Episode #28: Moving CISOs from Good to Great - with Ed Escobedo

This week, the guys welcome back Ed Escobedo, former Head of Technology Risk Management for PayPal, CIO of Apollo Education Group, VP for DHL and Charles Schwab, and currently Silent Sector's Chief Strategy Officer. They share how to bust through the growth roadblocks that CISOs hit when improving their organizations' cybersecurity programs. They also share the unique Organizational Adoption Framework and Methodology(TM) that Silent Sector uses to bring established cybersecurity programs to the next level. 


Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cybersecurity criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast for another great episode. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and we have guest Ed Escobedo back here with us today for some interesting conversation, talking about a program that's been developed. Before we dive into that though, Mike, why don't you kick us off with the news?
All right, so the news for today. This story isn't going away yet; this has been around for a while: hack-to-patch by law enforcement is a dangerous practice. As you all may recall, we've talked about this before, but the FBI went and fixed a bunch of Exchange servers without notifying anybody. They got a court order, took four days, removed the web shells. They didn't patch anything, didn't change anything. Now there's more stories coming out. There are two principal reasons for concern: first, patch-by-exploit contravenes basic enterprise security practices, and second, the risk of collateral damage at the enterprise level is too great, simply because of the law of unintended consequences. But I'd like to focus on something that's not in the articles, and that is the concern of constitutionality and the violation of the Bill of Rights. Do they really have the right to just go into your computer without notifying you and make changes to it?

And how many honeypots do you think they spent all this time patching?

Exactly. Well, that's the thing, is they're not patching. They're finding the active root shell, right, that's calling out to the command and control, and so they go in through that shell that's already there. Basically the owners haven't figured out they've been breached, and so the web shell is running, and the FBI thinks it's a good idea, basically, you know, to break in using the web shell itself and then uninstall it. Which, you know, that's the process I'm questioning, right? How are they uninstalling the shell?

Well, then they're actually watching the server, right?

Right. They're not fixing the problem, they're just removing the shell. That just makes them exploitable all over again.

Something tells me there was more to that hack than we're being told.

Maybe. I want to give the FBI the benefit of the doubt, especially if they're listening. Hi, FBI.

Oh, they're listening. Oh, hi guys. Yeah, no, we think it's real cool and all. Yeah, you're awesome.

Somebody's coming up to my door in a black Suburban. Hold on guys, I'll be right back.

Hold up. Yeah, I think it's a pizza.

Yeah. [__] used new subpoena power to contact companies vulnerable to hacking. Okay, here's another federal thing. Apparently there was a law passed sometime last year that went into effect in January that allows Homeland Security to use subpoena power to contact U.S. internet service providers with customers whose software is vulnerable to hacking. The Cybersecurity and Infrastructure Security Agency system has long stopped us, and they basically want to identify technology firms with flaws and contact them prior to being exploited or hacked. Again, this is just another can of worms that I'm not seeing is a good idea.

Well, to be the advocate on the other side here, I'd like to just front this conversation with: there is a lot of deprecated software that is, you know, the "it's not broken, don't fix it" sort of mentality, because their apps are running on it that they need as a business, and that is causing probably all kinds of scary stuff at a Homeland Security level. And so, I mean, I can understand letting those people know that, you know, you shouldn't have RDP open to your Windows XP box at all, ever. And we don't have the power sometimes to go in and tell a client that, right, because we have the business operational perspective that they have: if they need it for work, it's hard to justify turning it off. But with a subpoena from a federal organization, they can come in and say, look, we understand you need to migrate your app. So I kind of don't mind the strong-arm tactic toward this extremely deprecated software that makes us all weaker as a nation. But I do agree there's certainly some questions around the programmatic process.

Yeah, and that's really my concern, and you know, this bill was crafted by a couple lawyers in the House of Representatives and then the Senate, so lawyers and IT... I'm not going to go too far down that rabbit hole, but hopefully they had good input from somebody. Social engineering: watch out for these threats against cybersecurity experts. Basically what's happening now is there are social engineering campaigns against cybersecurity experts and researchers, and they're using the best intentions of these people against them, trying to get into people's heads and exploit them to steal data and IP. So be careful who you're talking to.

Yeah, I've been turning down Google and McAfee and all these job people that are approaching me via email, and I like to click on the smishing on my drop phone just to see what type of exploits you're trying to execute into my SMS. But good job guys, keep it up.

You know what I do with those? I take those URLs and I put them into my Kali box over Tor and just see where it winds up at, and it's always interesting, and generally it's not some place you want to be.

That's right. All right, so spam and phishing in Q1 2021. The past year cybercriminals have actually exploited the topic of government payouts, most often in relation to damage caused by the pandemic. In Q1 2021 scammers imitating bank emails began to focus on compensation. The links in their messages took the victim to a well-designed phishing page with official emblems, business language and reference to relevant laws. The attacks are mostly aimed at stealing any credit card details and personal data, so be careful what you click on. This is kind of scary if you've got older parents that might have a pacemaker or something: cybersecurity and the growing use of medical IoT devices.
Major hackable devices in the IoT world are smart pens, infusion and insulin pumps, wireless vital monitors, thermometers, temperature sensors, implantable cardiac devices and, of course, security cameras. These devices were found to be hackable via brute force attacks; a lot of them are running on deprecated XP machines. During the research, the security experts discovered cardiology devices, anesthesia equipment, infusion systems, MRI scanners and nuclear medical systems through basic Shodan queries. So give us all a moment of pause next time you go into the hospital.

Gosh, that's again, that's just a huge problem with the medical companies, right, where they build it to a platform running a certain version and then they never change, right, because they don't even think about it. They have no insight and understanding. I think we talked to a client when we first started Silent Sector and the guy's like, oh no, we'll never get hacked, no one's ever gonna come after us.

Says the wise man. Yeah, he who scrubs car with dirty brush still has dirty car.
Exactly. Attackers are using compromised accounts to create distributed malicious OAuth apps. So OAuth apps, if you don't know, add business features and user interface enhancements to major cloud platforms such as O365 and Google Workspace. Unfortunately they're also a new threat vector, as bad actors are increasingly using malicious OAuth 2.0 applications, or cloud malware, to siphon data and access sensitive information. In 2022 Proofpoint detected more than 180 different malicious applications attacking over 55 percent of customers, with a success rate of 22. The attacker basically creates malicious code and hosts it on a web server by a URL, compromises a web target, creates an app, puts it in the Azure portal marking the application as a multi-tenant application, and then they use the code to steal. Be careful what you're clicking on out there.

A malware group leaks millions of stolen auth cookies. Raccoon, which is, I'm giving credit for the name, there's a fairly typical malware-as-a-service where you pay 75 to 200 per month, you get access to a toolkit to generate malware payloads and a back-end website to administer your campaign from. It's designed to steal login credentials, credit card information, cryptocurrency wallets and browser information.

So see, raccoon is actually an anagram for trash panda, so if you say it "trash can" it actually makes sense.

What is that from? Is that from Guardians of the Galaxy?

Maybe. Anyways, basically what they're using is these cookies, and then they're encrypted in the Windows API, and they're using them to exploit the malware. The reason why the threat actor focused on stealing auth cookies is that they allow better and easier access to an account compared to usernames and passwords. But to add insult to injury, after users were infected by the malware strain that stole their passwords and personal data, the malware operators forgot to secure their back-end servers, which leaked sensitive user information for hundreds of thousands of victims for more than a month. So I guess the hackers need to work on their process and procedure to ensure, you know, the safety of their data.

The safety of cookies. Yeah.

Misconfigs and unpatched bugs top cloud native security incidents. Over half of organizations have had a security incident due to misconfiguration or a known vulnerability in their cloud native applications. There's an open source security firm called Snyk that put out their State of Cloud Native Application Security report and revealed that adoption of cloud native techniques is soaring, with over 78 percent of production workloads now deployed as containers or serverless applications. However, this comes with its own risk, as 60 percent of developers have had increased security concerns since going cloud native. They reported misconfiguration (45) and known unpatched bugs (38) were the most commonly experienced security incidents.

This one's kind of funny: you get what you pay for. Ryuk ransomware finds foothold in bioresearch institute through student who wouldn't pay for software. A student went looking for a free version of a data visualization software tool, which would have cost hundreds of dollars per year, and he went to a forum, asked to find a free alternative, couldn't find a free alternative, so he went and purchased a cracked version. And when they launched the software it loaded a trojan which was able to harvest the student's access credentials to the biomolecular institute's network. So yeah, be careful of cracked software.

Cisco critical vulnerabilities enable remote attackers to execute commands. They've already patched this bug, but there are multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX and SD-WAN vManage which, when exploited, allow unauthenticated remote attackers to execute arbitrary code. And lastly, ransomware hackers infect thousands of SonicWall VPN implementations.
There's a ransomware identified as FiveHands. They managed to exploit the zero-day flaw on SonicWall SMA 100 series VPN solutions to compromise networks of different organizations in the United States and Europe. So with that, what do you got for us, Lauro?

Not as many. There's not as many active exploits that we've got, certainly, at the front of the attack vectors we're seeing in the news, that's for sure. So I've got one good one for you this week that I think is important, and it involves WordPress. Fixed price, big surprise. Anyways, so Super Edit, one of the plugins, 2.5.4, there's a remote file upload piece for that that's been proof-of-concepted pretty good. So you know, you can get some arbitrary code past the server host in the WordPress. So if you've got WordPress, check your plugins. If you're running Super Edit, upgrade that. I think they've got a new version out, it's like 2.6 or 2.5.6 or something like that. Check into it, make sure you're not vulnerable to the file upload. And so that's it for this week in exploitable vulnerabilities.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book Cyber Rants on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cybersecurity programs for mid-market and emerging companies across the U.S. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.
Great. Well, thank you both. And Ed, it's great to have you back. Welcome back.

Good morning Zach, and thank you for having me this morning.

Great, our pleasure. Yeah, I'm so excited to talk about this. You know, what we're talking about today really is a discipline that I think is often forgotten about in the industry, and that is one of leadership, one of alignment across business units, one of really stepping up the maturity level of an existing cybersecurity program. So working in mid-market emerging organizations, a lot of times companies start with nothing. We go in and get them aligned to a framework, get a lot of different things taken care of to get a formalized cybersecurity program in place. Now companies that have that, though, it seems to me, and curious to your thoughts, but it seems to me like once that's in place they're far better off than they were before, but a lot of companies that you see, mid-market and larger organizations, will hit this kind of growth ceiling in the capability of their cybersecurity program, and it seems for them to almost be just an ongoing, indefinite struggle. You know, why is that, Ed? What are you seeing out there in the wild, so to speak, and why is it these companies that, even though they have all the kind of foundational elements in place, they kind of hit this stopping point in terms of maturity?

Sure. I mean, I think the thing that I see, and Lauro and Michael sort of talked about some of the technical depth and expertise that many CISOs or IT security directors have to pay attention to, I mean, what I see is the bulk of their job is consumed by all of the various exploits that are in the wild and all the attacks and the surface area attacks that happen across the enterprise. And the part that I'm finding, and this is confirmed by a Gartner report that I recently read, is that CISOs are so consumed by all the technical issues that they have to deal with that it's important for them, I think, to try to understand how to be more effective in the softer areas of leadership: the areas of influence and governance and relationship building and service delivery, and sort of thinking about their organizations not only and exclusively as the one-stop shop to, you know, prevent attacks from outside into the network, but also building influence and relationship skills across their teams and across the organization, across stakeholders, to really make sure that everyone understands the importance of security. So it's very much on the other side of the coin of leadership. I mean, you have to have the technical chops to be a CISO, but then the thing I'm finding is that you also need to have strong leadership, influence and relationship building skills to build trust, credibility and respect with your business partners.

So what's your advice, or what kind of guidance would you provide to those... let's take the example of the CISO who grew up through the technical ranks, right, and is tremendously skilled in that. It seems to me like, from a business perspective, a lot of times it's hard to step out of what you know really well, right, in order to rely on others to do those things, because you always have certain ways you want to do things and certain ways that you want to see different projects accomplished. But what would your advice be to those people that are, maybe they're new to the CISO role or maybe not, but they need to really transition their thinking in order to reach the next level of capability?

Yeah. And you know, the thinking behind this program that we've developed is really to help CISOs become more effective in their careers as leaders and as executives and aspiring executives in their roles. And I know how hard the job of CISO is. I've had CISOs report to me, I've been a BISO at a large company, and so it's a very difficult job with lots and lots of pressures and demands. I mean, the one thing I would encourage CISOs to do is to sort of think of your role as a business person, right? And there are three keys, I think, in my mind, to help CISOs be successful. One is make sure that you reallocate time to relationship building and do strategic planning, and that needs to be aligned with the business. I think it's really important that they think about the role of the security function, the security program, as running lockstep with the business and with the company and the demands of the company and the growth plans of the company, and that there's clear strategic planning alignment with the key business leaders across the company. The second thing is just prioritizing your time and the allocation of your time as you build relationships and as you meet other people, not just your own team or not just the technology, the IT, the CIO technology function, but prioritize the relationships with non-IT stakeholders: the CFO, the CMO, the person that's doing sales, because those are the people that you need to have in your camp, you know, when things don't go as well as they should and you're dealing with a crisis. So building that level of trust proactively I think is really important. And then the third thing I think relates to just making sure that you do the basic blocking and tackling of leadership, so that you can manage stress, that you've built a good team around you, that you're doing all the basic service delivery things around meeting your project timelines, that you've set up a governance program that scales. Those things I think are critical to have the core foundation to be able to... and obviously that you have a framework in place that you're managing to the risk. So those are the three, I think, keys to success that I've seen and that have been validated by the literature that I've read.

What would be your advice, or what kinds of things have you seen that have worked well for you and others in terms of creating good collaboration across the various business units? You mentioned prioritizing time with the CFO and the CMO and others that are handling different business aspects. What's kind of the practical approach, or can you dive into that a little bit more about what you actually do with those different business units?

Yeah, I mean, the relationships, well, and the roles that I've played, you know, when I've had this function in organizations, is, number one, you just have to make the time, right? You have to do one-on-ones. Again, when you set up a cadence with these non-IT stakeholders, you put it on your calendar, you give them updates in the context of the things that they have. The second thing that I've seen that's been effective in places that I've worked is you establish a quarterly business review with your stakeholders, so you have insights and metrics and operational understanding of what's going on with the risk, specifically in the language of their business, and the things that you're dealing with, particularly on the service delivery side, that are helping their business: maybe tickets that you've handled that are coming from their organization, and giving them feedback on how you've been able to handle and respond and help people that work for your stakeholder constituents. You're helping them be more effective and, you know, either writing code that's more aligned with best practices and other things. And then the third thing, which is the most important thing, is really just getting alignment at the top, you know, whether it's the audit risk committee or the CEO or the CTO, so that you have a top-down prioritization, I'll call it a hammer, that helps the organization realize that this isn't just a security... you know, keeping the company free from hacks and data breaches isn't just the CISO's job, it's everyone's job. And so getting alignment at the top and making sure that accountability flows from the top down is another really, really important key to success, I think. So those are the two or three things that I can think of to help CISOs build maturity and maybe expand their skill sets into things that they might not have had to deal with in the past.

Great advice. What about, we talked a little bit about the leadership side across business units, from that side, but what about within your team, defining or creating accountability and measurement of performance of the various team members? What would your advice be there?

Yeah, well, I mean, I've always had the opinion as a leader, you know, from the many years that I've been in a team, that you can't improve what you don't measure, right? So it obviously starts with the control baseline and making sure that you have a clear understanding of where your gaps are in your control inventory, and making sure that that is transparent to not just your own team but to your stakeholders, both on the IT side and on the business side, so that everybody's aware where the problems could exist, and then having a cadence that sort of tracks that over time, whether it's monthly or quarterly or whatever the cadence that makes sense for your business is. That obviously is number one, because you have to get alignment around what the top five to ten risks are so that you can attack those first. There's so many things to fix in the security area, as you guys have seen, so you want to make sure that you're laser focused on the most important risk that exists in the enterprise. So that would be number one. I think the second thing is just making sure that you help your partners, particularly on the IT side, build operational metrics so that they can align the things that they're doing within their ecosystem to ensure that they're helping you with, like, operational daily metrics and dashboards that can give you an insight into how you're moving the needle on reducing risk across the categories that come out of the framework that you're using.

Let's talk a little bit about... we've actually developed a framework and methodology to create organizational alignment, gain adoption throughout the organization, and for those listeners that don't know, Ed is the Chief Strategy Officer of Silent Sector. So when I talk about this, Silent Sector's Organizational Adoption Methodology, what would you like to share about that process? Maybe start with a little bit about how it was developed, but anything else you'd like to mention to the listeners about why it's important to think through this as opposed to continuing to grind forward with the way things are if you don't have a fully aligned organization?
Yeah, well, I mean, it's sort of inspired by two things. You know, one is just reading in the literature that's in the public domain about how companies should think about aligning their cybersecurity programs to the business. And the second, as somebody who's always been customer focused in all the jobs I've had in IT and in security, you know, thinking about developing a methodology that does an internal assessment of how you think you're doing, but then also validating that with key stakeholders across the business community and doing a 360-degree feedback. So with those two things, both sort of a framework that comes from the public domain and the literature that I've read, and then secondly, you know, just my energy towards always being focused on the customer as kind of the primary role that any leader has in an organization, you know, we've come up with six principles that we put in place in a methodology that we think can help CISOs and IT security directors really understand sort of how they think they're doing versus how the business thinks they're doing, and then getting those gaps and coming up with practical recommendations that they can implement, you know, in a way that helps them close those gaps. And the goal here is to build trust and confidence and respect with the business, so that they have the ability to have sustained relationships and also grow their careers and be more successful in the roles that they aspire to be in, in security, maybe down the road.
You've put together a six-principle process, really, that you go through. It really looks like a framework in essence, but for a thing that your traditional security frameworks don't accomplish. And so would you give us an overview of those six principles, why they matter?

Yeah, I can do that. So the first is developing and governing a healthy security culture, right, and that speaks to both security governance and security culture across the enterprise. The second, which I think is, to me, really, really important, is speaking and managing risk in the language of the company or the language of the business. You know, I mean, I think we pride ourselves as technologists that we speak a certain language and we have a certain culture that we can understand amongst ourselves, but when you're talking to a CFO or CMO, they have no idea what a control is or what a vulnerability is. I mean, so having to explain that in a language that resonates with them is so critically important. The third, which I spoke to earlier, is really just establishing that control baseline and that sort of reference point, which kind of helps you establish the true north of how you're going to make the environment safer and more secure. And then the fourth one relates to just rationalizing your security program and putting it in the narrative of the IT strategy, so making sure that the security strategy and security program is clearly lockstep with the IT strategy, because you can't do security without this close alignment with the CIO and the IT operations folks that are managing and operating the environment that's being run. The fifth is controlling access without putting a drag on the business. I mean, I think one of the things I've seen is sometimes we as security professionals will, you know, lock down everything and cause the business to slow down, but having a good understanding of explaining how to help the business go faster in a secure way, rather than stopping them from doing it, I think is critical. And then the final one, which relates to managing stress, which is one of the keys, I think, is just making sure you have a strong cross-functional resilience program and a reaction program and an incident management program, because you're going to be dealing with critical events that happen inevitably. So you want to make sure that you have that muscle established and those processes established and the policies and procedures established, so you're not the only one as a security professional having to steer the ship when something breaks. You've got sort of cross representation with legal and with your technology partners, with public relations and other people who need to be involved when critical incidents happen.

Well, thank you Ed, this is excellent stuff. I mean, there's a lot to be said here. We certainly have more to talk about on future episodes, so thank you for joining us. For the listeners out there, Ed just has a tremendous background, ranging from Head of Technology Risk Management for PayPal to CIO of Apollo Education Group, VP roles for big companies like DHL and Charles Schwab, and he's a U.S. Air Force veteran as well. So thank you so much Ed. Any final thoughts or advice or wisdom you would share with the listeners before we jump off here?
No, I mean, the only thing I will end with is what I always end up with, is how proud I am to be part of the Silent Sector team and serving our mid-market clients, making sure that we help them protect the backbone of the American economy. I think that's critical, and so I'm excited to have developed this program and to be a resource for CISOs or IT security directors who just got into the job, who maybe need some help, you know, if they're struggling with their challenge in getting adoption within their organizations. I'm happy to be a resource, and I think we can bring the full Silent Sector portfolio to bear, you know, as opportunities come up.

Great. Well, thank you Ed. And if you're a CISO or even a CIO listening to this and need some guidance, need some help on the topics that we covered today, by all means reach out and we'll get you connected directly with Ed, and you can chat and go from there. So thank you all for listening.

Hey, hey, what was that one thing... and I'm happy to jump on a call with anybody just to sort of try to understand what their challenges are. I mean, I'm happy to do that, just to give some free advice as people need it, you know. So just reach out and we'll get on the call and talk about how we can help.

Great, thank you so much Ed. Well, and thank you all for listening. If you like the podcast, please subscribe, reach out, let us know what you'd like us to discuss, concerns that you have, questions, anything like that, we're happy to address in future episodes. Thank you all for listening, and if you haven't checked out the book on Amazon, go look up Cyber Rants, and I think if you enjoy the podcast you'll really enjoy the material we cover in the book. So have a great day and we'll see you on the next episode.
Pick up your copy of the Cyber Rants book on Amazon today, and if you're looking to take your cybersecurity program to the next level, visit us online at www.silentsector.com. Join us next time for another edition of the Cyber Rants podcast.