Thursday, June 17, 2021

What are they training for?

 


Ugh, working out and training! Is there anything less lazy than that? I don't think so, and my physique shows the proof of how much I hate hitting the gym. About the only way I can convince myself to engage in exercise is to find ways to make it fun. So, I do have a gym membership, but it's so I can PLAY racquetball. I may sweat while doing so, have sore and aching muscles afterwards, but I'm not working out, I'm playing.

Fun and games. For most people, that's the easiest way to get them to do the hard stuff. This goes back to early childhood even, when parents have to play "airplane" to get their kids to eat. Something as basic as the need for nourishment sometimes has to be paired with an entertainment factor. And that concept carries forward through the rest of our lives. 

When my kids were babies, I actually loved feeding them. It was an opportunity for me to provide for them directly, engage with them on a one-to-one basis, and it was always a challenge to see just how much food I could successfully deliver. But, as much as I enjoyed the experience, I knew it wouldn't be wise to let it become a habit that lasted forever. Of course, their own need for independence ensured they would not let me continue to be the one in control forever, so either way, our time together in this type of interaction would eventually have to end.


So, I did what any parent does, and tried to teach them how to use their tools properly. First we focused on the basics, using our hands to pick up the food and then shove it into our mouths. As their motor skills developed, we progressed to spoons (no forks yet, as that could lead to a painful eye-gouging experience). As they got older, more tools and techniques were added to the table. From forks to butter knives to steak knives and so on. Now, my kids are all experts not only in the rudimentary skills needed to feed themselves, but also at more advanced meal prep (giving me a break from cooking duties at least one or two nights a week).

This is the real truth of training. It didn't happen overnight, and of course there was coaching needed along the way, and some of that coaching was laborious. Sometimes still we have to remind them not to eat with their fingers anymore, or that a sharp knife shouldn't be waved around excitedly when telling a story at dinner, but the concepts are now deeply ingrained in them and part of second-nature.

This is where I think most Cyber Security Awareness Training falls down. We either spoon feed far too long, continuing to always hold onto the tools and make our users "open wide" for the "training choo-choo," or we lay out a full formal place-setting on day one and expect our users to know the difference between an oyster fork and a fish fork, and when to use which appropriately.


Please memorize this chart and don't make a mistake. The fate of the company depends on it!


We have to do better than this. Training in a gym (ugh!) is about making our bodies better. We strive for improvements and condition our muscles to become leaner and more effective, growing stronger with each repetition of the effort, eventually moving to more challenging exercises. Why should our CSAT be any different? We have to empower our users to learn and then put their newfound skills to work.

The good thing is, a lot more companies are seeing the need for the "fun and games" that get users engaged and motivated. Gamified training has been a HUGE boon to the CSAT world, as have non-traditional training methods. 

One of my favorites is turning training into a team event, rather than a hostage situation. Bringing 6-10 users into a room and letting them "play" at security training has produced far better results than me droning on and on over a PowerPoint presentation. 

Other great advances in CSAT are the companies creating short, entertaining, but relevant content that can act almost as an amuse-bouche for the heartier training materials.




As I'm sure ANYONE who works in security can attest, we get multiple daily reports of "Suspicious" emails, websites, phone calls, or texts from users. In some companies, we have a way to report these into our Secure Email Gateway and that tool then "learns" from them to get better at spotting, and hopefully stopping, them in the future. Sometimes, unfortunately, you don't have this integration, and an analyst has to do the spot checking and validation.




In either case, the user is looking for validation of whether their suspicion was correct. Automated or not, this confirmation is necessary, but often overlooked. This is the moment when the user is picking up their soup spoon and casting their gaze towards their host to see if they are about to commit a grave faux pas. 



Unless you want to always be the hand that feeds, you have to find ways to make your users more confident in the skills you've been teaching them. Of course, phishing simulations and annual training certifications are great for doing this, but on their own these methods too often leave users with only minimal faith in their own abilities. 

If you want to create smart, aware users, you have to reward them along the way as they take those steps towards self-reliance. Let them know they did indeed spot a phishing email, and more importantly remind them how to trust in their own abilities to verify actual "good" emails. Give them that one-on-one interaction early on in their training, and you will see their reliance on your input fall away. 
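Here is what the report-then-confirm loop described above looks like when the analyst's spot check is scripted, as an added example that is not code from the original post. It assumes the report arrives as the raw message text a "report phishing" button typically forwards, that OUR_DOMAIN (the hypothetical example.com) is the organisation's own domain, and that the scoring weights are illustrative; the two sample messages are constructed for this example. The output is the confirmation the reporter never gets often enough: right or wrong, and why.

```python
"""Spot-check a user-reported email and write the confirmation back to the reporter.

Added example, not code from the original post. Assumes the report is raw
RFC 5322 message text and that OUR_DOMAIN is the organisation's own domain
(hypothetical). The sample messages at the bottom are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"          # hypothetical; replace with your own
BRAND = OUR_DOMAIN.split(".")[0]    # word a spoofed display name would reuse


def _domain(addr):
    """Lower-cased domain part of an address header value, or '' if absent."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()


def _auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=(\w+)", str(hdr), re.I)
            if m:
                verdicts[mech] = m.group(1).lower()
    return verdicts


def triage(raw_message):
    """Return (verdict, reasons) for one reported message.

    verdict is 'malicious', 'suspicious' or 'benign'; reasons are plain
    sentences the reporter can learn from. Weights are illustrative only:
    a missing DKIM signature is a weak signal, a disguised link a strong one.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []                                   # (weight, reason)
    from_hdr = str(msg.get("From", ""))
    from_dom = _domain(from_hdr)
    reply_dom = _domain(msg.get("Reply-To", ""))
    display_name = parseaddr(from_hdr)[0].lower()

    for mech, result in _auth_results(msg).items():
        if result != "pass":
            findings.append((1, f"{mech.upper()} result was '{result}'"))
    if reply_dom and reply_dom != from_dom:
        findings.append((1, f"replies would go to {reply_dom}, not to the sender's domain {from_dom}"))
    # Display name borrows our brand while the address is external.
    if from_dom != OUR_DOMAIN and BRAND in display_name:
        findings.append((2, f"display name says '{BRAND}' but the address is at {from_dom}"))
    # Anchor text shows one host while the href leads somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for href_host, shown_host in re.findall(
            r'href="https?://([^/"]+)[^"]*"[^>]*>\s*https?://([^/<\s]+)', content, re.I):
        if href_host.lower() != shown_host.lower():
            findings.append((2, f"link text shows {shown_host} but points at {href_host}"))

    score = sum(w for w, _ in findings)
    verdict = "malicious" if score >= 4 else "suspicious" if score else "benign"
    return verdict, [reason for _, reason in findings]


def reporter_feedback(raw_message, reporter_name):
    """Close the loop: tell the user whether they were right, and why."""
    verdict, reasons = triage(raw_message)
    if verdict == "benign":
        detail = ("we checked and it looks legitimate: the sender authenticated "
                  "and the links go where they say. Thanks for reporting it anyway.")
    else:
        detail = f"good catch, this was {verdict}:\n- " + "\n- ".join(reasons)
    return f"Hi {reporter_name}, {detail}"


# Constructed samples: a credential phish dressed up as payroll, and a real internal notice.
PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-payroll.net; dkim=none; dmarc=fail header.from=example-payroll.net
From: "Example Payroll" <hr@example-payroll.net>
Reply-To: collect@mailbox-verify.xyz
To: alice@example.com
Subject: Action required: confirm your direct deposit
Content-Type: text/html; charset="utf-8"

<html><body>Please confirm your details at
<a href="https://mailbox-verify.xyz/login">https://portal.example.com/payroll</a></body></html>
"""

LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "IT Service Desk" <servicedesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance this Saturday
Content-Type: text/plain; charset="utf-8"

The VPN concentrator will be patched Saturday 02:00-04:00. No action is needed.
"""

if __name__ == "__main__":
    print(reporter_feedback(PHISH, "Alice"))
    print(reporter_feedback(LEGIT, "Alice"))
```

The part worth keeping from this, whatever gateway you run, is that the reasons are written for the reporter rather than for the analyst. A user who is told "replies would go to mailbox-verify.xyz, not to the sender's domain" learns where to look next time; a user who is told "ticket closed" learns nothing and keeps forwarding everything.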

Of course, have those back-end tools at the ready for the inevitable slip-up, but those should be your safety net. 

A well educated, and confident, user base is ALWAYS going to be your best first line of defense.








Thursday, June 10, 2021

C-3POh no you R2 Didn't!

I've now written a few blogs about being a Lazy CISO, and realized that I have yet to make a Star Wars reference in a single one. So, considering this is the Fourth blog post, it's definitely time I swing my meme searches to include some old stalwarts that are near and dear to my heart.

I want to talk about AI and ML, but not the way most people do.


For my purposes, I'm going to move away from the definitions of AI and ML that you know. Instead, I'm rebranding them as "Article Intelligence" and "Multiple Labs." Both of those revised definitions apply very well to the droids in question here, and also to a lot of the security practitioners I've worked with in the past. 

C-3PO embodies AI and is all about facts and figures. He knows all the details one could possibly learn, and spouts that knowledge at any given moment. He even turns out to be a fairly good storyteller in the end, with some coaching.


R2-D2, on the other hand, learns from experience in the laboratory of "life." His experience has been built over many years, and he applies his time in these lab environments onto his next predicament. His heroics often lead to praise, but tempered with caveats about his attitude. 

Many times in my career, I've come across analysts who thrive on AI. They are constantly studying texts, taking certifications, and are the first ones to pipe up with the "facts" around any given security discussion. To be honest, these are also the team members who are more impressive to management the fewer times they interact with them. They seem to have a huge wealth of knowledge, they volunteer their information (and opinion) freely during meetings, and they can quickly answer questions about how things "should be done" to combat all the threats they've just revealed in your enterprise. However, they also often lack the ability to hold back, and will provide every relevant piece of information they know whether the moment calls for it or not.


On the other side are the R2s of the InfoSec world. They tend to sit back, wait for everyone to express their concerns and engage in the head-scratching exercises of how to fix an issue, and then bound into action to implement a solution they just happen to have worked on at a previous company. The problem is, they often do so with the grace and charm that you would expect from an AstroMech Droid.


I used to loathe the C-3POs and loved having R2s on my team. The lazy part of me felt it took too much time and effort to memorize all those facts and figures, and held disdain for anyone who put that much work into always being "right." I also relished the idea that, during a crisis, all I needed was to deploy my trusty R2 to save the day. Who cares if they rolled over some toes along the way?

Of course times, and perspectives, change. Now I see you really do need the pair to be successful. The knowledge is what's important. Whether it's a deep bank of information, or just practical knowledge that comes from being on the frontlines, all of it is valuable. You just have to understand when each is needed and how to temper your expectations about how you can use that knowledge.

So here's to the unsung heroes of the InfoSec community. The AI and ML are powerful allies when facing down the Sith, aka malicious attackers, and without them we're all just bullseyeing womp rats in our T-16s.





Wednesday, May 26, 2021

Can't knock the hustle



Before you start thinking I might just be cooler than I am, the title isn't a nod to Jay-Z. 
Let's just say, I'm of an age and demographic that still believes Weezer is culturally relevant, so there you go.


I realized that I often make comments that seem very "anti-sales." I don't respond to direct messages on LinkedIn from frontline sales people, I don't answer my phone when an unknown number comes across, and my junk mail filter has been finely tuned to spot a cold call a mile away. All of this is admittedly designed to keep me from having to waste time and effort responding to yet another pitch for a product I'm just not looking for at the moment.

I'm not anti-sales though, just lazy. As a matter of fact, salesmanship has been a big part of my entire life. I grew up with a parent who worked in sales, and I myself started my own working life as a door to door salesman before I was in Jr High. 

When I was a kid, comics would have some of the best sham advertising you could find. Sea Monkeys, X-Ray Specs, Nunchucks, you name it. If it wasn't expressly illegal, you could buy it via mail-order from an ad in a comic book. I wanted a LOT of what was being sold in those pages. However, I didn't have a lot of disposable income laying around either. So I turned (literally) to the other type of ad in comics: the Christmas card sales pitch.

Remember to ask for Peggy


With no type of screening or experience, I was able to sign up to become a bona-fide representative of the Olympic Sales Club. It was easy, send in your info, get sent a catalog of products. From there, it was up to me how to hustle enough sales to earn the "prizes" that were associated with how many items were sold. Since we lived in a relatively safe suburban setting, with lots of friendly neighbors, I walked my pudgy little butt to every door within a 5 mile radius (and then some) and learned the art of the sale.

I devoted months at a time to this occupation. I developed a system for tracking the houses I'd been to (who bought, who said no, and who wasn't home when I rang). I beat a path around the neighborhoods and developed my territory. I created repeat customers who I could count on year over year, and I knew where the scary dogs that liked to chase kids lived, and cut a large swath around them.

At the end of each season, I deliberated about what I would choose as my hard earned reward. Sometimes I went into the year with a goal in mind, sometimes not. Most times I would choose one or two items, and then "cash out" for the rest ($1 per item sold, cash - woohoo!)

I stayed a "salesman" for several years, finally giving up only when it started becoming apparent that I was not being fairly compensated for all the hard work I was doing. In other words, I was the one being hustled by OSC, and when I figured that out, I looked for better ways to make money.


"I'm counting to one hundred today, so I'm gonna need those numbers on my desk asap!"


The lessons I learned in those years about how to open a dialogue, get people to give up a few minutes of their time, how to find their need and then offer a solution that could fill it, were all important skills that I will use for the rest of my life. Honing those skills made the difference later between constantly working too hard to get my points across and working smarter to achieve my goals.

The world has changed a lot since then, obviously. I don't know if Olympic Sales Club even exists anymore, but I do know that if they do, they surely have changed their operating model by now. Heck, even Girl Scouts rarely go Door to Door to sell cookies, but instead send out emails with a clickable link for placing your order. We, as consumers, have become accustomed to looking for the things we need or want, and no longer rely on someone knocking on our door to introduce us to that missing product we can't live without. (Take the hint Vivint!)

I wouldn't have gained the skills I did if this was the case way back when, but as a Lazy CISO, I have to admit, I prefer it this way. I already invest a great deal of time and effort into knowing my security program, understanding its strengths and weaknesses. On top of that, I have frameworks, audits, and assessments that continually pinpoint and highlight the areas where I need to focus and make improvements. I know what gaps need to be covered, and I have a fair idea of what is available in the market to address those gaps. The likelihood that a cold call is going to provide me with a life changing solution I have never dreamt about is pretty low, and honestly that notion can be downright insulting. 


"Phishing emails and Ransomware are the top threats out there? I had NO IDEA!"


But what about emerging technology, or up and coming game changers looking to topple the current market in any given area? Yes, it is good to understand these factors, and I certainly am not going to stay as up to date on every new player as I may want. So, I understand the need to keep my ears, and mind, open to new introductions. I just don't have the energy to devote to the constant influx of those introductions.

The lazy solution I've found is to partner with someone who makes it their job to stay up to date, and leverage them when I need to do so. By having someone I can trust to go to with questions, learn about the ever changing field of security offerings, and who knows my program's needs as well as I do, I don't have to be the one opening the front door when some shiny faced kid in a suit rings the front door bell.

A trusted partner is your Tom Hagen, your consigliere.


Having this key resource is a great way to keep your mind focused on the task at hand, while also staying up to date and informed. A true partnership in this way goes way beyond the Value Added Reseller relationship and is like adding headcount to your team. Once you have this partnership established (or partnerships - as Tom found out, sometimes you need a separate war-time consigliere) you start to develop a rhythm that helps keep you above the crest, rather than floundering in the wake, gasping for air. 

Of course, you'll still get the cold calls and people wanting to introduce their product or services. Those sales teams still have to work to get their numbers. Respect their effort, while also respecting your own time. 

That's one thing I'm working to do more, respecting the hustle. Acknowledging, when I'm able, the time they took to reach out, but politely declining to further the conversation if I know it's not going to lead anywhere. If there is something they have to offer that is on my radar, then I bring in my partners pretty quick to help manage the conversation. And, later, if I need to reach back, I make sure to communicate my needs and expectations early on so there's very little misunderstanding (hopefully). 

Letting your trusted advisor do their job makes it so much easier to sit back and focus on what's important in your program. And that's something you really can't knock.


Thursday, May 20, 2021

What keeps you up at night?

 

What keeps you up at night?


Spend enough time wearing the Security badge and you will eventually be asked this question. I'm pretty sure this isn't something that's unique to the InfoSec realm, but I do think it's given a lot more traction when the person asking knows you have something to do with keeping the business secure.

I don't believe I was ever once asked this question when I was working in theatre, and I lost a LOT more sleep in that world than I do now. We'd be 6 weeks out from opening night, and not one single person at any of the production meetings would come anywhere close to asking this. We all knew there would be setbacks, unforeseen emergencies, unplanned outages, etc., but no one was ever brazen enough to throw this kind of bad juju into the conversation. Plus, we all knew sleep was a luxury none of us could afford until the show was up and running.

Once I moved from theatre to InfoSec, I started hearing people discussing the "What keeps you up at night" conundrum, and I would dwell on how I would someday answer this mythical question. I also listened closely to my leadership when they would give their answers. How my bosses answered their bosses let me know what I should be focusing on, and looking back now, I think that's a problem.

I've come to really dislike this question. I don't think it fosters an honest discussion between the security leader and the person posing the query. It just feels like fishing to me, and that's because it is.

The world of the Security professional is cloaked in mystery and acronyms that can leave even the best business minds spinning. So most times, the person asking is looking to you to share your expertise with them in terms they can understand. 



Let's distill the question down to its basic meaning. "What is something that troubles you enough about your current Cyber Security program that causes you to have to spend energy 'off the clock' worrying and trying to resolve?" 

If you pick something that has a technological remedy ("our outdated stateful firewall rules" or "our lack of a secure email gateway") then you either get the funding you need to make those purchases, or you don't.

You can answer something a little more ethereal and abstract like "our Risk appetite isn't keeping pace with our growing threat landscape" or "limited user awareness training." 

In either of the above scenarios you're now going to be charged with putting in extra effort around those items, and if one of them later turns out to be the attacker's entry point, then you're toast.

Finally, if you answer "Nothing", then you're going to look like an over confident fool (and you're just inviting Karma to send a Zero-Day to your infrastructure). 

So, how do you answer this impossible question and still manage to convey confidence while also pinpointing the areas where you need more resources? To me, it's about shifting the conversation. When asked "What keeps you up at night?" my advice is to use that as a chance to reply "I'd rather talk about what helps me sleep better."


"When the shoe fits, the foot is forgotten."

- Zhuang Zhou


Use this as a chance to highlight your program's strengths. Talk about how you have protections in place that layer on like the cozy blankets you snuggle comfortably under at night. 

After that, you can explain how, in the event that something happens while you were getting some much needed rest, you have mitigations and playbooks, tools and technologies, plans and strategies to help you come through the crisis. 

Finally, be sure to point out that you have the right people on your team, either in headcount or partners, that are ready, at a moment's notice, to start losing sleep for a valid reason. 

Make sure leadership understands that it's in their best interest that you NOT be losing sleep worrying about what MIGHT happen, because you and your team need to be well rested for the events that DO occur. If you have gaps or areas that need improvement, then bring those up as ways to ensure that everyone can rest easier. 

Don't be ashamed when your head hits the pillow that your mind is free from worry, because you've taken the steps needed to earn that rest. 





Wednesday, May 5, 2021

It's time to be lazy!




I don't know about you, but as a Cyber Security professional, I'm tired. Tired of so many things that go into protecting organizations from the real and not real threats against them. Tired of Zero Days and the long nights they produce. Tired of perimeter defenses around a hybrid infrastructure that has no boundaries. Tired of Security Awareness Training that results in Security Know-It-Alls. Tired of connection requests that only want to connect to my budget sheet. Tired of it being harder to break down the walls of the boardroom to get security topics on the table than it is for script kiddies to breach your network. But most of all, I'm tired of FUD.



Fear, Uncertainty, and Doubt. It used to be that the main dealers in FUD were the technology partners who needed a way to incentivize you to buy their product. "If the SWAG doesn't get them, the FUD will!" But now FUD is everywhere. Dominating our newsfeeds. Coming from the C-Suite and the Board. Motivating the countless inquiries from users who get an email with one word misspelled, so it must mean Anonymous is attempting to steal their identity. When did we get so encumbered with FUD that we can't even pause in our defense building to decide if what we're protecting is even at risk?



When I was in grade school, I met a kid who brought all of his action figures to school everyday. Now, I loved toys as much as the next kid, but I struggled to understand why someone would feel the need to pack up his prized playthings daily and lug them around all day at school. His answer? He wanted to keep them with him in case his house was broken into during the day. And before you start wondering what sort of trauma this boy had experienced to cause him to have such a precautionary mindset, let me assure you he had never experienced a break-in, nor had his toys stolen before. But he had the FUD, and that was influencing his actions.


This encounter led me to understand a key aspect about myself. I was, and still am, lazy.


There was no way I would EVER go to that much trouble protecting myself against such an unlikely event. (sure, houses get robbed, but when was the last time someone's He-Man and Skeletor dolls were the primary target?) I did not see any value in all that extra work, and no amount of FUD was going to get me to put in more effort than was needed.


Even thinking about being lazy is too much work


See, to me, being lazy isn't about doing as little as possible. Instead, it's about making sure that I'm not wasting my time or efforts. If I'm going to put in the hours, if I'm going to devote blood, sweat, and tears to something, I want to make sure there's a darn good reason for doing so. Otherwise, I'd rather sit back and enjoy myself. Of course, I don't do a lot of sitting back. Instead, I spend a lot of my time making things easier for the day when I can be lazy. I work hard to bring as much simplification to the process as possible, so that I don't have to toil at worrying about the FUD. Conquering the Fear, defining the Uncertainty, and removing the Doubt are the ways that I get to be lazy and enjoy my toys, rather than constantly trying to anticipate the next big unknown.

And that's why I'm here. I decided to write this blog as a way of bringing some laziness to this hectic world called Cyber Security. No matter what your title, chances are that if you're reading this, you too have to deal with the break-neck speed that comes with working in this field. Racing to stay ahead of the FUD becomes the default for survival, and that is just too much work. Even if you enjoy the thrill and challenge, we can all benefit by adding some laziness to our lives, if for no other reason than to be able to shift focus to defeat the next big FUD on the horizon.