
Cybersecurity Overview for IT Professionals

Information Technology is not Information Security. What makes each specialty different and why do they have differing objectives?

Transcription

TOM: Welcome, everybody. My name’s Tom Kirkham. I’m CEO and founder of IronTech Security. We are a managed security services provider, and we’re going to get into a little bit of what that means to you and what it means for your IT staff or your IT guy or gal, or maybe you’re using an MSP. We’re going to draw hopefully some very clear distinctions on what IronTech is versus whatever you’re using, whether it’s internal or external or you’re outsourcing your IT. We touched on this last week but basically, IT and security are two completely separate things, and they have a baked-in conflict of interest.

For those of you that were here last week, we do have some new information. It is a little bit repetitive, but I think that today’s presentation is even better and makes a clearer distinction. For those of you on the webinar that do IT, hopefully you’ll understand what we do is not only generally outside of the scope of what you provide, but also, we partner with internal or outsourced IT. So we work together to make sure we’re balancing security with IT needs, and we’re going to explain why all of that is very, very important to do.

Where’s my divers at? I lost my divers. There we are. I’ve got to have the animation in there. Going down, going down. All right.

Like I said last week, information security, or as we like to say, infosec, is not information technology. And in fact, it’s not even a specialization within IT itself. Last week we talked about IT – you’ve got programmers, database administrators, network administrators, help desk technicians, all of these different jobs in IT, and it’s a huge, huge industry.

At one point, I think, back in the ’90s and 2000s – and it may still be true today – most of the planes that I rode on – I was in IT – it was estimated that like 30% of the passengers on an airplane were in IT in some way. They may be sales, but they were selling IT. Especially if you’re flying to Austin or San Francisco or perhaps Chicago. Not quite so much. But these hotbeds – Los Angeles, Seattle, these places where there’s a lot of IT there. But even the regular ones, too, even going to Atlanta, 10% or 20% of the people on any given plane were in the IT business in some way. So it’s a huge, huge industry.

In many ways – I need to look this up, but it’s got so many specialties. I like to use the analogy of the health professional industry. You’ve got your rheumatologists, neurologists, neurosurgeons. There’s a world of difference between a neurologist and a neurosurgeon. Perhaps that’s the best way I could compare the two with IT versus security specialist or infosec people. Neurologists don’t do surgery, and neurosurgeons are not neurologists. They’re two completely different things.

And just like in neurology, those two specialties have different principles and objectives. In fact, infosec people have to have a different mindset. Many of us are born with it. We may not want to do a heist, like an Ocean’s Eleven heist, or steal from a bank or boost a car like in Gone in 60 Seconds, but we sure love watching those movies and wondering, “How can I do this?” It’s like every attorney knows how to bribe a jury, but none of them do. It’s just a fascinating part of security and how it relates to IT. But infosec is a part of security overall. It has IT components to it, but first and foremost it is a security specialization, and that’s what makes it not an IT role. Or at least not at a very high level.

In fact, a security specialist has a conflict of interest with the rest of the C-level suite with the exception of the CEO. There’s a conflict of interest with marketing, operations, chief information officer, or your IT guy if you’re outsourcing IT or you have an internal IT team or an internal staff member. You can kind of view those as a CIO role.

Now, if you follow Harvard Business Review and you understand the principles of business administration, or maybe you have an MBA degree, you know that no matter how small your organization, those leadership and management principles really don’t change. You may have one person in your office that does three of these roles, and then maybe there’s one other that does something else, but even in the smallest organizations – you may do everything – if you don’t delineate these roles and understand what the principles and objectives of each role are, you’re really not fulfilling the proper management of your organization.

Even if you’re the chief, if you’re in charge of everything, whether you’re a president or executive director or manager or whatever that is. If you’re the chief – and I think probably most of us on this call are going to answer to a board of directors – you answer to them, but you’ve got to make sure you do your job right. So you need to think about those roles even if you’re in charge of them.

Now, in our business, that particular person is called a CISO, or a chief information security officer. Not just a CIO, but a CISO. Let’s talk about how that organization chart looks. Just stay with me; it’ll pay dividends for you, I know. I know there’s no Fortune 1000 companies on the call – or at least I don’t think so – maybe some of you have worked in that role and you’ll get this real quick. So just stay with me. I promise it’ll pay off.

What we frequently see when we’re talking to just about anybody, really, whether it’s somebody in health or law, water utilities, whatever it is, most people have a tendency to think of the CISO, or the chief information security officer, as maybe answering to the head of the IT department. But in reality, because they do have a conflict of interest, they have to work together because the security guy is 100% focused on security and privacy and everything it has to do with. He has nothing to do – his number one job is not to make widgets if you’re in manufacturing, not to deliver water if you’re a water utility, not to do courtroom trials. It’s all about keeping everything as tight and as secure as possible. No data leaks out. Nobody hacks into the organization.

An IT guy’s primary responsibility is to keep the network up and running, to apply both software updates and patches, and they overlap. There are security patches. But an IT guy is going to be, “Oh wow, I know marketing needs this particular feature inside of Outlook.” Maybe there’s a feature they need in Outlook. A security guy, that’s irrelevant. But a security patch inside of Outlook is relevant.

Now, it’s a conflict of interest because the IT, the CIO may come to me and say, “We can’t do this patch to Outlook because it crashes a lot of computers.” We go, “We really want to have that security feature enabled. It’s a very big problem.” So it’s a conflict of interest, and if we can’t work that out between us, then we’ll both go to the CEO and let them make the decision because ultimately, the CEO is responsible for all of these things.

I didn’t see that note until just now. Is my sound okay now?

KINDSEY: Yeah, you’re fine. You’re good.

TOM: All right. Sorry about that. I was on a roll, too.

Anyway, this is the way your organization chart should look. Even if you’ve got one person doing three of these and maybe one other, or you’re doing two of them, you’ve really got to separate IT from security. Those two do need to be separate. Or you need to think of them separately because they have different objectives and principles and a different mindset, just like the finance guy or gal. Certainly the marketing director has different objectives than the security director. So this is the way the modern organization chart should look.

Now, this is relatively new. This has really come on in the last three years for forward-thinking or thought leaders in the business. But there’s another phase coming, and it’s coming quicker than we all realize, that we’re going to talk about in a later slide. But let’s take a look at this CIO role.

If you’ve got an IT guy or gal, or maybe you’re using an MSP – it’s an outsourced IT, whether they just come in when something’s broke or you’ve got somebody fully managing your backups and your patches and making sure your server doesn’t go down and all of that stuff. For the sake of the call and the webinar, we’re going to call that a virtual CIO. You’re outsourcing them. These same things happen to internal IT as well, and you’ll see where I’m going with the virtual CIO thing in a minute.

But let’s look at their roles. They typically furnish a help desk, or they are in charge of outsourcing the help desk if you’re a very large organization. They’re going to do things like desktop management, deployment, configuration, staging. They’re going to manage the entire network to make sure the network doesn’t go down. They’re going to determine server requirements. Like, “What’s it going to take to run this piece of software on this server?” That’s their job.

A good IT company, they’re not in charge of being specialists on the marketing software, the customer relationship management software for your organization, but they are in charge of making sure that software doesn’t go down and works flawlessly and works as quick as possible. They don’t underspec the devices, whether it’s the server or the workstation, the laptop, the iPad, whatever it is. That’s their job: to make sure that the equipment that’s in place, the network that’s in place, is running as efficient and has minimal downtime. Ideally, it’ll never go down.

So that’s the role that you should expect from your IT company. Now, what you should not expect, because of the conflict of interest, is the CISO role to be filled by the CIO. Since a CISO, or a computer information security officer, is security-first, they are going to be worried about things like security awareness training. These require soft skills. They require cooperation with the COO. The COO may have got HR under them, or maybe he’s just interested in making sure the widgets get out the door. Well, that’s cutting into his productivity. If I go in and say everybody, every month, has got to have an hour with the security awareness training, he goes, “That’s cutting into my productivity.” So we work together to make sure that we balance security needs with manufacturing, or security needs with marketing, whatever it may be.

A CISO is also in charge of detecting intrusions, and they’re in charge of preventing them. IT, especially an MSP that doesn’t have a security component to it, really isn’t in charge of intrusion detection. It’s changing now, but many, many of them are going to wait for a help desk call to come in that says, “Hey, I got a virus warning” or something like that. They’re not really into – in the business it’s called IDS, intrusion detection system. For those of you that remember the three types of controls, that’s one of our technical controls that we deploy along with the technical tools that we put on there. Many of them have an IDS or are able to detect an intrusion.

And then another role that we play is we’re monitoring it, often 24/7, so we respond immediately. It’s a security response that is outside the scope of an IT guy more or less. Now, if they’re doing some of this stuff and they’re doing it all the time and that’s their primary responsibility, yeah, they are fulfilling the CISO role some. But we don’t see that very much.

A virtual CISO is going to work very closely with the IT company, the MSP, for disaster recovery and continuity management. Many of you know this as business resilience. They’re all basically the same. So if you’re looking at or have looked at your AWIA requirements, you’ve got to have a business resilience plan. In the industry, it goes by a number of different names.

Another thing is identity and access management. That typically does not fall under the IT person’s responsibilities. Privacy rarely does. That is very important because as a security officer, privacy equals security, and security equals privacy. We’re going to talk about that in an upcoming deeper dive and go into more depth. Maybe we’ll hit 10 fathoms on that, I don’t know.

And then a virtual CISO, whenever there is a security event, we do what’s known in the industry as a postmortem. After it’s all over and everything’s all cleaned up – and sometimes it starts during the event itself because we’re gathering information and we want to see that storyline – that’s what it’s called in the business: what is the storyline of the event? What happened here, what happened here? It’s like an airplane crash. There’s never one single cause. Almost always, there’s some human element into it. Then there may be a part that failed, or there’s a design flaw. Airplane crashes typically may have three or five, seven different things that go wrong, and the culmination of all those is what creates the disaster.

The Shuttle disaster, the first one. Well, both of them, actually, but the first one, there were many, many things. There was a culture problem at NASA. Lackadaisical security precautions as far as safety goes. Failure to heed warnings. The culture was really the biggest culprit if you look back in history and study it. I had a chance to talk to the guy that was head of the investigation of that. It was pretty fascinating. He went through what all they had to go through.

But that’s what a virtual CISO will do. That’s what an MSSP will do for your company, and they will work with whoever or whatever’s doing your IT.

Let’s take a look at some examples of conflicts. Marketing officer, they may see nothing at all wrong with everyone having access to customer data, but I’ll tell you, a security officer’s going to come in and say least privileged access. If they don’t need access to it, I’m cutting down on my vulnerabilities to customer information, because if customer information gets out there, it can be very embarrassing or even worse. If you’re a doctor, if you’re financial services, in that industry there are some very serious fines that could put you out of business and bankrupt you if that data gets out. And that’s pretty obvious.

Like I mentioned earlier, the IT guy wants to make sure the network doesn’t ever go down. The financial officer, the bean counter, he’s going to automatically knee-jerk and say “Cybersecurity costs too much. We can’t afford what Ford Motor Company does or what Amazon does.” Well, no, you can afford it. It’s a risk analysis that gets you to that point, and our stuff’s very affordable. If you bought everything we had, which you shouldn’t – because you can never get 100% secure. In fact, that’s another thing a good CISO does and a good CEO does. They understand that. We’re going to talk about that in a minute.

The operating officer is going to say security hurts productivity. Not just your security awareness training, but “My gosh, why do I have to have multi-factor authentication and punch in these six digits in addition to my username and password, and maybe a PIN on top of that?” Well, that’s what we’ve decided as a team that you’ve got to do to make sure your organization is secure.

I’ve got a story that illustrates these conflicts of interest. In fact, somebody on the call is internal, and he’ll know this story very well. We have a client that is an oral surgeon, and we got an alert there was an intrusion. We’re on top of it and we’re watching it multiply, and we realize that we’re not mitigating this quick enough. So our guy reached out and said, “You’re going to have to shut your office down.” Now remember, they’ve got appointments scheduled, they’ve got surgeries scheduled. This is a big, big call. But we can’t stop the attack unless you shut it all down. You’ve got to shut it down. And they said no.

It was escalated internally, and our boss and their boss basically communicated and we said, “We don’t care, because if we don’t shut this thing down now, you may be down for days, weeks, and furthermore, we have no idea what kind of data loss could get out in the wild. We’ve got to shut it down now or else you could potentially be sued, pay horrible fines, and be out of business. Not to mention your reputation being destroyed.”

It’s hard to make those calls. Now, as a result of that, we shut them down. It took a few hours, but by the end of the day, they were limping along. This was a really bad attack. This is very rare for us to have to shut somebody down like that. But sometimes it has to happen. And if you don’t have security awareness first and foremost, or you’re not a security-first environment, you don’t understand what can really happen and what the fallout can be.

I really think that had we not been there, it would’ve been a lot worse, and tragic probably. At least they were an oral surgery practice, so they weren’t doing critical healthcare, but we would’ve responded differently if it was something like that. So once again, it’s a balance. Let’s say there’s one computer in the hospital that’s running a heart and lung machine for a transplant that has to be done immediately. A security officer says, “Let’s get this balance right. We can’t take it down or somebody’s going to die. But we can’t just throw our hands up and not try to mitigate the attack and make it less bad than what it will be.”

So it’s always that conflict of interest, and ultimately the CEO has got to break any ties, and the CEO has to be informed and understand the risk/reward between all the C-level suite, or the managers or the directors or however your organization is laid out.

Just like IT, there are all these specialties inside of security. There are red and blue team specialists. This is kind of fun; the red team are really penetration testers and the blue team are on our side. They’re trying to defend against somebody trying to hack in. They play these war games, and there are people who specialize just in these war games. That’s what their job is. Play war games. Offense and defense. Some of them flip teams just to get a different set of eyes on it.

Penetration testers as a career choice, or a specialty, actually have a conflict of interest with IronTech Security. We don’t do penetration testing. There’s a big difference between penetration testing and vulnerability assessment. We want to have an outside company actively hack our security protections and then tell us how to improve them, whereas if we just do a vulnerability assessment, we look at open ports and unpatched systems and then we’re going to do security awareness within your office, what’s the maturity of your company. That’s what our job is. So we actually have a conflict of interest with penetration testers.

In fact, all the best penetration testers, that’s all they do, and the best ones are independents because it’s a very well-paid field. But we don’t do penetration testing and we never will.

There are people who specialize just in security operations center administration, where the people are actually seeing the threats coming in and then responding immediately. You’ve got risk analysis. There are experts in business resilience, continuity, and backups, because there are many different ways you can do those things. It’s a function of time and money. The less time down, the more money it costs, generally speaking.

And then most importantly of all, the security specialists create, maintain, and then make sure everyone understands what the administrative controls are. Technical, physical, and administrative controls – none of this works – in fact, it doesn’t work with any role, but in security, the most important thing we do is have really tight administrative controls.

So looking from a boss perspective, right now, like I mentioned earlier, in the last couple years, infosec is a C-level role. It reports directly to the CEO. But that’s changing, and a lot of businesses that have boards of directors are also seeing that it’s a board-level awareness, and they hold the CEO accountable. There’s actually a handbook out there just for board members to increase their administrative controls and their knowledge and their awareness as a board member of why they have to create security and properly advise the CEO or the executive director or whatever that may be.

And that’s coming. That’s coming very quickly because the nature of these threats is especially formidable. The complexity and the speed of evolution is phenomenal. It’s accelerating at an exponential rate, just like all of IT is. It’s changing much quicker than any industry. The potential for financial, competitive, reputational damage can destroy the entire company. So this is board level stuff. This is the same thing that boards have been doing for hundreds of years. Their number one deal is to make sure everything’s done in the best interest of the shareholders and/or the organization, maybe the customers. All of these things the board has to look at and make sure all of this stuff is being covered.

Not only CEOs, but board members also understand that total protection is an unrealistic objective. Now, we can sit here and tell you that if you use what we recommend, it’s going to dramatically increase your security posture, but you’ll never hear one of us say you’re not ever going to get attacked. What we are going to say is if you get attacked, we’ve got multiple layers and multiple procedures and all these different things. We’ve got multiple safeguards, and you guys have been through the onion layers plenty of times to know that that’s it. But the technology and the social engineering and all these things are improving on the bad guys’ side at exponential rates.

So, having said all of that, does anybody have any questions? Got any questions? Anybody out there?

KINDSEY: Does not look like we have any.

TOM: All right. Well, if you do, if you think of some after this – hopefully you took plenty of notes – but if you do come up with some questions, you can drop us an email, give us a call, whatever. The typical things that we talk about, it only takes 10-15 minutes to do a discovery call, get you an idea of what the ballpark numbers are looking like, what your risk level will end up looking like. If you go, “Oh, I’ve got the budget for that; what else can we do?”, we’ll talk about that with you. Do you have SCADA devices connected to the internet? Well, you’re going to need another tool. Do you really need it? That depends on your budget. It’s a risk analysis.

I want to encourage anyone that’s on the call that hasn’t signed up for a trial of our security training – 30 days, you get a real good taste of what that is, and I think that’s the number one most important thing you should do as an organization. Do that first, and we’ll help you with that. We don’t just say “Here it is and here’s the emails” and all that. We actually specialize in walking you through operating that training as a manager so you can see how everyone in your organization scores.

It’s a really good taste of it. You pretty much learn everything you know about it in the 30 days you’ve got it. And we make sure you work at it, so if you’re serious about signing up for it, know that it’s a commitment of probably about 30 minutes to an hour for that month or so. 434-1400. I’d be happy to discuss any of these things with you.

And I forgot to put a slide in here, but yes, for outsourced IT, we do have a partner program because we need you guys and gals. We work closely with you and relieve some of the burden. I want you guys to concentrate on what you do best; we want to concentrate on what we do best. But if you’re a partner with us, we’ll use you to help deploy our tools. We can do it without you, but we’ll help you deploy the tools, make sure you’re ramped up, increase your security awareness, and you’ll have a good idea for what’s on your network to make sure it’s not impacting the productivity.

We think we’ve done a good job with that, but not every environment is the same. So there may be a surprise one day, and we need your help to make sure it’s not impacting productivity or marketing or up time or whatever that may be.

Give us a call if you’ve got any other questions. I think that’s it, and I think that’s all the questions. Any questions, Kindsey?

KINDSEY: Nope. I think that is all.

TOM: Joseph? Joseph is the one that was involved with the oral surgeon, so he might drop something in chat if he’s got something to say. But I’m going to have to close it off. Thank you guys for attending. We do these every week. We’re here every Tuesday, 2 p.m. Central. We’ll see you next week. Thanks a lot.