M is for Money

/0 Comments/in /by

Fundamentals are critical to the foundation of an information security program (or strategy). Deficiencies in information security fundamentals are analogous to cracks in a fortress foundation. Fortress defenses won’t stand and neither will your information security protection.

The Information Security ABCs are drawn from information security fundamentals. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

TRUTH: If more people and organizations applied the fundamentals, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

It’s been too long, but the time has come for the letter “M”.

The magnate’s magnitude of moneymotivated myriad manipulation makes mayhem and mess of society’s macrocosmmasqueraded with mentor-less and maladroit management who’s malfunctioning mandates manifest in the malefactor’s monopoly.

The letter “M” is for “money”. It shouldn’t be, but it is.

Our Tribe

Last year (2020) we spent an estimated $123,000,000,000 (that’s $123 billion) on “cybersecurity” worldwide. That’s a helluva sum of money, and it begs to question:

  1. What did we get for all this money?
  2. Was (all/some/any of) this money well spent?
  3. Is this too much money, not enough money, or about right?

At a macro level, these questions are nearly impossible to answer objectively. There isn’t uniformity in how we apply or measure information security effectiveness (although we’re working hard to change that) and we don’t have quality data. When we consider estimated losses (to “cybercrime”), maybe we get an indication of how we’ll we’re doing.

According to estimates/predictions from Cybersecurity Ventures, cybercrime will cost us $6,000,000,000,000 (that’s $6 trillion) this year (2021), up from $3 trillion in 2015. The trend doesn’t appear to reverse anytime soon, with 2025’s losses expected to approach $10.5 trillion.

Are we doing this right? Our cybersecurity investments are growing, but our losses are growing faster.

Who’s getting paid?

Simple. The $123 billion goes into our pockets. The $6 trillion goes into the criminals’ pockets.

The Good.

There are many, many good people making a good living in our industry. They’re “good” people because they do their work for the right reasons, to protect others, and to protect information that’s been entrusted to them.

We all get paid in this industry. I get paid, you get paid, our co-workers get paid, our bosses get paid, the companies we work for get paid, etc., etc. Some of us get paid a lot, some of us get paid less. There’s nothing wrong with getting paid. We have bills and people to support (whether it’s just us, our family, etc.).

According to CyberSeek, there are 956,341 people employed in the U.S. “cybersecurity workforce” and nearly a half million job openings. The supply of talent is “very low” and the demand is high. If you believe the numbers, our job prospects should be good for a long time. According to ZipRecruiter, “the Average Cyber Security Salary”  is $112,974 per year, ranging from $125,664 in New York to $82,936 in North Carolina.

Again, if we agree with these numbers, the average worker in our industry makes good money. We make twice as much as the average U.S. worker. This is good!

The Bad.

The criminals are expected to steal nearly $6 trillion worldwide in 2021. This is a HUGE number, so let’s try to put this into perspective.

  • The worldwide economy (GDP – nominal) is roughly $94 trillion, so cybercrime is costing about 6.38% of the world’s economy.
  • The global pharmaceutical market is roughly $1.27 trillion. Cybercrime has this number beat by a factor of four.
  • Some estimates put the global drug trade at roughly $450 billion. Not even in the same league as cybercrime.
  • Only the United States ($22 T), European Union ($19.2 T), China ($16.6 T), and Japan ($6.2 T) have economies larger than the cybercrime economy.

Cybercrime is expected to grow by as much as 15% annually. There are (at least) three primary reasons why global cybercrime has gotten (and continues to get) out of hand:

  • Lack of accountability. The lack of accountability when it comes to information security is astounding.
    • There’s very little (if any) accountability for the criminals.
    • There’s no accountability for software companies writing crappy code (as long as we keep buying it, they’ll keep selling it).
    • There’s very little accountability for the CEO who ignores his/her responsibility to protect their company’s assets and customers’ data. Compliance is a joke because we stop once the box is checked. As long as nobody really pays the price, there isn’t much motivation to change. Instead of individuals paying the price, the costs are spread across a wide population through higher fees, higher prices, etc.
  • We like our ignorance. Nobody will admit it, but we must not really care. We have the illusion of care, but we don’t really care. If we did, we would nail the basics. We don’t like the basics because the basics are work. The criminals like that we don’t like the basics because they have less work too. We do less work, they do less work. Maybe that’s the twisted win-win here.
  • We adopt technology much faster that our ability to secure it. We live in an easy button, instant gratification, entitlement world where we lust for new features, blinking lights, and hot gadgets. Every day, we add more and more complexity to our lives, pushing good information security further and further out of reach. Complexity is the worst enemy of security.

The cost of cybercrime seems like a cost we’re willing to accept and it’s definitely a cost we’re going to pay. This doesn’t magically go away, and the endgame is actually pretty scary to think about.

The Ugly.

There are the wolves (the criminals) and there are the wolves in sheep’s clothing (those in our industry who take advantage of others in our industry). There’s a population within our industry who doesn’t give two sh*ts about protecting the innocent, but instead prey on their fear and ignorance. These are the vendors and marketers who will keep selling you crap you don’t need, can’t use, or doesn’t work. Some of these players are very big, and I won’t name names, but you know who they are.

The illogical acceptance of vendor BS:

Vendor: “Buy my thing, you need it.”

Ignorant Victim: “OK, if you say so. It looks cool.”

 

Ignorant Victim: “Hey, I think your thing is making me vulnerable.”

Vendor: “Well you have to patch my thing.”

Ignorant Victim: “But it’s your thing, why do I have to patch it?”

Vendor: “Because when you bought it, the liability became your thing.”

Ignorant Victim: “OK. How often do I need to patch your thing.”

Vendor: “We don’t know, maybe monthly.”

 

Ignorant Victim: “Hey, I don’t think your thing works.”

Vendor: “Oh, that’s because you didn’t configure it right.”

Ignorant Victim: “How do I configure it right?”

Vendor: “You can try reading the manual or you can attend our training. Attending our training is recommended, and it’s only $5,000.”

Ignorant Victim: “OK, so I should pay $5,000 to learn how to use your thing that I paid you for?”

Vendor: “Yep, that’s how it works.”

 

Ignorant Victim: “Hey, a criminal hacked your thing and stole a ton of stuff from us.”

Vendor: “That sucks. Oooh. Looks like you didn’t have our other thing that would protect the first thing from criminals.”

Ignorant Victim: “So I need to buy another thing from you to protect your first thing that was supposed to protect me?”

Vendor: “Yep. Times change and we gotta keep up.”

 

Ignorant Victim: “Hey, me again. Looks like somebody compromised the first thing again, even though we had the second thing.”

Vendor: “Yeah, that’s because we don’t support the first thing anymore. You should have gotten the nextgen first thing.”

Ignorant Victim: “But it seems like the first thing should have done the things that the nextgen thing does now.”

Vendor: “Well, not really. The nextgen thing uses this new proprietary technology that nobody knows about or can explain.”

 

Ignorant Victim: “I don’t think the nextgen thing is serving our needs anymore. It’s really hard to use and I can’t afford the manpower to run it.”

Vendor: “Lucky you! We’ve got a new cloud nextgen managed service thing! You’ll love it.”

Ignorant Victim: “Cool! Do I still need the nextgen first thing and the second thing?”

Vendor: “We can get rid of the the nextgen first thing because we moved that to the cloud, but you should keep the second thing. One more thing, we need to add a third thing so we can talk to the cloud through it.”

 

Vendor: “So how you liking this cloud thing? We just released the hypergen version, and I’d like to show it to you. Oh, and by the way you’re still patching the first thing and third thing, right?”

Ignorant Victim: “Patching? Um, yeah, we’re doing that. Tell me more about this hypergen thing.”

 

Vendor: “Oh crap! Our nextgen cloud thing got it. You suffered because you weren’t in our hypergen thing yet. We’ve added a new feature to the hypergen thing that you’ll need too. It’s super cool, it’s a feature that can think for itself! We call it “artificial intelligence”. It’s finally the easy button we’ve all been looking for!

…and the insanity never ends.

 

Some marketers and vendors in our industry are top notch, but there are far too many who will sell you anything to get your money. They don’t care if it’s the thing you should buy or if it’s a thing you can even use. Just buy it.

Somehow, someday, we need to hold information security product and service vendors accountable for:

  • Making sure their products and/or services do what they say they do. False advertising needs to go.
  • Making sure they don’t sell things that aren’t the right fit. Stop selling customers (or victims) things they can’t use, aren’t ready to use, or shouldn’t use.
  • Making sure they’re held liable for damages caused in full or in part because of their faulty products and/or services.

The truth is, any organization who doesn’t understand and practice information security fundamentals is the PERFECT victim for the criminal AND the wolf in sheep’s clothing. What are the fundamentals? Good you asked.

Information Security Fundamentals

I won’t spend a ton of time on this because we could write a book on this. Wait a second. I did, and so have others.

Briefly…

  1. Roles and responsibilities. Who’s responsible for what and what’s expected of them? Once defined, motivate and hold people accountable.
  2. Asset management. You can’t possibly protect the things you don’t know you have. If asset management seems too complex, it’s probably because your environment is too complex, and something’s out of whack. Assets come in three flavors; hardware, software, and data. You could add “people” as an asset too, but you know, people are hard.
  3. Control. Only now can you determine what controls are adequate. You can’t secure what you can’t control, and there’s lots to do here. Configuration control, access control, change control, etc.
  4. Wrap all this is risk management. Information security IS risk management.

Don’t know what risk management is, or not certain? Make it simple:

  • Assess, Decide, Implement/Do, Assess, Decide, Implement/Do, etc.
    • Risk Assessment – good assessments are objective, measurable, comprehensive, and actionable.
    • Decide – only four choices here: accept the risk, mitigate the risk, transfer the risk, or avoid the risk.
    • Implement/Do – do the work it takes to make the decision a reality.
  • Risk is likelihood something bad will happen and the impact if it did. Likelihood and impact are driven by threats and vulnerabilities. (note: you won’t know your vulnerabilities without asset management).
  • If we’re talking “information security”, we’re talking about operational/administrative controls, physical controls, and technical controls. This is NOT an IT issue.

In Conclusion

M is for money. Lots of money.

Some people say this is a dog eat dog world. I like dogs. They’re wonderful creatures. Often the difference between what makes a good dog and a bad dog is how they were raised. I believe all dogs were good at the start, but some got stuck with sh!tty owners.

The good dog – The good dog serves others. They’re loyal, selfless, dependable, loving, etc. Most people in our industry are “good dogs”, myself included. We’re in this for the right reasons, and we make money as a reward for the good honest work we do.

The bad dog – The bad dogs serve themselves. They steal, fight, hurt others, etc. The criminals are “bad dogs”, but sadly so are some people in our industry. They make money by taking advantage of others. Most bad dogs know they’re bad, but some lack the self-awareness to know any better.

Be a good dog. Make lots of honest money AND make a positive difference in the lives of the people we serve!

UNSECURITY Episode 134 Show Notes

/in /by

Alright, welcome back! We had a great run of guests over the past 7 or 8 weeks, and now it’s back to Brad and I for a bit.

If you missed any of the guest episode, here’s a recap:

Memorial Day

Monday, May 31st was Memorial Day. It’s a day of remembrance and gratitude. Here’s the text from one of my Twitter posts:

  • A small table set for one, symbolizing the isolation of our absent service member.
  • The table is round to represent the everlasting concern the survivors have for the missing.
  • The white tablecloth symbolizes the pure motives of our lost service members who responded to our country’s call to arms.
  • A single rose in the vase represents the blood our service members have shed in sacrifice to ensure the freedom of the United States of America.
  • The rose also represents family and friends who keep the faith while awaiting the return of the missing service members.
  • The red ribbon represents our service members’ love of country that inspired them to serve our country.
  • A slice of lemon on the bread plate represents the bitter fate of the missing.
  • Salt sprinkled on the bread plate represents the tears shed by waiting families.
  • The inverted glass represents the fact that the missing and fallen cannot partake.
  • A Bible represents the spiritual strength and faith to sustain the lost.
  • A lit candle symbolizes a light of hope that lives in hearts to illuminate the missing’s way home.
  • An empty chair represents the absence of our beloved missing and fallen. service members.

We are grateful for all our men and women who serve in uniform and we hold those who sacrificed all in the highest esteem.

The Show Must Go On

Visiting with our guests the past couple months has been a lot of fun and we hope it’s been educational and entertaining for our listeners. We hope listeners enjoyed listening as much as we enjoyed hosting!

This week (episode 134), Brad and I are going to take a look at some of the recent news. Lord knows, there’s plenty to cover!

Let’s get to the episode 134 show notes, shall we?

SHOW NOTES – Episode 134 – Wednesday June 2nd, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 134, and the date is June 2nd, 2021. Joining me is my good friend, Mr. Brad Nigh. Good Morning Brad!

[Evan] Welcome back from Memorial Day weekend. It was a beautiful weekend to pay our respects.

What’s going on in the world of “cybersecurity”?

Today, we’re going to change things up a little. There’s so much going on in the world around us, I thought it would be good for us to focus on six news articles and discuss them. Here they are:

That’s a lot to unpack! Hopefully you caught all that.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 133 Show Notes

/in /by

We’re back with another amazing guest this week! It’s our treat to welcome Gabriel Friedlander from Wizer to the show!

The guests from the last month (or so) have been incredible. There are so many great people in our industry who are in this for the right reasons, primarily to serve other people!

If you missed any of these shows, you can find them here:

This week, episode 133, we’re joined by a really cool guy with a huge heart for serving the underserved, Gabriel Friedlander from Wizer!

A quick introduction to Gabriel and Wizer is in the show notes (below).

This will be a GREAT episode for sure!

NOTE: We’re looking for people from other walks of life to share their perspectives too, especially men and women of color. Let us know at unsecurity@protonmail.com if you have suggestions.

Let’s get to the episode 133 show notes, shall we?

SHOW NOTES – Episode 133 – Tuesday May 25th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 133, and the date is May 25th, 2021. My buddy Brad is here, as usual. Good morning Brad!

[Evan] I’m excited to welcome our guest this week. He’s someone I greatly admire, and a true asset to our community, Gabriel Friedlander from Wizer. Welcome Gabe!

Getting to know Gabriel Friedlander

An open and honest dialog with Gabriel about his background, ObserveIT, Wizer, and whatever else comes up in our conversation.

About Gabe – From His LinkedIn Profile

I founded wizer-training.com in early 2019 with a mission to make basic security awareness training free for everyone. Since then Wizer has been rapidly growing with over 6000 organization who signed up for our free training. And in 2020 we partnered with several local counties to offer free Citizen Training. We believe that in this day an age, security awareness should be a basic human skill.

Prior to founding Wizer I was the co-founder of ObserveIT (acquired by ProofPoint) , a company specializing in the detection and prevention of insider threats. I am also the co-author of the book, “Insider Threat Program: Your 90-Day Plan”. For more than a decade I have researched insider threat and trained numerous organizations on how to avoid and mitigate the risk it poses.

About Wizer

Did you know the average human attention Span is 8 Seconds – that’s just 1 Second Less Than A Goldfish! So we created training videos to be around 1 min long, entertaining, and to the point.  Our goal is to train employees on how to avoid today’s most common cyber attacks and to help create a “Human Firewall”.  Since there are officially more mobile devices than people in the world, we made Wizer mobile-friendly so you can access it from anywhere, anytime, with or without sound. Happy learning!  

Gabriel didn’t need another job (or necessarily the income) when he started Wizer. He started Wizer because he saw a need, wanted to help, and was looking for something fun to do. At first, everything Wizer did was free, and Gabriel didn’t have a plan for making money. Since then, things have taken off and he’s had a tremendous positive impact on our community.

News

Guessing we’ll use up the entire hour talking to Gabriel. Maybe we’ll cover some news next week.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Gabriel, how do you want people to find you?

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.