Kip Boyle: Hi, I'm excited to share that we have a new free bonus just for you.

Jake Bernstein: We've started publishing our very own quarterly cyber risk management journal. It's loaded with over 30 pages of useful content taken directly from our podcast. Here's how we make each new edition.

Kip Boyle: We start by transcribing the four or five episodes that we've published in the previous three months.

Jake Bernstein: Next, we send our editor and designer the transcripts and our supporting materials for those episodes.

Kip Boyle: Then they revise all the text, they put clickable links in for all the resources, and they create the best look and feel for each episode.

Jake Bernstein: And finally, we, Kip and I, make sure the finished PDF is ready for you.

Kip Boyle: Download the current edition now. All you have to do is go to b.link/crmj. That's the letter b.link/crmj.

Jake Bernstein: And if you like it, share it with your friends and encourage them to subscribe to the Cyber Risk Management Podcast. Now on what the show.

Audio: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cyber security council is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake Bernstein: Kip, what are we going to talk about today?

Kip Boyle: Hey Jake. Today, we're going to talk with our guest Dan Blum, and we're going to talk about the challenges posed by the COVID-19 shutdowns and specifically how it's affecting the cybersecurity professional. And Dan's also going to share information with us about his new book which is called Rational Cybersecurity for Business.

Jake Bernstein: Dan, welcome to the podcast.

Dan Blum: Thank you, Jake and Kip. Great to be here.

Jake Bernstein: Dan, let's start by having you, if you wouldn't mind, please introduce yourself to our listeners and just give us a two minute version of your background.

Dan Blum: Sure. I'm Dan Blum, a cybersecurity strategist and author, and I have a background with Gartner and Burton Group where I worked as an analyst and consultant for many years, starting out in digital identity management and then coming into security and risk management. About five years ago, I set up my own company, Security Architects Partners. Over all this time, I was a very technical type of guy. But as I worked on more and more projects and saw some of the challenges that we typically ran into, they weren't always technical.

A lot of the time they were organizational or political. I ended up deciding therefore to really look deeply into how we could do a better job of aligning with stakeholders during our security projects and programs. And that's where my recently published book, Rational Cybersecurity for Business, came from.

Kip Boyle: That's fantastic. Well, that really resonates with me, Dan, because in my work as chief information security officer, that's an ever-present factor that I've got to pay attention to. Do the senior decision makers see the value of cybersecurity? And specifically, do they see how it helps the business rather than see it as an obstacle, some kind of a log on the road that everybody's got to navigate around, some terrible ongoing expense, financial burden that just can't be avoided?

It sounds like you and I have had pretty similar experiences trying to get senior decision-maker support. Is that about the way you see it?

Dan Blum: Yes, absolutely. Senior decision-maker support is critical because they set the tone at the top. But in a larger organization, you need even more than that. It has to flow all the way down the organizational chart, so to speak. Not just you as the CISO being well aligned with the senior stakeholders and actually not only talking nicely to them, but also figuring out how you can make the secure way the easy way for their business to get the product out or to accomplish their programs, as well as reducing risk.

But you have to get your staff to also do this with their counterparts and corporate administration and all these lines of business.

Kip Boyle: Yeah, absolutely. I see for myself there was a big learning curve because I came up through sort of the systems career field where I started out as a systems administrator and a programmer. And then ultimately I was able to become a chief information security officer.

And that was really the big shock for me was even though my background sort of suggested like the key to success was just knowing how to set things and what to allow and what not to allow and very technical minded person, I had cold water put it in my face about how much people, like the people element of the work and the process aspects of the work and operationalizing the things that you needed to do, such an important dimension, nothing you do will really count for anything unless you have that sorted out.

Jake Bernstein: That's a really good of why I'm even able to exist as a cybersecurity lawyer. While I am certainly more technical than many, if not most lawyers, it really comes down to the fact that cybersecurity is a... What do we say, Kip? It's a team sport.

Kip Boyle: It's a team sport. Everybody's got a part to play. Yeah, definitely.

Jake Bernstein: It's very important.

Dan Blum: And a contact sport is what one of the... I interviewed 60 people for the book and one of them said, "Cybersecurity is a contact sport." I think I have that in the book someplace.

Jake Bernstein: That's great. I like that.

Kip Boyle: Well, when you say that, Dan, what I think of is it's a contact sport unexpectedly. It's like playing golf, and then all of a sudden realizing that you're playing hockey instead.

Dan Blum: Or that you have to play it with social distancing now.

Kip Boyle: Yeah, yeah, absolutely, so let's talk about that. Let's talk about the challenges facing cybersecurity leaders in the face of what's going on, the pandemic, the quarantine, the massive shift to remote work. The news headlines just... There's a steady stream of news headlines saying that major companies that we all recognize are saying, "Hey, remote work is the way that we're going to pivot."

And they're either saying that, "We're permanently shuttering our commercial office space or severely constricting the amount that we have," or at the very least, they're saying, "Look, nobody's coming back to the office for a good solid 12 months," or in one case, I'm aware of an insurance company that said, "Until there's a vaccine, however long that takes, we're not coming back to the office."

That's what we're going to hold out for. Do you think what's going on right now is kind of faddish, Dan? Just something that everybody's really into in the moment, or do you really think this is a permanent change?

Dan Blum: I think it's a permanent change, but let's assume there's a continuum between 100% work from home for those jobs that can be done at home, of course, or none works from home. Whether we end up closer to that 100% or somewhere in the middle is going to depend a lot on the type of work it is and the company culture, as well as hopefully temporary situations that we have now with the COVID-19. Within a year or so, companies will have the option to send people back to the office.

But in the meantime, they will have been forced to make it work from home. I call that forced digitalization and there's trade-offs between WFH and WFO, but WFH is getting better. I know my wife says that the projects that were already in flight are working great, but some of the new projects are struggling with the new people trying to get all acclimated at a distance. But that's all a social and economic issue from the IT and security standpoint. We know that there'll be a lot more of it forever, and we just need to make it work.

Jake Bernstein: It's interesting. I, I look at it as... COVID has really just accelerated, I think, trends that were already in place. I think I read a statistic not too long ago that said that online or eBay, basically online purchasing, online commerce did about a decades worth of growth in three months. I think that that is also pretty accurate with the work from home. I think work from home was already going forward, and there's a lot of benefits to it, certainly flexibility about where you live.

That itself has the ability to potentially cause seismic shifts in culture and society, but COVID-19 really just poured some accelerant on a fire. I think that's what we're seeing. Whether the degree is permanent or not, all of this sudden remote work is creating a huge burden on cybersecurity departments basically across every organization and no matter the size. In your view and what you've seen, what are some of the top challenges that are facing cybersecurity leaders as a result of the pandemic and the surge in remote work?

Dan Blum: Well, some of the major ones are just the disruption to the way companies operate IT and do business and making that work when users have been moved out from the office and are now doing everything from home. There's a lot of from home security deficiencies like router passwords that are still the default password as the name of the password. Cyber criminals have been pivoting to exploit new social engineering and phishing opportunities. I had one friend that got a message saying, "Your VPN account is being deactivated," and she clicked on that message.

And fortunately, it was from the IT department as part of a phishing simulation. But later on, after receiving her stern warning, the group was on it's a stand-up meeting and turned out everybody clicked on that message because they saw their paycheck vanishing with the VPN account, right? Cyber criminals are clever and next they'll have the election, of course. But in the meantime, they're still exploiting the pandemic and the way all the processes that you conduct have been changed.

There's a lot of confusion through which they can slip into the gaps and exploited a concern and get a user to click on that link. And then there's a disruption to the backend IT systems and the network security zoning, and that gets highly technical. But you have to make sure that you haven't reduced perimeter controls too much, or for that matter, when you send users home, you may have inadvertently lost some of the controls that you had while they were in the office. Remote access infrastructures and VPNs may not have the capacity you need.

You're probably bringing in a lot of new suppliers to help you, bringing in a lot of new cloud applications to get your products and services out to the markets, so you have increased supply chain risk. In the meantime, the whole company may be losing money, so the security program could be disrupted and you could have budget cuts. I could go on for days with these challenges.

Jake Bernstein: Yeah, no, I mean, I think it's really important sometimes to just list them all out and recognize the unprecedented nature of the challenge facing all these organizations. It's really interesting. I mean, I think as a lawyer working at a boutique law firm, we're in a I'd say privileged position just because lawyers overall have been able to shift to remote work fairly easily. Almost everything we do happens in pretty basic... In IT terms, it's pretty basic. We need a connection to the document server and we need an email account.

That's kind of it at the core, right? But that is not the case for the vast majority of organizations, particularly in manufacturing or situations where you really need teams of people to get things out. For example, like a book or advertising or a TV commercial such as they are.

Kip Boyle: Education. My wife's a public school teacher, and this has really absolutely appended her world at work. Because not only is it a completely different style of instruction, but her personal experience has changed a lot too. She's used to being in a building. She's used to being on her feet and moving around a lot through the day. And now she's pinned to a chair, which is very strange. Even the physical effects of this on people I think are unexpected.

Ergonomics and health consequences, the cybersecurity stuff seems hard, but there's just so much more going on here as a result of this transition. So much unexpected stuff. But hey, let's go back to the people aspect of this within a cybersecurity perspective and the need to create a culture of security. And anytime we talk about culture, right, culture is just, hey, this is just the way we do things here.

And if people are not seeing each other on a regular basis, they're not going to the same office, then it seems like there's a lot of opportunity for a remote work style to interfere with cultivating a good culture of security. I don't know, Dan? I mean, how do you see that?

Jake Bernstein: Or just the culture period.

Kip Boyle: Yeah.

Dan Blum: Yeah. Well, with work from home, staff are more autonomous. You're working in your own bubble, and the company has much less sort of influence on you or can only exercise that influence at a distance. I mentioned all the work from home security deficiencies, the router passwords, shared computers, bring your own device, all kinds of things. The only way you're going to fix those is by implementing security awareness and training programs to generally uplift the cybersecurity literacy of the workforce.

That also though is an opportunity to improve security culture, because you can make strategic use of user awareness and training programs to improve security culture. And that's something I talk about in the book actually. But the biggest thing that affects security programs in general is staff being disengaged from whatever their security responsibilities are. Because in a company, everyone has some kind of security responsibility, even if it is only to keep their work safe and keep their access to the company resources safe.

They have that responsibility. If your staff are not well engaged, then you have a problem with their being able to fulfill that responsibility and work from home makes them less engaged, unless you act to correct that.

Kip Boyle: Right. Yeah, definitely.

Jake Bernstein: That's a really interesting point.

Kip Boyle: I mean, chapter four in your book talks specifically about strengthening your security culture and different ways that you can do that. Yeah, it's great.

Dan Blum: If you want to promote a culture of security, you have to engage the business. The book, I decided to write it, as I said, because I saw so many projects just struggling because they weren't engaging stakeholders, or they weren't engaging users, or they weren't engaging the IT people that had to work with the tools to do the work.

Kip Boyle: What's a good example of you say project? That's pretty generic description of work. What kinds of projects got you to decide that, hey, I got to contribute to a solution here.

Dan Blum: Well, a great example is a privileged account management. Real quick. If you're not familiar with privileged account management, it's a special class of identity management tool that deals with the privileged users. Now, in any IT environment, it only runs with the aid of system administrators or database administrators or highly privileged users that not only have access to just about all the resources in that environment, but they get to define the access rules for everybody else. There's no access rules for them.

Those are called privileged users. They need a special set of tools. Well, IT people never want to have to use privileged account management because it means that they have to go to some password safe and check out their credentials and go through all these workflow processes before they can even go in and fix the problem.

Kip Boyle: Right, yeah. They see it as a road block.

Dan Blum: You have to engage their managers. It could see delays in delivery. You have to make sure that this tool increases the security, but doesn't slow down their work or prevent them from fixing a critical problem that's hanging up a mission-critical system.

Jake Bernstein: Dan, why would we need to be concerned with privileged user access, privileged account access? I mean, in other words, are the IT people right that they shouldn't have to use these tools? This is obviously a softball. But why is that important?

Dan Blum: Well, think about all the breaches. If you've read the breach reports from Symantec or Verizon or CrowdStrike or any of these companies, they always have the charts and graphs. Typically, it'll show that the number one cause of breaches was credential misuse. Somebody leaked their password to a phishing message or something like that. That should not be enough to cause a breach. There should be some additional layers of defense, because people are going to click on links. All day to do my job I'm clicking on links.

Sometimes I don't click on one because it looks fishy, pun there. But I'm going to make mistakes. My wife described a situation where people got some pretty compelling phishing messages and made mistakes. It's just a tough situation. You cannot depend just on anti-phishing to plug that gap. You have to have additional layers of defense. The privileged user controls the access rules of the system itself. That is a great deep defense to put in place.

Jake Bernstein: I would actually add that everyone wants to think that we can trust everyone in our organization and that everything is kosher and working as intended, but who watches the watchers, right? I mean, that's really what the IT people, what those privileged accounts are. Unless the CEO or the ownership or the board of directors happens to be your IT folks, which is probably not the case, it's important to have visibility and controls into what they're doing.

Certainly, as we have seen over the years, insider threat is kind of a constant level of risk. I wouldn't say that it has necessarily spiked, but it hasn't gone down. It just kind of stayed steady, which says to me that there is always a baseline risk. You trust but verify needs to be particularly important with people who have the keys to the kingdom.

Dan Blum: Yeah. You make a good point that you shouldn't absolutely trust the staff. You should be able to monitor and control to some extent in case of insider risk, but what's even worse is when the staff is perfectly trustworthy, but their password leaked and now the hacker has the keys to the kingdom so easily, just one click away. That shouldn't be the case.

Jake Bernstein: No. Kip, this occurs to me that defense in depth has been a theme in the security industry for a long time. I'm going to accuse the industry of maybe getting bored with it in a way, because it doesn't seem to be as discussed as often as it was maybe five years ago. But I think that's a mistake because I would say that during this pandemic, more than ever, defense in depth is probably your absolute best opportunity to defend yourself from cyber threats.

Kip Boyle: Yeah, I think it's an important security principle and that you should use it as much as you can. I think that it's responsibility of primarily I think of the security leaders, architects, and designers to be trying to figure out how to put those layers of defense in. But I would add to it actually and I would say that there's other principles of design that are related to defense in depth that we should be considering more often, like diversity of defense as just one example of what I'm talking about.

That's where you've got two very different ways to manage your risks. Maybe you have a protective control in place because you've got some sensitive data and you don't want that to get breached. You could have different ways of protecting that information, maybe a process-based way, and then maybe also a technological preventative control. And then maybe you could even add a detective control in there so that if something goes wrong, then you know something went wrong.

That's something that I don't see as much talked about is these principles of design and using them when you're building systems.

Jake Bernstein: They're basic, right? And I think sometimes the basic stuff gets old and boring even though... But it's still basic and it still has to be used.

Kip Boyle: Yeah. Well, that's mastery, right? Mastery is a command of the essentials, a command of the basics. I mean, if you're just a kind of person who likes to play with the latest and greatest toys and technologies and gizmos and every shiny object that comes along has got you taking off to check that out, then yeah, you're going to let go of the basic stuff because it's not as interesting.

Jake Bernstein: Dan, I'm curious, in your practice, in your actual work with organizations, have you seen organizations forget the basics and is one of your jobs would you say to come in and say, "Hey, security 101, defense in depth, what are you guys doing?" Does that happen, or is this maybe a non-concern in the real world?

Dan Blum: They definitely forget the basics. It's hard not to. I think anyone in the industry is at risk of having a myopic focus on some control or some technology that they're proficient in and to forget that that is only one part of a balanced security posture. Just like Kip was talking about and like the NIST cybersecurity framework with identify, protect, detect, recover, and respond, you need all of those control categories to have a balanced security posture.

And then if you take it up a level from that, getting back to the subject of business alignment, these controls may be inherently or theoretically very strong, like encryption can be very strong. But if they're not aligned with the way the business works, then the keys aren't going to be managed correctly or something like that.

And then it's not going to exhibit it's theoretical strength. You have to look at the controls that you're deploying and make sure that not only are they effective theoretically, but that they're tuned to the way the business works. And that's why an even higher principle than defense in depth is make sure that your control architecture is risk informed and that it's aligned with the business.

Jake Bernstein: I think that's one thing I would like to just briefly touch on is, what does it mean to align security and the business? What's a 30 second explanation of that phrase?

Dan Blum: I have a definition in the book, a state of agreement or cooperation among persons or organizations with a common security interest, enabled through security governance structure, processes, communication skills, and relationships. When in a state of alignment, all business leaders, staff, and security related processes act in accordance with clear roles and responsibility to support the program and strategy. I tried to say it a little shorter. It looks kind of long when you read it on a broadcast.

Jake Bernstein: What worries me is I doubt that state is as common as it needs to be.

Kip Boyle: Yeah, yeah. Well, speaking of your book, Dan, let's talk a little bit more about your book as we wrap up our episode here. It's called Rational Cybersecurity for Business. That title sure does resonate with me and I'd be willing to bet that that's also true for you, Jake.

Jake Bernstein: You are, of course, right, Kip. I think the reason I like it so much is that rational cybersecurity sounds a lot to me like reasonable cybersecurity. That's one of our core missions on the podcast and in our work with our clients, Kip, is to help people achieve reasonable cybersecurity programs. Dan, why don't you go ahead and... As we wrap up this episode, please go ahead and describe your book and what people can find in it and kind of generally what it's about.

Dan Blum: Yeah. As I mentioned earlier, I had a lot of experiences that led me to write it. I discovered that a lack of business alignment, as I just described and as we found or agree is a little uncommon, but it has a corrosive effect on every project or program it touches. I'd seen too many of those, so I really decided to dig into it. As I worked on the book, it became such an important message that I decided to open source the book. It's now available through the publisher, Apress, through their open access program.

If you google Rational Cybersecurity Blum or Rational Cybersecurity Apress, you can download it pretty quickly and easily. Anyway, reasonable cyber security is security that's aligned with the business, right? I did more than 60 interviews with CISOs, CIOs, board members, business leaders to get their stories into the book. One of the most interesting ones was someone who'd been an advisor to CISOs for over 15 years. I kind of asked him, well, 15 years ago, we hardly had cloud computing. And now we've got cloud DevOps, all these things.

What's different? What's the same? And he said, "Well, one thing that's the same is I keep seeing companies fail because they don't have a good definition of security." We drilled into that and it's in the book, but basically a definition of security is not just people process and technology, confidentiality, integrity, and availability and all that boiler plate stuff, it's these kinds of things like that definition of alignment that I gave you. And the definition of rational cybersecurity is that it's aligned with the risk culture and capabilities of the organization.

It has to be based on a mission statement and a mandate that's written with the full consensus and knowledge of these executives. And then once it's internalized, so to speak, to the management of the business, that can become the definition from which everything else operates in your whole security program.

Jake Bernstein: Well, I can confirm that it is in fact super easy to download. I have managed to already open it up as an EPUB in the time it took Dan to describe his book. I just got to say, Dan, one of the things that Kip and I talk about all the time is the title of chapter five, which is managing risk in the language of business. We have an entire kind of portion of our Cyber Risk Management program that is designed to do just that. I look forward to having a chance to read through this and appreciate that you did the open access thing.

I think that's helpful for the community. I think there's a lot of information out there and not all of it is actionable or helpful. When you have books like this that are written by true practitioners, not theoreticians, I think it's really valuable. Plus, you talk about William Gibson, which automatically makes it a great book.

Dan Blum: Thanks.

Kip Boyle: And I just want to make a comment too how your book is organized. I really enjoy the approach of the Pareto principle where you're saying, how can security leaders get 80% of the benefit by doing 20% of the work? That's a very strong approach for me in what I do. When I talk about that with senior decision makers, they like that also. I really, really appreciate that you took that approach with just the whole tone of the book, right, has that. I think it's excellent. Anyway, I could go on and on. I really enjoyed your book.

I'm really glad that you are here to talk with us and share with our audience. Really appreciate you being a guest, Dan. Go ahead and tell everybody how they can find you on the internet. What if they want to know more about your work?

Dan Blum: Kip, thanks so much for having me on the podcast. I've really enjoyed chatting with you and Jake. Thank you folks that are listening. You can learn more about me by connecting on LinkedIn, Dan Blum, B-L-U-M. My website, if you can remember Security Architects, the website is security-architects.com. And on the website, there's information about the book, there's information about services that I offer, and there's a blog as well.

Kip Boyle: I even see there's a link in your book where we can download a success plan worksheet that's located on your website. I think that's fantastic. Thank you.

Jake Bernstein: You see, Kip, this is why we need to implement show notes.

Kip Boyle: It's coming.

Jake Bernstein: They're coming. They're coming, listeners. They're coming.

Kip Boyle: There's for tipping the secret.

Jake Bernstein: Yes.

Kip Boyle: Okay, everybody. Well, that wraps up this episode of the Cyber Risk Management Podcast. And today we discussed Rational Cybersecurity for Business, the book, and how CISOs can promote a security culture, even in an intense remote work environment that suddenly snuck up on all of us. We did all that with the help of our guest, Dan Blum. Thanks, everybody. We'll see you next time.

Jake Bernstein: See you next time.

Audio: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.