Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hi, this is Gordon Rudd coming to you from Python 2021, brought to you by Conf42. Today I'm going to be speaking to you on a subject that's really near and dear to my heart, creating scalable and sustainable cybersecurity for any size organization. I'm very excited to be here today, simply because many years ago, I started my technology career as a programmer, using a programming language that most of you have probably only read about in history books called Fortran. Today we're going to be speaking at a conference with one of the premier languages on the planet, especially a premier language in the cybersecurity field. I'm sure you're aware that every computer on the planet has the ability to create log files and literally record everything that's going on on the machine. Sounds great, but it creates a river of data, and this river of data flows into a data lake that creates a data ocean. And cybersecurity professionals such as myself, we're only interested in really one thing. We're trying to find where the bad things might happen. Well, you can imagine when we look at a river or we look at an ocean, we're really only seeking one drop of water. And it's very difficult to find that drop of water without a tool that's going to help you isolate this exact drop and then figure out exactly what that means. Python is one of those tools that helps us to create safer systems, systems that we can secure and to find the bad actors, and we find it everywhere. If you're a penetration tester, or pen tester, as we call it, Python's your tool. You're going to be using many different tools, but when you're going to create something, it's probably going to be in Python.

For today, we've got a really short agenda, but it's really packed with content. We're going to try and define the relationship between scalability, sustainability, and the flexibility that's required in any cybersecurity program or department. And we're going to try and show you how that scalability and flexibility relates to your Python programming every single day for your organization. And we want to walk you through how an organization should assess their cybersecurity program and assess its operational readiness. Successfully communicating with your governance risk committee teams, your C suite and your board is also a critical function of cybersecurity. Identifying and focusing on the top five areas where CISOs need to be successful is one of the last things we want to do. And I want to make sure that as we're going through this that you all get a sense of what it takes to be a success at that C level. So you may want to be in the C level one day, or you may just work for people that are in the C level and you want to understand them a little better from a security perspective.
We've been doing this for 1000 years. We've been building castles to protect ourselves and protect our tribes for a thousand years. And we haven't changed the way we do it today. Cybersecurity today works very much like this. We've got inner walls, the watchtower, guard checks, limited entry. We've got a demilitarized zone, or a DMZ, as we refer to it. We all use this castle doctrine, which is what we refer to this model as, to create scalable cybersecurity for every organization. That's the model that every organization uses. But scalability is directly equatable to economic flexibility. I had several of my friends call when Covid hit a year or so ago and say, oh, my God, the C suite has gone crazy. They're sending out laptops from XYZ company that haven't been vetted, we haven't been able to touch them. We're doing all these crazy things. What should we do? How should we handle this? And my counsel back to them was very simple. The C suite and the board are doing everything they can to keep the organization afloat. They're doing everything they can to make sure that those checks that come to your bank account automatically every other week keep coming. So perhaps you should help them do what they're doing right now to keep the company alive and we can recover on the back end and see if we can't plug any holes that we've created for ourselves. That's the kind of attitude I think we all in technology need to have, is how can we keep the organization going, yet accomplish our objective in cybersecurity? We have all these layers that we work with constantly, and at the same time, we've got to maintain that CIA triad: the confidentiality, integrity, and availability of the data. Those things are never going to change. They're constants in our organization.
So when I go in to consult with an organization, one of the first things that I ask is, what is your cybersecurity readiness? And they'll say, well, what do you mean? And my next question is always, would you have a SOC or no SOC? Well, if you don't have a security operations center, you probably don't have the kind of cybersecurity readiness that it's going to take in today's world. We're having pipelines shut down. We have the ability to shut down nuclear reactors, any power generation station. We can shut down radio and TV stations. Hackers can just about do any darn thing they want to do today. Well, it's up to us not only to build the castle, but to watch what they're doing. If we don't have a SOC structure, if we don't have a formal place to center all the information and all the analysis, we're really running behind the power curve. So as we're building our castle, as we're building our castle doctrine security system that we all use, the first milestone that I always ask everybody for is your security education, training and awareness program. Do you have one? Cybersecurity today, simply put, is a team sport. And everybody in your organization, every single person in your organization, is part of that team.
So from a programmer's perspective, you're part of that cybersecurity team. Also, you should be thinking about security education, training and awareness. And your cybersecurity team should be helping you out with that. They should also be looking to you for help in how to create secure code, how to do code walkthroughs, how to do structured code walkthroughs, things that are going to help the code that comes out of your programming department to be more secure and to make sure that we're trapping the right errors, and that that security that's baked into our applications as we develop them is also part of the overall security fabric of the organization. Because the other thing that you have to do as a CISO, when you come in, you're going to identify your stakeholders, and you're going to have to understand your numbers. Your stakeholders don't just include the board of directors and everybody that's in the C suite. They also include every line of business owner, every line of business manager, director, whatever you want to call them. Any department head is one of your stakeholders. You've got to understand their needs. Now, as a programmer or business analyst that's creating programs, you're going to have a very unique perspective on at least one department, maybe two or three. You're going to understand the handoffs between departments and between programs. You're going to have to help your cybersecurity team make sure that they know where those touch points are and that they're doing everything they can to make sure that those touch points are secure.
You also have to understand your numbers. A small to medium sized organization today, let's say it's a three to $5 billion bank in the finance industry, they're going to see at least 500 million bad actors pass their firewall every year. That's a ton of bad actors. Now, as Covid ramped up, that number jumped up to about 750,000 attempts to ping, map, see into those networks. Not a good place to be. And then you have to understand your governance, risk compliance, and those five P's. GRC's five P's are programs. You've got a program for vendor management, cybersecurity, and on and on, and that sort of thing. Every program has projects, processes, procedures, and people. And those are really the five P's you're looking at: program, processes, procedures, projects, and people. That is the key element to milestone four. Who are those folks? Are they part of the security team? How do you fit into that as a Python programmer, as a security expert? And then you're going to look at your overall security architecture to make sure that that security architecture is exactly where you want it to be and is operating efficiently and in a manner that makes sense for your organization. And there's no one size fits all.
Every organization is different. The other things we've got to do, and Python is kind of mission critical in this area: we've got to identify every asset that's on our network. That means when you look at the network, if you just think of it as a wired infrastructure, everything that's attached to that network, we must identify: printers, fax machines, laptops, desktops, the heating and air systems. Anything that's attached to that network, we need to know about it. It's part of a triangle we're going to talk about later, of looking for threats and finding those threats, identifying your vulnerabilities and then patching them accordingly. Your business continuity and disaster recovery plans are mission critical. And again, as you're developing those, you can see exactly what the roles are going to be for the different departments. So you want to make sure that as you're developing your business continuity and disaster recovery, that you're including programming, because I promise you, when a disaster occurs, there are going to be places where we're going to want to make some temporary patches and do some temporary things. Python is an excellent way of doing that. And, of course, risk management. Everything we do is based on risk. We're looking to identify the risk. We want to make sure that we've got the inherent risk, the risk that comes in with whatever the asset is or whatever the company has identified. And we want to make sure that we know what mitigation we're going to be able to put in place to reduce that risk. And then we want to know for sure, for dead certain, what our residual risk is. And also training and cross training. A lot of organizations see these as kind of a waste of time, but I'm going to take a little different opinion of that. Even if you're a programmer, you need to have an understanding of upstream and downstream. So you may want to know what DNS is. You may want to know exactly what the stack that you're working within is. You may not be a full stack developer, but you should understand the stack. And that means you've got to know a lot about networking and a lot about how everything's put together within your organization and its unique footprint so that you can create programs that are safe and secure.

We're all looking for the same type of place to start, and we always start with the data. That's always the right place to start. We're always going to have an app that's going to be around the data, that's going to help us read and write the data. That app is going to be on a host system of some kind. That host is going to be attached to a network. That network is going to have perimeter security of some type. It's going to have physical security of some type, and it's going to have policies, procedures, and a security education and training program wrapped around it so that everybody can make sure that this model we use, which is really these overlapping layers of security, is in place and working correctly.
Now, as a programmer, you may not be directly involved with a lot of these, but web application security, traffic optimization, those kinds of things are going to be areas where you can contribute. They're going to be areas where the cybersecurity folk may actually want to put a little Python program in place to look at some things. But we've got overlapping layers for a reason. That means we're going to have, if we take email as an example, we may have three or four different pieces of software or hardware devices that actually touch an incoming piece of mail, and they'll do different things along the way, so that if one of these layers of security misses a bad actor or misses something, one of the other layers will catch it. And that's really what overlapping layers are all about.
Now, today, it's kind of like the sign says, we want the AI inside. Artificial intelligence is going to give us the insight into how the data moves and how the humans on the network actually interact. And once it learns our normal standard behavior, then it's going to be able to alert us to anything that's abnormal, and that's really what we're after. If you look at the first layer in any security model, you're going to have that security incident management that we saw earlier, your web app security, content filtering, traffic optimization, firewall, VPN, intrusion prevention detection, load balancing, those kinds of things, all indicators of a really sound first layer. And then the second layer complements the first layer. We're going to look at our threat intelligence, and here's where we really come into that triad on the left side of the screen here. As you're going down that column, you're going to see threat intelligence. Every cybersecurity program needs to know what threats are in the wild. A vulnerability assessment requires you to know all the assets on your network. We talked about that. So if you know the threats that are coming in and you know the assets on your network, you can make an intellectual decision on what your vulnerabilities really are. If we take a step back to something like a patchwork quilt of effects that came into being over Intel processors that we euphemistically gave a couple of labels to, you're going to find that even though there was a threat there, there was a vulnerability in those old IBM processors, and Microsoft did have a patch for it. You'd find that as we went through the process of identifying those threats, I hate to call them threats because there wasn't really anything we could do about it. But as we're looking at those old threats that came in and looking at patching them, the patch would break the computer. And what I'm talking about is Spectre and Meltdown. When Spectre and Meltdown came about, there were a lot of organizations that threw up the red flags and said, oh, my, these are threats. Great. Did we have that vulnerability? Well, yeah, everybody had them. We all had Intel processors running somewhere. Microsoft came up with a patch for the Windows servers. And, oh, yes, in testing, the patch worked, but it broke the apps that were on the server. Break is probably too strong a word. It slowed them down to the point that it appeared broken.
Not really a functional fix. We had at that time to defend the perimeter against anything that would come in so that we could not see or allow any Spectre or Meltdown weaponization within our networks. And of course, we've got the tried and true access control, authentication, endpoint security, email security, recovery and backup. You want to put a halt to ransomware? Make sure you know your backup and recovery cycle. And make sure you know that you're doing it in isolated network segments. Make sure you understand your backup, whether it's Towers of Hanoi or mix and match, or last in, first out, whatever backup and recovery methodology you're choosing, make sure that that methodology will get you a recovery point if you end up with ransomware. It's really incredibly important that you do that. The third layer in any model is encryption. As you can see, the second word on every one of these bricks, these are the bricks in the wall for your castle, every single one of them has encryption at the bottom. You want data encryption, you want email encryption, and you want device encryption when it's practical. That's your third layer and your center layer, and that's going to really create this layered security model for you. So you're seeing everything put together in one model, one wall of that entire castle of the castle doctrine as we're going through this, that will give you what you need for cybersecurity today.

The other component that I'm going to suggest is one we cannot live without any longer, is the AI insight. Artificial intelligence allows us to watch, monitor and alert on all the activity on the network. So we can watch all the data that's going by in the river, we can watch all the data that's in a lake, we can watch all the data that's in a data ocean. And we can actually parse it with AI and find the points that we need to find to determine if there's been data exfiltration, or if there's been some access control violation, or if one of our end users has decided they want to zip up everything they've been working on and take it home with them. I don't know why, but for some reason, human beings in the last two weeks of their employment with any organization feel it's a moral imperative to zip up all their files and take them with them. Well, the AI inside can help you spot that and can help you eliminate that once and for all.
And again, I want to caution you and remind you that one size doesn't fit all. There's no way you're going to take a corporation that's a billion dollar corporation or a trillion dollar corporation and use the same tools, the same cybersecurity tools and setup as you would a mom and pop shop. Completely different size organizations require a completely different methodology for making sure that they're secure. Now, to avoid any mistakes in cybersecurity, we always have a choice to communicate or speculate. Within the cybersecurity community, we communicate threats just as quickly as we can to as many people as we can. Within your organization, if you think something's wrong, it's up to you to communicate it to the proper channels. And again, every organization is going to be different. I would rather have a lot of false positives, a lot of people within the organization communicating things that turned out to be false positives, as opposed to them sitting around and wondering, because everybody in the organization is part of the cybersecurity team. Remember, cybersecurity is a team sport. Having said that, not everybody has the same cybersecurity awareness, not everybody has the same cybersecurity training. So within your organization, make sure that you've allowed for that communication, and make sure that you understand a typical CMMI model, or capability maturity model index.
If you look at the small organizations, you're going to see that they're characterized by the level one that you would see down here on this level. That's going to be competent people and heroic efforts keeping everything running. Now, unfortunately, as operations grow, they don't always compensate for that. They still will have a lot of very heroic efforts, competent people working long hours to make things work. But as you go up the model, you see we've got basic project management and we're starting to use different tactics to make sure that the organization has processes and procedures in place. And at level three of any model, you're going to see that process standardization comes on. We're going to have the five P's. This is our process, these are our procedures. This is how the projects work. These are the people that are on it, and it's all standardized. You get up to a level four, you're going to look at the common approaches to quantitative analytics taking their place beside everything else that's going on. So you're going to measure and count, you're going to quantify what's going on. It's a simple thing, but you have to be a fairly large organization to be able to afford quantitative analytics. And five, that would be something that would happen with the federal government or with one of the big defense industrial contractors, something that would allow them to move their folks around in a manner that would give the organization the opportunity to take full advantage of continuous process improvement, because that's something that a large manufacturer has to constantly do, those process improvement cycles. And you want to look at this model as it fits into the cybersecurity department, and you want to look at how it fits into your information assurance and your cybersecurity as well as your governance, risk and compliance. Those are all areas you need to make sure are taken care of in any size organization. The bigger the organization, the more formal the process. A small business is not going to have the same type of cybersecurity that everybody else does. They're going to be using a different class of routers, switches, hubs, firewalls and that sort of thing. They'll be using the smaller products by SonicWall and Fortinet and some of the other vendors. Cisco has some small products for small businesses. I say small products; they have some scaled down products for small business that are very effective. So all those types of things are going to be coming into play as we draw near to keeping our confidentiality and integrity and availability model intact. You're going to be pulling in everything you can, still creating that castle doctrine model, but you're going to be doing it with a different tool set. You're not going to have as much flexibility. You won't see as much data passing through your filters and through any particular program you're using inside to determine what's going on.
And that's really a level one organization. If you look at this particular slide, you're going to have a lot of mom and pop shops that are going to be having a router and wifi and a firewall, and they'll have printers, laptops and desktops attached to them. It's a simple model. It's every mom and pop shop that I've ever been in. And again, they're going to be using not necessarily the industrial strength routers, switches and hubs that we had used in a larger organization, but they're still going to have them. They're still going to be using them no matter how big or how small. These four points of alignment are going to be mission critical for you: the economics, the talent, the existing equipment, and the function. I can't tell you how many times I've seen an organization want to replace a piece of software when it had the functionality they needed. They just hadn't gone to class, didn't understand, hadn't taken the time to find out, or hadn't upgraded that particular piece of software to its latest model that would give them that functionality. The other thing, and that's part of looking at your existing equipment, because does what we have on the ground have the right functionality? The existing equipment is identifying that asset. Do we have assets in place that will do that right now, or do we need new assets? And then talent. We have to have people that know how to operate in the environment we're in. You're always going to have folks that are turning over. You're going to have new employees, you're going to have current employees terminating and moving out. But you're going to have to make sure that you've got the talent to run your equipment, no matter what size you are. And it's got to be economically effective. Again, your C suite is going to be doing everything they can to make sure that the organization stays afloat and make sure that the organization does not go broke. So you've got to take a look at the economics of it. And part of that is saying, okay, if I've got an asset that's a dollar, I don't want to spend a dollar to secure it. You're going to have a risk appetite statement within your organization. You're going to have to use that risk appetite statement and the risk assessment process to make sure that the economics are aligning with the risk, so that if you've got an asset that's worth a dollar, you might spend $0.10 securing it. That's simple, but exactly what you want to do.
And we need to have an understanding of routers and how routers work and switches and hubs and that sort of thing, especially within the cybersecurity team. But it also doesn't hurt for anybody that's in programming to understand these things. Single band, dual band, that kind of deal. Are you doing anything that's going to secure your wide area network or your routers? We've got wired connectivity everywhere, especially when we moved everybody home. Everybody's working on a wireless network at their house. Could be trouble if you don't have the right security in place. It would behoove us as programmers to understand the difference in wired and wireless and to understand a single WAN versus a dual WAN, how that works. These types of things are mission critical for us. And remember our four points of alignment. You've got to always go back as you're looking through here at the economics, the talent, your equipment on the ground, and the functionality that equipment's giving you. It's not going to change.
If you look at the Internet today, thank you, Kaspersky, for this picture. If you look at the Internet traffic today, and this is just one rendering of it, this is what's going on all the time now. The opportunity for something to break or something to have a hole that's not plugged in it in a network that's literally worldwide is incredible. So as we've got nation states and really sophisticated bad actors trying to take advantage of it, it behooves us to look at how we're going to handle the next level up. When we come out of the mom and pop shop and we get into a growing organization, we're going to have multiple routers, we're going to have multiple wireless networks, we're going to have multiple points of entry, multiple points of egress. It's going to be a battle to make sure that as the equipment grows, so does our capability, so that we are absolutely able to take advantage of every nuance and every single thing that's available to us in the products and services that we bring to bear to secure that organization. Now, the third level, I believe this is a Cisco diagram, so thank you, Cisco. If you look at this, you can see how we start out with a lot of equipment on, usually, the ground floor, and then we move up. But each one of these racks supports multiple users. As we go across, it's imperative that we look at standardizing our requirements development, our technical solutions, our product integration, the verification and validation, the process focus and definition, the organizational training. All of those things need to be dialed into a comprehensive approach to managing cybersecurity. And at this point, we're going to have log files turned on. We're going to have a SIEM running so that we're collecting data, not all the data, but we're going to be looking at specific data elements coming out of every computer. We're going to be looking at specific data elements that we're going to be parsing out with tools like Python to make sure that those organizations are safe.
And as we move on to the fourth level, and this is definitely a Cisco design, you are going to have multiple buildings. You're looking at a campus structure here. This is where you need that quantitative approach. We need to be looking at tools that are going to help Active Directory. And remember, Active Directory has two flavors. There's one AD for hosted, which this is a pretty good diagram of, and there's a different AD for the cloud, for the Azure cloud, that is. And we want to make sure that we understand those different directory structures. We want to make sure that we understand everything that's different between hosting it ourselves and what's in the cloud. And we're going to have quantitative project management at this point. Projects are going to be brought together into a project portfolio, and there's going to be project portfolio management going on, and it's all going to be based on numbers and resources, that sort of thing. The organization is going to be bigger and much more spread out at this point than it has been in the past. And it's going to be imperative for the cybersecurity professional to make sure they can secure it. And when you get to a level five, all of a sudden you're looking at a department that's outsourced, you're looking at a new company you're bringing in, you're merging. You're going to segregate a department for regulatory requirements. We need a Chinese firewall over there, so wall those people off so they can't see all the other data, those kinds of things. And you're still going to have that campus communication fabric from the prior slide that you're going to be working on, that particular diagram in the lower half of this. Now, we also start doing something early on that should be part of our process of drilling down on any fault, flaw, error, intrusion, whatever, and that is causal analysis. What caused it? If we're looking at the pipeline ransomware incident that we're just experiencing, what caused it? Where did it come from? What happened? And we're going to be making sure that we've got all of our intellectual property secured because that's our competitive edge. That's exactly how that organization that we're in differentiates itself from other organizations within the industry or within its particular area of expertise.
We're also going to have artifacts that we need to be collecting along the way. And this is another area where programming really helps. We're going to have threat hunting. We're going to have to bring in artifacts from log aggregation. Again, we don't take all the data elements out of a log, we aggregate them, but we're collecting specific data elements out of different types of computers. And we're looking at things like firewall clustering and AI. We're using behavior analytics to determine what Mary and John and Joe are doing on our network and what's right and wrong with it. What kind of success are Mary and Joe having in exfiltrating data? Are they actually taking data out of the network for nefarious reasons, or are they just copying it onto their laptop and taking it home so they can work a couple of hours on it? We're going to look at things like incident response and forensics. And when we think about forensics, there is a chain of custody that must be maintained with any forensic analysis. And you've got to make sure that you've got the necessary artifacts in place, the necessary projects, processes and procedures in place, so that when these things occur that need forensic analysis, these things being incidents or events, you're going to want to make sure that that forensic analysis is done according to a very specific set of processes you've predefined, that maintain the chain of custody. And of course that old training and cross training, I really think we can't live without it. But that's just one man's opinion.
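The log aggregation and behavior analytics the talk describes (pulling only specific data elements out of logs and alerting on what is abnormal for Mary, John and Joe), as an added example that is not part of the talk: it keeps only the fields it needs from constructed auth log lines, then flags failed-login bursts per user and source and file-copy volumes far above the baseline of the other users. The key=value log format, hosts, user names and addresses are made up for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log lines; hosts, users and addresses are made up.
SAMPLE_LOG = """\
2021-05-10T08:02:11Z host=fs01 user=mary event=login result=success src=10.0.1.21
2021-05-10T08:05:43Z host=fs01 user=mary event=file_copy bytes=120000 src=10.0.1.21
2021-05-10T08:09:02Z host=fs01 user=john event=login result=success src=10.0.1.22
2021-05-10T08:11:30Z host=fs01 user=john event=file_copy bytes=150000 src=10.0.1.22
2021-05-10T08:15:10Z host=fs01 user=mary event=file_copy bytes=80000 src=10.0.1.21
2021-05-10T09:00:01Z host=fs01 user=joe event=login result=success src=10.0.1.23
2021-05-10T09:01:15Z host=fs01 user=joe event=file_copy bytes=25000000 src=10.0.1.23
2021-05-10T09:02:40Z host=fs01 user=joe event=file_copy bytes=30000000 src=10.0.1.23
2021-05-10T22:14:01Z host=web01 user=admin event=login result=failure src=203.0.113.5
2021-05-10T22:14:03Z host=web01 user=admin event=login result=failure src=203.0.113.5
2021-05-10T22:14:05Z host=web01 user=admin event=login result=failure src=203.0.113.5
2021-05-10T22:14:08Z host=web01 user=admin event=login result=failure src=203.0.113.5
2021-05-10T22:14:10Z host=web01 user=admin event=login result=failure src=203.0.113.5
2021-05-10T22:14:13Z host=web01 user=admin event=login result=failure src=203.0.113.5
2021-05-10T23:30:00Z host=web01 user=john event=login result=failure src=10.0.1.22
"""

# Only the fields the analysis needs are kept: the "specific data elements",
# not the whole log line.
KEEP_FIELDS = ("host", "user", "event", "result", "src", "bytes")


def parse_line(line):
    """Return a dict of the kept fields, or None if the line does not fit the format."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep and key in KEEP_FIELDS:
            rec[key] = int(value) if key == "bytes" else value
    return rec if "user" in rec and "event" in rec else None


def aggregate(text):
    """Log aggregation step: parse every line, drop anything unparseable."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, src) pairs with at least `threshold` failures inside one window."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r.get("result") == "failure":
            failures[(r["user"], r.get("src", "?"))].append(r["ts"])
    alerts = []
    for (user, src), stamps in failures.items():
        stamps.sort()
        start = 0
        best = 0
        # Sliding window: advance `start` until the window fits, track the peak count.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, src, best))
    return alerts


def copy_volume_outliers(records, factor=10):
    """Flag users whose copied bytes exceed `factor` times the median of all users."""
    totals = defaultdict(int)
    for r in records:
        if r["event"] == "file_copy":
            totals[r["user"]] += r.get("bytes", 0)
    if len(totals) < 2:
        return []  # no baseline to compare against
    baseline = median(totals.values())
    return sorted(u for u, b in totals.items() if baseline and b > factor * baseline)


if __name__ == "__main__":
    recs = aggregate(SAMPLE_LOG)
    print("records kept:", len(recs))
    print("failed-login bursts:", failed_login_bursts(recs))
    print("copy-volume outliers:", copy_volume_outliers(recs))
```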
Your network endpoint defenses: we're always going to have endpoint defenses, we're always going to have some firewalls set up on the endpoints. We're always going to have some kind of virus protection, malware identification on our endpoints, always going to be there. We want to make sure that we're doing HTTPS inspection, that we've got all the bot protection that we can afford, and that we've got application controls in place. And that's another point that Python programmers can help, or any programmer for that matter, in that application control, because we've got to be able to predict exactly how those applications are going to react in certain circumstances. And of course you're going to have that URL filtering. It's just going to be part of that process. And by now you're going to be saying, well, that's a lot. Is that actually enough? Can we get by with that?
Well, probably not. Nothing's foolproof. It really isn't a
magic bullet. And if you give me enough time and money, I can pretty
much get into anything. That's true of
any bad actor. And nation states have a
lot of money, so they can buy a lot of time, these can buy a
lot of hardware, a lot of software. The other thing that's true is
users do make mistakes. I have myself gotten
in a time bind and been crunching things out for two or
three days at a time. Our person that was doing
the phishing testing sent out an email
that looked exactly like the "you
have a phone message" notification from our VoIP phone system. We had
little emails that come in that say this person called,
click here to hear the voicemail they left you.
Well, she sent that out. Looked exactly like it
to me. I'm in a rush, did not notice it didn't come from
the right email address, clicked on it and instantly
got sent to additional training, which was
the correct thing to do. But users do make mistakes. We all get in
time crunches, we all have bad days, we all have sleepless
nights. Those types of things cause us to make mistakes at work.
It's up to the cybersecurity professionals within your organization to
anticipate those. And of course, vendors make mistakes.
I guess, in my mind, in my humble opinion, the two most vivid
examples of vendor mistakes would be Target and the bad actors
coming in through the HVAC vendor. And then the
other vendor mistake that I would want to use
as a cautionary tale would be the Facebook example, where Facebook hired
Cambridge Analytica to do particular data science
elements and data science work on their information.
Tons of data analytics going on, but that's
not necessarily a secured place to be, and that data
was repurposed several times before anything
happened there. Then the other
thing that we have to be constantly aware of is what we don't see will
kill us. It's absolutely a mortal certainty that if
you don't see it, it's going to get you: brute force attacks on all your
assets or your local accounts, detecting the invasion,
the local events, the privilege escalation, lateral movement
within your network. If you've got a network set up and you can't see lateral
movement in it, which is always an indicator of those level one networks,
that could be a problem. So you have to make sure that the other components
of your cybersecurity matrix, your overlapping cybersecurity
layers, are going to catch that lateral movement in different ways.
You also need to make sure that your new local user accounts
are being created appropriately, that you're not creating one for a bad
actor. And you've got to look for things like protocol poisoning, especially within
web applications. There's just tons of ways to
bust a web app up. If you're not familiar with the OWASP
model, as a Python programmer, I would suggest that you
get familiar with the OWASP model and that you make sure that everything
you do is going to be geared to
one of those standards and that you're looking at that model as kind of
guidelines. Like, okay, did we think of this area? Are we covered for that? What happens
if this happens? What happens if that happens? Protocol poisoning being just one
of those areas. The way we get to see what's
going on is the AI and machine learning. We can use things like cluster
algorithms or add staff, and that's an expensive option.
I personally would rather add machines all day long than
to have to add staff. If you can automate it and not
have to add staff, you're going to have
the ability to remove the human factor out of the area,
out of that equation. And if you look at the RSA
compromise that happened several years back, they had all the staff, they had all
the processes and procedures, but they were bringing so much information in and it
was generating so many false positives that the humans that were looking
at it were ignoring the errors that were indicating that there
was a bad actor on the network. That's where the specialized applications come
in, the ones that actually start looking at what's going on laterally in networks
that understand exactly how to find that bad actor.
Take a look at that behavior, because really what we're talking about is behavioral analytics.
If we remember that a bad actor is going to be on
a network for like 280 days, give or
take, depending on who you listen to, before they actually start exfiltrating
data, that means they're going to be on the network and taking a hard look
at what's going on. That gives us an opportunity. If we've got AI
and behavior analytics operational, it gives us a significant
opportunity to make sure that every single thing
on that network is being watched and that the anomalous
behaviors are being popped up and brought to a human's attention
to decide on whether or not an action needs to be taken.
But again, we've got to minimize the number of events these humans
have to make a decision on. So that means we've got to put a little
more time into developing our AI algorithms and our behavioral
analytics algorithms. It's imperative that we maintain those at a
high level. We must make sure that we're
able to connect the dots and expose intruders.
That's another area where large data sets
are very useful. But if we don't have a tool like Python,
if we can't write some quick and dirty (I don't mean it in a bad way)
programs to reach in and look at
the data, to do some data analytics on it, then we're never going to know
what's going on in the river or what those molecules are all about.
Don't forget that AI is going to give us the ability
to scan our networks and all the devices on it and do these
vulnerability assessments and create remediation workflows and tracking,
but it's only going to be giving us advice on those vulnerabilities.
So we've got to make sure that we're using it correctly and
that there's not a flaw in the process
or a hitch in the get along, as some people might say.
For our cybersecurity professionals, they've got to have a complete
picture of everything that's going on. And if you look at the benefits,
well, we're going to keep our vulnerable systems on our radar and
watch them closely. We're going to look at the notifications we're getting from
those systems. We're going to be planning our remediation processes
and projects. We're going to be tracking remediation, and we're going
to be making vulnerability management workable.
The whole goal is to decrease our attack surface. Now having said
that, I want to remind you that
we are going to be looking at
threats, vulnerabilities, again, knowing all the
assets on that network and then looking at patch management and how we're going to
handle that to decrease those attack surfaces. And when you start identifying,
even in an organization of, let's say, 800 people,
you may run some piece of software to go out and identify
all the assets on the network. And the first time I did it, it came
back with something like 8 million assets. And my
first reaction was we only have 800 people.
You don't think everybody has that many computers. But when I started
going through the file and parsing through it, I found that every
Adobe Reader since dirt was
on most of the machines that we had because we
had an image that we were using when we renewed our PCs
through their normal lifecycle that had every one of
those on it. It had all the updates, it had all the patches. .NET
Frameworks do the same thing. You're going to have .NET remnants
from dirt that are going to walk through your network. You've got to be
able to look at those data sets, parse those out and say, okay,
those first 27 Adobes we can get rid of, then you've got to have
a process and a project to get rid of them, eliminate any potential
vulnerabilities that they may have had. And again, we're always looking
at decreasing that attack surface. That's where we're trying to get to.
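The inventory parsing just described, as an added example written for this page rather than the speaker's own tooling: it reads a constructed host,product,version export (an assumed layout, not any real scanner's format), groups installs into product families, and flags every version on a host except the newest as a cleanup candidate for the remediation project.

```python
# Added example: find superseded Adobe Reader / .NET Framework installs in an
# asset inventory export. Not the speaker's code; the CSV layout is assumed.
import csv
import io
import re
from collections import defaultdict

# Constructed sample export: hosts that inherited an old PC image.
SAMPLE_INVENTORY = """host,product,version
pc-001,Adobe Reader,9.5.5
pc-001,Adobe Reader 11,11.0.23
pc-001,Adobe Acrobat Reader DC,21.001.20155
pc-001,Microsoft .NET Framework,3.5.30729
pc-001,Microsoft .NET Framework,4.8.04084
pc-002,Adobe Acrobat Reader DC,21.001.20155
pc-002,Microsoft .NET Framework,4.8.04084
pc-003,Adobe Reader,9.5.5
pc-003,Adobe Reader X,10.1.16
pc-003,Adobe Acrobat Reader DC,21.001.20155
pc-003,Microsoft .NET Framework,4.8.04084
"""

# Product names are normalised to a family so that "Adobe Reader 11" and
# "Adobe Acrobat Reader DC" count as the same product installed many times.
FAMILIES = {
    "adobe-reader": re.compile(r"^adobe (acrobat )?reader", re.I),
    "dotnet-framework": re.compile(r"^microsoft \.net framework", re.I),
}


def version_key(version):
    """Turn '21.001.20155' into (21, 1, 20155) so versions sort numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def family_of(product):
    """Map a raw product name to a tracked family, or None if untracked."""
    for family, pattern in FAMILIES.items():
        if pattern.search(product):
            return family
    return None


def parse_inventory(text):
    """Return (host, family, product, version) tuples for tracked families."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        family = family_of(row["product"])
        if family:
            rows.append((row["host"], family, row["product"], row["version"]))
    return rows


def superseded_installs(rows):
    """Per host and family, keep the newest version and report the rest.

    Flagged items feed a remediation project for review, not blind removal:
    .NET 3.5 runs side by side with 4.x and some line-of-business apps need it.
    """
    by_host = defaultdict(list)
    for host, family, product, version in rows:
        by_host[(host, family)].append((version_key(version), product, version))
    removals = []
    for (host, family), installs in sorted(by_host.items()):
        installs.sort()
        for _, product, version in installs[:-1]:  # everything but the newest
            removals.append((host, family, product, version))
    return removals


def remediation_summary(rows):
    """Count superseded installs per family: the size of the cleanup project."""
    counts = defaultdict(int)
    for _, family, _, _ in superseded_installs(rows):
        counts[family] += 1
    return dict(counts)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for host, family, product, version in superseded_installs(inventory):
        print(f"{host}: remove {product} {version} ({family})")
    print(remediation_summary(inventory))
```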
And then you've got to tell people what you're doing. In cybersecurity,
it's very important that we report our activities
and we report what's going on so that everybody in the organization
can have a vivid understanding of
exactly what's happening. We're going to report to the board
quarterly, at least if not monthly, to a committee of
the board, which would be the audit committee, the compliance committee, the technology committee,
and those sorts of things. Those committees, again quarterly if not monthly.
And if we're reporting into a committee of the board, that board committee is
going to turn around in the very next board meeting and report up to the
board so we can cover that in that manner. We want to make
sure that the CEO gets a monthly update or as needed.
PRN is a term from healthcare that means as needed.
The point of keeping the CEO in the loop is because he or
she's going to be the person that everybody's going to turn around and look
at and say, what do we do now? And that
CEO is going to be the face of the organization. If we should have
an incident or if we should have a breach, you want to make sure the
senior management team isn't surprised. Again, monthly or as needed. And your
key stakeholders, the people that are heads of lines of business or department heads,
you want to make sure they're in the loop. They've got to be critically
informed on everything that's going on within cybersecurity.
Now, what do you put in those reports? Well, the board needs to know
something very simple. Are we safe? I've sat through governance
committee meetings, and you would try to explain something to
the committee that would have the senior management team on it or the board on
it, and they would start asking questions,
really, because they didn't really know what the words
meant. They might be asking the questions incorrectly. And when you
drill down in every instance, the bottom line is the men and women
that make up your board of directors and your senior management team want
to know one thing, are we safe? So it's up to us to give meaningful
metrics, budget performance and a snapshot of
our overall program status to those people, either monthly,
quarterly and certainly annually. We certainly want to do an annual
recap for our board, committees of the board, same as the board,
they want to know, are we safe? Your C suite. Well,
you're going to do everything you're doing for the board. Plus you're going to add
in your threats and vulnerabilities and how they're affecting your
patch management. You want your C suite to understand what a threat
is, whether or not you've got that vulnerability on your network
and what you're going to do to patch it, what process you're going to go
through. And of course, you want to make sure your events, incidents and breach management
processes are in place and your key stakeholders, you want to
do everything you're doing for the C suite, all of the above and
that line of business information, it's all critical to what they're
doing every single day in every single way. Now, we talked a
little bit about risks and identifying risks.
Well, every organization should have a risk appetite statement.
Actually, in reality, maybe 30 to
40% of organizations have a formal risk appetite statement.
The rest of the organizations may or may not even know what
that means to say, hey, we need a risk appetite statement.
Well, that just means how much of a loss are we willing
to endure before we're going to take corrective action
or mitigating action to reduce those risks? I always
encourage folks that I work with to just ask their chief financial officer,
Mr. or Ms. CFO, what do you consider a material loss?
The bank I worked at, the first time I asked it the first week I
was there, the CFO said 25,000. The last
week I was there, I asked him what a material loss was and he said
300,000. If it's less than 300,000, I'm not going to worry about it.
Anything over 300,000, I'm going to scrutinize heavily. So we
knew that the risk appetite for the organization was at the $300,000
mark. So any threat that was going to cost
us 300,000 or more, we needed to mitigate. Use a
framework, and there are many to choose from. In the US,
you're looking at NIST, and in Europe, in the European theater,
you're looking at ISO. The COSO framework is always really good for
cybersecurity. Of course, the NIST 800 and ISO 27
and whatever will also have cybersecurity
framework components in them. Those are places that you can go
to find out exactly what you ought to be doing. And of course you're
going to have to do an assessment on whether or not it's working.
And I always like to just use the old stoplight method. Is it good,
green, yellow or red? What process are we in?
What is our assessment going to look like? Well, the things that
we're going to assess are going to be our people,
our processes and our technology. Do the people have the
right training? Do they have the right SETA program in place? Are our processes
there? Do we understand that tailgating is a bad thing in a secure area?
Do we understand that not emptying our waste bins every evening
into the shred bins is a problem? Do we understand our
technology and we're keeping the CIA, the confidentiality, integrity and availability
triad intact? Do we understand our threat
matrix, our vulnerability matrix,
and our patch management matrix? And are they actually working together? Are they
tied together? And we're going to look at our talent level, how can we
improve it? Where do we need to shore it up? How can the talent that
we've got in house laterally train others to bring them up
to that level? And we're going to look at our overall project management capability.
And these are all assessments. And we're going to assess our standardization.
Do we have standard ways of standing up a server? Do we have
standard ways of setting up a desktop? That standardization is critical
to the security of the organization. You don't really want to set up a
lot of desktops and not restrict the
admin account on those desktops and laptops, because people will
go out to the Internet and they will find things they like and they will
download them or they will click on things that will automatically download something.
You don't want to do that. You want to standardize it, lock them down,
see if you can't harden them as much as possible. You need a server hardening
policy. You need a desktop hardening policy,
and you want to start counting. You want to make sure that your quantitative
management capability is intact. You can quantify
everything you're doing, that you've got a baseline you're measuring against.
And then, you're always looking at that golden circle. And the golden circle
is just your area that you want to keep everything in.
And that's if you look at the old Venn diagrams and put three of them
together for confidentiality, integrity, and availability, where they
all meet in the middle, that's your golden circle. You want to make sure that
you've got the numbers to support that, that you're looking at these
things that are mission critical to your organization.
The other things you want to do is to make sure that you understand the
skill level of people in your department, especially within cybersecurity.
We do this all the time. We take the person, what role they're in,
what skill level they're at, what their current capability is,
what the ideal capability for that individual and that role would be.
And then we've got some development action. Are we going to send them to training?
In former lives, I made sure that my security teams and
my teams train for one week every
quarter. So every 90 days, they were taking five days to train
on something. And while that may sound excessive, I would submit
that Moore's law has been cut in half, that we're
now down to an 18 month life cycle on new equipment
coming out that is so much better than the equipment we've got
in place that it's going to be hard not to upgrade.
And we see that with Apple upgrading to Big Sur,
all of a sudden we've got to have a hardware platform come up to meet
that level of excellence. Because the new operating system is a
little more than the old hardware platforms can
adjust to in some instances. And that happens with Windows,
as they develop new Windows, that happens with Apple as they develop new
OSs. It happens on our smart devices, on our
phones and tablets all the time. All of a sudden you'll have an
iPhone or some other Android device
that will not be able to utilize the new software
that's coming out or the software updates that you're updating automatically.
To compensate for that, I strongly suggest that five
days out of every 90, your team is training everybody
on your team, and they'll be training in different areas, but that training is critical
and you're going to look at your projects in a project portfolio
manner as you grow. You want to make sure that you have a project
status in place so that you can look at how a new project comes
in, how those milestones are monitored, how you add
and manage resources to the project, people, money, time, and how
you track progress and the workloads. And you
also want to make sure you close projects out. A lot of organizations,
especially with cybersecurity projects, the project just kind of goes on and
on and on. A project that doesn't have a definite end is a process,
and that process may be broken if it doesn't have a stop and
a start in it. You want to make sure that you understand how to close
a project. If you've got a project going that you can't close
for any reason, call it a process, close the project and say,
we now have this process in place, and away you go. That's the only real way
to make that happen for you. The rest of your project
portfolio dials into your project portfolio
management. You've got to make sure that you're strategically aligned with
the strategy and tactics your organization is going to use.
And you want to make sure that you can execute and deliver on
everything that you're doing in a project. You're going to have tools and methods.
One of those tools for projects in a project portfolio environment,
it's always going to be a programming language. Python is a great one.
I see a lot of Java, I see a lot of Python. I'm starting to
see a little Go. But predominantly Python. For the cyber
people in the tool set, always good governance. Got to
have that steering committee on these projects and make sure that you're
dialing in your existing governance. Your existing governance
risk and compliance is going to inform you, or you're going to inform
them both on your project status and they're going to give you advice on how
to handle these projects. Absolutely a normal part of it. And if you
look at IT governance, those two off on the right, the strategic
planning, you need an IT and a cyber strategic plan.
You also need a way to request projects and tasks.
Now, I'm not saying the rest of that's irrelevant, but those two off on
the right, as far as governance is concerned, are your cornerstones.
What's the strategic plan for the organization? How does the IT strategic
plan and the cybersecurity strategic plan dovetail into
that organization's plan? And how do we handle projects? How does
a project get started, how does it run and
how does it close down? Those are two critical areas that you want to
make sure you understand. And when we start talking about frameworks,
this is, in my humble opinion, what those frameworks should be used
for. NIST CSF, of course, is cybersecurity. The CMM
is going to be software development, COSO enterprise
risk management, COBIT is going to give you some really
good controls. ITIL ITSM, always
a good one to have. ITIL was one of the first ever
attempts to say, this is how the whole thing, that is, IT, should
operate. Your ISO IEC 27000s,
cybersecurity, TOGAF, Zachman, lots of frameworks out
there. Find one that works for you. If you're in the US,
you're going to look at NIST, probably. If you're in Europe or Asia,
you're going to look at an ISO standard. Doesn't matter which
one you use. They all look about alike when you get down to the absolute
nuts and bolts of them. But make sure you've got a standard. Now,
I always have a clock in my head, and I found out a few years
ago that not everybody does. So I've started including this in
everything that I do. The clock in your head is
important. You've got to understand that. I have my teams justify their
technology every 18 months, because again, as we discussed,
Moore's law has been halved. So that what we're seeing is
new products and services, new software updates, new patches
coming in that materially affect our operational capability.
About every 18 months, training every three months,
each member of your team has to go to training. And calendar up is a
little tool that I kind of stumbled onto 40 years ago.
It's having a Monday morning meeting at 8:00 a.m. on Monday morning.
And just asking everybody around the table, set your team in
a room or in a Zoom meeting, and just say what's on your calendar this
week, just this week. And somebody might say, well,
I'm going to be out Friday, or I'm going to install a new router,
or I'm going to do this, I'm going to do that. Somebody else around the
table, if somebody says, I'm going to install a new router on Wednesday.
Somebody else around the table might go, oh no, you're not.
I have to do this before you can do that. And I can't get that
done until these other things happen. So that Monday morning
meeting and allowing the team, not you, but the
teams itself, to decide the work and the work pattern that's
going to happen for the week is kind of critical. Now we may have
projects going, people may say, I'm working on Project A.
I've got to be doing A this week. I'm all Project A all
week. Well, that's great. You know what they're doing and they're pretty much
going to be busy all week. GRC, you want
to have at least a monthly governance risk compliance meeting,
your framework adjustments every twelve to 18 months,
no matter what.
Take those frameworks out, take a look at them and make any adjustments
you have to have or as needed. You may have a
framework if you're in NIST, if you're in the finance industry, that NIST framework
may get updated every year and you may have to go back and say,
okay, well, we're now doing business continuity management
and it's not working exactly according to the framework. So we need to kind
of modify what we're doing to fit the framework. Your GA
releases, again, twelve to 18 months,
no more than that, and as
needed. Vulnerability assessments, we do those daily. What new
equipment is coming on the wire? What are we taking off of the wire?
What vulnerabilities do we have? What's our exposure? What's our risk?
And that clock keeps on ticking. Your risk assessments need
to be done annually. Anytime you're adding a new product or service,
the cyber people need to be doing that. So as needed as
every new service, every new product comes about, we need to be doing a risk
assessment on that product or service. Our code reviews: development
is a team sport as well. You don't develop in a vacuum.
The days of being able to have an isolated programmer that
creates all this magic and just throws it over the wall and we turn it
on and just say it works or doesn't. That's in the past.
We've got to do things like adhere to the OWASP model.
It's absolutely critical for our web application development.
Everything's getting a web interface. Patches.
You want to make sure that you're patching something every week or as needed.
Patch Tuesday is a real thing. So as Microsoft releases patches,
you want to make sure that you're testing those patches before you implement them and
making sure that they don't kill production. System configuration,
you want to do that pre-production. You don't want to configure a system
that's in production. I know some of you have done that,
but it's not that good an idea. The other thing
I want to make sure you understand is your cybersecurity roadmap.
These are those milestones, your SETA program (security,
education, training, awareness). Number one thing to have in place, because cybersecurity
is a team sport. Know who your stakeholders are. Watch your budget. Watch your number
of employees. What's your burn rate? Your burn rate is, how much money
do you spend every month to keep the wheels on cybersecurity
from a programming perspective? How much money goes into our programming
effort every month? And know your four P's, your policies, procedures,
processes, and projects. Make sure you know your security
architecture and you're able to identify your
assets. Don't forget the cross training. Whatever you do,
let's not forget the cross training. So, at this
point, you've built your castle. Everything should be fine.
You should be rock solid on what you're doing,
and we're ready to talk about those elements that make a CISO successful.
Your EIQ, your emotional intelligence quotient,
mission critical. You may be the smartest technologist on the
planet, but if you can't deal with people and you can't control your emotions,
you're worthless in a corporate environment. So you got to make sure your
EIQ is there. Your IQ, you only get
sharper if you keep learning. So you're going to be a continual
learner. Is your technical
ability kung fu or Krav Maga? And if you know anything
about martial arts, you'll understand that kung fu is a very elegant sport.
Krav Maga is awfully brutal, so there's a
difference. Technologists tend to take one of those two tacks. They're either
brutal or they're elegant. A lot of times you don't have time for
elegant, and you go with brutal. I would suggest that we all
start polishing our kung fu. We want to be a little more elegant,
and you want to make sure that you understand high performance team building. And you
got to understand third party risk management. Those pesky vendors will get you every
time. So if you have any questions, this is obviously recorded.
You can give me a call, you can send me an
email. You can look me up on LinkedIn. I'll be happy to interact with you at
any time, answer any questions. You might have comments,
criticisms, emotional outbursts, whatever it is, thank you
so much for spending this time with me, and please
have a great rest of your conference.