CISO Competency - Security

59 minutes
Video Transcription
Okay, I think we're set to go. Welcome, everyone, to Competency Four, Security: The Effective CISO.

All right, Leif, did you want to take a couple of minutes before we get started and just share with the group a little bit about Cybrary for Business? I think it's probably pretty consistent with some of the things we talked about last week. I think it would be great for you to share a little bit about that, and then we'll get started with our lecture today. So, Leif, share with us a little bit.

Yeah, absolutely. Thanks, I appreciate it. So as we covered in session two, Finance Administration, sometimes you're looking to lower your budget this time of the year. One of the ways that you could do that is by looking for alternatives to your professional development. So, for example, sending one person to a course for a week sometimes costs you, like, $7,000, and you lose that person for the week. For only $828 per person for a whole year, you can sign up for Cybrary for Business. It's the fastest growing catalog in the industry. We have over 5,000 hours of content across a number of different work roles. Over 50% of our content has been created in the past six months, and some of it is from Ed, who obviously has done a fantastic job. And we'll reach out to you at the end of this call to see if you want a demo of the product. I'm looking forward to it, and with that, Ed, why don't you take it away?

Well, that's great. That's a short and sweet advertisement. I have a lot of respect, Leif, for you and the team. You guys do
a nice job. This is such a great experience. For those of you wondering what I'm doing on these courses: Leif and I are friends, I found out about Cybrary, and this is the second course I've done. I love it because it gets me access to a big group, and it seems like the people who are part of this community are very like-minded. It's not like some things that I've done in the past that have these big audiences, but a lot of times it's a lot of people who may be somewhat adjacent to our community. It seems like you guys have done a good job really reaching the enterprise security professional, and those are the people who I think enjoy and, hopefully, benefit from the material that we go through here. So I put a lot of time into these things, and Leif and the team have been helpful with them. I'm glad you guys are doing it. I really do hope you're enjoying the course.

What I was trying to do, and I know a lot of people listening here do courses as well, and I know this sounds a little weird, but I just always try to create courses that I think I would enjoy. And maybe that works, maybe it doesn't, but I always think, all right, is this... Like, I look at every chart and I think, is this boring? Is this repetitive? If it's either of those, I get rid of it. And then, you know how when you're giving a presentation and, like, chart five is your favorite one? You can't wait to get to chart five. It's great, there's a great story. The trick in giving great courses or presentations is, if every chart is chart five, then you love doing it. If one through four are kind of boring but five is great, get rid of one through four and think up more fives. So it's like, here's how to become a millionaire: first, get a million dollars. I know it's not that easy to do, but as you teach, cut out all the boring stuff and stick to the things you really enjoy. Make sure that each little bit of your lectures is stuff you can't wait to get to. So again, I hope you guys will continue a relationship with Cybrary. I think it's a very fine company.

Now, competency four is security. That sounds funny, because the S in CISO is security.
But I think it's important to recognize that there are a lot of security executives who don't really know much about cybersecurity. We're in a new discipline. This is new. In fact, I'll bet a lot of you listening are probably in a position in your company where you're the first person to hold the job that you do right now. That's an interesting thought, right? Maybe you run incident response for a retail company. I'll bet you may be the first person to do that, and you're forging new ground. And if you're not, you're probably the second. You know, there are three or four generations of people, in most cases, who have done the job that you do right now. So it may be that in some cases, getting people into positions requires some recruiting from adjacent areas. So I want to talk to you today about how you stay up on cybersecurity, what some techniques are.

You know, here we go: our statement that we always use at the top of our lectures here. Effective CISOs serve as the senior-most expert in cybersecurity for the organization. So that means, and again, whether you're the CISO or just a part of the management team or anybody, you are seen as an expert, and you have to be ready. You have to understand stuff. Let me give you an example. There are topics that people just presume that I must be an expert on because I worked in telecom, and sometimes they're right. Like, I've had people just stop me out of the blue and say, Hey, I'm in an argument about BGP routing, you worked at AT&T, and then they'll say something really technical. And if I know the answer, I'm very happy. But sometimes I don't. It could be real obvious stuff, like somebody asked me right out of the blue, Hey, we're reading about SIM swapping, can you explain it? And I sort of could, but it wasn't my best explanation. I was mad at myself. I thought, that's what I'm supposed to hit out of the park: explaining SIM swapping. Give me a break, look, I spent my whole career in telecom. So there's something to making certain that you are always ready, as the senior-most executive in the company, or just as an executive in the company, with the ability to do the kinds of things that you need to do to answer tough questions, whether it's from the board or from your management team or from customers or whomever. It's an important role as a CISO. It's something we're going to spend a little time on.
Now, I want to say something kind of fun. If I walked into your office, what would I see on your whiteboard? What would be there? And if you walked into mine, you'd probably see something like this. I don't really know what that is, what A, B and C are, but they're apparently connected to a firewall. If you walk into someone's office and you just sort of nose around a little bit, there's something to that. And as the senior-most person in cybersecurity, it's a pretty good idea to just go in and look around your office and see if you act that way. Maybe, you know, I don't know, maybe you have nothing in your office, just corporate art, or maybe you have a bunch of books on finance. Or maybe, I don't know what you've got. If you came to my office, you'd see a lot of tech stuff. That's me. But there's something very symbolic about the senior-most expert, or anybody who's an expert in a company, having in their environment, the visual environment that they work in, some evidence that they do think about cybersecurity, that it's something that they spend a little time on.

Now, in my own consulting business, I created this thing here. I actually taught a course on Cybrary on this, where I listed out 50 things that I think you need to know.
People say, Is it the NIST framework? No. Is it a control framework? No. They go, where's SOAR and GDPR, where's all the things that I see from Gartner? No. This isn't Forrester, this isn't a Gartner thing, this isn't for the vendor industry. This is for you guys. This is if you want to be smart in enterprise security. I really, over the last few years, have tried to think through what you need to be able to answer questions on.

So let's just take a couple of examples. If somebody comes up to you and asks you about DLP and UEBA, I really hope you know what that stands for, right? I mean, if you don't know, you know, DLP... but many of you know UEBA. Or what if somebody asked you in the cafeteria line, Hey, you know, such and such, you're our CISO, what's the difference between UEBA and UBA? And my answer would be there is no difference, that they're just, you know, different companies that might like to use the E because it maybe gives them entrée into the IoT market. You make a little comment. And there's generally great comfort that the senior executives in the security team know things like that. If I went, I don't even know what that stands for, I believe that undermines your whole program. Now, I know that sounds funny, but I really do think it undermines your program if you don't know what something is that's basic. Then I think you have no right to run the organization. Some of you may disagree. There's a whole collage of different opinions about this, and I throw out some things here that might be a little provocative. You should have an opinion.

But, for example, go down here to, I don't know, multi-factor authentication. That's an easy one. But we all know that there are great nuances there, like, is it reasonable to have two or three different forms of multi-factor authentication in place across the company? Is that a good thing or a bad thing? You might say, Hey, man, why do we have three different multi-factor authentication solutions? And if you're asked that question, you should know the answer, and the answer might be, well, we shouldn't. We really should just have one. We should be using Duo, or whatever. Or maybe there's a reason why you have three different ones. There might be some diversity advantage to having three, but you should know something about that. Look, DMARC. I hope you know what that stands for. And if you're publishing records, great. If you're not, then you need to explain to me why. You know, the senior-most person needs to know all of this stuff, and I put a bunch of other things in here that you'd never see in a framework, like, you should know what information assurance is, because that's the flavor of cybersecurity done in government. And if you're anything above a small business, you are going to be dealing with government. You should understand how information assurance proceeds, say, in the DoD environment versus cybersecurity in a banking environment. They're a little different. You should know the advantages and disadvantages of dealing with a value-added reseller to buy security equipment.

So these 50 controls, you can get them on my website, and Leif can point you to the course I taught on Cybrary, but this is your crib sheet. You need to know these things. You need to have an answer to each of these, in my opinion. Now,
let's go back, and I want to sort of bring you maybe back in time a little bit, to this guy. This is Mr Tompkins. But here, this is a great physicist, name is George Gamow. And he may be my personal favorite physicist, and I bring up physics a lot because I was a physics undergrad, and it's still my favorite thing to read. Like, if you see me on the beach, I've got some geeky physics book. But George Gamow lived at a time when it was considered, you know, kind of socially unacceptable to be ignorant of technology and of physics. Say, from 1919 to 1930. But he was very excited by that. If you went to, like, a premiere of a Charlie Chaplin movie, it wouldn't be unusual to see, like, Einstein at the premiere in a tuxedo. So people were very excited about, you know, the changes in physics. I think we have a little bit of that intact, like we probably worship Elon Musk, and, you know, there's a lot about Zuckerberg and others. But in cybersecurity, maybe not so much.

Let me tell you why this is important. What Gamow did in his books, like Mr Tompkins, is he tried to explain to a lay audience what these complex technical issues are. And for you as a senior executive in enterprise security, it's your job to have the ability to explain things in a way that people are gonna get, you know? I mean, look, some of the things we do are necessarily complicated. Like, what Gamow did was he invented this cartoon guy, Mr Tompkins, and Mr Tompkins has these escapades where Gamow puts Tompkins in a little scenario, and Tompkins sees the world in an exaggeration of relativity, for example. So you see what happens when one person's moving quickly and the other person's moving slowly, and they age at a different rate, or time passes differently, or you get these relativistic kinds of views that are exaggerated, where, you know, we don't notice these things in our day-to-day existence. But Mr Tompkins lives in a world where you notice them, and it's a beautiful, very sweet book. I forced all my kids to read them. They probably were mad when I made them. I hope at some point, as they get older, they'll come back to it.

But I think there's a little bit of George Gamow that you need to have as a chief security officer, as a head of compliance in a large organization, or just as a manager or supervisor doing cybersecurity. You want to be able to explain things and not use the jargon that makes all of us so darn comfortable. Look, I get it. I'm a jargon guy too. We like to talk in things that make ourselves comfortable, and the things that, you know, in some sense are... you know, that's the fun of doing cyber. But let me give you an example. Like, a lot of times I'll be talking to execs and they'll say, I don't get hacking, you know, I don't get why.
Why is it so hard to deal with hacking and stop it? Why is that? And here's an example of something that I've gone to many times. This is an old vintage Vendo soda machine. This one works great with board members, because board members used to put 10 cents in these things and buy a soda. It's the kind of machine where you can get your hand on the tip of the bottle here. You know, you can get your hand on there, you try and pull it out, but it won't pull out. You put 10 cents in, and you pull it out. I've always explained sort of cybersecurity in this context, and I'm showing this to you now. I think I've already shown this; I might have even had this on before. But I wanted to reprise this one, because I think it's so important for your explanation, when you show somebody what you could do here to crack this machine. And the obvious crack is you pop the top off the bottle, you put a straw in and you drink out all the soda. So when you do that, you don't put 10 cents in, you open the door, you pop the top off the bottle, which you can't pull out, but I can pop the top, put a straw in and drink it. I got it.

But the question is, how would you solve this? And I love posing this to groups and to executives who don't get cybersecurity. And you go to a whiteboard and you take your marker out and you say, All right, how would you solve this? Let's say you're not an electrical engineer. You're just a shop owner in a candy store. Tell me what you would do here. What would you do to solve this? And then I wait to see what they say. You know, somebody inevitably will say, Well, how about you put a camera up? And I go, Great, all right, you put a camera up here, and what does the camera do? It points down, and it keeps track of somebody stealing soda. And you go, Okay, well, I would have to believe that you're actually sitting there monitoring. And if I'm some little dude, some little kid, what do I care? I come open the thing, drink the soda, wave to the camera, walk away. What if you saw them? Furthermore, how much does that camera cost? And where do you store the tape? And who are you paying to review the stuff? And all to save 10 cents. Like, is that really worth it? And by the way, do you hide the camera or do you leave that blinking light so they get some feel for it? Detection and monitoring is about some of the issues we worry about.

Other people will say things like, Well, why don't you move this thing from the outside to the inside and watch? And then you show that maybe you might be reducing revenue a little bit if you introduce impedance to commerce because of security. This thing was out on the front curb of a building, like this machine used to be out in front of a gun shop in Neptune, New Jersey, where I grew up. By the way, putting a camera outside the front of a gun shop is a little dubious. But, you know, there are all kinds of things, and what we usually come to is that the most effective way to stop this is to put a little sticker, a little sign here, telling kids to cut it out. But yet be careful. You can't say, Hey, you kids, quit popping the top off these bottles and drinking all the soda, because you just told them what the hack is. But if you're too vague, Hey, you kids, that thing you're doing, and you know the thing I'm talking about, stop doing that thing to the thing, you know, like mobsters talking in movies, that doesn't work either. But a little sign that says, if you tamper with this machine, then I'm going to call your mother, or something like that. That may be the cheapest, simplest thing. I could do it at almost no cost, and maybe you cut out half to two-thirds of the problem. You might still have it happen, but you get the point. This is an example of the kind of thing that this guy was doing with relativity: creating fun, kind of appropriate-to-the-era narratives that help people understand a little bit about the cybersecurity challenge. So you should create and use things that are consistent with that.
Now, the way I think you should think of yourself, in the context of maybe your aspiration to be in the big CISO role or to be in one of the senior executive roles, is I think you should want to be like this guy, Walter Cronkite. I like Brinkley's biography of Cronkite. Here's Walter Cronkite, who looks to be looking over the shoulder of a military or space expert in front of a console, and he's learning enough to be able to report back to others what he learned. And that's the essence of being the security executive. I can't tell you how many times in the last 20 years that's been me, leaning over a console with somebody saying, Oh, Ed, here, look, let me show you. This is the console I use. Here's how we collect our data. Let me bring up a little map here. This is how we, you know, graph the alarms. And when they do this, we do that. And when we see that, we do this. And I'm sitting there nodding and taking notes, and if you're doing it right, then you absorb it and you bring it back to others. You get the point. Like, Cronkite is not the guy in front of the console. Look at his face there; he looks engaged. I loved Walter Cronkite, man. I would give anything to have more Walter Cronkites back on TV. Granted, the guy only had 15 minutes. He had to do it every night, four nights a week. So it's a little easier than all the news we're barraged with now. But I always tried to sort of be like that, to be interested, to want to learn, to really be emotionally connected. You watched him report during the Apollo missions, the big one, Apollo 11. The guy was basically emotional, looked like he was gonna break down crying, he was so excited, like a little baby there. You should be like that. You should be interested in what your team is doing and let them see that you're absorbing it, and that you're really trying to take what you learn and bring it back to budgeting, to setting priorities, to making sure the organization's headed in the right direction. You need to be a little bit like that Cronkite guy.

Look, I don't want to carry this analogy too far, but you probably ought to learn to read off the teleprompter too. If you're doing it right, you probably should be talking to your team via video. I'm always amazed how many don't. If you're anything but a team with three or four people, you know, if you have 20 people, then they're all scattered around. Twenty people, you've got to communicate with them. I think video's a good way to do it. And that's why I bring up the Cronkite thing, you know, because he's the obvious thing, he's on TV every night. I see no reason why you shouldn't be on TV as well, or find some way to communicate. I think that building a little studio, if you're in a bigger business, has now become almost trivial. I don't know, this may sound ridiculous to you, but you really could easily get yourself a camera and a backdrop in your office or in a conference room, and you can stream to your team. And whenever you have something to say or you want to communicate, you stream it out. Now, to do that, you shouldn't be talking about silly stuff. You could, you know, be like Cronkite. You've absorbed what you've learned.

Again, all this stuff back here, these are all the things that you're gonna need to do if you want to be an executive. You need to know what pen testing is and what continuous simulation, like breach and attack simulation, is. You familiar with that? You better be. You better know something about insurance. You better know something about cloud. You better know something about AppSec. You better know something about vulnerability management. You better know something about what a WAF does, and on and on and on. But you don't have to be an expert. You can be this guy. You really can be Cronkite. You could be absorbing it, because this guy in front of the console is showing you. And then how do you push that back out? Are you gonna have meetings and everything? But I think you should also learn to communicate back out with your team this way. I just think broadcasting is such a wonderful way to demonstrate to your team that you're absorbing and you're pushing back. So that's just an idea. But try to be like him as much as you can in areas that you may not be expert in.

Now, there's another guy, my favorite guy. I don't think there are any books that are must-reads if you're a technical person, but this comes close.
So look, I want you to listen to me. If you've not read this book yet, then you need to go buy it. So when we're done, when we finish with this lecture, you know, about a half hour or so and we'll be done, and I have a very cool guest jumping on in 20 minutes that you're gonna love, a good friend of mine. When we're done, at two o'clock Eastern, I want you to go on Amazon and buy this. I'm not getting royalties from it, and Professor Feynman died some years ago, so I don't know where the royalties go, but it's such a delightful book, and there's so much about cybersecurity in this book. It's incredible. Like, he's a guy who was cracking safes. So let me give you a little brief summary of the kind of fun that you'll see in this book.

He noticed, back during the Manhattan Project, and yes, the Manhattan Project, meaning the atomic bomb, he was a young physicist working, you know, at Los Alamos on that project, and he noticed that everybody had a safe, a physical safe, in their office. So in those days you didn't have the kind of safe where, when you opened it, it randomly spun the dial. You'd open it, and it would remain on whatever the last number was that you had turned it to before you opened it. So he could walk into everybody's office, look at the number, and note that number as more than likely the third number in their combination. Which means that suddenly, if he's, you know, over a period of time collecting these numbers, well, then he probably has a pretty good idea of number three, which means, you know, he has a combination that has two numbers that need to be guessed. He noticed that if you did that over a long period of time and you just jotted down the name of the person and the number that was there on their safe, over time you probably would get the first two numbers too, because people would turn to the first number, slide their chair, wait, answer the phone, not go back to it. And it was his theory, and he proved it in practice, that if you did this over a period of time, pretty soon you'd have everybody's name and you'd have three numbers, and by looking at the frequency of the numbers, you'd probably have a pretty good idea of what the three numbers were.

So when he got reasonably confident that he could get into a bunch of safes, he would wait, because it was a regular occurrence that people would forget their safe combination. So he started telling people, Hey, I can open safes, and people would be laughing, Oh, you're crazy, Feynman. Or they would say, Surely you're joking, Mr Feynman, which is where the title of the book comes from. People always thought he was nuts, but he would say, Yeah, I can. And then a guy would forget his combination. He'd go in, he'd know the three numbers, but he wouldn't tell him how he got it. He'd put, like, a stethoscope up on his ears. He'd tell everybody to be real quiet. He'd hold the stethoscope up to the safe. And then he'd turn to the first number, then turn to the second number, then turn to the third, telling everybody to be quiet. And then he'd open the safe very dramatically to a large gasp from everybody in the room. And is that Hacking 101 if you've ever heard anything? I mean, that is so funny to me. Like, it really is the essence of what the hacker does. It's sleight of hand. It's being mischievous. It's fun. It's just a delight. Like, if you delight in that kind of hack, then you do what we all do for a living. I'm going to guess two-thirds of you on this call were brought to this discipline because you find sheer joy in that kind of thing.

So you're going to enjoy the Feynman thing. By the way, the footnote here where that all ended is, he went to the military brass and said, Hey, you gotta tell everybody, we need security awareness training here, to spin the dial randomly, or we need new safes, or whatever. And what did the military do? They issued a proclamation to not let Feynman in your office again. It is exactly the way people tend to treat, you know, hackers. It's just so darn funny, and just such a great book. So buy the book, and share with us, drop us a note back, and let us all know what you think about the book. I think if you read it this summer, you're gonna have a lot of fun with it.

So now, I said earlier
that security people can be a little mischievous. Let me say one thing first. I'm gonna talk to you about a couple of books. You should read them. We'll get to the mischievous part. Look, here's the... I feel like I need to show you this. Steal This Book by Abbie Hoffman. Look, I'm gonna give full disclosure. It's a crazy book, like it's got bomb recipes and stuff in there. So maybe I'm being a little mischievous pointing to this book. If you're offended by that, don't buy it. It was written in 1970, but it's a really spectacular read. And some of the real basic things in cybersecurity were invented there. Abbie Hoffman was the guy who said, when you're writing a letter, a paper letter, and dropping it in the U.S. Postal Service, they called it the U.S. Post Office then, I mean, when you do that, if you're writing to your mom, then just put your mom as the "from" and you as the "to", and don't put postage on, and they'll return it to your mother, postage unpaid, and she'll get the letter you meant to send to her without you putting postage on it. Things like that. Like, that is pure IP, TCP protocol hacking. It's just spoofing. It's so awesome. But again, there's weird stuff in that book. I like it, but I'm being a tad mischievous in recommending the book, and I hope none of you are offended by it. Don't buy it if you think that there are curse words and stuff in the book, whatever.

But here's one I wrote with my son a while back. Don't buy the paper copy of this. It was written to be a Kindle book on Amazon. It's this weird thing: when you do a Kindle book, they want to be able to generate a printed version, because people like to buy the paperback, and the printed version was terrible. It took me a month to try to reformat it to make it look halfway decent. I hadn't written it for print. I wrote it for your Kindle, in a form that's great on Kindle. The paperback is acceptable now, but, you know, I didn't want people paying a bunch of money for the paperback. You can get the thing pretty much free, or whatever, nine bucks if you want to get it. So I'm not trying to get you to buy a book here. I'm just saying that there are a lot of things you need to do. You should be regularly reading books, and it shouldn't be textbooks on cybersecurity. It should be things about cyber and things that are interesting sort of sidelights, like Steal This Book. If you read it, you're gonna have 100 anecdotes that you can use to help people understand complex topics.
Now, I want to show you one more thing before we get to, um, our case study,
cause we're, uh we're getting close to, uh I want a case study. They want to get to David,
our guest in a few minutes. But
when you're giving presentations, you know, a security expert there is a presumption that you, as the expert,
are going to be boring.
and we're all guilty of that, right? If you are a technical person, if you're a security expert, if you're any kind of expert,
then there is the sad fact that most of the time
your presentations are going to suck. You know, people are going to just think you're
talking over their head. They almost gonna roll their eyes when the quote unquote expert rolls in.
Because you're not gonna understand anything.
Well, you have to combat that a little bit again. The whole idea here is to serve as a senior most expert, but also be approachable.
So my favorite thing when I'm giving presentations, I always have a little joke.
And this is a recent one that I've been doing. Like I'll get up to give a presentation
and I'll start with this
like a comprehensive three Q 2018 detailed year of year enterprise information, security analysis and expert review programs, performance operation, technical trends, cyber threats and best practices.
These are all my fancy affiliations. Document unclassified. This is what you're expecting from an expert.
And after people absorbed that, I always say, Nah, like, I'm not gonna relax. I'm not going
make you look at this nonsense. Don't worry, I'm not doing that. And then I put something like that up. You crazy? Walk through cyber. And then and then they go on. They see that
what we d'oh in cyber security
is fun and mischievous. Look at just a reality. If you're not a little mischievous, you're not doing this right.
You're not an expert here in military radar.
That could be a little dry.
You're an expert in hacking and in cyber security and in tampering with technology.
So you have to have a little mischievous component. If this is what your presentations look like,
then God help anybody who's got to be around you every day, because you're probably boring them to tears.
That's not the fun of what we do. We're trying to be a little mischievous here. We're dealing in a topic
that is, you know, about tampering. That's why, again, I say, Look, we're really gonna do a crazy walk,
and people generally start laughing. They think, Oh, I get it. This is actually kind of fun stuff. This is not just dry, boring tech.
And that's part of the messaging as an expert around cybersecurity. So what have we set up to this point? I've said you've got to know all this stuff. There's a lot of just facts that you need to know. If somebody comes up to you and they say, Hey, what are the recent trends in digital forensics? then
you gotta somehow, you know, know something about that.
You better know what EnCase is. You better know, you know, at least enough to get through. But by the same token, you want to be doing it in the context of somebody who's absorbed it from the experts, and you get it in your head and you can report it back.
But you should be doing it
with the spirit of Feynman. We're having fun. This is security. This is not like military guidance systems. This is hacking and dealing with crazy cybersecurity issues. So that is the challenge here as you jockey and try and become,
um, you know, a senior executive: you do need to know tech. You do need to be an expert, but you can be a Cronkite. Take facts from where you're absorbing them and push them back out there. Enough. Everybody got that?
All right, as we do each week, we're up to our fourth installment in our little saga with Emily, um, as she goes through her little discussion with the team.
And let me just sort of summarize this week's case study before we get David in on this one. I have Emily again. She's talking to a group of CISOs. You can all see the narrative here. And I hope you're reading these.
And what happens is she, you know, she references a friend of hers, Dave. Somebody asked her, You know, how important is it, you know, whether CISOs need deep security knowledge or if they can just hire smart people to do the actual work? Um, and Emily says, Well, I've got this friend,
you know, I want to tell you about, who took a job and became the CISO
in an organization where they didn't really know a lot about cyber, but it didn't matter. They told him, no big deal. You're a pure manager,
but you'll pick up security. So he's in the position. And then he's got to go to a managers' meeting. He flies out to Dallas, and all the managers, their management team's there.
And that evening,
all hell breaks loose in their data center
and there's a big attack and a really important application goes down. And for, like, 20 minutes, the whole thing is down and everyone's going nuts. And it turns out part of the problem relates back to a public key certificate,
and I bet some of you are laughing, because I could tell you how many times
public key certificate expirations and things have caused me problems.
But the point is that they're all at this meeting. They get it fixed. But the CEO's pissed.
Everybody's angry. They've eaten dinner, and now they're gonna go have an evening meeting, and the CEO calls Dave and says, Hey, listen,
we're gonna be meeting in a few minutes. Would you please come down here? We'd like a little tutorial
on public key certificates and what broke here. What is this?
And Dave breaks into a sweat because he really doesn't know
like he's frantic.
He gets on the Internet, he's just looking around reading, Oh, my God, Oh, my God! Oh my God!
And it occurs to him
that he'd mentioned to the CEO
that his wife was going for some minor surgery. He knows it's not today,
but he thinks,
Do I just say, Hey, listen, I've got an emergency, you know, exit stage left? Because if I get up in front of these execs and show that I don't know anything about public key certificates,
am I going to look ridiculous?
So I have Dave sitting down. He's got notes on the pad. He's got 15 more minutes to go into that meeting,
and he looks in the hotel bathroom mirror, looks at himself,
and he decides what he has to do. And again, that's where the case study ends. It's like, what does Dave do?
So first, you know, the discussion is: is it reasonable that Dave is a CISO
and doesn't know what a public key certificate is? Well, a lot of you would say you should know. Like, look, I have back here,
I have public key infrastructure, PKI, and CA type
controls as one of the things that you need to know something about.
Uh, where is it up here? See, PKI solutions, number nine.
Obviously Dave did not read, you know, my material. If he had, he would have spent some time learning about what a certification authority is and what PKI is and what a certificate is. And he could have gone into this meeting and said, All right, let me give you a little summary on the difference between conventional cryptography and public key cryptography.
Here's what a CA does.
Here's why certificates are used to pass public keys around, and it's kind of a mess because infrastructure's tough, and you talk about the challenges of PKI, blah, blah, blah. I could explain that in two minutes, and the whole team would be nodding and going, I got it. But here's Dave, who can't.
So that's the problem. The other question: should he go into that meeting? You know, that becomes a real problem.
Um, should he try and get some expert to dial into the meeting and explain it? Should he
be honest and say, I have no idea what a certificate is? And the question is, what would you do if you were Dave? Would you go in there? And do you think that it's a requirement
that a chief information security officer like Dave
would be capable, on an evening, of answering questions? This may not have been a certificate.
It might have been a problem with the firewall,
and, you know, everybody sort of knows at a high level what a firewall is. But let's say it's some weird, you know, next generation firewall orchestration
issue between multiple gateways that are orchestrating policy.
Well, then you better be able to explain that if it breaks, and if you don't know how to explain it, then you've got a problem.
So there is a requirement
that you have some level of technical understanding. You do not have to be a developer. You don't need to know how to write the firewall rules for a Palo Alto
gateway, but you should know how these things work at a certain level. So that's our case study. And as we always recommend with our case studies, I hope you take these things back to your team.
Go through them. A good pizza discussion, where you explain a scenario and have people sort of discuss and debate the kinds of things that would make good sense. So with that,
Leaf, do we have our guest on the line?
Uh, yes. Uh, David,
you there? David?
I'm here. You guys can hear me? Ah, we sure can. We sure can. Okay, I've got a picture of you here over a Bed Bath front. David, I'm gonna give you a minute, just maybe introduce yourself a little bit, and then I'm gonna ask you a few questions. But first, tell the folks a little bit about yourself.
Sure. Hi, everybody. I'm David Ortiz. Um, I oversee information security for Bed Bath & Beyond.
Um, we're located in New Jersey. Um, I've been with the company, um, a while, in a lot of different roles, I would say predominantly information security, um, about seven years.
That's wonderful. And David, I've bragged about the fact that you and I are friends because I think you are one of the best in the business. You have that
rare combination of technical and management and understanding of compliance. I think you're an awesome role model. And I appreciate you taking a few minutes
to share with our students. Everybody's eager to learn from you, so thanks. Thanks for making a few minutes. Really appreciate it. Ah, you're too kind. Well, I'll keep being kind as long as you keep doing a great job. So, but I guess in some sense,
you know, we were talking a few minutes ago. You probably listened a little bit
to this. Um, this question of
how deep does your security expertise have to be as a CISO? All right. You and I both have friends in the business that are super gearheads, and we also have friends that are, maybe not, you know, maybe a little more surface. What's been your experience? Like, how important is that? Do you think, in your role, is it a requirement for all of us
to have a pretty broad understanding of most of the topics that pop up in cyber? What's been your experience? So I'll be honest with you. When I read the case study and I saw the name David, I nearly did break out into a cold sweat. That was an accident.
Yeah, the irony of us talking today with the case study and the name Dave in there, in retail as well. I'll assure all of you, we had no issues with
any systems, applications or websites in the last 24 hours. So that way we all walk away with that funny collision. I should change it. Pretty, pretty ***.
Um, so I believe you need to be able to research and go deep on a particular topic. I have been in that, um,
certificate conversation. I've been in
other conversations as well. Um, and yeah, you got to keep it high level, but at the same point, you have to be able to go deep.
I would say, in your role as CISO, you're going to acquire the knowledge of security in many areas. And for some of you, I believe, as you aspire into this role, you're definitely not gonna have that knowledge at first. But I want to
say that cybersecurity is a business unit, right? And I always like to say, even if it reports up to information technology, um, I would say treat it as a business unit.
And as part of that, you also need to be versed in areas of your business, right? Each organization's a little different, but, you know, some of the ones I would point out are legal, um, who sometimes runs the privacy areas. Sometimes privacy goes to the CISO itself,
um, risk management is an area I spent a fair amount of time with, as well as finance and internal audit. So those are things, you know, you can learn tech, and folks can learn tech. But you have to be able to talk to the finance people, the internal audit people, and those digital and marketing people as well, if
those are aligned to the business in the organization. So,
um, it's important; you're gonna gain that knowledge. But at each point you have to know a fair amount of it. But you're not gonna be that gearhead every single time. There's only a few special people out there that could do that.
David, how important is it to have analogies, things that resonate
with groups of folks, like the ability to explain a complex topic using
stuff that
people will understand? Has that been something you've spent a lot of time thinking about?
So storytelling is a big topic in our industry, and I always like to say, know your audience.
So going in to speak to human resources, um, and finance, it's probably going to be two different conversations, and you want to know your audience, right? If you're going in to talk to
an executive group or a board of directors, again, know your audience and tailor appropriately, right?
Um, tell the story. Try to relate it as a story, um, back to the human resource area or some type of, you know, relation to the finance team when you're trying to get your point across for a particular area.
What do you do to keep up, other than maybe just a lot of program briefings from teams? Are there some things that you recommend people do to stay current on
tech topics and related issues?
Yeah, research, read the news. Talk to other people. Um,
you know, I always keep, you know, third parties or vendors at arm's length. But whenever somebody reaches in for a conversation, um, I always have a question I want them to answer by having them in the conversation. So if they came in to try to sell you something, maybe, but I had a reason for having them come in: to answer a question for me
that I was researching at the
time. But,
um, I definitely stay current on what's going on. There's a lot of information out there, and you'll quickly realize what information is right for you and not to get overloaded on that. But there's a fair amount of threat information out there, right? There's a lot of vulnerability information. Um, there is just news,
right? But I would say
it's your role to stay current.
I always felt like, and I still feel like, there isn't a vendor on the planet
that's not willing to sit down with you and explain what they do, you know? I mean, it's a little rough, like, I'm not suggesting that you take advantage of a vendor if you're really not gonna buy anything,
but that said, you know, in the job
there probably is not a single aspect of cyber security that I can pick out
where you couldn't find someone
who would be willing to sit down and really lay it out for you. Have you ever had a vendor say, Nah, we don't want to come in and talk? Has that happened, right? You've had good experience with that? I know you don't shy away from them, just happy to chat with them. But it seems like that's a good
sort of means. And I mean, obviously we're sitting here on Cybrary, so I'm sure Leaf is gonna want to
have me reinforce how important it is to do online learning. We'll get to that in a minute, but before we talk online, do you find that vendors have been very helpful in teaching you things that you didn't know before?
I'm pretty straight with people, you know. People will come in or say they want to come in, and I'm sharing with them. I say, Look, I'm not really looking to rip and replace anything out of the environment. If you want to come in and talk, um, and see where you can be a fit,
we can talk to that, right, and we can develop a relationship. And that's really what I say to some of the third parties and the vendors: let's develop a relationship. I don't have a need for your product right now, but get to learn me and our business. And when there's a fit, or I know of you and I need something, I'll reach out.
And if you want to share some information, that's great.
Um, and it's a balance, right? Some of them are sort of new to the conversation, but some of them get it, and, you know, they send over timely information, and in the,
um, I'm in the business of protecting email, right? I'll get some information about that from them. They understand, you know, when to do it and the timing around all that. So, yeah, I engage quite often, and you can easily tell which ones are good at it and which ones are not.
Yeah, I think that's a great answer. Now let's talk learning a little bit. I know, you know, in any large company, I think nowadays
it's almost like everything changes so fast that
there's no such thing as just sort of developing institutional understanding of anything, and it just sits with you for a bunch of years and you just keep applying it. It seems like in every industry,
um, crossed with cybersecurity, certainly, the demand that you keep learning seems just almost insane. What are some tips? And do you personally find
a lot of online stuff and, you know, courses and things, how important have those been
to you and your team just to keep up? Because it seems like it'd be almost a full-time job for people like you and I to keep up with everything. You can't do that because you have a regular day job. But what are some of your thoughts on the learning experience and training
in a business environment?
It's really important, and I stress this to a lot of my teams that
it's
a career or a profession versus a job, right? It's not really a job. It's a career or a profession that you're engaged in, and you have to stay current with the news. It's a big part of it, but you also have to stay current with the technology and the business, right? I want to keep making that point about the business and learning your business.
Online training is a big aspect of what we do now. It's tougher and tougher to get in and out of the office, and, you know, like, I jumped out of a meeting, um,
just to talk to Ed today, and, you know, I'm jumping into another meeting right after this, but, you know, I'm gonna go home tonight, and I have some research that I want to read, and before I fall asleep I'm gonna read it.
So it's that sort of stuff. And I engage with, um, a lot of my team members, and
I would say some of them are specialists in some other areas, and we learn from one another. Where if we're saying that we're building a road map for an identity and access management solution's future, some people are gonna go deep in that. And so we have them come and talk to us and teach us about it. We have some really great people in that area, and they'll put,
um, some documentation together for some of the other teams, and we talk about that and they teach us. But I'm old fashioned. I like books. I still read a lot of books. The online training is great.
Um, it's a blend of it all, I would say, but it's hard to keep up, but it's something that we have to do.
Let's talk a little bit on tech trends. I'm curious. You know, you and I have been talking for so long. Well, the last few years and into the future, any trends that
you think that folks here should be aware of from the tech perspective in cyber security?
Yeah, there is quite a bit out there. Um,
I'll give you a few that are just top of mind, that I've been in a lot of conversations about the last couple of weeks.
I would say digital payment card fraud and credential abuse are two topics I talk about almost every week. Um, and I'll get into a little bit of the attack vector, um, but, um, I would say with the onset of chip and PIN based payment card
technology, payment card fraud shifted online to the Web, or digitally. Um, in some organizations, this is really pushing physical security teams, who handled, um, some of the theft in stores, more into the digital area, and working with the information security incident response teams,
who have to respond from a compliance standpoint,
more closely together. So we have an intersection of technology,
um, that we use, and, you know, one team may use one piece of tech, another team may use another piece of tech, but
those areas are blending even more so than they have in the past.
And it's almost a similar conversation that, you know, the physical loss prevention team may be in, versus, you know, the digital information security incident response team.
Um, just if you wanted to go out and research a little bit about what I'm talking about, go search for things about the Magecart hacking group and you'll get a ton of information on what's happening out there. It's a daily, um,
conversation. Consumer websites are constantly under attack for different things. That's one of them, with digital payment card skimming. The other is credential abuse, or credential stuffing.
Um, again, it's plaguing consumer websites.
Um, the websites are constantly under attack, and these are prior stolen credentials that are being used to access customer accounts on these consumer websites to either steal data or place fraudulent orders. So these attacks are typically,
um, performed by bots,
um, on the internet, and we're seeing them launched from a variety of once-trusted sources as well as untrusted sources. So for us, and I'm sure other folks as well, we put a fair amount of focus on protection mechanisms and ratings of websites and things like that. So
two trends that we're spending a whole lot of time talking about. And as you know, a lot of organizations talk about digital transformation. It just brings all this out into the forefront.
And that digital transformation, do you see it both in the front office and back office
technology? Certainly on the e-commerce front, I see it. Do you guys see that also in the back end?
Yeah. There's a lot of talk, um, you know, about supply chain, um, and physical stores, and physical stores are really morphing into showrooming, a showroom, right, for a store, so the digital footprints in there are continuing to grow. Um, and there in the back office.
Interesting. Interesting.
What about, in terms of kind of some of the whiz-bang things we all hear about, like artificial intelligence and
some of the deep learning things, what do you think about that? I know you've got a very eclectic background, and I know you think about those things. Are you optimistic that those things will help us fight cyberattacks? Or do you think maybe some of that's hype? Where does your head stand on those things? Um, I
I tend to stray away from some of the marketing terms. Whenever
somebody wants to talk about cloud, I always ask the question, What kind of cloud? So if we're talking about machine learning or artificial intelligence,
I quickly go back to, Okay, let's talk about automation, right? We definitely want to automate things, and there's definitely, um, an area for it. I was in a conversation with, um,
someone in my organization today, and he was letting me know that they're moving forward with automating, um,
some of the scanning on our DevOps pipeline, and I'm very excited about that, because there's a real benefit to that for us to catch things earlier, um, along the development
pipeline, for lack of a better word, but it's gonna help us down the road and save some real dollars at the end of the day. But that's automation, right? Um, I talk to our security operations teams, and that's an area that's ripe for automation, right? I would caution everybody to say that
you can take a human being out of the conversation, because I don't think you can, in all instances.
There still needs to be some kind of oversight and review of critical things. But for the repeatable areas, yeah, we're definitely heading in that direction. I, you know, I caution myself to step lightly, and, you know, my colleagues to step lightly, in those areas.
That is fantastic. You know, David, we've got a couple minutes here. Um, a lot of people on the call here are
really focused on their career, would like to see some advancement, many of whom aspire
to the kind of position you're in right now. If you were sitting with any of them having a cup of coffee,
any one or two bits of advice that you might have for them, you know, based on your experience, that they should think about to achieve those goals
in our industry? Anything come to mind?
Yeah, I would say, you know, plan in advance to be well rounded,
understand the scope of information security versus just IT or cyber security. You know, there's a lot of good, you know, data points out there about that that you can read about or talk to other people about. But,
as I said a little bit earlier, right, understand that your future responsibilities are also going to include, um, talking to the business unit, right? Know how to speak their language, know how to tell the story, connect with them, right. It's not always going to be a tech conversation, but businesses are changing so rapidly these days,
and your focus area is going to change from time to time. Just be prepared to be able to, um,
reorganize daily, right? And don't get caught up in the fact that you're reorganizing daily, because your business itself is going to have to re-prioritize then, and that means you do as well. You're always gonna be aligning with, um, the objectives of your business, and that's going to help you in the long run.
That is fantastic advice. I hope people
appreciate how unique and helpful those points are. They come from a lot of expertise and a lot of experience. So, David, thanks, man. I'm gonna let you get back to your busy day.
Appreciate you joining us here. And for everyone, listen, we're at the top of the hour here. I, uh, enjoyed our
hour here. I'm going to be on vacation for about a week. I think we've skipped next week.
Um, we'll make sure you know the date of the next one. Or maybe you know already, but we'll be skipping next calendar week,
and with our fifth session we'll come back and pick up where we left off. So on behalf of the whole team, thanks. Thanks for joining us. And everybody have a wonderful afternoon. Thanks, David.
Thanks, Ed. Thanks, everyone. Good luck.