E is for Everyone

There are lots of relevant information security words that start with “E”, but I’m going with “Everyone”.

Why?

Three primary reasons:

  1. Information security (good or bad) affects everyone.
  2. Everyone has a role in information security.
  3. If everyone has a role, then everyone must have responsibilities.

There’s a saying I often use:

Information security isn’t about information or security as much as it is about people.

Two important points from this statement:

  1. People suffer when things go bad. If nobody suffered, nobody would care.
  2. People are riskier than technology. Technology only does what we tell it to (for now).

Let’s apply these points to our reasons why “E” is for everyone.

People Suffer

When bad things happen, people suffer. Doesn’t matter if we call the “bad thing” a data breach, a ransomware attack, a phish, business email compromise, or whatever. All bad things related to information security affect real human beings, either directly or indirectly.

Some quick examples:

  • Ransomware attack (poorly prepared) – A ransomware attack hits an organization. The organization isn’t well prepared for it, meaning they didn’t adequately back up their data or adequately protect their backups. The organization has no hope of recovery without negotiating with the attackers and paying the ransom. No worries, “it’s covered by insurance”, a common reply. People suffer:
    • The organization suffered an outage; even if minimal, it’s an outage. Outages mean lost services to customers and lost revenue for the organization. Customers suffer and so do the organization’s stakeholders (owners, investors, employees, etc.).
    • The insurance company suffered the claim loss. This might seem insignificant, but insurance companies are not in the business of losing money. They will raise premiums across the board if necessary to recoup losses. “In the first half of 2020 alone, we observed a 260% increase in the frequency of ransomware attacks amongst our policyholders, with the average ransom demand increasing 47%,” according to Coalition (one of the largest providers of cyber insurance services in North America). Insurance company stakeholders suffer (even if temporarily), and we all suffer through higher insurance premiums.
    • Paying an attacker a ransom leads to their re-investment in better and more frequent attacks. We all suffer. Everyone suffers, and worse, the cycle continues.
  • Business email compromise – An organization suffers a business email compromise that leads to an $800K loss: money stolen through unauthorized ACH transfers. This resulted in a loss for the organization, its customers, and its stakeholders. They all suffered. This attack resulted in $800K that could no longer be spent on good things; things like expansion, employee benefits, employee salaries, etc.
  • Data breach – A hospital gets hit with ransomware, but this variant also exfiltrated protected health information (PHI). The hospital didn’t properly protect itself, and certainly didn’t protect the patients well. The hospital suffered a significant outage, affecting services for patients when they’re needed most. To make matters worse, all patients who were affected by the lost information are now dealing with significant anxiety and safety issues.
    • Anxiety from knowing their private information is in the hands of someone they don’t trust. Contributing to the anxiety is not knowing when/if their information has been used by criminals or how to fix the problem if it did.
    • When a criminal uses stolen PHI to get treatment, their health information becomes mixed with/added to the victim’s. If the criminal gets treatment for a condition using a victim’s medical record/insurance, the criminal’s treatment is now on the victim’s medical record. The next time the victim gets treatment (legitimately), he/she will be treated as though he/she has the criminal’s condition, leading to potentially faulty life/death decisions made by doctors.
    • Victims are also faced with medical bills that aren’t theirs. If you’ve dealt with medical bills before, you know how this feels.

The list could go on, but you get the point. These scenarios are based on real stories. Reality, NOT fantasy.

Information security (good or bad) affects EVERYONE.

At Home

At home the problem is more direct, but less understood. Attackers have always gone after people at home. Since the first home PCs were connected to the Internet, they’ve been under attack. If we think attackers have relented, we’re foolish.

The problems at home are less understood for a couple of reasons:

  1. The consumer market has been grossly underserved. This market is underserved because consumer information security is more difficult to monetize. This market is very easy to monetize for cool blinky lights, personal assistants, “smart” homes, etc. It’s a pain in the ass to monetize for information security.
  2. Personal attacks, or attacks at home, don’t grab the headlines like organizational attacks do. People aren’t paying attention (as much); however, this might be changing with the explosion in remote working or “work from home”.

At home, your information security and safety are your responsibility. Not mine. Not the government’s. Yours. Sadly, an attack aimed at you or your children is yours to bear, sometimes alone.

People Are Riskier

Riskier how? In terms of being riskier than the technology or in terms of being riskier than they were before?

Yes. Both.

Technology only does what we tell it to do. Tell it to do bad things (on purpose or by accident), and the technology does bad things. Tell it to do good things, and you guessed it, technology will do good things. It’s not technology that’s bad as much as it’s the behavior of technology makers and consumers that can make it bad. Technology makers are incented to get the product (hardware and/or software) into consumers’ hands as quickly and cost-efficiently as possible, NOT as securely as possible. Information security is up to you then. If you don’t know how to secure the product or technology, then you will suffer the consequences.

Technology makers need to be incented to make things more secure, not punished for making things insecure.

Consumers need to learn better information security habits to reduce their risk within their area of influence; in communities, at work, and especially at home.

EVERYONE has a role in information security. What’s yours?

Roles

In simple terms, there are information owners, custodians, and users. In reality, this is where the breakdown starts. Most people have no clue what their role is. If you don’t know your role, you don’t stand a chance in understanding your responsibilities.

Information Owners

These are people who are directly affected by the loss of confidentiality, accuracy (or integrity), and/or availability of their information. They “own” the information, and it’s theirs.

Examples:

  • My health record is mine.
  • My financial account information is mine.
  • My Social Security Number is mine.
  • My private conversations are mine.
  • My private emails are mine.
  • My credentials for accessing accounts are mine.

I am the information owner. At times, I’m the information owner for people I’m responsible for too, like members of my family.

Information Custodian

These are organizations and people to whom the information owner has delegated the responsibility of protecting the information.

Examples:

  • The hospital is a custodian of my health record.
  • The bank is a custodian of my financial account information.
  • The school, employer, bank, credit agency, etc. is a custodian of my Social Security Number.
  • The phone carrier (or whoever else I might be using for private conversations) is the custodian of my private conversation.
  • The email provider (personal and work) is the custodian of my private emails.
  • The password manager program (please tell me you use one), and everyone I authenticate with, is the custodian of my credentials for accessing accounts.

Information Users

These are people who use the information in a manner approved by the information owner through the information custodian.

Organizations Are Not Data Owners

Organizations do not “own” our information. Organizations are custodians and users of our information.

Organizations do NOT “own” any information except what they’ve created.

Organizations act like “owners” of our information, but they’re not. If they want to be, then they’ll need to accept the consequences of misuse instead of pushing the consequences onto the real owners (you and me). Organizations act like owners of our information when they make risk decisions on our behalf without our approval. Truly, if more people knew how some (maybe most) organizations protected our information, I’m pretty sure some of us would stop doing business with them.

Responsibilities

Each role has specific responsibilities, but this is where things get even messier.

Information Owner

Information owners must inform/declare to information custodians what’s acceptable and what’s not with respect to protecting their information. Once this has been defined, it’s also the owner’s responsibility to hold the custodian accountable.

The problem

Most people have no idea that they are an information owner or what it means to be an owner. For those who do understand the role, many feel powerless to do anything with it. We have a long way to go in empowering information owners; to delegate information security responsibilities effectively and simply to data custodians. We’ve tried going down this route, sort of, with compliance mandates, but our compliance initiatives are far behind the times and largely ineffective. Much work to be done here.

Information Custodian

Information custodians protect information according to what’s been delegated by the information owner. If nothing has been delegated (explicitly), custodians are left to their own devices. Some custodians treat our information with extreme care while others couldn’t care less. If we’re frustrated by how organizations are protecting our information, maybe we need to back up and look at our responsibilities (as information owners) and create solutions that will allow us to become empowered.

Information User

Easy. Just follow the rules, as defined by the owner and delegated through the custodian. If the user doesn’t understand the rules, it might be due to breakdowns with information ownership and/or custodianship. If the user doesn’t follow the rules because they don’t want to, there are other problems of course.

If everyone has a role, then EVERYONE must have responsibilities.

Fundamental

This is not only fundamental information security, this is fundamental logic. We’ve got a lot of work ahead of us.

Honorable Mention for “E”

I received many great suggestions for the letter “E” including:

  • Evolution – information security is certainly evolving, but not fast enough. Complexity is the worst enemy of information security, and we’re going too fast to secure things. Technology is evolving much faster than our ability to secure it.
  • Elephants – the “elephant in the room” is often information security, or the lack thereof. If only we could make the elephant a little smaller and little less intimidating.
  • Efficiency – a great word, but could be a can of worms. If we can make things more secure (less risk) and be more efficient, we have the potential recipe for success!
  • Endpoint – endpoint protection is certainly part of the equation, but I didn’t choose it because of the overemphasis our industry puts on its importance. It’s important for sure, but some people (vendors mostly) will claim it’s the silver bullet/easy button. I know the person who suggested “endpoint” is NOT insinuating such a thing (I know him), but others might. Just FYI, silver bullets and easy buttons don’t exist and never will.
  • Encryption – a great suggestion and safe choice. Encryption is wonderful and a critical protection against unauthorized disclosure and/or alteration of data.
  • Evolve – closely related to “evolution”. See above.
  • Exfiltration – another great suggestion. Exfiltration is the extraction or taking of information from an environment, and the word is often used in relation to data breaches. It often results in a compromise of confidentiality if the data wasn’t adequately protected with encryption (another vote for “encryption” above).

One last word that I was considering was “education”. Education is VERY important and we all must continue learning. There are so many good free and paid education opportunities available everywhere, there’s really no excuse for not investing in yourself.

Next up is “F”. Ooh, a bad word I use too much starts with “F”! You know the word, but it’s not going to make it into the Security ABCs, sorry.

Why Isn’t “C” for Compliance?

If you missed it:

And “C” is NOT for compliance. Why not?

The simple answer is:

Compliance is NOT information security despite what people may think.

Judging from how many organizations treat compliance and information security like they’re the same thing, people must be confused. They’re not the same. Compliance has never been the same as information security, and it never will be.

Ultimately, compliance is doing what you’ve been told to do.

Explanation

Here’s how compliance works.

A governing body (country, state, industry, etc.) decides it needs to do something about information security, or privacy (a different, but inseparable thing). They write a law, regulation, or standard by which all entities (organizations) must abide. Examples include:

  • 104th United States Congress\Department of Health, HIPAA, all entities interacting with PHI.
  • 106th United States Congress\Federal Financial Institutions Examination Council (FFIEC), GLBA, financial institutions
  • California State Legislature, Assembly Bill No. 375 (California Consumer Privacy Act or “CCPA”), for-profit businesses that conduct business in California and 1) have gross revenue in excess of $25MM, 2) buy, receive, or sell personal information of 50,000 or more consumers, or 3) earn >1/2 of their annual revenue from selling consumer personal information
  • Payment Card Industry Security Standards Council (self-regulation), Payment Card Industry Data Security Standard (PCI-DSS), organizations that handle branded credit cards from the major card brands (VISA, MasterCard, et al.)

If you’re in the sights of the regulation\law\standard, you have little choice but to comply with the regulation\law\standard or face sanctions. Where organizations DO have a choice is in how they comply. Organizations can choose:

  1. To abide by the intent of the regulation\law\standard, or
  2. To abide by the letter of the regulation\law\standard.

The choice comes down to the organization’s understanding, lack of skill, and/or how short-sighted management may be.

Option #1 – Intent of the Law

The intent of information security and privacy related regulations/laws/standards is usually a noble one. Take HIPAA for instance, the intent is to protect protected health information (PHI).

That seems noble.

The challenge is writing a regulation\law\standard that’s prescriptive enough to be effective in enforcing the intent while at the same time being flexible enough to apply to a large population and all its inherent variables. There are 146 mentions of the word “risk” in the Final Rule. This is great because “risk management” fits our definition of information security. Clearly, when reading the text, the intent of HIPAA is to build a fundamental information security program upon risk management fundamentals.

This is not only noble, but it’s very close to producing the same outcome as information security. Sadly, this is as close to information security as compliance gets.

Option #2 – Letter of the Law

If the intent of the law escapes you, you have the other option, a shortcut, the letter of the law. Abiding by the letter of the law is a shortcut, leading to checkboxes and poor information security.

HIPAA calls for a risk analysis in the Security Rule, so shortcutters get out their Excel spreadsheet and do the minimum work necessary to check the box. HHS recognized that people were half-assing it. Many healthcare organizations were not even doing their risk assessments, so in 2009/2010 they incented health care organizations through Meaningful Use Requirements. That still didn’t have its desired effect, so they increased enforcement through the OCR (first settlement in 2009). That still didn’t do enough, so HHS started compliance audits in 2011. Still not enough, so the Omnibus Rule comes about in 2013. Since then HIPAA audits have been delayed and we’re in a bit of a stalemate.

Question. Has healthcare information security been improved, or not? In some places, “yes” maybe. In other places, “no”. There’s nothing definitive to say one way or the other.

Conclusion

“C” is not for compliance because compliance isn’t information security. If you must use compliance as your driver, go after the intent of the law versus the letter of the law (PLEASE).

D is for Data

The words we use make a difference. They make a difference in what we do, how we communicate, and our overall effectiveness as information security professionals.

This may seem basic for you, but it’s important to recognize not everyone is an “expert”. Unless you only work with people like you (experts), you’d better master the application and communication of these basics.

Despite wanting “D” to stand for something else, something a little less obvious and more sexy, it’s for “data”. Covering two things here: what is “data”, and why must “D” stand for data?

What is Data?

Wouldn’t it be nice if there was just one definition? Unfortunately, there’s not for the word “data”. Merriam-Webster has three:

  1. factual information (such as measurements or statistics) used as a basis for reasoning, discussion, or calculation
  2. information in digital form that can be transmitted or processed
  3. information output by a sensing device or organ that includes both useful and irrelevant or redundant information and must be processed to be meaningful

Dictionary.com has four:

  1. a plural of datum (and datum has five definitions)
  2. individual facts, statistics, or items of information
  3. information in digital format, as encoded text or numbers, or multimedia images, audio, or video
  4. a body of facts

BusinessDictionary has two:

  1. Information in raw or unorganized form (such as alphabets, numbers, or symbols) that refer to, or represent, conditions, ideas, or objects. Data is limitless and present everywhere in the universe.
  2. Computers: Symbols or signals that are input, stored, and processed by a computer, for output as usable information.

Despite eleven definitions from these three sources, there are some commonalities. Here’s the definition that I’ve gleaned: data is raw or unorganized information that is factual and/or statistical.

If “information” is core to the definition of “data”, then what’s the definition of information?

Data that is:

  1. accurate and timely,
  2. specific and organized for a purpose,
  3. presented within a context that gives it meaning and relevance, and
  4. can lead to an increase in understanding and decrease in uncertainty.

Summary Definitions

Data is:

raw or unorganized information that is factual and/or statistical

Information is:

accurate, timely, specific, and organized data that provides meaning and relevance

The difference between the two is organization and meaning.

Why Is “D” for Data?

The simple answer is data is at the core of everything that is information security and/or data security. To drive home this fact, not only is “information” in the term “information security”, information is data, and the word “data” is applied all over our industry:

  • data administration
  • data aggregation
  • data breach
  • data integrity
  • data leakage
  • data loss
  • data loss prevention
  • data mining
  • data spill
  • data theft

So, to come full circle on why “D” is for “data” despite wanting to find a more sexy word, data is fundamental to everything we do as information/data security professionals.

There you have it.

Honorable Mention for “D”

  • decrypt (or decryption) – turning ciphertext data (encrypted) into plaintext data.
  • digital – representation of data in discrete units, such as binary (0s and 1s).
  • denial of service – an attack aimed at making a system, service, or application unavailable to authorized users.

There you go. That’s “D”. “D” is basic. “D” is boring (to some). “D” is fundamental.

Next up is “E”.

C is for Cybersecurity

Cybersecurity is NOT the same as information security.

Different words, different things.

What is “Cybersecurity”?

In order to fully appreciate the difference between information security and cybersecurity, we need to define both.

Information Security

The workable definition of information security that I’ve used for decades is:

Managing risk to unauthorized disclosure, alteration, and destruction of information using administrative, physical and technical controls.

This is a workable definition because it hits all the necessary points:

  1. It’s “managing” risk, NOT eliminating risk. Eliminating risk is impossible.
  2. It’s a business issue, NOT an IT issue; therefore, administrative and physical controls cannot be dismissed. Two common phrases to drive this point:
    • It’s easier to go through your secretary than your firewall.
    • Nobody cares about your firewall when someone steals your server.
  3. Keeping things secret is important (confidentiality vs. disclosure), but so is making sure the information is accurate (integrity vs. alteration) and available (availability vs. destruction).

OK. Now for “cybersecurity”.

Cybersecurity

Cybersecurity or “cyber security”, tomayto tomahto.

Seems this is a combination of two words, “cyber” and “security”. So then, what does “cyber” mean?

Let’s Google it:

Me being me, I’m not one to take a single source of truth at face value, at least not if I can help it. What does Merriam-Webster say?

Alright, good enough. Confirmed. Cybersecurity, then, is defined as:

Managing risk to unauthorized information disclosure, alteration, and destruction using technical controls.

Cybersecurity is a subset of information security. They are NOT the same. We could reason that cybersecurity and IT security are the same (or similar), but not cybersecurity and information security. Sort of looks like this:

If accuracy and language are important to us, which they should be, then we need to get our words and terms straightened out.

Why This Matters

There are several reasons why it matters:

  1. There’s enough confusion already. Don’t believe me? Go ask someone to define “cybersecurity” out of the blue. For the best results, ask three or four people who work in our industry and three or four people who don’t. Note three things:
    • The bewilderment with the question.
    • Their exertion in providing a clear answer.
    • Differences between answers (yours and theirs, theirs and others, etc.).
  2. We’ve fought hard to make this a non-IT issue. The struggle is real. For 25+ years we’ve struggled to get business leaders to buy in and take responsibility for what’s theirs. We’ve been consistently preaching this isn’t an IT issue. We’ve trudged and plodded for slow progress. Now, we start using the word “cybersecurity” and we begin to lose ground. The ground we lose may seem insignificant, but ANY/ALL lost ground is bad. If you’ve fought this battle as long as some of us have, you know how hard we’ve grappled with this issue over the years.
  3. They’re both valid terms/words for what they’re already designed for. One word means one thing and one term means something different. They’re both perfectly valid for what they’re designed to communicate. Why mess with them?

How We Got Here

In my opinion, two reasons: marketing and laziness.

Cybersecurity sounds cooler, sounds sexier, and probably sells more stuff (not necessarily stuff you/I need). Another reason might be laziness. Information security is eight syllables, and cybersecurity is six. We can save two whole syllables when using “cybersecurity”! Think of all the cool things you could do with the extra syllables we’ve saved! I’ve even heard “experts” refer to information security as simply “cyber”. How sexy is “cyber”?! Using only two syllables?! Sounds super-experty too. The other six syllables can now be used to explain what you actually meant in the first place I guess.

Changing the meaning of words to fit marketing and/or laziness doesn’t seem right.

How To Get Back

Simple, use your words correctly. If you must use the word “cybersecurity”, preface it with what you’re actually talking about.

Honorable Mention for “C”

  • Confidentiality – protecting from unauthorized disclosure or keeping information secret.
  • Control – we can’t secure things we can’t control. A control is a restriction put upon an asset to protect it from unauthorized disclosure, alteration, and/or destruction. There are many applications of controls and control types, including access control, configuration control, change control, etc.
  • Cryptography – the simplest meaning is “secret writing”. It’s turning plaintext data into encrypted data (ciphertext) and vice versa. Cryptography can be great for protecting against unauthorized disclosure and alteration of information, but doesn’t do anything for protecting against destruction.

Most people could have guessed what “C” was going to be. Next up is “D”.


B is for Business

A business is in business to make money.

You and me?

We’re in the business of living life.

Don’t forget either of these points, now or when you’re doing your (information security) work. Personally, I get messed up sometimes, thinking I’m in the business of securing/protecting everything under the sun, forgetting to live life.

Protecting information is a good thing, even a great thing, but it’s not THE thing.

At Work

For-profit organizations are in business to make a profit. Non-profit organizations are in business to serve a mission.

It’s not that binary though, is it?

There are mission-driven companies, and there are non-profit organizations who rake in millions.

What drives your organization?

Mission-Driven

I can speak from experience on this. SecurityStudio and FRSecure, the two companies I work for, are both mission-driven organizations. They are for-profit companies, but it’s all about #MissionBeforeMoney.

Our mission? To fix the broken information security industry.

We serve out our mission by:

  1. Serving in our industry’s best interest. We seek partnership and collaboration with like-minded organizations, and we steer clear of bad-mouthing and destructive behaviors. We avoid and/or terminate relationships with organizations who aren’t like-minded.
  2. Serving our customers’ best interest. Always. Two things; don’t ever sell a customer something they don’t need (or the rumor is I’ll run you over with my truck), and stay product agnostic (selling products and consulting shouldn’t mix for us because there’s an inherent bias).
  3. Building solutions to fix real problems. Real problems might be difficult to solve, but it’s what we do.

OK. What about your organization?

If you work for a mission-driven organization, what’s the mission? If you don’t know the mission, then you’re probably not working in a mission-driven organization.

Money-Driven

Pure money-driven organizations focus on money obsessively. They will sometimes compromise quality and/or doing what’s in the best interest of their customers to make more money. In reality, pure money-driven organizations are heartless.

Good thing though, pure money-driven organizations seem rare. Most money-driven organizations are a mix between money lust and mission.

Why This Matters

You work for an organization. If you want success in return for your information security efforts, you’d better align your efforts with the purpose of the organization.

  1. You must figure out and communicate how information security feeds your organization’s mission, and/or,
  2. You must figure out and communicate how information security will make your organization more money.

Both can be done. It’s work. But it’s worth it. You’ll serve the organization better, and you’ll be better too.

Business people think information security is a cost center and/or some necessary evil. It’s obvious. How many times have you heard:

  • What’s the minimum we need to do?
  • What’s the cheapest way to check the box?
  • We don’t include information security in business decisions because it slows things down.
  • We don’t have money to hire help.
  • Etc., etc., etc.

It’s no wonder we don’t have “buy in” from the business. We’re not aligned with the business!

Every misspent dollar on information security is one less dollar for the mission and one more headache for the bean counters.

At Home

You’re in the business of living life, we all are. You might be someone who works in information security, or maybe you’re not. Either way, you’re still in the business of living life.

So, how does information security improve or make your life better? If information security doesn’t, why bother?!

  • Passwords. No thanks.
  • Scary things. No thanks.
  • Extra steps. No thanks.
  • More work. No thanks.

We need to figure out (for ourselves and others) how to position information security as something that improves life; something that makes life better. Information security is a life skill, and we’d all be more skilled if it was enjoyable and simple.

We’re working hard on this front with S2Me. It’s 100% FREE, go check it out. Also, go check out all the awesome content put out by Wizer.

Closing

So, there you have it. “B” is for “business”. We need to make information security more “B” friendly at work and home.

Honorable Mention for “B”

  • Basics – the basics of information security are what form the foundation of information security. Poor basics = poor foundation. Poor foundation = crumbling structure (or information security program). Most risk is found in missing (or broken) basics. Master them. If you don’t know them, learn them (book).
  • Backup – bad things happen. What will you do when they do? No backup, expect to lose data (forever). Expect it because the time will come soon, and it’s never convenient.
  • Bit – the smallest unit of data in a binary system, like your computer. Bits are cool. When they get together, they make bytes, kilobytes, megabytes, etc. Speaking of backup (previously), get all your important bits!

Next up, “C”.

A is for Accountability

Information security ABCs – An exercise in the fundamentals and basics of information security for everyone.

Accountability

the state of being accountable, liable, or answerable.

This is where information security starts. If accountability were better understood, agreed upon, practiced, and enforced, we’d have much better information security.

Who’s ultimately responsible for information security in your organization?

This is a question I’ve asked hundreds of organizations over the years. You’d be surprised by the answers:

  • “I don’t know.”
  • “That’s a good question.”
  • “Well, I am (the CIO, CISO, etc.).”
  • “We all are.”
  • “Nobody is.”

What’s the right answer? Simple, do this:

  • Grab an organization chart.
  • Find the person/people at the top of the chart.

This is the correct answer. Always.

Sample Org Chart

Three questions then:

  1. Does the person/people at the top know they’re ultimately responsible for information security?
  2. If so, do they act like it (demand periodic status updates, champion the cause, plot direction, delegate effectively, etc.)?
  3. If not, who’s responsible for telling them?

The sample organization chart above is semi-typical for a business. Let’s look at a city, county, and/or school district. The same thing applies: the person/people at the top is/are ultimately responsible.


If this ultimate accountability is missing or broken, then expect the information security program to be missing or broken. The lack of accountability at the top permeates through all other information security efforts.

Tip: Define ultimate responsibility for information security in your organization and document it in an information security charter.

Top-Down

There’s a saying, “information security is everyone’s responsibility.” This is sort of true, but sort of not true. It’s true that everyone has responsibilities in information security; it’s not true that information security is everyone’s responsibility. Ultimately, information security is a responsibility that lies at the top. Only once this is realized can we effectively begin to define and communicate delegated and supporting responsibilities.

Don’t assume that people know what their responsibilities are. Once responsibilities are defined and agreed upon, we can start practicing/enforcing accountability.

The CISO

In simplest terms, a CISO only has two responsibilities.

  1. Consult on information security risk, enabling the business to make sound risk decisions.
  2. Implement the business’ risk decisions in the best manner possible.

Both of these responsibilities are delegated from the top. In some cases, the top may delegate risk decisions to the CISO as well. This can work if the parameters are well-defined (and documented) and the CISO is empowered to do so.

NOTE: This approach is a delegation only, and it should not (and does not) absolve the top of their responsibility.

Honorable Mention for “A”

  • Asset (and asset management) – something that has value to a person or organization. Assets can be tangible (hardware, facility, etc.) or intangible (software, data, intellectual property, etc.).
  • Authentication – proof of an identity (subject or object). Three factors: something you know (password, PIN code, etc.), something you have (token, mobile phone, etc.), and something you are (biometric).
  • Access (Control) – what a subject can do with a system, file, object, etc.

Next up, “B”.

The UNSECURITY Podcast – Episode 94 Show Notes – Transition

Happy Monday! You know what it’s time for, right?

Show notes!

Last week’s episode with FRSecure’s Director of Technical Solutions and Services, Oscar Minks was GREAT! I’m still pumped about Team Ambush and how well they did in their competitions (not one, but four) at DEF CON Safe Mode. That team kicks ass and the future looks incredible for that team.

Now, we’re sort of between series here at the UNSECURITY Podcast, so we’re going to try something new. We’re going to do a Google search of an industry term, then discuss what the results are. Should be fun and educational, all at the same time.

Brad is leading the show this week, so let’s get to it!


SHOW NOTES – Episode 94

Date: Monday, August 24th, 2020

Episode 94 Topics

  • Opening
  • Catching Up
  • Google Search – “Cybersecurity”
  • News
  • Wrapping Up – Shout outs

Opening

[Brad] Good morning and welcome to episode 94 of the UNSECURITY Podcast. Today is August 24th. My name is Brad Nigh and joining me is my co-host, Evan Francen. Good morning Evan.

[Evan] This is where I usually say “good morning” back to Brad.

Catching Up

[Brad] What’s up and what’s new?

Quick discussion about last week, the weekend, or whatever else comes to mind.

  • How are you guys?
  • Tell me about your weekend quick.
  • Anything in particular that you’re excited about?

[Evan] Things and such probably…

[Brad] Things and such probably too…

Transition

Google Search – “Cybersecurity”

[Brad] Alright, well we’re between series right now. We finished up the Women in Security Series a couple weeks ago and last week we caught up with Oscar Minks. This week we’ll do something educational. Here’s the idea. We’ll do a Google search of the word “cybersecurity” and you and I will discuss the first page of results. What do you think about that?

[Evan] Sounds good to me. Let’s do it!

[Brad] Cool. So, open your favorite browser. Go to https://google.com if it’s not your default search engine and type “cybersecurity” (all one word). What do you see? Do you agree with what the links say or show? The thing about information security is we need to be a little more literal because of all the confusion. So let’s talk about it.

Open discussion about Google’s search results.

[Brad] That was sort of cool. Hopefully our listeners learned something or maybe they shot up in their chair disagreeing with you and I. We’ll see from the feedback we get!

How about some quick news stuff? We’ve got a few news stories of note…

News

[Brad] Alright, here’s some newsy things that I thought were interesting this past week:

Wrapping Up – Shout outs

[Brad] Well, that’ll do it. Episode 94 is a wrap. Good times! Evan, you have any shout outs to give?

[Evan] We’ll see.

[Brad] Got questions or suggestions for us? Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan is @evanfrancen, and Mr. Nigh is @BradNigh.

Lastly, be sure to follow our show on Twitter (@UnsecurityP), and follow the companies we work for, SecurityStudio (@studiosecurity) and FRSecure (@FRSecure).

That’s it, talk you all again next week!

WARNING – Foul language

For those of you who are offended by foul language, please stop reading OR continue reading at your own risk.

The Security Shit Show

You knew about this, right? Well, maybe. In case you didn’t, I’ll tell you a bit about it now.

NOTE: We’ve already done ten shows, I’ll post another article highlighting the shows we’ve done so far.

The Security Shit Show is a live video/podcast that three friends put together; me, Ryan Cloutier, and Chris Roberts. We’re information security veterans (some call us “experts”) with more than 70 years of combined experience who have a lot of shit to get off our chest. The information security industry isn’t all hunky-dory; we’re doing a lot of things wrong and people are suffering because of it.

You can be the “fly on the wall” or you can interact with us live (we keep the chat going).

Here’s the lowdown for our show…

Name

The Security Shit Show

You can take this name two ways; either we’re calling security a shit show, or we’re discussing security shit on the show. The answer is “yes”.

Purpose

Provide people with the real shit going down in our industry, and always discuss ideas about what people can do to make things better.

This is not a commercial podcast, meaning we won’t be hawking product or taking sponsors. We suppose this could change sometime in the future, but probably not.

Format

Three experienced and (a little) crazy information security veterans talking real shit, unfiltered, and raw.

  • This is no holds barred. The show starts fast with a topic, and the three experts get into the shit right away.
  • Nothing but truth and honest opinion, coming from the combined ~70 years of experience.
  • For each show, one of the three of us brings a topic.
    • This rotates each show. For example, Chris brings a topic one show, Evan brings a topic the next show, Ryan brings a topic the show after that, then back to Chris again.
    • First half of the show is raw, honest, hard, discussion about the topic.
    • Second half of the show is cool down time which is probably good for Evan’s blood pressure. 😉 This is where we discuss ideas, solutions and advice for our listeners. If we don’t have any good advice, we’ll say it and ask listeners to give us some to share.
    • Guests may occasionally be welcomed.
  • This is an adult show. Swearing is permitted, but not required. We’re just going to be who we really are. If we let an occasional “fuck”, “shit”, “asshole”, or “wanker” out, so be it. There are certain swear words that will never be used, but the three of us don’t use those anyway.
  • This show isn’t politically correct, but it’s also not intended to offend anyone (except maybe those who need to be offended).
  • There’s no racism, no religious BS, maybe a teeny-weeny bit of politics, but certainly no discrimination of any kind.
  • The focus is helping people with our raw take on things and a sense of humor.
  • Our information security industry is screwed up and helping to fix it is the ultimate focus.

Length

We plan for a minimum of an hour, but we don’t really care. We’ll keep talking as long as there’s something relevant and (somewhat) valuable to say. When we’re done talking, we’ll be done talking.

Schedule

Weekly. We do the shows live each Thursday night @ 10pm CDT.

If you can’t make the live show, the recording is available immediately afterwards here; https://www.youtube.com/channel/UCIt8MkGaS-y-BKGJ9wrirFA?.

The podcast is usually published on Monday mornings, and you can find these here; https://podcasts.apple.com/us/podcast/the-security-shit-show/id1513813641

Topics

Usually, we publish the topic ahead of time on our blog (https://securityshitshow.com) and in our Twitter feed (https://twitter.com/security_shit).

Tech

We’ll be talking to each other from the road or our homes. Chris’ home base is Colorado, and if you know him, he travels often (but not as much now with COVID-19). Ryan does an adequate amount of travel too. Evan, he’s random, so we won’t know where he’s at on any given day.

So, the tech consists of what we can bring around with us.

Other Stuff

We anticipate a lot of activity related to our show, so I’ll try to post these things as they become available.

Follow us on Twitter

Not sure if Twitter is good for our health, but we do some tweeting every once in a while anyway.

Our first episode (“Security Shit Show – Episode #1”) was recorded on May 14th, 2020, and we’ve done another nine episodes since. Go check it out!

One more thing: even though Evan and Chris have badass beards, you don’t need to have a badass beard to be one of us. For one, look at Ryan. For two, there are many amazing information security ladies out there too!

The UNSECURITY Podcast – Episode 83 Show Notes – It’s About People

Ever have so many things going on that you can’t remember what happened last week? Yeah, that’s where I’m at right now.

Pretty sure Brad’s in the same place I am. So, rather than recapping everything (or trying to), I’ll just get to the show notes.

These are Brad’s show notes this week…


SHOW NOTES – Episode 83

Date: Monday, June 8th, 2020

Episode 83 Topics

  • Opening
  • Catching Up (as per usual)
  • Information Security Isn’t About Information or Security
  • Work, Life, and Mental Health
  • News
  • Wrapping Up – Shout outs

Opening

[Brad] Welcome back! This is episode 83 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is June 8th, and joining me this morning as usual is Evan Francen.

[Evan] Regales us with stories from the weekend. Oh God!

[Brad] Before we get going let’s recap our week.

Catching Up

Quick discussion about last week, the weekend, family, safety etc.

[Brad] What would you say you do here Evan?

[Evan] Hmmm. Good question! This oughta be interesting.

Information Security Isn’t About Information or Security

Discussion about people, information security, working remote, stress, and overall mental health.

[Brad] Your blog from last Tuesday (Information Security Isn’t About Information or Security) really inspired me for this week’s podcast. There have been countless articles written about how to secure remote workers, so we aren’t going to focus on that, though it will probably come up in the course of this discussion.

Here’s the reality: it’s no secret that InfoSec and IT staff struggle with stress and a healthy work/life balance (Mental Health and Cybersecurity). There really is no “done for the day”; systems can be attacked or suffer an outage anytime. Add to that the now nearly 3 months of social distancing and quarantine, which add even more stress. We’ve seen an increase in cyber attacks the last 3 months, and if your staff is struggling and has lost focus or is more distracted than usual, your risk increases even more. So what can we do about it? (Disclaimer: neither Evan nor I are licensed mental health professionals, and this conversation should not be taken as professional advice.)

From an information security perspective I think you really captured the increased risks to organizations during this unprecedented time in your blog.

As a leader in an organization, the employees’ health is critical. Looking at it from a business perspective, if they are not able to work we cannot deliver for our customers, but to me that feels cold & cynical. I really do care for every one of our employees; I have a personal, vested interest in their well-being and want to be aware and in touch with their status… That has become incredibly difficult during this time when you can’t read them face-to-face.

So what I want to do is talk about how we can be more aware and help reduce these risks. First is being aware. I found these articles that I thought were really good to help identify and be proactive.

And then some really solid advice for employees, or really anyone feeling additional stress right now.

[Brad] Good conversation. Thank you Evan.

Let’s do some news…

News

[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:

Wrapping Up – Shout outs

[Brad] Alright, that’s it. Episode 83 is a wrap. We got any shout outs this week?

[Evan] We’ll see.

[Brad] Next week is Evan’s show and I think he’s sort of itchin’ to tell us his idea.

[Evan] Yep. Tune in.

[Brad] Thank you to all our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh (B-R-A-D-N-I-G-H) and this other dude is @evanfrancen (just spell his name without a space). Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for goodies and things.

That’s it! Talk to you all again next week!