Say Easy, Do Hard - Train How You Fight, Part 1 - BSW #349


by Security Weekly


About This Episode

28:16 minutes

published 13 days ago

English

© 2024 CyberRisk Alliance

Speaker 2 (0s - 25.86s)

This week, we air our sixth pre-recorded segment called Say Easy, Do Hard. Inspired by my co-host, Jason Albuquerque, we invite Malcolm Harkins, chief security and trust officer at Hidden Layer, to discuss how to train like you fight. How will the lack of preparation impact your organization during a cyber incident? Business Security Weekly starts now.

Speaker 0 (27.68s - 51.04s)

This is a Security Weekly production for security professionals by security professionals. Please visit securityweekly.com forward slash subscribe to subscribe to all the shows on our network. It's the show where we explore the business of security to improve the security of business.

Speaker 2 (55.86s - 201.52s)

Your trusted source for actionable insights on leadership, communication, and innovation. Get ready for Business Security Weekly. Let's talk about something that's becoming increasingly important for enterprise companies worldwide, cyber risk management. Traditionally, cyber risk has been managed manually in silos, separate from the business's core operations. The future is about getting real-time risk insights benchmarked against your industry peers through automation. And CyberSaint's CyberStrong platform is leading the charge. CyberStrong is not just another point solution. It's a revolutionary platform. It's a quantified top-down risk approach where your unique cyber risks inform C-suite decision-making. To identify your top five cyber risks and the controls to mitigate them, sign up for your free cyber risk analysis by visiting securityweekly.com forward slash cybersaint. High value employees have become the path of least resistance and a key source of compromise for corporations. Attacks against executives can compromise their personal accounts, enable corporate breaches, and can even compromise their reputation, wealth, and physical security. Black Cloak understands that an executive's personal digital footprint is crucial to enterprise security. We provide concierge cybersecurity solutions tailored for executives, safeguarding their personal data, devices, and online presence. Experience peace of mind knowing that your team is protected with Black Cloak Digital Executive Protection. Secure your digital life with blackcloak.io. Visit us now at securityweekly.com forward slash blackcloak. Enterprises today are using hundreds of SaaS applications. Are you reaping their productivity and innovation benefits, or are you lost in the sprawl? Enter Savvy Security. They help you surface every SaaS app, identity, and risk, so you can shine a light on shadow IT and risky identities.
Savvy monitors your entire SaaS attack surface to help you efficiently eliminate toxic risk combinations and prevent attacks. So go on, get savvy about SaaS and harness the productivity benefits. Fuel innovation while closing security gaps. Visit securityweekly.com forward slash savvy to learn more. Welcome to Business Security Weekly. This is episode number 349, recorded April 23, 2024, but will air on May 6, 2024 to kick off the RSA conference. I am your host, Matt Alderman. Joining me for this segment is first my co-host, Mr. Jason Albuquerque, who this segment is named after. What's up, Jason?

Speaker 3 (201.74s - 216.96s)

I appreciate it. I love these segments, to be honest with you. We get down and dirty talking about the hard things that need to be done. And so often are overlooked. So it's a beautiful thing to have this say easy, do hard be a quarterly event for us. I love it.

Speaker 2 (217.3s - 355.98s)

Yeah. It's kind of paired with my security money segment. Now we have two quarterly kind of stand-in segments we produce every quarter. I'm going to introduce our guest in a second, but first, stay up to date with us on X, formerly known as Twitter, for the latest show clips and updates. Find us at @SECWeekly and stay connected with your cybersecurity community. Malcolm Harkins is the chief security and trust officer at Hidden Layer. In his role, he reports to the CEO and is responsible for enabling business growth through trusted infrastructure, systems, and business processes. Malcolm is also responsible for peer outreach activities to drive improvement across the world in the understanding of cyber risks as well as mitigate those risks. He is also an independent board member and advisor to several organizations and CISO ambassador for Revealed. Previously, Malcolm was the chief security and trust officer at Cylance and vice president and chief security and privacy officer at Intel Corporation, and is a very good friend. Malcolm, welcome to Business Security Weekly. Hey, thanks, guys. Happy to be here. So I invited you, Malcolm, to this segment because I like to bring in independent folks, right? We've had other CISOs join us in other segments to really dig into the topic, right? And so segment one of this topic is really here to kind of frame up the problem that we're trying to address. And here I think it is really about preparing for a cyber incident and training appropriately. In the second segment, that's the do hard part. So we'll break into like guidance and recommendations and things you have to do to do that. So let me tee this one up for either one of you. I don't, I don't, you guys can pick who wants to go first. But this concept of train like you fight, I think is really important. We actually did a segment yesterday and we were talking through this a little bit.
In preparation for this, I thought it was a really interesting case. If you are not testing your incident response programs, how do you know how to make decisions in the heat of it, right? And have it prescripted. I think that is a challenge for a lot of organizations is when you're in the throes of it and you haven't practiced it before, the decision's a heck of a lot harder and also more time critical.

Speaker 1 (358.12s - 417.34s)

Yeah, you know, I look at this, you know, broadly speaking, hard work beats talent that doesn't work so hard. So, you know, much like in, you know, physical events and stuff like that, you have to train, right? You have to exercise yourself. Again, I grew up at Intel, right? And Andy Grove was still running Intel when I started running IT security for a, but became a smaller segment of my role over time. And like his book, Only the Paranoid Survive. You have to exercise yourself. You have to, in essence, drill in the extreme to be prepared for the ordinary. And if you're not doing that, you're not going to develop the muscle memory. You're not going to develop the response mechanisms. You're not going to develop the coordination mechanisms. You're not going to develop the coordination and collaboration that's going to need to happen across the company in order to not only be resistant from, but resilient from an event.

Speaker 3 (419.04s - 495.38s)

Yeah, and Malcolm, you know, I grew up in the United States Marine Corps, right? That was my first college was the United States Marine Corps. And, you know, in the military, everything you do is to train how you fight. That's the, that's where this title of this segment came from, train how you fight. It's because in order to exercise in a time of chaos, in order to be able to be effective in a time of chaos, you have to exercise that, right? You have to build that muscle memory, so it's not new to you. And this is something that's so often overlooked because, you know, organizations can say, you know what, we have policies, we have procedures, we know what we need to do. But in the heat of the moment, how are they going to know it's going to be successful, right? At the end of it, going through these exercises allows you to identify where you're strong, where you're weak, aspects of the response that you need to improve, gets people used to that exercise so it's not new to them in the moment, even external needs. What about third parties outside of your organization that you need to bring to the table and have conversations with? They should be ready to respond and they should know the expectations of their response beforehand. So there's so many aspects of this that organizations can tease out in order to get that refined process. It's never going to be perfect, but we're not shooting for perfection, right? It's a time

Speaker 1 (495.38s - 504.86s)

of chaos. Yeah. Well, and, you know, I learned a long time ago, again, whether, because I also ran corporate emergency operations at Intel, I did it at Cylance. I had physical, logical, product,

Speaker 0 (505.02s - 511.24s)

much like I do it at Hidden Layer. And, you know, the two things that are most important in an

Speaker 1 (511.24s - 516.2s)

incident are unity of effort and unity of command. You know this from your Marine Corps time,

Speaker 0 (516.54s - 523.92s)

right? And you also need to have your playbook to fight, but you also need to be agile enough

Speaker 1 (523.92s - 527.36s)

to be more like an MMA fighter where anything goes,

Speaker 0 (527.56s - 534.9s)

right? So if you're only staying in a traditional, let's say, old school boxing match with a lot of

Speaker 1 (534.9s - 555.04s)

rules and headgear, well, guess what? You're not training like a real fight. You're training like you fight. And what you need to do is become a lot more scrappy, a lot more innovative. And in essence, have a playbook, but use that as one mechanism, but train in many disciplines.

Speaker 3 (556.06s - 561.14s)

Yeah. No, I love that analogy. And to be honest with you, you know, I look at cybersecurity

Speaker 1 (561.14s - 565.22s)

teams as kind of naturally scrappy. They love to tinker.

Speaker 3 (567.26s - 567.6s)

They know that there are threats out there.

Speaker 1 (568.96s - 569.34s)

You know, they're naturally scrappy.

Speaker 3 (571.72s - 578.82s)

Where my concern is, is the rest of the organization. Your finance team isn't naturally scrappy. Your HR team is not naturally scrappy.

Speaker 1 (580.48s - 580.56s)

I don't know about that.

Speaker 3 (582.74s - 585.12s)

Matt knows this, but I'm a former finance person. So I grew up in the finance ranks.

Speaker 1 (585.5s - 590.12s)

And there's a lot of scrappy finance folks, because if you think about when you're cost

Speaker 3 (590.12s - 593.72s)

cutting and when you're trying to get increased yield and stuff like that, you have to get really

Speaker 0 (593.72s - 600.36s)

innovative and creative. You just got to take those concepts that are applied in their particular

Speaker 1 (600.36s - 638.92s)

domain and figure out how to apply them in the cybersecurity sense. And as we all know, and the other thing that we've got to think about is well beyond the traditional cybersecurity side of things, because there are cyber physical events and physical cyber events. And now that I'm in Hidden Layer, there's also all these AI-related attacks and incidents that are occurring that people haven't even developed a playbook and incident response plan. They haven't instrumented even to alert on attacks against that stuff. So we also have to also stay in front of where the technology and threat vectors are

Speaker 0 (638.92s - 644.2s)

going and start training around those because if we don't, we're always going to be a fight

Speaker 1 (644.2s - 647.36s)

behind versus the fight

Speaker 2 (647.36s - 652.26s)

that's in front of us. Right. Yeah. And I mean, we've got to think about loss of life and the

Speaker 1 (652.26s - 658.76s)

human element in certain industries, right, that also play into these exercises. Because if you're

Speaker 2 (658.76s - 687.06s)

in, I was in nuclear power, I spent a little bit of time in oil and gas. Like, there is loss of life possible in some of these scenarios. Now, not every industry is going to go through that. But that just to your point, I think a little bit, Malcolm, is it adds a layer of complexity. You have to be prepared for because in the throes of it, losing life could really disrupt any kind of practice that you've ever done because it's super disruptive.

Speaker 1 (687.6s - 688.14s)

1,000%.

Speaker 2 (688.14s - 692.88s)

I mean, almost, you know, most companies, assuming you're not in a company that's fully remote,

Speaker 1 (693.18s - 725.1s)

they have buildings. Well, guess what? Buildings have fire life safety systems in them, right? They have elevators. You know, those things could also be weaponized in different ways to impede a physical event or create a physical event. The other thing I posted this morning, the United Healthcare attack that cost them a lot of money. Again, everything out there is about the ransom and it's about the records that were breached. And I'm like, well, what about the data integrity of my health

Speaker 0 (725.1s - 730.76s)

records? That actually matters more to me. And guess what? Most of the time, anytime you see a ransomware

Speaker 1 (730.76s - 752.44s)

or health care thing, it's, oh, they got ransomed or, oh, my God, the data has been breached and the confidentiality has been exposed. When I actually really care more about the integrity of my health records. And I doubt very much that institutions go into the data integrity. And that actually could have more consequential impact, not only

Speaker 3 (752.44s - 765.56s)

on business processes, but on human life. Yeah. And just to just to click into that a little bit more, that just shows the importance of having diverse scenarios when you're doing these exercises. It's not just always practicing the ransomware attack.

Speaker 1 (766.38s - 768.02s)

No, you're totally right.

Speaker 3 (768.1s - 772.94s)

So I'll give you an Intel example, because again, I oversaw Corpenter and a few other things.

Speaker 1 (773.24s - 849.46s)

Go back, what, 15 years ago. We were doing, we did a 48-hour follow-the-sun exercise across every physical site of Intel, every business unit, and the scenarios were solar flares, think of, you know, what happened recently, that were so dramatic that they started affecting satellite coverage, airlines, communications. We even had people in the Philippines call in and create a mock event because of the power outage that then created riots that then caused people to want to come, you know, into the warehouse and stuff like that. So we really tested physical, logical, transportation, stranded employees. And guess what? Six months later, a volcano in Iceland erupted. And the plumes of ash then came over Europe and it affected our Amsterdam warehouse and shipping hub. Well, guess what? Because we had actually trained in an extreme, almost far-fetched scenario, we tightened up some things about shipment of product and passengers and employees in different locations. So again, get far-fetched on it. That drill in the extreme to be prepared for the ordinary, it works.

Speaker 2 (851.08s - 907.72s)

Yeah, I mean, even just in basic exercises, because when I first came to CyberSaint, we started an exercise. It was interesting for me because it was my first one, didn't have a ton of time with the company, just getting our arms around what we consider to be critical assets and critical systems even in a basic scenario was eye-opening, like super eye-opening, right? I was like, wait a minute, if Salesforce goes down, what's that impact? Like, what if the data is deleted? Like, it was just some interesting ways to think about it, and we weren't even going super crazy, Malcolm. We were just trying to run through some scenarios that were susceptible to from our risk profile. That even when you do the basics, you, it is pretty eye-opening to see what you're actually prepared for and what systems. And do we even know who our Salesforce contacts are to get our Salesforce environment back? No, we didn't have them. Like, even the basic stuff.

Speaker 1 (908.3s - 939.62s)

Well, think of how many people were ill-prepared for the pandemic. And guess what? You had to rely on IT systems in that sense. That's why you also can't just pigeonhole to a cyber incident. You have to think about a wide variety of things, including where IT and your security stuff is going to have to scale up in order to absorb a physical event, whether it be a fire, a flood, an ice storm, a pandemic, right? Yeah.

Speaker 3 (939.76s - 964.64s)

And Malcolm, it's funny that you mentioned that, right? So in a previous organization, you know, we were a services organization, half a billion dollars in revenue, you know, servicing 35 of the Fortune 100. And we used to have this kind of joke scenario called the zombie apocalypse, literally called the zombie apocalypse. And it was when the stuff hits the fan. Do you know that the majority of those exercises that we went through we used during the pandemic? Yeah.

Speaker 2 (965.42s - 968.56s)

Because we were testing for the zombie apocalypse, right?

Speaker 3 (969.3s - 972.78s)

There's so many people that I talked to that were like, well, we never considered that.

Speaker 1 (972.84s - 979.08s)

And I'm like, look, I helped build Intel's pandemic response plans in 2003. Yeah.

Speaker 0 (980.46s - 980.64s)

Yeah.

Speaker 1 (980.82s - 982.46s)

And SARS happened.

Speaker 0 (983.02s - 988.92s)

And we had, you know, an impact in an Asia location with hundreds of employees.

Speaker 1 (989.62s - 996.14s)

Ebola happened, and we had, you know, some employees that were in region and then coming back, right?

Speaker 0 (996.14s - 1007.08s)

So, you know, again, thinking beyond just what has occurred recently in terms of the full spectrum of potential risks, and then go tease

Speaker 1 (1007.08s - 1009.1s)

those things out because you learn a ton.

Speaker 3 (1010.44s - 1039.9s)

So here's a question for you, Malcolm, because, I mean, we live in this world, right? We live in cybersecurity. We live in technology. For a CIO or a CISO or someone who's not in the technology vertical or cybersecurity vertical, how do you start convincing other C-level executives to want to do this? Because you have to have the buy-in from the rest of the company. You have to have the buy-in from the other C-level executives because they need to be part of these scenarios. So how do you get that, how do you get that buy-in?

Speaker 1 (1040.66s - 1094.44s)

To be honest, if you don't have it, don't just go do it anyways. I never ask for permission, right? So if you're sitting back on your heels waiting for buy-in, you're already missing the boat. I think you can wrangle up a bunch of people in an organization, grab them from finance, grab them from HR, grab them from the factory team, grab them from your cybersecurity team, grab them from a few different spots and say, hey, you know, we're going to be doing this. Most organizations of a decent size already have some type of BCP/DR, emergency response, stuff like that. And if you don't, it's your opportunity to create it for the company because they're going to need it well beyond cyber. And if somebody goes to shut you down, you know, frankly, it's probably an organization you don't want to work for anyways. That's a great point.

Speaker 3 (1094.94s - 1099.72s)

That's a great point. Don't allow, you know, friction from the organization to stop you from getting.

Speaker 1 (1099.92s - 1121.64s)

Never wait for permission. You know, hesitation kills. You know that from the Marines, right? Yep. When you hesitate, you die. So keep moving and keep moving forward. And drag, push, pull, kick, however you can, your organization forward.

Speaker 2 (1123.44s - 1150.12s)

Malcolm, when you think about priorities as a CISO walking into a brand new environment, how do you prioritize this over all the other things you have to do? Right? Because look, you can't do it all day one when you walk in the door, right? So where does this fit in your prioritization? How do you think about when are you ready to start doing these types of exercises in preparation compared to some of the other stuff that you'd have to do

Speaker 1 (1150.12s - 1267.2s)

when you first want? To be honest, to me, it's all intertwined, right? So you think of what we were talking about, prioritization. I can still rattle off Intel's macro business processes, book, order, pay, build, ship, close, and communicate. Any one of those could have a major disruption. Then you go, okay, what are the business processes, right? I'm a former finance guy. You've got the SEC rules. Materiality. Well, guess what? I was doing materiality analysis at Intel 22 years ago because as a former finance person, you know what my design goal was for cybersecurity? No material or significant events. Now, once you put that as a design goal, then you go, okay, well, what could cause that? And then walk the chain down. And you could start with, you know, the financial statements. You start with the risk statements that are already in the financial statements. You can go talk to the head of enterprise risk management. It's not that hard to do. What do you think I did in my first week in Hidden Layer? Well, I did a materiality analysis, right? And I'm like, here's the five things that if they happened could cause an extinction level event for the company. Some of them were indirect triggers from a cyber perspective, but I still went and talked to the people who owned them to figure out the direct or indirect trigger to it, and then made sure their business processes were hardened in case something went bump on the technical side that could trigger it. Wasn't that hard. Now, in a startup, you could argue it's a lot easier than going into a 30, 40, 50, 100,000 person company. But at the end of the day, the basics are the same. What could cause a material or significant event, get alignment on that, and then figure out how technology and information flow can directly or indirectly trigger that.

Speaker 2 (1268.42s - 1271.02s)

Sounds like top-down risk management.

Speaker 1 (1271.08s - 1271.4s)

Yeah.

Speaker 2 (1271.62s - 1272.04s)

Wow.

Speaker 1 (1272.14s - 1275.8s)

I mean, if I was in a food and beverage organization, what do you think would be my number

Speaker 2 (1275.8s - 1280s)

one business risk if I was selling hamburgers all day long?

Speaker 1 (1281.86s - 1282.92s)

Food safety.

Speaker 2 (1284.24s - 1289.56s)

If, you know, if the hamburger meat goes bad

Speaker 1 (1289.56s - 1293.26s)

or lettuce tainted with E. coli and people get sick or die,

Speaker 2 (1293.86s - 1297.34s)

one physical consequence, two liability and cost.

Speaker 1 (1297.8s - 1322.16s)

And guess what? There is an IT cybersecurity component of it, because how do you know the food is safe? It's the data that flows from the slaughterhouse all the way to the point of sale. And if somebody could manipulate that data, they could kill your customers. Okay, not that hard. So now, do you typically

Speaker 3 (1322.16s - 1328s)

take some of those extinction level events and start creating exercises around those?

Speaker 1 (1328.06s - 1379.5s)

Exactly. Right? Yep. Because our job is to, you know, prevent as much as possible, detect what you can't, and respond, all in a hopefully a design framework that limits the potential of an issue occurring and the potential for harm or, when harm is occurring, limit the blast radius and limit the duration, right? Intercept it as fast as possible. And also, this is a problem that people also screw up. They go, well, the business accepted the risk. Okay, that is a business process. It's not a control. And when you accept a risk, you're also accepting the responsibility and accountability to respond to it if it ever manifests itself.

Speaker 3 (1381.4s - 1390.9s)

I mean, just because you accept risk doesn't mean it negates the ability to or the want to respond. You still need to respond to it. You've just accepted it as a risk to the organization.

Speaker 1 (1391.04s - 1397.98s)

Exactly. You still have the obligation to respond should it manifest itself. Right. And most people realize that. Yeah.

Speaker 2 (1398.06s - 1426.12s)

And I think that was part of what we were talking through yesterday a little bit on that SEC reporting stuff. If you're not running through some of these scenarios and understanding what is material and what's not, then you're not going to be in a position to figure out when or when not to disclose if something actually happens, right? And I don't know how people can be prepared for all the new SEC requirements if they have not gone through kind of that level of kind of testing.

Speaker 1 (1427s - 1431.58s)

I would argue that particularly if you're in a public company,

Speaker 2 (1433.42s - 1436.5s)

if you don't know what is material,

Speaker 1 (1436.74s - 1457.7s)

you haven't been doing your job. Period. End of story. It baffles me that people go, well, we don't know if this is a material cyber event or not. Then I'm like, well, what the hell have you been doing in your role if you don't know what could cause a material event

Speaker 2 (1457.7s - 1462.34s)

and what a cyber component directly or indirectly could do

Speaker 1 (1462.34s - 1465.08s)

I'm like I just I'm baffled at it.

Speaker 2 (1465.98s - 1472.1s)

So, so let's, let's look at the Clorox 8-K and a couple of the other ones where the SEC has

Speaker 1 (1472.1s - 1477.76s)

actually come out and said, that wasn't material. Why did you disclose it? So I've just,

Speaker 2 (1477.98s - 1487.94s)

I'm throwing it out there, Malcolm, because this is what's happening right now is companies were preparing. They almost were over disclosing. And the SEC came back and said,

Speaker 1 (1488.02s - 1593.52s)

was that really material for you to disclose? Yeah. So let's look back in history. I wrote a paper over a year ago that I published called Materiality Matters. I was the first CISO to ever disclose a cybersecurity incident in its 10-K reporting, and I did it in 2010. Sarbanes-Oxley made it clear around materiality and disclosure rules. A lot of organizations swept it under the rug, kicked it under the can, you know, whatever. They either didn't know or said, well, nobody else has done it. Then the, you know, 2011 SEC made more guidance. 2018, more guidance. And guess what? People are still not disclosing. So therefore, they ratchet up the requirements. Well, guess what? Now everybody's going on, I'm going to do a CYA, cover my ass. And I'm going to disclose all these things. When the actual 8-K has meant to be reporting of material events only. There are some aspects of the form, and I can't remember the, I think it's number 10 or something like that, that you could have some, what I'd say, potential things that you do, but there's different forms. But the 8-K, you know, the one ruling for cyber is meant for just material events that you've determined it, not cover your ass. And again, that doesn't help anybody. That doesn't help investors. And I, and I, it's a shame that people have over rotated versus being understanding it and then appropriately reporting it. Yeah.

Speaker 2 (1593.84s - 1594.36s)

Yeah.

Speaker 1 (1594.36s - 1605.7s)

And I think when you see some of the action, some of the lawsuits, some of the indictments, people went into a CYA mode in some respects.

Speaker 2 (1605.82s - 1608.3s)

Because it put a pretty big target on a couple of CISOs' backs.

Speaker 1 (1608.66s - 1678.1s)

No, I totally agree. And you could argue that, again, was mistakes in communication, mistakes in truing up what you said here versus what you said there. You know, the other thing, and again, we talk about drilling the extreme and fight like you want to fight. You know, again, I posted this and said this many times before. If you haven't done it, get with your counsel and do a mock deposition not only of yourself, your incident responders, your CIOs, and everybody else. Because guess what? When an incident occurs, there's all this fog of war and emotion, banter and all this crap that happens that says, Malcolm doesn't know what he's doing. And Joey is always a pain in the ass. And Jane didn't do what she was supposed to do. And guess what? Post incident, the plaintiff's attorney is going to grab all that communication and weaponize it against you to increase your liability. Not only as a company, but potentially for you. So you also really need to think about that aspect of your drill preparedness and do those type of exercises. That's a great recommendation.

Speaker 2 (1678.46s - 1685.22s)

So let's take a quick break here. And then we'll come back and we'll dig into how to actually prepare for an incident.