Episode Details:

Join host Nabil Hannan in conversation with Robert Wagner, Advisory CISO and Managing Director at NetSPI. The two discuss the cybersecurity divide and how to prioritize security efforts for small and medium-size businesses in the latest episode of Agent of Influence.

NetSPI Field CISO and host of Agent of Influence podcast Nabil Hannan sat down with Robert Wagner to talk about how and when to establish strong security processes for small and medium-size businesses and beyond.

Show Notes: 

Transcript between Nabil and Robert

Topics covered: Cybersecurity processes, incident response, audit failures, threat model, multi-factor authentication, robust backups, risk communication, board engagement, CIS controls, pen testing, risk assessment, security awareness, mentorship, community impact

This transcript has been edited for clarity and readability. 

Nabil: Hi everyone. I’m Nabil Hannan, Field CISO at NetSPI, and this is Agent of Influence. Today, Robert Wagner joins us to talk about the cybersecurity divide and also how to establish strong security processes. Robert, thank you so much for being here. As we get started, why don’t you maybe tell a little bit about yourself and where you are today, professionally?

Robert: Thanks for having me. I have been in InfoSec for a little over 20 years now, and have had a lot of roles, everything from a third shift stock analyst all the way up to my role now, which is very exciting. I’m a managing director at NetSPI, I just started, and my job is to advise people to help them overcome hurdles and mature their programs.

00:55: What is this concept of the cybersecurity divide, what does it really mean, and how should people think about it?

Nabil: Why don’t we start maybe with you explaining to us this concept of the cybersecurity divide, and what does it really mean, and how should people think about it?

Robert: The term was coined by Wendy Nather back in 2010 and the worst thing about it is she was trying to help people realize that there was such a thing and hopefully overcome it, and all we’ve seen is the gap get worse. It’s gotten worse and worse, especially for small companies, but the concept that she put forward was there’s basically a budget line, where if a company falls below that line for their size of company, they don’t even have enough money and resources to meet even the bare minimum requirements of security hygiene or compliance. If we take a look at the curve of the Fortune 2000 or something around there, you’ll see that somewhere around 300 or 400, a lot of companies start falling below that line. That’s not great, because we’re talking again, just the basic security hygiene, and these companies aren’t even able to achieve it.

02:08: How do you measure wealth production in an organization from a cybersecurity perspective, and what are some of the key indicators that you’re maybe falling behind, or you’re way behind, the line itself?

Nabil: So when it comes to just regular divides, there are obviously countries that are bucketed into different categories, like least developed country to a first world country. You have concepts like GDP per capita, and so on, that normalize some of the wealth production in a country and how they measure it. How do you measure that in an organization from a cybersecurity perspective, and what are some of the key indicators that you’re maybe falling behind, or you’re way behind, the line itself?

Robert: As any good engineer says: it depends, right? It can be very company specific, but usually you know. You can tell if you’re failing your audits, and if you can’t even fix the reasons you’re failing the audits, that would be a good indicator. At some point or another, everybody’s going to have an incident or has had one, if you don’t even have the basic things, like an incident response plan, and I mean, like a real one, not just a cut and paste job, where you’ve said, this is our incident response plan, but nobody knows how to execute it. Those are easy ones. Not having a policy, not having any sort of documentation for your employees on what to do if they see things, things like that, would be a good indicator. In a breach situation, if you can’t recover quickly, that would be another really good indicator that you don’t have the basic resources to do the most simple blocking and tackling.

03:52: Is there reasoning as to why an organization doesn’t prioritize budget towards cybersecurity?

Nabil: Is there reasoning as to why an organization doesn’t prioritize budget towards cybersecurity, that you most commonly see? Is it more a lack of leadership perspective? Is it more just the business sector perspective? Is it something else? What are the patterns out there to look for?

Robert: I’ve seen a lot. I’ve seen even major retailers think that they were not a significant enough target for attackers to go after. Because back in the day, they thought, well, we just sell, you know, basic home goods, right? Why is an attacker going to come after us? So I think very often, it’s just lack of awareness, lack of what an attacker would really go after in your organization, and why. There’s also, for small businesses, one thing that I’m certainly seeing is, as the bigger organizations get better and better at what they do, attackers are turning to smaller companies for easier pickings. Now you may have to hit a lot of them to get the same kind of payoff that you would going after a larger organization, but if that’s where the money is, that’s where the money is. But too often, I think people just don’t think they’re a target, they don’t think they have to worry about it. There’s even a complacency of, well, nothing’s happened so far, so I guess we’re doing okay, right? Too often they’re already breached, and they just don’t know about it yet. The pain is coming. They just aren’t aware. So I think it’s awareness, more than anything. When there is awareness, maybe it’s just not a priority for executives. They think well, we’ve bought antivirus and we’ve bought a firewall. That’s what you’re supposed to do, right? That should be enough. And because there’s no expertise in the organization to really say, no, we have to build a threat model, we have to do some testing, things like that. There’s just no awareness of what could happen.

06:07: How do you know that you’re not the worst one?

Nabil: Is there also the problem where people think, I can’t be the worst one, so I won’t be the first one to get breached? Here’s my question for you there, which is maybe not quite as obvious: how do you know that you’re not the worst one?

Robert: With bigger organizations, it’s been easier, right? We have all sorts of sharing platforms where we can actually tell each other how well we’re doing and what we’re seeing out in the wild, but a lot of smaller companies don’t participate in the ISACs. It does cost money, usually, to do so. So if they haven’t had any actual engagements to test them, I don’t think there’s a good way to tell if you’re the worst one. That whole concept of I don’t have to run faster than the bear, I just have to run faster. I think people used to think that was a legitimate way to approach the problem, but these days, attackers are just opportunistic. They’re going to go after whatever they can find, and sooner or later, they’re going to find you. 

07:15: What advice do you have for the small to medium-sized businesses out there? What should they learn from the bigger companies and where do they start?

Nabil: What advice do you have for the small to medium-sized businesses out there? What should they learn from the bigger companies and where do they start?

Robert: It’s kind of interesting. I see when smaller companies look at large organizations and what they’re doing, they often make two mistakes. One is they don’t learn from any of the mistakes we’ve already made over the last 20 plus years. But then they also try to emulate the larger companies exactly, which is part of the problem, because they don’t have the budget to emulate them exactly. So where to start? It can be tough. If you’re starting from just scratch, maybe taking a look at the CIS 18 controls is a good idea. The nice thing is that CIS has created implementation groups. So for each control, they’re like these two or three at the top, that’s basic hygiene, that’s your first thing to achieve in each control. But you can also then take a look at the 20 controls and start figuring, well, where’s the biggest impact that I’m gonna get? So while we all know that assets should be a priority, we also know how hard it is. At a small company, maybe start with controls number 9 and 10, which are browser security and maybe some endpoint protections, some anti-malware. Doing a basic threat model is not a bad idea, and you probably don’t know how to do one on your own, so doing some research, there are templates out there where you could actually do your own threat model if you wanted to. But just figuring out, what is it we need to protect? What is an attacker most likely to steal when they get into our organization? Those would be a really good start, at least. And then there’s some very simple protections that a lot of companies don’t do that would be super big bang for the buck. If I was a small company, and I could do nothing else, I’d do multi-factor. We hear it all the time in security, but they don’t hear that all the time. They don’t know that probably multi-factor is one of the biggest things they could do, but they have to do it for everybody. It can’t just be some. I think having robust, immutable backups.
I mean, you’re going to get breached, you might as well look good doing it, and you are going to look good if those backups come into play, right? Those are two simple steps, and so simple now. You probably remember when we had to do backups to tape and how terrible it was when you’d forget to change the tape. Three weeks later, you’d find out you haven’t backed up in forever. It’s so easy now, you just back this stuff up and you’re done.

10:17: Are organizations obligated to provide security features as part of the solution, or is it up to the user to decide if they want security features if they have to pay for it or somehow opt in to the security feature?

Nabil: With that being said, we talked about multi-factor, right? And I agree multi-factor is a huge differentiator, and I feel like it should be the bare minimum when it comes to authentication. Every organization needs to provide it. I want to talk about something maybe a little more controversial, but around multi-factor. So a company like X, for example, only offers multi-factor if you pay for a premium account, so my question is maybe twofold, but the primary gist of the question is, are organizations obligated to provide security features as part of the solution, or is it up to the user to decide if they want security features if they have to pay for it or somehow opt into the security feature?

Robert: That’s an interesting question, and when I think about it, I think about banks. Most banks right now consider it their obligation to at least make it available to you and we would consider that critical infrastructure. Are things like X and other social media critical infrastructure? That’s debatable. I mean, we do depend on social for a lot of business right now. I don’t see why they don’t feel the same social pressure to do the same thing for their customers that almost any bank will do for you now, and would prefer that you actually do, because it saves their customers, which is good customer service, and it saves them too, right? It saves them from a lot of hassle and cost and everything else. So I don’t know why X would go to a model where they’re like, oh no, for us to protect you, which also protects us, you’re going to have to pay for it. So I would say, for something like that, they should be doing it just because it’s the right thing to do, social obligation, if nothing else.

Nabil: My perspective on that is also a little different, which is, I don’t think you can leave it to the general public to decide what is good for them and what isn’t, especially from a security perspective. So if someone can’t afford it, they will naturally not get it. Or if someone doesn’t understand it, but can afford it, they may not pay for it because they just simply don’t understand it, and in both cases, you end up exposing your company and your clients to some level of risk because you’re not providing that to them.

Robert: And interestingly enough, we don’t have qualms about mandating that all cars have backup cameras, right? They certainly save lives, and the government’s decided it’s good enough that we’re just not going to give you the choice anymore. It’s going to have to be there. 

Nabil: Or the seat belt or rearview mirrors, for example. Like some little things, there’s many, many examples when it comes to cars.

Robert: Sure, and I don’t think that would be an egregious request. It’s fairly simple. It doesn’t take that much effort to add that into a product.

13:39: Are there certain control frameworks that you like to recommend organizations start implementing, or frameworks that you see adopted by organizations that have been very effective? 

Nabil: If we talk a little bit more about process—we talked about technology and solutioning—if you talk about the process and try to understand where the SMB organizations should focus on which controls to implement first: MFA, maybe the first one. Are there certain control frameworks that you like to recommend organizations start implementing, or frameworks that you see adopted by organizations that have been very effective?

Robert: If nothing else, I think the CIS 18 is probably the most approachable, but if you’re ready to mature a little bit, MITRE ATT&CK is another great framework to start to at least understand your attackers and where your focus for your protections should be. I think another really big mistake that small organizations make is the one the larger organizations were making back when pentesting first started, and that was: so you’d engage for a pentest, and you would literally go, haha, we’re not gonna tell you anything. You have to find your way in, right? And for a small org, you’re burning money that you don’t need to burn. If you just give your pentester a foothold into the organization, and see what they can steal from that foothold, which they’re going to get, you’re going to be much more cost effective. So give them that foothold. Let them tell you exactly how they’re going to steal stuff from you, because then you can start shoring up. Using real world pentesting to guide your efforts, while not an official framework, is a great way to get started, because you’re going to be putting your very small budget dollars into probably the most effective fixes you can. The other mistake that a lot of small organizations make, that larger orgs used to but certainly don’t anymore, is the whole way that they would scope out a pentest to begin with, right? If you don’t have a really good scope, if you just go to any sort of pentesting company, ask for a pentest, and leave it up to them to decide what that is, what they’re going to do is put a 12-year-old with Nessus on your perimeter and call it a pentest. I don’t think a small company might know that that’s not really an effective use of their time and money. Being able to at least get some advice from some friends or the internet or whatever on how to build a proper scope is super critical.

16:20: When it comes to pentesting providers, are the testing methodologies similar enough where you know it’s a worthy comparison? 

Nabil: Do you think the other challenge is pentest providers are hard to compare? It’s often hard to understand if both the providers, if you get quotes from multiple providers, scoped it the same way. Is it truly a comparison of apples to apples? Are the testing methodologies similar enough where you know it’s a worthy comparison? And then lastly, as you said, a 12-year-old with a technology or a tool is very different from a seasoned tester who has much more creative ways of going around controls.

Robert: It is really hard to determine who’s gonna deliver you a quality assessment or pentest or something like that, most of the time. The large organizations, we’re all here at places like Black Hat and DEF CON, and we talk about which companies did a really good job and which companies were like, I got a stack of nothing, right? It was all stuff that I could have found out if I’d run Qualys against my systems. So that helps, social proof can help there. But just like Amazon, you’re never quite sure if someone’s gaming the system or not, so it’s tough. Finding trusted peers in the industry and asking them who’s done a good job for them and what it was that made it a good, productive assessment for them is good, but also within that scope, you should be literally spelling out, hey, not only are you going to do the assessment, but I want a full report on how to fix things, on what the impact of these things are, how deadly they are to my organization, things like that, not just simply the results of I was able to get to this, and that’s it. That’s not very helpful.

18:26: What’s the most effective way to communicate risk to a board?

Nabil: You’ve been in the industry for a really long time, and over that period, you’ve obviously had many discussions with senior leadership and board members, etc. Would love some insights and perspective from you on what’s the most effective way to communicate risk to a board?

Robert: I think everybody struggles with that, right? It’s really difficult. There’s no perfect way, but I’ve seen some really good movement in better ways to communicate to the board. At the end of the day, money is your best sort of translation mechanism for taking security risk and making something that the board can understand. We’ve all seen the risk matrix where you’ve got these little dots of likelihood and stuff like that, and people have been writing about how useless, or worse than useless, these risk matrices are because they kind of give us a sense that we are measuring risk effectively, and usually we’re not there. They’re based on more or less sticking your finger in the wind and taking a wild guess. But folks like Douglas Hubbard, for instance, who wrote the book How to Measure Anything in Cybersecurity Risk, he’s really trying to translate risk into dollar amounts using simple Monte Carlo simulations and then just simple but effective ways to make people better estimators. He’s proven, and other people have proven, that people are really bad at estimating when they don’t know how to make that kind of risk versus reward calculation. But you can recalibrate them in half a day, just doing some simple online exercises. It’s not difficult, but we really don’t know how much the risk bias that we all have built in is skewed the wrong way. A little bit of recalibration of how we assess risk and then putting that into a monetary equation that the board will understand, and basically he’s just talking about probabilities, but what we do is come to your board and say, board, what is your percentile of acceptance of us losing, say, $100,000 this year? Now for a small company, that may still be too much, but for a large company, like a bank or something, they might say, we’ll accept up to 90% risk of that happening. And you’re like, okay, cool. Now how much of a probability are you willing to accept of us losing 20 million?
And then you’re gonna see, well, maybe less than 2% is what we’ll accept as the risk of that happening. And you go, great. So by basing your acceptance of risk on the board and your better estimates of the likelihood of that risk happening, you now get a risk acceptance curve where you can show the board we are above or below what you’ve said you’ll accept. Now you can start saying it’ll cost this much money to get to the level that you want us to be at, and they were the ones that made the decision. You didn’t have to make that decision.

21:49: What is it about the job that you do and what you contribute to the community and cybersecurity that excites you the most?

Nabil: That’s great. Robert, you know, anyone who’s met you or gotten to know you, and I’ve gotten to know you over the recent few months, obviously knows that you’re a very passionate and very dynamic and charismatic person. What I want to learn from you is, what is it about the job that you do and what you contribute to the community and cybersecurity that excites you the most?

Robert: What gets me really excited is just helping people get better. Our field is so difficult. I think I heard once that we have something like 30 times more conferences in InfoSec every year than there are medical conferences. It’s some huge number, and it’s not because we all just like going to conferences. It’s because there’s so much to learn. In fact, even some of the stuff that I do in some of my talks, for you and me and people that have been around a while, seems like almost common sense at this point. But when you start sharing this almost tribal knowledge that we’ve accumulated with people new in the industry, they’re like, oh my God, I’ve never heard that before. So just sharing knowledge, which is so difficult to do because there’s so much of it, but if it lifts people up, if the tide raises all these boats, God, that’s a happy day. I love to be able to do that and I think it benefits the people I try to help as well.

23:16: Is there someone that you consider maybe a mentor, or someone who’s influenced you in your career path that was equally passionate and kind of helped guide you through this journey? 

Nabil: Is there someone that you consider maybe a mentor, or someone who’s influenced you in your career path that was equally passionate and kind of helped guide you through this journey?

Robert: There’s been so many people that I’ve looked up to through the years. Everybody from like Johnny Long right back in the day, building out stuff that was for charity to lift up people in third world countries. The first time I heard what he was doing with one laptop per child, or something like that, oh my God, and what he did with IHack Charities was fantastic. A lot of the people that have helped build the whole conference space and the community, like Jack Daniel and Wolfgang Goerlich, and the Accidental CISO, all these people who are just trying to help so inspired me, and for anybody I forgot, I mean, the list just goes on and on, but I’ve seen so many people actually care. I mean, even I saw him on the board of a charity called Hack for Kids, and when the president of it came to me and said, I’m thinking of starting this, will you help me found it? And just seeing that we could give back to the community by bringing up the next generation of security practitioners, and how much joy that brought to the kids, has just inspired the heck out of me.

Nabil: Awesome. Well, Robert, thank you so much for being here today. It’s always fun chatting with you and I look forward to continuing to work together.

Robert: It’s a pleasure. We’re gonna have a lot of fun.

Nabil: Thank you for joining us today. You can find more episodes on YouTube or wherever you listen to podcasts, as well as at NetSPI.com/AgentofInfluence. If you want to be a guest or want to recommend someone, then please reach out to us at podcast@netspi.com, and as always, stay proactive, my friends.

Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please fill out this short form to submit your interest.