The Southern Fried Security Podcast
Join Andy Willingham, Martin Fisher,Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at www.southernfriedsecurity.com.

Episode 206 - The Front Porch….

 

Welcome to the first of an occasional series of episodes featuring conversations with a variety of interesting people from both inside and outside of information security.

 

In this inaugural episode you get to listen to dinner conversation between Wendy Nather, Mike Rothman, Wolfgang Goerlich, and Martin Fisher that happened in Atlanta at the Atlas Restaurant. We cover a lot of topics that I’m sure you’ll find interesting.  

 

And, for the record, the “Aristocrat” cocktail at Atlas is something you must try.

 

I appreciate Duo Security and CBI for helping to make this dinner possible.

Direct download: SFS_Podcast_-_Episode_206.mp3
Category:general -- posted at: 2:24pm EDT

We recorded this episode as the closing keynote at BSides Atlanta on May 5th, 2018.

We want to give a big round of thanks to the organizers, volunteers, sponsors, and attendees of BSides Atlanta for a great venue and event.  It was a great time and we hope to be there again next year.

Direct download: SFS_Podcast_-_Episode_205.mp3
Category:general -- posted at: 7:22pm EDT

Episode 204 - Evaluating Your Security Program: Communications Plan

 

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. If Education & Awareness are how the employees engage the program then Communications is how the management team engage the program
    2. In business life, like everywhere else, if people don’t know who you are or what you do then they aren’t going to be willing or able to support you in times of crisis or need
    3. The higher up in the org you want to communicate the more deliberate your plan needs to be
  3. Why Even Consider Communications?
    1. Each sub-org needs to be considered
      1. CIO-org
      2. CFO-org
      3. COO-org
      4. CMO-org
      5. CCO-org
      1. Unless you report to the CEO the next person down in your chain is going to have to likely carry that water
      2. We will address the opportunities and dangers of directly engaging a CEO at some other podcast
    2. Notice that there is no “CEO-org”
  4. Determine the Audience(s)
    1. Updated status reports are better than a ‘newsletter’
    2. Compelling progress reports (especially if validated by a third party) can be a huge gain
    3. If you invent something new it better be hugely valuable
    4. “Communication is what the listener does”
  5. Leverage Existing Comms Before Inventing Something New
    1. Get over yourself
    2. Really.
  6. “But this is just playing politics!”
Direct download: SFS_Podcast_-_Episode_204.mp3
Category:general -- posted at: 4:37pm EDT

Show Notes

 

Episode 203 - Evaluating Your Security Program: Threat Mapping

 

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. How is this different from threat modeling?
    2. Threat modeling is listing what could happen to you.
    3. Threat mapping is mapping the holes in your program.
  3. What is “Threat Mapping”?
    1. Must have a assessment management program
      1. you can’t protect what you don’t know about
      2. This isn’t “I have a CMDB”.  It’s actually taking actions based on what you know about what you have
      1. Map assets to known threats
        1. industry
        2. entry points
        3. technology
        4. Online threat maps
      2. What are you doing to know this?
      3. What controls do you currently have in place to mitigate or reduce the risk?
    2. Understand what your “real” threats are

      1. Apps
      2. Infrastructure
      3. 3rd parties
      4. etc
    3. Scope and prioritize - break down into areas to tackle
  4. How To Get Started
    1. Scorecard (KRI)
      1. What is important and helpful
    2. Risk Registry
  5. How To Measure
    1. Use your risk registry or GRC tool to track progress and keep management updated. You need them onboard to improve.
    2. once you have some areas mapped don’t ignore them
    3. implement solid change control and change management processes
    4. keep risk scores updated so you aren’t focusing on unimportant things
  6. How To Improve/Modify
Direct download: SFS_Podcast_-_Episode_203.mp3
Category:general -- posted at: 7:40pm EDT

Episode 202 - Evaluating Your Security Program: Awareness & Education

 

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. What do you think you do?
      1. Mandatory CBLs
      2. CyberCyberCyberStuff (Posters, Email, Swag)
      3. Briefings and Classes
      4. Phishing Awareness
      5. $NOVEL_IDEA
      1. How many people is it designed to engage?
        1. Not how many people took the awareness, how many people were ENGAGED?
      2. How many people were actually engaged?
      3. How did they do? (CBL completions, % phished, reviews, etc)
        1. If CBL_Completion = 15(clicks) then you may want to rethink that
        2. 0% phished is not a sign of a great security program...more likely a sign of a bad phishing program
        3. If there is no way to allow for anonymous reviews of training/briefings/etc then you’re not likely to get fully honest reviews (Who wants to piss off security?)
      4. Are you being honest with yourself?
    2. How do you measure it?
  3. Measuring Awareness & Education
    1. Don’t change the measurement...change the program
      1. The key to long term success is consistently measuring the same thing over time
      2. You may want to update goals (up or down) but be able to explain why especially if you are making the test easier
      1. Big changes in delivery will skew the numbers in ways you likely will not like
      2. Constant large turmoil is counter to most corporate cultures
      3. Small changes take advantage of previous investments best
      4. “Iterate small and grow larger” - doing too much too fast almost always ends is highly suboptimal results over time
    2. Don’t make drastic changes until Year 3 unless you have to make drastic changes
    3. Clearly failing components should be axed and replaced and not tweaked around the edges - especially if there’s a compliance or safety aspect
  4. Adjusting The Program
  5. If this feels like “Wash, Rinse, Repeat” it’s because is it “Wash, Rinse, Repeat”
Direct download: SFS_Podcast_-_Episode_202.mp3
Category:podcasts -- posted at: 6:31pm EDT