Episode Transcript
WEBVTT
1
00:00:02.520 --> 00:00:07.790
Welcome to the Chief of Cybersecurity
Podcast, where we discuss relevant information concerning
2
00:00:07.830 --> 00:00:13.070
the cybersecurity workforce, business development
and best practices, made possible by
3
00:00:13.109 --> 00:00:17.670
Semais. To learn more, visit
semais.net. For a list of authored publications,
4
00:00:17.829 --> 00:00:24.579
visit DwayneHart.com. And now, here's
your host, Dwayne Hart. Welcome
5
00:00:24.620 --> 00:00:29.019
to another episode of the Chief of
Cybersecurity Podcast session. You know,
6
00:00:29.780 --> 00:00:36.369
one of the core elements of cybersecurity
is to reduce risk. If you talk
7
00:00:36.490 --> 00:00:41.609
to any cybersecurity professional, they
would tell you that that's probably one
8
00:00:41.609 --> 00:00:48.090
of the most challenging parts of working
in the cybersecurity industry, because
9
00:00:48.770 --> 00:00:55.439
risk is always active and alive, and trying
to draft these reports to show upper
10
00:00:55.560 --> 00:01:02.520
management that you are putting effort
toward reducing risk can be kind of challenging.
11
00:01:03.719 --> 00:01:07.150
I myself have been working in cybersecurity
for a bit, and I tell
12
00:01:07.230 --> 00:01:10.590
you that this is one of the
most challenging areas. And you know,
13
00:01:10.709 --> 00:01:18.269
the reason that it is so challenging
is because sometimes they fail. So
14
00:01:18.579 --> 00:01:22.859
that's the title of this podcast session: Security, Compliance and Risk Management:
15
00:01:23.219 --> 00:01:27.379
Why Are They Failing? And
there is a reason why they are failing,
16
00:01:29.019 --> 00:01:32.379
and in it I'm going to go
over some areas that are going to
17
00:01:32.459 --> 00:01:38.450
focus on some of the challenges,
some of the drawbacks, and some of the
18
00:01:38.489 --> 00:01:42.290
solutions and some of the best processes
that organizations can use to ensure that security,
19
00:01:42.329 --> 00:01:48.200
compliance and risk management are successful.
So let's talk about the goals and outcomes
20
00:01:48.239 --> 00:01:52.359
of the show. I am also
going to start off by giving a practical
21
00:01:52.439 --> 00:01:57.319
definition of security, compliance and risk management. So that's straightforward. All right.
22
00:01:57.840 --> 00:02:04.829
Operational use of it
as well, too. What is the operational
23
00:02:04.909 --> 00:02:10.909
use of security, compliance and risk
management? All right, and I am
24
00:02:10.990 --> 00:02:16.819
going to talk about some of the
key points to consider. What are the
25
00:02:16.860 --> 00:02:23.539
key points that need to be discussed? Okay, and I'm going to roll
26
00:02:23.580 --> 00:02:29.020
into some of the security frameworks that
are used. There are some security frameworks
27
00:02:29.060 --> 00:02:35.449
that are used for security,
compliance and risk management, and these are
28
00:02:35.449 --> 00:02:39.490
the standards that have to be followed, whether you are on the commercial
29
00:02:39.530 --> 00:02:46.080
side or whether you are working for
the government. And then I'm going to
30
00:02:46.159 --> 00:02:49.960
come up with a problem statement,
and that problem statement is: why do
31
00:02:50.080 --> 00:02:54.680
we fail? Okay, why do
we fail when it comes to security, compliance
32
00:02:54.719 --> 00:03:00.229
and risk management? And then,
after that, I'm going to give
33
00:03:00.310 --> 00:03:07.789
some solutions out, because I cannot
leave here without giving solutions. So what
34
00:03:07.189 --> 00:03:12.310
is security, compliance and risk management? If you think about a standard,
35
00:03:13.259 --> 00:03:16.379
when you're working for a company,
there are certain standards that need to be
36
00:03:16.419 --> 00:03:22.900
followed, and those standards are driven out
in policies, and what happens is that
37
00:03:23.259 --> 00:03:28.250
every so often those standards have to
be checked. So if you relate
38
00:03:28.889 --> 00:03:37.330
everything to the security, compliance and
risk management domain, it follows the same
39
00:03:37.449 --> 00:03:43.800
concept. Organizations have to remain compliant
when it comes to cybersecurity.
40
00:03:44.599 --> 00:03:50.439
So compliance refers to the act of
conforming to a set of standards, regulations
41
00:03:50.560 --> 00:03:57.030
or requirements. In general, compliance
is a business initiative. Okay,
42
00:03:57.270 --> 00:04:01.990
and there are two areas that
your compliance focuses on, you know.
43
00:04:02.069 --> 00:04:08.430
They are regulatory compliance and the corporate
type of compliance. Regulatory is like your
44
00:04:08.469 --> 00:04:13.979
laws, like the regulations and the
guidelines. What corporate compliance is, is those
45
00:04:14.340 --> 00:04:20.019
internal policies. If you think
about cybersecurity, there is a
46
00:04:20.139 --> 00:04:25.209
government standard that the nation has to
follow, and if you work for a company
47
00:04:25.329 --> 00:04:30.129
such as Bank of America, then
Bank of America has their own type of compliance
48
00:04:30.129 --> 00:04:35.329
laws that must be in place.
Something else to think about: compliance is centered
49
00:04:35.410 --> 00:04:41.439
around the requirements of a third party. Okay, yes, because there's industry
50
00:04:41.439 --> 00:04:47.720
regulation, there's government policy, there
are security frameworks, and client and customer contractual
51
00:04:47.839 --> 00:04:54.230
terms. All right, because when
you write a contract with an organization,
52
00:04:56.430 --> 00:05:01.750
you and that organization have
to come up with a certain type of
53
00:05:01.949 --> 00:05:08.860
agreement, and you usually put that down
on paper, and that is a compliance law.
54
00:05:09.019 --> 00:05:12.379
And if you work in IT, if you've done an audit
55
00:05:12.540 --> 00:05:16.139
before, there are types of
compliance laws that have to be in place,
56
00:05:16.819 --> 00:05:23.089
because these compliance laws are built to
make sure that security operates, because
57
00:05:23.850 --> 00:05:28.209
from company A to company B,
company A wants to make sure that company
58
00:05:28.290 --> 00:05:33.170
B is compliant with certain laws and
regulations and policies, because company B has
59
00:05:33.250 --> 00:05:40.199
their data, all right, and
if company B does not follow those
60
00:05:40.240 --> 00:05:45.600
standards, then that's where risk occurs. All right. Something else is that
61
00:05:45.920 --> 00:05:49.949
compliance can apply in domains other than
IT, all right. I've
62
00:05:49.990 --> 00:05:55.310
already talked about contracts and regulation. A
standard requirement is such as HIPAA.
63
00:05:55.790 --> 00:06:01.389
HIPAA is designated for the healthcare
industry, and organizations have to comply with
64
00:06:01.430 --> 00:06:08.060
HIPAA standards as well, all right. And something else is that under this
65
00:06:08.139 --> 00:06:11.459
compliance, see, we have risk
management. Now, risk is, in
66
00:06:11.500 --> 00:06:15.980
very simple terms, the
process of identifying assets and managing potential
67
00:06:16.139 --> 00:06:21.490
threats and vulnerabilities. All right,
because if you notice, the term for
68
00:06:21.569 --> 00:06:27.129
risk management states that
you have to identify assets and manage them. All
69
00:06:27.129 --> 00:06:30.410
right, there is nothing stated in
the definition that you come up with answers
70
00:06:30.569 --> 00:06:36.319
and that you have a full solution in place that removes risk.
71
00:06:36.639 --> 00:06:42.360
Risk cannot be removed.
Okay, because what you're going to
72
00:06:42.399 --> 00:06:48.470
learn later on in this
podcast session is that compliance
73
00:06:48.589 --> 00:06:53.110
operates at a certain level. All
right, let's say, for instance,
74
00:06:53.149 --> 00:06:56.829
if you had a hundred checks that
you have to get done for,
75
00:06:57.269 --> 00:07:01.300
like, a
risk assessment program, if you score an
76
00:07:01.339 --> 00:07:06.459
eighty-five and the benchmark is
set at eighty-five, then your
77
00:07:06.579 --> 00:07:13.540
organization is compliant. But you know
what, there's a fifteen percent risk factor
78
00:07:13.660 --> 00:07:15.610
that you've got to worry about.
And this is where risk comes to play
79
00:07:15.649 --> 00:07:19.170
a key role, and one of the
key problems is that, you know,
80
00:07:19.529 --> 00:07:27.370
certain organizations base cybersecurity on compliance versus
risk. But later on we're going
81
00:07:27.410 --> 00:07:31.240
to dive more into this.
I also want to transition over
82
00:07:31.399 --> 00:07:38.720
here to some key points to
consider. Compliance's association with established industry
83
00:07:38.759 --> 00:07:44.829
regulation ensures organizations stay protected from unique
risks. That's straightforward. Risk management helps
84
00:07:44.910 --> 00:07:48.269
protect organizations from risks that could
lead to non-compliance, which is a
85
00:07:48.350 --> 00:07:53.149
risk in itself. All right.
So you see, the relationship is building.
86
00:07:53.589 --> 00:07:59.220
Compliance is often seen as a starting
point for security, while risk can
87
00:07:59.339 --> 00:08:05.459
take on continuous improvement. Yes,
because, if you think about this,
88
00:08:05.420 --> 00:08:09.899
all right, continuous improvement, because you're
trying to make things better, because you
89
00:08:11.060 --> 00:08:16.129
complied, you met that benchmark
at eighty-five percent, but you have
90
00:08:16.250 --> 00:08:18.769
a fifteen percent factor now that you
have to deal with. This is where
91
00:08:18.889 --> 00:08:26.889
that continuous improvement comes into play
and to the surface. Risk activities are often
92
00:08:26.009 --> 00:08:31.600
tied to process. Compliance is connected
to a set of requirements. Yes,
93
00:08:33.039 --> 00:08:37.320
think about that. Compliance goes in
relationship to all these laws and regulations that
94
00:08:37.440 --> 00:08:41.590
you have to follow. All right. So what happens is
95
00:08:43.269 --> 00:08:48.750
that you have to comply with all
these regulations and standards, and one of those
96
00:08:50.870 --> 00:08:56.220
is something called the DISA STIGs,
right, for my friends
97
00:08:56.299 --> 00:09:01.580
and fellow members out there that are
listening, if you have worked, or
98
00:09:01.620 --> 00:09:07.820
when they work within the
government space. There is something called DISA
99
00:09:07.179 --> 00:09:11.129
STIGs, which are
some benchmark checks. So you have those
100
00:09:11.250 --> 00:09:16.769
set up for Windows assets.
You have it set up for databases
101
00:09:18.169 --> 00:09:22.210
and you have them set up for,
maybe, routers and switches,
102
00:09:22.409 --> 00:09:26.200
and there are certain settings that should
exist amongst all those different types of checks.
103
00:09:26.759 --> 00:09:31.600
And if they don't exist, then what happens is that your
104
00:09:31.840 --> 00:09:35.960
life becomes a nightmare. So
that means that the government says, okay,
105
00:09:37.480 --> 00:09:41.190
we want these compliance standards to be
in place. If you work in
106
00:09:41.309 --> 00:09:45.350
corporate America, I'm pretty sure there
are compliance standards that you have to follow
107
00:09:45.389 --> 00:09:48.509
as well too, and there are plenty
of those on the planet out there,
108
00:09:48.549 --> 00:09:50.990
and I'm going to talk about some
of those as we continue to go through
109
00:09:52.110 --> 00:09:56.299
this podcast session. Now, the most important thing to remember here
110
00:09:58.139 --> 00:10:03.179
is that security, compliance and risk
management are at the core of cybersecurity.
111
00:10:05.179 --> 00:10:11.009
If security, compliance and risk management fail, cybersecurity will fail in itself,
112
00:10:11.929 --> 00:10:18.649
because there are three elements that make
up risk, all right, and
113
00:10:18.769 --> 00:10:24.399
they're called threats and vulnerabilities, right, and risk itself,
114
00:10:24.159 --> 00:10:28.799
all right. So when you
think about risk, these are the
115
00:10:28.919 --> 00:10:33.360
elements that make up risk. If
they fail, that type of security fails,
116
00:10:33.279 --> 00:10:39.789
and also your compliance initiative will probably
fail as well too, because if you
117
00:10:39.909 --> 00:10:43.470
fail risk, then you're not
compliant. Now you see how all of
118
00:10:43.549 --> 00:10:48.230
these work. So let's talk about
some of these security frameworks and compliance standards.
119
00:10:48.629 --> 00:10:54.100
You have FISMA. FISMA
is a government standard that stands for
120
00:10:54.299 --> 00:10:58.460
Federal Information Security Management Act. This
is where the government has to do these
121
00:10:58.539 --> 00:11:05.250
audits every year on their systems
to make sure that those systems are compliant.
122
00:11:05.409 --> 00:11:09.129
You know, there are certain checks
that are done just to make sure
123
00:11:09.210 --> 00:11:13.210
that access control standards are in place, which is what the government calls your
124
00:11:13.409 --> 00:11:18.210
account management policies, right. Some
of the other checks, too, are to go
125
00:11:18.370 --> 00:11:24.039
and verify that certain systems
are isolated, and I speak
126
00:11:24.080 --> 00:11:30.120
of isolated because there are
systems that are publicly accessible,
127
00:11:30.240 --> 00:11:39.029
but you know what, those systems
should not provide access to the non-public
128
00:11:39.110 --> 00:11:45.149
type of domains that the government has. So FISMA has a set of
129
00:11:45.269 --> 00:11:50.419
controls to follow. Some of
those are your common configuration management and,
130
00:11:50.539 --> 00:11:56.019
as I said before, access control. Let's see. Now you have privacy,
131
00:11:56.220 --> 00:12:01.850
you have risk assessment, and all of
those are checked, but if a government agency
132
00:12:03.330 --> 00:12:09.809
fails, then it becomes a
problem. Also, ISO 27001 is an industry standard.
133
00:12:11.409 --> 00:12:15.649
You know, it is close to the government
134
00:12:15.690 --> 00:12:18.120
standard as well, too. You know, some of the same checks that you
135
00:12:18.240 --> 00:12:22.759
do when working with the government are
those same checks that you would follow with
136
00:12:22.200 --> 00:12:28.519
ISO 27001. PCI DSS is
for the payment card industry. All right,
137
00:12:30.000 --> 00:12:33.269
those are the types of checks that happen
as well. RMF, which stands
138
00:12:33.350 --> 00:12:39.750
for the Risk Management Framework. Every
person that has done work with the federal
139
00:12:39.830 --> 00:12:46.340
government has used this
RMF standard. Okay, what the
140
00:12:46.460 --> 00:12:52.379
RMF does is it gives you
what I would call a standard
141
00:12:52.460 --> 00:12:58.049
to follow so that organizational risk management
practices can be put in place,
142
00:12:58.049 --> 00:13:03.409
as well as making sure that they comply
with the government standard. Okay, one
143
00:13:03.450 --> 00:13:09.610
of the terms that falls under the
RMF is called your security
144
00:13:11.250 --> 00:13:18.519
accreditation, all right, because systems
have to be accredited. Before any system
145
00:13:18.639 --> 00:13:26.080
is put on the network, that
system has to go through a compliance standard.
146
00:13:26.480 --> 00:13:31.309
So that means that if there's a
brand new laptop, right, and if
147
00:13:31.429 --> 00:13:37.269
that laptop has to be networked on
a government system, the first thing that happens
148
00:13:37.429 --> 00:13:41.740
is that there is a compliance check
done. What is this? A STIG,
149
00:13:41.100 --> 00:13:46.899
to go and check and make sure
that certain registry settings are set, to
150
00:13:46.179 --> 00:13:50.500
also make sure that firewall
settings are put in a certain
151
00:13:52.980 --> 00:13:58.009
parameter. Those checks have to
get done, right, and then after those
152
00:13:58.009 --> 00:14:03.169
checks are done, that's when the
RMF piece comes into practice,
153
00:14:03.250 --> 00:14:07.570
because that laptop has to get accredited. All right. So you
154
00:14:07.649 --> 00:14:13.200
know the government has a standard
that they follow, and corporate America
155
00:14:13.240 --> 00:14:18.240
has a standard to follow, you
know, but DISA STIGs are out there
156
00:14:18.240 --> 00:14:24.750
as well too. And for
the corporate industry, there's something called the
157
00:14:24.830 --> 00:14:28.789
CIS Benchmarks, all right, and
a lot of these checks you can run
158
00:14:30.029 --> 00:14:35.549
through a compliance check tool. If
you have applications, you know, such
159
00:14:35.549 --> 00:14:41.460
as Tenable Nessus, if you're using
something like CrowdStrike Falcon, if you're using
160
00:14:43.100 --> 00:14:48.980
something like an IBM scanner,
or some of those types of applications that
161
00:14:50.100 --> 00:14:56.289
can scan an environment,
well, they would give you information, or
162
00:14:56.690 --> 00:15:03.129
pretty much results, based upon
what you are complying with or not. Okay,
163
00:15:03.730 --> 00:15:07.200
and something else is tools for
software. You know, there's one
164
00:15:07.279 --> 00:15:11.000
called Fortify. Fortify is
one that is used as well.
165
00:15:11.480 --> 00:15:16.440
All right, and all of these
are used by your security folks. So
166
00:15:16.519 --> 00:15:22.950
let's talk about something else. Why
do we fail? Okay, here's
167
00:15:22.990 --> 00:15:30.549
something to go and think
about here. Security
168
00:15:30.629 --> 00:15:33.590
is not a forethought. Okay, this
is one reason why we fail. And
169
00:15:33.710 --> 00:15:39.299
it's not integrated into the SDLC,
you know, the system development
170
00:15:39.379 --> 00:15:43.980
life cycle, because before you bring
a system online it has to go through
171
00:15:45.100 --> 00:15:50.490
the SDLC process. It is
a developmental process to make sure that that
172
00:15:50.690 --> 00:15:56.330
system is safe. And sometimes some
organizations don't even think about security. All
173
00:15:56.330 --> 00:16:02.610
right. Risk ignorance, all right, people will ignore risk. They don't
174
00:16:02.649 --> 00:16:07.240
think it's important until something happens.
One of the other factors is risk-based
175
00:16:07.320 --> 00:16:14.360
thinking. All right, organizations stay
at the eighty-five percent. What about
176
00:16:14.639 --> 00:16:18.509
that fifteen percent factor? And this
is why the cybersecurity mindset comes into
177
00:16:18.750 --> 00:16:25.870
play here, because when the cybersecurity
mindset comes into play, right, you can
178
00:16:25.990 --> 00:16:30.669
understand compliance. And pretty much
when you understand compliance, right, there is
179
00:16:30.750 --> 00:16:37.299
something called responsible action, and ownership
takes place. Somebody has to take ownership
180
00:16:37.379 --> 00:16:42.820
for risk. You cannot pass it
along. One of the greatest features that
181
00:16:42.980 --> 00:16:49.370
comes out of a risk assessment
is that there are opportunities. Most organizations,
182
00:16:49.450 --> 00:16:52.649
or people, may just think, okay, if I find a risk and
183
00:16:52.730 --> 00:16:56.370
it makes me look really bad,
I don't think I need to say anything
184
00:16:56.409 --> 00:17:00.210
about it. There's nothing wrong with
finding a risk, because if you don't
185
00:17:00.210 --> 00:17:03.480
know where you're at,
you don't know where to go.
186
00:17:04.359 --> 00:17:08.200
Then think about this. If an
organization was to think that they are
187
00:17:08.200 --> 00:17:14.920
a hundred percent safe and they never
ever saw any risk, then they
188
00:17:14.960 --> 00:17:18.869
are more vulnerable than an organization that
finds risk and is working on risk.
189
00:17:21.910 --> 00:17:25.509
Think, you know,
the organization that has found risks is
190
00:17:25.589 --> 00:17:30.180
probably going to be a lot more
safe. All right, opportunities exist when
191
00:17:30.220 --> 00:17:33.339
you find risk. All right,
here go some other reasons why we fail.
192
00:17:33.940 --> 00:17:38.460
Measurement of known risk. People don't
measure risk appropriately. All right,
193
00:17:40.059 --> 00:17:45.130
failure to take risks into account. Hey, organizations, people say,
194
00:17:45.130 --> 00:17:49.410
I don't care about risk. This
is where the cybersecurity mindset comes into
195
00:17:49.529 --> 00:17:55.809
play and into existence, and this
is where the cybersecurity mindset brings into
196
00:17:55.930 --> 00:18:00.400
existence the inclusive culture. It's having
people actually have a buy-in
197
00:18:00.480 --> 00:18:04.960
process. Failure to communicate risks to
top management. See, now, this
198
00:18:06.200 --> 00:18:11.039
is important. This goes back to
"I don't think I want the CISO
199
00:18:11.200 --> 00:18:15.230
to know that we're having this issue." You have to openly and honestly speak
200
00:18:15.309 --> 00:18:21.390
about it, all right. Failure
to monitor risk. This is part of
201
00:18:21.509 --> 00:18:26.589
continuous monitoring. You have
to monitor risk, you have to keep
202
00:18:26.630 --> 00:18:29.980
your eyes open, and you have to
be vigilant. This is where situational
203
00:18:30.099 --> 00:18:36.980
awareness comes to the surface.
Hey, something else. Failure to appropriately
204
00:18:37.500 --> 00:18:45.369
apply risk metrics. You have
to apply your risk metrics appropriately. You
205
00:18:45.490 --> 00:18:51.410
have to have a measurement system in
place where you have numbers that are accurate
206
00:18:52.329 --> 00:18:57.440
and the numbers represent the enterprise,
because if you try to game these numbers
207
00:18:57.759 --> 00:19:02.839
and push these numbers around so
that everything can go in the green,
208
00:19:03.160 --> 00:19:07.640
that may be a problem. Oh, going in the green. Okay,
209
00:19:07.920 --> 00:19:12.549
here's something that's very important.
Going in the green means that when
210
00:19:12.589 --> 00:19:18.230
you send up a report, there
are green, yellow and red dots on
211
00:19:18.349 --> 00:19:25.059
that report. You know, the red
means bad, and the yellow means
212
00:19:25.180 --> 00:19:27.500
that, hey, you know what, it's not so bad, it's a
213
00:19:27.539 --> 00:19:32.140
very low risk, all right, and
the green means that we're good to go.
214
00:19:32.619 --> 00:19:36.740
A lot of upper management people like
to see green, and then you
215
00:19:36.900 --> 00:19:41.730
have lower-level individuals working in
security that are forced to go in the green,
216
00:19:41.970 --> 00:19:45.250
and they will change these reports to
go into green. But you know what,
217
00:19:45.490 --> 00:19:52.049
risks are still there, because you just
took a report and changed it around
218
00:19:52.410 --> 00:19:56.240
to make management happy, but
your organization is still vulnerable. This is
219
00:19:56.359 --> 00:20:03.359
one of the reasons why
security, compliance and risk management is failing.
220
00:20:03.960 --> 00:20:08.029
Okay, accurate data. Okay,
so I'm going to give you some
221
00:20:08.630 --> 00:20:15.109
solutions that are probably going to help
out, and I say probably because certain
222
00:20:15.150 --> 00:20:19.750
organizations do not onboard every solution. But let's just talk about a couple
223
00:20:19.789 --> 00:20:23.980
of these. Build security early,
not late. So that means that as
224
00:20:25.019 --> 00:20:27.940
soon as you bring a system online, that's when you integrate security. Have
225
00:20:29.099 --> 00:20:33.700
a buy-in structure. That means sell
that pitch to your organization that risk management
226
00:20:33.900 --> 00:20:41.130
is very important. Do not combine
security, compliance and risk management; they are
227
00:20:41.170 --> 00:20:45.809
totally separate. All right, they
are totally separate. When you do a
228
00:20:45.609 --> 00:20:48.809
compliance check,
you do a compliance check. When you
229
00:20:48.849 --> 00:20:53.519
do a risk assessment, you do
a risk assessment. All right. Follow
230
00:20:53.839 --> 00:20:57.720
your best practices. There are
plenty of guides out there on the planet
231
00:20:57.759 --> 00:21:03.000
that would give you best practices,
that tell you how to carry out a
232
00:21:03.119 --> 00:21:07.630
risk management program. NIST has one. SANS has one.
233
00:21:10.029 --> 00:21:12.789
You know, there are so many other
standards out there on the Internet,
234
00:21:14.630 --> 00:21:18.779
you know, that can help you out,
because, honestly, when security,
235
00:21:18.819 --> 00:21:23.900
compliance and risk management fail, a
corporation also fails its customers. Okay,
236
00:21:25.259 --> 00:21:30.019
okay, because your customers are thinking,
can I trust that organization anymore, because I
237
00:21:30.099 --> 00:21:37.930
heard about the audit? Something else. Accurate reporting, data quality management.
238
00:21:37.089 --> 00:21:41.690
Data quality management means that,
before you send that report up, take
239
00:21:41.730 --> 00:21:45.450
a look at it. All right, see if it's right. This is
240
00:21:45.490 --> 00:21:49.599
where your situational awareness arises.
If you're at a top level of management,
241
00:21:51.119 --> 00:21:55.000
when you receive a report, do
your data quality management. Okay,
242
00:21:55.119 --> 00:21:57.680
because you may have to take that
report and share it with your,
243
00:21:59.640 --> 00:22:03.109
I don't know, customers. Maybe
there's an SLA written that
244
00:22:03.230 --> 00:22:07.950
states every time you have an audit, your customers want to see your audit,
245
00:22:07.910 --> 00:22:12.230
because they want to maintain trust with
you that you are protecting the data.
246
00:22:14.230 --> 00:22:18.259
And if you send up the wrong
report, it could be bad for your
247
00:22:18.299 --> 00:22:22.900
company. So data quality management is very
important. Update your benchmarks. Benchmarks
248
00:22:22.940 --> 00:22:27.980
come out, plugins come out, because plugins are used for these active
249
00:22:29.019 --> 00:22:33.410
applications that scan the environment
and look for vulnerabilities and risk. If
250
00:22:33.490 --> 00:22:37.009
you don't update those, they're
going to give you some bad data and
251
00:22:37.170 --> 00:22:41.569
goals. Think about Microsoft Patch Tuesday. Microsoft Patch Tuesday comes out,
252
00:22:42.250 --> 00:22:47.240
and if you have the wrong plugin
installed, you're going to be scanning
253
00:22:47.359 --> 00:22:52.400
for issues that happened a month ago, all right, and you may go
254
00:22:52.519 --> 00:22:57.750
to your CISO and say, hey, we don't have any vulnerabilities for Microsoft
255
00:22:57.829 --> 00:23:00.109
this month. Well, you know
what, you didn't go update the plugin,
256
00:23:00.190 --> 00:23:04.549
because you have to do
that. Testing is not new. Start
257
00:23:04.630 --> 00:23:11.190
early, all right. When we
have these assessments, right, an audit,
258
00:23:11.349 --> 00:23:19.299
an audit or an assessment is an
evaluation of what was supposed to be
259
00:23:19.420 --> 00:23:22.619
happening, all right. So that
means that you should not be running in
260
00:23:22.859 --> 00:23:29.890
an emergency mode. You should not
be trying to jump a fence to go
261
00:23:30.049 --> 00:23:34.089
get ready for these assessments. If
you have continuous involvement in the
262
00:23:34.170 --> 00:23:41.720
cybersecurity workforce, and if you have a
continuous environment of following best practices,
263
00:23:41.039 --> 00:23:45.319
all those assessments should be easy,
all right, but the problem is that
264
00:23:47.319 --> 00:23:52.200
people only want to get involved with
these assessments and the testing
265
00:23:52.720 --> 00:23:56.109
when it's warranted. You
should always be in that test mode.
266
00:23:56.190 --> 00:24:02.750
This is part of the cybersecurity mindset. Stay proactive versus reactive. Yeah,
267
00:24:02.910 --> 00:24:06.589
if you're proactive, then you're going
to be starting early. You're not
268
00:24:06.710 --> 00:24:10.940
going to wait until something happens and
say that we need to take a better
269
00:24:11.059 --> 00:24:14.099
handle on risk. No, you're
going to remain vigilant, you're
270
00:24:14.099 --> 00:24:17.220
going to have your eyes open, and
you want to be a part of these
271
00:24:18.140 --> 00:24:23.609
security, compliance and risk management initiatives.
All right, practices and standards
272
00:24:23.650 --> 00:24:27.289
are written for a particular reason.
Okay, rules are written for a
273
00:24:27.369 --> 00:24:32.609
particular reason. Follow them. It
makes your life easy. Let's just
274
00:24:32.609 --> 00:24:38.000
think about this. If you did
not follow the standards and if you tried
275
00:24:38.119 --> 00:24:42.920
to put everything in the green, right, imagine how much cover-up you
276
00:24:44.039 --> 00:24:48.240
have to do. All right,
bear with me for a second. Now,
277
00:24:48.359 --> 00:24:53.829
imagine that you followed the standards, right,
and you actually gave a report that
278
00:24:55.029 --> 00:25:02.150
represented red, yellow and green, and
also you had a justification
279
00:25:02.670 --> 00:25:07.819
behind that. Now what you've done
is that you have instilled confidence
280
00:25:07.299 --> 00:25:11.779
from the top-level management,
and this is what the inclusive culture is
281
00:25:11.779 --> 00:25:15.660
all about: having that buy-in
process. And now what you have done
282
00:25:15.900 --> 00:25:22.690
is that you have gone out there
and provided opportunity to go clean up risk.
283
00:25:25.009 --> 00:25:29.970
So, in summary, security, compliance and risk management operate in
284
00:25:30.009 --> 00:25:36.880
unison. All right, make sure that you
285
00:25:37.000 --> 00:25:41.160
practice them appropriately, and I'm going
to keep stating this over and over again.
286
00:25:41.599 --> 00:25:47.839
The inclusive culture is very important.
Stay proactive, do not get involved
287
00:25:47.920 --> 00:25:53.029
when you think it's appropriate. Look
at some key points on why organizations fail.
288
00:25:53.670 --> 00:25:59.029
You know, they fail because nobody's acting. Nobody wants to be involved with
289
00:25:59.109 --> 00:26:04.859
this program until something happens. Continuous
monitoring is very important, because continuous monitoring
290
00:26:06.059 --> 00:26:11.380
is ongoing observation and involvement in cybersecurity. This is where the cyber
291
00:26:11.420 --> 00:26:15.019
security mindset comes to the surface. All
right, something else to keep in mind.
292
00:26:15.099 --> 00:26:19.369
Extend the compliance mentality. Eighty-five
percent is really good, but
293
00:26:19.490 --> 00:26:22.849
you know what, that fifteen percent
factor you have to worry about,
294
00:26:22.930 --> 00:26:29.289
because there may be a Trojan horse or
ransomware or something else in that fifteen percent,
295
00:26:29.970 --> 00:26:34.079
because a lot of people reach the
eighty-five percent and, you know,
296
00:26:34.160 --> 00:26:37.079
they clap their hands and they stop
working. No, you can't stop working.
297
00:26:37.119 --> 00:26:41.839
You have to continuously stay involved.
All right, think about the
298
00:26:41.880 --> 00:26:47.869
cybersecurity DNA, because
security, compliance and risk management
299
00:26:48.109 --> 00:26:52.269
are part of the cybersecurity DNA. What is it that we know about
300
00:26:52.309 --> 00:26:57.029
the cybersecurity DNA? It is
a set of building blocks, and if
301
00:26:57.109 --> 00:27:02.500
you push down one of those blocks, then you destroy the cybersecurity DNA.
302
00:27:02.819 --> 00:27:07.299
If you
destroy the cybersecurity DNA, well,
303
00:27:07.619 --> 00:27:12.700
guess what? You destroy cybersecurity.
What is it that we know about
304
00:27:14.059 --> 00:27:21.569
risk? Risk has two factors,
okay: threats and vulnerabilities. Vulnerabilities are
305
00:27:21.650 --> 00:27:26.329
those loopholes that actually occur in a
system. Okay, and so we try
306
00:27:26.369 --> 00:27:33.359
to reduce vulnerabilities to, like,
the lowest level. But some of those
307
00:27:33.400 --> 00:27:37.400
vulnerability management programs do not work effectively. Trust me, I've been out
308
00:27:37.440 --> 00:27:42.960
in the industry for a while. There are problems with some vulnerability management
309
00:27:44.000 --> 00:27:48.990
programs. So in episode six,
What's Wrong with Your Vulnerability Management Program, we
310
00:27:49.109 --> 00:27:56.109
are going to be discussing those topics. See you in episode six. You've
311
00:27:56.150 --> 00:28:00.299
been listening to the Chief of Cybersecurity
Podcast, where you have gained relevant
312
00:28:00.339 --> 00:28:04.579
knowledge to enhance your cybersecurity mindset. Be sure to visit DwayneHart.com to
313
00:28:04.660 --> 00:28:11.619
learn more about authored publications, show
notes, and discover more information concerning cybersecurity.