Defense in Depth: The “Are We Secure?” Question

When a senior person at your company asks you, “Are we secure?” how should you respond?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Paul Truitt, principal US cyber practice leader, Mazars.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our podcast sponsor, Varonis

Still in the news is REvil’s ransomware attack on Kaseya VSA servers. Varonis is here to help mitigate the blast radius of such attacks. Want a step-by-step guide on what you should be looking for? Learn more about how to prevent ransomware.

Full Transcript

David Spark

When a senior person at your company asks you “Are we secure?” How should you respond?

Voiceover

You are listening to Defense in Depth!

David Spark

Welcome to Defense in Depth. My name is David Spark, I am the Producer of the CISO series. Joining me for this very episode is Steve Zalewski. Steve, make your presence known.

Steve Zalewski

Hello audience.

David Spark

That is Steve. You’re going to hear his voice a lot more on the show. But first, let me mention that our sponsor for today’s episode of Defense in Depth is Varonis who has been a spectacular sponsor of the CISO series. More about Varonis later in the show but first our topic at hand and this comes from a post that Daniel Hooper, CISO of Varo Bank put out on LinkedIn. And he asked the question, which is the same one I asked in the tease of this episode is, “When someone, usually a very senior non technical person, asks are we secure or are we good? How do you respond?” So Steve, my question, are you still hearing this question because, by the way this is the not first time we’ve brought this up, and more importantly has the way you respond changed over the years?

Steve Zalewski

So yes, the question is still out there. It’s being asked all the time even more I would argue now at the board level. I think it’s a great question to ask because what it tells me is some security vendor has been talking to you and they’re trying to sell you a product so I get to have a really good conversation with you about what that really means.

David Spark

That’s actually a good answer because I usually get the opposite “Oh a security vendor is harassed and you’re making my life more difficult.” But you are seeing the glass as half full, I like that. Let me ask you because you know I’m sure all through your time in cyber security you’ve heard this question, has the way you’ve responded changed over the years?

Steve Zalewski

Yes it absolutely has and I’ll give you the view now which is what that question is really saying is how can I enable the business, how must I protect the business or should I secure the business? So that open question that they’re asking gives you an opportunity to realize what type of CISO are you and who are you talking about C Suite or board level to position the conversation and the metrics appropriately?

David Spark

Well to help us in this very discussion is a brand new guest to the CISO series, glad to have him on. It is Paul Truitt, Principal US Cyber Practice Leader at Mazars. Thank you so much for joining us.

Paul Truitt

Thank you for having me, David, and it’s great to be here.

How do we handle this?

00:02:52:13

David Spark

Ben Harvey at TK Elevator suggested this candid response to the are we secure question? “We’re doing the best we can with the budget and resources on hand. Is there room for improvement? Always. But are we trending in the right direction? Absolutely.” Now what worries you the most, again the person asking the question, about the security of your portion of the business? And Scott Steiner of EVO Payments challenged Ben’s candid response saying “Telling a CXO you’re doing the best you can with the resources provided is expected but doesn’t provide any kind of qualitative or even quantitative answer. You open up with another question of, is your best good enough? And many Executives will key right in on that.” So, what do you think of this exchange right here between Ben and Scott? Steve.

Steve Zalewski

So both are right answers for the wrong reasons. The way I transition is if I am talking to a board member and he asks me “Are we secure?” and I say “We’re doing the best we can.” That is not going to get me a return visit. What they’re really saying is “How can you enable the business, Steve, by managing the cyber security risks?” And you need to be able to say that is how I’m going to answer that question for you because that’s relevant to the way that you think at the board level to how you manage risk.

David Spark

Let me challenge your answer your answer right there. Do you really think they’re thinking that line you said “How are you managing the board’s expectations given our understanding of risk?” You do?

Steve Zalewski

Yes because it gets back to you as a CISO, you really have to have three completely different perspectives. You have to think about are you a profit center, right? Is your job to manage the risks to the lines of business to be able to sell more jeans or are you a lost prevention center? So are you talking to the CIO or the CFO and saying “How must I protect the business?” which means how much do I invest dollar wise? Or if you’re talking to the GRC folks, because you’ve got audit and compliance, it’s how should I secure the business to be able to demonstrate the right evidence of compliance so that we pass the audits and we’re not going to be sued? So that’s why I say it really makes a difference.

David Spark

Also by who’s asking the question, Paul, what’s your take on this exchange between Ben and Scott?

Paul Truitt

Yes I mean it’s interesting because I think Ben’s perspective, while maybe that’s the gut reaction, I think it’s kind of a cop out to answer the question with, you know, we’re doing the best we can with the resources we have. It spins it into a negative fashion where you’re sort of saying I don’t have enough resources and if I did have more I could probably protect you better.

David Spark

And I think what you’re also teasing right there is if we do have a problem you’re the one to blame.

Paul Truitt

Oh sure. I mean it’s spinning it back around as best as you can and you know, the reality is this is an opportunity. One, it’s maybe a missed opportunity that you should recognize that you may not have educated the business well enough on what you’re doing to protect the organization and why if you are building a proper program. But two, the security it not a zero or a one. You’re either secure or insecure. And I think using that an opportunity to help the organization understand what is the framework that you’re following? Why is it you believe that you have a secure program? And how are you growing that over time? You don’t need the maybe 100 resources, you need a good set of metrics, you need a good security score that you’re sharing with leadership. They’re looking for something that’s tangible that they can understand, that says we not only feel that we have a good program in place but it’s growing over time and it’s gaining additional value. So Ben’s partial answer there is that it’s always improving or you’re headed in the right direction is probably more the right answer but I think he started it off wrong.

Why are they behaving this way?

00:07:13:24

David Spark

Julie Viney, of Terra Firma Business Consulting said “I would try to find out what prompted the question by maybe asking is there a particular area of concern for you?” Greg Van Der Gaast, CISO of Scoutbee said “If an executive is asking those questions, unless it’s in the very beginning of your tenure, it looks like lack of engagement to you. They should have a feel of what’s going on through a constant dialog with you.” And Greg brings up an interesting point that we’ve talked about on the other podcasts and that is if your CEO Board is asking how secure are we, you’re not communicating well to them in the first place because they should be asking questions like “What’s the state of our program? Where are we now?” Paul, what do you think to that?

Paul Truitt

Yes I agree completely. I think when you get a question like that it’s either one of two things. The first is you’re not communicating well is a possibility. You haven’t built a program that has likelihood timed the impact with the actual math calculation that shows what your risk really is and how much investment they should be making. So if they have that as a concern you’ve got a lot of work to do I think you’ve got to really build that metric program like I talked about earlier. The other possibility is it’s much simpler than that. Maybe they have great communication from you. Maybe they understand where their threats are. Maybe they trust that you’re actually doing a good job. But, there is something in the news that’s got them spooked. I think we see a lot of things recently around ransomware, we’re seeing it constantly in the news, we’re seeing significant impacts at organizations that affect people personally and you know, you bring that into the business. If you’re doing a good job communicating you need to take that and flip the question around and try to understand what’s driving the concern and how do I alleviate that concern through sharing what we’re doing against particular current threats?

David Spark

That is a good point, hone in on the very specific thing. Steve, you said you’re hearing the question more and I think it’s what Paul is saying, it’s because something in the news spooked them. Separate from this, one of the things I’m noticing that’s changed greatly about cyber media is it used to be that these big stories would break in the trades first and then bubble up to the mainstream, now it’s flipped. It breaks in the mainstream news and then the trades try to make sense of it. The trades are no longer breaking these big hacks anymore and so essentially the CEO and the boards are seeing these first, maybe even before we do.

Steve Zalewski

And they’re doing an injustice to all of us, I’m going to argue, because what they’re doing is they’re selling fear as a sound bite.

David Spark

Well I’m just talking about the general news. They have to report on the news. This is news so, you know, granted you may not like it but it is news.

Steve Zalewski

Yes it is news right and I’m getting back to the are you secure? And so the reality is we are getting asked the question more and more by more and more people in the company at all different levels. Because the news media has done a really good job of bringing the fear front and center regardless of the reason. And so that’s why I say “Are you secure?” is a great question because it’s really opening the door for me to take control of the conversation and start to have the right dialog but be aware of who you’re talking to and what the right dialog is.

David Spark

Then let’s get quick 30 second responses and we’ll talk more about this. What is the way you want to shift the dialog, Paul, and if you can give it sort of a canned quick 30 second response of from the are we secure to a more cogent ongoing conversation.

Paul Truitt

Yes I mean I guess to me the best way to flip that would be to start talking about what programs you have in place. If you can understand what is it that’s driving the question. If it’s a fear or a risk that’s driving the question how do I take that and I’d start talking about how we’re doing table top testing or how we’re doing constant evaluation of active threats in the industry. We know what those are and giving that level of comfort back to the executive that asking the question to begin with to let them know that we are fully aware of what’s going. We are absolutely doing testing, we’re doing evaluation, we’re changing our strategy on a regular basis. Because that’s really what they’re looking for is this a stale program and how do I show them that we don’t have a stale security program, that we are staying active and understanding?

David Spark

Quick 20 seconds to add to that Steve?

Steve Zalewski

I like that. I think that’s great and in doing that you really want to know who it is and change the question because “Am I secure?” is not a question that you can answer. It’s like what metric do you provide? It’s a tough one so you’re on the defensive. What you have to do is translate that to a question that you can answer that is comfortable for both of you to have that dialog. And that’s why when I talk about how do I secure the business? How do I enable the business? How do I protect the business? It’s a much better way to either have a risk conversation, a GRC conversation or a business conversation.

Sponsor – Varonis

00:12:31:04

Steve Prentice

The idea of ransomware and extortion is nothing new to CISOs and their clients. Sadly we hear about them every day. But something that is not always considered when discussing how best to defend against these types of attacks is a company’s blast radius. Here is Brian Vecci, Field CTO at Varonis.

Brian Vecci

Most CISO’s if they are not worried about the blast radius, the users and application accounts and in their environment, they probably should be. We’re at a point now where at least once a month we’re hearing stories about major ransomware attacks often driven by advanced cyber criminal groups.

Steve Prentice

He points out that the blast radius for any given employee is surprisingly large and dangerous.

Brian Vecci

Blast radius comes back to what your users and your applications and your systems account actually have access to. And one of the things that we know here at Varonis, because we’ve been doing this for so long, is that on average a given user and an organization will have access to on day one, 17 million files and more than 20% of the data in the organization. So imagine you’re a CISO, what are you worried most about when it comes to ransomware? We want to make sure that you can prevent it from happening and the best way to do that is to minimize the blast radius, to minimize the number of files, the amount of data that any given account has access to.

Steve Prentice

But he cautions…

Brian Vecci

That’s easier said that done when 20% of your data is open to everybody.

Steve Prentice

To find out more visit Varonis.com V-A-R-O-N-I-S.com.

What’s the issue here?

00:14:09:03

David Spark

So like we just talked about in our last segment, how do you flip this conversation? What is really going on? And I’ve got four quotes here I want to read. One from Darren Argyle of Standard Charter Bank and he said “It’s not about security it’s about knowing your attack service and the ability to withstand an attack,” so resiliency here. He goes on by saying “Shift the conversation to cyber resilience. The threshold you agree is what constitutes as good.” Steven Gill of Russell Holding said “Secure is a state of readiness and operation not a state of being.” David Sterling, CISO over at Zion’s Bank Corporation said “I pivot the question. Instead of are we secure or are we safe, the question you should be asking is how should we feel about cyber security at our firm? And lastly Rebecca Harness, CISO of St Lewis University, who’s also been a guest on this show, said “The question really means are we working on the right things?” So Steve, you’re nodding your head. These are all sort of different takes of what that question means on how you pivot. Where do you fall or would you add to this?

Steve Zalewski

I like all four. Because the question is so open ended look at all the ways you can interpret it. And that’s why I started with I love that the question is being asked and here is why because it gives me great room to be able to figure out which of those conversations is the right one to have, business, cost or technology, because vendors want to be able to sell yourself and they’re going to get to this. What we’re trying to say is “Is it good enough?” my question that I ask myself is “Are we good enough for our responsibility as cyber practitioners to provide the right risk insurance against the key threats to the company?”

David Spark

Paul, what would you add to this and how do you feel about all these different takes on the question?

Paul Truitt

Yes, I mean I like the responses. I think that you know, thinking about pivoting the question is critical. I think trying to turn it back around and almost ask are you asking do we know what the next attack may look like and are we prepared for that and trying to really understand what is it that they’re really looking for? What are they really trying to understand?

David Spark

I mean most of them want to stay out of the news for these reasons.

Paul Truitt

That’s exactly right. Having a great program in place I hope that you’ve already had that conversation with them. I hope you’ve already shared that we’ve got all these controls in place. I think what they’re really looking for is if the attack happens, one, can an attack still happen and I think some of these statements are trying to say “Look, an attack can still happen but here’s the things that we’re doing in order to either quickly respond to it, to know what happened and to address that risk within the organization as fast and as accurately as we can.”

Steve Zalewski

And I’m going to riff on that which was cyber resiliency, which was just introduced, is a great concept. But to Paul’s point too, if you’re going to have cyber resiliency conversation with whoever that is, that means they’ve got to understand that you’re being attacked and that it means you’re withstanding attacks and parts of the business are being hurt. Many people aren’t ready for that conversation at the board level until you can kind of go through the GRC and the cyber risk protect, detect, recover. You’ve got to give them a chance to mature their thinking to realize what we’re really doing. You don’t just want to hit them hard with cyber resiliency, it really is an appreciation for the maturity of the conversations you’ve had with your company, with your executives, to know the right time to introduce that.

David Spark

I mean I would assume they would feel more comfortable with a discussion about reducing the blast radius, because that’s the story that everyone hates to see in the news of one thing happened and the whole kingdom came crumbling down. Can you have a cogent conversation with them about blast radius, Paul?

Paul Truitt

That’s a lot of what we’re saying here is helping an executive understand that a risk can still happen. I know that we’ve got analogies that we can use to try and help them understand that. For example, we get on a plane and the plane could crash but we’ve taken precautions to try and avoid that from happening. Helping them understand that look those precautions, if something bad does happen here’s what we’re doing to make sure that it does get contained, that it does get isolated to a ransomware event or isolated to one host and it’s not going to impact a dozen or the critical keys to the kingdom.

Why are they behaving this way?

00:18:58:16

David Spark

Scott Foote of Phenomenati said “Turn the question back on their part of the business. So, depending on who you’re speaking with, are we financially secure? Are we competitive? Are we legally compliant? Is our sales channel strong?” Jason Core of Coalfire added “Is it safe to drive your car? It’s never really safe but we have some options to reduce risk like having licensed driver, perform regular maintenance and drive defensively.” So Steve, do executives respond to analogies of “Well I mean you don’t know if you’re 100% on these aspects of the either, do you?” Or do they see that as a challenge and you’re being obnoxious?

Steve Zalewski

Personally I find that analogies are incredibly powerful, because it’s unreasonable to expect most people to be cyber security experts or to be comfortable in the terminology.

David Spark

Well you’re having a hard time yourself, Steve.

Steve Zalewski

Yes. I love these two quotes is because that’s how they’re turning the conversation into something that the individual can relate to because they need a way to map the conversation to something they’re comfortable with. Just like cyber resiliency is really a conversation around mission assurance. If you really want to get down to it it’s a military term for mission assurance, what can I do to maximize the reduction of risk so that the mission is always obtained? And there’s a resiliency play. Well again, that is not a conversation you want to have but if you can have it around are we competitive? Are we legally compliant? It’s a great way to be able to bring the conversation to your business sponsor so that they understand the concepts you’re representing in a way that they’re comfortable with.

David Spark

Paul, I had visioned this being kind of a twofold concern and Steve you’re right on target but I think the reason the question keeps coming up is there’s twofold issues. One is most are not cyber security experts. In fact it’s probably the one aspect of the business they know the least about. Then second, when these attacks happen, going back to blast radius, the blast radius is enormous. So it’s lack of knowledge and fear of the worst happening and I think this is why this comes up. So we’ve already discussed having the discussion of reducing the blast radius and also the discussion of educating them on going on cyber security. I think it’s just bringing those two sort of inward, so they understand more and are less fearful of the absolute worse, yes, Paul?

Paul Truitt

Sure. Again it’s an opportunity and you can even talk about the fact that the only way to be truly secure is to disconnect right? And you know, we’re obviously not going to pull the plug from the Internet and make ourselves completely ward off organization. So when we plug in we’ve taken some level of risk and helping the organization in this translated way you’re never 100% on financial security. You’re never 100% on legally compliant just like you’re never 100% on information security or cyber security. And helping them understand that looking at risk in the old school way of saying you either avoid, mitigate it, transfer it or accept it is an opportunity to have that conversation with the executive, because those are terms they understand. They’re making those decisions in many other areas of the business just like we’re making them as a CISO in our organization. The analogy is a really great well to do that because we all make those risk based decisions on an everyday basis and we all understand that we’re not gonna stop driving our cars, we’re not gonna stop flying in plane, well maybe for the last year we’ll stop flying in planes. But some day the world will return and we’ll start flying in planes again because we all did stop for Covid but not for risk.

David Spark

Well no but that was a risk. We wanted to avoid that risk.

Paul Truitt

That’s exactly right.

Steve Zalewski

I want to riff on this too which was how you describe that risk is important. Which is then you get to measurement and metrics. So, if somebody says “Are we competitive? Are we legally compliant?” If I talk to you about the efficiency of the tools or the process that were 98% efficient in what we’re doing, is that really the conversation you want to have or do you want to talk about effectiveness? How effective are our controls at allowing planes to continue to fly given Covid? And so, again, you get back to how do you have that conversation? Most people want numbers, measurements, effectiveness and efficiency and so much of risk conversations in cyber is really wanting to talk about effectiveness because how many times have we used a tool for a year and then thrown it away, because the threats have changed enough that we actually have to bring in some other new people processor technology and abandon what was there because the threat avenues that we’re protecting, like when Covid hit we went work from home, caused us to make some pretty dramatic changes in our strategies, our road maps and our buying procedures over the course of that 18 months.

Closing

00:24:12:19

David Spark

Stative security is always flowing, as you said. That brings us to the conclusion of this conversation here. Now, I’m going to ask the two of you and I’ll start with you Paul, what was your favorite quote here and why?

Paul Truitt

I have a favorite that is probably not the right favorite based on the conversation we just had.

David Spark

You chose it, it’s the right favorite.

Paul Truitt

So I really enjoyed Wes Spencer’s quote of ‘”Let me go check,” It’s a snide response, it’s a fun answer and it sort of proves the point that as I laugh when I say it. I’m not going to go lift up the radar over here and determine that, you know, we’re secure two thumbs up we’re good to go and I think it’s just a smart answer. But the reality is I actually really enjoyed the “If an exec is asking those questions unless it’s the very beginning of your tenure it looks like a lack of engagement.”

David Spark

That’s Greg Van Der Gaast’s comment.

Paul Truitt

That’s correct.

David Spark

I agree because we brought this up. I throw the problem back on the security leader if it’s coming up. Steve, what’s your favorite quote and why?

Steve Zalewski

I thought there were a lot of good ones today, I really liked the one Paul picked because I thought it was pretty good tongue in cheek. From my perspective, he and I are so business-focused at this point I’ve got to give it to Scott Foot from [Fenom Menati] – turn the question back on their part of the business because at the end of the day cyber security is here to be able to enable the business and so the better you can have that conversation by translating it that way, I think as an industry we’re going to be that much more effective at mutual aid against a common enemy.

David Spark

Agree. Gentlemen, thank you so much that was excellent and I think a pretty solid conversation on this issue that comes up again and again and again and it’s not going to go away after this episode airs. So, I want to thank both of you, but Paul I’m going to let you have the last word. I want to first though thank our sponsor Varonis for making this episode possible. Thank you very much Varonis. Steve, do you have any last thoughts on this topic?

Steve Zalewski

I would say continue to leverage the media’s opportunity to give you the discussion point and really know your audience when you have an opportunity to answer that question.

David Spark

Good. And Paul, by the way all our guests we always ask “Are you hiring?” So any last thoughts on this and b, are you hiring?

Paul Truitt

I mean my biggest thing here is I agree completely with what Steve just said, use this opportunity right, you’ve got an executive asking you for a conversation about cyber security and controls and you’ve got someone who probably has some level of understanding of fear or concern and take the opportunity to show them what you’re doing and talk about the program. But, you know, the biggest thing I would propose is it is critically important that you’ve got a foundation that’s based on some kind of a framework that you can use and that you’re measuring that and putting it in terms that the business understands and you may hear this question a little less. Absolutely we’re hiring, always hiring, looking for good cyber folks both in the US and internationally.

David Spark

And where should they go? Is there like a Mazars.com/jobs or something like that?

Paul Truitt

Mazars.us and you can find our job section for hiring.

David Spark

Alright. That was Paul Truitt, the Principal US Cyber Practice Leader at Mazars, thank you very much. And Steve Zalewski joining me as well. And I want to thank you, our audience, for all your amazing contributions whether witting or unwitting, we appreciate them. Thank you so much for contributing and listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.