Organizational Adoption Methodology - Cyber Security CISO

May 10, 2021

The Cyber Rants Podcast

Episode #28: Moving CISOs from Good to Great - with Ed Escobedo

This week, the guys welcome back Ed Escobedo, former Head of Technology Risk Management for PayPal, CIO of Apollo Education Group, VP for DHL, and Charles Schwab, and currently Silent Sector's Chief Strategy Officer. They share how to bust through the growth roadblocks that Cyber security CISOs hit when improving their Organizational Adoption Methodology. They also share the unique Organizational Adoption Framework and Methodology (TM) that Silent Sector uses to bring established cybersecurity programs to the next level.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways all

to protect you from cyber security criminals and now here's your hosts mike rotondo zach fuller and

lauro chavez hello and welcome to the cyberants podcast for another great episode this is your

co-host zach fuller joined by mike retando and lauro chavez and we have guest ed escobedo back

here with us today with for some interesting conversation talking about a program that's

developed and before we dive into that though mike why don't you kick us off with the news

all right so the news for today and this story isn't going away yet so this has been around

for a while hack to patch by law enforcement is a dangerous practice as you all may recall

we've talked about this before but the fbi went and fixed a bunch of exchange servers um without

notifying anybody they got a court order took four days remove the web shells they patched anything

didn't change anything now there's more stories coming out about there are two principal reasons

of concern first apache by exploit contravenes basic enterprise security practices and second

the risk of collateral damage at the enterprise level is too great simply because of the law of

unintended consequences but i'd like to focus on something it's not in the articles that is

the concern of constitutionality and the violation of the bill of rights do they really have the

right to just go into your computer without notifying you and make changes to it so that's

and how many honey how many honey pots do you think they spent all this time patching

exactly well that's the thing is they're not patching they're they're finding the active

root shell right that's calling out to the command and control and so they they go in through that

shell that's already there basically the owners haven't figured out they've been breached and

so the webshell is running and the fbi thinks it's a good idea basically you know to break in

using the web shell itself and then uninstall it which you know i i'm

that's the process i'm i'm questioning right how are they uninstalling the shell

well then they're actually watching the server right right they're not fixing the problem

they're just removing the shell that just makes them exploitable all over again

so some tells me there was more to that hack than uh we're being told

maybe i want to give the fbi the benefit of doubt especially if they're listening hi fbi oh

they're listening oh hi guys yeah no no we think it's real cool and all but yeah you're awesome

somebody somebody's coming up to my door in a black suburban hold on guys i'll be right

back hold up yeah i think it's a pizza yeah uh [ __ ] used new subpoena power to contest contact

companies vulnerable to hacking okay here's another federal thing apparently there was

a law passed sometime last year that went into effect in january that allows homeland security

to use subpoena power to contact u.s internet service providers with customers whose software

is vulnerable to hacking the the cyber security infrastructure security agency system has long

stopped us and uh they basically want to identify technology firms with flaws and contact them prior

to being exploited or hacking again this is just another can of worms that i'm not seeing is a good

idea well well i i you know to be to be the advocate on the other side here i'd like to

just front this conversation with there is a lot of deprecated software that is you know don't

don't you know it's not broken don't fix this sort of mentality because their apps are running on it

that they need a business that is causing probably all kinds of scary stuff at a homeland security

level and so i mean i can understand letting those people know that you know you should you

shouldn't have rdp open to your windows xp box at all ever and you know i mean and so

we we don't have a power sometime to go in and tell a client that right because we have the

business operational you know perspective that they have like if they need it for work it's hard

to justify turning it off but with a subpoena right from uh from a a federal organization can

come in and say look we understand you need to migrate your app yeah so i i kind of don't mind

the strong arm tactic to this extremely deprecated software that like all makes us weaker as a nation

but i i do agree there's some there's some certainly some some you know questions around

the the the programmatic process that you yeah and that that's really my concern and you know

this bill was crafted by a couple lawyers in the house of representatives and then the senate so

lawyers and id i'm not going to go too far down that route that rabbit hole but uh hopefully they

had good input from somebody social engineering watch out for these threats against cyber security

experts um basically what's happening now is their social their social engineering campaigns against

cyber security experts and researchers and they're using the best intentions of these people against

them and trying to get into people's head and exploit them still data and ip so be careful who

you're talking to yeah i've been turning down google and mcafee and all these all these job

people that are approaching me via email and i you know i like to click on the smishing on my on my

on my drop phone just to just to see what type of exploits you're trying to execute into my sms but

good good job guys keep it up you know what i do with those i take those um urls and i put

them into like my cali box you know over a tour and just see what it winds up at and it's always

interesting and generally it's not some place you want to be that's right all right so spam and

fishing in q1 2021 the past year cyber criminals have actually exploited the topic of government

payouts most often in relation to damage caused by the pandemic in q1 2021 scammers imitating bank

emails began to focus on compensation they linked their links in their messages took the victim to a

well-designed fitting page with official emblems business language in reference to relevant laws

uh the attacks are mostly aimed at stealing any credit card details and personal data

so be careful what you click on this is kind of scary if you get older parents that might

have pacemaker or something cyber security and the growing use of medical iot devices

uh major major hackable devices in the iot world are smart pens

infusion and insulin pumps wireless vital monitors thermometers temperature sensors

implantable cardio cardiac devices and of course security cameras these devices were found to be

hackable by via brute force attacks a lot of them are running on deprecated xp machines

during the research the security experts they discovered cardiology device anesthesia equipment

infusion systems mri scanners nuclear medical systems through basic showdown queries so so give

us all a moment of pause next time you go into the hospital or gosh that's again that's just

a huge problem with the medical companies right where they they build it to platform running a

certain version and then they never change right because they don't even think about it they have

no no insight and understanding i think we talked to a client when we first started so

inside sound sector and the guy's like oh no we'll never get hacked no one's ever gonna

come after us says the wise man yeah he who scrubs car with dirty brush still has dirty car

exactly attackers are using compromised accounts to create distributed malicious oauth apps so

oauth apps if you don't know ad business features and user interface enhancements to major cloud

platforms such as o365 and google workspace unfortunately they're also a new threat factor

as bad actors are increasingly using malicious oauth 2.0 applications or cloud malware

to siphon data and access sensitive information in 2022 proofpoint detected more than 180

different malicious applications attacking over 55 percent of customers with a set success rate of 22

the attacker basically creates a malicious code and hosted on a web server by a url compromises

a web target creates an app puts it in the azure portal um marking the application is multi-tenant

application and then they use the code to steal be careful what you're clicking on out there a

malware group leaks millions of stolen off cookies uh raccoon which is i'm giving credit for the name

um there's a fairly typical malware as a service where they pay where you pay 75 to 200 per month

you get access to a toolkit to generate malware payloads and a back-end website to administer

your campaign from it's designed to steal login credentials credit card information cryptocurrency

wallets and browser information so see raccoon is actually an anagram for trash panda so you say it

trash can actually makes sense what is that from is that from uh guardians of the galaxy

maybe anyways and basically what they're using is they're they're using

these cookies and then they're encrypted in the windows api and they're using them to exploit

the malware uh the reason why the start actor focused on stealing off cookies is that they are

better allow better and easier access to an account compared to username and passwords

but to add insult into injury after users were infected by the malware strain that stole their

passwords and personal data the malware operators forgot to secure their back-end servers which we

sensitive user information for hundreds of thousands of victims for more than a month

so i guess the hackers need to work on their process and procedure to ensure

you know the safety of their data the safety of cookies yeah misconfigs and unpatched bugs to top

top cloud native security incidences over half of organizations over the security incident due to

misconfiguration or known vulnerability in their cloud native applications there's an open source

security firm called snick that put out their state of the cloud native application security

report and revealed that adoption of the cloud native techniques is soaring with over 78 percent

of work production work loads now deployed as containers or serverless applications however

this comes with own risk as 60 percent developers have had increased security concerns since going

cloud native they reported misconfiguring 45 and known unpatched bugs 38 were the most commonly

experienced security incidents this one's kind of funny uh you get what you pay for ruck ransomware

finds foothold in bioresearch institute through student who wouldn't pay for software

student went looking for a free uh for a free version of a data visualization software

visualization software tool which would have cost hundreds of dollars per year and he went to

a forum asked to find a free alternative couldn't find a free alternative so he went and purchased a

broken a cracked version and when they launched the software it loaded a trojan which was able

to harvest students access credentials to the biomolecular institute's network

so um yeah be careful crack software cisco critical vulnerabilities enable remote

attackers to execute commands uh this is they've already patched this bug but there are multiple

vulnerabilities the web-based management interface of of cisco hyperflex hx and sd-wan vmanage

uh when exploited allows unaltered remote attackers to execute binary execute arbitrary

code and lastly ransomware hackers infect thousands of sonic wall vpn implementations

there's a ransomware identified as five hands they managed to exploit the zero day flow on sonic wall

sma 100 series vpn solutions uh to compromise networks of different organizations the united

states and europe so with that what do you got for us lauro not as not there's not as many active

exploits that that we've got uh certainly to to the to the front of the of the attack vectors

we're seeing in the news that's for sure so i've got one good one for you this week that i think

is important and it's uh involves wordpress fixed price big surprise anyways so super edit one of

the plugins uh 254 there's a remote file upload piece for that that that's been proof of concept

pretty good so you know you can get you get some arbitrary code past the the the server host in the

wordpress so if you've got wordpress check your plugins if you're running super edit upgrade that

i think they've got a new version out it's like two six or two five six or something like that

check into it make sure you're not vulnerable to the file upload and so that's that's it for this

weekend exportable vulnerabilities want even more cyber ants be sure to subscribe to the cyber rants

podcast get your copy of our best-selling book cyber rants on amazon today this podcast is

brought to you by silent sector the firm dedicated to building world-class cyber security programs

for mid-market and emerging companies across the u.s silent sector also provides industry-leading

penetration tests and cyber risk assessments visit silentsector.com and contact us today

great well thank you both and ed it's great to have you back uh welcome back uh good morning zach

but thank you for having me this morning great our pleasure yeah i'm so excited to talk about this

you know what we're what we're talking about today really is a a discipline that i think is often

forgotten about in in the industry um and that is one of leadership one of alignment across business

units one of really stepping up the maturity level of an existing cybersecurity program so

working in mid-market emerging organizations a lot of times companies start with nothing

go in and get them aligned to a framework get a lot of different things taken care of to get a

formalized cyber security program in place now companies that have that though it seems to me and

you know cures to your thoughts but it seems to me like they um once that's in place they're far

better off than they were before but a lot of companies that you see mid-market and larger

organizations will hit this kind of growth ceiling in the capability of their cyber

security program and it it seems for them to almost be just an ongoing indefinite struggle

you know why is that ed what what are you seeing out there um in the in the in the wild so to speak

and why is these companies that even though they have all the kind of the foundational elements

in place they they kind of hit this this stopping point in terms of maturity sure i mean i think the

thing that i see and and laro and um michael sort of talked about some of the technical depth and

expertise that many csos or i.t security directors have to pay attention to i mean that what i see

is in the bulk of their job is consumed by all of the various exploits that are in the wild and all

the attacks and the surface area attacks that happen across the enterprise and the part that

that that i'm finding and this is confirmed by a gartner report that i recently read is that uh

csos are so consumed by all the technical issues that they have to deal with that it's important

for them i think uh to try to understand how to be more effective in the softer areas of

leadership the areas of influence and governance and relationship building and service delivery

and sort of thinking about their organizations not only and exclusively as the one-stop shop to

you know prevent attacks from from outside into the network but also building influence and

relationship skills across their teams and across the organization across stakeholders to really

make sure that everyone understands the importance of security so it's very much on the other side

of the coin of leadership i mean you have to have the technical chops to be a cso but then the thing

i'm finding is that you also need to have you know strong leadership influence relationship building

skills to build trust credibility and respect with your business partners so what's your advice

or how what kind of guidance would you provide to those let's let's take the example of the cso who

grew up through the technical ranks right and is is tremendously skilled in that um it seems to me

like in a from a business perspective a lot of times it's hard to get it's hard to step out of

what you know really well right in in order to rely on others to do those things right because

you always have certain ways you want to do things and and certain ways that you want to see

different projects accomplished but what would your advice be to those people that are

maybe maybe they're new to the csu role or maybe not but they need to really transition

their thinking in order to reach the next level of capability yeah and and you know

the thinking behind this program that we've developed is really to help csos become more

effective in their careers as leaders uh and as executives and aspiring executives in in the roles

and i and i know how hard the job of cso is i've had cecil's report to me i've been a biso at a

large company and and so it's a very difficult job with lots and lots of pressures and um and demands

i mean the one thing i would encourage csos to do is to sort of think of your role as a business

person right to and there are three keys i think in my mind to help csos be successful one is make

sure that you real reallocate time to relationship build and do strategic planning and that needs to

be aligned with the business i think it's really important that that they think about the role

of the security function security program that is running lockstep with the business and with

the company and the demands of the company and the growth plans of the company and that there's clear

strategic planning alignment with with the key business leaders across the company the second

thing is just prioritizing your time and the allocation of your time as you build relationships

and as you meet other people not just to your own team or not just to the technology the i.t

the cio technology function but prioritize the relationships with non-it stakeholders the cfo

the cmo the person that's doing sales because those are the people that you need to have

uh on your in your in your camp you know when you know when when things don't go as well as

they should and you're dealing with a crisis so building that level of trust proactively i think

is really important and then the third thing i think relates to just making sure that you do the

basic blocking and tackling of leadership so that you can manage stress that you have that you built

a good team around you that you've you know that you're doing all the basic uh service delivery

things around meeting your project timelines that you've set up a governance program that scales

um you know those things i think are critical to have the the core foundation to be able to

and obviously they have a framework in place that you're managing to the risk

um so those are the the three i think keys to success that that you know that i've seen and

that has been validated by by the literature that i've read what would be your advice or

what what kinds of things have you seen that have worked well for you and and others uh in terms of

in terms of creating good collaboration across the various business units you mentioned prioritizing

time with the cfo and the cmo and others that are handling different business aspects

what what's the kind of the practical approach or can you dive into that a little bit more

about what you actually do um with those different business units yeah i mean the relationships well

and the roles that i've played you know when i've had this function in in organizations is you know

number one you just have to make the time right you have to do one-on-ones again when you set up a

cadence with these non i.t stakeholders you put it on your calendar you you give them updates in the

context of the things that they have the second thing that that i've seen that's been effective

is um in places that i've worked is you establish a quarterly business review with your stakeholders

so you have insights and metrics and operational understanding of what's going on with the risk

specifically in the language of their business and the things that you're dealing with particularly

on the service delivery side that are helping their business maybe tickets that you've handled

that are coming from their organization and giving them feedback on how you've been able to handle

and respond and help people that work for your stakeholder constituents you're helping them

be more effective and you know either writing code that's more aligned with best practices and other

things and then the the third thing which is the most important thing is really just getting

alignment at the top you know whether it's the audit risk committee or the ceo or the cto so that

you have a top-down um prioritization i'll call it a hammer that helps the organization realize that

uh this isn't just a security you know keeping the company uh free from hacks and data breaches isn't

just the cso's job it's everyone's job and so getting alignment at the top and making sure that

accountability flows from the top down is another really really important key to success i think so

those are the two or three things that i can think of to help cso's you know build build maturity and

and maybe expand their skill sets into things that they might not have had to deal with in

the past great advice what about uh we we talked a little bit about on the leadership side across

business units from that side but what about within your team um uh defining uh or creating

accountability and and measurement of performance of the various team members well

what would your advice be there yeah well i mean i've always had the opinion as a leader you know

from the many years that i've been in a team that you know you can't improve what you don't measure

right so it it obviously starts with the control baseline and making sure that you have a like a

clear understanding of where your gaps are in your control uh inventory and making sure that that is

that is transparent to not just your own team but to the to your stakeholders both

on the i.t side and on the business side so that everybody's aware where the problems could exist

and then having a cadence that sort of tracks that over time whether it's

monthly or quarterly or you know whatever the cadence that makes sense for your business is

that that obviously is number one um because you have to get alignment around what the top

five to ten wrists are so that you can attack those first there's so many things to fix in

the security area as you know as you guys saw that you've seen so because you want to make sure that

you're focused and you're laser focused on the most important risk that exists in the enterprise

so that would be number one i think the second thing is just making sure that you

help your partners particularly on the i.t side build operational metrics so that they can

align the things that they're doing within you know their ecosystem to ensure that you've got

you know that they're helping you with like operational daily metrics and dashboards that

can give you an insight into how you're moving the needle on reducing risk across the categories

that come out of the framework that you're using let's talk a little bit about we we've actually

developed a a framework and methodology to create organizational alignment gain adoption throughout

the organization and for those listeners that don't know ed is the chief strategy officer of

science sector so when i talk about this on sector's organizational adoption methodology

um what what would you um like to share about that process how can maybe start with a little

bit about how it was developed but um anything else you'd like to um mention the listeners about

you know why it's important to think through this as opposed to um continuing to grind you

know forward the weight with the way things are if you don't have a fully aligned organization

yeah well um i mean it's sort of inspired by by two things um you know one is the just reading

in in in the in the literature that's that's um in the in the public domain about you know how

companies should think about aligning their cyber security programs to the business and the second

as somebody who's always been customer focused and all the jobs i've had in i.t

and in security you know thinking about developing a methodology that takes does an internal internal

assessment of how you think you're doing but then also validating that with key stakeholders

across the business community and doing a 360 degree feedback so with those two things both

sort of a framework that comes from the public domain and the literature that i've read and

then secondly you know just my energy towards you know always being focused on the customer as

kind of the primary role that any leader has to do as an organ in an organization you know

we've come up with you know six principles that we put in place in a methodology that we think

can help csos and i.t security directors really understand sort of how they think they're doing

versus how the business things are doing and then getting those gaps and coming up with practical

recommendations that that they can implement you know in a way that helps helps them close

those gaps and the goal here is to build trust and confidence and respect with the business so

so that they have the ability to to have sustained relationships and also grow their careers and and

be more successful in in the roles that they aspire to be on security maybe down the road

you've put together a six principle process really that you go through it's really really looks

like a framework in essence but um for a thing that your traditional security frameworks don't

don't uh um accomplish and so would you give us an overview of those those six principles

why they matter yeah yeah i can do that so um the first is uh developing uh and governing a healthy

security culture right and that that speaks to both security governance and security culture

across the enterprise the second which i think is to me really really important is speaking and

managing risk in the language of the company or the language of the business you know and i mean

i think we pride ourselves as technologists that you know we speak a certain language and we have

a certain culture that we can understand amongst ourselves but when you're talking to cfo or cmo

they you know they have no idea what you know what what um you know what what a control is or

you know what a vulnerability is i mean so having to explain that in a language that resonates with

them is so critically important the third which i spoke to earlier is really just establishing that

control baseline and that sort of reference point which is kind of helps you establish

the true north of how you're going to make the environment safer and more secure and then the the

fourth one relates to just rationalizing uh your security program and putting it in the narrative

of of the i.t strategy so making sure that the security strategy and security program is clearly

lockstep with the it strategy because you can't do security without this close alignment with the cio

and and the it operations folks that are managing the and operating the environment that's being run

the fifth is uh controlling access without putting a drag on the business i mean i think

one of the things i've seen is sometimes you we as security professionals will

you know lock down everything and cause the business to slow down but sort of being

being having a good understanding of explaining how to help the business go faster in a secure way

rather than you know stopping them from doing it i think is critical and then the final one which

relates to the managing stress which is one of the keys i think is just making sure you have a strong

cross-functional resilience program and a reaction program and an incident management program because

you're going to be dealing with critical events that happen inevitably so you want to make sure

that you have that muscle established and those processes established and the policies

and procedures established so you're not the only one as a security professional having

to steer the ship when something breaks you've got sort of cross representation with legal and

with your technology partners with you know with public relations and other people who need to be

involved when critical incidents happen well thank you ed this is excellent stuff i mean there's a

lot to be said here we certainly uh have more to talk about on on future episodes so thank you for

joining us for the listeners out there ed just has a tremendous background ranging from head

of technology risk management for paypal to cio of apollo education group vp roles for big companies

like dhl and charles schwab and he's u.s air force veteran as well so thank you so much ed any final

thoughts or advice or wisdom you would share with uh with the listeners before we jump off here

no i mean the only thing i will end with is what i always end up with is is how proud i am to be

part of the silent sector team and and serving our mid-market uh clients uh making sure that that we

help them protect the backbone of the american economy i think that's critical and so i'm

excited to have developed this program and to be a resource for csos or i.t security uh directors

who just got into the job who maybe need some help you know if they're struggling with their you know

challenge and getting adoption within their organizations i'm happy to be a resource and

and i think we can bring the full silent security portfolio to to bear you know as opportunities

come up great well thank you ed and if you're a cso or even a cio listening to this and need

some guidance need some help on the topics that we cover today by all means reach out and get

we'll get you connected directly with ed and you can chat and go from there so thank you all for

listening hey hey what was that one thing i'm and i'm i'm happy to jump on a call with anybody

just to sort of just to try to understand what their you know what their challenges are i mean

i'm happy to do that just just to just to get some free advice as people need it you know so

just reach out and we'll get on the call and talk about you know how we can help great thank you so

much ed well and thank you all for listening if you like the podcast please subscribe reach out

let us know what you'd like us to discuss uh concerns that you have questions anything like

that or happy to address in future episodes thank you all for listening and if you haven't checked

out the book on amazon go to look up cyber rants and i think if you enjoy the podcast you'll really

enjoy the material we cover in the book so have a great day and we'll see on the next episode

pick up your copy of the cyber rants book on amazon today and if you're looking to

take your cyber security program to the next level visit us online at www.silentsector.com

join us next time for another edition of the cyber rants podcast

Episode #28: Moving CISOs from Good to Great - with Ed Escobedo

Send Us Your Questions & Rants!

Categories

Archives

Transcript