A Cultural Shift Defeats The Zero Risk Mentality

May 31, 2022 00:34:09
Chief of Cybersecurity

Hosted By

Dewayne Hart

Show Notes

Numerous challenges have been aimed at technologies and their security culture, ranging from risk reduction to determining security readiness. The risk profiles are evaluated and matured to compliance in each situation. Despite their progress and success, many organizations struggle to communicate that "Zero Risk" is a nebulous and risk-enabling concept. Various professionals grade risk based on events and compliance indicators.

A precise and functional security culture remediates events and expands compliance. This podcast explains why and how "Zero Risk" cultures are prone to failure. Listeners will better understand risk profiling and effective strategies to evaluate visual and non-visual data. The results will highlight why success occurs when compliance is extended to a risk-based framework.


Episode Transcript

Welcome to the Chief of Cybersecurity Podcast, where we discuss relevant information concerning the cybersecurity workforce, business development and best practices. Be Possible by see miss who learn more. At seems done that. If for a list of authorized publications, visit DewayneHart.com. And now here's your host, Dewayne Hart.

Welcome again, and welcome back to another session of the Chief of Cybersecurity podcast, always driving awareness, always talking about relevant topics in the cybersecurity industry. One of the things I always like to state is that throughout my career I've seen a lot of disconnections when it comes to cybersecurity, and that was one of the motivations of writing The Cybersecurity Mindset, is that I wanted to at least raise awareness on certain topics towards cybersecurity, so somebody in the industry could become wiser in their decision making. Now, speaking of decision making, one of the areas that focuses a lot in cybersecurity is the decisions that are made toward risk. Right now, risk is something that can cause a potential harm. All right, so in this cybersecurity world there's a certain mentality that is this, such as: I have not been hacked, I can't find any problems, all of our reports are in the green, so my environment is safe, and this creates what I call a zero risk mentality, and today we're going to talk about having a zero risk mentality.

Now, zero risk mentality for this podcast session is about the mindset of saying that we have no problems, we are never going to have problems, right, and all of my reports are showing in the green, so I'm good. So I can cross my legs, I can put them on the desk and I can feel happy now. But you know what, in the crevices of some systems, there are problems. So in this podcast session let's just focus on zero risk mentality. I want to bring up something that's very important here. Is that when we think about combat warfare, right, and we think about cybersecurity warfare, and we look at how both of those operate, we know that threats times vulnerabilities equal risk. So when you have a zero risk mentality, right, you're saying that there is no risk. Okay, imagine, imagine a battle commander taking troops on a mission and he always assumed there is no risk. Okay, imagine the complications that could happen.

So in cybersecurity itself and in cyber warfare, if you're thinking that you don't have risk right now, what happens is that you cause more risk, and they're called human-induced risk, and a lot of times human-induced risk happens because people don't have that defensive mindset to position themselves as a human firewall. Later on we're going to deep dive into those topics and find out what the defensive mindset and the human firewall is all about in The Cybersecurity Mindset. Chapters eleven, twelve, thirteen, fourteen and fifteen are going to expand on this podcast session here. All right. So I'll go repeat that again, chapters eleven, twelve, thirteen, fourteen and fifteen, because this podcast session is driven toward that risk-based attitude. There is another term, which is another technology that is growing well, which is called zero trust. Okay, so I'm going to break it down here. You know, what is the difference between zero trust and zero risk? Okay, zero trust means that you don't trust nobody on a system. Okay, and zero risk is saying that I ain't got no problems. Okay, a zero trust attitude can defeat the zero risk mentality. So I just want to bring it up, and that's very important.

So let's deep dive into this podcast session a little bit more and talk about zero risk and, you know, let's just go over some of the concepts you know we're going to talk about. We're going to roll into talking about a risk management culture. What is a risk management culture made of? We're going to deep dive into a risk-based attitude and then progress into talking about some of the security risks that you have when you have a zero risk mentality. And then last I want to talk about implementing a culture shift. Okay, how can you really take a culture and shift it outside of that zero risk mentality and drive a risk-based attitude? All right, you know, one of the analogies I always like to use, especially about risk, is that, imagine a car, right, and imagine that car having a bad part. Everyone that has a car knows that when you have a bad part, sometimes you can still drive that vehicle, right, but eventually that part is going to fail. But when, we don't know. So take that same concept and apply it to IT and cybersecurity. When you have issues that are growing and just continue to evolve on the system, if you do not take care of those issues, eventually something kind of scary is going to happen. And if someone has a zero risk mentality, this is the outcome. All right.

So in order to really focus more so on zero risk, someone has to understand how compliance works, because compliance is saying, okay, then you know I reached my benchmark. But then you have to understand compliance, because there's a benchmark score that you get, right. Let's say, for instance, if you had an assessment and if you fail, let's say if you've passed the assessment, right, and let's say the score was ninety percent, well, you're not supposed to go in your office and put your feet up on your desk and say I passed. All right, that is a zero risk mentality. What should happen is a person should extend their risk-based attitude and say, okay, I passed at ninety-two percent, but I need to keep my feet on the pedal. One of the other factors is that risk discovery and opportunity provide advanced insight. So when you have a risk-based attitude, you are always thinking, okay, although I found risk on the enterprise, I know that I have problems, but I'm going to take this moment to improve operations or cybersecurity for the enterprise, because a lot of times organizations are scared to believe that when they find issues, that is bad. Yeah, it can be bad, but also too it's an opportunity of success.

So if someone has a zero risk mentality, then, right, and if they find issues, then primarily what is going to happen, okay, is that they may get a little hostile, all right, and say, oh man, we got issues up here now, okay, because, you know what, we shouldn't have any issues. Okay, because I don't believe we have any issues. You know it. That's okay, but keep in mind that this is a place where you can gain insight into your environment, because with a risk-based attitude, then you're always thinking about, hmm, if I find problems, it's going to give me a chance to fix it and I'm going to make it a lot better the next time. One of the other areas too here is that security culture will suggest risk based on unknowns and assumptions versus in-depth analysis. So when you have a zero risk mentality, you're just looking at the surface. Okay, everything is in the green. Oh yes, the green means that I passed, right. So we know that there are certain organizations, or there are certain people that love to be in the green, and in order to get in the green, then they would do little clever things like move printers off of their reports so they can skew that metric to go and reach a certain level. Okay, this is that zero risk mentality in place. All right. One of the outcomes too for zero risk is that it creates more risk. Reactive versus proactive engagements. So that means that when you have that zero risk mentality in place and you're saying that, hey, we do not have any risks on the enterprise, okay, you're going to spend more time trying to respond to issues. But if you dispel that and move it out of the way, you become proactive and say that, hey, although we haven't found any issues, I still think that we need to assess this enterprise. This is zero risk 101.

Now zero risk has a direct relationship to the risk management culture. So let's talk about the risk management culture. Now, what is the risk management culture? Okay, it is a place where you can identify and manage risk across the enterprise, because it's a holistic way of looking at the enterprise and looking at where your weak points are and trying to look at what your gaps are and trying to come up with some solutions to reduce risk on the enterprise. It also provides integrated management reporting. So let's go back to being in the green. These are reports that are established for management to review. But if an organization has a zero risk mentality, there sometimes the green may not be true. Reduce vulnerability to adverse events? Yes, because we know that risk is equal to threat times vulnerability. So in order to reduce your risk on the enterprise, you have to reduce your threats and your vulnerabilities. Some of the other factors is that ability to align the risk appetite and strategy. Okay, what's your risk appetite? This is the amount of risk that you can deal with, and what's your strategy toward the risk? So, with this zero risk mentality here, right, imagine the appetite. All right, so you know, the appetite is probably large now, right, large, but if you have a risk-based attitude, then the appetite gets really low because you don't want risk to be around. Some of the other factors too here is that it helps to seize opportunities. Yeah, when you have a risk management culture you are looking at avenues to seize opportunities. This goes back to chapter fourteen of The Cybersecurity Mindset, responsible actions and ownership. Someone has to take responsibility, someone has to take ownership for cybersecurity. And if no one takes responsibility and ownership then it's just like leaving a system out there by itself, abandoned, and you see that happens a lot with different technology teams, because you will hear familiar terms such as: it's the responsibility of the networking team, but that's the responsibility of the help desk team. Well, it's not my ticket. Well, it's not my job. Yeah, that's true, but I think there should be some type of involvement and push from others just to make sure that you get things done.

Something else. Zero risk mentality defeats the risk management culture. You see, now, the purpose of a risk management culture is to manage risk and to reduce risk. So if you have a zero risk mentality, then you're not helping out at all. Okay, because that mentality is saying that we don't have any problems. Every IT personnel that has worked in cybersecurity knows that in the crevices of every environment there's always risk in place. Now, so let's just move on to do a deeper dive into that risk-based attitude. How do we honestly build a risk-based attitude? I've always brought up the concept called a human firewall. A human firewall is a defensive mindset that someone has, where they become the protector of the enterprise. Now I'm not here to say that someone has a weapon and that's standing outside of a data center. No, no, it's not. It's not so much in a physical form, it is more so a mentality, okay, which is a thinking process that states, okay, I want to make sure that the system stays protected. Right, in order to make sure that the system stays protected, then I need to have that risk-based attitude, and part of that risk-based attitude can be something such as the defensive mindset, that is one, okay. One of the other factors that you have in place is like negative thinking, right, because when you have negative thinking in place, right, you are not going to become a human firewall. You're going to be thinking, okay, cybersecurity, it's really not important, I don't care. Well, you know, that's the job of the networking team. Cultural identity is very important, because what happens is that when cybersecurity environments have a culture that is operating, and there's a buy-in for cybersecurity, people become human firewalls, right, because they want cybersecurity to operate. Now, trying to build human firewalls is a mental concept, it is a buy-in structure. It is having a team of people that really want to be on board and to embrace the cybersecurity culture, because a lot of times CISOs are regarded as the gatekeepers, right, and told that you are the one that's carrying the flag for cybersecurity. Yes, you know, in so many ways it's true, but a CIO, CISO, cannot survive by himself or herself. All right.

So what happens is that that CISO depends on the culture, and part of that culture is to have a buy-in structure that's in place, and part of that buy-in structure is that people can discourage risk. All right. Now, that is the premise of the human firewall theory. All right, you yourself want to discourage risk because you don't want risk to be in place. But when there's a zero risk mentality there, it kind of defeats the human firewall concept. So that's something that's very important too, because what all of this leads into is complacency. When you think of complacency, you can think of it as a lapse in involvement, a lapse in understanding the environment, a lapse in being part of cybersecurity. You know, that's a lot of times when organizations use visual data to represent risk, and sometimes individuals depend more on that visual data than trying to interpret the data. What that means is that if you look at a dashboard and if you see a score at ninety percent, now when you do an in-depth analysis, you should go through and say, okay, it's ninety percent, but let's see, how did we achieve ninety percent? A zero risk mentality is saying, oh yeah, we're at ninety percent, we are good. Okay, you've got to stop there, okay, because you're not even going to try to do no research at all. So I always bring up the concept, especially about visual data, because visual data, it's just our indicators, right, it tells us where we are. But still there needs to be an in-depth analysis on that visual data, because sometimes that visual data can be fed the wrong information. Now this is where data quality comes in place. All right, you should be doing data quality checks. You should be checking systems, because a lot of times the application tools may not be getting the right feed and the right information. So when you have someone that operates on the concept of a human firewall, they are always searching and prowling to make sure that something is accurate.

So, with that said, think about the zero risk mentality and how it affects cybersecurity, because there are some risks that go along with the zero risk mentality. One is reputation. You can destroy company reputation with the zero risk mentality, because if you have partnering companies and let's say you have an audit and you tell them, hey, we scored ninety percent on our audit and we're good to go, and you never did an in-depth analysis of that ninety percent, and then later on your partner company finds out that you had a problem. See, that's your word. See, now that's your reputation. Upstream, downstream compliance, because upstream compliance means that person B is responsible, has a relationship with person A. Downstream compliance means that person B has a responsibility with person C. So imagine person B having a zero risk mindset, like they don't care, saying I'm always right because, you know what, the system is still going, so we don't have problems. Imagine the type of relationship that you build. You also can increase vulnerabilities, because when you have a zero risk type of mentality you are always going to increase vulnerabilities, because you're not doing that in-depth analysis of your systems and your applications, and accurate tracking and metrics. Okay, when it comes to metrics and tracking information, when you have the zero risk mentality, as I said before about data quality, what are your metrics and your numbers that you're reporting, especially if the printer has been taken off the list? Is that really an accurate indication of your security status? A hacker's appetite. Okay, you just fed a hacker a great meal. All right, hacker's appetite. So I always like to use that term, hacker's appetite. It's just feeding easy information to hackers so that they can cause havoc. So that's what that means. It also defeats the growth mindset.

All right, think about chapter two of The Cybersecurity Mindset, where there's a written description of the growth mindset. Because the growth mindset states, okay, we're going to improve this enterprise, we're going to make it a whole lot better. But you can't make the enterprise better if you have a zero risk mentality, because you're saying that there are no problems, and I stop here. Right, with the growth mindset, you say, okay, we actually made our benchmark, but we still need to assess the environment and to keep our foot on the pedal. This is where the growth mindset comes into play. And over in chapter two of The Cybersecurity Mindset, I have a long discussion about the growth mindset. All right, you know, because I remember when I was at a conference years ago and I was speaking to a gentleman. And so he stated to me, he said, hey, he said, if I have not had any risks, if my environment has not been hacked, he said, I should not have anything to worry about. And I told him, I said that you got a lot to worry about. He almost lost his confidence. Then he asked me why. I said, because you always look for continual growth. I said, because you haven't been hacked or you haven't found a certain level of risk, I said that doesn't mean you're safe. I said that you always have to keep your eyes open, and he goes, wow, he said, I didn't know that. I said yes, I said cybersecurity is always ongoing. I said, in the crevices of the unknown, there'll probably be problems. I said, but you have to have some type of architecture or process in place where you constantly, constantly stay proactive. I said the failure is to become reactive. All right, now, reactive is when you've got to play catch up, and I said you want to reduce that. I said you want to be more so on the proactive side than on the reactive side. And after that he said wow. He said that's a lot to learn. I said yeah, I said we're all learning.

So back over here to this discussion about zero risk. Okay, one of the things that it does is it causes more labor. You're going to spend more time working. Think about if the organization was proactive and you took care of your issues early. So that means in the reactive state, then you don't have to spend so much labor out there working and trying to play catch up. I know a lot of people who all listen to the podcast know that it's havoc when you've got to play catch up, when you have to catch up on something that could have been taken care of maybe three, maybe four weeks ago, and you wonder, did anybody even think about taking care of the issue? Because now you're already tasked with high op tempo and so much work in cybersecurity, but then you have to play catch up because of that zero risk mentality. So you spend more labor and more time trying to remediate issues. Whereas if you were proactive, then you don't have all those problems. Okay, here's the premise of cybersecurity: increase protection and lower risk. I'll repeat it again, increase protection and lower risk. Okay, if you have the zero risk mentality, that defeats the concept, because what you're going to do, you're going to lower your protection and you're going to increase risk. All right, this is exactly what actually happens, because the whole premise, again, and I say it once more, is to increase protection and lower risk. When you do that you can mature cybersecurity programs, and in my conceptual model that I built for The Cybersecurity Mindset there is a nice diagram that takes all twenty chapters and breaks it down and shows you how they're correlated together and why increase of protection and lowering of risk increases the maturity of your cybersecurity programs. Am I always safe? Okay, zero risk mentality. Am I always safe? No, you're not. Okay, this is very important here, because with the zero risk mentality, someone thinks that they are always safe and, you know, there are no problems.

So zero risk mentality can be fixed. The first step is that we have to think about implementing a cultural shift. Chapter one of The Cybersecurity Mindset talks about a cultural shift. First is you always got to have a buy-in structure. Okay, people have to buy into your programs. You always have to brand your program, like you brand these programs to fit the organization. You know, it's good to go by certain standards that you have in a certain fashion, you know, because you have to bring the standards on board. But you also have to brand these programs, and branding these programs means that you create a risk culture that fits your organization. Ownership has to be taken, somebody has to take over, somebody has to assume responsibility for taking over that risk management culture, and also too the organization speaks risk, because you can tell it among your meetings and your team. People have that defensive mindset in place. Digital modernization and business transformation is very important as well too, because when you modernize your environment you're going to be looking at ways of taking that culture and growing them, not so much on how to use the tools and the software programs, but also to have that mindset in place, right, where they can also look at business transformation and say, how can we make this better? Now, with the zero risk mentality in place, no one is trying to make it better. All right, they are happy exactly as they are, and you know, their feet up on the desk and, hey, you know, we're the best environment in the world, but in the crevices of those environments there are always problems. One of the other factors too is proactive security has to be in place. I always speak about proactive security because we never want to be in a reactive state too much, because I realize in certain environments that you have a reactive state, and sometimes that happens because of emergency, but you want to be leaning more to the proactive side, though.

All right now, NIST has a framework, RMF, that you can research about, and you can look at all of those security controls that are in place and it'll help you understand why the zero risk mentality should not be in place, because there are about five hundred types of controls out there. You have to define your cultural norms. You know, how is this culture supposed to operate? Because you want to have a culture where people will embrace cybersecurity, where people want to be on board with cybersecurity. Trust your cyber senses, defeats zero risk mentality. Your cyber senses, that's another level of sense that you have outside the touch, the hearing, the tasting and so forth. Now we're all born with this next level of sense, this is what you call your cyber senses, right, and your cyber senses tell you that something is wrong, that you need to investigate it, and that will defeat the zero risk mentality, because the zero risk mentality is saying that I don't have any problems, so I'm not going to investigate. Keep in mind that you're always at risk, all right, and you need to have more defensive measures in place, and that starts with the human firewall. Okay. Now, when you have the human firewall in place, this is when your organization can achieve success and this is when your organization starts to grow.
329 00:31:52.200 --> 00:31:57.279 And as your organization starts to grow, and also as an individual, 330 00:31:57.359 --> 00:32:01.359 you're going to grow as well too, because even if you're sitting at home 331 00:32:01.440 --> 00:32:06.720 and if you're not part of an organization that manage to soyber security and some 332 00:32:06.759 --> 00:32:12.359 fashion, you are affected as well too. So if you have a zero 333 00:32:12.559 --> 00:32:19.599 risk mentality by sitting at home, now change it. Do not place the 334 00:32:19.680 --> 00:32:23.519 concept to say, Hey, I've been logging on my laptop for the past 335 00:32:24.519 --> 00:32:30.720 month and ain't nothing ever happened. You know, well, half of the 336 00:32:30.759 --> 00:32:36.359 time, if you let someone else use your laptop, you don't know what 337 00:32:36.480 --> 00:32:39.759 are they practice security like you do see. That something to keep in mind. 338 00:32:42.519 --> 00:32:47.720 With this cyber security industry. Organizations are always trying to mature and that's 339 00:32:47.720 --> 00:32:52.559 what it grows. Mindset comes to play, because cyber security maturity is very 340 00:32:52.559 --> 00:32:58.839 important because if you think about the conceptual model that I spoke about, which 341 00:32:58.839 --> 00:33:04.880 is for this obberseecutity minds that when you increase protection and lower risks, you 342 00:33:04.960 --> 00:33:09.559 can mature your soberge security programs and when you mature your Cyberg security programs, 343 00:33:09.839 --> 00:33:16.079 this's going to give you the opportunity to be more proactive and less reactive. 344 00:33:16.160 --> 00:33:22.559 It's going to defeat the zero risk mentality, it's going to build those human 345 00:33:22.599 --> 00:33:27.119 file walls and, and I said again, you are going to have a 346 00:33:27.160 --> 00:33:34.359 defensive mindset. So cyber security maturity is very important. 
So and episode four 347 00:33:34.440 --> 00:33:37.920 we going to be talking about how to build a successible soyber security model. 348 00:33:38.000 --> 00:33:43.960 I would see you in episode for you've been listening to the chief of Cyber 349 00:33:44.039 --> 00:33:49.400 Security Podcast, where you have gained relevant knowledge to enhance your cyber security mindset. 350 00:33:49.440 --> 00:33:53.319 Be Sure to visit dwayne heartcom to learn more about authored publications, show 351 00:33:53.400 --> 00:34:08.480 notes and discover more information concerning cyber security.
