Redefining CyberSecurity

Book | Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program | A Conversation with Author Ryan Leirvik | Redefining CyberSecurity with Sean Martin

Episode Summary

Ryan Leirvik, author of 'Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program,' joins host Sean Martin to discuss the fundamentals of risk management in cybersecurity on the Redefining Cybersecurity podcast.

Episode Notes

Guest: Ryan Leirvik, CEO of Neuvik [@Neuvik]

On LinkedIn | https://www.linkedin.com/in/leirvik/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this episode of the Redefining Cybersecurity podcast, host Sean Martin discusses the fundamentals of risk management in cybersecurity with Ryan Leirvik, author of "Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program." The conversation centers on the importance of understanding risk management in cybersecurity, categorizing assets, and identifying what's important to the business versus what's important to the individual.

They also discuss the need to use frameworks like the NIST CSF to define and categorize risks, the importance of responding quickly to active threats, and having a plan in place for recovery. Sean and Ryan provide practical advice for creating a sustainable cyber program that prioritizes risk management and explain how to set the stage for conversations about cybersecurity with stakeholders. Overall, the episode provides valuable insights into risk management in cybersecurity and how to prioritize and protect critical assets.

ABOUT THE BOOK

When it comes to managing cybersecurity in an organization, most organizations tussle with basic foundational components. This practitioner’s guide lays down those foundational components, with real client examples and pitfalls to avoid.

A plethora of cybersecurity management resources are available―many with sound advice, management approaches, and technical solutions―but few with one common theme that pulls together management and technology, with a focus on executive oversight. Author Ryan Leirvik helps solve these common problems by providing a clear, easy-to-understand, and easy-to-deploy "playbook" for a cyber risk management approach applicable to your entire organization.

This second edition provides tools and methods in a straightforward, practical manner to guide the management of a cybersecurity program. Expanded sections include the critical integration of cyber risk management into enterprise risk management, the important connection between a Software Bill of Materials and third-party risk programs, and additional "how to" tools and material for mapping frameworks to controls.

Who This Book Is For

CISOs, CROs, CIOs, directors of risk management, and anyone struggling to pull together frameworks or basic metrics to quantify uncertainty and address risk

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

____________________________

Resources

Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program (Book): https://www.amazon.com/Understand-Manage-Measure-Cyber-Risk-dp-1484293185/dp/1484293185/

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

voiceover 00:15

Welcome to the intersection of technology, cybersecurity and society. Welcome to ITSPmagazine. You're listening to a new Redefining Security Podcast. Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately and deploying it ineffectively? Perhaps we are. So let's look at how we can organize a successful InfoSec program that integrates people, process, technology and culture to drive growth and protect business value. Knowledge is power, now more than ever.

sponsor message 00:53

Imperva is the cybersecurity leader whose mission is to protect data and all paths to it with a suite of integrated application and data security solutions. Learn more at imperva.com

voiceover 01:10

Pentera, the leader in automated security validation, allows organizations to continuously test the integrity of all cybersecurity layers by emulating real-world attacks at scale to pinpoint the exploitable vulnerabilities and prioritize remediation towards business impact. Learn more at pentera.io

Sean Martin 01:39

Hello, everybody, you're very welcome to a new episode of Redefining Cybersecurity here on ITSPmagazine. This is Sean Martin, your host, where I have the pleasure of trying to figure out how to operationalize security so that the business can succeed safely, versus being blocked from technology and people who think they both know better than the business does. It's a balance, and I have an interesting... it's not interesting, a common view, and maybe not one that's so common that it's widespread and proficiently employed. But looking at this from the viewpoint of risk, I'm fortunate to be part of the program at Pepperdine Graziadio Business School and love the topic of risk. And so when I was introduced to Ryan... Ryan, thanks for joining us.

Ryan Leirvik 02:34

Thanks for having me, Steve. So...

Sean Martin 02:38

I'll go by Steve today. That's, yeah, depends on where the conversation goes. I might want to be Steve. Yeah, no. But when I was introduced to you, and then this topic, I was like, yes, please, can never talk about it enough. Because I think it's really the starting point for many. Well, the original starting point is, what do you want to accomplish? And you have to bake the risk conversation into that. I think a lot of folks jump straight to controls, or maybe actually wrap some policies around that. Or this new company has this new stuff to offer, let me see how I can fit it in. And I think generally we often miss the whole point of risk management, which can be hard to deal with sometimes. So that's what we're gonna talk about today. And it's rooted in a book that you wrote, Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program, which is two things, right...

Ryan Leirvik 03:38

Catchy title, first of all. The intersection...

Sean Martin 03:40

...there. Yeah, you do one to lead to the other. Just kind of my point, I guess, I made earlier. But before we get into all the fun bits that people who geek out on risk, like us, do, will enjoy, tell them a little bit about who Ryan is, what you're up to.

Ryan Leirvik 04:00

Oh, sure. So, well, first, thanks again for having me, Sean. So, Ryan Leirvik, been in security for probably about, well, actually 20 years this year, since 2003. So finally hit the two-decade mark. Largely, you know, IT developer, you know, database guy, turned security individual when securing the database that I was working on to Department of Defense, and then turned pretty quickly into cyber warfare, DoD, for just under 10 years. So spent a lot of time in that space, fell in love with the industry and thought, you know, this is kind of how I think, right? You can always look at systems and practical designs and architectures and say, all right, well, how is this going to fail? Right? Like, where's this going to break? And if it does, why does it matter? So left that largely to go point towards the commercial space, right, given as much as we rely on IT as sort of an enabler. Right? And, you know, it sort of implies perfect, right? Let's not call it flawed, but call it imperfect. And then we keep stacking more imperfect technology on imperfect technology, you know, the imperfections line up pretty well for nefarious individuals to sort of, you know, get after critical information. So we've been spending a lot of time over the last 10 years on the commercial space, helping think through the problem and making sure that, you know, helping that, you know, at least a point of view on how do we keep the fundamentals top of mind when we hit issues like you just brought up, right? Like, what tool should we buy? Right? Where should we hire? Where should we be focusing from a practical standpoint, from our program? So I like... and there didn't seem to be any handbook out there that's like, all right, if I wanted to pull all these things together and really, from a practical sense, you know, have an idea of what I should be paying attention to.
I mean, I know I was grappling for something like that and it didn't exist. So just over time, sort of putting the pieces together and, you know, launched the book a couple years ago, that sort of acts as a playbook to just say, look, when we're stuck, here's three things to think about, from understanding what the risk is, to managing it, to, you know, putting measures in place to manage it. And it just became a practical guidebook, I guess. So, yeah, it's... we do love...

Sean Martin 06:14

...it. And I'm excited to get into this. And I've never really thought about it this way before, but I think we share a common entry point into this world, in the database world, funny enough. And one of my first engineering projects, so we're talking mid-90s here, to kind of set the stage, my first engineering project was on a flat file database that essentially housed very sensitive private... I was working for a landscape company, very sensitive private information about plant material and fertilizers and pests and abatement to protect the plants against the pests. And it was basically the company's secret sauce that they wanted to provide access to the people that work there, and not the competitors. And so they did a risk analysis and said, we need to provide this, we have to protect it, Sean, go off and figure out a way to do that. So that was kind of one of my first engineering projects, and it happened to be a security project as well. But driven by risk, right? Yeah, the company understood what the value of that information was, and what we needed to do to protect it. And so, never really thought about it that way. But yeah, your thoughts?

Ryan Leirvik 07:40

And that's the core right there. Right, like, so, yeah, I would argue that's the very essence of security: understanding what's important and why it needs to be protected. Right. That's it, everything else is sort of everything else. Right. And this is, I think, some of the challenges that we see in security these days. It's like, we see a new threat or a new vulnerability or some new tool, and all of a sudden the questions around that are, great, what do we do about that threat? What do we do about that vulnerability? What do we do about that new tool? Let's go scope it, do whatever, without actually thinking through... I mean, not always, but without immediately thinking through, all right, why does it matter? Right? Is that particular threat pointed at something that's critical, like getting the fertilizer information, right, and understanding how it might be weaponized, right, in certain ways? Or a particular type of fertilizer that you want to keep the IP on, right? And that could be leaked, which, if leaked, then you get copycats, and then all of a sudden your market share goes down. Like, why these things are important, right? Or the vulnerabilities that you might be putting on systems somewhere, right? And these are the challenges of, like, do we even know what's important? And I find that the more we get away from that, the busier we become, but the less secure we become, right?

Sean Martin 08:50

Yeah. And it's interesting. So let's unpack this a little bit. And we can use my example or yours or others, doesn't really matter to me. So I think, generally, and I'm trying to think back if they articulated all the reasons why it was important, I don't know that it mattered to me. And this may be an interesting point, I don't know if it mattered to me, if it's important, or how or why it was important, just that it was, and what they didn't want to happen to it. And in those days, I mean, I was also responsible for a lot of the infrastructure development and deployment. We're setting up lines between offices, direct T1s and things like that. So yeah, pre-widespread-internet type thing. So access to it as a publicly facing web app was not an issue. Right. It was a desktop app available to only certain people, presumably. So the scope was very different. So I guess the couple points there, I guess we can talk about, one is they told me it was important, and why it was important. Not in every situation. So I just kind of knew that I had to do something. And I knew the scope of where it was kind of vulnerable, understanding the network that it wasn't going to be on, or how it was... I think it ultimately was on the network as well. But so let's unpack that a little bit. Kind of the description, communication around understanding the risk. Yeah. And, yeah, that scoping, that the controls are on it.

Ryan Leirvik 10:29

Yeah. And that is the hard part. Because a lot of times, but generally, you can see where you're either told it's important and don't understand why, but you have the authority to keep it safeguarded, right. Or on the flip side, sometimes organizations are in a situation where there is critical information or critical assets, right, connected networks, connected applications that do connect to things that are critical, that may not be seen as critical, but you as the practitioner recognize, if they were to fail, you know, you could have some level of massive impact to the organization, but the organization doesn't know it's critical. So there's two sides of it. And to unpack that a little bit, you know, Sean, to use your terminology here, no matter what it is, you know, there's almost like this lack of a rubric around how we categorize our assets. Right. I mean, there's plenty that are coming out now, and we're seeing some of them over the last couple years, which is good, but a way to actually identify what we mean by critical, and a variety of different examples, you know, have been out, but not seeing the crisp ones show up as much as we'd like. I mean, like NIST, you know, has a good definition in NISTIR 7621. I think that, you know, sort of breaks it down into five categories, right? It's like lost work, lost access, incident response fees, that's like your IR teams, you have to pay legal fees, and lost work, and, you know, lost business. Right? Having a way of actually looking at this from an organizational standpoint, of what the actual impact is, right, is wildly helpful to sort of, you know, weed out what is important and what is not important, or let's just put it in normal parlance, like what's critical and what's not critical.
So in the fertilizer situation, like, if the organization's, you know, intellectual property is the makeup of that fertilizer, I would assume, right? Like, that's what made it critical, right. So they want to keep the recipe. Yep. Okay, so that's sort of your, you know, number one crown jewel, if you will, right. The impact of that coming out would be what, right? The impact of that being leaked, of what the actual formula is, again, we talked about a few minutes ago, like copycats taking it, right, as long as there's not legal protection around it, right. Maybe there is, maybe there isn't, so it doesn't stop people, as we see. But, you know, competitors could use something similar, right, or start butting up against the patent. And next thing you know, like, your ability to serve the market, based on your research and development that you've put in for that particular product, right, to get there, and you're expecting a return on that, there your sales wildly diminish, your ability to serve the market, if somebody comes in and undercuts you, because they don't have to make up that R&D cost. So even though at the time, as a database administrator, or, you know, at least putting things together, you may not know why it's critical, the fact that they're able to identify that as critical and put safeguards around it and prioritize it says, okay, at least we know, from the security standpoint, what problem we're solving for. We're solving for, you know, zero exposure of the mix that is in, you know, X fertilizer, right. And just having that simple definition and understanding for all the security team or practitioners, or even IT folks, be it database or network engineers, or, you know, however the rest of the corporate network is architected and deployed. Right?
Understanding what's critical immediately puts a hyper focus, you know, on those that are actually in the deployment phase, or in the architecture phase, or even in the procurement side, to know we need to be protecting this information. In ways it at least heightens the awareness, if nothing else, if you don't have controls or standards or procedures around it. So just a simple definition of, you know, categorizing it that way, as critical, matters, so that people know what's important. Right? Yep. Yep.

Sean Martin 14:35

Excellent point, because, as I alluded to at the beginning, it was basically just a flat file of a bunch of stuff. Right? If somebody accessed it and was able to look through it all and use it for whatever purpose they wanted, there was really no logical documents somewhere. Right. So to your point, maybe, yeah, kind of similar to that, just format. And, but in a more complex world now... granted, this is early days, and it was a cool use of technology to provide access to information that people wouldn't have gotten access to otherwise. But start throwing business logic around it, right, different use cases, different users, different scenarios, different context. Maybe parts of that data are important to protect, not all of it. Maybe different contexts open and close different paths to different parts of the data. And so understanding, to your point earlier, why, and what really matters in that sense, too. So it was a blanket scope of just protect this. But if that thing grew out and was web facing and had multiple users in different roles and different datasets that had to be manipulated in specific ways, it gets a little more complex.

Ryan Leirvik 16:03

It does, yeah. And the way to sort of break down the complexity that I've seen in the work is a really easy trick, right? It's, what's really important to the business versus what's important to the individual. Right. And so if you can answer that, sometimes it helps you sort of, you know, push more into what's going to have impact on the business, should it get out or leaked, or compromised in any way, right? Or manipulated, right, which is a form of compromise. And the stuff that doesn't, it won't be as impactful. Like, let's just go with the fact that I said earlier, like, maybe not as important. Everything is important, but there are degrees of importance, right. So one big trick, and we see this a lot with insurance, right? It's like, okay, well, what's critical, right? And for those that are running the algorithms and identifying sort of the underwriting pieces, like, they think that the algorithms are the crown jewel, absolutely, 100%. But is it? Right, because what might be important to the individual to do their job may not be important to the outside. So how valuable is an algorithm on weather patterns in, you know, southern Florida for underwriting, you know, let's say, motor vehicles, right? Well, for the business, it's pretty important to get that number right. But if it were leaked, right, or exposed in some way, no one can use it. Because if a competitor tried to use it, that's against the law, and they're probably not going to risk their business in using it, right. But what is important is what assets you're actually underwriting, right? How valuable are those assets, where are they, where are the keys to them, or the extra keys, who has access to them? Right, now that's something that's important, because it's valuable to the outside. And a quick trick could be, all right, is this valuable to an attacker?
Or is this valuable to the business? And, you know, make the distinction between the two. Now you understand, if it's important for the business, it could have impact on the business. Now we're talking about something that's critical, right? Because, you know, if it's just important to an individual to do their job, although important for the job, and lost work could happen if it were compromised, but if it were leaked, you know, from a data breach standpoint, maybe not as catastrophic to the business, right? That's a simple way to start the conversation. And then, of course, you can push into all the, you know, the pieces that are out there now, in terms of just, you know, running through a quick assessment of, you know, do we put a dollar value to it? Do we do a high, medium, low? I mean, you know, they don't take time, it just takes dedicated effort to try to figure it out. And it's not easy. And again, back in, you know, the context of, oh, yeah, if we only had time to do that.

Sean Martin 18:46

Yeah, exactly. Exactly. I mean, it's easy to look back on something and say, okay, that's how that was, what we did made sense, probably doesn't fly now, given where it might be with advances in technology. But what I did want to talk about here, which is, I just jumped in and started talking about it. And I'm wondering if you have any thoughts or advice on that, because I'm assuming that having a framework for how to have a conversation might be an important thing to have, and setting the stage for those who you're going to have that with, so they understand their role in that conversation, what you're bringing, what they're bringing, what the outcome is, might be helpful as well. And somebody like me, jumping straight to, here's how this looks, might not be helpful. Maybe it is, if it's storytelling driven, and that's part of the framework. But talk to me a little about, maybe some of this is covered in your book, talk to me about kind of setting that frame, that stage, that relationship with the stakeholders.

Ryan Leirvik 19:58

Perfect. Yeah, we always need to... but we're ready to jump in. That is usually, you know, the best. Two things. What I was surprised at is some of the fundamentals that we've kind of gotten away from. So to me, the initial framing, right, is, do we know what the risk actually is? Like, do we have a good definition of risk? And why is that important? Because it helps demystify what the risk is not. Right. The pitfall to avoid in most risk conversations, you know, is talking about pieces that don't necessarily apply to the risk, because we only have so many resources, right, time being one, money, and, you know, effectively individuals to help solve the problem. So having a clear, crisp definition of risk, like that, you know, in NISTIR 7621, or, you know, ISO's got a good one, there's a handful of ones out there that, you know, categorically define risk, and sorry, define threats and vulnerabilities plus impact to the business, and once we're talking about impact to the business, you've got a risk, right. So, I mean, at the end of the day, from a corporate standpoint, or enterprise standpoint, we're in the risk management game, right? Trying to identify the risks early on so you can mitigate them. And so the real challenge is inviting people into this world that don't come from it or find it very mysterious. Right? So, I mean, look, you know, cyber used to be information assurance, right? It's like, do we have certain controls in place to ensure that the information, like fertilizer, right, is protected? In a way, even if it's a flat file, and we got to load it, didn't we? Oh, you know, what was the term back in the day, ETL, right, extract, transform and load it into another database, right, somewhere that we're mindful of the sensitivity of the data, right. And there's that piece of it. But now it's gotten so complex, and we call it cyber, like, people don't understand the difference.
You know, most people that aren't in technology have a hard time comprehending it. This is where frameworks can really come in, like standard frameworks. Right? So NIST, ISO, COBIT, you know, HITRUST, depending on what business you're in, right, or what industry you're in, you could use frameworks to say, all right, from a guideline standpoint, at least, we can, again, same with risk, start categorizing these problems. So we can invite our peers in to have conversations without using the word cyber, or without using a technical term that may not be as well understood. As, you know, we might have, you know, asset management, inventory management, patch management, right? Anything that has to do with, you know, something that may need a little bit of understanding of the underlying problem that we're trying to solve. And this industry framework can be really helpful to get the conversation started. It's like, all right, great, like NIST CSF. You know, they all have their merits. But the beauty of the CSF is it starts with five categories, soon to be six coming up in the fall of '23. Right? That really hone in on what the problem is. Okay, great. Like number one, Identify. Okay, what does that mean? Know your most critical assets. We just spent a decent amount of time talking about it. Why is it important? Because that's where the risk is. If those ever are, you know, compromised, not available, or the integrity of it falls down, like the classic CIA model starts to break down, well, now the people and the organizations or the enterprises that rely on that, right, it becomes compromised, and the confidence in those systems or those assets or that information becomes compromised. Now we've got a problem, because the business is at risk, right? At the end of the day. So the CSF starts there, right, and then sort of builds out from, all right, do we know what we're protecting?
So let's get to the compensating controls. Do I have controls in place to protect what we know is important? Great. That's the next layer. Right? Okay, what if those break down? Can we detect any threats? Or, you know, can we monitor or discover any potential events that might do harm to the organization through, you know, breaking through the meaningful safeguards to get to the most important information? Right, you see how you can sort of layer this in, and having a conversation with your peers and managers, or, you know, across or even above, from the oversight or executive committee, you start to have a conversation where you're not even using the word cyber, you're not using mysterious terms, you're just saying, we know it's important to be protected. Can we detect that? Oh, and by the way, there's two other pieces that we always forget about, right, which is, can we respond, and can we recover quickly? Well, what do we mean by that? Great, let's say there's an active threat. How quickly can we identify it and put a team in place to start identifying what's actually happening? Right, you may or may not even get that attribution, but that's not the issue right away. The issue is that you've got visibility, that you can see it. And now, all of a sudden, like, you've got a team in place. Well, that's a really important question. So the response, to have, you know, a category of Respond, really makes a difference for most organizations of any size. Because we spend too much time on Protect and Detect, and not enough on what's important, and responding. Well, then, who cares? That's part of the issue. And then, of course, last but not least, like, you get into the Recover piece. Like, all right, if we can't recover quickly, then the whole business can fail. Right now, we know these models from basic risk management and the tools for a long time, right, and physical risk management for, you know, plants and others, for financial risk management.
The challenge that we have in cybersecurity is, you know, there's this mysterious layer, more than it was in the financial world, right? Because at least financially, people can understand, hey, you've got money, you're deploying it in one place, taking it out from another, and there's a risk that it could get lost. Okay, it's a finite number, right, with, you know, some sort of currency involved here. It's a little bit different; there's systems, there's networks, right? There's applications, right? There's data, right? So there's a variety of different assets that can fall into this. So this is where frameworks come in pretty closely, pretty tightly, I should say, to tighten up the conversation so that we at least have a starting point to, you know, jump in, if you will, right, and start working on the problem. And it actually winds up being very helpful from a deployment of assets standpoint. Because now you can say, all right, you know, do we actually know what's important? Great. All right. Now, do we know if we're protecting it? Right? How many assets can we put towards that? Right? Do we know how to detect it? Do we know how to respond and recover? And from a practical cybersecurity risk management standpoint, you basically get a roadmap, or at least, you know, an architecture of how to start building out your teams.

Sean Martin 26:35

So as we're talking about this, I'm just thinking, there's always the first step to anything IT and security, which is, what do we have? All right, the identification that always comes up. Right, what do you have? Then you have to figure out, what does it do? How important is it? How's it connected to the rest of the things? And getting that knowledge can be super difficult.

Ryan Leirvik 27:11

Right? Yeah, nearly impossible. I mean, small organizations have the benefit, because you can probably talk to everybody about what they're using, you know, and have you set up some rogue access points somewhere, right, that you're bouncing through and using when you're far enough away from the corporate network, or whatever. I mean, in today's day and age it's a little bit different, you know, from a physical standpoint, but yeah, but large organizations, I mean, nobody does asset management well. Very few people do asset management really well. So you're in constant discovery of what's being connected to your enterprise. Right? Be it any and all things, right. And the push to cloud hasn't necessarily made it better, right? Because at times, and we see this quite a bit, the fundamental architecture, right, you know, the rush to get something up and running sort of supersedes the monitoring, the credentialing and access, privileged access management, access management in general. And then the architecture, so that at least from a monitoring or logging standpoint, the SOC or SIEM has some visibility into it. Those seem to go by the wayside sometimes, just to quickly push into, you know, a new infrastructure that's automatically push-button setup for you. And let's forget about that little private/public toggle switch that could mean, oh, if it's critical data, let's put it private, so you don't, you know, release it to the world, per se, or make it public, and now everybody can find it. I mean, the ability to make errors now is a lot easier, and the stakes are higher than, you know, they are, or were, a long time ago, right? And back to the layering of, you know, imperfect technology on imperfect technology deployed imperfectly, right. That's a three-tiered problem.

Sean Martin  29:03

Exactly. My sense is that a lot of this, and maybe this makes it difficult as well, is that you can't get a full, complete picture, which, by the way, will change tomorrow anyway. You kind of have to have a big-picture view of what's what, how do things work? And I think a lot of that comes down to, at least from my perspective, business logic, right. So these are the businesses we're in, these are the transactions we enable, these are the workflows that make that possible. Eventually you get down to the systems that make it happen. But underneath that is all the data you're also trying to protect, for availability and confidentiality and integrity as well. So how, if that's at least partially true, do we have a conversation then to uncover that in a meaningful way?

Ryan Leirvik  30:14

Yeah, this is the hard part, right? And I'd be curious of your thoughts on this, because in my experience, not everybody in the security world knows what the business actually does. Right? From a marketing standpoint, I mean, let's be honest, like the management/tech divide is still alive and well, for sometimes good reasons, and other times, you know, not good reasons. Right. And the reality of what the business actually does, and what business logic is required in order to meet the stated goals and objectives of the business, may not be well understood. That is a problem in and of itself, not so much in the day-to-day activities of security, because we can still do security without it, but in understanding what's important to the business. We keep saying "the business," you know, or "the enterprise," right? Whether you're in, quote, business or not, every organization has a mission, right? You're organized for some reason, right? Be it, you know, anything across the spectrum from, you know, highly capital to widely, you know, benevolent, right, there's a wide spectrum there. But the issue is every organization is organized in a way to meet a stated objective. And the real question is, that, quote, business logic is really important to say, right, what matters to the business, because we rely on the technology so much that there may be instances where there's flaws or imperfections in it that really impact the overall mission, right? Critical infrastructure comes to mind right away, right? The impact can be catastrophic. So in my view, and again, Sean, I'm curious what you've seen here, I haven't necessarily seen, you know, a one-to-one relationship every time between, you know, those that are in security and an understanding of what the business does.
So maybe, you know, that might be one way to really help understand what's critical, and sort of make sure we've got, you know, the proper assets identified, which is almost impossible, right, or at least compensating controls around them, you know, defense in depth, right, and ways where we can start to identify, you know, pieces that, let's say, right, could do harm to the business. The more we understand the business architecture and what the stated goals and objectives of the business are, the easier it is to, you know, reduce the impact of that. But that's, you know, that's one way of looking at it. Yeah.

Sean Martin  32:41

And I think there's no way around looking at the lowest level. At the lowest level, there's this system with this OS running these apps, these services, hosting this data and making it accessible through these connections, right? How do we protect that, right? And there's a baseline level of security for all those elements, right, and it may require multiple layers to kind of protect that thing. And then the data is across those. And so you kind of have those elements that I think we can't get away from. So somebody needs to understand that and attack this problem from that level. But I think where it becomes really interesting is having those conversations, and I apologize that I have to go here, but I keep thinking about generative AI, where instead of looking at a dashboard with a bunch of assets with labels that presumably mean something to somebody, if I could ask a system a question: what does this business unit do? How does it do it? Draw me a diagram that shows me how things are set up to enable that business to succeed. I can then get a picture of, all right, I have some things on premises, I have some things in the cloud, I have these apps that we bought, I have these apps we built. I can start to drill down into figuring out what's underneath the hood. But at least at the big picture, I can see, all right, these are the critical areas of that workflow, and then these are the critical lines between the key transaction points in that workflow. And in those pipes are our datasets that we care deeply about, and the transactions we care deeply about. And then that paints a picture that I think most people can have a conversation around. Right, then that translates. And I think that, while it may be hard, I think is feasible.
With ChatGPT, or whatever, I think having that conversation is usable. I think translating that then into something IT and security can do something with, I think is probably more challenging. And it's probably going to require some tool sets or whatever for the output. But so I think that's where the bottom-up and the top-down come together. In some sense, if we can see what systems are heavily used, which networks have the most throughput, whatever, and kind of map that back to the business stuff, we can kind of then paint another picture that says, this is what's important to the business, this is where a lot of stuff's happening under the hood, these are the exposures. Obviously, we ought to look at the exposure and threat levels of those as well. Probably just talking in circles here. But that's kind of my view on this.

Ryan Leirvik  36:21

It's great. And this is where, you know, database administrators, or folks that come from the data world, have sort of a leg up on this, right? So where you and I came from, right, in terms of identifying what data needs to go where and how we, you know, either normalize it or put it all together. This is where the generative AI matters: what data sets are you pointing it at? What's it using, right, to form the, you know, where are the machines pointed towards to get the logic to then learn, right, and move forward, like, and what's in and what's out? And when you have sort of a, call it a legacy point of view, right, from sort of the old-school days, right, you can see this, like, well, if you're not looking at certain datasets, you'll miss some of those critical nodes. So for example, there are, let's not say a decent amount, but there are a number of, you know, let's just go into the technical debt world, right, for a moment. Organizations, that IT has enabled, let's go back to that as well. Right. So you've got this idea that, you know, organizations don't necessarily spend a lot, don't... wow, that's a wild generality. So the key here is that organizations may or may not spend a lot on tech refresh, if you will, and they may not refresh all of the technology, right? You know, large organizations just don't do that, typically, from a capital expenditure standpoint, right. So if you're pointing sort of this generative AI, and you understand where the code is and how it's actually thinking and learning, if you're missing datasets that may be in some tape backups stored somewhere that didn't get pulled over to the operational side, you may miss things that only happen every five or six years.
Right, and now you've got a warped sense of what might be critical, when you forget, oh, every five years, we have to have this particular report for this federal agency, or this, you know, compliance piece, or whatever the case is, some, you know, 40% owner that asks for this every five years. If we're not looking at the complete data set, then the output may sound great and feel great, but it's incomplete. And, you know, this is where that legacy data understanding of what the whole picture looks like, first, you know, sort of matters, right? And you can see how this, you know, wherever we point it, can, I say, go off the rails, but the picture can be incomplete pretty quickly if the data sources aren't holistic, right?

Sean Martin  38:53

That's it. Yeah, no, I completely agree. And I mean, we can look at GPT-3.5, 4, whatever. Limited to up to 2021, right? So you're gonna get, oh sure, interesting stuff that might be valuable and useful and meaningful, but not complete.

Ryan Leirvik  39:14

Right? Yeah. 'Cause some of the data is just not queryable, like, it's the, or the opposite, it is queryable, but, you know, the lookup, if you will, doesn't know to look for it, or can't ingest it when it does show up, right? Think back to the flat files, like, whatever it was delimited by, like, you know, comma, tab, you know, a pipe or whatever. But if you've missed the commas, you're not going to get that data set, because I didn't know to look for it, I eliminated it from the query because I just figured, you know, it might be a sentence.

Sean Martin  39:44

Structured, unstructured data.

Ryan Leirvik  39:45

That's right. Yeah. And this is what gets so interesting with, like, just the fundamentals, right. The more we sort of push up the stack without that common through line of, this is the type of data or type of system or network that's really critical to the business, without really fundamentally understanding that, we do ourselves a bit of a disservice, you know, by hyper-focusing on other places, because then we're missing the thing that, oh, by the way, the attacker is gonna find because we're not looking at it, and all of a sudden we'll have an issue, right? And I say that tongue in cheek, because it's really hard to get all these things under management, even understand what they are. But at a fundamental level, it still is a goal worth pursuing. Because if we know what we own, right, and we know what's important, then we have at least, we've got a half-solved problem, right? Because it's well defined. And now it's a function of, all right, you know, protecting it in a way that we protect the access controls and protect the access to it, right, the pathways, and, of course, the use and, you know, the manipulation of the information. But, you know, without focusing on that, right, you know, next thing you know, we're focused on the tooling around it, and we're gonna miss the core piece. Right? Yeah. So it always comes back to the fundamentals in some way.

Sean Martin  41:04

I know. And that's where I want to go next. Because I've been in the Pollyanna world that I described, where there's some executive-level committee having these conversations that paint the nice picture. Yeah, probably not going to happen anytime soon. And security's still sitting there trying to figure out, where do I invest? How do I ensure the controls are in place, and that the investments are providing the return on risk mitigation that the company is expecting of me? Yeah, yeah. And how do we get there as we kind of wrap up here? Oh,

Ryan Leirvik  41:39

great. Yeah. So, Sean, three simple things. And again, these aren't easy, but they're simple, right? One, understanding what we're talking about when we talk about risk, right, defining the risk problem. Okay, great. Then having it under management: all right, what are we using from a framework standpoint to guide the program? And that will help line up the initiatives, the activities or initiatives that the organization is funding to address the cybersecurity problem, the risk problem. That's number one, right? And if we do that in a way that's sufficient, in other words, we've got categorical definitions of what we're trying to look for, so like any one of the frameworks do this, right, you can line up activities to them, who actually owns them, what date, you know, they're due by, so you can actually... it's like a program management list, right? Then we can assign measures to it, which is the last part, to say, hey, I don't even know if we're doing well. How do we know what percentage of assets we have identified as critical? Like, how do we know how many employees are passing the annual application management policy awareness program? Right? How do we even know, like, the time to discovered threat to response activity, right? These are ways to sort of bring all those things in context, so at least everyone's on the same page. And once you get everybody on the same page, right, regardless of what the page looks like, everybody's on it. It's like that, again, a well-defined problem becomes half solved, because now you can invite other people into the problem set without using words like cyber and without using, you know, words that we love and we understand but may not be understood in HR or in procurement, right? Especially when it comes to third-party risk, right? Or in the legal community, right.
And it gets us all on the same page to say, all right, well, we know what we're measuring, we know what we're managing, so we know what we're measuring, right. And then we can change the measures over time as we start to mature. And now at least we've got a program to start, you know, start moving forward to, at a fundamental level, that then, back to your sort of, you know, the proverbial boardroom where these conversations are happening, we have a fundamental placement. Okay, do we know what problem it is we're solving for? Are we all on the same page? Yeah. Okay, great, because it's smart people in the room that are there for a reason. The question is, do we have a rubric or a framework or a way of thinking through the problem that, you know, eliminates the assumptions and puts the point squarely on what the problem really looks like? Right. And yeah, there's just one way to do it.

Sean Martin  44:02

And gives those people an opportunity to contribute in a way that matters. Right? That's right. And yeah, and not to your point on assumptions, but also just, I don't think I know, so I'm not going to contribute, because I don't want to influence in a way that's not helpful. When, right, when in fact, if you can actually open it up for them to be helpful, and then them being comfortable in doing so, you're gonna get a much better picture. So yeah, Sean,

Ryan Leirvik  44:31

it's like an architecture. Yeah. Right. I mean, it's the distinction of saying, hey, go build me something, and the best bathroom person in the world sitting back going, I don't know what the building is, I'm not gonna say anything. And next thing you know, you have an office building with no bathrooms. But if you go and say, hey, we're gonna build an office building, which means we need parking, right, we need restrooms, we need it all, all of a sudden, you know, the bathroom person in this scenario says, oh, great, well, how many do we need? Because if you lay out the architecture first, and say this is how we're going to walk through this problem set, now you invite people in to contribute that might have something you may not have expected. Yeah, that's a good point.

Sean Martin  45:05

My question is how many cafes are on each floor? Because we need our coffee. And how close are the restaurants? Exactly. I'm driven by food and coffee. That's a super, super cool conversation, Ryan. And I think, my brain hurts thinking about this a little bit, but in a good way. So I'm sure those listening are probably trying to unravel some things. And that's where I kind of go back to the frameworks you mentioned; we'll include some links for those. And I'll ask you to help me make sure we have the right ones there. And of course, your book, that helps kind of guide folks through some of this as well. You probably include the frameworks in the book too. So... Yep, yep. So

Ryan Leirvik  45:50

I think, some practical examples. So it's like, hey, stuck here? Use this. It's almost like a guidebook, right. So wherever you're stuck, stuck in this part of the problem, great, read that particular piece, implement it, see if it works. Move on to the next one, or don't. Right, yeah,

Sean Martin  46:07

I think we'll cover, I'll recap with two points. Don't be afraid to jump in like I did. But don't be afraid to put some framing around it as well, so you know that you're actually doing something that matters.

Ryan Leirvik  46:22

Exactly. Know you're solving the right problem, right. We love problem solvers. But the question is, are we solving the right one? Exactly.

Sean Martin  46:30

Yeah. Right on, Ryan. Well, thanks for having this chat with me and being part of the show. And thanks, everybody, for listening. Of course, if you have your own thoughts or ideas, I'd be very open to hear them on social media. Of course, if you liked the conversation, share with your friends and your enemies and subscribe. All that good stuff. As you probably are figuring out, I'll put notes that include the links to Ryan's book and his profile and whatnot, so you can connect with him as well. And stay tuned for much more coming, obviously, on Redefining CyberSecurity here on ITSPmagazine. Thanks, everybody. Thank you, Sean.

Voiceover  47:13

Pentera, the leader in automated security validation, allows organizations to continuously test the integrity of all cybersecurity layers by emulating real-world attacks at scale to pinpoint the exploitable vulnerabilities and prioritize remediation towards business impact. Learn more at pentera.io.

Sponsor message  47:39

Imperva is the cybersecurity leader whose mission is to protect data and all paths to it with a suite of integrated application and data security solutions. Learn more at imperva.com.

Voiceover  47:57

We hope you enjoyed this episode of the Redefining Security podcast. If you learned something new and this podcast made you think, then share itspmagazine.com with your friends, family and colleagues. If you represent a company and wish to associate your brand with our conversations, sponsor one or more of our podcast channels. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society.