DownTheSecurityRabbithole #198 What Legal Counsel Wishes

Down the Security Rabbithole #198
Rafal Los
James Jardine

Guest – Dawn-Marie Hutchison

[…]
DMH: So this is the tricky spot because this is the place where the rubber meets the road on security; professionals becoming security leaders and understand the language of the other people tasked in your mission to protect the organization.
RL: And that’s great. Gosh, we’ve gone through that topic a couple times. Before we dive in, give us a little background on you, who you are and, uh, where people find you.
DMH: Where people find me? So you can find me, uh, generally in Maine. I am a Mainer in exile, I grew up on a small island off the coast of Portland, so if you can’t find me, I’m most often there. I have been a security practitioner for nearly 15 years, um, but most recently I was the head of security at Urban Outfitters. I was there during a very difficult time for retailers. I held this spot during the year of the retail breach and I found myself kind of logically and physically walking my perimeter every day, and when not doing that I was in the fetal position under my desk, going, “There has to be a better way to keep ahead of this stuff.” But the place that I acknowledge that we were most weak, or that most organizations were most weak was in breach management. And so I sought out to become a breach expert. I felt very strongly that I was a solid security leader already but that was my Achilles heel, and so I went after that information and, uh, here we sit today; I’m on Optiv’s CISO team, and I was actually introduced last week as one of the best “Breach Coaches” out there, and I thought that was a very nice accolade to receive.
RL: Breach coach? Man, that’s like a, that’s like one step away from being a life coach. Careful!
DMH: I know, I know. But you know what it is? You’re helping people at their most vulnerable time, you know? And you can be a great calm, cool, and collected leader, uh, but we’ve seen some people fall apart, you know, when the heat really turns on, and having all this planning up front, and that’s kinda what we’re gonna talk about today is; you know, What You Need To Know That…er…What CISOs Don’t Know That They Should.
JJ: So when you, you know, you throw out “breach coach,” is that something that you’re waiting until like, I would engage a breach coach when I get breached? Or, before-hand like, “Hey, let me engage a breach coach so we can understand what we’re gonna do to get things in order,” so that way, in case it does happen?
DMH: Well, so I’m told that that’s an actual thing, “breach coach,” in the insurance provider, cyber liability insurance space. And that’s, uh, kind of, it sounds to me a bit like a project manager, so post-breach. I think where I provide most value is before-hand, you know, I’m giving you all this stuff, if I’m telling you what you’re gonna get out of today after you’ve been breached, you know, it’s a little bit a day late and a dollar short. So I think I’m most effective in uh, helping teams prepare; not just in your table-top exercises and, you know, how do you make sure your team’s ready for a technical incident, but making sure they’re ready for everything, right? The time to practice a fire drill isn’t when the house is on fire. And so this is what we’re doing; so we’re practicing our breach response fire drill.
RL: Hey, on that note, we were kicking around the idea of naming this episode, and I probably will, “Things Legal Counsel Wish CISOs Knew.” In line with what you just said, how many, how many of the security leaders, they’re not always CISOs, how many security leaders do you talk to in your time, actually have a reasonable handle on more than just a technical IR?
DMH: You know, I think the numbers are really slim, Raf. And I think the reason for that is their accessibility to their General Counsel. And I like to point out to people that, uh, in the organization there’s only two executives tasked with protecting the company; and that’s the General Counsel, protects from legal risks, and the Security Officer is protecting from information risk. So, you know, when you put those two people together, if GC isn’t accessible to the CISO, then the CISO’s going to be blind to those requirements. And so I think it’s a new way for the CISO to start engaging conversations with the business, but they have to be organizationally permitted to do so.
RL: Is that something that’s evolving? Cause I’m seeing CISOs report to CFOs, I’ve seen, a couple cases, I’ve seen the CISO reporting to General Counsel or head of legal, head of risk. Is that something you’re seeing more and more? Cause CISO used to report to like, the CTO, CIO. Is that shifting faster now?
DMH: I think the shift is slower than I had hoped, but it is happening. You know, the Chief Operating Officer, Administrative Officer, and Compliance Officer also are kind of in that mix, but you know, we’re already seeing the development of Chief Privacy Officers because it’s a requirement for anybody who’s doing business in Europe. So, uh, you know, if that person, the Chief Privacy Officer has that direct connect to the C-Suite, logically the Security Officer should as well. My complaint about the Security Officer reporting to the Information Officer or Technology Officer is, uh, in most cases the CISOs in a position to tell his boss his baby’s ugly. Right? It’s just not gonna create a great working relationship if you constantly have to tell your boss, “Jeez, listen. Uh, this beautiful architecture that you’ve created, or, the idea that you’ve spawned, you know, has some flaws we need to work on, and you need to give me some allowance to do the work to clean that up.” It just doesn’t create a good working environment and so I think that’s how we end up with these blind spots down the road, or limitations to communication.
RL: Yeah. “Hey, that’s a great idea, but you’re putting the company at risk. Stop it!” Right? So it’s a conflict of interest. I remember seeing that quite a bit when I was, I lived in IT many years ago, uh, James Christiansen talks about the Chief Information Risk Officer, is that like the collision between the two?
DMH:  I do, and I think that that’s the right word for it, because I think, you know, yes we’re managing technology risks, but we’re also managing how data is collected, used, and transmitted. It’s not just the infrastructure any more, it’s not just securing the data. Right? It’s about the risk to the data and how we’re managing it, because it’s just not reasonable to really secure it. I think that that’s uh, you know, Jerry Garcia, “Happiness is a way, not a destination?” You know, security is a way, not a goal. So, taking that one step further you gotta say, “Alright, that means we’re managing risk, that’s an ongoing thing that we can understand.” And so Risk Officer, I think, is a more logical title. But I don’t know that we’re gonna get there.
JJ: I was going to say, is that something you see it going away, where CISO starts fading away and we see more of the CRO, kinda filling that void since it’s kinda broadening its scope anyway, is what they’re covering?
	DMH: You know what? My real fear, though, is in that, if we go with the Risk Officer kind of approach, that we end up having more folks that are, um, in more of a position to manage, like, compliance risks and regulatory risks, and then they toss security in there, and our security leaders still remains too far down the stack. So that’s my only real concern about that evolution from Chief Security Officer to Chief Risk Officer or Chief Information Security Officer to Chief Information Risk Officer, is uh, frankly, I think it’s just too much, um, for the business community to handle right now, too much change. I just will be happy to see them move up the stack.
RL: So, we talked about, before we hit record, you know, the idea that Things That CISOs Should Know, lessons passed down from their legal counterparts. What are some of those? Let’s talk through some of that stuff.
DMH: Um, sure. So, you know, I think about the breach or incident management component in kinda, three ways. You’re gonna have Coverage Counsel, who’s managing how you interact with your cyber liability provider. You’ve got your forensic team, and your outside forensic team that’s gonna come in and help you figure out what happened, get it cleaned up, and write the report that’s going to support you when this eventually goes to litigation. And then lastly, you have Breach Counsel that’s going to manage all of those things. Those three relationships are most typically handled through the GC. So, you know, in that we kinda cover the things that, uh, that I have asked, I’ve gone, I’ve got a good friend of mine is Coverage Counsel, and he and I sit down on a regular basis just to talk about what it is he’s seeing that insurers are not covering, or the reasons why they’re not covering those issues. Uh, you know, my better half is Breach Counsel and so, you know, we have just kind of some really interesting conversations around, “Gosh, I really wish, uh, the Security Officer knew this,” or, like, or just to the extent that he wishes they understood that everything that happens from the moment they discover an incident is all going to be reflected upon by lawyers, and they are going to pore over every decision, and every idea, and how it was documented, and what you did. And so, there’s things that he always says, “I really wish they knew.” And then there’s the forensic team, I think everyone just expects to be able to call 911 and then get an ambulance to their house as quickly as they would if they needed medical attention, but that’s not how forensic teams work.  I keep hearing over and over again from forensic teams, “You need a retainer. I’m not just going to show up on your doorstep instantaneously because you called. I gotta know more about your organization.” So in those three conversations we get the list of, Gosh, The Things I Wish You Knew.
RL: Well, yeah, there’s, that list is probably hugely long. You know, one of the things I keep hearing over and over from friends that have been, unfortunately, through that breach cycle is, they get so focused on the response and making the pain go away, they do, it’s often fairly easy to forget about things like evidence preservation.
DMH: Yes. Evidence preservation and communications are probably the two biggest things. Um, you know, I think, uh, we wish, one of the things I hear all of the time is, “I wish they understood that all of their emails and every one of their text messages that they engage in during the course of the breach will be discoverable in court.” And so, if Scott sends an email to Jim, or a text message to Jim, that says, “Geez, Raf’s a real jerk. I told him about that problem six months ago,” bet your buttons that’s coming out during your breach litigation course.  And I think that that’s one of those things that I hear from breach counsel, “I really wish the CISO understood and knew, and trained his team on how to communicate together, because all of those text messages and emails will arrive in court, and it won’t look good.”
RL: Is there some template somewhere? I mean, is there like a list of leading practices? Is there a document that…or is this a ‘make it up as we go along’ pretty much every time, like everything else in security?
DMH: Right, and I think that’s very true, it’s a bit like ‘reasonable’, you know, we keep hearing from regulatory bodies that security ‘has to be reasonable’. And then every time there’s a breach, we discover a new definition of what’s reasonable. And I think that list of things is growing, um, but there’s some best practices, and I bet if I sat down and put pen to paper I could promise that out for our team, because I have the information, kind of through conversations and notes that I’ve gotten from these folks. I think it would be very valuable if just put that, you know, took this podcast and put it down on paper.
RL: Yeah, that would be kind of interesting, maybe we could put a link to it. I know lots of people probably would be interested in that because they’ve gone through, you know, the big breach response, incident response companies, um, probably , you know, have their list, have their, um, they have their checklist of things that they go through and stuff like that, and things to do, things not to do, but, we’ve discovered, through the beauty of reality, everybody gets to play that ‘I’ve been breached’ card almost at least once, whether you want to or not, right? So the reality is, a small company that’s never thinking, “Oh, I should prepare for a breach, you know, we’ve got four people on the cash register, there’s no way, right? What am I thinking about? Sales! Customer service! Paying my employees! Not a breach. Who thinks about that?” Um, but yeah, it’s that worst-case-scenario when the time comes, man, what do you do?
DMH: Right, and a lot of what I have here that we can talk about a little bit more has to do with the stuff that you need to know before that third party, you know, helping team steps up. Because each of the, you know, your coverage provider, your insurance provider, your forensic team, and your breach counsel, all have their set of steps that they’re gonna kick off, and they’ve done this a hundred times, and it’ll be clean and neat. But the problem comes that you didn’t know, as you’ve used the example, as evidence preservation; it doesn’t matter how good their process is if you tamper, you know, if you had a problem with evidence before they got here, there’s nothing they can do to help you.  So that’s in that category of, you know, “Jeez, I, uh, you know, I really wish that you knew that you had to call the insurance provider before you called anyone else.” So a lot of organizations will call after the fact, and say, “Hey, you know, we had an incident and this is what we did.” And the insurance provider goes, “Oh, that’s awesome, uh, but we don’t have to cover it now.”
RL: So, there’s been a lot of talk about that lately, I mean, there’s been cases, there’s been one, I just posted the article on this to my twitter feed, like, two days ago maybe, that, uh, you know, there was a court case where the insurance company didn’t want to pay out, and they lost and they had to pay under their policy. Are you seeing breach coverage, um, suites, you know, like, in court over what’s covered, what’s not, or is…cause I would have thought that that would be pretty darn clear, um, but maybe I guess not? I don’t know.
DMH: No, there’s a whole profession of lawyers, and there’s a very small group, um, that handle just…they’re called ‘coverage counsel’. And their role is to insure you get maximize your benefits out of your cyber liability policy, you know, by following the right processes, using the correct providers, you know, there’s that, to use the medical system way, there’s a preferred provider list, you know, there’s in-network, out-of-network? (RL: Yeah) Yeah, depends on how much gets paid? Well, your coverage counsel helps you make sure that you’re making the best, the right best steps to insure maximized coverage. And everyone says, “Oh, gotcha, well, now I have to hire another lawyer. You know, this is gonna cost me a fortune.” Coverage counsel is going to run you a couple hundred bucks an hour, but they’re going to save you, they’re going to insure millions of dollars comes back to your organization in payouts from your insurance companies. So seems to me like, you know, that’s a good couple thousand dollars probably in total for their services, so I think that’s a very valuable position that most organizations are unaware of.
RL: Yeah, that is interesting. I mean, that whole…I think we’ve talked to…James I think Shawn Tuma brought this up when we had him on, by the way Dawn, uh, Shawn Tuma is our resident legal eagle, he’s a CFAA lawyer down in Dallas that we talk to on the show quite a bit, and uh, he’s brought that up a couple times, like we’ve all actually brought, we actually have an entire episode, if you go back, gosh, I want to say fall of last year, fall of ’15 maybe, on, um, you know, cyber liability and all the kind of legal stuff that goes with it. Those guys talked about the importance of having an attorney to not only help you select, but then make sure that it, you know, it gets paid out. Um, but there’s this whole, there seems to be this whole slew of things, there’s so many misconceptions on, on, um, gosh, on the, you know, what liability insurance, from the cyber perspective, will give you, and what it’s used for, and how to get them to, how it’ll pay out, and all this stuff, and it, and it’s not just like this, it’s not like, you know, it’s kinda like any other kind of insurance, where you have to meet minimum requirements, otherwise, it gets, if you’re a terrible driver, sure, you can get car insurance, but it’s going to be expensive. Right? So if you’ve got a bad history of not doing the right, you know, what’s, was it necessary and proper? Is that the right language, legally speaking, uh, for security? You’ll get what’s, quote, “reasonable,” you’ll get expensive, you know, coverage that will be, uh, won’t be very useful for you later. This is an area which is developing, I think, that’s just, it’s got so much confusion in it right now.
DMH: Yeah, absolutely, and I, I think, you know, the bigger part of just your whole legal case, uh, comes down to, uh, has the organization been transparent in their breach response or incident response efforts? You know, it has a lot to do with transparency, and getting, uh, you know, the same way a father can’t operate on his child in the emergency room? You know, get your CIO out of the breach response effort, because it just, it creates a conflict. And so that transparency, um, probably filters down to each one of those groups that I talked about, your coverage counsel, your breach counsel, and your forensic team, are all counting on the client-side team to provide full transparency to maximize benefits, reduce litigation, and improve the efficacy of the forensics report.
JJ: Is there training offered, I mean, you know, you talk about the three different kinds of entities you deal with during a breach situation, uh, you know, where there’s the forensic side, or, you know, whatever, do those, like, even insurance companies provide, besides the documentation, any type of training out there to say, “Hey, you’re a customer of ours, this is how this process works”? Or are CISOs and anybody else involved from the organization side just kind of spitballing? Because I know you said, you know, “Oh yeah, they’ll go in, they’ll contain everything, and then they’ll call insurance, they’re like, “Yeah, great, you did this in the wrong order.”” I mean, what kind of training from the…or is there even a responsibility from their side to say, “Hey, look, we’re gonna actually train you on how to use this stuff, to get you through this,” versus, “Well, I hope you do it wrong, so that way we don’t have to cover your claim.”
DMH: No, I think there is, yes, so the breach binder, uh, your policy binder is pretty explicit on the rules and coverages, um, and they’ll, and once you declare a breach, you kind of have this reservation of rights that, just as a letter that defines, ‘what are your conditions of coverage,’ you know, ‘these are the things you have to do.’ And so there is some element of coaching, but kind of coming back to my original point, if the security officer, or we’ll just say the security team, uh, doesn’t have accessibility to that cyber liability insurance coverage conversation, he is going to miss out on that information. And it may not become an organizational priority without him being closer to that conversation, so there tends to be a gap. I think the business knows they need liability policy, but I don’t think that they recognize the intricacies of an incident response and what all could go wrong, or how we could slip up, and that’s that communication barrier between those two parties.
JJ: Right. Do you see, you know, we talk a lot, you know, the debate of whether there’s cyber security talent shortage, and all that, and you know, you can pick any different angle of it and say that, but you know, you see a lot of people saying, “oh, if you don’t have a CISO, you know, you’re not being secure,” and you know, well, they have that argument there, there’s no way to sit there and say, “look, every company can bring in a CISO.” So, you know, you gotta imagine there’s a bunch of people coming into the CISO role, don’t have a lot of, maybe, experience from that aspect. You know, so, I guess kinda back the templating that Raf brought up, you know, what kind of resources are available that, you know, when we get CISOs into these positions, especially if it’s someone new to the CISO role, to help them catch up on, hey, here’s the stuff you need to know, and here’s why you need to be so ingrained with the GC, and the different parts, and why the liability pieces is really important that you’re involved with it. Because I can see, I mean, even just from this aspect, I mean, how overwhelming it is just from a breach aspect, never mind everything else they’re doing as their regular duty.
DMH: Yes, so this is, this is where I think really, and we started by saying this is where the rubber meets the road on a security practitioner becoming a security leader, and, um, you know, we talk a lot at Optiv about that opportunity for the office of CISO to mentor and help build those transitions. Um, I also see that there’s starting to become a growing trend toward CISOs getting, uh, business degrees. You’re seeing that kind of, and I agree with you on the, uh, security talent shortage, I think, you know, there’s two, it’s a very different type of personality, a different skill set, resume, for the security leader verses, um, a security practitioner.
JJ: And we’ve had multiple conversations, you know, Raf, on some previous interviews, you know, where there’s talk, you know, does it make more sense that your CISO or your CSO and that level is coming over from a COO-type position or another executive position and not necessarily, uh, the technical side of things. You know, so it just opens up that, you know,  we’re filling these positions from, kind of, different backgrounds, so, you know, some people may have much more into the business side and understand these things, then you have other CISOs that may be, you know, very technical side of things and not really understand the other side, but at the same point, people trying to fill the position and say, “We need a CISO, so we’ll put you there.” “Now, where do I go?” you know, “How do I get to that next step to become that leader that I’ve stepped into?”
DMH: Yeah, that’s unfortunate that I think there’s a lot of that just comes from, uh, learning by doing. You know, and, you know, and some degree of just initiative. Like I said, I, I came by this by simply saying, “I don’t want to have, I don’t want this to happen to me badly” Um, but that, uh, that comes, I think, in investments by the company in conference attendance. You know, I think it’s almost embarrassingly, uh, slender, the number of, kind of that middle-tier manager that we see at conference events where they can pick up this information. Whether it’s from me, or, you know, James Christiansen, you know, you go to conferences to visit with thought leaders and learn things. But our security budgets aren’t enabling those people to get out and come to those conferences right now.
JJ: And is there a good resource list for, cause, I mean, that’s a different level conference than most of your security folks are going to. Like what those conferences, I know that there’s, you know, some cities I’ve been to, like a CISO event, you know, where it’s very tight-knit, small little grouping, lots of workshops. Is that more what you’re seeing around that side, and is there a reference out there for CISOs to be able to say, “Here’s a list of the key conferences that are gonna get me that data, or, you know, the insights that I need,” versus, you know, your typical, “oh, you know, we’re going to BlackHat or we’re going to DefCon,” you know, something that’s more along that leadership side, and a little bit less around the technology side?
DMH: Yeah, I think I see that come out of ISAGs but mostly, uh, I’m seeing it just in the local networking opportunities. It’s like, that’s where they start talking about them.  Some cities have, you know, fantastically successful, local security executive events, and I’ve been to others, branded by the same company, that are an eipc fail. And I don’t know what makes one better than the other, except that all of them have a local, kind of advisory board for those events, and the local advisory board is ultimately a networked group, and how well they work together and communicate, I think, tells us how good that event is going to be. And that’s where we’re getting that first question, or I get, usually the call comes to me that says, “Our advisory board hears you, uh, have a really good talk about managing a breach. You know, we’d like to have you here.” And that’s, kind of, how we’re getting that information out.
RL: Hey, we..Can I ask, maybe in a slightly different direction, um, from the, you know, none of us are lawyers on this show right now, but one of the interesting things I think I hear a lot about is: policies and procedures need to be aligned with, um, corporate governance on, um, on legal aspects of what’s important. Right? Are we, are you seeing policy alignment, uh, with general counsel, you know, inside counsel, sort of contributing to this? I mean, this pertains to not only just breach response but preparedness, um, everything from the way we issue IDs to how we vet employees, background checks, that kind of stuff. Are you seeing more of that happening with, with sort of, the complexity of, of well, everything kinda ratcheting up?
DMH: Yeah, you know what, so that’s an excellent question and a really good topic because it’s on my list of Things They Wish You Knew. Um, so what ends up happening is, uh, the, the lawyers have a list of kind of policy statements that they want put out. Uh, and they create them and often times I see from organizations, you know, “we got this from our outside counsel, you know, this came from our legal department,” but, often times, what the lawyers come up with can’t be operationalized. So what end up happening is now the CISO has this list of policies that are, by and large, fictitious. Because it may say…
RL: Like what?
DMH: Um, so, you know, I’ll give you, it could be anything from background checks.  Uh, you know, background checks, we can say that’s, uh, that’s pretty easy to do, everybody has to have a background check, uh, you need a financial check, blah blah blah. Well, how does that work in California? How do you operationalize background checking if you’ve got, um, employees in California where background checks are not allowed? So now you have a policy that directly conflicts with what you can do operationally. I’ll give you another example.
RL: Yeah. Or if you’re a company that does business in Europe.
DMH: Right! Another one. Right? So Europe was the next example I was going to give you. Well, a customer has the right to be forgotten in Europe, meaning, uh, “Yes, I did business with you once, I don’t intend to do business with you again. Uh, please delete me, uh, forever from your records. Never contact me again.” Well, that’s great, until you start thinking about backup tapes. How do I go get that customer off those backup tapes? Now that’s a policy statement that we just can’t operationalize. You know, another way of looking at is, ok, well, how do I, as an organization, remember that you would like to be forgotten, if I’m not allowed to keep record of you, even to keep record to the extent that I have to say you would like to be forgotten? Because as soon as you interact with my company again, you’re going to be back in my database, and I have not forgotten, I have not fulfilled the right to be forgotten because I couldn’t write down that you wanted to be forgotten. So that’s a break in the, this is what the policies the lawyers are saying you need to do, and the security officer simply saying, “Awesome, but that’s just not operational.”  Uh, the litigators, the lawyers, litigators would tell you, you know, “We arrive we and say, ‘is this your security policy?’” “Yes, it’s our security policy” “And you do everything in this policy?” “Yes, we do everything in this policy.” And then when they start really getting into it, they go, “But what about this, you know, Twenty-Three A, One, B? You’re doing that?” “Well, no, that’s future state, that’s coming with this project.” It’s like, “Ok, so, so you’re not doing that.” So the lawyers get frustrated because security officers have policy statements that they haven’t operationalized, whether they’ve put in there because it’s ‘best practices’, or they’ve put it in there because someone on a legal or compliance team insisted that it be in their policy. Either way, if it’s not operationalized, it becomes a liability, uh, when they get to court.
RL: Well, uh, ok, so that’s, that’s, I can just hear people scrambling to grab their policies right now and read through them. Um, you know, interestingly enough, that’s something that’s come up a couple of times is, uh, as I’ve, there’s a lot of new CISOs out there, you’ve probably met some of them, I’ve met some of them. Right? The challenge becomes, “Hey, I’m a CISO of a company that’s never had a CISO before, they told, the board told me, or the CEO told me I need to come up with all my policies, you know, like what policies I want. I’ve never written policy statements before. Where can I get templates?” And they go out and they download, like, what they can find on Google, and all of a sudden, you know, they’re trying to, uh, adopt some of this stuff. And it’s like, “Eh, it’s close enough.” And I, you know, perfect is the enemy of good, and so you have the option of either never doing it because you don’t know what is good, or doing it and it being non-applicable, like, or as you just said, not actually usable because it’s not perfect. So how do we, gosh, what do people do? Is there like, policy stuff out there that’s.. Does everybody just call a lawyer, I mean, at this point? I mean, do we just call lawyers for everything? Cause I’m starting to see that, like, lawyers and infosec were never a big thing, and over the last five years, I think every one of us knows somebody that’s an attorney that lives in the information security, information risk, uh, world, because it’s become more than just technology.
DMH: Yes. And I think you’re right, I think, I don’t, I don’t think we’re all calling lawyers to get policies, um, because there is that secondary pitfall of, uh, lawyers not knowing enough about the technology or the environment to understand whether or not it’s doable, they’re just giving you what everyone else is doing.  I think the best place to get policies is by talking to your peer group. Who else is in your industry? Talk to the folks in your ISAG and get, uh, get their policies. You know, so that you, you know, most people are willing to share with you, what their policy on something is. Um, so talk to your peer group, uh, find other CISOs, say, “What do I need to be on the lookout for?” And, you know, worst-case-scenario, you hire a security firm to do that work for you, somebody that all they do is security.
JJ: It sounds like there’s a lot of discrepancy between, you know, Company A, which might do business overseas, not do business overseas, they may do business in California, you know, a lot of those where it becomes nonoperational, you know, you really have to have a firm understanding of what your business does, where it does business, you know, and, you know, go to the local companies around you, and, you know, how many of those meeting that same criteria that you have, that may do business in the same areas, it seems like it just makes it that much more difficult, but really puts an emphasis on, you have to understand your business, much more than just , “Hey, this is what security does” You know, we talk about this all the time, in security, you know, you have to understand context, you have to understand more than just security ideas. You really have to know that business to know where you’re doing business everywhere, and what things can be operational, what can’t.
DMH: Right. And you need that same context because the policies are a risk mitigation tool. And if you don’t know where the risks in your business are, you can’t write a policy to mitigate against some of those risks. You know, QA in manufacturing is a good place where I think a lot of people overlook. You know? Well, what happens if there’s a compromise on your QA system that changes how it reads the fungus monitor, and you turn out having fungus in a product that has significant recall affects for not only your company, uh, you know, but fifty-two of your nearest and dearest best customer clients that have it in all of their products. So, uh, really understanding the business is the key, you know, first to understanding risk, and then you’re writing your policies off of risk. And that kind of comes down to, what’s your strategy? And do you understand how to align your strategy to your business? Because I think, to Raf’s point, is that new security officer just runs out to the internet and pulls down everything he can find about security in the whole widgets, or widgets, let’s just lock up the borders sort of way, instead of taking the time to invest in “What’s going on and why do I care about this stuff?”
RL: Hey, let me ask you, uh, so the thing that’s been bugging me quite a bit lately is, I’ve had, I’ve been observing trends across this industry, and I think we go in, um, ever extending cycles; our cycles between implementing technology, so getting tech heavy, and then policy heavy. Tech heavy and policy heavy, going back and forth. Um, that cycle seems to have gone from, like, twelve months, to twenty-four months, to forty-eight months, I think we’re like five, like, three to five years now, uh, you can’t get any longer than five because tech doesn’t barely last three, but, as we enter what I think is another cycle where we’ve got all, as much technology as we can possibly stand, we’ve bought it all, not to say everybody, but lots of companies are at the point where they’ve bought just about everything they wanted, and now they’re staring at it, going, “What do I, how do I show value? What am I doing with all this stuff?” Do you see that out in the field, doing, you know, doing advisory every day? Are we actually in that cycle right now?
DMH: I think that the cycles are shorter than you might think. Uh, the problem I see more common, that extends the length of the cycle, is getting overly prescriptive in policy, um, so that we end up getting hung up on how we implement it. Right? So instead of saying, you know, “You need to have, uh, password controls,” we end up putting, you know, the procedures and guidelines into policies. You know, everybody’s seen that organization that their policies are just like, you know, their information security policy is like a hundred and fifty-two pages, because they have all of their procedures and guidelines in there with it. And that’s giving you those longer cycle times, I think, of like, policy-heavy, technology-heavy. And so, you know, that back and forth. I also think that we end up getting technology-focused, um, because if we don’t have a strategy, like if we haven’t quieted the vendor noise and focused on what we want to do for our business, then we end up buying whatever we want, and we build policies to justify our buying new stuff. And I think that happens far too frequently. It’s like, “Well, we’ve got this problem. Create a policy that says we need to manage or monitor something.” And then that gives you justification to go buy a new tool, and you end up in one of those tech-heavy organizations that actually has become so complex that it wouldn’t know if it would, you know, if it was hacked, if the hacker was sitting at a desk in their office.
RL: And sometimes they are, sadly enough.
DMH: Right, right.
RL: Hey, um, because I’ve got some friends that listen to our show that work in law firms, have you seen, uh, a lot of the, the legal firms out there freaking out a little bit, because, look; we saw, you know, retail felt the first major wave of breaches, the second major wave of breaches has been healthcare and hospitals and such, right? And providers, um, and insurance companies. I think the third one is coming, government irrespective, because they’re always in every wave, but the third wave I think is coming, or is already being felt in, um, the legal area of the world. Are you seeing that?
DMH: Yes. So, uh, I completely agree. And so there’s, it’s funny because in, you know, all of my, uh, law firm friends, uh, that live in the tech and breach sector, you know, I often say to them, you know, “Could you just go have a conversation with your partnership, like have a security and awareness day to promote your practice, so that all of those people then get a better sense of what they need to do from a security perspective to protect themselves and their clients?” So, what I mean by that is, I find law firms to be the furthest behind, um, in technology adoption utilization. Um, and kinda ‘gripitey’ about it? And so I just, you know, I, I do see that the law firms all of a sudden are starting to pick up on the ISO certifications and get rolling that way and build programs around that, um, but I think it would be really great if instead of focusing their security awareness and training around what we traditionally train on, you know, we as security pros train general users, I think the breach lawyers have such good stories, and have such great information, that if they sat down in a partnership meeting and started talking about some of the stories and where these breaches are coming and the trends that they’re seeing, I really think that’s the best form of security awareness for lawyers. So that they can understand, you know, in M&A work, never use the acquisition target or acquiring company’s name anywhere. Don’t put it electronically anywhere.  Figure out what the codename is and use it instead. You know, and those kind of, just basic controls that we think seems really obvious to us, but it isn’t always very obvious. But I think it’s a great opportunity for that community to start sharing information within itself, and generally just doing better for their customers and clients in information security.
RL: Well, that’s helpful. I mean, I think that could be said just generally speaking, right? It’s not, it’s not just the lawyers, the doctors, and the, uh, and the cashiers, uh, that get targeted. It’s everybody. And I think what we’ve seen, uh, the evidence to that is how many information security professionals, uh, in target companies, or just in the community, have been targeted and popped, like everybody else. It turns out that just because we work in this industry doesn’t mean we’re any better at it than anybody else. That, I think that bugs me probably more than anything else, just from a reality perspective.
DMH: Yeah, the cobbler’s kids have no shoes. It’s that kind of a thing, it’s, you know, I don’t know if it’s an arrogance or, you know, an oversight, um, but… (RL: Both?) Yeah, it could be both. Uh, but definitely I think that we’re, you know, kind of in your ‘where is the trend going?’ You know, I’m looking for the next tech giant to go down. You know what I mean? Like, RSA stumbled not long ago, um, and they’ve really recovered, and they’re building up, uh, but that was a hard, that was hard for them, uh, to work on, and so I really want to see, er, I’m really fearful that we’re gonna see another big, uh, important security product, uh, suffer the losses of a security incident.
RL: Yeah, that’s never good to see; a technology that we use to defend ourselves with be taken down to its core, uh, at the company level, right? That’s always, it makes you think, uh, is the, is the code trustworthy? What part of this is working? Uh, that, of course, sparks the conversation of third-party risk management, how do you even begin to have that? I’ll let Mister Christiansen address one that so I’m not going to get into it, but that’s an entirely different place where lawyers are involved.
DMH: Right. But I, I feel like, you know, we saw Heartbleed happen, right? So but when, when the tool that we have built our security, you know, infrastructure around falls down, what do we do? And so I feel like our, the trend that we have to look out for, or that we as professionals have to be mindful of is, we went through a whole phase where we focused on defense in depth, and we made our networks as complicated as possible. And what we ended up doing is we created more risk in its complexity. And so, you know, I would love for organizations to take a hard look and say, “Let’s just, let’s just take a minute, and let’s look our architecture, look what we have in place, you know, identify where we have, uh, you know, redundancy in our tools, where we have like three tools that do the same thing, but we don’t have it turned on? Or we do have it turned on but we don’t have it tuned?” Because my concern is, how long did we see, uh, patches for Heartbleed? You know, like, two years it took people to find where that vulnerability lied within their organization. So I think it’s a good opportunity, it’s a good exercise for every security team to ask themselves, you know, “What tools do we have, which ones do we use, and how do we harmonize our environment to reduce risk by complexity?”
RL: Yeah, and realistically, you know, Heartbleed is still out there, which is kinda nutty, right? I mean, people are still patching it, they’re still finding it in products.
DMH: Yep. And they’re, my guess is that, that there’s more to come. And that’s just a scary reality.
RL: Well, uh, unfortunately, we are out of time. I can’t remember, I can’t believe where the last forty-five or so minutes have gone, but uh, this has definitely been informative. Thanks for joining us on the show.
DMH: No problem, and I will make that list so that we can link to it, so we have the, The Things We Wish You Knew in written format, and we can attribute it to the, uh, to the folks that shared that information with us.
RL: That’d be fantastic.
JJ: That’d be awesome.
RL: I like getting the ability to provide stuff like this because it’s not something, you know, that happens a lot, we don’t share well in this industry. Any time we’re successful we make it a point to not tell anybody how we did it, right? I mean, we’re successful, or we fail, and we’re not very good at sharing how we did it, what we did wrong, what others shouldn’t do to make the same mistakes. Maybe, uh, maybe we can contribute to that just a little bit and make it better by actually providing some of that knowledge out.
JJ: We don’t have any problem sharing exploits, Raf.
RL: Yeah, no kidding.
DMH: Right? But more than that, I want to be challenged, you know? I want to make this list, you know, you’ve got listeners that can contribute to the list, you know, I think, uh, by sharing it we have the opportunity to make it better, because by all means, I don’t expect that my list is comprehensive, you know, or, you know, by and large, it’s somebody’s opinion. So I think sharing the information gives us the opportunity to better the information. If anybody’s open to being corrected, you can really do some great things. You know, is it Harry Truman that always said, “Can you think about what could be created if we stopped worry about who gets credit?” And that’s where a list like this or sharing really is valuable.
RL: Yeah, that’s awesome. Um, hashtag #DTSR, folks, if you want to contribute to this conversation, uh, you can find her on twitter at @CISO_advantage, right?
DMH: Yes, that’s correct.
RL: And, uh, you all know where to find James and I. Um, so on that note, we’re gonna uh, we’re gonna say goodbye, thanks for listening folks.
[…]