Posts

The UNSECURITY Podcast – Episode 65 Show Notes – Money Grab

Another week down. Damn, a whole month is down! January is already in the books.

While I’ve got you here, help us out with our mission. We’re busting our tails off doing our part to fix the broken information security industry. We’re striving and doing these things:

  • Setting a common information security language that can be spoken by everyone; the S2Score.
  • Developing and delivering simple (but effective and credible) information security risk assessments for the under-served (SMBs, state and local government, K-12, etc.):
  • Developing and delivering simple (but effective and credible) tools to help the under-served do information security better.
  • Teaching and mentoring others for free. The FRSecure CISSP Mentor Program is in it’s 11th year! We started with six students in 2010, last year we had 532, and this year we had more than 540 enrollments within the first 24 hours! Check it out and enroll here.

What can you do to help? Simple. You can help in (at least) three ways:

  • Do your own S2Org and S2Me assessments.
  • Contribute your opinions and feedback (after all, we’re all in this together).
  • Spread the word. Tell others. Tell them about the S2Org and S2Me assessments and tell them about the FREE FRSecure CISSP Mentor Program!

OK, on to the show…

February is already upon us, and RSA is just around the corner. Speaking of RSA, let’s talk about our industry’s money grab in this week’s episode. Let’s also discuss tips for talking to the board of directors about information security stuff .

This will be fun!

Alright, on to the show notes. This is my (Evan) show to lead and these (below) are my notes.


SHOW NOTES – Episode 65

Date: Monday, February 2nd, 2020

Show Topics:

Our topics this week:

  • Opening
    • Normal Stuff
    • Got Mail?
  • The Money Grab
    • It’s alive and well – everybody wants your $$$.
    • The Bad Guys Of Course
    • The “Good Guys” Too?
  • Talking to the Board
    • Tips
    • Recent Experiences
  • News
Opening

[Evan] Alright, welcome! This is Evan Francen, this is episode 65 of the UNSECURITY Podcast, and the date is February 3rd, 2020. In studio with me is none other than Mr. Brad Nigh. Howdy Brad.

[Brad] We’ll see how awake he is on an early Monday morning.

[Evan] I’m curious, are you a morning person or a night person?

[Brad] I don’t know what he’ll say here…

[Evan] We’ve got a great show planned for you today. Lots to talk about, for sure! We’re going to talk about this industry’s money grab and we’ll cover some tips for speaking to the board of directors. Before we dig in, Brad, how you doing?

Quick Catch-up Talk

[Evan] Alright. Well, let’s get to it. Let’s talk about the money grab in this industry. In case you didn’t know, I’m referring to the information security industry. You have the something that everybody wants. The bad guys, the good guys, and everyone in between. They all want your money. Collectively, I call this the “money grab” and we’re going to discuss this. I want to discuss this because I don’t want you losing your hard earned money to some crook and I don’t want you to piss it away on something that doesn’t do what you thought.

Discussion about the Money Grab

The money grab is alive and well. Everybody wants your $$$. Everybody.

  • The Bad Guys Of Course
    • The 2018 cybercrime industry was worth at least $1.5 trillion
    • There is no low that’s too low.

This slideshow requires JavaScript.

  • The “Good Guys” Too?
    • Gartner estimated that 2019 industry spending was $124 billion in 2019, and by some estimated it’s expected to grow to more than $170 billion by 2022. NOTE: this is for context only and not to imply that this is wasted spending.
    • FUD (scare the sh*t out of you) and Sex Sell (buzzwords, new blinky lights, etc.)
    • Seems like everybody is fighting for your money.
      • Conferences (RSA, Black Hat, etc.)
      • Companies (borderline extortion, crappy advise, etc.)
    • We’re (FRSecure and SecurityStudio) human too. Mission over money, does it keep us honest?

[Evan] It’s a dangerous world and people (non-information security people are confused). I wonder how much of this is on purpose. The enterprise organizations can afford to make mistakes, but the smaller players are left in the cold and they’re suffering because they often miss the basics, the fundamentals. I feel bad for the under-served markets, especially SMBs. This is our primary focus. OK, on that note…

Discussion about talking boards of directors and executive management

[Evan] Brad, you and I have had the privilege on many occasions to talk to boards and executives. What tips do we have?

Some good back and forth discussion I’m sure…

After a while, let’s do some news.

News

[Evan] I’ve only got two stories to discuss today, but I think they’re interesting ones:

Closing

[Evan] OK, that’s it. Episode 65 is in the bag. Brad, you’ve got any ideas for next week’s show yet?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet sometimes. I’m @evanfrancen and Brad’s @BradNigh. If you like company stuff, we work for SecurityStudio (@studiosecurity) and FRSecure (@FRSecure). The company people post good things from time to time too!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 64 Show Notes – 3rd Party Risk

Here we are, already into the 4th week of January and this is the last show for the month.

Quick recap of last week because it was awesome!

On Saturday (1/18), we held our holiday party at Punch Bowl Social. FRSecure and SecurityStudio employees flocked in from all over the country (Nevada, Kentucky, Missouri, Florida, etc.) to celebrate together. We sort of took over the joint with 120+ people eating, drinking, singing karaoke, bowling, playing pool, and hanging out.

One of our core values is “work hard/play hard”, and Lord knows we are experts at both these things! The teams did incredible things in 2019 and every single person played a critical part in our success. It was so awesome to spend time with each other, celebrating (a great 2019) and looking forward to an even better year ahead (2020)! It was a great night!

We gathered everyone together on Monday (1/20) morning for our quarter end/year end meeting. There are no words to describe what these people did in 2019. There isn’t an adequate adjective. By every account, 2019 was a huge success. Not only in terms of dollars and cents, but more importantly in the impact we made on our industry and in people’s lives.

This slideshow requires JavaScript.

Just a few highlights:

  • FRSecure has helped more than 1,000 organizations build and maintain better information security programs.
  • The CISSP Mentor Program helped 532 people learn better information security, secure better career options, and/or successfully pass their CISSP exam. UPDATE: We exceeded the entire 2019 enrollment within 24 hours of opening this year’s registration!
  • We gave more than 100 talks at conferences all over the United States.
  • SecurityStudio made great strides in helping organizations and people speak the same (information security language), including the release of the S2Me.
  • The companies grew at more than 40% again (top line), for the 10th consecutive year.

I could write an entire book about what was accomplished in 2019, and I’m speechless when I think about what we’ll do together this year (2020)!

The Minnetonka HQ office was full and buzzing on Monday! The rest of the week was filled with meetings, conversations, and security stuff. All icing on the cake.

Alright, on to the show notes. This is Brad’s show to lead and these (below) are his notes.


SHOW NOTES – Episode 64

Date: Monday, January 27th, 2020

Show Topics:

Our topics this week:

  • Opening
    • Catching Up
    • FRSecure Year End
    • SecurityStudio Year End
  • 3rd-Party/Vendor Risk Management
    • Let’s get literal.
    • A deep dive.
    • Seven “must haves”.
    • A warning (or two)
  • Next Week
    • Tips for talking to boards
    • I’m going to RSA this year and I already regret it
  • News
Opening

[Brad] Welcome back! This is episode 64 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is  January 27th, and joining me is my co-host, Evan Francen. Good morning Evan.

[Evan] Something energetic and uplifting I’m sure.

[Brad] We’ve got another great show planned for you this week, and we’ve already got some good topics to talk about next week. This week we’re going to cover a deep dive into 3rd-party (or vendor) risk management. Next week we’re going to cover tips for talking to boards and have a conversation about the RSA money grab. Don’t miss it! I’m guessing it could get controversial.

Before we get started, let’s recap last week quick.

  • Brad’s update(s)
  • Evan’s update(s)

[Brad] I wanted to take some time today talking about Vendor Risk Management and the difference between an audit based certification (SOC2, ISO, HITRUST) vs a risk assessment (S2Org or similar).

[Evan] Yeah man! Let’s do it!

3rd-Party/Vendor Risk Management

[Brad] You added stuff to my show notes! What gives man?

[Evan] Yeah, I couldn’t help myself. Hope you’re OK with it.

[Brad] What’s with “let’s get literal”?

Discussion…

[Brad] Let’s talk about the differences between audit based certification (SOC2, ISO, HITRUST, etc.) versus a risk assessment (S2Org or similar).

  • The fundamental differences
  • The positives and negatives to both approaches
  • At the end of the day, what should an organization be trying to accomplish with their Vendor Risk Management program
  • What should the vendor share/not share, how do they handle requests for more than they are comfortable sharing

Be sure to mention the new article (not yet posted), “Seven must-haves for effective third-party information security risk management”. You can get the free preview download by emailing us.

[Brad] Hopefully that was helpful to people working on both sides of Vendor Risk Management. Let’s do some news.

News

[Brad]

Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:

Closing

[Brad] That’s it. Episode 64 is a wrap. Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan is @evanfrancen. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 63 Show Notes – Mission

I’m grateful to be back home. Two weeks in Cancun, Mexico where the sun was shining and the temperature was in the 80s. Now, I’m back in Minnesota where there’s a foot of snow on the ground and the temperature is in the single digits. I’m grateful to be back home because I’m with my family again. My FRSecure and SecurityStudio family!

THANK YOU to Brad and Ryan for doing holding down the fort!

OK, I was in Cancun to begin writing our next book. It’s “our” next book because Brad’s going to write his part and Ryan’s going to add a little flair too. The book is unofficially titled “Securing America” and will start to come together over the next couple of months. The (rough) outline looks like this so far:

  • Introduction
  • Information Security Operating System (ISOS)
    • Components
    • The Cycle
  • Securing America
    • Small Business
    • Local Government
    • Education
    • Home
  • The People Component
  • The Asset Component
  • The Control Component
  • The Process Component
  • The Measurement Component
  • The Journey – All Working Together
  • Starting NOW

If this book is anything like the first one (UNSECURITY), there’s likely to be some changes to the outline, but this is what we’ve got so far.

Alright. On to the show. This is episode 63 of the UNSECURITY Podcast. I’ll be hosting and these are my notes. Joining me in studio will be my co-host Brad Nigh and SecurityStudio’s very own Ryan Cloutier.

Let’s do this!

-Evan


SHOW NOTES – Episode 63

Date: Monday, January 20th, 2020

Show Topics:

Our topics this week:

  • Opening
    • Back Home
    • Book (Securing America) Status
    • What did I miss?
  • U.S. and Iran
    • Finishing the discussion from last week.
    • We’re not out of the woods.
  •  The “Mission” and CISSP Mentor Program
    • What is it?
    • Why do we care?
    • How can you join us?
  • News
Opening

[Evan] Hey UNSECURITY Podcast listeners! This is episode 62 and the date is January 20th, 2020. I’m Evan Francen, and it’s good to be back! I’m hosting today’s show, and joining me in studio is my friendly co-host Brad Nigh and my left-hand man Ryan Cloutier. Hey guys.

[Brad & Ryan] They’ll say “hi” or something.

[Evan] Did you guys catch that? I called Ryan my “left-hand man”. Of course you did, you guys read the show notes! You know why I called Ryan my “left-hand man”?

[Brad & Ryan] Stumped. Maybe.

[Evan] Well, I’ll tell you…

[Evan] Alright, I’m back home. It feels good to be back, and it couldn’t have been any better to come back to a bunch of smiling faces at our holiday party on Saturday! What did you guys think?

[Brad & Ryan] Sharing thoughts and such.

[Evan] We have a ton to cover today! Let’s catch-up quick. You guys cool with that?

Catching Up Discussion
  • Back home
    • Holiday Party
    • Q1/2020, Expectations
  • Book (Securing America) things
  • Did I miss anything?

[Evan] Like always, many good things to look forward too. Love you guys and love being back. Last week I had to run halfway through the show. We were talking about tensions between the United States and Iran and how it affects us all. There’s this talk of a cyberwar between us, and I just want to close the loop a little on the topic.

U.S. and Iran Discussion

[Evan] OK, the world’s not likely to end today, but we need to stay vigilant. Complacency and ignorance come with consequences. Switching gears now…

We talk about this mission at FRSecure and SecurityStudio. Brad, you have your take. Ryan, you have yours. I’ve certainly got mine too, but what is this “mission” and why is it important for our listeners to know about it?

Discussion about The “Mission” and CISSP Mentor Program

An open and honest discussion about our mission.

  • What is it?
  • Why do we care so much about it?
  • Are there ways for people to join us? If so, how?

The CISSP Mentor Program Registration is Open!

[Evan] Yes, it’s all about the mission! The theory is if you focus on the mission you’ll make money, but if you focus on the money, you’re certain to miss the mission. Love it! Alright, good talk. Let’s cover a few news stories, and wrap this thing up.

News

There’s always plenty of news in the information security industry. Here are a few stories that caught my eye recently:

Closing

[Evan] Wow. Lot’s going on and plenty of news to stay up on. I guess this is why they pay us the big buck, right?

This is the end of our show, and we close these things out pretty much the same way every week. Keep sending us your feedback, tips, of whatever else you’d like us to know at unsecurity@protonmail.com. If you have a suggested guest for us to reach out to, let us know that too.

If you’re the social type, socialize with us on Twitter, I’m Evan and you can find me @evanfrancen. Brad’s a cool cat, and you can find him @BradNigh. Ryan’s not to shabby himself, follow him at @CLOUTIERSEC.

That’s it! Talk to you all again next week!