Once the Panic Subsides You’ll Appreciate This Phishing Test (LIVE in Houston, TX)


How should organizations use phishing tests? At best, they can provide context into employee behaviors. But at worst they can undermine trust in the security team, or even cause a public health scare. No one is arguing against building security awareness, but do phishing tests serve to do that?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Jerich Beason, CISO, WM. Joining us is Teresa Tonthat, VP, associate CIO, Texas Children’s Hospital. This episode was recorded live at HOU.SEC.CON.



Huge thanks to our sponsor, Vorlon

Vorlon helps organizations take back control of their data by providing continuous visibility of sensitive data shared via API across third-party applications. Know what data goes where, when, and how between third-party apps with external threat intelligence. Reduce the complexity of investigating and responding to third-party security incidents with Vorlon.

Full Transcript

Intro

0:00.000

[Voiceover] Biggest mistake I ever made in security. Go!

[Teresa Tonthat] Biggest mistake, I’ve made plenty, but the first that comes to mind has to be my first 30 days at the organization. I was asked to do a board presentation on the cybersecurity program. I went in, thought I had a great presentation, timeline and all, then I shared it back with all of my colleagues and they gave me big stares and said, “How are you going to get this done?” Lessons learned, you can’t do it by yourself, so make sure you engage all of your stakeholders to get your program forward.

[Voiceover] You’re listening to CISO Series Podcast, recorded in front of a live audience in Houston.

[Applause]

[David Spark] Welcome, everybody, to the CISO Series Podcast. We are live in Houston at HouSecCon. I am David Spark. I am the producer of the CISO Series. And sitting to my immediate left, it is none other than Jerich Beason, who’s the CISO over at WM. Let’s hear it for Jerich.

[Applause]

[David Spark] Our sponsor for today’s episode is Vorlon. Take control of your data. You lose 100% control of your company’s data when you integrate with third parties’ APIs. Take control of your data with Vorlon. More about them later in the show, but thrilled. We are here at HouSecCon. This is amazing.

This is the first time they’ve done the conference at this enormous conference hall in Houston. And you’re a local, Jerich. Let me ask you about the heat here in Houston. That’s not imported, that’s homegrown, right?

[Jerich Beason] We don’t have heat, we have a sauna.

[David Spark] You have a sauna here.

[Jerich Beason] Absolutely.

[David Spark] Yeah, it is unbelievably hot here. You’ve been to one of these conferences before. What makes this Houston security event unique and different than any other show you’ve been to?

[Jerich Beason] It’s built and made for the Houston cyber community. We have a number of industries specific to Houston, and this is the only conference that’s tailored specifically to the Houston cybersecurity fight and the challenges that we’re dealing with.

[David Spark] All right, awesome. Well, we’re going to get the show on the road, and I want to bring our guest in. You heard her at the very, very beginning. She is the VP and associate CIO, so actually the CISOs report to her at Texas Children’s Hospital. A big round of applause for Teresa Tonthat.

[Applause]

[Teresa Tonthat] Thank you, thank you for having me.

Is this really the right strategy?

2:31.228

[David Spark] “The key to effective leadership in cybersecurity is not just identifying what could go wrong, but also charting a clear course of action to address it. Now, if you’re constantly coming across as a Cassandra, asking for budget and not trying to align with broader security objectives, you are doomed to fail.” And this is what Michael Winkler of Matthews International said.

And Winkler hits on a theme that we hammer again and again on this show, and that is aligning security with the business. Now, specific areas to align are business goals, revenue protection, cost-benefit analysis, and competitive positioning. Jerich, I know you’ve dealt with this before, but I want you to say with any of these four, can you walk me through specific examples of how you align security with any of those four I just mentioned?

[Jerich Beason] Yeah, absolutely. So, there’s a phrase that we always use, security should enable the business. But the reality is, security isn’t creating profit, security isn’t driving revenue. But what security does do is enable the business to leverage technology to create revenue and drive profit.

More specifically, the security risks that come along with that technology, our role is to manage those risks and to help them do those things. So, let me give you a couple examples. We are working for organizations that put out products. Our role is to make sure that those products are secure, that the pipeline is secure, that the supply chain is secure.

Another example might be M&A or new markets. We make sure that you can do those in a compliant way, as well as address any unique threats that come along with that. And my new favorite is AI, of course. Every organization is interested in AI, but it’s security’s job to give them the comfort that they can leverage it.

And then they can use AI to be more efficient, to create more focus on some specific new marketing strategies, whatever it may be. And that’s how we align with the business because that’s what the business is trying to accomplish. We help protect revenue and we help drive competitive pricing. The one minor adjustment is in a B2B organization, you are directly in line with the sales, so you actually can increase velocity, increase trust, which once again, creates profit and revenue.

[David Spark] All right, Teresa, I throw this to you. By the way, all excellent examples. Same to you, what have you done to essentially show how security aligned with any of these four?

[Teresa Tonthat] Yeah, I think being in the industry of healthcare is definitely a positive for all cybersecurity and technology leaders. You can always relate back to the why of why you are buying a new technology or implementing a new process for the organization. So, within Texas Children’s, I ask the team all the time, why do you have to buy that new technology?

Why do we have to have that new capability? And if you can’t tie it back to the mission of enabling patient care, protecting sensitive data, enabling secure research, then you really probably shouldn’t be spending that money for the organization. The alignment of your cybersecurity program along with the mission and the vision of the institution is highly critical.

Because if not, you’re going to be viewed as a cost center versus an investment center to the board and to the executive team that highly looks to you as subject matter experts in the field to do the right thing and to be financial stewards of the organization.

[David Spark] So, you said something that my co-host, Steve Zalewski, says all the time. He’s the former CISO over at Levi Strauss, and he used to say, which literally sums up kind of what you were saying about tying to the business specifically, is he would say, how does this help me sell jeans? And so it requires that sort of connection to make.

Are there any sort of good examples, Jerich, maybe you can say, where they’ve said that, okay, here’s the connection it makes to “selling the jeans.”

[Jerich Beason] Yeah, I’ll use an example of single sign-on. We have an organization with a fleet of trucks, and drivers have to log into applications to do their job. Single sign-on helped them not have to look down and push a button and create a safety risk, as an example. So, introducing single sign-on not only helped security, but it also made for a safer experience for our drivers.

Is this benefiting the company or just making my life easier?

6:43.333

[David Spark] So, how often are you actually talking to your users about how security may be causing friction in their job? Now, Lev Lesokhin, who shared Outthink’s Cybersecurity Human Risk Management Report, which found – get ready for this – about 25% of their users intended to follow secure behaviors, but they admitted if they did it, they’d lose productivity.

So, what this sounds like to me is one in four have a problem with security. Maybe someone should talk to them. So, two questions, I’m going to throw this to you, Teresa, first. Give me an example of friction security created with users and how you address the blockage. And two, how do you create a feedback loop, so these issues are addressed in a timely manner, and they actually don’t sit there with users being frustrated, not saying anything, and maybe sidestepping security?

[Teresa Tonthat] Sure, I’ll give a very specific example that just occurred in the past 30 days. And my team is always looking to enhance the security capabilities, and one of those enhancements is around how we use our multi-factor authentication. Done a lot of great job on simulations, on MFA fatigue, making sure they don’t inadvertently let the compromised accounts and third parties in.

But we also use MFA for our e-prescribing for specific prescriptions for our physicians, right? And as you all know, physicians are busy taking care of our patients, and the last thing they want is an additional click or additional action that they have to do to prescribe opioid or much-needed medication to their patients.

One of the things, we recognized it was a blockage and there was friction, but it was so important that we build the coalition with our chief medical information officers. We have four of them across the organization, physicians who speak the language of our providers and also understand technology and the importance of cybersecurity.

So, we went on rounding excursions within all the hospitals and our community hospitals to have them spread the word of why MFA was important for them in their workflow to make sure they secure, not just themselves, the information, but their ability to prescribe very critical medication to our patients.

So, I really think to sum it up is building your extended team to drive the message, and it doesn’t have to be in your words. It can be in the words of the personas of the individuals that you may be impacting because your mission is to continue to increase security so that we can deliver on our mission, like I mentioned earlier.

So, extend your communication and your relationship outbound of just your cybersecurity team.

[David Spark] Excellent answer. All right, I’m throwing this one to you, Jerich. Give me an example of when you had a moment of friction and how you addressed it. And more importantly, how do you make sure people aren’t afraid to talk to security when something is driving them nuts?

[Jerich Beason] Yeah, that’s a great point. So, all security controls introduce some level of friction.

[David Spark] Can’t avoid it.

[Jerich Beason] That’s just the nature of it. But what’s really important is if you understand your business, you can limit their friction and reduce the amount of roadblocks that you set in front of people just trying to do their jobs. And Teresa made a good point about leveraging her chief medical information officers.

These are people in the business. I always suggest that you do site visits, or you do ride-alongs, or you actually shadow the people doing the job. And I’ll give you an example of a story where I was at an operating plant and on the plant floor, they run a job, and that job takes about four hours. Well, I noticed that he kept coming back every 45 minutes and even set a timer to just move the mouse around.

And I didn’t understand why. And he explained, “Well, the application times out every hour, so we have to just move the mouse.” Us changing that session timeout to six hours didn’t introduce any risk. It wasn’t externally facing, didn’t have sensitive data on it, but it made a world of difference in their productivity, and it created a champion that we’re still benefiting from today.

[David Spark] That, I can’t stress the importance of that ride-along concept. Jesse Whaley, CISO of Amtrak, we’ve had on before. He told a similar story where something like the engineers had to put their phone here, but they had to go do something over here, but then had to refer to their phone, which was locked up.

And if they weren’t out on the site, they do it. And often they just do it and it’s like, “Oh, but we’re just kind of told to do that and we do it.” And you realize this is a useless point of friction we shouldn’t have created. Have you done sort of “ride-alongs” like that?

[Teresa Tonthat] Yeah. I mean, to Jerich’s example, I thought that was a perfect one. Security professionals and leaders cannot just be black and white. Yes, there’s policies, there’s technical standards, but you really have to understand the workflow of how that control will help increase security, but then also have a balance of not impacting productivity.

So, think about in the ORs for surgery, all of our computers have a 15-minute idle time. Imagine if they’re operating on a patient and they need to look at an X-ray and it times out in 15 minutes. How are they going to move the mouse on that computer? So, that’s a good example of why we have to round, get out of our offices, get out of virtual working, come into the organization to really feel the heartbeat of how your solutions are impacting or supporting our workforce members.

[Jerich Beason] And David, if you do that, you create trust and a symbiotic relationship, and that feedback loop gets a lot easier to establish because they know that you’re actually thinking about their best interests and not just a preset of security controls that you’ve put in place that you just try to apply blanket across the organization.

It’s time to play “What’s Worse?!”

12:25.784

[David Spark] All right, for those of you who are not familiar with “What’s Worse?!” This is a risk management exercise, and I will provide, from actually a listener, a scenario or two scenarios. Both stink, I can’t stress this enough. No one’s going to like any of these. But you have to decide from a risk management perspective, which one of these two is worse.

So, this comes from Nir Rothenberg, who’s submitted many “What’s Worse?!” scenarios. And I will say to all of you, I’m always looking for good “What’s Worse?!” scenarios. So, send them in to me. You can send it directly to me, David@CISOseries.com. I love them, and here’s a good one for you. All righty, Jerich, you will answer first.

Your team has already been replaced by AI. What’s worse? Scenario number one. All the code your engineers write is done with Copilot only. In this scenario, all security engineering is done as code. Fixing vulnerabilities, giving permissions, changing configuration, etc., it’s all code in all your IT environments, including the endpoints.

And all the code is generated by Copilot and cannot be edited. Pretty bad. Agree?

[Jerich Beason] That sucks.

[David Spark] All right, that stinks.

[Laughter]

[David Spark] All right. This second one’s also equally bad, also has to do with AI. All the email, policies, questionnaires, board presentations, and any other internal or external text outputs your team writes is written by ChatGPT, the generic version, and again, no editing. Which one’s worse?

[Jerich Beason] It’s actually really easy. The first scenario is worse. You need a human in the loop at some point in time and to completely outsource everything to code, and you didn’t say we’re all in the cloud. So, this is all code and potentially in a data center. I cannot imagine how horrible that is, but ChatGPT writes better policies than I do.

And quite frankly, this whole audience, if I asked them to raise their hand who actually follows their policies, even though they’re in security, it’d be low. It’d be a low amount of people. So, documents that nobody’s going to read being written by someone else, it’s not that bad.

[David Spark] All right, okay. Teresa, agree or disagree?

[Teresa Tonthat] I was really hoping to disagree, but I 100% agree with Jerich. It is quite scary if our IT and our cybersecurity functions are completely done by AI without any type of human intervention to review the outcomes, to make sure it’s accurate. And I think in the second example, I mean, who reads emails anyway?

So, it really doesn’t matter.

[David Spark] All right, so you’re in complete agreement on these. All right, I’m going to throw this to the audience. Here’s what I’m going to do, I’m going to ask to all of you. By applause, how many people agree with them that the first scenario, all the code your engineers write is done with Copilot only, and that is far worse?

By applause, how many people think that’s worse?

[Applause]

[David Spark] All right, now by applause, how many people think all your emails, policies, questionnaires, board presentations are written in code…or not written in code, written by ChatGPT, and that is far worse? By applause.

[Clapping]

[David Spark] We have a few people. All right, they’re standing strong. All right, a few people disagree with you.

What is Dave’s mom talking about?

15:52.076

[David Spark] This is our new game that we started playing, and my mother is not a security professional at all, but she supports her son and his efforts to create stupid, silly games, and so this is, I interviewed my mother on a series of topics in cybersecurity. None of them she got correct, but she looked at these words for the first time and did her best-guess effort to try to explain what the heck this thing is.

So, I’m going to play a clip of my mother trying to explain something. Again, here’s your big hint, she’s not right in what she’s explaining, but you have to think, “If I heard these words for the first time, and I was not a cybersecurity expert, how would I best try to explain this?” All right? So, here we go, here’s the first one.

Either one of you can jump in and tell me if you can figure this one out.

[Dave’s Mom] It’s coming from some outside source that you were used to, or you thought was safe, and it comes from multiple different directions that you can’t seem to catch onto each one. You try to avoid, but there are too many of them that go after you.

[David Spark] What is my mother talking about? Again, you know what this is, she doesn’t.

[Jerich Beason] I know this is wrong because it’s too obvious, but I’m going to go with third-party security.

[David Spark] Third-party security, no, that is incorrect. What do you think this is? I will give you a hint that talking about things coming from many, many of them, and I’ll also say it’s not DDoS.

[Teresa Tonthat] Oh, because I was going to say that.

[David Spark] Yeah, I know, that’s the obvious one. That would make sense.

[Teresa Tonthat] Whack-a-mole?

[David Spark] Whack-a-mole, no. All right, now I throw this to the audience.

[Audience Member] Antivirus.

[Audience Member] Email.

[David Spark] Antivirus, email, hold on, wait.

[Audience Member] Phishing.

[David Spark] Phishing.

[Audience Member] [Inaudible 00:17:44].

[David Spark] No, no, anyone else want to try this?

[Audience Member] [Inaudible 00:17:49]

[David Spark] No. Spear phishing, no, no. It’s an IoT attack, all right? IoT attack.

[Teresa Tonthat] IoT.

[David Spark] All right, we’re going to go to the next one. Hold on.

[Jerich Beason] Your mom does not know cybersecurity.

[David Spark] No, my mother doesn’t know cybersecurity. I was trying to explain that to you. [Laughter] That’s the point of this game. Yeah, she doesn’t though. All right, try this one.

[Dave’s Mom] Another group at the organization creates stumbling blocks for the other.

[David Spark] Another group from the organization creates stumbling blocks for the other one.

[Jerich Beason] You want to go first, Teresa, while I ponder this one over?

[Teresa Tonthat] I’m thinking. Network segmentation?

[David Spark] No.

[Teresa Tonthat] Step-up authentication.

[David Spark] No, no, no. So, all right, I throw this to the audience. Anyone want to make a guess at this?

[Dave’s Mom] Insider risk.

[David Spark] Insider risk…

[Dave’s Mom] Blue teaming.

[David Spark] Blue teaming is correct! Who got that? Very good. Michael Farnham got that one right. Good job, that is correct, Mike. All right, here we go. This one I feel you can get. Again, I feel you can get this one. Here we go.

[Dave’s Mom] Sewing on your dungarees with holes.

[David Spark] Come on, you got to get this one.

[Jerich Beason] Can you…

[Crosstalk 00:19:04]

[David Spark] Sewing on your dungarees with holes.

[Jerich Beason] Oh, patching.

[David Spark] Right, correct, patch management. All right, good job, good job. All right, last one, here we go.

[Dave’s Mom] Somebody of some importance, or several people of some importance override a legitimate pronouncement of some kind. And they’re really not, or their names sound like somebody important, and they pretend to be somebody important to impress you.

[Teresa Tonthat] Impersonation?

[David Spark] No.

[Jerich Beason] Spoofing?

[David Spark] No, but the “somebody important” is kind of key to that.

[Jerich Beason] Somebody important.

[David Spark] All right, I’m going to throw this to the audience. Audience, what do you think?

[Audience Member] CEO impersonation.

[David Spark] No, not impersonating. What?

[Audience Member] [Inaudible 00:19:49].

[David Spark] No, not, you’re thinking too literally here on this.

[Audience Member] [Inaudible 00:19:54].

[David Spark] No, it’s credential stuffing. You see, you follow that? Oh, people.

[Jerich Beason] We were destined to fail, everybody.

[David Spark] Oh, God, I was having so much high hopes for all of you. What happened?

[Teresa Tonthat] [Laughter]

Sponsor – Vorlon Security

20:08.552

[David Spark] Our awesome sponsor, Vorlon Security. Let me tell you about them. So, you ever wonder why data is called the new gold? It’s valuable, it’s hard to find, and even harder to protect. Now, unlike gold, data doesn’t just sit in a vault, it moves, sometimes on purpose, sometimes by accident, and sometimes it’s plundered by digital pirates, causing serious harm to you, your organization, and your customers.

The worst part, not knowing who took it or what they took. Now, third-party APIs make this even trickier. You need to track your data’s journey and manage the secrets that keep it moving. Now, this is where Vorlon comes in. Vorlon provides continuous visibility into enterprise third-party API landscapes, allowing enterprises to know where data is being transmitted and accessed, and to take action, all without needing an agent.

Vorlon, the gold standard for third-party API security. Now, for more, just go to their website. It’s vorlonsecurity.com.

Is this a cybersecurity disinformation campaign?

21:28.354

[David Spark] “People are the hardest thing to secure, and most cybersecurity training sucks because people are lazy.” Now, that was the most upvoted comment in the cybersecurity subreddit, asking about misunderstood cybersecurity concepts that security professionals struggle to explain. Now, other tough ones that most non-security people do not understand are security is a cost prevention center.

There is a difference between the CVE, the common vulnerabilities and exposures, the CVE severity, and actual risk to your organization. Stakeholders need to understand the risk and accept it if that’s what they want to do, and least privilege is for everyone. We do not make exceptions for managers, directors, and executives.

So, I will start with you, Jerich. Do you have any favorites from this post, and what are some security concepts you actually struggle to explain?

[Jerich Beason] Yeah. So, first of all, it’s risky and ill-advised to consider your users lazy. The reality is, they’re just trying to get their job done as easily as possible, and we do the same thing. I’ll give you a simple example. I took the HOV lane today when I shouldn’t because I needed to get here in time, right?

I broke the rules because I needed to. If there were five more lanes, then I wouldn’t have had to do that. And I think that’s the same thing. We need to make the secure way the easy way. What I find hard to explain is cybersecurity hygiene. It sounds so simple and so easy, but that’s why it’s so hard to explain because we all struggle with cybersecurity hygiene.

Things like asset management and patching have been around for eons, and so our executives and our leaders are constantly asking, “Why is this so hard? It’s just a patch. It’s just keeping track of your assets.” But the reality is, that’s one of the hardest things to do, but one of the most important things to do.

So, I’ve struggled with that one.

[David Spark] All right, that’s a good one. All right, which of these do you struggle with, and do you have a favorite here too, Teresa?

[Teresa Tonthat] Sure. I did want to first address the cybersecurity training sucks.

[David Spark] All right. [Laughter]

[Teresa Tonthat] And I think the reason why people may feel it sucks is because the content doesn’t resonate with them. They don’t understand why you’re teaching them MFA is important, or why single sign-on is important, or why phishing is important until they witness it themselves. So, one of the things to address there is to work on simulations, and then do a quick training afterwards so that it’s top of mind, and then they remember, and that’s how you make it stick.

Think if you talk about the security concept that you struggled to explain. I mean, I agree with Jerich. I was thinking about asset management, but it’s all things cybersecurity hygiene. It’s very easy for you to pitch why dark web monitoring is important, or why network segmentation is important, or why certain incident response capabilities are important, but it’s hard to say, “I have to take your system down every Sunday to apply a patch.” They don’t understand the why.

But one way to flip that is whenever there’s a scenario, when there is a zero day, or another organization, unfortunately, falls victim to an unpatched system, you use those nuggets of opportunities to then tell the story of why we have to do what we need to do.

[David Spark] Let me ask you, because we were talking about ride-alongs, and have you made other departments do ride-alongs with you in a sense? Like do you know what we see? Like what’s the behavior? I think, and I know some people have said, “Let me show you how a hacker actually hacks it, let me do it and show you.” Have you done that for anyone?

[Jerich Beason] Yeah. So, for the high-profile attacks, we give them the anatomy of the attack, and then insert our current posture, our current controls in there, and say, “Hey, this exact thing could have happened to us. This is why we’ve been pushing for these types of things.” You should never waste someone else’s breach, and that’s one of the ways that we kind of go about doing that.

[Teresa Tonthat] We do the same thing as well. We have a standing weekly newsletter that we incorporate storytelling and videos of examples of situations that our teams responded to. We also have a lot of forums. The hospital is very collaborative. There’s lots of forums with physicians, nurses, and business leaders, so we use every opportunity we can to show them what truly happened in our environment and how we stopped it or what they can do to help.

[David Spark] Have you had a situation though where, and we’ve talked about this before, where there’s an employee that just doesn’t get it, and they still sort of behave a little too recklessly, and you have to create some kind of padded environment for them? Have you ever had a situation like that in any job?

[Jerich Beason] So, when an employee doesn’t get it, it’s usually it’s a part of our communication to them, so I like to use analogies. So, I talk about enabling the business, and I use the Secret Service all the time. The Secret Service enables the president and vice president to be mobile, right? Wherever they want to go, they make sure they can do so in a secure way, and there may be a risk.

You’re talking about CVEs and threats and exposures. Maybe there’s a risk of a pack of dogs is running loose. That’s not going to prevent the president from going, though there’s still a vulnerability there. I look at that as like a CVE. Now, if there’s a rooftop 200 feet away with nobody on it and no one around it, all right, now that’s a risk we need to address.

But there’s a good chance that the president still says, “I still want to do that,” and we don’t think that they should. That’s when we have the risk acceptance. “All right, sure, you can go and do that thing, but here’s the risk of it occurring, and here’s what we’re going to do to mitigate it as much as possible,” but the reality is, the chances are much higher of that thing happening, right?

So, when you use analogies and you explain it like that, it makes it a lot easier for them to understand what they’re trying to do.

[David Spark] And do you have, by the way, do either of you struggle with getting risk acceptance, like exactly what you described, okay, and they’re like… And you get to the point where they say, “Yes, I understand what you’re explaining, I’m accepting this risk.” Does it come down to that very logical moment or no?

[Teresa Tonthat] No, I mean, I think that’s the responsibility of management across an enterprise, right? The security leader’s responsibility is to highlight the risk, the possible mitigations, and then the residual risk, and let the organization decide if they want to accept that risk or not. I would say in the healthcare space, the risk tolerance is extremely low.

So, the percentages of risk being accepted when we bring it up to that level is relatively low, I feel, based on experience, and they’re always looking at other ways to accomplish the problem statements without assuming additional risk for the hospital.

[Jerich Beason] Yeah, I would say it’s easy to get someone to say, “Yeah, I accept this risk.” Now, it gets a little harder when you say, “And I’m going to take all the risks that are accepted to the board. Are you okay with them knowing that you accepted this risk?” That’s when you start to see people say, “Oh, well, how much was it?

What is it going to cost for us to do that thing?” Right? So, when you start creating that accountability, and then you also say, “Let’s get this in writing because the SEC seems to look through our emails when bad things occur,” right? And for them to be able to see that they accepted that risk in email, you’ve changed the game, and it’s much easier for you to have those conversations.

[Teresa Tonthat] And the key is not one individual can ever accept the risk for the entire organization. It’s a committee.

What’s the starting point for a CISO?

28:38.173

[David Spark] How do you know when your phishing test has gone wrong? Maybe when you have to publish a blog post that says, “Please be assured that there are no cases of Ebola in the campus community.” So, this actually happened recently at UC Santa Cruz, which prompted users to click on a phishing web form for “contact tracing” the faked infection.

Now, we’ve talked about phishing tests doing more harm than good, but the university pointed out that there’s nothing stopping a threat actor from using a phishing lure like this one from the hot zone to trick users. I’ll start with you, Teresa. Is there any silver lining to this type of phishing test, or is a security awareness training that panics your organization always a bad idea?

[Teresa Tonthat] I don’t believe it’s a bad idea at all.

[David Spark] Okay.

[Teresa Tonthat] I feel that threat actors are monitoring the organizations that they want to attack. So, when there is a vulnerable moment within the organization, they do not wait until the organization calms down and then do the phishing campaign. They take that opportunity and go straight in and do a campaign.

We do it, actually our teams take advantage of a lot of the changes that happen in the organization and purposely target phishing campaigns around the situation that just happened. Yes, when I know it goes wrong, I wouldn’t say go wrong, but when I know people are not happy, is when I get a call from the hotline and someone is upset that they were being tricked, and then we have an intentional conversation with them to let them know why we did it and how they can help be an extension of our team going forward.

So, we flip the dilemma a bit and say, “This is how you can help us going forward to be a cybersecurity advocate.”

[David Spark] So, I want you to know, Teresa, many of our – before you jump in, Jerich – many of our guests actually disagree with you, but I’m thrilled that you answered this way because of all our guests, I don’t think any of them came from a healthcare organization where you deal with this very specific problem of possible panic issues all the time.

All right, Jerich, jump in. How do you feel about this?

[Jerich Beason] Yeah, so when I look at phishing tests, I believe that it’s really about three things. One, creating that muscle memory, introducing them to the types of threats that they’re going to see, and also reducing the noise that my SOC has to deal with. So, I’m in the camp that doesn’t believe that security awareness training and phishing tests are about getting people down to zero clicks.

It’s more about establishing instincts in them that they can use when a real attack occurs. But if you look at every cyber attack that’s ever occurred, no one ever says 10 people clicked on a phish, it’s always 1 person. And if you do 200 people get phished, one person is always going to click.

So, if your strategy is around making sure that nobody clicks, it’s broken. But what you don’t want to do is introduce panic, right? And so it’s important that you notify the help desk, you notify the leaders, all the places that they’re going to call when they see this email that says Ebola is spreading, make sure that all of those people are aware so that they can quench it as fast as possible when it does create any type of emotional response.

But Teresa’s point, the adversaries, there’s no Geneva Convention for cybersecurity. They’re going to do whatever they have to do to get you to do the bad thing, and so it’s on us to prepare our users for that.

[David Spark] All right, so the argument that we get, Teresa, from the CISOs who disagree with you, is it creates a bad relationship because you “trick” the users. Like you said, you get the call. How do you move it from, our goal was not to make you look like a fool, our goal was not to trick you, but our goal was to improve our sort of response and behavior.

How do you sort of quell that response? And I’m assuming you’ve had things like that.

[Teresa Tonthat] Yeah, sure, and I think the intention of the simulation is each time someone falls victim to a simulation, it’s not just, “We got you,” right? And now your boss is going to know. It’s saying, “Here are some…” It’s a teachable moment right away for them to identify the red flags, if you will, within that email communication that they, for some reason, were at a vulnerable moment and had to click.

And I’m not saying there’s lots of calls to the desk complaining. There’s usually that one or two that feels that they were being tricked. But we then reach out to them and have one-on-one training with them so they feel that they can be part of the cybersecurity hygiene that we need for the larger organization.

But I mean, we do simulations frequently, right? And you’re right, we’ll never get to zero because it only takes that one click, but the more we can educate through simulation, that is something that we do at the organization.

[Jerich Beason] If a phishing test creates a bad relationship, you never had a good one, right? I prank my wife all the time. She still loves me, I think, right? And so it’s not necessarily about creating a bad relationship. If you have trust and if you’ve created that symbiotic relationship like we talked about earlier in the episode, a phishing test is viewed as something that’s helping them in their personal lives as well as their work lives and not something that tricks them.

Now, it’s important we don’t publicly shame them, we don’t put their name on a list, or any of those types of things because that will degrade trust over time. But ultimately, if we’re enabling the business, that means they know that we’re trying to help them all steps of the way.

It’s time for the audience question speed round.

33:48.522

[David Spark] I have here in my hand a series of questions that we got from our audience. With the time that we have left, we’re going to burn through as many of these possible questions we can. And looking for quick answers to this. So, this first one comes from Josh Dray, CISO over at San Jacinto College, and Josh asks, what’s your best budget cut tip?

I like that one. One tip, give it to me.

[Teresa Tonthat] First thing that comes to mind if I need to cut budget is negotiate with your key partners and see if they can sharpen their pencils on some of the managed services or renewals.

[David Spark] Oh, so okay, that’s a good one. What about you?

[Jerich Beason] Yeah, this is a cliché, but consolidation. Sometimes we go for best of breed, sometimes we go for the platform approach. The platform approach may give you a good enough but not the best, but you’d much rather consolidate than lose a whole capability altogether.

[David Spark] Good tip, all right. This one comes from Ehsan Arami of Zscaler, who asks the classic question, we see this all the time – I just want to know when someone asks you, “What’s your advice for breaking into security?” What do you say? Because I know all paths are different. I’m sure everyone in this room, their path was different.

What do you say to the person desperately trying to break in?

[Jerich Beason] A lot of people are trying to break in right now, and as a result, there’s a bottleneck. Find the path that doesn’t have the bottleneck. Find the new technology, find the new thing that people are trying to move forward, and going through the back door. If everybody’s going through the front door, find a window, find a chimney.

You don’t have to follow the same path everyone else has followed. So, the reality is, don’t listen to anything I’m saying. Find your own path and don’t try to follow other people’s path.

[David Spark] Hack the process. We’ve heard that before. Teresa, what’s your advice?

[Teresa Tonthat] I guess I would just add to be proactive and try to upskill yourself and develop your competencies. And then it’s really, at the end of the day, to Jerich’s point, it’s who you know. Build those relationships and go try to get in through referrals and relationship-based interviews.

[David Spark] All right. Good tip. All right. This one’s come from Taylor Harrington of IC Consult. What’s the issue in identity that you don’t think enough people are aware of? Just one issue in identity. Because identity, I’m sure there’s a bazillion vendors talking about identity on the show floor.

What’s one aspect of identity more people need to be paying attention to?

[Jerich Beason] Hackers don’t hack in, they log in.

[David Spark] Yeah.

[Jerich Beason] At the end of the day, they’re after an identity, whether it be a privileged identity, a human identity, a non-human identity, that’s what they’re after. And so it’s on us to disrupt that process as much as possible and just make it harder and have enough signal to detect when they’re trying to disrupt that process.

[David Spark] Great tip.

[Teresa Tonthat] Make sure you continue to revisit the process your help desk, your service desk, and your teams use to validate the identity of hybrid workers when they call in. How do you know they are who they are, to make sure we have the right people, process, technologies in place to validate their identity when they call?

[David Spark] Ooh, good tip. All right. So, we talk a lot about the relationship between CISOs and vendors, and Cheryl Rogers over at CyberArk asked this question. What vendor sales marketing or marketing technique have you seen recently that’s actually impressed you? Pick one. I know that there’s probably just hundreds right now you’re trying to think of.

[Teresa Tonthat] I will say what not to do. Don’t cold call and email.

[David Spark] Oh, I know. I know you’ll give a lot of lists of what not to do. I want to know the one positive thing, the one thing you’ve seen that’s good.

[Teresa Tonthat] I think a vendor that was trying to break through that got my attention was he intentionally brought together other colleagues within my industry and cross-industry and made kind of connections, and it wasn’t a sales meeting or a conversation. And then that’s how he started building relationships with me and others, and then I built that trust with that individual.

And then maybe a month or two later, he never even pitched it to me, I started asking, “So what’s in your portfolio? What are things you’re helping other organizations with?”

[David Spark] That’s the best.

[Teresa Tonthat] And it kind of naturally progressed to that level.

[David Spark] I must say, I always say this, the people who are the connectors in your environment, you have very warm feelings toward those people. And if they’re the ones responsible, that like you do want to sort of build relations with them. All right, best technique you’ve seen recently. Jerich.

[Jerich Beason] For me, it’s a vendor that approaches my team instead of me. I won’t make decisions if they’re not on board with it. And so the vendor that recognizes that the CISO, if they are an empowering type of CISO, is not going to solely make a decision. It shows me one, that they’ve listened to things I’ve said publicly and not publicly.

And two, they are valuing the people that are actually going to be harnessing and leveraging these tools.

[David Spark] All right, from Linda Bough White at 319 Insight, we’re talking about third-party risk management here. Pick one because, by the way, everyone’s struggling with this topic. But Linda asks, pick one measurable improvement we could all make right now to third-party risk management. What could we do?

[Teresa Tonthat] Not necessarily related to cybersecurity, but I think it’s very critical when organizations move forward with a third-party solution or a capability, we have to push them to think about business continuity planning. We know third parties are being targeted for attack that impacts your organization, and it can be very impactful to the operations and process of the group.

So, business continuity planning is an area of much focus needed.

[Jerich Beason] Stop selecting vendors based off of the likelihood that they’re going to have a breach based off of the maturity of their program, and more so think about what are we going to do when they have a breach? Because it’s not just if but when for us, it’s if but when for them. So, how do we build resilience to the fact that they’re going to have a bad day one day?

I think that should be part of our onboarding process more than are they going to have one because the reality is, they will.

[David Spark] Very good point. All right, last one from Manooch Hosseini of Silverfort. What percentage of your budget is allocated to people and what should it actually be?

[Jerich Beason] Shout out to Manooch. I know Manooch very well, actually. What percentage of my budget is allocated, that’s a little bit of a tough one because we have managed services and contractors as well, but I would say probably about 30% of my budget is allocated to human and labor.

[David Spark] All right, what do you think?

[Teresa Tonthat] I think my CISO’s in the audience somewhere, hopefully. We have managed services and people as well, and I would say in the upwards of 40 to 50%.

[David Spark] Forty to 50%, that is a lot.

Closing

40:23.920

[David Spark] Well, that brings us to the end of our show. Thank you.

[Applause]

[David Spark] I want to thank my guest, Teresa Tonthat, right here from Texas Children’s Hospital. Let’s hear it for her.

[Teresa Tonthat] Thanks for having me.

[Applause]

[David Spark] My guest co-host, Jerich Beason. You’ve probably heard him on the show before. Let’s hear it for Jerich.

[Applause]

[David Spark] And I want to thank you, the audience, and I want to thank also Sam and Michael for essentially developing this phenomenal show, HouSecCon, for, is it 14 years? How long is this? Oh, there. You were there. How’d you get over there? It is like a magic trick. How’d you move? So, phenomenal job, great.

We’re so thrilled that we were invited to this event. I want to thank you so much, and I also want to thank our spectacular sponsor, and that’d be Vorlon Security. Please, go check out vorlonsecurity.com for third-party API security. They can help you with that. Remember vorlonsecurity.com. All right, question for both of you right now.

Are either of you hiring?

[Teresa Tonthat] We are hiring in IT.

[David Spark] In IT, and are you hiring?

[Jerich Beason] Yep, I’m looking for a GRC analyst that’s trying to break into the industry.

[David Spark] All right, and is there any last thoughts you have for today’s audience? Teresa?

[Teresa Tonthat] The threat landscape continues to get worse, I feel. It’s an exciting role, so have fun while you’re doing it. Protecting.

[David Spark] All right, and Jerich?

[Jerich Beason] Enable your business. Get to know them, understand them, and help them make money, and you will win.

[David Spark] All right, and I want to thank our audience, thank HouSecCon. Thank you very much. We greatly appreciate your contributions and listening to the CISO Series Podcast.

[Applause]

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.