Tabletop exercises are critical procedures to learn how everyone will react during an actual attack. Panic is usually the first response, so why don’t we do that when we’re playing our pretend game of getting our business compromised by a nefarious hacker?
This week’s episode of CISO Series Podcast was recorded in front of a live audience in Clearwater, Florida for the Convene conference produced by the National Cybersecurity Alliance (AKA StaySafeOnline.org). Joining me on stage for the recording was my guest co-host, Hadas Cassorla, CISO, M1 and our guest, Kathleen Mullin (@kate944032), CISO, Cancer Treatment Centers of America.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsors
[Voiceover] Biggest mistake I ever made in security, go!
[Kathleen Mullin] I was Tampa Airport’s first CISO, and I introduced vulnerability management scanning. And thought I knew my environment, and instead there’s a thing called a bird deterrent system. You can’t fly if it’s not operational because it makes birds fly away from planes instead of into them. I took it down. And even though I’d gone through change management, I was unaware of who managed that system. It wasn’t IT. Nobody could figure out why it went down. Bad day.
[Voiceover] It’s time to begin the CISO Series Podcast, recorded in front of a live audience.
[Group] In Clearwater, Florida.
[David Spark] Welcome, everybody, to the CISO Series Podcast. I am your host and producer, David Spark. And sitting to my immediate left is my guest cohost for this episode. It is Hadas Cassorla, who is the CISO over at M1. Hadas, welcome.
[Hadas Cassorla] Thank you.
[David Spark] That is Hadas’ voice.
[Hadas Cassorla] It is my voice.
[David Spark] You will hear a lot more of it during the show. I do want to mention our awesome, awesome sponsors today. We have Terranova Security, KnowBe4, and Cofense all here because we are, as you heard from the audience…we are live in Clearwater, Florida for the Convene Conference, which is something that’s put on by the National Cyber Security Alliance. And they are responsible for the site staysafeonline.org. And this entire conference is about security awareness, so we have created this show about security awareness. I should also mention this show is sold out as well. Very impressed with that. So, before we begin though, Hadas, you mentioned something that we were just chatting a while ago… Because we talk a lot about CISO stress on our show, and you say you’re not stressed out.
[Hadas Cassorla] I’m not.
[David Spark] You’re not a stressed…
[Hadas Cassorla] No, it doesn’t keep me up…
[David Spark] What is your secret to not being a stressed CISO?
[Hadas Cassorla] One, I don’t think I’m built that way. But also I just recognize that there’s only so much I can do, and I do the best I can with what I have. And I’m very good at letting my business know what the limitations are, and we work together to make sure that that’s acceptable. But sometimes bad things happen, and it’s bad. I’m concerned when those bad things happen, but stressing out about them before they happen is just going to make me unhealthy.
[David Spark] And you’ve had incidents before and you’ve kept your cool?
[Hadas Cassorla] Yeah. Yeah. I’m sober as a judge when it comes to incidents.
[David Spark] I’m impressed.
[Hadas Cassorla] I mean a judge on the be… But maybe that’s not a good example. Anyway. I’m real cool, calm, and collected.
[David Spark] I’m very, very impressed. Well, I want to introduce our guest who is also joining us on stage here as well. She is the CISO over at the Cancer Treatment Centers of America. Please round of applause from our audience for Kathleen Mullin.
[Kathleen Mullin] Thank you. Thank you, and I really appreciate being able to participate with you today, David.
[David Spark] It’s going to be fun.
Close your eyes and visualize the perfect engagement.
[David Spark] So, there are five critical elements for a successful tabletop exercise, suggested Joshua Magady of 1898 & Co. And they are realism, participation (get all the stakeholders involved), time constraints, communication, and debriefing. Now, it’s a pretty solid model here, but when it comes time to do the tabletop, elements can fall apart. So, where do you see tabletops coming apart and being ineffective, and what are the core elements that truly make them succeed? And have you ever seen a real incident play out where you can actually point to the tabletop as the reason you were able to handle the incident? I’ll start with you, Hadas.
[Hadas Cassorla] I’ve seen tabletops fall apart from lack of engagement, but I also think that most tabletops are too scripted, and they don’t have enough element of randomness in them.
[David Spark] Aw, good point.
[Hadas Cassorla] And I’ve actually run tabletops that are RPG type tabletops, role playing game tabletops.
[David Spark] Yes, and I’ve actually participated… ONOS is an open source version of that.
[Hadas Cassorla] Yeah, and you use a 20-sided die, so it brings out the nerd in all of us. And you get elements of randomness because I’ve never participated in an actual incident that followed a script. I have participated in incidents where as soon as one incident happened, 17 other incidents are also happening. And most of them are unrelated. It’s just coincidence. I think that we don’t do enough of that within our incident tabletop.
[David Spark] Good point. All right. I throw this to you, Kathleen. What can cause a tabletop to go seriously wrong?
[Kathleen Mullin] The biggest thing I’ve seen is when people fight the scenarios.
[David Spark] Oh, don’t fight the scenario.
[Kathleen Mullin] And when they… Yeah, because when they fight the scenario… And then the other thing is when they go down rabbit holes, and you can’t pull them back. So, they go into problem solving mode and basically you kind of time out your exercise.
[Hadas Cassorla] But don’t you find that that’s realistic to how incidents go?
[Kathleen Mullin] Yeah, except one of the big things is that next problem. As you were mentioning, it’s the 17 other things that are happening, and if they ignore those 17 other things because they’re so focused on the rabbit hole…
[David Spark] No, but isn’t that the whole point of the tabletop? To see how people react. And if all of a sudden you see they’re like, “Oh, we got a bigger problem now.”
[Kathleen Mullin] Oh, no. It is. It really is. And that’s why the debriefing is so important. And a lot of times what it leads you to is we need to do another incident tabletop exercise soon so that you can get past those pieces.
[Hadas Cassorla] I also think that one of the things that tabletops don’t do well enough is create the anxiety that actual incidents will create, which I think is why you need to add levels of randomness in there. Because once the anxiety is actually instilled into that situation, people behave to the extremes of whatever they were doing when it was a scripted tabletop.
[David Spark] Right, exactly.
[Kathleen Mullin] Although sometimes it really kind of depends on the industry you’re in. I’m in healthcare, and when I do tabletop exercises with healthcare providers, they’re so used to having those really high-stress situations that they can react to it and reenact pretty darn fast.
[David Spark] So, going back to the second part of my question – have you actually seen that something that you did in tabletop actually played out positively in an actual incident? Like, “Oh, I can point to… That’s why we had the tabletop. That’s how we should have done it.”
[Kathleen Mullin] Actually multiple times because I’m one of those typical CISOs that moves from job to job. And repeatedly after a tabletop exercise, we have put things in place which have included things like better contracts, better relationship, better management so that you know who you are calling out. All kinds of things that because of it our response has been faster and has enabled the business to stand up faster. And guess what? That really is what you’re trying to do.
[Hadas Cassorla] Yeah. And for me it was the education piece of like, “Oh, this is what an IRP is, and when we go to it, and how we look at it.” And so having run the tabletop, people outside of the actual security department knew more along the lines of what they were going to do. Legal understood how they were going to have to be involved. Our communications department understood better how they had to be involved in the incident. It wasn’t just the thing that security or engineering did.
[David Spark] But that is the whole freaking point of running the tabletop exercise. All right, close out with quick 15-second thoughts from each of you – one thing that everyone should do in a tabletop exercise that is not normally done. Kathleen?
[Kathleen Mullin] I think you really, really, really need to make sure that high level executives are in the room.
[Hadas Cassorla] Use a 20-sided die.
Are we having communication issues?
[David Spark] All right, does the cyber security industry need a complete rebranding as information security? Now, cyber is just really a subset of information security, noted John C. Underwood of Big 5 Sporting Goods. Right now most people use the terms interchangeably. I must say I do that, and this was noted by Larry Rosen of Presidio. But information security is actually more broad. It includes elements such as governance, risk management, data protection, resilience, and security awareness. I’ll start with you, Kathleen. If more people saw it that way, how would security change if at all for that matter, and what could we do to push the rebranding of this field to just information, data security?
[Kathleen Mullin] So, we were information security, and then it became a branding, a marketing term to go to cyber. And what happens is we actually… It’s the self-fulfilling prophecy because a lot of times you will see in order to get a call for [Inaudible 00:09:16] whatever, you had to say cyber. The reality is we are information security. Although I think it’s an argument without a lot of meaning because for the most part knowing whether cyber is part of information security or information security is part of cyber, that’s all about how we make our sausages and the business doesn’t care.
[Hadas Cassorla] Yeah, I guess I really have to agree with that. What are we trying to accomplish by choosing one over the other or having distinctions between the two?
[David Spark] So, I’m solely bringing this up because when this was posted by John Underwood of Big 5 Sporting Goods, it got an amazing amount of reaction. So, yeah, my first response is who cares. But obviously someone does care.
[Hadas Cassorla] Well, it’s not me.
[Hadas Cassorla] I’m sorry. I’ve actually broached this question with different people I’ve worked for and friends of mine who are not in the industry, and they don’t know what the difference is. I couldn’t clarify to them the difference between one or the other. In different places I’ve worked, people say information security or cyber security, but they understand that I’m in charge of data security, and risk management, and all of that. Because I make it clear to them what I am there to do for them. So, I think that this is one of those arguments that just is for people to have something fun to do on LinkedIn.
[David Spark] To complain about. So, then let me switch the conversation a little bit. Because this room, these are all people who are trying to raise security awareness, and they’re trying to fix culture, trying to do branding. Is there another way to describe the overall issue under a different umbrella that may be not cyber information that people could get their talons into?
[Kathleen Mullin] Well, I think part of it is we take things backwards. There’s a gentleman, David Lyoness [Phonetic 00:11:06]. What he talks about is the fact that we really should be looking at what are the business operational needs and laying security to meet those needs. When we just start talking about security and all these security requirements without talking about what the operational and business needs are, we’re having the wrong conversation. So, the business doesn’t care what our components are. They just care, “Can I get to market quickly? Can I get to my customers quickly? Can I deliver?” They don’t really care how we’re doing it.
[Hadas Cassorla] So, if we take this and we analogize it to let’s say human resources that started out in like the 1980’s when there was a spate of high profile sexual harassment issues in the workplace as women became more prevalent in the workforce… And HR really started out as a place to govern the behaviors of people within the company. But then they were like, “Oh, also can you help us with these other things like more insurance focused stuff, more of the culture that we provide now, more of…? And now the people organization…they’ve changed their name from human resources to people, but whatever. Humans, people, that’s the same thing. I think that that’s what’s going on here where as we grow, as we mature as an organization of security we now do have to think about resilience. We do have to think about more than just the zeros and ones in our environment. And that’s okay that our department expands but keeping the same name. I don’t think we need a rebranding at all.
Sponsor Segment – Cofense
[David Spark] Let me tell you about one of our founders, Cofense. We have three phenomenal sponsors for today’s episode. But did you know that up to 94% of business email compromise, credential theft, and ransomware attacks bypass your so-called secure email gateways? That’s because technology alone is no longer enough to stop today’s most advanced threats. So, there’s no one thing, as we all know. So, Cofense knows that you need a human involved in email security. In fact, they pioneered the idea. Ten years ago, most information security breaches were blamed on humans clicking malicious links, leading businesses to view their employees as liabilities.
We’ve heard that one before – the human, the weakest link. By the way, many of our CISOs see them as the greatest defense. And as does Cofense, but Cofense knows better. They’ve gone out of their way to prove to the cyber security industry that humans aren’t just capable of detecting a phish, they’re vital to your email security. But Cofense didn’t just stop there. Fast forward to today – Cofense’s integrated, intelligent email security solutions are driven by actionable intelligence with insights from a global community. With Cofense, you can leverage threat intelligence from many trained reporters to instantly remove malicious emails from your inboxes and eliminate attacks with automated analysis and quarantine. That’s intelligent email security. To learn more, go to their site, Cofense.com.
It’s time to play, “What’s worse?”
[David Spark] All right, everybody. For those of you who haven’t heard the show, here’s how the game is played. I’m going to create or essentially offer up two scenarios. They are both awful. I will just say that.
[Hadas Cassorla] Your music is very jaunty. I have to tell you that.
[David Spark] I like that. I like the music. It’s like old 70’s game show music. They’re both horrible scenarios. But as a risk management expert you both are, you have to tell me which of these two awful, awful scenarios is truly worse. So, I will always make Hadas answer first, so you are going to answer second. You can agree or disagree with her. The first one…
[Hadas Cassorla] He prefers if you disagree.
[David Spark] I always do prefer that you disagree with the host. This one comes from Jason Dance. Here is the scenario. What’s worse, Hadas, your local hospital gets pwned by ransomware, or your local electricity and gas supplier gets pwned by ransomware?
[Hadas Cassorla] Oh, wow. That’s really… Okay, I think I have an answer. So, I’m going to say the gas and electricity ransomware is worse, and here’s why – I can go to a different hospital. Also medical professionals, even though they don’t necessarily have all of my history right there in front of them because they’ve been [Inaudible 00:15:42], they should still be able to do some of the stuff. But the gas and electricity thing, I think that’s the grid, right? That’s putting everybody in danger. No, that’s it. That’s why. That’s why it’s worse. I think that the doctors can overcome.
[David Spark] Okay. Okay. Kathleen, agree or disagree?
[Kathleen Mullin] I’m sorry, I actually have to agree, and that’s because we are in America. And in America, we have what are called downtime procedures. And basically every hospital in America actually has procedures where they can operate completely without their computer systems, and they can actually operate without most other systems. And they can run on generator power for so long, but then they really do need that electricity in order to provide life saving equipment.
[David Spark] Very, very good. All right, we will accept both of your answers there.
[Hadas Cassorla] Thank you. Appreciate that.
[David Spark] I’m going to ask the audience, by applause, how many think that the hospital is the worse scenario of the two? By applause. Don’t raise your hands. We can’t hear it on the microphone. By applause. No one thinks that. Okay. So, by applause how many people think it’s the local electricity and gas supplier?
[David Spark] Literally everyone.
[Hadas Cassorla] I did it.
[David Spark] Although some people are not applauding because they don’t want to play the game, which is not… That’s not how it works. All right. Here is our second scenario. Are you ready?
[Hadas Cassorla] Yes.
[David Spark] Actually you know what? I’ll turn the tables on this one. Kathleen, you’re going to answer first on this one. All right?
[Hadas Cassorla] Whatever you answer, I’m going to disagree with you.
[David Spark] All right, we’ll see how this goes.
[Kathleen Mullin] Okay. All right. All right.
[David Spark] What’s worse, 50% of your staffers, not C-level…that’s key…50% of your staffers regularly compromise… Oh, by the way, this is a different Jason. It’s not Jason…just some other Jason. He didn’t want me to mention anything else. So, 50% of your staffers, not C-level, regularly compromise their machines by clicking malicious email links. So, phishing malware. That’s scenario number one. Or having a C-suite member regularly compromise their machine through the same vectors. Education in both cases never works, and you can’t add extra security layers per individual. Which one is worse?
[Kathleen Mullin] So, I’m going to say that it’s 50% of my employees because I can’t add extra security levels because my C-level, they won’t even notice that they can’t access anything.
[David Spark] Okay. All right, that’s a good answer.
[Hadas Cassorla] I love that answer. That’s a great answer. But I think I am going to disagree with you and really disagree with you. If my C-suite is not on board with security then the entire security culture at the company is broken. And if I can’t get them to buy into the fact that everybody is part of the security team then culture runs downstream. It’s not going to happen. And so I really do think that the C-suite not knowing what to do, when to do it, and that they need to do it is worse.
[Kathleen Mullin] The reason I’m going to disagree with you on that is because it’s a C-suite person. And the reality is if I can’t get funding to fix 50% of my employees, I don’t have C-suite support.
[Hadas Cassorla] I don’t think funding is what’s going to fix your employees.
[Kathleen Mullin] Why?
[David Spark] By the way, it’s not part of the scenario. It’s just this is the situation. It’s how it’s fixed. So, all right, now I’m throwing this to the audience as well. By applause, how many people think the situation where 50% of your employees, non-C-suite, are regularly clicking phishing emails is worse? By applause.
[David Spark] It’s a good number. That is a good number. All right. One very key… And I’ll say it’s either like the CEO or the CFO constantly clicks those phishing emails. How many people thinks that’s worse?
[David Spark] All right, you sadly did not win this round.
[Hadas Cassorla] I won just by getting a few people on my side.
[Hadas Cassorla] Join me.
Sponsor Segment – KnowBe4
[David Spark] Hey, I got another sponsor to tell you about. Stay tuned, everybody. It’s KnowBe4. So, who’s got the advantage in cyber security? Is it the attacker or the defender? Now, opinions differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? It’s not like a military operation where the defender is thought to have most of the advantages. In cyber space, the attacker can just keep trying and probing at very low cost and very low risk, and the attacker only has to be successful once. We’ve heard that many, many times. And as KnowBe4 points out, email filters designed to keep malicious spam out sadly have a failure rate of somewhere between seven to ten percent. So, if your technical defenses are failing one out of ten tries, you’re out of luck, and you may be out of business. Your best last line of defense is your human firewall. You can test that firewall with KnowBe4’s free phishing test, which you can order up at knowbe4.com/phishtest. So, let me spell that for you. It’s knowbe4.com/phishtest. Now, KnowBe4, they are social engineering experts and the pioneers of this new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find. Remember what I said? It’s at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Close your eyes. Breathe in. It’s time for a little security philosophy.
[David Spark] All right, so here is a little philosophical thought. I think there may be differing opinions here. Are people the safety net for your security controls, or should your security controls be the safety net for your people? So, I’ve noted that the security awareness industry as you’ve heard from our sponsors sees it as the former way where most CISOs I speak to see it as the latter. They see the security controls being the safety net for the people. So, why do you think there is this disparity? I’ll start with you, Hadas. And how does your security program change? And if you think at all depending on the viewpoint you take.
[Hadas Cassorla] I don’t know that it super matters, but I do think that at first I was thinking that maybe the security controls are the safety net for the people. But realistically security controls came about from the accounting department, and the way that accounting implemented controls was to make sure that you had multiple ways to prevent your accounting department from going let’s call it wackadoodle. So, they set up all of these controls. That’s why SOC2… That used to be from…that is from the accounting industry. And so to make sure that the firm’s money stayed safe, they put in these controls. And so it was to prevent people from breaking their accounting. I think here, yes, the security controls are a safety net for the people and the people are a safety net for the controls. And they work interlinked…linkedly? That’s a word? Sure, interlinkedly. And it doesn’t matter which one is there for which other because it is a symbiotic relationship.
[David Spark] All right.
[Kathleen Mullin] So, slightly different take on the same. And oh, by the way, I used to be a chief audit executive and came up on the finance side. So, yes, controls are interlinked. And yeah, accounting got there first. But we do it better. So, part of it is if you look at security awareness training and reporting on security awareness training, the important thing is, in the CISO role, how are you using that information? Are you using that information to make sure that you have appropriate technical controls, appropriate access permissions, etc. as compensating controls for the weaknesses of the individuals who are more susceptible to phish? So, what happens is we have as an industry failed our employees in terms of the fact that they can break everything by clicking a link or because they can open something. We have. We’ve failed them. So, what happens is, why can’t we use part of our core mission, security awareness and training, to inform what IT is doing so that we can reduce risk?
[Hadas Cassorla] I think it’s good to reduce risk, and I think that it’s true that the technology is only going to go so far and that our people need to be aware. But I also think that part of the issue is how we’re making them aware. I absolutely hate internally phishing my people. I think that all they want to do is get their job done and get it done well. And when you internally phish them, they feel untrusted. I read…no, I heard a conversation at a conference once where a company who all they do is security, they’re very well known for security, had done a security awareness training and then a week later did an internal phishing. And 60% of their people failed. Their one job is to do security. And so I just don’t think that that’s the…
[David Spark] So, no, obviously there’s a major culture problem there.
[Hadas Cassorla] Well, I think it’s that people are very vulnerable to social engineering. I think people are very vulnerable to getting their job done in the easiest way possible. And so we definitely need the technical controls, but I think we also need to change the mindset of the people who work for us. Just because you are not reporting to the CISO doesn’t mean you are not part of the security team. And I think… We were talking earlier about neurolinguistic programming. You should all learn neurolinguistic programming. It teaches you how to reframe the conversation you’re having so that the person you’re speaking with understands you very, very well. And one of the things you can teach people in your company is that they are all part of the security team. And as they take on that responsibility and that ownership, they will become more careful because they are providing security. So, I think we’re kind of off track, and I’m sorry for that. But I also feel like, again, it’s a very symbiotic relationship. And the more you can address that and the more you know that your people know that they’re security and that you’re also there for them, the better off you’ll be.
[Kathleen Mullin] But I also think part of it is treating employees so that they realize that they are part of the humanity of the organization. They are important because they are protecting their coworker who didn’t recognize it. So, reporting of phish and problems with phish is actually more important than everybody always identifying it so that that reporting structure and the fact that you value yourself as part of the security culture is really critically important.
What’s the best way to handle this?
[David Spark] On LinkedIn, Gabriel Friedlander of Wizer offered up some interesting tips to spot a fake online shop. They included go to the about us page and copy some text, and Google it and see if it appears in some other online shops. Do the same for the email and phone number. Another one was search the company name with the word “scam” or “fraud,” especially on sites like Reddit or Quora where people tell personal stories. And lastly, do a WHOIS lookup to see if the site was launched recently. If so, that’s a red flag. So, question to you… And I’ll start with you, Kathleen. What are some investigative techniques you use to determine the legitimacy of a site, email, or anything else online?
[Kathleen Mullin] Part of it is I’ve done way too much OSINT and social engineering [Phonetic 00:28:10], so I don’t think I’m the typical person. But part of it is recognizing… I have toolsets that will tell me if it’s a new site or not. There are… And by the way, some of these sites change all the time, but there are sites like URLVoid that will look and see how recent it is. So, some of Gabriel’s suggestions were good, but there are others. But the big…
[David Spark] Oh, yeah, he listed a few more.
[Kathleen Mullin] Yeah. But the other thing is that part of it is I actually care more about reputation. So, when I look at an about, I’m looking at who those individuals are. And then I’ll cross reference over to LinkedIn. And if I don’t know them and I don’t know anybody that they know, I start questioning.
[David Spark] Good point. All right, Hadas, what is your investigative technique?
[Hadas Cassorla] I really want to know what Gabriel was buying that he did this much effort for figuring out the vendor was real or not. [Chuckles]
[David Spark] But we’ve stumbled upon something that looks… Let me see. We have all shopped in other places other than Amazon.
[Hadas Cassorla] Sure. Even Amazon is not always safe. So, yeah.
[David Spark] Well, we hope so. We want to get something there, but then we question should we be putting our credit card number down.
[Hadas Cassorla] For sure. And I understand that. But I also think that while these are excellent investigative techniques and that you should do them if you are that concerned… And you should be concerned. Not everybody is going to, and so adding to this list is not that helpful. I would instead recommend that after you do some of these, or if you’re unsure about it, or something looks wonky, trust your gut. Trust your gut. Absolutely trust your gut and ask questions. It’s protect your data, protect your information. So, there are companies that now allow you to create one-off credit cards that are used specifically for one-off purchases. You should use that. And that way even if a scammer does get your information, they’re not going to get very far with it. There are ways for you to put protections on your banking through your bank that you should look into. Your financial company will have things that they can assist you with understanding fraud and fraud alerts on your accounts. And I would say that yes, definitely you should do some of these preventive techniques. But to buy some dog food online, nobody is going to go through all of this. So, I would recommend putting the protections on in case this does happen as well.
[David Spark] All right.
[Kathleen Mullin] And there are one-time emails and one-time phone numbers you can use as well.
[Hadas Cassorla] Yes, those as well.
[David Spark] Which they may be using on you as well.
[Kathleen Mullin] Exactly.
[David Spark] So, just to quickly wrap this up, one of the things that I know Mike Johnson who is my regular cohost for this show has said and many others is when you can make it personal… And this could be a personal situation when someone is trying to figure this out. Then they start to care more about cyber security. So, closing on one quick thought. Just 15 seconds each about one way you make things personal for employees.
[Kathleen Mullin] I believe it’s all about WIFM, what’s in it for me. Their favorite radio station. And part of our training programs always are about the individual employees and how to protect themselves and their family. We actually… It’s okay in our organization for us to help them with those issues.
[Hadas Cassorla] Something I love to do is comb through what’s going on in the news and blog about that internally for the company so that it’s not…security is not this really intangible thing that those people in those cubicles… We’re all remote, but whatever. I still have a cubicle at home. In those cubicles do but that it’s something that everybody is responsible for, especially when it’s a social engineering issue that happened at a company and talk about what we’ve implemented to help with that and what everybody who works at my company can do to prevent it as a member of our security.
Sponsor Segment – Terranova Security
[David Spark] I’ve got another sponsor, and I’m thrilled. Terranova Security is also on board. So, you can get free phishing benchmarking data to drive effective behavior change and grow your organization’s security-aware culture with their latest edition of the Phishing Benchmark Global Report from Terranova Security. Taken from this year’s Gone Phishing Tournament, this report gives security and risk management leaders the insight they need to strengthen data protection. All benchmarking data is based on a single phishing template deployed only during the two-week event, which means readers get accurate real-world views on click rates and other end user actions, all broken down by region, industry, and more. Now, discover how your organization’s phishing simulation performance stacks up against your peers. Download your 100% free copy of the Phishing Benchmark Global Report by visiting terranovasecurity.com. Now, that’s terranovasecurity.com.
It’s time for the audience question speed round.
[David Spark] All right, I have in my hand a bunch of index cards. And with the time that we have left, I want to burn through as many of these questions as possible. So, let’s get to it. Here we go. First one. This comes from Karli Clark who is with the Idaho National Lab, and she is brand new to cyber security. She came from a document management background, and she’s now doing cyber awareness. Her question is, “How would you engage me as a new hire?”
[Hadas Cassorla] Well, what I do first off is find out what interests you, and then I throw a bunch of work your way that would help you grow in that area. And then I make sure that you’re happy and that you’re challenged, and that you understand exactly how your work helps my company, your company, be successful. I make sure that I tie in the day to day job that you are doing with the company’s OKRs so that you understand that what you’re doing affects the company.
[David Spark] Kathleen?
[Kathleen Mullin] I agree with all of that, and I also would probably add in looking at your development plan and seeing if there is any training, especially if I can find free training that will actually help you with that skillset.
[David Spark] Excellent. All right, six more questions. Six minutes. Let’s do it. How do you know if you’ve had a successful cyber awareness program? This is asked by Jerome Berloty, who is the CEO of Riot.
[Kathleen Mullin] I don’t think you actually ever do. So, one of the things…
[David Spark] So, he’s at a loss.
[Kathleen Mullin] No. It’s one of those… Your programs are never going to be 100% effective, but if you can measure… Part of it is we need measurements and metrics as to what it is you were trying to train to. Have you reduced security incidents? Have you increased reporting of security awareness? So, what was the goal of your training? And whatever the goal of that training was, did you meet it?
[Hadas Cassorla] I do like the metrics part of that answer. What I tell my people is that the more people who come to us with, “Hey, does this look like phishing?” Or, “Hey, I’m a little… This seems wonky.” The more people who engage the security department with questions about things that look weird then that’s how you know.
[David Spark] Excellent. All right, from Cassandra Perry, also of the Idaho National Lab. “One tip for training upper management that has no time.” Now, let me ask you this question – have you had a situation where someone in upper management had one of their underlings do the online security awareness training for them?
[Kathleen Mullin] I can neither confirm nor deny, but what happens is we actually went back and looked at the IP addresses that the training was taken from and were able to validate that they did not take the training. But the other thing is with executives…
[David Spark] So, they did have someone do it for them?
[Kathleen Mullin] Right. But the only thing is with executives, we don’t actually make them do the online training. We actually do in person specialized training.
[David Spark] Okay.
[Hadas Cassorla] That was going to be my advice. I think most of your security awareness training should be in person or should be conversations, or articles, or blogs and not the… The security awareness training platforms you should have. You should have the annual training. But most of your day to day training should be just conversations about security.
[David Spark] So, open conversations. I like that. All right. This one comes from Andrea Kittelston, who is with Rockwell Automation. We actually…this week’s episode of the CISO Series Podcast has the CISO from Rockwell Automation on – Nichole Ford. But Andrea’s question is, “How are you improving…?” And I don’t want a global answer so just give one answer, one tip here. “How are you improving the communications between the incident response teams of your product team and the cyber team?” Essentially how are you getting them to sort of communicate better together about IR.
[Kathleen Mullin] Our teams actually meet regularly. They have open conversations, and we use our internal chat system in order for them to communicate and talk. So, there are no obstacles.
[David Spark] None? Oh, so you got lucky.
[Kathleen Mullin] We did.
[Hadas Cassorla] I make sure that my company stays real small.
[Hadas Cassorla] Just kidding. We all know each other. And part of my team’s job is to reach out: each person on my team has to reach out and have a half hour conversation every week with somebody that they don’t know or that they don’t talk to in the company. Every single week they have to do that with at least one person so that we have open communications with everyone.
[David Spark] I like that. I like that a lot. All right, this next one comes from an anonymous person. Now, I know who this person is, but I’m not at liberty to say who this person is. All right, “How does your integrity, your company’s integrity, and loyalty shift when you outsource your security?” Now, the person who asked the question thinks it definitely does shift because they think about their partners like, well, “I’m not part of whatever this company’s mission is so I don’t care as much about their security as mine. If I’m thinking that way, they must be thinking that way about us.” So, the CISO doesn’t believe because there’s all these sort of checks and balances in the situation, but the questioner does. What do you think?
[Hadas Cassorla] I think that it does absolutely shift. I think that’s why you do trust but verify, and maybe not even trust that much but definitely a lot of verify. I also think that you have to make sure that when you do the verification that they have things to report to you and that you remind them that you’re paying them to do a job and that you can pay somebody else to do that job. Some other vendor to do that job because there’s a million security vendors out there who want your money, your business’ money. So, you build a good…
[David Spark] Some of them in this room in fact.
[Hadas Cassorla] Yeah. And you build a good rapport with your vendor so that they want to work with you but you also let them know that no contracts are longer than a year, maybe two if it takes a lot of integration in your environment, and that they are always, always on the line for being cut out of your environment if they’re not delivering.
[David Spark] Good way to handle a marriage as well. Kathleen?
[Kathleen Mullin] Yeah, so there is a difference. But part of it is making sure that you actually have reportable SLAs and metrics that within the contract you’ve actually defined what it is that you want them and need them to do. Because at the end of the day, if they’re not doing what you need, you are going to have to break that contract, and you may have to break it fast. And what happens is if you totally outsource, bringing it back in again can be really painful. So, you need to make sure when you outsource that you have not broken your internal first. And then the other thing is the big question that I’ve seen is if you are outsourcing, are you getting rid of your internal resources, or are you repurposing them. And in the organization I’m in, we actually did repurposing.
[David Spark] All right, three more questions. Let’s do these as quickly as possible. These are kind of global questions, so give me snap answers. From Radiris Diaz of National Grid, “How do you get people to care?”
[Hadas Cassorla] I pay them.
[David Spark] No, you don’t. You don’t pay them, do you?
[Hadas Cassorla] I make sure that they understand that the work they do is tied into the…the day to day work they do is tied into what the company is doing. I think that that creates engagement and helps them care.
[David Spark] All right.
[Kathleen Mullin] I work for cancer treatment centers.
[David Spark] Yeah. How could you not get them to care?
[Kathleen Mullin] Yeah. I’m sorry. Everybody cares.
[David Spark] Yeah. [Laughs]
[Hadas Cassorla] I work for a finance company. Everyone cares.
[David Spark] All right. From Sorin Constantinescu of Carrier, “How do you know who to hold responsible for an issue? The systems or the people? What are the telltale signs you look for?”
[Kathleen Mullin] Well, I’m sorry, I go back to the beginning. It may be for the most part it is your systems, your training, your processes. It is rarely your people.
[Hadas Cassorla] I just hold myself responsible. I mean that really sincerely. I celebrate achievements. I celebrate others in achievements and in the good things. And if something goes bad, it’s my fault. And it’s my opportunity to fix.
[David Spark] All right, very last question. This comes from Todd Eberwine. He’s also with Carrier. This is a big one, I think. So, we’re going to close, and you better give me an awesome answer. You’ve been doing great so far. This is your closing question.
[Hadas Cassorla] Thank you.
[David Spark] “How do you make people feel safe to report or ask? Because people have their personal risk that they fear. And how do you make them feel safe?”
[Kathleen Mullin] So, I reward people for reporting, and I let it be known that I reward people for reporting. It is either a training opportunity or it is a solve the problem opportunity. But there is a reward for reporting.
[Hadas Cassorla] I have set up an environment in my company where I blog about issues that we have found, and it started with reporting something that our CEO did wrong. I think that that made people feel real safe because it’s not about who did what. It’s about this is the environment, this is the situation, and everybody can miss a thing. Everybody can be hit.
[David Spark] As Kathleen mentioned at the very beginning in fact. Taking down the runway at the airport. Way to go.
[Kathleen Mullin] Yeah.
[David Spark] Let’s close this sucker up. Thank you so much. I want to thank our audience.
[David Spark] Thank you so, so much. All right, so big thanks to our sponsors who are KnowBe4, Cofense, and Terranova Security. Please go check them out. If you’re here in the room, they’ve got booths here in the room. If you’re listening to this when it’s released, they’ve got websites as well. You know where to find them. And if you go to our blog, you can find links to all their stuff as well. I want to thank Kathleen, who is hiring as well, who is at the National Cancer…
[Kathleen Mullin] Cancer Treatment Centers of America.
[David Spark] Not National, just Cancer Treatment Centers of America. Hadas Cassorla, who is the CISO at M1.
[Hadas Cassorla] M1. It’s a finance company.
[David Spark] It’s a finance company. And you are not hiring because you have a fully staffed security team.
[Hadas Cassorla] I am fully staffed, yeah. M1.
[David Spark] And I want to thank the producers here, Lisa Plagamire [Phonetic 00:43:52] and also Cliff, who helped put this whole darn thing on. So, let’s hear it for them as well.
[David Spark] We greatly appreciate it. The National Cyber Security Alliance, staysafeonline.org. And whenever they have the next Convene Conference… They have events all over the country all the time, so check them out. Please attend. Thank you very much.
[Kathleen Mullin] Thank you.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@CISOseries.com. Thank you for listening to the CISO Series Podcast.