Cyber 101

Captions
Welcome to Life of a CISO. I'm Dr. Eric Cole, your host, and we'll be taking you on a journey each week on what it takes to be a CISO and what are solutions that you can implement today if you are currently a chief information security officer or if you want to be one in the future. This is Life of a CISO.

Welcome, welcome, welcome, welcome. You know what time it is. I feel like I need a little drum here. It's time for Life of a CISO with yours truly, Dr. E is in the house. Hope you are doing awesome. Hope your second quarter you are crushing it and taking it to new levels. Remember, you can always do a restart, you can always do a pivot, but the reality is the clearer you are on what you want to do with your life and your career, the more powerful you become.

And just sort of my quick little motivation before we jump into today's CISO topic, but I'm finding that a lot of people, when you start getting around April, May and June, they sort of start getting in a little bit of a rut. I hear things like, "Eric, I feel a little stuck, I feel a little numb, I'm not really sure what to do." And the reality is this: when a new year starts, there's a lot of energy, there's a lot of excitement, there's a lot of new goals, there's a lot of new resets. But then what happens is we sort of get back into the same old, same old. We get back into our routines, things that we've always done, and that's when that feeling comes in. And the reality is this: in order to feel energized, in order to feel like you are on track, in order to feel unstuck and excited and not numb, in my experience there's one thing and only one thing that will get you out of all that, and that is to have a clear, compelling vision for your future. If you wake up and you have a vision that in 3, 6, 9 or 12 months you're going to do X and it excites you and it lights you on fire, those feelings go away, because you have a purpose, you have a reason, you have a passion. But what happens is when you lose sight of that vision and every day seems like Groundhog Day, and every day is the same old, same old, and it doesn't seem like if you keep doing this for a year or two years or five years you're really going to make any massive progress, you're going to basically be just treading water and continuing what you're doing. When your subconscious feels that way, when it feels like, hey, we're sort of plateaued here and we're going to stay plateaued and we're not doing anything different or unique, we're not pivoting, not clear, we're not focused, we don't have that vision, that's when those feelings of stuck, numbness and everything else come in. So if you're one of those people that you're on fire, amazing. This is a good reminder for several of you; I've heard this a lot on my coaching calls, where, hey, I'm just starting to feel that way. It happens April, May every year. Just step back and create a blueprint for your life. Step back and say, what is the vision I want? What is the vision I want for my life? Where do I want to be second quarter, third quarter, fourth quarter? And start getting excited, because when you have a vision the passion and excitement comes and then all those feelings go away. Plus you're driven, and driven people are very, very scary.

So what I want to do, now that we got a little motivation underway, what I want to do on this episode is, I've noticed with my coaching clients that sometimes this happens where we sometimes sort of lose sight of what we're really doing. We lose sight of the basics and we try to focus on such advanced things that the core foundational things are not getting done. And the analogy I give is, I remember hearing a story about a basketball coach, and he took over this very, very talented team, and this team, they were amazing. Like, they were going in and doing three-pointers and shots from midfield, and they were doing behind-the-back dunks and everything, and he's just amazed at how talented they were. But he noticed something during games: when they got fouled and they had free throws, they were missing most of them. When they stole the ball from an opponent and they had an open net, basically just a down-the-court simple layup, easy two points, they were missing it. And what he realized is they were so focused on all the advanced, high-tech skills that you see the pros do that they never mastered the basics, they never learned the foundation, and that's why, even though they were an extremely talented team, they weren't winning. Because great shots are awesome, but you need to get the basics down. If you're missing every free throw, if you're missing basic layups, you're not going to win games. So he went back and all he had them do for several months was the basics, and the kids were upset, parents were complaining, everyone was complaining. What they realized is by mid-season they started winning, and they started winning, and all of a sudden they realized what he did: you got to get the foundations down before you do the advanced.

And I bring that up because I'm noticing with several of the clients I'm working with now on CISO, they're trying to go in and do all these events: hey, Eric, we're trying to launch a brand new AI initiative within the organization, and we're going in and we're doing all these advanced correlation techniques and all these new advanced charts and this and that. But some of the basics of, well, what is your risk posture, what are the top risks to the organization, are the executives aware of what the exposures are, do they know what the key threats are, do they know how to make basic decisions around security, are not there. So they're doing all these advanced programmatics, but because the core foundational pieces are missing, they're still getting breached, they're still getting compromised, and the organization executive team is getting frustrated.

So as you know, with many of these episodes, they're based on feedback from you. So if you have feedback or topics you want me to cover, post them below. I hear you, I got you, I'm on top of you. Or we can go in and, I sometimes just get revelations, and other times it's based on themes that I see from my coaching clients. So this one is Cyber 101, and it's really based on what I'm hearing from our clients.

So let's just go back and revisit for a second: what is cyber security? I know those that have been with me for a while, hopefully you're like, I got this, dude, move, I got this, let me get this one, and you know it. But some of you that are newer, let me ask you that question I ask everyone: what is cyber security? And I know it's a weird question, and for many people it's sort of like, what is the color blue? Like, if somebody came up to you and said, what is the color blue, how would you describe it? Right, you know it when you see it, but you really don't have a good definition for it. The reality, though, is in order to be good at anything you have to be able to define it, you have to be able to put structure around it. So first and foremost, you and all your executives should agree on the definition of cyber security, which is: understanding, managing and mitigating risk of your critical assets being disclosed, altered or denied access. That is your job. Which means there's three pieces: there's risk, there's critical assets, and there's confidentiality, integrity, availability. But I know I said it a little different, because confidentiality is prevent, detect, deter the unauthorized disclosure of information; integrity is prevent, detect, deter the unauthorized alteration of information; and availability is prevent, detect, deter the unauthorized denial of access to information. So when I said cyber security is all about understanding, managing and mitigating risk to your critical assets from them being disclosed, altered or denied access, that last part is really that CIA, confidentiality, integrity, availability, triad.

So now what does this mean to you? First I'll start in the middle. Do you have a list of critical assets for your organization? Do you have a list of critical business processes in priority order? And the reality is, if you don't, then there's many things that come up. First, if you don't have a list of critical assets, if you don't know what is critical and what is important to your organization, my first question is, how do you put together a budget? How do you know what to spend if you don't know what's important? Because I don't know about you, but I'm going to spend more money on protecting and securing critical assets than I am on protecting and securing non-critical assets. So if you don't have a list of critical assets in priority order, how are you able to go in and even assess your budget? And then that ties into, how do you know what to focus on? If you have two competing areas where business unit one says, hey, we need help here, business unit two says, we need help here, and you don't have a list of critical assets, how do you know which one to pick? How do you know which one to focus on? And also, how do you know where to put more energy and effort in terms of the protections, the security and the layers if, once again, we don't know what our critical assets are? So this is Cyber 101, the most foundational basic, but I'll tell you, don't worry, this is the one area that many organizations don't have. They skip it, and it's what gets them into the most trouble. It's the reason why you see organizations have a $10 million cyber security budget, they have 40 people on the security team, and they still get hit with ransomware, they're still getting their data stolen, they're still getting compromises where they have 100 million records stolen. And the reality is the foundational reason, there could be many other reasons, but the foundational reason is simple: they didn't know their critical assets, so they didn't protect the ones that need to be protected. Because the reality is, if your database of all your customers' PII, PHI is the most critical asset, you're going to protect it. Now, it doesn't mean you might not get a compromise, right, because you can't be 100% secure, but the reality is you should understand and have a list of what those critical assets are.

So that's sort of foundational step one: do you have a list of critical assets that you and the executive team agreed to, and it basically is socialized with the other executives and business leaders across the organization? For our company, for our organization, this is the business process, the critical asset number one, number two, number three, number four. That has to be done, and that has to be done with the input of the executives, because here's the reality: if you go to a midline manager, or you go to the vice president of marketing and you say, what's the most critical asset? Marketing. If you go to business development, right, they're going to say the same thing. So the only people that can truly prioritize and truly put together a list are your CEO, COO, CFO, CIO, CISO. It's the core five. They're the only ones for the entire organization that can properly prioritize, so they need to be involved with that. That has to be done, because if you don't have that list, you don't know what you're protecting.

Then let's move back to the beginning. Cyber security is all about understanding, managing and mitigating risk to critical assets. We got the critical asset piece, so now let's go back to managing risk. What is risk? Risk is the probability of loss. It's the probability of something happening in the future, which means unless you have a crystal ball and unless you can predict the future, there's going to be risks, which means you can't be 100% secure and have a functional business. Because the reality is simple: 100% security equals zero functionality. And the law of cyber, this is just like the law of gravity. Whether you like it or not, whether you believe it or not, the law of gravity is always at play, and whether you like it or not or you believe it or not, the law of cyber security is always at play. And the law of cyber is simple: whenever you add functionality, you decrease security. Whenever you add functionality, you increase risk. However you want to say it, but the reality is, if you have any functionality, you can't be 100% secure. So any business that's functioning, that's making money, that's in business, by nature is not going to be 100% secure.

So therefore the next critical thing: do your executives know that? Have you made it crystal clear that, listen, breaches are going to happen? Embrace the breach. A breach is not a bad thing. Now, if you have a breach and you don't detect it for four years, yeah, that's different. But if you have a breach and you detect it fairly quickly, then you're still doing your job. And I bring this one up because this is another one that most companies do not understand. And how do I know it? What is still the playbook today, pretty much across the board, across the industry, anywhere you go? If somebody has a breach, what does the company almost always do within 48 hours? Fire the CISO. That's sort of like the go-to playbook. Now let me ask you a question: what would be the only logical reason why you're firing the CISO? Because you didn't think they did their job, because you believe you should be 100% secure. So when you have a breach, the CISO failed, and you fire them. So if you don't want to jump around jobs, right, you need to get that one very clear: 100% security doesn't exist in any practical sense. We will have breaches. But the trick is this: prevention is ideal, but detection is a must. So our goal is not to prevent all attacks. Our goal and objective is to detect attacks in a timely manner to minimize damage. That's our overall goal. And I know at first when I say this to folks, they're like, you're really going to say that to an executive? You're going to be like, no matter what we do, no matter what we put in place, we're not going to be 100% secure? And I'm like, yeah, because it's right. And here's an analogy to help you. Is there anybody that's 100% healthy? Is there anybody that is the perfect specimen of a human, 100% healthy, never gets sick, lives forever? Of course not. Now, yes, we do try to eat healthy, take vitamins, do things to stay healthy, so we do try to prevent from getting sick. But the reality is we all know that everybody at some point will get sick. But what's our goal? To minimize the frequency and the impact. So if you're getting sick every month and you're in the hospital, yes, somebody might say you're unhealthy. But if you get sick once every couple of years and it's just minor, you can still work, you just have to maybe take a little more vitamins and get a little more sleep, then you're still considered very, very healthy. So that's the same approach. Cyber security is just like health: we do what we can to minimize, but we recognize that breaches will still happen, and then we do things to minimize the frequency and control the damage. That has to be set with the executives. They need to be on the same page with you on that.

Then, if cyber security is all about risk, it's all about managing risk, it's all about accepting some risks and not accepting others, don't we need to have a risk posture for the organization? Don't we need to have a list that says, okay, these are acceptable, these are not acceptable? Because now, if you don't have a list of acceptable risk, how can any business leader make a decision? How can a manager, director or vice president make a decision if they don't know what is or is not acceptable risk? And here's the problem. In the past, the old way of doing it, where we didn't have risk postures, was we expected them to come to us for everything, which they won't. And then if they did come to us, we would typically say that it was unacceptable, and they would do it anyway. And it's a broken paradigm, because what happened? They had all the authority and security had all the responsibility. So they would go to you and say, we want to put all of our customer records online with no encryption, and you'd be like, no, no, no, too big a risk, have it encrypted, do this. They're like, too expensive, we'll do it anyway. And you're like, no, and they're like, tough, you can't stop us. And then when they do it and a breach happens, you get fired, because you had all the responsibility and they had all the authority. It's a broken model.

The new model that everyone needs to follow is you have a risk posture, and then it's clear: you, Mr. or Mrs. manager, director or vice president, if you are following the risk posture and you are doing things that are acceptable risk, awesome, we got you, we have security, we have measures, we're protecting you. But if you decide to do something outside the risk posture, if you decide that you're going to take an unacceptable risk, guess what? You have the authority to do that, and we are now also giving you the responsibility, so you have both. And the way we do that is we go to the executive board monthly or quarterly and we give them a list of all decisions that go against our risk posture. So, just so you know, this month these three business units decided to accept this risk on behalf of the company. We want to make you aware of it. We think it's unacceptable, we don't think it should be made, but they think it's worth it for business decisions, so we just want to make you aware. And that's how you run an effective security practice, but you have to have a risk posture. So that's the second important piece: do you have an acceptable risk posture for the organization that the executives signed off on, and all mid to upper managers are in agreement and understand it?

And then, tied to that, you then train everyone who's a decision maker, from managers, directors, vice presidents to executives. You train them on a simple formula. Whenever you're making a decision, you of course are going to look at the value and benefit. That's done already. The problem is, in most businesses that's the only data point that's used. So they go in and they say, okay, what's the value or benefit of doing this? Well, the value or benefit is we can increase our profit or we can increase our revenue. Well, that's great, so we do it. But here's the problem: they left out the second piece, and this is where you train them. In addition to asking what is the value or benefit, you also have to ask what is the risk or exposure. So now you're training them on what is the value or benefit, what is the risk or exposure, and then the simple question is: is the value or benefit worth the risk? If the value or benefit is worth the risk to the organization, then you take it, realizing that if it's above the risk posture you're going to have to explain, because you're now taking a risk on behalf of the company, but you feel the benefit is so great it's worth the risk and you're willing to accept responsibility for that. On the other hand, which happens more likely than not, is when they realize how big the risk is, they're like, yeah, the value and benefit is okay, it's not worth the risk, and they don't make that decision. So now, in addition to having a risk posture, you're now empowering the executives to have the tools they need. You now are empowering them so they can make proper, correct decisions across the organization.

Now, we're not done with risk. So risk, probability of loss, covered those. But what are the components of risk? The components of risk are threats and vulnerabilities. So risk is comprised of what are threats and what are vulnerabilities. Threats are things that can cause harm to the organization. Typically there are things like ransomware, data breaches, along those lines. Vulnerabilities are weaknesses that allow threats to manifest themselves. So a vulnerability is an unpatched system, a vulnerability is a weak password, things along those lines. Now here's the challenge: organizations are going to have a large amount of vulnerabilities just by nature, right, there's going to be some weaknesses. If you look at a house, a house has vulnerabilities: somebody could break the window, somebody could jimmy the lock. Like, there's always going to be some vulnerabilities. But here's the mistake: companies go in and they focus only on the vulnerabilities, and they start fixing random vulnerabilities. Like, I've heard the craziest things over my career, right? I've heard things where security officers are like, oh, Eric, we go and fix the low-hanging fruit because it looks like we're doing a lot. If we go in and fix the easy stuff, we can show the execs that we're fixing 20 to 30 vulnerabilities a week, and it looks great. Yeah, until you get breached, because you're fixing the wrong ones. Right, or fixing five vulnerabilities a day. The problem is all vulnerabilities are not created equal. So we have to go back and say a vulnerability only becomes problematic if there's a threat that exploits it. If we have a weakness but there's no threat, no one's trying to exploit or go after it, then that's a minor vulnerability. On the other hand, if we have vulnerabilities where there's a massive threat, then we want to fix those. So it's really threat drives the equation. We want to understand what our threats are so then we can go after the vulnerabilities to minimize those threats from causing harm.

But once again, lots of threats. So how do we know which ones to focus in on and which ones to go after? That's where we go in and put in the secret sauce. The Dr. Cole secret sauce is this: we layer in likelihood over the threats and impact over the vulnerabilities. So now we're looking at what are the threats that have the highest likelihood in which there's vulnerabilities where there's a huge impact. Because once again, if there's a threat, even a threat with a high likelihood, but it's going to compromise five records, not as critical as a threat with a high likelihood where the impact is 50 million records. So now what we want to do is we then want to start going in and identifying, okay, what are the top threats, and we rank them by likelihood. Then we map them up against vulnerabilities that have the biggest impact, and then the vulnerabilities with the biggest impact that have threats with the highest likelihood, that's what we go after, that's what we focus on.

And then the last piece of the equation is, how do we present this all to executives? Because I've seen this time and time again where people are like, Eric, our executives don't care about cyber, they're not really listening to us, they don't really pay attention, I brief the board but no one's engaged and nobody asks questions. And I'm getting so good at this, I can predict the problem. I look at them and say, why are you using a slide deck of over 30 slides? And they're like, what? I'm like, if you're telling me that your board is unresponsive, you present to them, they don't listen, they don't pay attention, I am almost guaranteeing that you are going in with a 40 or 50 slide deck. And they're like, yeah, how'd you know? Because the outcome: if you go in with three slides and you do my magic formula, you never get those negative results. I brief boards all the time. They're engaging, they're never on their phones, they're asking questions, and I always deliver in the time period, and they always decide to run over and give me more time. They'll always say, Eric, you have 15 minutes or 20 minutes to present, and I cover everything within that 20 minutes, but because it's such an interesting, exciting, critical topic to the business, it always goes over.

And the way you do it is quite simply this. You go in and you go over the threat landscape for the industry you're in. We're not talking about just generic threats but specific threats. So if you're in healthcare, what are those threats? And if you even go regional to your specific area, what are very specific threats to your organization? And you show them that this is real. Then you have a slide where you refresh: 100% security doesn't exist, our goal in cyber is to focus on minimizing frequency and likelihood. I just want to remind, we're all on that same page, so we're going to manage these risks there. And then the third slide is my special formula, the Cole risk matrix, where you basically present four things: what could happen, what is the likelihood of it happening, what is the cost if it occurs, and what is the cost to fix it. Now here's the trick: you only present those risks that have a real return on investment. For example, if there's a risk out there that has a 10% chance of occurring, probably not going to cover it. If there's a risk that has a 90% chance of occurring, but if it occurs it'll cost us $10 and we want a million dollars to fix it, once again, not a good return. What I want to focus on is the risk where there's a high likelihood and the cost if it occurs is a lot more than the cost to fix it. So a great example is if there's a risk, 95% chance of occurring, if it occurs it will cost us $10 million, and I want 200K to fix it. That's a good risk.

So now this episode hopefully gives you the arsenal. You want to make sure you have your critical assets. You want to have your risk posture. You want to make sure they understand 100% security doesn't exist. You give them tools: what is the value or benefit, what is the risk and exposure, and is the value and benefit worth the risk? And then you put together the risk matrix where you list what is the risk, what could happen, likelihood of occurring, cost if it occurs and cost to fix. And if you do that, you have a solid foundation and you are rocking and rolling on the basics, and then from there you can continue to grow and expand your security program. Hope you enjoyed this episode of Life of a CISO and look forward to seeing you next week.
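The prioritization the episode describes (likelihood layered over threats, impact over vulnerabilities, then a risk matrix that keeps only rows with a real return on investment) can be written down as a small register. The following is an added worked example, not code from the episode or any tool of Dr. Cole's. The threat names, probabilities and dollar figures are constructed for illustration, and the 50% likelihood cutoff is an assumption; the episode only says a 10% risk is probably not worth presenting.

```python
"""Added example: a risk register that applies the episode's prioritisation
rules. Threats carry a likelihood, vulnerabilities carry an impact and a cost
to fix, and a row only exists where a threat actually exploits a
vulnerability ("threat drives the equation"). All sample data below is
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    what_could_happen: str
    likelihood: float      # probability of occurring in the planning period, 0..1
    cost_if_occurs: float  # dollars lost if it happens
    cost_to_fix: float     # dollars to mitigate it

    def expected_loss(self) -> float:
        return self.likelihood * self.cost_if_occurs

    def net_benefit(self) -> float:
        """Expected loss avoided minus what the fix costs."""
        return self.expected_loss() - self.cost_to_fix


# Assumed cutoff: the episode only says a 10% risk is "probably not" covered.
MIN_LIKELIHOOD = 0.5


def worth_presenting(risk: Risk, min_likelihood: float = MIN_LIKELIHOOD) -> bool:
    """The two filters from the episode: drop low-likelihood risks, and drop
    risks where the fix costs more than the loss it prevents."""
    return risk.likelihood >= min_likelihood and risk.net_benefit() > 0


def build_risks(threats: dict, vulns: dict, exposures: set) -> list:
    """threats: {name: likelihood}; vulns: {name: (impact_dollars, cost_to_fix)};
    exposures: {(threat, vuln)} pairs where the threat can exploit the vuln.
    A vulnerability that no threat exploits never becomes a row."""
    rows = []
    for threat, vuln in sorted(exposures):
        impact, fix = vulns[vuln]
        rows.append(Risk(f"{threat} via {vuln}", threats[threat], impact, fix))
    return rows


def risk_matrix(risks: list, min_likelihood: float = MIN_LIKELIHOOD) -> list:
    """Rows to put on the third slide, highest net benefit first."""
    keep = [r for r in risks if worth_presenting(r, min_likelihood)]
    return sorted(keep, key=Risk.net_benefit, reverse=True)


# Constructed sample data (not from the episode).
SAMPLE_THREATS = {
    "ransomware": 0.95,
    "insider data theft": 0.60,
    "nation-state espionage": 0.10,
}
SAMPLE_VULNS = {
    "unpatched VPN appliance": (10_000_000, 200_000),
    "weak service-account passwords": (500_000, 50_000),
    "unencrypted backup share": (10, 1_000_000),
    "legacy fax server": (20_000, 5_000),   # no threat targets it: never a row
}
SAMPLE_EXPOSURES = {
    ("ransomware", "unpatched VPN appliance"),
    ("ransomware", "weak service-account passwords"),
    ("insider data theft", "unencrypted backup share"),
    ("nation-state espionage", "unpatched VPN appliance"),
}


def sample_rows() -> list:
    return build_risks(SAMPLE_THREATS, SAMPLE_VULNS, SAMPLE_EXPOSURES)


def sample_matrix() -> list:
    return risk_matrix(sample_rows())


if __name__ == "__main__":
    print(f"{'what could happen':45} {'likelihood':>10} {'cost if occurs':>15} {'cost to fix':>12}")
    for r in sample_matrix():
        print(f"{r.what_could_happen:45} {r.likelihood:>10.0%} "
              f"{r.cost_if_occurs:>15,.0f} {r.cost_to_fix:>12,.0f}")
```

Of the four exposures, the nation-state row is dropped by the likelihood cutoff, the insider row by the ROI test ($6 expected loss against a $1M fix), and the fax server never appears because no threat exploits it; the two ransomware rows survive, with the VPN appliance first.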
Info
Channel: Dr Eric Cole
Views: 653
Id: BjkNiR2Ynzc
Length: 31min 42sec (1902 seconds)
Published: Thu Apr 18 2024