Data minimization in the US is changing from a potential policy goal to a regulatory imperative. Maryland’s new Online Data Privacy Act requires any service collecting data to meet the requirement of being “strictly necessary.” So how does this impact the rest of the country? And how do CISOs start getting ready for compliance?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our sponsored guest, Jeremiah Roe, advisory CISO, OffSec.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, OffSec

Full Transcript
Intro
0:00.000
[Voiceover] What I hate about cybersecurity. Go!
[Jeremiah Roe] What I hate about cybersecurity is exactly what I love about it. It’s diverse, it’s open, there’s a lot to it, and it’s super in-depth and complicated.
[David Spark] That sounds like something you would love about cybersecurity. What’s the hate part there?
[Jeremiah Roe] It’s exactly what I love about it is what I hate about it because it’s complicated, it’s difficult, and there’s a lot there. There’s so many things to get into during that.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I’m the producer of the CISO Series. My co-host for this very episode, whether you love him or hate him, I am requiring you to love him right now. It’s Andy Ellis, the operating partner of YL Ventures. Andy, say hello to the audience.
[Andy Ellis] Hey, everybody. How are you doing today?
[David Spark] Is there anyone you know that hates you?
[Andy Ellis] Oh, there’s a lot of people that hate me.
[David Spark] You’re far too lovable to be hated, Andy. That’s what I say.
[Andy Ellis] Yeah, I would like to believe that, but I understand that people have different opinions.
[David Spark] Mm-hmm. They’re wrong. We’re available at CISOSeries.com, where you can check out all of our programs. In fact, by this time, all of our episodes for Capture the CISO have dropped. So, if you haven’t seen Capture the CISO or listened to it, go check it out on our site. Our sponsor for today’s episode is OffSec, elevating cyber workforce and professional development.
A very unique sponsor. We don’t have these kinds of sponsors a lot, and very excited they’re on board, and they’re responsible for our guest today. But first, Andy, I want to tell you that I was just in Las Vegas on vacation with my kids, first time I’ve done Vegas with my kids, and we got to see the BattleBots show in Vegas.
[Andy Ellis] Ooh.
[David Spark] Actually, an old comedian friend of mine is the host of the show, a guy by the name of Bill Dwyer, who hosted the original BattleBots way back more than two decades ago. A, are you a fan, and have you ever seen it live?
[Andy Ellis] So, I’ve never seen BattleBots live.
[David Spark] You’ve seen some of the other ones.
[Andy Ellis] I have seen both 270 and 6270 live, which are the MIT courses, one of which is autonomous vehicles and one which is non-autonomous vehicles that do this.
[David Spark] Fight to the death?
[Andy Ellis] Usually, there’s a competition. It’s not strictly a battle. It’s some sort of game that the bots are playing, but taking out the other bot is sometimes an acceptable strategy.
[David Spark] Well, the thing with the BattleBots is they have to create an arena with very protective glass around it.
[Andy Ellis] Very protective glass because they’ve sort of over-indexed on, “Let’s just destroy the other bot,” which I love. I think it’s a fantastic one.
[David Spark] It’s quite entertaining, and I will just say to our audience, if you’re bringing kids to Las Vegas, this is a very kid-friendly show…
[Andy Ellis] Absolutely.
[David Spark] …super kid-friendly, and it’s actually a blast. My kids loved it, and also my wife loved it as well. So, I highly recommend it.
[Andy Ellis] And it’s very relevant to cybersecurity, getting to see attack and defense happening in the same location. So, you can’t just over-pivot on one or the other. You have to kind of do a little bit of both.
[David Spark] And also, the way they set up the arena, it’s kind of like a Thunderdome because there’s dangerous stuff in the arena itself, like saws spinning.
[Andy Ellis] Yeah, I haven’t seen it in quite a while, but I assume it’s gotten more over the top since I last saw it.
[David Spark] Oh, yeah, yeah. And they don’t have a weight limit on these bots. There was one bot that was like six feet tall. It was enormous.
[Andy Ellis] Oh, yeah. That’s definitely much more than I remember.
[David Spark] Yeah, they’ve gotten quite big. So, anyways, recommended, was quite entertaining, everyone had a good time. Let’s get to our guest here. Very excited to have our guest on, especially because we’re going to be talking about training, education. Which, by the way, super popular. And I do also want to mention this before we even get into this because we’ll talk about it later in the show.
There is this grand misconception in the industry that if you train the employees, they will take that knowledge and leave. And what we have seen is truly a 180 of that happens. If you train them, they stay. If you don’t train them, they leave. So, it’s the opposite of everybody’s misconception.
[Andy Ellis] Yeah, I think that if you should worry about that if you train them they will leave, that if you don’t train them, they won’t leave is actually what you really don’t want to have happen.
[David Spark] [Laughter] Good point all the way around. Well, let me bring him on. He is the advisory CISO over at OffSec, our sponsor, none other than Jeremiah Roe. Jeremiah, thank you so much for joining us.
[Jeremiah Roe] Thank you for having me. It’s a pleasure to be here.
How CISOs are digesting the latest security news.
4:51.180
[David Spark] The argument for data minimization is about to get some regulatory teeth in the US. Maryland’s legislature approved the Maryland Online Data Privacy Act, which is expected to happen the day we’re recording this episode, April 8th, 2024. The law requires that any company gathering, processing, or sharing sensitive information only collect data that is “strictly necessary” for providing a service.
Maryland isn’t the first state to pass a digital privacy law, but this law sets a new standard for data minimization. Andy, does this law have the teeth to set a standard that could impact the rest of the United States? And if so, what do CISOs need to do to get ready to be compliant?
[Andy Ellis] Well, let’s separate out whether it has the teeth from what it aims to do because sometimes you have one or the other. I love what it aims to do. I’m skeptical that it will actually succeed at that, but I’m really excited to see us actually talking not about data protection, but about data minimization.
What this is really aiming for is this everybody collects everything, shares everything, when they don’t actually need it to do that service. Like, it’s one thing to say, “Look, I’m a retailer. Of course I need to keep track of everything somebody’s ever bought from me as part of my service of making recommendations for them.” Like, I can see an argument for that.
If I’m playing some game on my phone, you basically don’t need to collect any data from me for that game, and you certainly don’t need to go sell it to an advertising network that says, “Oh, I see you are in the doctor’s office. Let me send you ads for whatever doctor’s thing.” You did not need that knowledge for that, nor did you need to do it.
So, I’m really excited to see, like, let’s minimize the data because that’s how you actually protect it.
[David Spark] I think a lot of people are on board. It’s the marketers aren’t too happy about this, but everyone else is. So, does this thing have teeth, Andy?
[Andy Ellis] So, I think that’s what we really need to see is will Maryland be able to sort of swing, and I think there’s two other states who are also looking at a similar model, and what really will happen is most people will probably be like, “Fine, Maryland has this thing. We’ll try to figure out a workaround for it.” The real teeth is if other states jump on board, at some point you can no longer go state by state and say, “Well, we just won’t collect data on users in that state.” Maryland is kind of too small to have the clout that a California has when it first led with, what was it, 1384, the breach disclosure law, but like, boom, everybody had to follow because you couldn’t ignore California.
I worry that Maryland might not have the teeth, but I like that Maryland is out and paving the way for everybody to follow.
[David Spark] Excellent. All right, Jeremiah, I throw this to you. What do you think of this teeth capability minimization? Give me your thoughts.
[Jeremiah Roe] So, thinking about this, I think this is great for consumers. I think it’s not so great for businesses. I think it’s great for consumers for the exact same reasons we just mentioned. For businesses, this is going to be an upshift in re-engineering aspects. We’re going to have to re-engineer our data ingestion mechanisms to be able to account for what it is we’re taking in.
That’s going to cost money. It’s going to cost effort. It’s going to require individuals to scale, and it’s going to be a business expense that is hard to get around. And so, if it does have teeth, again, good for consumers. Me as an individual buying things, I don’t want my information captured for playing video games or for going to the mall and then looking to, I don’t know, buy some swim trunks for my summer vacation.
But for businesses, again, that’s going to be difficult. As to whether or not it has teeth, I tend to align with both of you and what you just said. I don’t know if they have the chutzpah to be able to get through and push it to become a standard across the United States.
[Andy Ellis] But at least we can look at this as potentially a bridge to the future that Maryland can build for us.
[Jeremiah Roe] Absolutely. I think this is a great bridge, and I think it’s an important step when it comes to data privacy. Because in the United States, we’ve looked at data as a commoditization. We are the product, the users. The thing that we’re giving is not the product, we are. And so, how do we change that?
We’ll have a cultural dynamic shift, a paradigm shift, what’s being provided.
Why is everyone talking about this now?
9:17.896
[David Spark] Are we seeing a rise in dedicated detection engineering roles, or is the process of building, refining, and managing detection content just part of the job of working in the SOC? So, this process remains challenging, notes Anton Chuvakin, who actually hosts Google’s Cloud Security Podcast, and he chalks this up to three main factors.
A constant, changing, and messy threat landscape – the fact that we need detection engineering, I should point out – a need to quickly turn around detection content once threat intelligence comes in, and the bevy of sources sending data to analysis in a modern organization. The big question I have for you, Jeremiah, is any of this getting better?
Because it just seems constantly overwhelming. What do you think?
[Jeremiah Roe] I think it is getting better, and I think it’s getting better for a number of reasons. Now, let me, before I get there, it’s going slowly. I think to us in the industry, it feels like it’s screeching by very, very slowly, but it’s getting better. And I say it’s getting better because we have examples of executive orders that are being released that are calling for new cybersecurity laws that are driving zero trust initiatives.
We have the formation of CISA to help lead the way and guide the path in developing some of these frameworks and strategies. We’ve got new implementations from NIST in the cybersecurity framework, the 2.0 version. And so, if we take a look at the big picture back, it’s getting better.
Now, why are these things coming to a head today? Well, I think it all sums up in the form of business risk. And what I mean by that is risk is being absorbed from CISOs, from myself and above. Business leaders are being held accountable more and more. We can’t ignore the fact that cybercrime has exponentially increased over the years.
The cost of a data breach is at, what, $4.45 million per breach. You couple that with cascading events that are around personally identifiable information and the impact it has to the everyday consumer, then yes, I think these things are important. We’re seeing expansions. We’re seeing things drive.
We still have a shift in individuals who don’t necessarily get cyber yet. That’s why we’re here. We’re here to help educate. We’re here to help align and to drive for innovative change in government agencies.
[David Spark] But you guys are doing the education over at OffSec.
[Jeremiah Roe] We are.
[David Spark] Have you seen a rise in, I guess, training or role titles of this sort of detection engineer? Because my argument at the beginning was, isn’t this just part of working on the SOC? Or what do you see?
[Jeremiah Roe] So, from the detection engineering perspective, I think we’re seeing a rise in the need for more blue team style roles. And we would categorize this more kind of in the blue team categorization. So, we’ve got blue team, red team, combination purple team. There is more of a drive to be able to identify the threat landscape.
Now, these are some of the skills that are traditionally focused around offensive-based skills. What’s the threat landscape? What’s my attack surface look like? And how do we discover that, manage it, and continuously monitor it? That information can be absorbed into a detection engineering type role to be able to further refine down into a digestible manner so that we’re continuously looking at these things over a set period of time so it doesn’t all come at us at once through, I don’t know, our quarterly pentest or biannual pentest.
Things that can have real impact monetarily that we haven’t planned for.
[David Spark] All right, Andy, I throw this to you. The issues of detection engineering, the need for the role, and how sort of expansive sort of the problems become, as Anton pointed out.
[Andy Ellis] So, entertainingly, probably my first job in information security would have been called detection engineer today, we just called it information warfare engineer. That was like last millennium, that was the language for it. And I think that what we’re seeing is really sort of more hyper-specialization in the security community, and it’s very similar to what you see in the marketing community, honestly, in IT, and almost every other field.
As you become mature, you have more specialization. So, we now think of detection engineering as this specific role, rather than it being part of the job of a much larger spectrum of, “Oh, you’re doing this in addition to doing incident response and pentesting and all these other things.” Now, we’re like, oh, actually being able to write a coherent detection rule that will run highly performant at scale, will have low false positives, that’s a hard problem.
And you can definitely start to see that that’s a path that people can take that says, “Look, I want to do somewhat of a software engineering job without the heavy…” You’re not building giant architectures, but you better understand how PCRE works.
Sponsor – OffSec
14:25.179
[David Spark] Before I go on any further, I do want to tell you about our absolutely awesome sponsor, and that is OffSec. Discover the power of OffSec, formerly known as Offensive Security, the force behind the renowned OSCP certification and Kali Linux distro. Trusted by big hitters such as Cisco, Google, and Salesforce, OffSec is your partner in upscaling cyber talent with extensive training and resources.
The regularly updated learning library includes over 1,500 videos, 2,000+ practical exercises, and more than 800 hands-on labs. Their programs cover a variety of domains, including pentesting, cloud security, incident response, security operations, and a lot more. Their content spans all levels from entry level to advanced.
You can even tailor your team’s learning by exploring various learning paths designed to meet your team’s unique needs and job roles. They’ve got a cyber range that includes simulations for red and blue teams, and tournaments that develop offensive and defensive skills in preparation for real-world attacks.
Speaking of real-world attacks and challenges, OffSec recently surveyed 247 InfoSec leaders to find out what keeps them up at night. Curious what they learned? Go check it out over at their website, offsec.com/insomnia.
It’s time to play “What’s Worse?”
16:10.148
[David Spark] Jeremiah, you are aware of how “What’s Worse?” works, yes?
[Jeremiah Roe] I am aware. I am aware, [Laughter] and I’m dreading this.
[David Spark] Andy is going to answer first. You may agree or disagree with Andy. We will see how that flows. This comes from Jonathan Waldrop, who is a brand-new CISO over at The Weather Company. Here is the situation. You are a CISO at a software-as-a-service company, Andy. What is worse? And I’m going to define these two.
I’m going to give you an A and B very quick, but then I’m going to define what A and B means, essentially, per the submitter, Jonathan Waldrop. A, a check-the-box audit, or a check-the-box security program. Now, let me define what he means by check-the-box audit versus security program. A check-the-box audit would be one where the auditor isn’t performing full testing, or the controls are written very loosely.
Or the check-the-box security program is one where they may have a lot of right tools, but they’re not fully implementing them or very well configured. So, which one is worse of those two?
[Andy Ellis] So, this one’s weird because I have to assume if I’m doing check-the-box security program, does that mean I get a good audit? And if I’m doing a check-the-box audit, does that mean I get a good security program? So, I’m going to assume that’s a yes.
[David Spark] Yeah. Well, let’s not say it’s good. You have a security program, or you have an audit program, and vice versa.
[Andy Ellis] If a security program, it’s certainly better than a check-the-box security program if I’m doing a check-the-box audit.
[David Spark] It’s definitely above that. We’re not saying it’s stellar. We’re just saying that it exists.
[Andy Ellis] Oh, then in this case, absolutely check-the-box security program is the worst one. And the reason for that is you hire assessors to tell you what’s wrong and you hire auditors to get a passing grade. Absolutely getting a check-the-box audit is not a problem, especially if I’ve at least got a decent security program.
[David Spark] You will check some of the boxes with a decent security program.
[Andy Ellis] Well, I’m assuming that with a decent security program, I’m going to pass the audit. The whole goal of an audit as a company is to pass the audit.
[David Spark] Mm-hmm. Right.
[Andy Ellis] You don’t hire auditors to tell you what’s wrong. Failing your audit is a bad thing. Failing your assessment, you can’t do because an assessment is like, “Oh, come show me what I’m doing wrong.” An audit is like I have to now demonstrate to somebody else that I passed the audit. So, I would rather have a check-the-box audit than a check-the-box security program.
[David Spark] Good point. All right, Jeremiah, I think you’re agreeing with Andy on this one. Yes?
[Jeremiah Roe] I think so. I would rather not have a check-the-box security program.
[David Spark] Yeah. Because if you did, you’d have a check-the-box security program and a sub check-the-box audit. Probably. Yes?
[Jeremiah Roe] I think all of that works together in some weird way. Yes.
[Andy Ellis] Yeah. If you have a check-the-box security program, you should probably get your check-the-box resume together.
[Laughter]
[Jeremiah Roe] You should absolutely get that, so you don’t go to check-the-box jail.
[David Spark] Have you ever been in a check-the-box security program situation, either of you?
[Andy Ellis] So, yes. Which is any time that you have to go through a new compliance regime of any kind, you’ll discover that it’s asking you for things that you just don’t think are important to do. But you can’t not do them.
[Jeremiah Roe] I would say in addition to that, the situations I’ve been in in the past where I’m standing up a new security program altogether and I’m given a budget line item, I’m saying, “You can’t go past here. You can only go to here and this is all we can afford.” So, you kind of pick what’s most important at the time.
Please, enough! No, more!
19:49.969
[David Spark] Today’s topic is training for cybersecurity professionals, and I just want to bring up a comment I made at the beginning of the show is it actually is the thing that keeps your employees. It is not the thing that drives them away. And I’m quoting Jesse Whaley, who’s a CISO over at Amtrak, who has a very heavy education program that he does, and he has found humongous retention capabilities through training himself.
So, Andy, I’m going to ask you this question. What have you heard enough about with regard to training and leveling up your staff, and what would you like to hear a lot more?
[Andy Ellis] So, I think I’m going to say what I’m not hearing rather than what I am hearing. I hear training too often is just this thing. It’s off on its own. “Oh, we have a training budget. Maybe we should train some people. We should do some training.” I’m tired of hearing that. Let’s talk about performance development because everybody does performance development and they do it in an awful way, which is they say, “Oh, I have my elite 5%.
Let me give them cool opportunities so they’re like, ‘I like working here. I don’t want to leave.’” And I have my bad 10% and let me give them performance development, aka an impossible-to-meet standard so I can fire them in a justified way. And I’m going to point at my book, which I know you love when I do because one year ago today my first hard copy showed up.
Performance development should be applied to every person on your team. Chapter 26, you should all go read this.
[David Spark] That’s 1% Leadership by Andy Ellis.
[Andy Ellis] 1% Leadership. The whole point of training is… Those aren’t my book though, come on. Sorry. Our guest is holding up his books rather than mine at this moment. He doesn’t understand how this works. He’s supposed to pimp my own book. Although we’re very excited to see those as well. But the whole point of performance development and training is these are integrated as part of someone’s career path.
So, you need to have a conversation about every person on your team with what skills do they need to develop across their career, and how are you not just getting them training, but giving them opportunity to put that training in practice in a safe way so that they can actually learn by experience, not just, “Oh, I went to a course.” The courses are important.
But if you do the course without actually doing the work, I will tell you that what you will walk away with from the course is not going to be very helpful for your career. You need to be able to do the work as well.
[David Spark] Jeremiah, I throw this to you. This is what OffSec does. This is your expertise, so you’ve seen the good and the bad of this. I’ll ask you the opening question of what have you heard enough about with online training, professional development, and what would you like to hear a lot more?
And then I have a follow-up.
[Jeremiah Roe] So, for me, I think what I’ve heard enough of is organizations telling employees that they don’t have budget to go get training, and then they require them to still get training.
[David Spark] Oh, yes.
[Jeremiah Roe] I think that’s a load of crap. And I think that as business executives, we have the onus to, in the process of building in our load rates for the employees because we all have them, what it costs the business to have the employee. If we begin to build these into the load rates, just like we do 401k, just like we do medical, dental, all those things, for a training budget, all of a sudden, we’ve now got training that can be associated with the individual employees at the individual level.
And to your point, I don’t think it matters whether or not an employee leaves if they get good training or not. One, you’re going to be looked at as a super awesome business for helping them get training. Two, you might be able to bring in some really exceptional talent, train them up, and help them to become greater.
And then they may or may not choose to stay. If they choose to stay, then you’re doing well as a business. So, any opportunity you get to mentor, grow, and advance someone’s career, take it, and help them along the way. Because one, it’s, I think, a good human being thing to do. And two, it’s a good situation to be in for the business.
[David Spark] And also, it’s a huge employee branding effort in that if you do not train, let’s just say this, if you do not train, not only do all your employees know it, everybody knows it, the whole industry.
[Andy Ellis] They’ll tell people.
[Jeremiah Roe] Oh, yeah.
[Andy Ellis] I’ll go one step further. If you’re one of the companies that Jeremiah was just politely calling out by not naming you, where you require people to get training to advance in their career and you do not provide it, I will point out to you very gently that that has a disparate impact on underrepresented communities.
Either because that highly correlates with economic backgrounds, so they may not have the easy access to funds to go spend on doing this outside, or they have significant labor outside of the workplace that they’re engaged in that impedes their ability to go do this on their own time. So, stop discriminating.
[David Spark] All right. Here’s my follow up question. All good points, Andy. Follow up question for you, Jeremiah. Being that you have this amazing training program over at OffSec, I’m interested to know what you have learned from the people doing the training. Like in terms of what they choose to do, what works best for people, what insight do you have that the rest of us just simply do not have?
[Jeremiah Roe] I think to Andy’s point, funny enough, that we give individuals an opportunity to come in and learn how to think critically. That’s a hard thing to teach. Our programs are specifically built around that aspect to help them with determination, to think critically, to think outside the box, and to think creatively.
And that applies to every form of business, not just offensive operations or defensive posturing. When individuals go through a program that OffSec provides, yes, it exceptionally helps them increase their effectiveness in those roles. But further, it becomes a tangible thing you can rely on to further propagate yourself in your career.
And I know this because I myself have gone through training, and I started my career on the offensive side by conducting training through OffSec to obtain my OSCP.
[David Spark] Is there anything specifically that you have, besides obviously yourself, but that you have seen people who’ve gone through the training program, like in terms of like, “Oh, we thought everyone would do this, but now they’re doing this and now we understand why they’re doing that.” Anything that just kind of surprised you in terms of how people gravitated?
[Jeremiah Roe] What we’ve seen is that it provides an increase in effectiveness for the individuals, regardless of which realm they’re going in, from the blue team side or the red team side or pentesting side. So, when you’re conducting offensive operations, there’s a large scale-up to be able to effectively do that well for the organization.
We’ve seen an exponential increase in effectiveness of individuals who do go through these programs.
Now, one thing further is if you tie in organizational risk to the possibility of being exploited, and then you factor that out for the cost of an exploitation or cost of a data breach, and you correlate that back to the cost of training, you can begin to build out a return on investment for effectiveness scales that are associated with the business for sending the employee to training.
Because there’s always an effective increase, which means there’s always an effective return on investment.
Let’s look under the hood.
27:27.512
[David Spark] Are those that don’t learn from past data breaches doomed to repeat them? Analyzing data breaches in your industry is always good practice, but not without context to help reduce risk, argues Ido Ganor on LinkedIn. He recommended the following three paths. Search for a root cause rather than focusing on symptoms, analyze what actually applies to your company, and lastly, focus on process rather than new tech.
Andy, I’m going to start with you on this one. What specifically have you learned from past breaches that you’ve applied to deal with the next one? And were any of those paths, the three here that are mentioned by Ido, relevant?
[Andy Ellis] Well, the first one is stop looking for “a” root cause. Breaches do not have a root cause. Like, we have complex systems. There’s a number of hazards that interplay. There’s a proximate trigger. And often people think that’s the root cause. Like, what is the thing a person did? And the answer is, sure, they did this thing, but there were 17 failures of process control systems and technical systems that didn’t work that actually made the incident happen.
You can always go and find a person who pushed a button and people like, “We’ll cut off everybody’s hands so they can’t push buttons anymore, and that will save us from breaches.” No, that won’t. That will just mean you don’t have employees that are working very fast anymore because you just cut in half all their abilities to do work.
So, don’t look for a root cause.
What you look for is hazards and say, “What made this worse? What enabled this to happen?” And I think Ido really jumps into this in bullet three, which is focus on process. Like, identify the places where your processes don’t work, where you have process variants. We say, “Oh, when we terminate an employee, we do these 85 steps.” Do you really do all of those 85 steps?
Have you actually instrumented your processes to understand that, oh, when you lay off most people, that’s what you do, but when you let go of your IT administrators, we don’t remember to delete all of their root permissions. That’s a process failure that creates a hazard that someday is going to bite you in a major breach.
[David Spark] Good answer. Jeremiah, same thing. Are any of these paths relevant? And specifically, have you had a breach, did you really learn from it, and did you apply that learning to the next one? And I’d love to know if you got an example for us.
[Jeremiah Roe] I wholeheartedly agree with what Andy said. I would maybe further expand upon that and say, outside of individuals and blaming individuals, if it’s a technology failure, I think we can…
[David Spark] Which, by the way, can I pause you there? There’s a theory that if you fire the individual, the problem goes away. Going back to your concept, Andy, it’s like not at all. It’s a process led up to the individual failing, not the individual. Go ahead.
[Jeremiah Roe] Yes, I would absolutely agree. That’s a training opportunity. Right?
[David Spark] Yeah.
[Jeremiah Roe] Let’s be good to employees here. When it comes down to identifying a specific root cause of a thing, I think we can do that more so with technology failures. We can trace that back. But to Andy’s point, it’s a process problem because there are so many processes – 15, 20, 30 processes that led up to the failure from either not updating or not defining what the requirements are within the system to be able to update it and secure it in a reasonable manner.
So, we take that, we extrapolate it out. Have I individually had a breach? I will shake my head yes and say no. I think we’ve all had these issues. The point is you have to learn from them. If you don’t, we’re doomed to repeat the same things over and over again. And that’s the definition of what?
Insanity. We all know this.
And so what we have to do is we have to take these lessons, we have to learn from them, we have to grow, and we have to expand upon them. We treat our employees well. We educate them well. We provide benefits. And maybe we gamify the process to be able to help them want to do better in the future.
[David Spark] Good tip. Andy, you want to close this out? Go ahead.
[Andy Ellis] Yeah. So, I think one thing you want to do as you look at every incident is you do want to look at these symptoms, right? The hazards that seemed like they weren’t necessarily like the most important thing. And what you’ll often find is that there’s some hazard that hits you in every single incident, but never bubbles up to be the one thing you fix.
Once you start to see that, “Oh, everything had the same visibility problem or the same process reporting problem. Maybe if I fix that, that’s a sufficient control to stop a handful of these incidents in the future.” Rather than playing whack-a-mole with what I thought were the root causes.
[David Spark] Very good point.
Closing
32:16.706
[David Spark] And that brings us to the very, very end of this show. I want to thank our guest, Jeremiah Roe, who is the advisory CISO over at OffSec. I’m going to let you have the last word. But first, let me thank your company. That’s OffSec, elevating cyber workforce and professional development.
I do know that you do have a trial. It’s available at offsec.com/trial. And what were you going to say additionally about that, Jeremiah?
[Jeremiah Roe] Yeah, so this is a great trial for business to business. Come and check it out. There’s all the details on there. And if you need to reach out to anybody, please let us know.
[David Spark] See what it’s like. You can check it out. I want to thank you, Andy, as always. Now, anything else? I know you’re hiring over at OffSec, correct?
[Jeremiah Roe] We are. Come and check us out. We’ve got several roles that are currently in the process – software development, content creator. We’re always updating our roles as well online. So, please come to our website /careers and you can check it out from there.
[David Spark] And if anyone wants to get in contact with you, they may directly through LinkedIn. Is that good?
[Jeremiah Roe] That’s absolutely good. Thank you.
[David Spark] Excellent. So, we will have a link to Jeremiah’s page as well. Anything else you want to add quickly before we wrap this up, Jeremiah?
[Jeremiah Roe] Ultimately, it’s up to us as business leaders to help our employees grow, to help shape the situation that our own firms are in cybersecurity wise, and to elevate those processes along the way.
[David Spark] Thank you very much, Jeremiah. Thank you very much, Andy. And thank you to our audience. We greatly appreciate your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.
Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.