The UNSECURITY Podcast – Episode 45 Show Notes

Welcome back for another quick recap of the week and another dose of UNSECURITY Podcast show notes. Hope you all had a great week!

For last week’s show, Brad was in studio while I was calling in from Sofia, Bulgaria. Brad was joined by Ryan Cloutier, an awesome return guest. As far as I could tell, it was another great show. I had some connectivity issues, but who doesn’t have connectivity issues in Bulgaria? Brad did a great job holding things together while we chatted about issues such as liability and speaking information security with “humans”.

Catch episode 44 here.

I was in Bulgaria to visit members of our SecurityStudio development team, check out the new office, and spend some time planning future releases of the software. Bulgaria is eight hours ahead, so timing with U.S. resources was interesting.

This slideshow requires JavaScript.

The trip was very successful and we made significant progress on a number of fronts. While I was halfway around the world, Brad held down the fort. He’s a really good leader and I’m sure he has a bunch of things going on. I didn’t get to check in with him last week, so we’ll ask how he’s doing on the podcast.

Lots of other really cool stuff to share, but I’ll do that in another post or on the show.

Let’s do some show notes now.


SHOW NOTES – Episode 45

Date: Monday, September 16th, 2019

Show Topics:

Our topics this week:

  • Catching Up
    • More Mentor Program success
    • Civic duty example
  • vCISO Revisited
  • Book Announcement

[Evan] – Hi folks, welcome to the UNSECURITY Podcast. This is episode 45 and I’m your host, Evan Francen. Brad’s joining me as usual. Hi Brad!

[Brad] Brad politely says hello to me and by proxy all of our listeners. Good Brad.

[Evan] Man, this is two shows in a row where I’m out of studio. Today I’m stuck in Washington, D.C. for a meeting. Only one day, so that’s good. What’s up with you?

[Brad] Stuff and things.

[Evan] We haven’t recorded together in person the last couple of weeks, and I haven’t even been able to catch up with you. You cool if we catchup quick?

[Brad] Brad will probably say “yes”.

[Evan] Alright, let’s start with your week. Tell us what you’ve been up to.

Catching up

  • What Brad’s up to.
  • What I’m up to.
  • We have more Mentor Program success to talk about
  • One of our listeners is setting a great example for all of us in holding his local government accountable for security.

[Evan] Alright, lots of good things. We’re all in this together and there’s a job and place for everyone.

[Brad] Brad’s words of wisdom.

[Evan] We’re always grateful for feedback that we get from listeners. If you’d got some, email us at unsecurity@protonmail.com. One of the more popular topics in the past few months has been that of the virtual Chief Information Security Officer (or vCISO). We’ve received some great questions about how to become a vCISO. A couple of episode ago, we talked about what a good vCISO is, but we didn’t really talk about how to become one. Let’s do that.

How to become a vCISO discussion

  • If you’re new (less experience).
  • If you’re experienced (even existing CISOs)
  • What are the benefits to being a vCISO versus being a FTE CISO?

[Evan] Alright. Good perspective and good discussion. Thank you Brad.

[Brad] Brad’s gotta say something or we’ll have an uncomfortable silence here.

[Evan] OK, last topic before we get into some news. I want to announce something that I’m VERY excited about. You and I are going to write a book, right?

[Brad] Brad confirms. See if you can notice any change in the tone of his voice when he responds.

New book announcement and discussion

There’s a tie in here with vCISO too.

[Evan] I’m pumped about writing with you Brad. What better time than 4th quarter to get started?

[Brad] He’s lived through multiple 4th quarters, so he’ll laugh/cry.

[Evan] Let’s close this thing out with some news, eh?

News

Here’s our news for this week:

Closing

[Evan] There you have it. Thank you for another great show Brad!

A special thank you to our loyal listeners. We love your feedback and sincerely appreciate the fact that you join us each week. Send your feedback to us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Talk to you all again next week!

The UNSECURITY Podcast – Episode 44 Show Notes

Welcome back for another quick recap of the week and another dose of UNSECURITY Podcast show notes!

Last week, Brad and I were back in studio together to record episode 43. It was a good show, where we covered some relevant topics such as (more fricken) incident response, vCISO questions, and how we (the good guys) can’t possibly do all the things that they (the bad guys) do.

Quick words about vCISO

  • It’s the future of information security leadership.
  • There are good vCISOs and less good (maybe bad) vCISOs, you need to learn the differences.
  • We got some great feedback this week from people who aspire to be a vCISO, which was really cool!

Quick words about good guys and bad guys

  • There’s a gap between what we can do and what they can do.
  • We have rules, they don’t.
  • We have ideas about how to close some of the obvious gaps (didn’t cover in the episode 43, but we’ll cover this somewhere in the future).

If you missed episode 43, you can always go back and nab it here.

Hoping you all had a great week. It was a short week, but if you’re like me, it only meant that we crammed more stuff into less time.

Most of my time this week was spent working with SecurityStudio partners find success in serving their clients. This is a blast because we create situations where everyone wins, and we do it together.

This week I started exploring the possibility of helping an incredible organization combat sex trafficking in the United States. The organization is SHAREtogether, and they’re doing amazing work. The organization is run by Jaco Booyens, the director of the movie 8 Days. If you get a chance, check them out and watch the movie (it’s been watched more than 2,000,000 times). If you feel more inclined, do more to help. Right now, my involvement is more exploratory, but I’m sure there will be more to this story before it’s all said and done.

Anyway, on the the show! Brad is leading the show this week, and he’ll have another returning


SHOW NOTES – Episode 44

Date: Monday, September 9th, 2019

Show Topics:

Our topics this week:

  • The security expert’s take on liability.
  • Speaking information security for “humans”.
    • What’s the problem?
    • Ideas for solving the problem(s).
    • Consequences of the failure to solve the problem.
  • Industry News

[Brad] – Brad can choose any opening he’d like. This is his show to lead. The standard one sort of goes like this…

Welcome to the UNSECURITY Podcast, episode 44. Joining me is my co-host, Evan Francen. Say hi Evan.

[Evan] I’ll say something here. Probably. Maybe I’ll stay silent to through Brad off, but now that it’s in the show notes, I think I let the cat out of the bag. Whatever.

[Brad] Also joining us today is a repeat guest. Ryan Cloutier is here in person. Ryan is an amazing information security expert with a noble mission. He was also on with us back in episode 27, back in May. Welcome Ryan.

[Ryan] Ryan’s a guy with something to say, so he’ll say something here.

[Brad] This week, Evan’s in Bulgaria. What’s going on over there, Evan?

[Evan] Stuff.

[Brad] It’s sort of funny. We’re beginning to think you don’t like Ryan all that much because last time he was on, you were in California. You got something against Ryan or what?

[Evan] Maybe.

[Brad] We brought Ryan on the show again because we love his perspectives on helping “normal” people, or as he likes to call them, “humans”, secure themselves better. Great mission, but before we cover that, let’s talk about some common questions we get about liability. Now, we’re not lawyers, so don’t think this is official legal advice, but we do work with lawyers pretty often when we investigate breaches.

Discussion about liability, from a security person’s perspective

[Brad] So, the key is to do the things that a “reasonable” person would do in your same circumstance. This leads to a whole bunch of questions that you should be asking yourself.

Now let’s switch gears a little bit. Ryan, you’ve got this deep desire to help “humans” secure themselves better, and this passion is shared with us here at FRSecure. You recently posted an open letter to the security community on Evan’s blog and you regularly speak to crowds all over the United States. Let’s talk about all this for a bit.

Discussion about Ryan’s mission and speaking “human”

  • What are some of the problems we’re facing when speaking “human”?
  • What ideas do we have for solving the problem(s)?
  • What are some of consequences of the failure to solve the problem?

[Brad] There’s so much we can do together, as a community, to do this better. Great discussion. What’s our one call to action?

[Brad] OK, on to this week’s security news.

News

Here’s our news for this week:

Closing

[Brad] Alright. Another great show. Thank you for joining me Ryan.

Evan, have a good time in Bulgaria. Bring me home a gift or something.

A special thank you to our loyal listeners. We love your feedback and sincerely appreciate the fact that you join us each week. Send your feedback to us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen.

Talk to you all again next week!

Speaking “Human”: An Open Letter to Security Professionals on a Basic Approach to the Cyber Security Gap

A guest post by Ryan Cloutier. For more information about Ryan, see his profile page.

Most people find the topic of cyber-information security boring, if they have even heard of it at all. The primary cause for this is that digital citizens do not view cyber-information security or their “digital life” as being real or even directly impactful to their own physical life and personal safety. I believe this is due to how we as security professionals have discussed the topic of cyber-info security to non-tech savvy populations.

We might as well be speaking Klingon when we approach a general population with convoluted technical jargon to educate on cyber security.

A favorite quote I heard once from a curmudgeon man after advising him “don’t click the link” was “Don’t click the link?! Listen asshole the whole internet is links!” I laughed but came to the realization that he wasn’t wrong and I then came to understand these three points:

1. We (Security Professionals) are the problem not the user.

We don’t have to go on like this. We can be the change. When educating anyone on cyber awareness, we can use better analogies and real world examples to describe the risk and issues with the behavior we want to see changed. For example, consider the awful security awareness training we must sit through once a year at work or when we get phished by the IT department and then must retake said awful training – it is viewed as a work issue and therefore only applies to the workplace.

2. Focusing only on cyber awareness in the workplace prevents meaningful behavior change. 

If you have the fortune as a Security Professional of managing to get behavior change in the workplace more often than not it is left at the workplace and forgotten about when they go home. However, if we change the conversation to focus on cyber security as a basic life skill, as a fundamental part of our daily physical life then we begin to see change. Today in 2019, most of the connected world uses their smart phone to conduct a large portion of their everyday life from communicating with their loved ones, to banking, shopping, learning, news, entertainment, dating, and so on. 

3. The world has changed but we have not changed with it or adapted our behavior to match. 

We are a society that has not changed our life skills to reflect our new “Digital Life” so when speaking to and training your clients please use relatable examples and common language. Realize that your audience may not be versed in technology nor are they all IT Professionals and as such you need to take the extra time to make it real and relatable. Once you apply this “Make it Real” approach you will see meaningful behavior change and you will have the added benefit of not only making your organization safer and more secure but you will have made the world and a new generation of humans safer and more secure. So I ask you fellow IT security and privacy professionals to please speak human and take the time to break it down. 

Join me in this mission to help make the world a better, safer and more secure place. 

THINGS you might consider adding: 

  • Take the same approach to educating about cyber security that you do when your uncle asks you to describe your job at the Thanksgiving dinner table. 
  • Take stock in what your closest non-technical friends and family don’t understand about cyber security – use this as your baseline to further craft your message into more relatable examples. 
  • Make it real – use examples from your every day life and inject humor into life lessons that will forever change the actions and behaviors of a generation that desperately needs these digital tools. 
  • Commit to spending time educating others outside of your professional work to not only evangelize security in the professional world but in every day activity- volunteer at schools, senior centers, and non-profits which are the unfortunate prime targets of cyber crime and scams. Use these interactions to further craft your message to be inclusive and targeted. 
  • Make an impact by leaving a meeting or speaking engagement with a line of people ready to come up and tell you their story – not leaving with a notebook of acronyms and confusion as they decide “cyber security is too technical for me to make changes in my daily life” 

 

The UNSECURITY Podcast – Episode 41 Show Notes

Happy Friday! Time for show notes, and I’m actually early with the notes this time.

We’re humbled and grateful for the growth of the UNSECURITY Podcast audience. Every week breaks a new record, in terms of listeners and downloads. Thank you for spending time with us!

Great show planned this week, with some healthy controversy. I won’t put the controversial stuff in these notes, so you’ll have to listen to get the skinny.

Hope you had a great week! Here’s some quick highlights from us:

  • Our very own Team Ambush came back from Def Con after capturing 2nd place in the warl0ck gam3z capture the flag (CTF)! Helluva accomplishment for an awesome and incredibly skilled group! We’re VERY proud of them and their accomplishment. This is the 2nd year in a row that they’ve captured 2nd place at Def Con. We’ll be talking with the leader of FRSecure’s Technical Services Team, and member of Team Ambush on this show!
  • Speaking of Team Ambush, they were featured on KARE 11 news (one of the largest in Minneapolis/St. Paul) on Wednesday night during prime time. A link to the feature is here; https://www.kare11.com/article/news/minnesota-team-places-2nd-in-national-hacking-competition/89-77305e34-dadd-4b55-afcb-c8d1af6165f9
  • Minnetonka School District is one of the largest and arguably the best school district in Minnesota. I had the pleasure of presenting to their faculty and staff on Monday. The title of the talk was Security@Home Security@Work. In the talk, I featured SecurityStudio’s newest product, S2Me. S2Me is a personal information security assessment and it’s free. If you haven’t done so already, go get your S2Score now! We used the results of the assessments to drive conversation about information security. Great discussion! S2Me is a great conversation starter and we’re excited to go where it takes us.
  • I spent the rest of the week fundraising for SecurityStudio. We’re in the middle of seeking our seed round of funding, and it’s a helluva experience for me. I’ve never raised money before, so I’m learning as I go. If you know anybody who’s willing to share wisdom in this area, send them my way (efrancen@securitystudio.com).

Things are good. On to show notes, eh?


SHOW NOTES – Episode 41

Date: Monday, August 19th, 2019

Today’s Topics:

Our topics this week:

  • What is S2Me?
  • More Incident Response(s)
  • Def Con with Oscar
  • Industry News

[Evan] – Hi everybody, and welcome to another episode of the UNSECURITY Podcast! This is episode 41, and I’m Evan Francen, your host. If this isn’t your first time listening, you already knew that. Joining me today is my show buddy, Brad Nigh. Care to say “hi” Brad?

[Brad] Brad almost always says “hi” but we’ll see if he read the show notes. Maybe he’ll come up with something unique.

[Evan] We’re excited for today’s show because we have a first time special guest joining us. None other than the infamous Oscar Minks, joining us from his home base in Kentucky. Oscar, wanna say “hi”?

[Oscar] Hi, or something similar.

[Evan] Oscar, you’re the Director of Technical Services at FRSecure, right? Tell our listeners what that job is.

[Oscar] Tells us what he does here.

[Evan] Thank you Oscar, it’s an honor to have you here.

Brief discussion with Oscar

[Evan] OK. Have you guys heard of the S2Me yet?

[Brad][Oscar] Tell the truth.

[Evan] Have you guys got your S2Score yet? Care to share?

Discussion about S2Me and the theories behind it. Maybe a little chat about Minnetonka School District too

[Evan] More incidents this week. If this keeps up, we might have to dedicate an entire podcast to incident response! Sheesh. I’ll tell you about mine, then you tell me about yours Brad.

Incident response discussion

[Evan] We like responding to incidents because we love helping people. We hate responding to incidents because it means someone is (maybe) in trouble. We’ll see if we make it a week without another one.

[Evan] Two weeks ago, we had “Ben” on the show to talk about going to Def Con among other things. Now Def Con is over, and we can talk a little about our team’s experience. Oscar, you were there. Let’s chat.

Def Con discussion

[Evan] Thank you for sharing Oscar. More to come I’m sure. Let’s wrap this up with some news. We’ll cover as much as we’ve got time for. Three stories to start.

News

Here’s our news for this week:

Closing

[Evan] – Again, that’s how it is. Thank you Oscar for joining us. Thank you Brad for being a great partner. Special thank you to our listeners, and especially those of you who give us input and feedback. You can reach the us on the show by email at  unsecurity@protonmail.com.

If you’d like to be a guest on the show or if you want to nominate someone to be a guest, send us that information too.

As always, you can find me and/or Brad on Twitter. I’m @evanfrancen and Brad’s at @BradNigh. Oscar, do you twit?

Talk to you all again next week!

The UNSECURITY Podcast – Episode 38 Show Notes

YES! I’m on time again. If I get good at this, I won’t need to make this comment anymore. Odds of that?

As usual, I’ll give a quick review of the week, then we’ll jump right into the show notes.

It was another good and productive week. Gooder and more productiver than I probably deserve, but this is what you get when you are surrounded by awesome people all the time. 

  • Monday started with UNSECURITY Podcast (episode 37). Our guest was the one and only MN State Representative Jim Nash. If you missed it, you should give it a listen. We call BS on some things, then chat about some other things. All in all it was a great show. After that, it was coffee with a friend and a lot of writing.
  • Tuesday started with coffee with SecurityStudio’s VP of Software Development, Ivan Peev. After coffee it was an executive leadership meeting (all executives rated it a 10, which is always good), more writing, and a global information security strategy meeting with an awesome vCISO client.
  • Wednesday was great. An FRSecure Customer Advisory Board (CAB) meeting, coffee with Peter Vinge (Director of Operations – FRSecure), more writing, a few more meetings, more writing, and a meeting with legal counsel.
  • Thursday started with a SecurityStudio User Advisory Group meeting, then the rest of the day was spent writing.
  • Friday (today) started with a coffee meeting with my good friend and SecurityStudio’s president, John Harmon. We had a cool discussion about family, health, and some security strategy stuff. After coffee came a SecurityStudio product strategy meeting, and now I’m writing again.

What’s with all the writing?

It’s been a while since I’ve updated people on the status of this second book. The first book (Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?) was published this year, and it’s been really well-received. This first book was written to information security professionals. This second book is an information security book written to information security amateurs, or common everyday people. The book’s parts are (for now):

  • Introduction
  • Part 1 – Current State of Affairs (nation-state, cyberwarfare, businesses, attackers, security, privacy, and safety)
  • Part 2 – Motivation (find your motivation to act, family, friends, community, country, and business)
  • Part 3 –  Application (applying the basics and building habits)
  • Part 4 – Introducing and Using S2Me (the assessment, recommendations, and conclusions)
  • Closing

If you read my first book, you might remember where I said that writing a book is a bitch. It still is. The amazingness of the experience is more than worth it though. More to come in the coming weeks and months.

Let’s get to the show…


SHOW NOTES – Episode 38

Date: Monday, July 29th, 2019

Today’s Topics:

We’re going to touch on the following topics this week:

  • Civic Ransomware Awareness Project update
  • The #100DaysofTruth follow-up
  • Project Bacon
  • Industry News

[Evan] – Hi everybody! Holy buckets, we’ve got a good show planned today. Good morning, and in case you don’t know the voice yet, this is Evan and this is episode 38 of the UNSECURITY Podcast. No Brad joining me today. He’s got a “vacation”. Who does that?! Anyway, in his place is my good friend and SecurityStudio’s president John Harmon. This is where you say “hi” John.

[John] He’s a quick thinker with a sharp tongue, so I’ll need to be on my toes with his response (probably).

[Evan] So, Brad’s on vacation. I joked a little about that, but I can hardly think of someone who deserves it as much as he does. Kudos to him for taking some time off to be with his family. Before we get into talking more about our guest and some cool things, I just want to give our listeners a quick update on our Civic Ransomware Awareness Project and an idea for a follow-up to the #100DaysOfTruth thing.

Quick Civic Ransomware Awareness Project Update and New Idea Discussion

John can talk here too, I just don’t have anything specific for him yet.

[Evan] This is our 38th episode of the podcast, and we finally have you on the show. Sorry it took so long. Now, I know you pretty well because we’ve been working together for quite some time now, but the listeners may not know who you are. Tell us about yourself.

[John] Tells us a story about himself

Talking About John

[Evan] I gotta tell you man, I love working with you every day. You’re a guy that truly gets what we’re trying to do and you’re absolutely sold out on our mission. Later this year, like October, you and I are embarking on a new journey. We affectionately call it Project Bacon. Where did the name come from?

[John] The name was John’s idea, but let’s hear him out.

[Evan] The name is awesome. Besides, who doesn’t like Bacon? So, we have this Project Bacon thing. What is it?

[John] Tells us what Project Bacon is.

[Evan] OK, I think I get it (of course I do, but I need to act like I don’t so the show is more interesting or something). Why are we doing this?

[John] Oh yeah! The “why” is the best part.

More Project Bacon Discussion

[Evan] I’m pumped about Project Bacon. It’s going to be a blast and we’re doing good things all along the way. John, you’ve listened to our podcast before. We always close this thing out with a few news stories. You game?

[John] John is always game.

Industry News

Here’s our news to discuss in this week’s show. The depth of the discussion will depend on our time.

Closing

[Evan] – OK. That’s how it is. So many cool things going on and too many things to talk about. Thank you John for filling in for Brad this week. Project Bacon is going to be great! Also, a special thank you to our listeners. Each week, the number of listeners to our podcast continues to grow, and each week we received great feedback from you. Please keep it coming. If we haven’t had a chance to respond, it isn’t because we don’t care, we just haven’t gotten around to it yet.

If you want to keep up with the haps, be sure to follow me, Brad, and/or John on Twitter. I’m @evanfrancen, Brad’s @BradNigh, and John is @HarmonJohn. Email the show at unsecurity@protonmail.com. Have a great week everybody!

Must have more data…

So, I wrote the first book, Unsecurity based more on experience and less on research. It was easy (well, not “easy”) because the audience for the book were the people in my own tribe (information security people). It was like writing a book to myself.

Now I’m writing the second book, and the audience has changed. It’s a book written to and for non-information security people whom I’ve affectionately called “normal” people. This doesn’t mean that a normal person isn’t awesome or exceptional, they are.  It’s just the word I chose to reference people who aren’t information security folks. Maybe “the masses” is a better reference. We’ll see what makes it into the book.

Anyway, I have a problem. Sort of.

The Problem

I had a revelation while I was writing this book. It came to me while I was writing about how we (security people) make the mistake of assuming we know what the masses think. Even worse, we sometimes tell the masses what the masses think. It’s wrong!

Well, I was about to make the same mistake that I was rebuking other security people about.

STOP!

Don’t you think it makes better sense to ask the masses what they think about information security rather than to assume I know what they think? This book will make a lot more sense and be much more helpful if it uses the same language that the masses use and addresses their concerns!

The Solution

The best way I know how to get answers to the questions I have was to create a simple survey, one that can be completed in five minutes or less. So, I did.

So far I’ve received more than 500 responses to the thirty question survey, and the data is awesome! As I’ve mulled through some of the preliminary data, it’s amazing to see what people think! Who’d a thunk?

500 results gives the survey a lot of credibility. The margin of error is ~5%, which is great! Wouldn’t it be great to get a margin of error of <=3%? I think so, and the only way to get there is to ask for more responses. This is where I’m asking for your help.

Would you be so kind as to take this survey (it’s a safe link) and send it to as many of your contacts as you feel comfortable? The survey link is here:

https://www.surveymonkey.com/r/security_for_normal_people

The better the data, the better the book. That’s the theory at least.

I’ll be writing more about the upcoming book in future articles. I think it’s going to be fun, and it’s going to help a lot of people!

THANK YOU!

P.S. The word map you see as the “featured image” in the title is mapped from the raw input (answers without any filters or changes) to the question “What could information security experts do to help people better?” (in the survey).