B2B Tech Talk with Ingram Micro

Episode · 3 months ago

How to Improve Cybersecurity Decision Making | Security Series


Security professionals have to wear many hats, and on any given day, they may be asked to do any number of different things.

To avoid a mad, chaotic dash to get it all done, the industry is looking towards a more structured and programmatic way of accomplishing things.

Shelby Skrhak speaks with Nathan Wenzler, Chief Security Strategist at Tenable, about:

- The past two years in cybersecurity

- 3 levels of security strategy

- How the framework improves decision making

For more information, reach out to Cole Bauer (cole.bauer@ingrammicro.com).

To join the discussion, follow us on Twitter @IngramTechSol #B2BTechTalk
Listen to this episode and more like it by subscribing to B2B Tech Talk on Spotify, Apple Podcasts, or Stitcher. Or, tune in on our website. 

Announcer: You are listening to B2B Tech Talk with Ingram Micro, the place to learn about new technology and technological advances before they become mainstream. This episode is sponsored by Ingram Micro Security: strengthen your security practice. Let's get into it.

Shelby Skrhak: Welcome to B2B Tech Talk with Ingram Micro. I'm your host, Shelby Skrhak, and our guest today is Nathan Wenzler, Chief Security Strategist at Tenable, the cyber exposure company. Nathan, thrilled, so thrilled to have you here today.

Nathan Wenzler: Really happy to be here too. Thank you so much for having me.

Shelby Skrhak: Absolutely. Well, so we're talking about improving your cybersecurity decision making, and Nathan, of course you have decades of experience designing, implementing, and executing security solutions for IT and information security companies. So I'd say you're kind of like the cybersecurity specialist for cybersecurity specialists. So my first question for you is: what metaphor for cybersecurity do you really take issue with or disagree with? What's your pet peeve there?

Nathan Wenzler: I always fall back to kind of the old tried and true one you see in the video a lot, which is that all security professionals are hackers who wear hoodies and live in their mom's basements, eating Cheetos and drinking Mountain Dew all day. Which there's nothing wrong with. But information security as it stands today, we're still kind of growing and evolving as a discipline out there. And one of the things that I often have to remind people is that while we do work with technology, it's very core to what we do because that's where the data lives, right? We as security practitioners are not necessarily an IT function; we're really a risk management function in an organization. So this notion that the only thing security people can do is hack things is a real big problem. And I think there's still that misconception for a lot of folks that use that hoodie metaphor quite a lot.

But the reality is, you know, the types of folks that are running your security programs, folks like myself, we're risk managers. We're much more akin to your auditors and your financial folks and legal counsel and that type of thing. We just happen to be really deep in the technology space so that we can help mitigate those risks. So it's a big misnomer, but I think we're starting to see that change as it becomes more formalized and we kind of grow up as an industry; that is starting to change. But that's the one that always gets me.

Shelby Skrhak: Well, I like that you couch this as risk management more than IT, and that's key when you look at the last two years in businesses and the technology space. You know, cybersecurity is more vital than ever. So you're there on the front lines. What are you seeing and hearing in the industry, and how have the past two years really raised the stakes?

Nathan Wenzler: Well, there's a lot to that question, honestly. And as you know, the past two years have been very, very difficult for a lot of organizations. That has changed so much for a lot of folks: remote workforces, when many companies were never expected to support remote workforces; changes in the way your customers or constituents function. Everything really has fundamentally changed. Well, what I think has happened more than anything else in the industry, and it's kind of an interesting turn, is that we did what we needed to do two years ago to keep the business running, and security professionals were right on the front lines of that, helping with that, because we had to keep the lights on. But now that we've sort of gotten into a groove, everybody sort of learned the new world order for how their businesses operate, how they're going to run. A lot of organizations are taking the time to step back and take a breather and say, okay, well, how do we best deal with risk now that we're here? And this has been a really positive thing, in my opinion, because it's giving security leaders and really business leaders a chance to rethink how they've done all of this in the past and really kind of come forward with a much more positive view on how we're going to mitigate vulnerabilities or deal with ransomware, that type of thing. It's also forced the conversation around how security needs to be aligned with the business. They need to hear what the business is trying to do. They need to make sure that the goals of the security program align with the goals of the business, and the last two years really kind of forced that issue. We had to secure these things, everything, with the mantra of keeping the business running and keeping customer support and so on and so forth. So it's a pretty fascinating change for me when, you know, for someone like myself, I've been advising CISOs and CEOs for years about things like, you should review your policies at least once a year. Maybe they would do it every two or three if we were lucky.

Shelby Skrhak: Right, right.

Nathan Wenzler: Now I see CISOs say they've started to review their policies every six months, sometimes every quarter, because the world is changing so fast. The business needs are changing so fast. They want to make sure that the policies they lay down from a security standpoint continue to evolve as the business does. It's a really important change. As horrible as it's been the last couple of years, it really is kind of the silver lining that's come out of that: that organizations are starting to realign their business a little bit to make sure their security efforts are right there too.

Shelby Skrhak: Do you think it's that we feel like we were kind of grabbed by the collar and kind of shook and woken up to what's happening in the world? And so when maybe before we had been in a comfortable groove of things, you know, we just let the policies run, we let business plans sit as static documents instead of living documents. Do you think that that is kind of what's precipitating this change in IT and security professionals and executives, to realize that we need to keep up with the times because the times are changing faster than we could imagine?

Nathan Wenzler: I think, I mean, the short answer is yes, but the challenge still persists in terms of workload. We've talked for many years now about the shortage in information security jobs. I think we're still at about three million, is the estimate in the industry, and they're going to head towards like five million in the next couple of years. The perspective has certainly changed, the leadership perspective. I hear more business leaders talking about security as part of their business strategy rather than just the, I read this thing in the news about some scary data breach, are we next? We've moved a little past that point, but there's still a lot of work to be done and not a lot of people to do it. So that's still there. The mindset change is good, and more business leaders are willing to support their security teams. I'm seeing that happen more, but, you know, we still have a long way to go to actually get it done. There's still a lot of need there.

Shelby Skrhak: Well, technology and security teams are more challenged than ever to protect their data and assets. So they're really under the gun to make swift decisions to really effectively mitigate risk. So Tenable recently wrote a white paper titled Three Levels of Security Strategy for Business Risk Decisions. So Nathan, will you tell us why Tenable tackled this topic in a white paper and why we're talking about improving companies' cybersecurity decision making?

Nathan Wenzler: Yeah, it's an important one, and it's very near and dear to my heart, to be perfectly frank. You know, if we go back to this notion that security teams are really risk management functions, right, in terms of mitigating risk, security exists in a very unique position in most organizations in that it doesn't really have a sole function. If you think of, say, your accounts payable or payroll team, it's a very operational kind of thing, you know, a day-to-day function. They do the same sorts of tasks every day. There's not a lot of business direction coming out of that team. There's not a lot of strategic, you know, ideas; it's an operational function. And most business units in an organization, they have a function and they kind of stay in that spot. Security, though, on any given day, you know, is tasked with advising the C-suite on where we should be going with business direction or mitigation, but they're also tasked with executing operational controls around patching or vulnerability management or new controls and firewalls, these kinds of things. And then you turn around and walk out of that meeting and you're educating users, you're educating other business units about why this is important, and still having to manage the strategic direction of your own team, where the security efforts go, to prioritize what's best for the team, what's best for the business, so on and so forth. So it creates this place where security professionals and leaders have to wear a lot of hats on any given day. They could be asked to do any number of different things. And so the three levels of decision making, as we talk about it, is, you know, that executive level, C-suite, C-level kind of, where do we need to align? There's a strategic level, which is, I only have so many resources on my security team; where do I prioritize, how do we get there and make good, smart decisions about maturing the program? And then you have a tactical level, right, the actual push-button, we've got to get it done, deploy the patch, implement the control, lock down the firewall, whatever it's going to be. From Tenable's position, we've been in the vulnerability management business for a long time, and vulnerability management has really changed a lot over the years. We're not looking at vulnerabilities the same way we did 20 years ago. Vulnerabilities now are not just missing patches. We're talking about weaknesses in applications, we're talking about operational technologies that have flaws, Colonial Pipeline, which we just heard in the news recently. It's also process, it's workflow vulnerabilities, the places where the people start to break down, all the processes break down, and they expose your organization to risk. So as we've grown as a company, we really looked at vulnerabilities in a very, very different way. And this is what the industry really drives: the need to mitigate these risks is becoming more and more critical, but it's not just these technical risks. It's got to be the business risk, the non-technical pieces of this. So that's where Tenable has really stepped in and why we wrote this paper, because we really think of vulnerability much more broadly than just the latest CVE that came out with a missing patch. We are approaching this from that risk management perspective. If you're going to do that, then we have to make really smart decisions about how we mitigate vulnerabilities, and those decisions echo at all three of those levels of the organization. So security is uniquely positioned in that way. They are having many challenges because of that. And frankly, this is the business that we've been in for quite a long time. I think we're just starting to finally put some structure and formality around it so that we can think about these things in a more programmatic way, rather than just running around crazy trying to get it all done simultaneously.

Shelby Skrhak: Right, right. That's the reason for bringing in all these three levels and thinking about the decision making process. So let's start with that first level of executives and decision making at that level. I guess explain more of this decision making concept for executives, corner office, C-suite type individuals.

Nathan Wenzler: Absolutely. If you look at this from the CISO's perspective, there's really two pieces to the executive level of decision making. One is, as you describe, the advisor to the C-suite, to the board of directors, whoever, all of the business leaders who are trying to also make good decisions on behalf of the business, but they need to be advised by the CISO about how to do this securely, to make sure they're not going to have data breaches or intellectual property loss, whatever the core mission is to the business that they're trying to protect. So the CISO has a really big challenge there to be able to make that advice easy to digest, easy to understand. It's a common problem I see with CISOs where they just bombard the C-suite with tons of technical metrics and all kinds of data that just isn't relevant to the business. It doesn't work because they don't know it; it's not their line of work. So we have to be in a place where we're going to assist the executives in making good decisions about how they should spend resources, how they should apply budget, where the direction of the company goes, and incorporate good security practices in there. The CISO needs to be empowered to provide relevant information: business-driven metrics, business-driven ideas and concepts, and translate all of that technical information into something that is relevant to the people who are listening. So that level of decision making is really a translation piece, if you will. Now, the other half of that for the CISO is they're also an executive themselves. They have to make smart decisions about how they manage security too. How are you going to write policies? How are you going to write your procedures? Where are you going to marshal resources? Where are you going to ask for budget? That type of thing. So the same kind of thing applies. We need to take all of that data we're getting around, are we meeting SLAs, are we patching in a timely manner, are we stopping data breaches effectively? If you can't answer those questions, you can't make good decisions around where to focus next. So that executive level decision making both is to feed the business with relevant business concepts and to feed the CISO enough relevant information so that they can make smart decisions around where they need to focus next to continue the good effort for the security program and continue its being effective.

Shelby Skrhak: Right. And when you say you have business-driven metrics, those, basically as mentioned at the top of the podcast, should align with the goals of the business, right?

Nathan Wenzler: Absolutely, yeah. And that's where the translation piece comes into play. The most effective CISOs out there are the ones who understand both sides. They hear the business needs, they understand all the technical stuff coming out of their team, and they know the place in the middle where it all kind of comes together to say, if we meet this SLA, what we're really doing is we're meeting this business goal of being able to advise our customers that we take their security seriously, we commit to protecting their data. That's where you start to align those kinds of things. It depends on the business, the organization, obviously. But yeah, that translation into relevance is key.

Shelby Skrhak: So the second level of decision making is at the strategic level: those directors, team leads, other mid-level managers who really operate and manage those critical assets in an organization. So what's important to understand about the decisions made at this level?

Nathan Wenzler: Well, one thing I want to mention before we get to the decisions about this is that in large organizations, these functions can often be split out to dedicated people. In smaller organizations, though, it is not uncommon in a security team to see one individual operate at all three of these levels. So we say mid-level manager, director; that's true in some big organizations, but it is not uncommon to have a CISO making decisions at the strategic level. It's not uncommon for an analyst to have to move up and understand the strategic level and answer questions there too. That's what makes some of this very tricky in a lot of ways for security teams, because it's not always well defined which role has to do it. But framing it in that sense of, like, mid-level management, directors, gives, I think, a general sense of where you're at in the organization. So the strategic decisions, these are much more focused inside the security team itself. This is where we want to identify places to optimize the program, to be more mature, to be more effective, to do whatever the goals are more efficiently, more effectively. So this is where we're looking at places like SLA management, which is really kind of an easy one to relate to. Are we meeting our SLAs? Yes, no. If we're not, why aren't we? And where do we need to fix that? And if we can identify where there's some problems, what's our strategy to optimize that? Right. One of the things that we often look at on our side of things at Tenable is to sort of break out that type of conversation by business units or by function. So it becomes a lot easier to kind of look down the list and say, okay, this group's doing fine, this group's doing fine, but my team in France is not doing so great. I need to figure out why. I need to go in and see, are they missing resources, do they not have the right tools in place? What's going on there that that team is missing SLAs? Conversely, we also want to make sure we identify what's working best, that same kind of premise. I always advise: look at the teams that are absolutely killing it, the ones that are blowing away their SLA goals by days and days and days. What are they doing right? Can you replicate what they're doing across the organization? Maybe it is a tool, maybe it's the way they're using a tool that no one else is using. This is the kind of data set that, when you're in the strategic level, you're trying to identify all those places: where is the program working, where is the program not working, and either optimize what is working so you can continue to improve and mature as an organization, and then also try to help and bolster those places where it's not working, again with the goal of maturing and optimizing the program. So that's really where you're driven at the strategic level, to help figure out where do we go next to make it better. And then this obviously filters down into the execution part of it, which, if I'm seeing the questions we're leading to here, we're about to go right to. You know, that strategic level is the next step into tactical, and you've got to be able to prioritize the work for that group. So the strategic level has to then see the big picture of, I know it's not working, I can identify a solution to help improve what's not working, but now I need to get a kind of prioritized step-by-step so that when I go to the tactical folks, they don't have to guess about what has to get done. We can go right to what matters most. We can absolutely execute the things that give us the biggest bang for the buck, right down the line, and let them be good at what they are good at, which is executing the operational functions, while we manage and maintain that the effort's working.

Shelby Skrhak: So that tactical level is that third level of decision making, like you mentioned. What else is important to understand about the decision making at this execution level?

Nathan Wenzler: So I think the biggest thing to remember here is that at the tactical level, it isn't just about rote execution, right? I mean, this is not just deploy patch, move on, deploy patch, move on, deploy patch, move on. One of the things that gets really tricky for the tactical folks is validation. A lot of companies I've worked with in the past, have consulted with in the past, the key complaint that I hear from IT operations teams or security operations teams who are tasked with doing this work, tasked with this just massive load of patches, of remediation and all of these things: they commonly don't know if what they've done is effective. They'll deploy the patch, but they may not know if it fixed the problem. Usually that goes back higher up the chain; they will be able to validate, right? Oh yeah, test that again. But the operational, tactical folks don't, and that's a really, really big problem, because it creates this sort of workflow loop that can delay any kind of problems from getting remediated. Because if I deploy a patch at a tactical level but I forget to make a configuration change that's necessary to also fix the problem, it could be days or weeks before I find out, once it goes back through the review process, and I've left that system exposed for weeks. If I could have validated it right there and then and known for a fact, yep, I can see that it's fixed, it's confirmed, I did the right thing, you solve the problem right then and there and you give the power to that tactical group to resolve the matter immediately. This validation also lends itself to another really important part, which is, if the tactical folks can see and validate that the thing they did worked, then they can also see that that information is being fed back up the chain appropriately, so that their work effort is being appropriately seen by the strategic folks: yep, we're making a difference. And ultimately that's being seen by the executive level folks, if they're watching those metrics, those business metrics, trending in the right direction. There's a direct correlation for those three levels. The tactical folks can see, my work effort for the last month caused our program maturity to adjust by 23 points this way, and the overall risk score of the business went down by 12. It's obviously there in the numbers. It's such an important thing for the tactical folks to see that they're being represented properly to management and for them to see that their efforts are not just being buried under sort of a, just trust us, it's working, right? It's not a great metric. So that's where that validation piece is really critical for those teams, that they can not just be more effective at doing the operational work, but see how their work correlates to the business as well, directly all the way back up to those levels.

Shelby Skrhak: So for those directors that are listening, it's about giving those tactical level people some ownership and some decision making ability, where typically they may just be the cog in the machine, but that's one of the most important things. So including them in the decision making process and also the validation: is what they're doing working, and does it matter? And that's a theme, you know, that's universal, that's outside of IT specifically; everybody wants to see that validation.

Nathan Wenzler: Absolutely. From a leadership perspective too, I mean, this is such a great way to keep the morale up for your organization, especially at that tactical level. You've got system administrators and database admins, very technical people. If they don't feel invested in, connected to what they're doing, they're not going to care. They'll go through the motions, but not as intensely as you might want them to. So getting them to see that they have a stake in the game, that their work matters, even if it is by a very simple, easy-to-see metric, right, that the management can understand very intuitively: I've literally seen this change organizations in very profound ways. Productivity starts to go up. Patching starts to happen faster because people become encouraged: if I do my job faster, I can change those numbers faster, which means management sees those numbers change faster, and they can see I'm doing a good job. It's a little bit of a gamification of the effort, but it's a really, really important piece of the puzzle if you're trying to build in that kind of optimization for how your processes work, how your workflows happen, et cetera.

Shelby Skrhak: Well, so then, big picture, why does breaking down decisions to these three specific levels help increase teams' efficacy in solving security challenges?

Nathan Wenzler: I think where it starts to help is, if you can think about it in these three levels, it provides a framework, right? Right now I think a lot of security teams, especially those smaller ones where you're kind of doing it all, you just don't stop and think about it. You just do what needs to be done, limited resources, you just get it done. But when we can programmatically look at, my decisions at this level affect these decisions at the next level, affect this other thing, you can start to put yourself in a better frame of mind to make better decisions about those levels, to understand the intent of what you're there to solve in that moment. It also helps make it easier when you're talking to non-security business teams; they start to understand a little bit more too, right? If you can explain to them this executive, strategic, tactical, even if they don't operate in all three of those areas, it's a concept they understand. It's not a technical concept. So when you start to have risk conversations with other groups, it's much easier to say, what we're trying to strategize at this level is how we're going to mature a program. Finance teams are going to understand what you mean by a strategic level plan. Legal teams are going to understand. Like, everyone will start to have a kind of common language, a level set on these things. So that structure can be a really, really important tool for security teams. The more they adopt that mindset, the easier it becomes to be effective when you're swapping hats and trying to juggle it all on the same day.

Shelby Skrhak: Well, so as we start to wrap up, we ask everybody here on the podcast the same question, and that's, where do you see technology going in the next year?

Nathan Wenzler: Well, I think the trend toward automation is still going to continue, and I think the trend towards cloud-based technologies is obviously going to continue as well. I mean, everyone sort of learned the scale and flexibility that's provided when you needed it was really big. I do think, from a technology standpoint, one of the more interesting things that we're starting to see more of, and I think this will continue for the more successful companies out there, is we're moving beyond this idea of just providing raw information and letting humans figure it out. Some tools you get to, like SIEMs and SOAR platforms, this kind of thing, they start to try to give you a filter on data: all right, we're going to surface the things that we think you should know about first. But we're moving beyond that with technology to actually start saying, look, this is an important thing, but let's also talk about how to solve it. Let's actually build in recommendations and solutions into how you're going to solve this problem, because commonly people don't know; they're not sure what the right thing to do is. It may not be as clear as people think. And so having technologies that don't just identify the problem but also bring a solution to the table and say, here's what you should consider, right, it may not be right for your business, but here's a starting point, that's going to be a trend. I think you're going to see a lot more with technologies, and frankly, with smaller teams, people are demanding help: just help us get over that hump. So if you can provide that from a technology standpoint, you really empower those teams to be more effective. You can get right to the solution faster, and that's just a much more effective way of dealing with it.

Shelby Skrhak: Definitely. Well, for our listeners who want to find out more about what we talked about today, how can they reach out?

Nathan Wenzler: Well, for everyone here, if you're working with, obviously, the good folks at Ingram Micro, Cole Bauer is your right person for that. He's very familiar with a lot of these things we talked about today. He can absolutely help you with solutions around these decision making levels. He can be reached at cole.bauer@ingrammicro.com.

Shelby Skrhak: Perfect. Well, Nathan, thank you so much for joining me.

Nathan Wenzler: Thank you so much for having me. It's been great.

Shelby Skrhak: And thank you, listeners, for tuning in and subscribing to B2B Tech Talk with Ingram Micro. If you like this episode or have a question, join the discussion on Twitter with the hashtag #B2BTechTalk. Until next time, I'm Shelby Skrhak. You've been listening to B2B Tech Talk with Ingram Micro. This episode was sponsored by Ingram Micro Security. B2B Tech Talk is a joint production by Sweet Fish Media and Ingram Micro. Ingram Micro production handled by Laura Burton and Christine Fan. To not miss an episode, subscribe today on your favorite podcast platform.
