22 minutes | 6 days ago
The Birth Of a CISO
This week's episode acts as a follow-up to answer your burning questions after the interview with our special guest, Gordon Rudd of Stone Creek Coaching, who trains and coaches aspiring and current CISOs. But how do you know if you want to be a CISO? Heck, what is a CISO? It's in the name, right? How do we know exactly what a Chief Information Security Officer is? Does the definition change between organizations? Are the expectations the same? Listen as Joe and Stacy give the ins and outs of what it takes to get the title, what to expect, and why it's needed.
69 minutes | 14 days ago
From Fortran to CISO to Executive Coaching
Gordon Rudd joins us for this week's episode of the podcast. Gordon Rudd is a former CISO, executive coach, author, keynote speaker, and teacher with Stone Creek Coaching. Gordon founded the CISO Mentoring Project in 2012 and is an engaged mentor to many aspiring and active CISOs around the world. He founded Stone Creek Coaching in 2019 to help create world-class cybersecurity leaders. Gordon is a regular instructor with (ISC)2, an international, nonprofit association for information security leaders, creating educational videos, leading educational events, and creating content for their members. Gordon served as the thought leader in residence for Venminder, utilizing his 40+ years of third-party risk management, information technology, information security, and GRC (Governance, Risk Management and Compliance) program development experience. Gordon worked with clients as a third-party risk management and cybersecurity subject matter expert in residence. Gordon began his cybersecurity career while working as a contractor for the defense industrial base in America. He was instrumental in the formation of the cybersecurity program for a Fortune 50 oil and gas company. Gordon has consulted with some of the world's largest financial services organizations on cybersecurity and business continuity management preparedness. He has created dozens of business continuity plans for organizations in manufacturing, oil & gas, health care and banking. He joined Venminder from RCB Bank, where he held the position of Vice President, Chief Information Security Officer (CISO). Gordon implemented and managed both their cybersecurity program and third-party risk management program, including managing internal audits, external audits, and regulatory examinations. Gordon is a recognized cybersecurity expert and is frequently sought to speak at industry events on information security, GRC and enterprise risk management. Gordon received his B.B.A. in Finance from the University of Oklahoma and an M.B.A. from West Texas A&M University. Gordon was instrumental in my transition from security technologist to security leader, and it would have been a rough journey without his coaching, guidance, and mentoring. You can find Gordon online at https://www.linkedin.com/in/gordonrudd.
24 minutes | 21 days ago
My Path in Information Security: Stacy Dunn
In this episode of CISO Dojo, Stacy outlines how she broke into the field of Information Technology and, subsequently, Cyber Security. How does one connect the dots from being a Retail Store Manager with an Associate's in Fine Arts to becoming an aspiring Security Engineer with one of the world's largest security companies? Stained shirts and socks with sandals, that's how! What...? Wait just a minute...? Yeah, that's right! But what does that have to do with IT!? Listen for the full story, down to the dirty details, and gain some insights into how to better build yourself up to take control of your career.
13 minutes | a month ago
My Path in Information Security
This episode starts a new series about non-traditional paths into information security. This series will post every Monday when we don't have a guest on the show. In this series we will look at ways to get into information security and how to progress in your career. This pilot starts out with my own path in information security: from auto technician, to CISO, to consultant.
81 minutes | a month ago
Risk Assessments, Frameworks, and Approaches
Risk assessments are the topic for this episode of the CISO Dojo Podcast.

What is a risk assessment? The identification, evaluation, and estimation of the levels of risk involved in a situation, with comparisons against benchmarks or standards, and determination of an acceptable level of risk.

There are two types of risk assessments we discuss in this episode:

- Quantitative Risk Assessment: uses actual data and amounts during the risk assessment.
- Qualitative Risk Assessment: "Relative measure of risk or asset value based on rankings such as low, medium or high; not important, important, very important; or on a scale from 1 to 10."

Risk Assessment Frameworks

We are going to discuss two frameworks commonly used for risk assessments.

FAIR (Factor Analysis of Information Risk) defines value/liability as:

- Criticality
- Cost
- Sensitivity
- Embarrassment
- Competitive advantage
- Legal/regulatory
- General

FAIR also defines six kinds of loss:

- Productivity
- Response
- Replacement
- Fines and judgments
- Competitive advantage
- Reputation

NIST Special Publication 800-30 Risk Assessment Framework: NIST 800-30 is a 9-step approach to risk assessments that includes:

- Step 1: System Characterization
- Step 2: Threat Identification
- Step 3: Vulnerability Identification
- Step 4: Control Analysis
- Step 5: Likelihood Determination
- Step 6: Impact Analysis
- Step 7: Risk Determination
- Step 8: Control Recommendations
- Step 9: Results Documentation

Types of Risk Assessments

In this episode we briefly cover a few common types of risk assessments:

- RIA: Risk Impact Assessment. This is the initial risk assessment that classifies the risk level of the system (Low, Moderate, High, Very High) and its mitigating controls.
- BIA: Business Impact Assessment. This is usually used during BCP/DR planning and determines the impact of losing your business-critical systems.
- PIA: Privacy Impact Assessment. This one identifies the PII that is collected; why the information is collected; and how the data will be used, shared, stored, and protected.
- DRIA: Detailed Risk Impact Assessment. This one is more detailed than a regular risk assessment and outlines more robust security controls that are commensurate with the inherent risks of the system.

We aren't going to get into risk analysis, because there's a larger conversation that needs to be had there. An organization needs to understand what its top risks are so it knows where to start the risk assessment process.

Top security risks for businesses

Let's take a look at where a lot of organizations are incurring the greatest amount of risk with their security posture, or lack of a security posture.

Your Organization is a Target

Traditionally, smaller businesses weren't an appealing target for threat actors. That changed when ransomware arrived on the scene. Smaller organizations are a more appealing target for ransomware because they typically have less budget to spend on backing up their data, business continuity, and disaster recovery. When a small business experiences ransomware, more often than not they are forced to pay the ransom to recover their data and return to normal operations. If it's not ransomware, the second favorite cyber attack of threat actors is crypto mining malware that runs silently on systems, consuming resources and mining cryptocurrency for the attacker.

Cyber Security Budget

Many organizations aren't aware whether they are over-invested or under-invested in security. Over-investment takes funds away from other strategic business objectives, while under-investment incurs too much risk for the organization. Over-investment isn't a difficult problem to solve, but under-investment can be challenging to rectify. The best approach to determining where you stand is to map out the maturity of your organization in relation to what the industry is doing.

I'll use the NIST Cybersecurity Framework functions to measure the maturity of the security program:

- Identify
- Protect
- Detect
- Respond
- Recover

Next, map the maturity levels of 0-5 using the Capability Maturity Model, where 0 is the least mature and 5 is the most mature. Most organizations should strive for a maturity level of 3 across the five functions of the NIST CSF. If you are not at level 3, you are under-invested in that particular function. If you are at a 4-5 maturity level for a particular function, you might be over-invested in that function.

Patching and Vulnerability Management Risk Assessments

An effective cyber security program includes patching and vulnerability management. Unpatched vulnerabilities provide opportunities for threat actors to compromise your systems and networks. Even the best organizations achieve only about a 75% success rate. In an organization that lacks patching and vulnerability management, the risk of a breach is considerable. A successful patching and vulnerability management program starts with asset inventory. You need to know what assets you have, and then you need a way to identify and monitor your patching and vulnerability exposure and remediation progress.

Email Security Risk Assessments

Breaches often start with malware, phishing, or spam as the entry point into the organization. This indicates a lack of technical controls at the email server, as well as a lack of the administrative control of a security awareness program. If you are hosting email in house with no spam filtering, anti-malware, or other technical controls, now is a good time to consider outsourcing email to Office 365 or Google Apps. The benefits are less maintenance, more security, and reduced costs and administration time.

Data Backup, Testing, and Recovery

A lot of organizations lack a backup plan, backup retention, and testing of backups. The problem is usually a lack of understanding of what their mission-critical data is. This goes back to the lack of a mature security program. Organizations that are backing up their data usually fail to test their backups due to a lack of time and a lack of staff. This is something that should also be addressed in the overall security program for the organization, or perhaps outsourced to a third party for business continuity and disaster recovery purposes.

BYOD Cyber Security Risk Assessments

Mobile devices are growing in popularity as an entry point for threat actors, and careful consideration should be given to BYOD programs. While there is a lot of benefit to BYOD (bring your own device), there are also a lot of risks. The main issues are co-mingling of data, eDiscovery, terminations, data security, and mobile device management. Mobile device management is critical if you allow employees to utilize their own mobile devices for work purposes. You should also include a mobile device threat prevention solution that detects and prevents malware, phishing over text message (smishing), and rooting or jailbreaking of mobile devices. Also consider a VPN for secure connections from the mobile device back to the corporate network.

No Cyber Security Program

This is by far one of the most common problems I encounter when consulting with small, medium, and even large enterprise-level businesses. There should be an overarching policy from the executive level stating that the organization understands the importance of cyber security and will have a cyber security program. A typical cyber security program should include:

- Security Awareness
- Business Continuity and Disaster Recovery
- Physical Security
- Acceptable use policies for email, Internet, and mobile devices
- Password policy
- Encryption policy
- Cloud storage and provisioning policy
- Incident response policy
- Vendor management policy
- Cyber risk appetite statement

The above is not a comprehensive list and will differ from organization to organization.

Preventing breaches, business impact, and security incidents starts with risk assessments and a cyber security program. Having a formal security program also means having someone in charge of security to drive it forward. This is usually a CISO or vCISO, depending on the size of the organization. The post Risk Assessments, Frameworks, and Approaches appeared first on CISO Dojo.
44 minutes | 2 months ago
Employee Retention Strategies for CISOs
Employee retention of top talent should be on the mind of every CISO today. Recruiters are focused on coaxing the best employees away from organizations due to the perceived skills shortage in the information security industry. When an employee approaches you about an offer from another company, how should you handle that situation as a CISO? One approach is to analyze the company and the offer with the employee. This helps sort out the pros and cons of making a career-impacting move. Questions such as whether this is a lateral move, a step down, or a step up in their career are important to answer.

OSINT for Employee Retention

Open Source Intelligence will tell you a lot about the rival company. Taking a look at their web site should lead you to their social media presence (if any) and the names of the leaders in the organization. Whether the company has a large social media following and whether they are active in the information security community can reveal a lot about the organization. Things such as culture, company size, and conference involvement can give clues to what it will be like to work in the organization.

Go Work Here and Not There

If the research determines that the employee is making a lateral move or a step down, I would encourage them to apply at their "dream company". If they are absolutely set on making a job change, then they should at least apply at a company they really want to work for. As security leaders we need to understand that people are going to move on from our organization at some point. Part of our responsibility is to set them up for success however we can. Sometimes that may mean encouraging an employee not to settle and to go for what they really want. I would even go as far as reaching out to the CEO of the company they are interested in and personally referring them. We have to support our team members in their career development and personal development, even at times when it might not be in the best interest of the organization.

Show Notes

Featured in this episode are Joe Sullivan, who teaches MGT514 Security, Policy, and Strategic Planning for the SANS Institute, and Stacy Dunn, who works in the information security industry as a technical engineer for a multinational security company. This episode is sponsored by Crossroads Information Security. Crossroads Information Security provides Virtual CISO services, penetration testing, and incident response.
36 minutes | 8 months ago
Resume Reviews, Interviewing, and we have a co-host!
Meet Stacy Dunn in this episode of the CISO Dojo podcast. Stacy has been working in INFOSEC for the past 4 years in various roles and was a guest on the show previously. In this episode Stacy and I discuss a lot of different topics, including:

- Culture
- Diversity
- Women in Tech
- Interviewing
- Resume prep
- Fitness

As we recorded this episode I was thinking about the idea of offering resume reviews, mock interviews, and interview preparation. Is this something you think would be beneficial to the community? If so, how should it be structured? Should it be free, or a paid service? Reach out to us and let
14 minutes | a year ago
Managing Teams Remotely
Managing teams remotely is a real challenge in this environment. As leaders and managers, we need to make sure we are taking the right approach to managing our teams when they are remote. We've lost a lot of the daily context of what our team members are facing, how to motivate them, and the convenience of in-person communication. In this episode I discuss concepts of leadership, dealing with people, and how to get people to change without causing resentment. These are important concepts to apply; they may seem like common sense, but they aren't common practice. Also check out the new class offerings at www.sans.org. All classes have gone remote and online. You can download the material online and get electronic coursebooks! All the concepts I discuss in this episode were taken from SANS MGT514 Security Strategic Planning, Policy, and Leadership.
7 minutes | a year ago
Working Remotely During a Pandemic
One of the challenges many organizations are facing right now is: how do we secure a remote workforce? In this episode I discuss some of the tough questions organizations face and how they are approaching them. A lot of vendors, such as Google, Cisco, and Zoom, are stepping up to offer free products. We also need to address how to secure newly acquired cloud services; I discuss a few options to help secure and monitor cloud services. There's also a good article by Lance Spitzner called Top Three Behaviors for Creating a Cybersecure Remote Workforce. Check that out to keep in mind some of the security concerns for a remote workforce. You can also see what other organizations are doing and what events have been cancelled at https://stayinghome.club/
6 minutes | a year ago
Pandemic Policies
With the Corona Virus spreading, now is a good time to check your Pandemic Policy. Pandemic Policies help you plan for a large part of your workforce being unable to work due to illness. In this episode I'll cover some key points from a Pandemic Policy Template available from SANS. If you are considered critical infrastructure by the Federal Government, you might start here: dhs.gov. Things you should be thinking about are IT infrastructure needs such as:

- Bandwidth
- VPN licensing
- Remote Desktop
- Virtual meeting tools
- Extra laptops
- MFA tokens

Ideally, you already have your Pandemic Policy in place and are including it in your tabletop exercises.
6 minutes | a year ago
Strategy Versus Culture
It's been said that culture eats strategy for breakfast, but what does that mean? If your policies, procedures, and strategic plan do not align with the culture, you risk offending the organization and will fail to execute your strategic plan.
© Stitcher 2021