
people don't want to be criticized
or not criticized
but you know
don't want their work reviewed
and criticized or critiqued
i think it's a better word
had built the entire environment out and
and was very resistant to anything that we suggested
why does this have to happen
why are you doing this
what does this mean
what you know
and a lot of questions initially
and after the first six months
i broke down
everything started getting better
and now they're just a star client for us
and they love us
we love them
and you know
the environment is really very
very secure
as far as i can tell
based on our pen test games analysis
so you know there are those that will
are willing to learn and those are the
everybody should be willing to learn
you know nobody knows everything except laura and i
but other than that
you know i'm laughing on mute
so but yeah
i mean nobody knows everything
and then and
but you know that there are certain instances
what i've seen where security companies come in
and they just talk down to the people that are there
and belittle them
because they know one more piece of information
than this other person does
and to be careful with that
and i don't like that
as kind of a black eye for our industry
i think at times and
and you know
when someone walks in from the big four and
you know they're wearing a suit
and they're impressed with themselves they
they tend to be
have a carry the attitude with them
especially when you're dealing with in house
it security
not that i have any scars from the past but anyway
so anyway long story short
before i turn this into a therapy session msps need to
we need just need to
don't be afraid
we're just here to help
that's really what it comes down to
i care about your feelings
i really do
i'll send you a mic here
you're such a sweetheart mike
you know i just
that would be the word of the day to describe you
i think but
yeah you're right on i think
and don't one of our clients call you honey
i'm just saying
we're not gonna talk about that
in all fairness too
you know a lot of these organizations
i think what you said
bike is true
there there
that could be going on
that could be prevalent out there
where people have been burned in the past you know
a security contractor or services company comes in and
and tries to undermine everything they're doing
in an effort to
to get thinking it's gonna get a more business right
and and that's
that's another thing that's
why we are vendor neutral
technology agnostic
you know there's not an incentive to go in and say
hey we got to sell you this technology stack
that you don't have
we're not interested in that
you know we'll make the most of what you have
what you've already built
already invested in
and if you're short
you know help you do some analysis and understand
what some options might look like out there for you
but you got to consider that as well
and i think what a lot of
it providers and such run into
is that they'll do an excellent job in the it side
and getting the network set up configured
getting the day to day operations handled all that
but a lot of times
their clients will go elsewhere
to an independent security firm
even if they offer cybersecurity services
what we see
because most of our clients will have it services firms
or a combination of in house and third party
working together
and a lot of times
they'll still go to a third party
security services provider
so in it world
you have to expect that even if you offer those
the organizations want that separation of duties
they want checks and balances there
and if that's the case
and an organization comes in
a security firm comes in
and is not working with you on the technology side
but just going straight to the customer and saying
hey look at all the stuff that's wrong
that's a poor approach
that's terrible approach
they should be working with you first
because one
unless it's an issue that requires additional budget
or something
that's some serious overhaul
there's a lot of this
a lot of the small stuff you can work out together
the client doesn't even
really need to be concerned with it
why i mean why should they
why should you waste their time
just you know
seal up the vulnerabilities and
you know put work with them to
to get it done
it's not you know
not necessarily a big deal
so just consider you know
if you're one of the it professionals out there
that's dealing with a security firm that is just
trying to tear apart everything
whether it makes sense or not
there's probably an issue there
so might want to look around for other firms
relationships
this is like
this is like dating
i'm not saying that we're the best to date but we're
we tend to stay in long term relationships
longer than other firms
that i wouldn't really consider to be competitors
but seem to try to be
largely because we're real people
you're not talking to them
yeah things like that
is this a sales pitch or
yeah a sales pitch
no i'm just
i'm not saying that mike is warm and fuzzy in real life
i'm just saying he's really warm and fuzzy in real life
but um i i think it is it's a relationship
and like you said zach
i think that it professionals need to shop around
there's no you're gonna get quotes from everybody
that's great
talk to the people that you're gonna be working with
um make sure that that relationship is
is good for you
because it is there is a
there are work spouses
i got wanna be correct anyways
but yeah there are work relationships that tend to be
you spend a lot of time with these individuals
and you know
you're going to spend a lot of time
with your security practitioners initially
because there's going to be
this risk assessment that's going to need to be done
and so you're gonna initially
spend a lot of time with this person
so you certainly want to make sure
that you're working with a team that you like
and working with
you know the best would obviously be choosing us
but there are others out there
and so if you can't
we don't have room for everybody
i'm just saying that
like we can't
we can't get in relationships with everybody
but i'm sorry
i'm sorry but there are
we are polyamorous to an extent
we are yes you know
but you know what that goes
that goes both ways
we've fired clients before because of their
we have we have you know
yes of course
yeah yeah that is absolutely true
make sure yeah there's
that's what always kills me when organizations say hey
give me a price for this
it's like well
you know if that's what you're looking for
if no basis of understanding
or anything that goes on behind it
then we're not gonna work well together right
no we don't work like that
right i appreciate though
on the other side of the coin
or those organizations
and say hey
i really want our teams to connect and
you know get to know you guys
and oh hey we read your book or whatever
not plugging the book
but that's the kind of stuff we like to see
that hey you know
this organization actually is looking for
a long term relationship
you know not a one night stand
and they put value in there
in selecting the best vendors for their company
we're not gonna be the best vendor for every company
that's just flat out tell you that
but there are
organizations that we align with extremely well
and that's what we want as service providers
fortunately
we're in a space
we can be somewhat selective
right we can
we don't have to take work with everybody
but if you're out there looking for
a security services firm to work with
keep that in mind too
there are a lot out there
just a ton of stuff going on in the marketplace
so make sure that
it's more than just what the statement of work says
that's why we don't even
bother responding to things like rfps
right it's whose paper looks better
whose stack of documents looks better
i mean to us
that doesn't make any sense right
that's not the type of relationship we want to start on
we want to know you
not only the leadership of the organization
but the it practitioners
we get to work with along the way
and when we do that
it's excellent
because we can bring in additional value
things that
connections with people that we know
opportunities that we see
and vice versa
our clients bring us different
resources and such along the way
so that's the type of relationship we like
and if you don't have that
it's time to think about moving on to
a new cyber security spouse
it is um you know
you feel vulnerable when that happens right
it's like i'm standing out on the corner with my laptop
and you know some
some individuals come by and like a fifty three bomber
and they hit the switches and they're like hey
how much for a pen test a
and i'm like oh man
i feel real strange right now anyway so yeah i don't
we don't want to be those people
so we're not
is that funny do you like that i'm just panicking
that's okay
yeah so so really
you're on one
one side of the coin or the other
if you're if you're
or somewhere in the middle i guess
but if you are it professional like a lot out there
that just say hey yeah
i want to learn more
i want some support
i want somebody else to help
make sure that something doesn't happen to us
so it's not just falling in my lap
my room over responsibility
awesome you're on the right track
you're the type of organization
that good security firms will want to work with
and type of individual as well
but if you're on the other side of that fence and
yeah really
really resistant and really hesitant
i would say
get to know the security
the actual security professionals
that you'll be working with
spend some extra time outside of just work stuff
or whatever the case may be that you're doing
spend some extra time
just get to know them as individuals
and i think you'll see that those walls can come down
and you'll see that if they're any good
if they're worth anything
they're there to help you
not to hinder you
not to make you look bad
in fact quite the opposite right
they want to make your team
your it organization
look like the rock stars
and all this right
as security professionals
very thankless role
and that's just fine right
it's when nothing happens that's
that's when things are good
so we don't need to be the face of anything
right but but
but you should get the credit for all the work
that you're doing
to keep the organization up and running
so that's all
i have any last minute words of kindness or wisdom
you don't want to be an msp
we're here to help
and you know we will do everything in our power
to make you look good in the long run
so just be careful with what you're dealing with
there's a lot of flyby night out there
and i think there's a lot of msp's out there
because they could connect anything
that cable think there
technology expert
so just be wary
but yeah i mean
be work with your security people
and make sure you're working with people
that you like to work with so
yeah certainly
certainly there to help
right i think that's the most important thing
is that there's a constructive way
to manage the risk that you have the day
without pointing fingers
and our job really
and we do this a lot
we congratulate to the business
the good work that it does
because a lot of times
we're pointing out things that need to change
we don't have a lot of the change power
so a lot of that work does come from it
almost all of it does and so
it's only fair that the business understands that
hey these people that you trusted to do this
they're doing their job
that you paid them
even better now
so they're learning and they're evolving
and this is a cyclical process
it'll just continue
and so you definitely
definitely give praise to the it team
because they are the individuals that
are essentially boots on the ground making the changes
absolutely and
there's nothing like a third party coming in and also
pointing out all the stuff that's going very very well
you know that's you as iq professional
you could say that all you want
but having that independent third party come in and say
yeah they're just doing awesome things here that's
that's highly beneficial
so thank you for listening to the cyber ants podcast
hope you enjoyed this episode
we would love your feedback
if you have any stories about this
good or bad or indifferent
we'd love to hear from you
hit us up on linkedin
cyberrants podcast com has a web forum
you can submit topics and all that good stuff
please rate the episode
share it with your friends
help us get this information out of the world
and we will see you next time
pick up your copy of the cyber ants
book on amazon today
and if you're looking to take your cybersecurity
program to the next level
visit us online at silentsector com
join us next time
for another edition of the cyber rants podcast