Episode Transcript
WEBVTT
1
00:00:02.480 --> 00:00:07.799
Welcome to the Chief of Cyber Security
Podcast, where we discuss relevant information concerning
2
00:00:07.799 --> 00:00:13.000
the cyber security workforce, business development
and best practices. Made possible by [unintelligible].
3
00:00:13.039 --> 00:00:16.559
To learn more, visit [unintelligible].
For a list of
4
00:00:16.559 --> 00:00:24.320
authorized publications, visit dwaynehart.com.
And now here's your host, Dwayne Hart.
5
00:00:24.440 --> 00:00:29.440
Welcome again, welcome back to another
session of the Chief of Cyber Security
6
00:00:29.559 --> 00:00:38.920
podcast, always driving awareness, always
talking about relevant topics in the cyber security
7
00:00:39.039 --> 00:00:44.240
industry. One of the things I
always like to state is that throughout my
8
00:00:44.320 --> 00:00:52.159
career I've seen a lot of disconnections
when it comes to cyber security, and
9
00:00:53.079 --> 00:00:58.840
that was one of the motivations for
writing the Cybersecurity Mindset, is that
10
00:01:00.079 --> 00:01:06.359
I wanted to at least raise awareness
on certain topics toward cyber security, so somebody
11
00:01:06.359 --> 00:01:11.840
in the industry could become wiser in
their decision making. Now, speaking of
12
00:01:11.879 --> 00:01:19.560
decision making, one of the areas
that we focus on a lot in cybersecurity is
13
00:01:19.599 --> 00:01:26.640
the decisions that are made toward risk. Right now, risk is something that
14
00:01:26.760 --> 00:01:33.719
can cause potential harm. All
right, so in this cybersecurity world there's
15
00:01:33.719 --> 00:01:42.359
a certain mentality, such
as, I have not been hacked, I
16
00:01:42.439 --> 00:01:47.599
can't find any problems. All of
our reports are in the green, so
17
00:01:48.040 --> 00:01:53.799
my environment is safe, and this
creates what I call a zero risk mentality,
18
00:01:53.959 --> 00:02:00.120
and today we're going to talk about
having a zero risk mentality now.
19
00:02:00.280 --> 00:02:07.080
Now, zero risk mentality for this
podcast session is about the mindset of saying
20
00:02:07.120 --> 00:02:14.919
that we have no problems, we
are never going to have problems, right,
21
00:02:15.840 --> 00:02:21.639
and all of my reports are showing
in the green, so I'm good.
22
00:02:21.680 --> 00:02:23.840
So I can cross my legs,
I can put them up on the desk
23
00:02:23.879 --> 00:02:28.840
and I can feel happy now.
But you know what, in the crevices
24
00:02:28.960 --> 00:02:35.479
of some systems, there are problems. So in this podcast session let's just
25
00:02:35.919 --> 00:02:43.199
focus on zero risk mentality. I
want to bring up something that's very important
26
00:02:43.199 --> 00:02:49.919
here, is that when
we think about combat warfare, right,
27
00:02:50.879 --> 00:02:54.599
and we think about cyber security warfare, and we look at how both of
28
00:02:54.599 --> 00:03:02.319
those operate, we know that
threats times vulnerabilities equal risk.
29
00:03:02.759 --> 00:03:09.560
So when you have a zero risk
mentality, right, you're saying that there
30
00:03:09.919 --> 00:03:17.560
is no risk. Okay, imagine a battle commander taking
31
00:03:17.639 --> 00:03:30.159
troops on a mission and he always assumes
there are no risks. Okay, imagine the
32
00:03:30.159 --> 00:03:36.919
complications that could happen. So
in cybersecurity itself, and in cyber warfare,
33
00:03:37.319 --> 00:03:42.759
if you're thinking that you don't have
risk right now, what
34
00:03:42.879 --> 00:03:49.360
happens is that you cause more
risk, and that's called human-induced risk,
35
00:03:49.400 --> 00:03:54.199
and a lot of times human
induced risk happens because people don't have
36
00:03:54.319 --> 00:04:00.680
that defensive mindset to position themselves as
a human firewall. Later on we're
37
00:04:00.800 --> 00:04:08.080
going to deep dive into those topics
and find out what the defensive mindset and
38
00:04:08.199 --> 00:04:15.039
the human firewall is all about
in the Cybersecurity Mindset. Chapters eleven,
39
00:04:15.120 --> 00:04:20.800
twelve, thirteen, fourteen and fifteen
are going to expand on this podcast
40
00:04:20.879 --> 00:04:25.800
session here. All right. So I'll repeat that again,
41
00:04:25.920 --> 00:04:30.720
chapters eleven, twelve, thirteen,
fourteen and fifteen, because this
42
00:04:30.800 --> 00:04:39.920
podcast session is driven toward that
risk based attitude. There is another term,
43
00:04:40.040 --> 00:04:45.079
which is another technology that is growing
well, which is called zero
44
00:04:45.240 --> 00:04:49.680
trust. Okay, so I'm
going to break it down here. You
45
00:04:49.720 --> 00:04:54.319
know, what is the difference between
Zero Trust and zero risk? Okay,
46
00:04:54.879 --> 00:05:00.720
zero trust means that you
don't trust anybody on a system. Okay,
47
00:05:00.040 --> 00:05:05.680
and zero risk is saying that I
ain't got no problems. Okay,
48
00:05:06.199 --> 00:05:14.480
a zero trust attitude can defeat the zero
risk mentality. So I just want to
49
00:05:14.480 --> 00:05:19.759
bring it up, and that's
very important. So let's deep dive
50
00:05:19.839 --> 00:05:25.000
into this podcast session a little bit
more and talk about zero risk and,
51
00:05:25.560 --> 00:05:28.879
you know, let's just go over some of the concepts.
52
00:05:28.959 --> 00:05:31.360
You know what we're going to talk
about. We're going to roll into talking
53
00:05:31.360 --> 00:05:36.720
about a risk management culture. What
is a risk management culture made of?
54
00:05:38.120 --> 00:05:44.839
We're going to deep dive into a
risk based attitude and then progress into talking
55
00:05:44.879 --> 00:05:51.120
about some of these security risks that
you have when you have a zero risk
56
00:05:51.199 --> 00:05:56.560
mentality. And then lastly I want
to talk about implementing a culture shift.
57
00:05:56.800 --> 00:06:00.680
Okay, how can you really take
a culture and shift it outside of that
58
00:06:01.399 --> 00:06:09.680
zero risk mentality and drive a risk
based attitude? All right, you know,
59
00:06:11.480 --> 00:06:16.079
one of the analogies I always like
to use, especially about risk, is
60
00:06:16.120 --> 00:06:23.560
this: imagine a car,
right, and imagine that car having a
61
00:06:23.560 --> 00:06:28.399
bad part. Everyone that has a
car knows that when you have a bad
62
00:06:28.399 --> 00:06:32.560
part, sometimes you can still drive
that vehicle right, but eventually that part
63
00:06:32.600 --> 00:06:40.000
is going to fail. But when,
we don't know. So take that same
64
00:06:40.079 --> 00:06:45.519
concept and apply it to IT and
cyber security. When you have issues
65
00:06:45.839 --> 00:06:51.879
that are growing and just continue
to evolve on the system, if you
66
00:06:51.959 --> 00:06:58.600
do not take care of those issues, eventually something kind of scary is going to
67
00:06:58.680 --> 00:07:03.959
happen. And if someone has a
zero risk mentality, this is the outcome.
68
00:07:04.439 --> 00:07:12.839
All right. So in order to
really focus more so on zero risks,
69
00:07:14.959 --> 00:07:20.360
someone has to understand how compliance works, because compliance is saying, okay, then
70
00:07:23.199 --> 00:07:28.800
you know, I reached my benchmark.
But then you have to understand compliance, because
71
00:07:28.839 --> 00:07:31.120
there's a benchmark score that you get,
right. Let's say, for instance,
72
00:07:31.160 --> 00:07:38.240
if you had an assessment and if
you failed, or let's say if you passed
73
00:07:38.279 --> 00:07:44.600
the assessment right and let's say the
score was ninety percent, well, you're
74
00:07:44.639 --> 00:07:46.240
not supposed to go in your office
and put your feet up on your desk
75
00:07:46.319 --> 00:07:51.800
and say I passed. All right,
that is a zero risk mentality. What
76
00:07:51.959 --> 00:07:58.839
should happen is a person should extend
their risk based attitude and say, okay,
77
00:07:58.879 --> 00:08:00.959
I passed at ninety or ninety-two
percent, but I need to keep
78
00:08:01.000 --> 00:08:05.839
my foot on the pedal. One
of the other factors is that risk discovery
79
00:08:05.879 --> 00:08:16.600
and opportunity provide advanced insight. So
when you have a risk based attitude,
80
00:08:16.680 --> 00:08:22.160
you are always thinking, okay,
although I found risk on the
81
00:08:22.279 --> 00:08:28.720
enterprise. I know that I have
problems, but I'm going to take this
82
00:08:28.839 --> 00:08:35.879
moment to improve operations or cyber security
for the enterprise, because a lot of
83
00:08:35.879 --> 00:08:39.679
times organizations are trapped into believing that
when they find issues, that is bad.
84
00:08:39.879 --> 00:08:43.399
Yeah, yeah, it can be
bad, but also too it's an
85
00:08:43.399 --> 00:08:50.600
opportunity for success. So if someone
has a zero risk mentality, then, right,
86
00:08:52.080 --> 00:08:58.600
and if they find issues, then
primarily what is going to happen,
87
00:08:58.879 --> 00:09:05.480
okay, is that they may get
a little hostile, all right, and
88
00:09:05.600 --> 00:09:09.799
say, oh man, we got
issues up here now, okay, because,
89
00:09:11.039 --> 00:09:15.200
you know what, we shouldn't have
any issues. Okay, because I
90
00:09:15.200 --> 00:09:20.399
don't believe we have any issues.
You know, that's okay, but
91
00:09:20.519 --> 00:09:24.240
keep in mind that this is a
place where you can gain insight into your
92
00:09:24.360 --> 00:09:30.159
environment, because with a risk based
attitude, then you're always thinking about,
93
00:09:30.279 --> 00:09:33.039
hmm, if I find problems,
it's going to give me a chance to
94
00:09:33.080 --> 00:09:37.320
fix it and I'm going to make
it a lot better the next time.
95
00:09:39.720 --> 00:09:43.279
One of the other areas too here
is that security culture will suggest risk based
96
00:09:43.600 --> 00:09:50.759
on unknowns and assumptions versus in-depth analysis. So when you have a zero risk
97
00:09:50.799 --> 00:09:54.399
mentality, you're just looking at the
surface. Okay, everything is in the
98
00:09:54.440 --> 00:10:01.039
green. Oh yes, the green
means that I passed right. So we
99
00:10:01.159 --> 00:10:05.759
know that there are certain organizations,
or there are certain people that love to
100
00:10:05.799 --> 00:10:09.120
be in the green and in order
to get in the green, then they
101
00:10:09.120 --> 00:10:16.000
would do little clever things like move
printers off of their reports so they can
102
00:10:16.799 --> 00:10:22.200
skew that metric to go
and reach a certain level. Okay,
103
00:10:22.440 --> 00:10:28.039
this is that zero risk mentality in
place. All right. One of the
104
00:10:28.120 --> 00:10:35.279
outcomes too is that for zero risk
is that it creates more risk. It's
105
00:10:35.360 --> 00:10:39.879
reactive versus proactive engagements. So that
means that when you have that zero risk
106
00:10:39.960 --> 00:10:46.320
mentality in place and you're saying that,
hey, we do not have any risks
107
00:10:46.360 --> 00:10:50.399
on the enterprise, okay, you're
going to spend more time trying to respond
108
00:10:50.440 --> 00:10:56.039
to issues. But if you dispel
that and move it out of the way,
109
00:10:56.559 --> 00:11:01.440
you become proactive and say that, hey, although we haven't found any issues,
110
00:11:01.480 --> 00:11:07.120
I still think that we need to
assess this enterprise. This is zero risk,
111
00:11:07.200 --> 00:11:13.759
one-oh-one. Now zero risk
has a direct relationship to
112
00:11:15.120 --> 00:11:18.600
the risk management culture. So,
let's talk about the risk management culture.
113
00:11:18.679 --> 00:11:24.919
Now, what is the risk management
culture? Okay, it is a
114
00:11:26.039 --> 00:11:31.799
place where you can identify and manage risk
across the enterprise, because it's a holistic
115
00:11:31.840 --> 00:11:37.879
way of looking at the enterprise and
looking at where your weak points are and
116
00:11:37.919 --> 00:11:41.440
trying to look at what your gaps
are and trying to come up with some
117
00:11:41.200 --> 00:11:50.039
solutions to reduce risk on the enterprise. It also provides integrated management reporting.
118
00:11:50.480 --> 00:11:56.519
So let's go back to being in
the green. These are reports that are
119
00:11:56.639 --> 00:12:03.679
established for management to review. But
if an organization has a zero risk mentality,
120
00:12:03.759 --> 00:12:11.200
then sometimes the green may not be
true. Reduce vulnerability to adverse events?
121
00:12:11.360 --> 00:12:16.080
Yes, because we know that risk
is equal to threat times vulnerability. So
122
00:12:16.320 --> 00:12:20.360
in order to reduce your risk on
the enterprise, you have to reduce
123
00:12:20.399 --> 00:12:26.799
your threats and your vulnerabilities. Some
of the other factors is the ability to
124
00:12:26.840 --> 00:12:31.879
align the risk appetite and strategy.
Okay, what's your risk appetite? This
125
00:12:33.000 --> 00:12:35.799
is the amount of risk that you can
deal with and what's your strategy toward the
126
00:12:35.919 --> 00:12:45.440
risk? So, with this zero
risk mentality here, right, imagine the
127
00:12:45.480 --> 00:12:50.320
appetite. All right, so you
know, the appetite is probably large now,
128
00:12:50.399 --> 00:12:54.240
right, large, but if you have
a risk based attitude, then the appetite
129
00:12:54.279 --> 00:13:00.279
gets really low because you don't want
risk to be around. Some of the
130
00:13:00.320 --> 00:13:07.120
other factors too here is that it helps to
seize opportunities. Yeah, when you have
131
00:13:07.279 --> 00:13:16.519
a risk management culture you are looking
at avenues to seize opportunities. This goes
132
00:13:16.559 --> 00:13:24.200
back to chapter fourteen of the Cybersecurity Mindset, responsible actions and ownership.
133
00:13:24.759 --> 00:13:30.879
Someone has to take responsibility, someone
has to take ownership for cyber security.
134
00:13:31.039 --> 00:13:35.039
And if no one takes responsibility and
ownership then it's just like leaving a
135
00:13:35.080 --> 00:13:41.399
system out there by itself, unguarded,
and you see that happens a lot with
136
00:13:41.559 --> 00:13:46.679
different technology teams, because you
will hear familiar terms such as, it's
137
00:13:46.759 --> 00:13:52.240
the responsibility of the networking team,
or that's the responsibility of the help desk team.
138
00:13:54.480 --> 00:13:56.720
Well, it's not my ticket.
Well, it's not my job.
139
00:13:56.799 --> 00:14:00.320
Yeah, that's true, but I
think there should be some type of involvement
140
00:14:00.799 --> 00:14:07.399
and push from others just to make
sure that you get things done. Something
141
00:14:07.480 --> 00:14:13.840
else. Zero risk mentality defeats the
risk management culture. You see, now
142
00:14:13.879 --> 00:14:20.480
the purpose of a risk management culture
is to manage risks and to reduce risk.
143
00:14:22.559 --> 00:14:26.759
So if you have a zero risk
mentality, then you're not helping out
144
00:14:26.799 --> 00:14:31.440
at all. Okay, because that
mentality is saying that we don't have any
145
00:14:31.480 --> 00:14:37.759
problems. Every IT person that has
worked in cyber security knows that in the
146
00:14:37.799 --> 00:14:46.480
crevices of every environment there's always risk
in place. Now, so let's just
147
00:14:46.519 --> 00:14:52.519
move on to do a deeper dive
into that risk based attitude. How do
148
00:14:52.600 --> 00:14:58.879
we honestly build a risk based attitude? I've always brought up the concept called
149
00:14:58.879 --> 00:15:03.679
a human firewall. A human
firewall is a defensive mindset that someone
150
00:15:03.799 --> 00:15:09.519
has, where they become the
protector of the enterprise. Now I'm not
151
00:15:09.600 --> 00:15:15.639
here to say that someone has a
weapon and is standing outside of a data center.
152
00:15:15.759 --> 00:15:18.000
No, no, it's not.
It's not so much in a
153
00:15:18.039 --> 00:15:24.799
physical form, it is more so
a mentality, okay, which is a
154
00:15:24.879 --> 00:15:33.759
thinking process that states, okay,
I want to make sure that the system
155
00:15:33.799 --> 00:15:37.840
stays protected. Right, in order
to make sure that the system stays protected,
156
00:15:37.879 --> 00:15:41.960
then I need to have that risk
based attitude, and part of that
157
00:15:43.039 --> 00:15:54.480
risk based attitude can be something
like the defensive mindset, that is one, okay.
158
00:15:56.639 --> 00:16:00.360
One of the other factors that you
have in place is like negative thinking,
159
00:16:00.480 --> 00:16:07.080
right, because when you have negative
thinking in place right, you are
160
00:16:07.159 --> 00:16:11.679
not going to become a human
firewall. You're going to be thinking,
161
00:16:11.679 --> 00:16:17.159
okay, cybersecurity, it's really not
important, I don't care. Well,
162
00:16:17.200 --> 00:16:21.759
you know, that's the
job of the networking team. Cultural
163
00:16:21.799 --> 00:16:26.799
identity is very important, because
what happens is that when cyber security environments
164
00:16:26.799 --> 00:16:30.519
have a culture that
is operating, and there's a buy-
165
00:16:30.600 --> 00:16:38.759
in for cybersecurity, people become
human firewalls, right, because they
166
00:16:38.799 --> 00:16:47.000
want cyber security to operate. Now, trying to build human firewalls is a
167
00:16:47.080 --> 00:16:52.320
mental concept, it is a buy-in
structure. It is having a
168
00:16:52.360 --> 00:16:56.200
team of people that really wants to
be on board and to embrace the cyber
169
00:16:56.200 --> 00:17:02.600
security culture, because a lot of
times CISOs are regarded as the
170
00:17:02.639 --> 00:17:08.680
gatekeepers, right, and told that
you are the one that's carrying the flag
171
00:17:08.720 --> 00:17:12.839
for cybersecurity. Yes, you know, and in so many ways it's true,
172
00:17:12.880 --> 00:17:18.960
but a CIO, CISO,
cannot survive by themselves, him
173
00:17:18.079 --> 00:17:23.720
or herself. All right. So what happens is that that CISO
174
00:17:23.799 --> 00:17:29.480
depends on the culture, and part
of that culture is to have a buy-in
175
00:17:29.599 --> 00:17:34.920
structure that's in place, and part
of that buy-in structure is that people
176
00:17:36.079 --> 00:17:40.759
can discourage risk. All right.
Now, that is the premise of the
177
00:17:40.839 --> 00:17:45.240
human firewall theory. All right, you yourself want to discourage
178
00:17:45.359 --> 00:17:48.880
risk because you don't want risk to
be in place. But when there's a
179
00:17:49.039 --> 00:17:56.000
zero risk mentality there, it kind
of defeats the human firewall concept.
180
00:17:56.279 --> 00:18:02.559
So that's something that's very
important too, because what all of this leads
181
00:18:02.640 --> 00:18:08.880
into is complacency. When you think
of complacency, you can think of it
182
00:18:08.960 --> 00:18:18.720
think of it as a lapse in
involvement, a lapse in understanding the environment,
183
00:18:18.200 --> 00:18:22.759
a lapse in being part of cybersecurity. You know, there's a lot
184
00:18:22.799 --> 00:18:36.720
of times when organizations use visual
data to represent risk, and sometimes individuals depend
185
00:18:36.920 --> 00:18:44.359
more on that visual data than trying
to interpret the data. What that means
186
00:18:44.559 --> 00:18:49.000
is that if you look at
a dashboard and if you see a score
187
00:18:49.039 --> 00:18:57.079
at ninety percent, now when you
do an in-depth analysis, you should
188
00:18:57.119 --> 00:19:00.200
go through and say, okay,
it's ninety percent, but let's see,
189
00:19:00.200 --> 00:19:06.119
how did we achieve ninety percent?
A zero risk mentality is saying, Oh
190
00:19:06.200 --> 00:19:07.559
yeah, we're at ninety percent, we are good. Okay, you
191
00:19:07.640 --> 00:19:11.920
got to stop there, okay,
because you're not even going to try to
192
00:19:11.960 --> 00:19:17.119
do any research at all. So
I always bring up the concept, especially
193
00:19:17.200 --> 00:19:22.480
about visual data, because visual
data, it's just our indicators, right,
194
00:19:22.759 --> 00:19:26.079
it tells us where we are.
But still there needs to be an
195
00:19:26.079 --> 00:19:30.640
in-depth analysis on that visual data,
because sometimes that visual data can be
196
00:19:30.680 --> 00:19:37.920
fed the wrong information. Now this
is where data quality comes into place.
197
00:19:37.079 --> 00:19:41.279
All right, you should be doing
data quality checks. You should be
198
00:19:41.359 --> 00:19:45.200
checking systems, because a lot of
times the application tools may not be getting the
199
00:19:45.319 --> 00:19:52.880
right feed and the right information.
So when you have someone that operates on
200
00:19:52.880 --> 00:19:59.799
the concept of a human firewall, they are always searching and prowling to
201
00:19:59.839 --> 00:20:06.640
make sure that something is accurate.
So, with that said, think
202
00:20:06.680 --> 00:20:15.799
about the zero risk mentality and how
it affects cybersecurity, because there are some
203
00:20:15.079 --> 00:20:21.960
risks that go along with the zero
risk mentality. One is reputation. You
204
00:20:22.079 --> 00:20:27.319
can destroy company reputation with the zero
risk mentality, because if you have partnering
205
00:20:27.400 --> 00:20:33.319
companies and let's say you have an
audit and you tell them, Hey,
206
00:20:33.839 --> 00:20:40.559
we scored ninety percent on our audit
and we're good to go and you never
207
00:20:40.599 --> 00:20:44.480
did an in-depth analysis of that
ninety percent, and then later on your partner
208
00:20:44.519 --> 00:20:48.160
company finds out that you had a
problem. See, that's your
209
00:20:48.200 --> 00:20:55.039
word. See, now that's your reputation. Upstream and downstream compliance,
210
00:20:56.079 --> 00:21:07.519
because upstream compliance means that person
B is responsible to, what's the
211
00:21:07.599 --> 00:21:14.839
relationship for, person A. Downstream
compliance means that person B has a responsibility
212
00:21:14.960 --> 00:21:21.519
with person C. So imagine person
B having a zero risk mentality, like
213
00:21:21.599 --> 00:21:26.559
they don't care, saying I'm always
right because you know what the system is
214
00:21:26.559 --> 00:21:32.039
still going. So like we don't
have problems. Imagine the type of relationship
215
00:21:32.079 --> 00:21:37.000
that you build. You also can
increase vulnerabilities because when you have a zero
216
00:21:37.359 --> 00:21:42.519
risk type of mentality, you are
always going to increase vulnerabilities because you're not
217
00:21:42.599 --> 00:21:49.799
doing that in-depth analysis of
your systems and your applications, and accurate
218
00:21:49.920 --> 00:21:56.279
tracking and metrics. Okay, when
it comes to metrics and tracking information,
219
00:21:56.720 --> 00:22:00.000
when you have the zero risk mentality, as I said before about data quality,
220
00:22:00.519 --> 00:22:06.279
what are your metrics and your numbers
that you're reporting, especially if the
221
00:22:06.319 --> 00:22:11.519
printer has been taken off the list, is that really an accurate indication of
222
00:22:11.599 --> 00:22:18.920
your security status?
A hacker's appetite. Okay, you just
223
00:22:18.960 --> 00:22:26.319
fed a hacker a great meal.
All right, hacker's appetite. So I
224
00:22:26.319 --> 00:22:33.880
always like to use that term,
hacker's appetite. It's just feeding easy
225
00:22:33.960 --> 00:22:37.839
information to hackers so
that they can cause havoc. So that's
226
00:22:37.880 --> 00:22:44.119
what that means. It also defeats
the growth mindset. All right, think
227
00:22:44.200 --> 00:22:49.599
about in chapter two of the Cybersecurity
Mindset, where there was a written
228
00:22:51.359 --> 00:22:56.039
description of the growth mindset.
Because the growth mindset states, okay,
229
00:22:56.200 --> 00:22:59.759
we're going to improve this enterprise,
we're going to make it a whole lot
230
00:22:59.799 --> 00:23:03.759
better. But you can't make the
enterprise better if you have a zero risk
231
00:23:03.759 --> 00:23:07.200
mentality, because you're saying that there
are no problems. And I'll stop here.
232
00:23:07.799 --> 00:23:12.839
Right, with the growth mindset. You
say, okay, we actually made
233
00:23:12.839 --> 00:23:18.119
our benchmark, but we still need
to assess the environment and to keep our
234
00:23:18.160 --> 00:23:23.400
foot on the pedal. This is
where the growth mindset comes to play.
235
00:23:23.559 --> 00:23:27.000
And over in chapter two of the
Cybersecurity Mindset, I have a long
236
00:23:27.039 --> 00:23:34.839
discussion about the growth mindset. All
right, you know, because I remember
237
00:23:36.079 --> 00:23:40.480
when I was at a conference years
ago and I was speaking to a gentleman.
238
00:23:41.079 --> 00:23:45.200
And so he stated to me.
He said Hey, he said,
239
00:23:45.359 --> 00:23:51.039
if, if I have not had
any risks, if my environment has not
240
00:23:51.160 --> 00:23:56.680
been hacked, he said, I
should not have anything to worry about.
241
00:23:56.799 --> 00:23:59.279
And I told him, I said
that you got a lot to worry about.
242
00:23:59.359 --> 00:24:00.759
He almost lost his confidence. Then
he asked me, why? I said,
243
00:24:00.880 --> 00:24:07.200
because you always look for continual growth. I said, because you haven't been
244
00:24:07.319 --> 00:24:11.559
hacked or you haven't found a certain
level of risk, I said, that doesn't,
245
00:24:11.599 --> 00:24:15.039
I said, mean you're safe. I
said that you always have to keep
246
00:24:15.079 --> 00:24:19.359
your eyes open, and he goes
wow, he said, I didn't know
247
00:24:19.400 --> 00:24:23.799
that. I said yes, I
said cybersecurity is always ongoing. I said,
248
00:24:23.880 --> 00:24:27.720
in the crevices of the unknown,
there'll probably be problems. I said,
249
00:24:27.759 --> 00:24:34.000
but you have to have some type
of architecture or process in place where you
250
00:24:34.079 --> 00:24:41.039
constantly, constantly, stay proactive.
I said the failure is to become reactive.
251
00:24:41.400 --> 00:24:45.200
All right, now, reactive is
when you got to play catch up.
252
00:24:45.359 --> 00:24:48.319
And I said you want to reduce that. I said you want to be more
253
00:24:48.359 --> 00:24:53.599
so on the proactive side than
on the reactive side. And after that
254
00:24:53.720 --> 00:24:56.480
he said wow. He said that's
a lot to learn. I said that,
255
00:24:57.799 --> 00:25:03.319
I said, yeah, I said that we're all learning. So back
256
00:25:03.359 --> 00:25:08.480
over here to this discussion about zero
risk. Okay, one of the things
257
00:25:08.480 --> 00:25:11.680
that it does is it causes more
labor. You're going to spend more time
258
00:25:11.799 --> 00:25:17.960
working. Think about if an organization was
proactive and you took care of
259
00:25:17.960 --> 00:25:21.599
issues early. So that means in
the reactive state, then you don't have
260
00:25:21.680 --> 00:25:23.920
to spend so much labor out
there working and trying to play catch up.
261
00:25:23.960 --> 00:25:26.680
I know a lot of people who
listen to the podcast and know
262
00:25:26.880 --> 00:25:32.680
that it's a havoc when you got
to play catch up, when you have
263
00:25:32.759 --> 00:25:34.920
to catch up on something that could
have been taken care of maybe three,
264
00:25:36.000 --> 00:25:40.279
maybe four weeks ago, and
you wonder, did anybody even think,
265
00:25:40.480 --> 00:25:45.880
think about taking care of the issue? Because now you're already tasked with
266
00:25:45.000 --> 00:25:52.160
a high op tempo and so much work in
cybersecurity, but then you have to play
267
00:25:52.200 --> 00:25:56.000
catch up because of that zero risk
mentality. So you spend more labor and
268
00:25:56.039 --> 00:26:03.640
more time trying to remediate issues.
Whereas, if you were proactive,
269
00:26:03.720 --> 00:26:08.559
then you don't have all those problems. Okay, here's the premise of
270
00:26:10.240 --> 00:26:15.319
cyber security. Increase protection and lower
risk. I'll repeat it again, increase
271
00:26:15.400 --> 00:26:22.680
protection and lower risk. Okay,
if you have the zero risk mentality,
272
00:26:23.960 --> 00:26:29.200
that defeats the concept, because what you're
going to do is you're going to lower your
273
00:26:29.200 --> 00:26:33.960
protection and you're going to increase risk. All right, this is exactly what
274
00:26:33.000 --> 00:26:37.559
actually happens, because the whole premise
is, again, and I say it once more,
275
00:26:37.720 --> 00:26:41.799
is to increase protection and lower
risk. When you do that you
276
00:26:41.920 --> 00:26:48.359
can mature cyber security programs, and in
my conceptual model that I built for the
277
00:26:48.400 --> 00:26:59.119
Cybersecurity Mindset there is a nice diagram
that takes all twenty chapters and it breaks
278
00:26:59.160 --> 00:27:06.079
it down and shows you how they're
correlated together and why increase of protection and
279
00:27:06.119 --> 00:27:14.920
lowering risk increases the maturity of
your cyber security programs. Am I always
280
00:27:14.960 --> 00:27:22.440
safe? Okay, okay, zero
risk mentality. Am I always safe?
281
00:27:22.960 --> 00:27:29.160
No, you're not. Okay,
this is very important
282
00:27:29.200 --> 00:27:34.960
here, because with the zero risk
mentality, someone thinks that they are
283
00:27:36.279 --> 00:27:41.200
always safe and, you know, there are
no problems. So zero risk
284
00:27:41.279 --> 00:27:45.960
mentality can be fixed. The first
step is that we have to think about
285
00:27:45.000 --> 00:27:52.839
implementing a cultural shift. Chapter one
of the Cybersecurity Mindset talks about a cultural shift.
286
00:27:53.160 --> 00:27:57.519
First is you always got to have
a buy-in structure. Okay, people,
287
00:27:57.640 --> 00:28:03.319
people have to buy into your programs. You always have to brand your
288
00:28:03.319 --> 00:28:06.920
program, like you brand these programs to
fit the organization. You know, it's
289
00:28:07.000 --> 00:28:11.759
good to go by certain standards
that you have in a certain fashion, you
290
00:28:11.759 --> 00:28:15.039
know, because you have to bring
the standards on board. But you also
291
00:28:15.160 --> 00:28:21.720
have to brand these programs, and
branding these programs means that you create
292
00:28:21.799 --> 00:28:26.680
a risk culture that fits your organization. Ownership has to be taken, somebody
293
00:28:26.720 --> 00:28:33.319
has to take over, somebody has
to assume responsibility for taking over that risk
294
00:28:33.359 --> 00:28:40.039
management culture, and also that the organization
speaks risk, because you can tell it
295
00:28:40.240 --> 00:28:45.559
among your meetings and your team. People have that defensive mindset in place.
296
00:28:45.720 --> 00:28:51.039
Digital modernization and business transformation is very
important as well too, because when
297
00:28:51.079 --> 00:28:57.920
you modernize your environment you're going to
be looking at ways of taking that culture
298
00:28:59.079 --> 00:29:03.880
and growing it, not so
much on how to use the tools and
299
00:29:03.960 --> 00:29:10.039
the software programs, but also to
have that mindset in place, right,
300
00:29:10.400 --> 00:29:15.720
where they can also look
at business transformation and say, how
301
00:29:15.759 --> 00:29:19.799
can we make this better? Now,
with the zero risk mentality in place,
302
00:29:19.960 --> 00:29:23.599
no one is trying to make it
better. All right, they are happy
303
00:29:23.640 --> 00:29:27.759
exactly as they are, and you
know, they feed upon the deaths and
304
00:29:27.839 --> 00:29:30.480
hey, you know, we're the
best environment in the world, but in
305
00:29:30.519 --> 00:29:37.519
the crevices of those environments there are
always problems. One of the other factors
306
00:29:37.599 --> 00:29:44.079
too is that proactive security has to be
in place. I always speak about proactive
307
00:29:44.119 --> 00:29:48.440
security because, see, we never want
to be in a reactive state too much,
308
00:29:48.519 --> 00:29:56.680
because I realized in certain environments
that you have a reactive state and
309
00:29:56.799 --> 00:30:02.079
sometimes that happens because of emergencies,
but you want to be leaning more
310
00:30:02.200 --> 00:30:08.680
to the proactive side, though. All right now, NIST has a
311
00:30:08.680 --> 00:30:15.839
framework online that you
can research about and you can look at
312
00:30:15.839 --> 00:30:21.880
all of those security controls that are
in place and it'll help you understand
313
00:30:22.279 --> 00:30:26.240
why the zero risk mentality should not
be in place, because there are about
314
00:30:26.279 --> 00:30:32.680
five hundred types of controls out there. You have to define your cultural norms.
315
00:30:32.920 --> 00:30:37.799
You know, how is this culture
supposed to operate? Because you want
316
00:30:37.799 --> 00:30:44.119
to have a culture where people will
embrace cyber security, where people want to
317
00:30:44.119 --> 00:30:51.000
be on board with cyber security.
Trust Your Cyber Senses Defeats Zero Risk
318
00:30:51.440 --> 00:30:56.559
Mentality. Your cyber senses are
another level of sense that you have
319
00:30:56.680 --> 00:31:03.960
outside of the touch, the hearing, the tasting and so forth. Now
320
00:31:04.000 --> 00:31:08.279
we're all born with this next level
of sense. This is what you call
321
00:31:08.400 --> 00:31:12.799
your cyber senses, right, and your
cyber senses tell you that something is wrong,
322
00:31:12.880 --> 00:31:18.200
that you need to investigate it,
and that will defeat the zero risk
323
00:31:18.200 --> 00:31:22.319
mentality, because the zero risk mentality
is saying that I don't have any problems,
324
00:31:22.400 --> 00:31:26.119
so I'm not going to investigate.
Keep in mind that
325
00:31:26.160 --> 00:31:30.200
you're always at risk, all right, and you need to have more
326
00:31:30.240 --> 00:31:37.000
defensive measures in place, and that
starts with the human firewall. Okay.
327
00:31:37.119 --> 00:31:41.880
Now, when you have the human
firewall in place, this is
328
00:31:41.880 --> 00:31:52.079
when your organization can achieve success and
this is when your organization starts to grow.
329
00:31:52.200 --> 00:31:57.279
And as your organization starts to grow, and also as an individual,
330
00:31:57.359 --> 00:32:01.359
you're going to grow as well too, because even if you're sitting at home
331
00:32:01.440 --> 00:32:06.720
and if you're not part of an
organization that manages cyber security in some
332
00:32:06.759 --> 00:32:12.359
fashion, you are affected as well
too. So if you have a zero
333
00:32:12.559 --> 00:32:19.599
risk mentality by sitting at home,
now change it. Do not place the
334
00:32:19.680 --> 00:32:23.519
concept to say, Hey, I've
been logging on my laptop for the past
335
00:32:24.519 --> 00:32:30.720
month and ain't nothing ever happened.
You know, well, half of the
336
00:32:30.759 --> 00:32:36.359
time, if you let someone else
use your laptop, you don't know whether
337
00:32:36.480 --> 00:32:39.759
they practice security like you do,
see. That's something to keep in mind.
338
00:32:42.519 --> 00:32:47.720
With this cyber security industry, organizations
are always trying to mature and that's
339
00:32:47.720 --> 00:32:52.559
where growth mindset comes into
play, because cyber security maturity is very
340
00:32:52.559 --> 00:32:58.839
important because if you think about the
conceptual model that I spoke about, which
341
00:32:58.839 --> 00:33:04.880
is from the Cybersecurity Mindset, that when
you increase protection and lower risks, you
342
00:33:04.960 --> 00:33:09.559
can mature your cyber security programs and
when you mature your cyber security programs,
343
00:33:09.839 --> 00:33:16.079
this is going to give you the opportunity
to be more proactive and less reactive.
344
00:33:16.160 --> 00:33:22.559
It's going to defeat the zero risk
mentality, it's going to build those human
345
00:33:22.599 --> 00:33:27.119
firewalls and, as I said
again, you are going to have a
346
00:33:27.160 --> 00:33:34.359
defensive mindset. So cyber security maturity
is very important. So in episode four
347
00:33:34.440 --> 00:33:37.920
we're going to be talking about how
to build a successful cyber security model.
348
00:33:38.000 --> 00:33:43.960
I will see you in episode four.
You've been listening to the Chief of Cyber
349
00:33:44.039 --> 00:33:49.400
Security Podcast, where you have gained
relevant knowledge to enhance your cyber security mindset.
350
00:33:49.440 --> 00:33:53.319
Be sure to visit dwayne heartcom to
learn more about authored publications, show
351
00:33:53.400 --> 00:34:08.480
notes and discover more information concerning cyber
security.