The UNSECURITY Podcast – Episode 49 Show Notes

OK, late again. Show notes before the show recording though, so it’s not terrible.

Lately, Brad and I haven’t seen each other much (or at all). I’ve been on the SecurityStudio Roadshow (#S2Roadshow) and Brad’s been swamped running his part of the FRSecure business (solutions development, sales support, innovation, IR support, and Analyst team support, etc.). Brad’s got a lot of stuff!

FRSecure won another award last week, which is super cool! The company was ranked #22 of the 50 fastest growing companies in the Twin Cities! In addition to being the 22nd fastest growing company, FRSecure was also the highest ranked information security consulting company on the list. This is the 3rd consecutive year that FRSecure has made the Fast 50 list, and I AM SUPER PROUD of this team! HUGE CONGRATULATIONS on a great accomplishment! They are all amazing, top to bottom!

When you get out of the way, incredible people do amazing things. This is how FRSecure works.

Let’s get to some show notes, shall we?


SHOW NOTES – Episode 49

Date: Monday, October 14th, 2019

Show Topics:

Our topics this week:

  • Quick Catch-up/Roadshow Week #2
  • IT Security, Information Security, Cyber Security, and Physical Security
  • Cybersecurity Maturity Model Certification (or “CMMC”)
  • What it takes to do this job

Opening

[Brad] – Hi UNSECURITY Podcast listeners! It’s me, Brad Nigh. This is episode 49 and the date is October 14th. Evan’s here too. Say “hi” Evan.

[Evan] I oblige. I’m nice.

[Brad] It’s been a couple weeks since you and I have been in studio together. Last week, you and John Harmon hosted episode 48 while I was traveling. This week I’m back!

[Evan] It’s good to have you back man! I’m excited to catch up and record this episode with you!

[Brad] Holy cow, we’ve got a jam-packed show today. Is this what I get for letting you write the show notes?

[Evan] 😉

[Brad] OK, let’s catch up quick. Let’s chat about the stuff I’ve been up to, and some of the stuff you’ve been up to.

Quick Catch-up/Roadshow Week #2 Discussion

[Brad] Good things. We receive good questions from our listeners each week, and this past week is no exception. There was one question in particular that I wanted to cover with you. It was nice to hear that the listener has adopted our definition of information security in his policies, but he’s struggling with the term “IT Security”. He’s not alone I guess, because he also provided a link to a CompTIA article titled “What Is the Difference Between IT Security and Cybersecurity?“.

[Evan] Yeah, this can be confusing for some people. Words really do matter, especially when we struggle with using them correctly.

[Brad] The CompTIA article is sort of confusing, as the author covers different approaches to the definitions of IT Security, Information Security, Cyber Security, and Physical Security.

In one diagram, he arranges information security, cyber security, and physical security inside of IT security. In another diagram he drops IT security altogether and puts cyber security and physical security inside of information security. 

He then poses the question “So, which is best? Who is right?”. His answer leaves us hanging and then he attempts to address whether terminology even matters. Let’s discuss this and address our listener’s question.

IT Security, Information Security, Cyber Security, and Physical Security Discussion

[Brad] Glad we settled it. Maybe we should make a diagram too. Later.

[Evan] Pretty sure we’ve got one or two of these somewhere.

[Brad] Alright. Another listener emailed us this week and asked us about the new(ish) Cybersecurity Maturity Model Certification (“CMMC”). Should we talk about this quick?

[Evan] I’ll agree because I agree.

Quick Cybersecurity Maturity Model Certification Discussion

  • All companies conducting business with the DoD must be certified, regardless of the use/presence of Controlled Unclassified Information (CUI)
  • Initial implementation of the CMMC will only be within the DoD
  • The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity.
  • CMMC is intended to serve as a verification mechanism.
  • CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.
  • You will work with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment
  • Some of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
  • Your certification level will be made public
  • The government will determine the appropriate tier, contained in sections L & M of future Request for Proposals
  • On October 3rd, the DoD posted the RFI for the CMMC Accreditation Body.
  • The draft CMMC v0.4 is posted.
  • The draft CMMC v0.6 is expected for public review in November, 2019.
  • Finalization of CMMC v1.0 is expected by January, 2020.

[Brad] Lots to say about that. Last week, you mentioned me in a Twitter conversation you were engaged in. The tweet that started the conversation was “Lol lots of people whining about empathy in infosec this morning… what, are you all on the same sensitive mailing list or something?”

[Evan] Yeah. The author had a point and I thought it could be a good conversation about what it takes to be good at what we do from a slightly different perspective.

Discussion about what it takes to do this job

The Twitter thread:

Good stuff to discuss, and shoutout to @c0Bchik for engaging in a discussion.

[Brad] Alright, let’s wrap this up with a few news stories.

News

[Brad] I’ve got three news stories to discuss this week:

Closing

[Brad] There you go, episode 49 is a wrap! Like many of you listening, we’ve got another busy week ahead.

Thank you to our loyal listeners! Thank you for your tips and feedback. Send us your wisdom, questions, advice, whatever, by email to unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen. Also, follow SecurityStudio (@studiosecurity) and the #S2Roadshow hashtag.

That’s it! Talk to you all again next week!

#S2Roadshow Recap – Week Two

Orange County, CA and Madison, WI

Mission & Purpose Revisited.

The purpose of the SecurityStudio Roadshow (#S2Roadshow) is to meet people and make partners. We want to meet people*, understand their businesses, and help them grow using simple, fundamental, and compliant solutions (S2Score, S2Org, S2Vendor, and S2Team/S2Me).

John and I

John Harmon and Evan Francen, two guys known for our beards, our love of people, knowledge of security stuff, and our BBQ prowess. We both work for SecurityStudio, and we’re working hard on the mission. Follow us and you’ll get to know us pretty well!

Roadshow Summary

A quick summary of where the #S2Roadshow has taken us so far, and where we’re going next:

  • Week One in Central Pennsylvania exceeded our expectations
  • This last week (Week Two) we visited Orange County, California and Madison, Wisconsin
  • Next week (Week Three), we visit Chicago, Illinois and Dallas, Texas

This post is about Week Two.

Partners – Orange County

My two(ish) days in Southern California were full of really good meetings. Just like last week in PA, I met amazing people with really cool stories. For the sake of brevity, I’ll give you some highlights here.

Startup Consulting Company – Framework Security

My first meeting after landing in Santa Ana was coffee with Jerry Sanchez. Jerry is the Managing Partner and one of the founders of Framework Security, an expert-level information security consulting company. The company was established earlier this year (2019), and growing any company is hard.

Jerry has a strong background in this industry and his company is doing a great job serving customers (you know I would tell you if it weren’t so). His challenges include standing out from the noise, acquiring new customers, providing cost effective solutions (ones that SMB clients can afford), and engaging with customers relationally versus transactionally. I can sympathize with the struggle, especially given experiences in growing FRSecure over the years.

He shared a vision to grow his company, possibly employing as many as 50 people in the next few years. What impressed me the most was his ethics and credibility. He doesn’t just want to grow Framework Security, he wants to do it right.

SecurityStudio can help Jerry grow his business, and we’re excited to work together. Jerry can use our solutions to offer his customers and potential customers a wide variety of options, from free self-assessments to integrated full assessments (with higher margins) leading to long-term vCISO (or fractional CISO) relationships. Partnering with SecurityStudio will benefit him, his company, his customers, and our industry.

Jerry is a good guy, establishing a good company, and he will certainly make a difference!

Franchiser – TeamLogic IT

I had an initial collaboration meeting with the President of TeamLogic IT, Dan Shapero. Honestly, I had no idea who TeamLogic IT was until I started preparing for this meeting. Turns out, TeamLogic, Inc. is a leading managed IT services franchiser and has independently owned and operated TeamLogic IT offices located throughout the United States.

There are ~180 franchises in 38 states, and I had no idea! I feel so sheltered and ignorant of things outside of my little kingdom (Minnesota) sometimes. The #S2Roadshow is a real eye-opener to all sorts of new things!

I know I sound like a broken record, but this was another awesome meeting! Dan has been in the IT industry for many years and he’s willing to share his hard-earned wisdom with others (including me). Our discussion focused on understanding the TeamLogic IT business model and exploring how SecurityStudio could help all his franchisees serve their customers better. Our discussion also focused on other longer term collaboration opportunities between our organizations.

Dan and I came to quick agreements on how SecurityStudio can help his business, his franchise owners, and their customers. We’ll be doing some cool and exciting things together in the future! It’s sort of funny that I didn’t consider how a franchise network could benefit from SecurityStudio’s platform. After this meeting, it’s an obvious business model. This relationship will be very valuable to all parties (our mission and theirs).

Established Consulting Company #1 – CISOSHARE

Seriously, another great meeting?! Yes, it’s true. Every meeting I’ve had has been great!

This meeting with CISOSHARE’s CEO Mike Gentile was like having a meeting in the mirror. We both see security the same way, we have similar experiences, and we’ve both earned our stripes building security programs for 100s of clients, big and small. When he said something, I could have finished his thought for him, and vice versa. Collaboration is a helluva lot easier between two people who understand information security deeply when they are driven to do things right and can put their egos in check.

We met over lunch at a local BBQ joint. The BBQ wasn’t great, but the conversation was! Thank God.

The discussion was fluid and included topics such as our careers, our past experiences, our businesses, and our philosophies about security, among other things. The parallels between Mike and me were sort of scary. He’s even an author like me. Our lunch ran long, but we got down to business too.

CISOSHARE is Mike’s third company and he’s building a great one. According to their website “CISOSHARE is the leading provider of cyber security services for rapidly growing organizations. Located in Southern California and recently ranked in 2019 as the 3rd fastest-growing private organization in Orange County, our team establishes a culture of continuous learning and teaching in security program development for ourselves, our clients, and our community.”

Prior to the roadshow, I hadn’t really heard of CISOSHARE. Another example of being a bit sheltered in Minnesota I guess.

CISOSHARE is a company that does things right, at least from what I can tell! They are a great partner candidate. We walked away from our meeting knowing that there are at least two or three ways in which our organizations (CISOSHARE and SecurityStudio) can (and probably will) work together. A CISOSHARE/SecurityStudio partnership will definitely help our mission!

Established Consulting Company #2 – Tevora

One major differentiator between CISOSHARE and Tevora is who they target as customers. CISOSHARE scales down to small companies and up to the Fortune 500. Tevora focuses solely on the Fortune 500. There are many other differences between these two companies, but their target market is one that sticks out immediately. SecurityStudio can work with both of them, regardless! Everyone benefits from simple, fundamental, and compliant solutions.

I met with Tevora’s CEO, Ray Zadjmool, for lunch. He’s built a cool company and he’s done it through innovative approaches to delivering services to clients and employee retention. Ray’s a go-getter who 1) knows what he wants and 2) knows how he wants to get it. His company focuses on helping large companies achieve compliance more than information security or risk management for the sake of information security or risk management.

The way Tevora approaches information security (or “cybersecurity”) isn’t the same way I would philosophically speaking, but it works for them and their clients (obviously). Fortune 500 clients are much different than SMBs, and Tevora is filling a nice niche.

He’s running a very successful company. I respect him and what he’s doing and I think the respect is mutual. We have next steps and we have opportunities to work together. I’m pretty sure we can help each other, and I’m excited to find out!

Tevora is a cool company, run by a cool CEO, located in cool places with cool offices. They’re not just cool, but they’re also very good at what they do. Ray is a nice contact and I’m looking forward to building our relationship.

Madison

John Harmon was in Madison, Wisconsin with Steve Krause (SecurityStudio’s Partner Manager). John was speaking at an event hosted by Applied Tech, a great SecurityStudio partner.

It was an honor to speak to their customers about information security. I’m not sure how many additional meetings John and Steve may have had while they were in Wisconsin; John and I haven’t been able to catch up yet.

ISACA – Orange County

While John spoke in Madison, I spoke at the ISACA Orange County Chapter event on Tuesday night. They gave me two hours(ish) to speak and the interaction was amazing! There were a ton of good questions and there were many interactive discussions. This was the first group of ISACA members that I’d spoken to on the roadshow, and they were all awesome!

If you’re interested, you can download my slides here.

Special thanks to Pauline Ang for coordinating everything, and also shoutouts to these folks for making me feel welcomed: Nemi George, Sanjeev Tak (pictured), Bin Du, Yu Chen, Bill Olah, and Jan Olson. It’s not that the rest of the group didn’t make me feel welcomed, it’s just that these folks went out of their way during my visit.

It feels good to know that the Orange County security community is in good hands!

BBQ Reviews

A roadshow isn’t a roadshow without a healthy dose of BBQ, or lots of doses of BBQ. John and I promise to eat at all the best BBQ places we can find during our travels and provide you with the lowdown. It’s the toughest part of our job, but you can count on us. We’re in it to win it!

We rate each BBQ joint we try on four characteristics on a scale of 1 (sucks) – 10 (best): Atmosphere, Service, Portions/Value, and Taste. The overall rating is the average of the four.

Last week’s winner was Divine Swine in Manheim, PA. Read on for this week’s winner.

Lucille’s Smokehouse BBQ – Overall: 7

  • Atmosphere – 7
  • Service – 8
  • Portion/Value – 6
  • Taste – 7

Lucille’s is well-known in the Orange County area, and sort of all over the southwest. They have a bunch of locations throughout California, Nevada, and Arizona. I’d never had Lucille’s before, and I stopped here because it was the closest BBQ joint to the airport (after landing).

I had the house salad.

If you believe that, we should talk. I had the three meat combo; brisket burnt ends, sliced brisket, and baby back ribs. The sliced brisket and baby back ribs were OK, but the brisket burnt ends were amazing! I should have ordered three pounds of those (only). The atmosphere is nothing special, the service was good, and the portion was OK. If you go, get all the brisket burnt ends you can get your hands on.

Hambone’s Smokehouse – Overall: 6.25

  • Atmosphere – 5
  • Service – 7
  • Portion/Value – 8
  • Taste – 5

Hambone’s is another BBQ chain. I had lunch at the Huntington Beach location, and nothing was impressive. They drown their meat in sauce, so I ordered mine with the sauce on the side. I get why they drown their meat in sauce.

Service was good and there was plenty to eat. Unfortunately, the meat was bland (even with the sauce added). I didn’t even finish it.

Red Coal BBQ – Overall: 6.75

  • Atmosphere – 7
  • Service – 7
  • Portion/Value – 8
  • Taste – 5

John and Steve visited Red Coal BBQ in Eau Claire, Wisconsin during their road trip. The ratings are mine, based on what John told me, and they are subject to change. His exact words were:

Pork Belly pretty decent. Not much flavor to the meats overall and only one, super sugary sauce available. Coleslaw was the highlight. Thinking this whole WI BBQ venture needs a redo.

We’ll see if John asks me to change these ratings later.

BBQ Winner

The winner for this week’s BBQ showdown for the #S2Roadshow was Lucille’s Smokehouse BBQ with a score of 7. We only reviewed three BBQ joints this week, and we need to step up our game next week. Next week we’re on the road for five days in two good food cities: Chicago and Dallas. We’ll step up our game!

Next Week’s #S2Roadshow

John and I are together again all week. First, we take the #S2Roadshow to Chicago for an event with HSBC. We’ll be in Chicago until Wednesday before heading down to Dallas for more meetings and an appearance at the ISC2 Dallas Cyber Aware event at the University of Texas at Dallas. If you’re in Dallas next week, come see us, catch my keynote, and/or grab some BBQ with us!

Stay tuned for next week’s #S2Roadshow updates! You can follow us on Twitter (@evanfrancen, @HarmonJohn, @StudioSecurity, and the #S2Roadshow hashtag) and on LinkedIn.

See you next week! If you want to collaborate with us, get in touch!

The UNSECURITY Podcast – Episode 48 Show Notes

OK. Late again. I’ve been busy, and so has Brad.

Most of my highlights from last week are written/posted in #S2Roadshow Recap – Week One. If you haven’t read it yet, you should. 😉 There’s a recap of the BSides Harrisburg Conference (their first one ever), a recap of the Cybersecurity Awareness Summit, and our reviews of some of the best BBQ in Central PA. You need to check out who the winner was!

As far as Brad is concerned, I haven’t seen him much lately. I’ve been on the road, and I think he’s been on the road too. Actually, he’s on the road during this week’s show! It’s a very busy time of year for all of us at SecurityStudio (me) and FRSecure (Brad).

Let’s get to it, eh?


SHOW NOTES – Episode 48

Date: Monday, October 7th, 2019

Show Topics:

Our topics this week:

  • Roadshow Recap – Week One
  • More vCISO Talk
  • This Week & The News

[Evan] – Hey oh. It’s me, Evan Francen. This is episode 48 of the UNSECURITY Podcast and the date is Monday, October 7th, 2019. Brad’s on a plane somewhere maybe, or maybe he’s in a hotel somewhere. I don’t know. All I know is that he couldn’t make it because he’s really, really busy. In Brad’s place this morning is my good friend, John Harmon. Care to say “hi” John?

[John] John is a leader and has the liberty to say what he wants. 😉

[Evan] So, this was sort of last minute. I texted Brad on Friday night to ask if he wanted me to write the show notes. He responded that he’s going to be in San Diego, doing a board of directors presentation for a customer. Planning isn’t my strong suit, so I went to my bullpen. There I find my ace reliever, John Harmon. Glad you’re here John!

[John] John’s probably glad to be here, but it’s early. He might not be awake yet.

[Evan] Last week was week one of the SecurityStudio Roadshow (#S2Roadshow). You and I were in Pennsylvania, spreading some security love/truth. I wrote about the week on my blog, but who reads anymore? Let’s talk about it here. Cool?

[John] You’ll love John. He’s agreeable and great at rolling with it.

Roadshow Recap – Week One Discussion

Refer to https://evanfrancen.com/the-securitystudio-roadshow-week1/ for more information.

[Evan] It was a fun week, a productive week, and a very successful week. One of the most popular topics on the show is the topic of vCISO, or virtual Chief Information Security Officer. We receive emails every week from listeners asking good questions. This past week was no exception.

The questions were:

  1. Can you help me with some vCISO materials?
  2. Like a framework of where to start?

This is a good opportunity to discuss this because we have a guest too. John has hired numerous vCISOs over the years, so his perspective will be great!

Maybe we’ll mention the book that Brad and I are starting…

More vCISO Talk

[Evan] Let’s talk briefly about where the SecurityStudio Roadshow takes us this week, then get to some news.

This Week & The News

[Evan] Where are you going to be this week John?

[John] John will tell us about his week (and hopefully where he might grab some BBQ). He might ask me about mine. We’ll see.

News

Only three news articles to talk about this week, even though there are 1000s to choose from:

Closing

[Evan] There you have it. We’ve got another busy week ahead! Fixing a broken industry is a helluva lot of work. I’ll see if Brad is up for talking about the Cybersecurity Maturity Model Certification (CMMC) next week. Interesting stuff happening there.

Thank you to our loyal listeners! Thank you for your tips and feedback. Send us your wisdom, questions, advice, whatever, by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and John’s @HarmonJohn. Also, follow SecurityStudio (@studiosecurity) and the #S2Roadshow hashtag.

That’s it! Talk to you all again next week!

#S2Roadshow Recap – Week One

Central Pennsylvania

We’re happy to report that the information security community in Central Pennsylvania is alive and well!

Partners

One goal of the SecurityStudio Roadshow is to get out and meet new partners. We want to meet them, understand their businesses, and help them grow their information security consulting practices using simple, fundamental, and compliant solutions (S2Score, S2Org, S2Vendor, and S2Team/S2Me).

We met some amazing people and companies this week. We’re expecting as many as four new partners from Central Pennsylvania coming from this leg of the roadshow! Stay tuned for the announcements coming soon!

Keep up with our progress on Twitter, using the #S2Roadshow hashtag. We’re entertaining dammit!

BSides Harrisburg

In addition to meeting new potential SecurityStudio partners, John (Harmon) and I attended the inaugural BSides Harrisburg Conference on Wednesday (10/2). The event was held at the Harrisburg University of Science and Technology downtown, and the organizers did a great job!

SPECIAL SHOUTOUT to Julie Goolsby. Julie is the Director of Professional Development Programs at Harrisburg University of Science and Technology, and she was instrumental in coordinating everything for the event. She is patient, responsive, and incredibly effective.

I’m sure there were others who helped Julie, but we coordinated with her the most.

There were ~300 – 400 people at the conference (my guess), and maybe a dozen vendors. I didn’t speak until 10am, so John and I took in the Opening Remarks and the Keynote. The Keynote was presented by Ken Bechtel, a very well-respected Malware/Threat Researcher with more than 30 years under his belt. I shuddered when he mentioned boot sector viruses of the 90s. I started my (paid) career cleaning boot sector viruses from Windows 3.1 machines.

Ken has been around for a long time and he’s got a boatload of wisdom to share. Crazy how much he’s seen and how many malware packages he’s reversed. Most people haven’t heard of Ken because he’s one of those behind the scenes kind of guys. Sort of like me. He and I are both most comfortable in a dark room behind a keyboard somewhere. After his talk, we spent 30 minutes or so sharing stories and laughs.

NOTE: Ken informed me that he’s in the market for more/new work. Get in touch with him if you’d like to inquire. Here’s his LinkedIn Profile.

My Talk

This was one of those talks where I didn’t choose the title, but one of our marketing folks did. The title was “WANTED – People Committed to Solving our Information Security Language Problem”. Alright, let’s do it!

Finished my slides in a small coffee shop in Columbia, PA. SHOUTOUT to Café 301 in Columbia, a great little coffee shop in downtown. Good coffee and a great place to finish presentation slides.

My talk was in the event auditorium. There’s this slight fear of giving a talk in a large room (or in this case auditorium) and having a small audience. Thankfully, attendance was good, and it looked like the place was almost full. Phew! The talk was also livestreamed I hear.

SIDE NOTE: The very first talk I gave after starting FRSecure in 2008(ish) was at a conference in Bloomington, MN. This was my first ever talk, so I prepped thoroughly. I was early to the venue. I got to my room early. I got setup early. I was raring to go! One problem. Nobody came. Zero attendance. A good dose of humble pie, but ever since that day, I’ve said to myself, “as long as there’s more than zero, it’s a good day for a talk”.

I think the talk went well. There were awesome questions, and there was a dozen or so people who came up to talk with me afterwards. If you’re interested, a copy of my presentation can be downloaded here. If you want to watch the video, BSides live-streamed it, and you can also see it here.

Back to the Conference

We spent the remainder of the conference roaming the floor, striking up conversations, and attending other people’s talks. Two talks I particularly enjoyed, so more SHOUTOUTS:

  • Rae Baker’s Open Source Intelligence 101: Finding Information on Anyone was a great introduction to OSINT. Really enjoyable presentation, and she nailed it!
  • Brandon Keath’s Hacking Yourself First, Penetration Testing for the Blue Teams: Part 2 was great. I had to miss Part 1 because I was in Rae’s talk. Brandon knows what he’s talking about and I really liked his dry humor. Good stuff.

We wrapped up the day with a few more introductions to potential partners, then headed off for BBQ (reviews below) and hotel work.

BSides Harrisburg was a GREAT CONFERENCE.

Cybersecurity Awareness Summit

Thursday’s agenda included attendance at the Cybersecurity Awareness Summit. This summit was also held at Harrisburg University of Science and Technology. The theme for this conference was “Caring and Sharing to Safeguard Our Citizens. Cross-collaboration Among Government & Education Makes Pennsylvania Safer & More Secure.”

I sat through the following:

  • Welcome – Eric Darr, PhD, President, Harrisburg University
  • Opening Remarks – John MacMillan, Deputy Secretary for Information Technology and Chief Information Officer, Commonwealth of PA
  • Security Challenges Confronting Government and Schools and Benefits to Collaboration & NASCIO’s Cybersecurity State of the States Report – Erik Avakian, CISSP, CRISC, CISA, CISM, CGCIO, ITILv3, Chief Information Security Officer, Commonwealth of Pennsylvania, and Srini Subramanian, Risk and Financial Advisory Lead, Deloitte
  • CISA: Cybersecurity Resources for State and Local Governments – Benjamin Gilbert, Cybersecurity Advisor, Cybersecurity and Infrastructure Security Agency

I will be PC in my feedback, although I don’t really want to. Mr. MacMillan is a very sharp dresser. Mr. Avakian has a nearly impossible job and needs more help. If Mr. Subramanian would have said “cyber” one more time, my head would have exploded. Mr. Gilbert was a good guy who used a helluva lot of acronyms.

I have a ton of respect for state CISOs. They do very hard work in a (sometimes) very hostile environment with less support.

RANT: Somehow, we’ve gone from using the words information security to cybersecurity to just “cyber”. Information security is NOT “cyber”. I get it, “cyber” sounds a lot cooler. Maybe using “cyber” helps you sell more $*!%. Certainly, the hipsters are impressed by the word. The truth is, using “cyber” as a reference to information security is NOT helping. Words matter. Use a dictionary.

I’m a stickler for this because I’ve been part of this army, and we’ve fought very hard to make information security a business issue, NOT just an IT issue.

OK, off the soap box now.

Benjamin Gilbert did a great job showing us all that CISA has to offer. They are trying to do everything for everyone though. This will get very expensive (to taxpayers) and will be less than optimal (wait lists, skill shortages, etc.). CISA provides a lot of value, but it would be nicer to see them do one or two things really well versus doing a whole bunch of things sort of half-assed.

This conference was very well attended and overall it was great. Seriously, it was.

BBQ Reviews

A roadshow isn’t a roadshow without a healthy dose of BBQ, or lots of doses of BBQ. John and I promise to eat at all the best BBQ places we can find during our travels and provide you with the lowdown. It’s the toughest part of our job, but you can count on us. We’re in it to win it!

We rate each BBQ joint we try on four characteristics on a scale of 1 (sucks) – 10 (best): Atmosphere, Service, Portions/Value, and Taste. The overall rating is the average of the four.

Sweet Lucy’s Smokehouse – Overall: 6.75

  • Atmosphere – 9
  • Service – 6
  • Portion/Value – 6
  • Taste – 6

Our first stop after landing in Philadelphia was Sweet Lucy’s Smokehouse. The BBQ was good, but not great. The best thing about the place was the really cool atmosphere.

Mission BBQ – Overall: 8

  • Atmosphere – 7
  • Service – 10
  • Portion/Value – 7
  • Taste – 8

We ate at Mission BBQ in Harrisburg in the evening of the first day. I wasn’t that excited for it because I knew it was part of a chain, but it was the closest BBQ joint to where we were staying. The staff was AMAZING. I can’t remember ever getting better service than we did at this place.

The cashier asked us if this was our first time at Mission BBQ. We said it was, then she proceeded to tell us all about the menu and how they make their BBQ.

Once our order was ready, the lady behind the counter asked us if it was our first time at Mission BBQ. We said it was, then she proceeded to tell us all about the sauces and how to help ourselves.

After we sat down to eat, another lady came by our table three or four times to make sure we had everything we needed. She cleared our table for us too (even though this was a self-service joint).

The service was exceptional, so I rate it a 10. The food was good too, the best being the jalapeno cheddar sausage.


Redd’s BBQ – Overall: 7.25

  • Atmosphere – 8
  • Service – 5
  • Portion/Value – 9
  • Taste – 7

After almost 24 hours without BBQ, we made the drive from Harrisburg to Carlisle on Wednesday night. We enjoyed some good (again, not great) BBQ at Redd’s BBQ. The atmosphere was pretty good and the portions were large. Service was so-so; the waitresses spent more time chatting with each other than they did helping their customers. Overall, this was good BBQ and it was worth the drive.


Shakedown BBQ – Overall: N/A

  • Atmosphere – N/A
  • Service – N/A
  • Portion/Value – N/A
  • Taste – N/A

The disappointment of our BBQ adventure came when we made the drive out to Grantville only to find that Shakedown BBQ was closed. This was the one place that came most recommended from the people we talked to at BSides. Before making the drive, we confirmed that the place would be open, both online and through a friend of the owner. They were supposed to open at 11am on Thursday, and we got there at 11:15. A paper plate was hung on the front door saying they were closed. Ugh.

Divine Swine – Overall: 8.5 – #S2Roadshow Week 1 Champ

  • Atmosphere – 7
  • Service – 8
  • Portion/Value – 10
  • Taste – 9

After the Shakedown BBQ disappointment, we swung over to Manheim, where we found Divine Swine. This place takes the crown as the #S2Roadshow Week 1 BBQ Champ. The best tasting BBQ we had on the trip and huge portions. If you’re in the area, you have to visit this place!


Maybe we’re BBQ snobs, maybe not. One thing is certain, we enjoyed all of the BBQ we ate, and we’re pumped for next week’s adventures.

Next Week’s #S2Roadshow

I’ll be heading to Orange County, California. I’m speaking to the fine folks at the Orange County Chapter of ISACA on Tuesday. I’ve got a bunch of great meetings on Wednesday and Thursday with some potential partners and other security folks. If you’re in the area, let’s hook up. We can talk security and grab some BBQ. If you’ve got some BBQ recommendations, let me have ‘em!

John will be in Madison, Wisconsin speaking at an event hosted by Applied Tech. He’s going to be joined by Steve Krause, SecurityStudio’s Partner Manager. If you’re in that area, go hang out with John. I think he’s funner than I am.

Stay tuned for next week’s #S2Roadshow update! You can follow us on Twitter (@evanfrancen, @HarmonJohn, @StudioSecurity, and the #S2Roadshow hashtag) and on LinkedIn.

The SecurityStudio Roadshow

Introduction

OK, we’re doing this roadshow. Publicly, we call it the SecurityStudio Roadshow. Internally, we call it “Project Bacon”. Who doesn’t like bacon?

This is a short article to tell you about the SecurityStudio Roadshow and what we’re trying to accomplish with it. The first phase of the #S2Roadshow kicks off at the BSides Harrisburg (PA) Conference on October 2nd and ends with the RSA Conference in February, 2020.

Purpose

We’re on a mission. Our mission is to fix the broken information security industry. Say what?! Yeah, we know. It’s a big mission. Two things come to mind right away:

  1. Where do we start?
  2. How do we start?

We need to start where we’ll have the greatest positive impact on our industry and we need to start with people who are closest to the problem.

Where do we start

We start with information security fundamentals. If you hired me as your CISO, the very first thing I would do is an information security risk assessment. The fact that maybe ~90% of organizations in the United States fail to do this fundamental exercise reinforces the notion that this is where we’ll start.

SecurityStudio developed the S2Org information security risk assessment, and it’s already been used by more than 1,500 companies. We’ll start with the S2Org assessment and we’ll offer it for free.

The S2Org is SIMPLE, FUNDAMENTAL, and COMPLIANT. More about this later.

How do we start

We start by making friends. We’ll get on the road and we’ll meet them where they are. The #S2Roadshow! We’ll travel the country recruiting people for our cause. We’re recruiting partners and end users. Partners use our tools to attract new customers and help their existing ones. End users can use our tools for free to address their fundamental information security needs.

Keep Up

We invite you to join us on the road, either in person or online. If you’ll be at one of the various events we’ll be at, come say “hi”! Tell us how we can help you and/or join us. For those of you who can’t be where we are, follow us on my personal blog, on Twitter, and/or LinkedIn.

It’s going to be one helluva ride, and we’re excited to share it with you! We’ll meet a bunch of cool people, establish some great new relationships, and make a lot of progress on the mission!

I’ll post daily updates here. This will sort of be my #S2Roadshow journal.

Want to know more about SecurityStudio? Check us out online: https://securitystudio.com. Get your S2Score, become a partner, or help us with our mission!

Oh yeah, one more thing. We’ll be hunting down the best BBQ joints while we’re on the road. We’ll eat and we’ll review. It’s hard to be a security guy on the road.

The UNSECURITY Podcast – Episode 47 Show Notes

Here we go. The show notes for episode 47 of the UNSECURITY Podcast.

I’m writing these during the Vikings/Bears game on Sunday. Skol Vikings! Yeah, whatever, I’m late, but I’ve got excuses. I’m late because things are sort of crazy at home right now. I’ll try to explain:

  • I was in Bulgaria for a week (several weeks ago). My sleep was thrown off a little because Bulgaria is 8 hours ahead of us.
  • My wife was in China for 10 days. This means that I was left to my own devices (not usually a good idea), and I had no backup for my 14 year-old daughter’s manipulation. Seemed like there were more kids at my house than normal. I don’t know. The house is still standing, so that’s a win.
  • In the middle of this, I decided to quit smoking on Wednesday. After 30 years of 1-1/2 packs a day, I’m done. This is day four, and the withdrawals are a challenge (my PC word for it).
  • My wife got back last night, and now her sleep is all wonky. She was 13 hours ahead.

So, let’s give this thing a go, shall we?

Last week was a blur, but I think we did some really good things! Brad spent the latter part of the week offsite with FRSecure’s Senior Management Team (SMT), doing some strategic planning. I spent most of my time working on some timely SecurityStudio stuff:

  • Next week’s launch of S2Org.
  • SecurityStudio Partner Jumpstart
  • Roadshow preparation, hard to believe that we (me and John Harmon) hit the road next week already.

Do you know what we’re doing on the #S2Roadshow? Did you know that we’re using the “#S2Roadshow” hashtag? Do you know what S2Org is? Don’t worry if you don’t, we know we’ve got a lot of preaching to do!

Friday was highlighted by a great meeting with Minnetonka School District representatives (Mike Dronen, Executive Director of Technology and Dave Eisenmann, Director of Instructional Technology), Ryan Cloutier (repeat podcast guest and Chairperson of the Consortium of School Networking Cyber Security Advisory Panel), and Ivan Peev (SecurityStudio’s VP of Product Development). We discussed how we can work together to create a free S2Teen product for students and parents. There will be some great things coming out of this (eventually).

If you missed episode 46 of the UNSECURITY Podcast, here it is.

OK. Show notes…


SHOW NOTES – Episode 47

Date: Monday, September 30th, 2019

Show Topics:

Our topics this week:

  • Fundamentals
  • Roadshow
  • Parents and Kids

[Evan] – Let’s do this. I’m Evan Francen, it’s Monday, September 30th, and this is episode 47 of the UNSECURITY Podcast. My guy Brad Nigh is here with me. Hey Brad!

[Brad] You know Brad. He’ll say something because he’s nice like that.

[Evan] I know you were offsite with the FRSecure Senior Management Team (or SMT) the last half of the week. I love how you guys set an example by working hard and playing hard. How was it?

[Brad] Cool things.

[Evan] So, late last week, I had this meeting. It was the first time I’d met this guy who runs the information security program for a VERY important organization. I can’t share the name because I don’t like to out people like that. Anyway, he has many years of information security experience and seemed like he had all the right things to say. As the discussion progressed, I could sort of sense that he and I didn’t see security the same way exactly.

He knew all the acronyms and threw them around like candy at a parade. He’s also very well connected and dropped a lot of names. We knew some of the same people, but this was the first time he and I had met each other. He went on to say how they’ve built a good foundation for their security program, and now they want to take things to the next level.

One thing that became obvious is we don’t think about the foundation or fundamentals the same way. Let’s talk about this.

[Brad] He’ll agree because he likes to talk about these things.

Fundamentals Discussion

Things to discuss:

  1. What is information security?
  2. What is risk?
  3. If I hire you to “do” information security for me, what is the first thing you would do?
  4. What percentage of SMBs…?
  5. Discuss last week’s discussion

[Evan] The basics man. How many breaches do we see where it’s just the missing basics? 

[Brad] Something…

[Evan] Complexity is the enemy. We’ve all heard it before. Really, this is what the SecurityStudio Roadshow is about.

Roadshow Discussion

  • Was called “Project Bacon”.
  • Mike Dronen brought me some bacon!
  • This week is Harrisburg, PA BSides
  • Hashtag #S2Roadshow

[Evan] Quickly, let’s talk parents, kids, security, privacy, and safety. Maybe we can devote a whole show to this in the future. Maybe we can get a guest to join us.

Parents and Kids Discussion

[Evan] Alright. That’s a lot to take in. Good discussion Brad. We could take any one of these topics and make it an entire show.

News

Here’s our news for this week:

Closing

[Evan] There you have it. I’ll be checking in regularly from the road. We have a mission dammit! Stay tuned. Hope you’ll follow along.

Thank you to our loyal listeners! Shout out to Kevin! Thank you for your tips and feedback. We’re working on it. For the rest of you, send us your feedback by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Talk to you all again next week!

The UNSECURITY Podcast – Episode 46 Show Notes

Here we go, we’re on week 46 (already)!

Hard to believe how far we’ve come over the past 45 weeks. Our first podcast was recorded over a Zoom Web conference on a Sunday afternoon. Brad was at home and so was I. We kept up the Sunday routine for a while, at least until our wives requested their Sunday afternoons back. Thank God, because the quality of those early podcasts sucked, and we needed to up our game.

Anyway, there’s a story here. Maybe a story for another day.

This has been another incredible week.

The week started with a Sunday evening trip to Washington D.C. for a Monday afternoon meeting.

The highlight on Tuesday was participation in the 2019 Minnesota IT Symposium at the Mall of America. I had the privilege to participate on a panel with two really awesome information security leaders: Judy Hatchett (VP, Information Security & CISO at Fairview Health Services) and David Young (CISO at Medica). The panel was moderated by my good friend (and SecurityStudio board member) Nick Hernandez. It was an amazing discussion, and it was an honor to share the stage with these guys.

Wednesday was an office day, trying to catch up. It doesn’t seem healthy to process so many emails in such a short period of time.

Thursday was arguably the highlight of the week. FRSecure held their 4th Hacks & Hops event. More than 200 friends and partners gathered at U.S. Bank Stadium to talk about security incident response. After the keynote, I was joined by some incredible information security peers: Jadee Hanson (CISO and VP of Information Systems at Code 42), Bill Boeck (Senior VP, Insurance and Claims Counsel at Lockton Companies), and our very own Oscar Minks (FRSecure’s Director of Technical Solutions and Services).

We discussed the importance of incident response planning, cyber insurance, shared some personal stories, and fielded some great questions from the audience.

One of our attendees summed it up well in his LinkedIn post after the event.

There is an incredible amount of work that goes into arranging an event like this. FRSecure’s Jess Kooiman led the charge, with a significant amount of help from Brandon Matis, Andy Forsberg, Christy Kleve, Renay Rutter, and McKenzie Adams.

Friday wrapped with some good SecurityStudio meetings, including one with Tyler Olson (Founder and CEO of SHYLD Academy). He’s got a good thing going there!

Great week and tons going on. I hope you had a great week too. If you’d like to share your week, get in touch with me or Brad. You can find us at unsecurity@protonmail.com. We’d love to hear your successes and/or help if we can.

If you missed episode 44 of the UNSECURITY Podcast, here it is.

OK. Show notes…


Just a quick note. Brad’s super busy, so these are his show notes written by me (Evan).

SHOW NOTES – Episode 46

Date: Monday, September 23rd, 2019

Show Topics:

Our topics this week:

  • Hacks & Hops Recap
  • Upcoming Speaking Engagements
    • Our upcoming talks
    • The SecurityStudio Roadshow
  • Mental Health
  • Industry News

[Brad] – Hi there, welcome to episode 46 of UNSECURITY Podcast. I’m Brad Nigh and joining me in studio is Evan. This is two weeks in a row where we’ve been together in studio. Want to say “hi” Evan?

[Evan] We record the show at 6:45am on Mondays. Who knows what sort of mood I’ll be in.

[Brad] Sheesh, we have another jam-packed show this week. I need to stop Evan from writing the show notes!

[Evan] Yeah, probably.

[Brad] Another crazy, but great week around here. One of the highlights from this past week was our Hacks and Hops event. Let’s talk about it and share some thoughts, especially for the listeners who couldn’t make their way to U.S. Bank Stadium on Thursday.

Hacks & Hops Recap and Discussion

[Brad] It was a great event! I didn’t mind helping you out with the joke you couldn’t remember either. You’re welcome.

[Evan] I was stuck. Why are jokes so hard for me to remember?

[Brad] You and I have a bunch of talks coming up, and you’ve got the Project Bacon roadshow too. We’re going to be all over the place.

[Evan] We do. It’s exciting to spread the word, and we hope that we’re helping people along the way.

Upcoming Speaking Engagements Discussion

[Brad] This will be good. One of the things that you mentioned at the beginning of your Hacks & Hops keynote was mental health. This is a topic that isn’t discussed as much as it should be.

[Evan] Yeah, we need to shine a brighter light on this.

[Brad] You wore a Mental Health Hackers t-shirt and gave some statistics. Let’s talk about Mental Health Hackers, the statistics you shared, and how this hits home for us here at FRSecure.

Mental Health Discussion

We could spend an entire series talking about the importance of mental health in our information security industry, but for now we’ll keep it fairly short.

[Brad] Talking about mental health openly is important. We are all in this together, and we all need to take a more active role in supporting each other.

[Brad] OK, as is the custom, we close this thing out with some news. Here’s the industry newsy things to discuss briefly this week.

News

Here’s our news for this week:

Closing

[Brad] There you have it. We talked about a lot!

Always grateful for our loyal listeners. We love your feedback and appreciate the fact that you join us each week. Send your feedback to us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen.

Talk to you all again next week!

The UNSECURITY Podcast – Episode 38 Show Notes

YES! I’m on time again. If I get good at this, I won’t need to make this comment anymore. Odds of that?

As usual, I’ll give a quick review of the week, then we’ll jump right into the show notes.

It was another good and productive week. Gooder and more productiver than I probably deserve, but this is what you get when you are surrounded by awesome people all the time. 

  • Monday started with UNSECURITY Podcast (episode 37). Our guest was the one and only MN State Representative Jim Nash. If you missed it, you should give it a listen. We call BS on some things, then chat about some other things. All in all it was a great show. After that, it was coffee with a friend and a lot of writing.
  • Tuesday started with coffee with SecurityStudio’s VP of Software Development, Ivan Peev. After coffee it was an executive leadership meeting (all executives rated it a 10, which is always good), more writing, and a global information security strategy meeting with an awesome vCISO client.
  • Wednesday was great. An FRSecure Customer Advisory Board (CAB) meeting, coffee with Peter Vinge (Director of Operations – FRSecure), more writing, a few more meetings, more writing, and a meeting with legal counsel.
  • Thursday started with a SecurityStudio User Advisory Group meeting, then the rest of the day was spent writing.
  • Friday (today) started with a coffee meeting with my good friend and SecurityStudio’s president, John Harmon. We had a cool discussion about family, health, and some security strategy stuff. After coffee came a SecurityStudio product strategy meeting, and now I’m writing again.

What’s with all the writing?

It’s been a while since I’ve updated people on the status of this second book. The first book (Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?) was published this year, and it’s been really well-received. This first book was written to information security professionals. This second book is an information security book written to information security amateurs, or common everyday people. The book’s parts are (for now):

  • Introduction
  • Part 1 – Current State of Affairs (nation-state, cyberwarfare, businesses, attackers, security, privacy, and safety)
  • Part 2 – Motivation (find your motivation to act, family, friends, community, country, and business)
  • Part 3 – Application (applying the basics and building habits)
  • Part 4 – Introducing and Using S2Me (the assessment, recommendations, and conclusions)
  • Closing

If you read my first book, you might remember where I said that writing a book is a bitch. It still is. The amazingness of the experience is more than worth it though. More to come in the coming weeks and months.

Let’s get to the show…


SHOW NOTES – Episode 38

Date: Monday, July 29th, 2019

Today’s Topics:

We’re going to touch on the following topics this week:

  • Civic Ransomware Awareness Project update
  • The #100DaysofTruth follow-up
  • Project Bacon
  • Industry News

[Evan] – Hi everybody! Holy buckets, we’ve got a good show planned today. Good morning, and in case you don’t know the voice yet, this is Evan and this is episode 38 of the UNSECURITY Podcast. No Brad joining me today. He’s got a “vacation”. Who does that?! Anyway, in his place is my good friend and SecurityStudio’s president John Harmon. This is where you say “hi” John.

[John] He’s a quick thinker with a sharp tongue, so I’ll need to be on my toes with his response (probably).

[Evan] So, Brad’s on vacation. I joked a little about that, but I can hardly think of someone who deserves it as much as he does. Kudos to him for taking some time off to be with his family. Before we get into talking more about our guest and some cool things, I just want to give our listeners a quick update on our Civic Ransomware Awareness Project and an idea for a follow-up to the #100DaysOfTruth thing.

Quick Civic Ransomware Awareness Project Update and New Idea Discussion

John can talk here too, I just don’t have anything specific for him yet.

[Evan] This is our 38th episode of the podcast, and we finally have you on the show. Sorry it took so long. Now, I know you pretty well because we’ve been working together for quite some time now, but the listeners may not know who you are. Tell us about yourself.

[John] Tells us a story about himself

Talking About John

[Evan] I gotta tell you man, I love working with you every day. You’re a guy that truly gets what we’re trying to do and you’re absolutely sold out on our mission. Later this year, like October, you and I are embarking on a new journey. We affectionately call it Project Bacon. Where did the name come from?

[John] The name was John’s idea, but let’s hear him out.

[Evan] The name is awesome. Besides, who doesn’t like Bacon? So, we have this Project Bacon thing. What is it?

[John] Tells us what Project Bacon is.

[Evan] OK, I think I get it (of course I do, but I need to act like I don’t so the show is more interesting or something). Why are we doing this?

[John] Oh yeah! The “why” is the best part.

More Project Bacon Discussion

[Evan] I’m pumped about Project Bacon. It’s going to be a blast and we’re doing good things all along the way. John, you’ve listened to our podcast before. We always close this thing out with a few news stories. You game?

[John] John is always game.

Industry News

Here’s our news to discuss in this week’s show. The depth of the discussion will depend on our time.

Closing

[Evan] – OK. That’s how it is. So many cool things going on and too many things to talk about. Thank you John for filling in for Brad this week. Project Bacon is going to be great! Also, a special thank you to our listeners. Each week, the number of listeners to our podcast continues to grow, and each week we receive great feedback from you. Please keep it coming. If we haven’t had a chance to respond, it isn’t because we don’t care, we just haven’t gotten around to it yet.

If you want to keep up with the haps, be sure to follow me, Brad, and/or John on Twitter. I’m @evanfrancen, Brad’s @BradNigh, and John is @HarmonJohn. Email the show at unsecurity@protonmail.com. Have a great week everybody!