CyberWire Daily - Resilience. (CSO Perspectives)
Episode Date: September 23, 2024
Rick Howard, N2K CyberWire's Chief Analyst and Senior Fellow, turns over hosting responsibilities to Roselle Safran, the CEO and Founder of KeyCaliber and one of the original contributors to the N2K... CyberWire Hash Table. She interviews Tia Hopkins, the eSentire Chief Cyber Resilience Officer, to make the business case for why resilience might be the most important cyber strategy.
References:
Black Women in Cyber Collective, 2024. Securing Our Future: Embracing The Resilience and Brilliance of Black Women in Cyber [Book]. Goodreads.
Ken Underhill, Christophe Foulon, Tia Hopkins, Mari Galloway, 2022. Hack the Cybersecurity Interview: A complete interview preparation guide for jumpstarting your cybersecurity career [Book]. Goodreads.
Ron Ross, Victoria Pillitteri, Richard Graubart, Deborah Bodeau, Rosalie McQuaid, 2021. SP 800-160 Vol. 2 Rev. 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach [Guidance]. CSRC.
Roselle Safran, 2024. Who Does the CISO Work for? [Social Media Post]. LinkedIn.
Staff, n.d. Empow(H)er Cyber Home [Website].
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code
N2K at checkout. That's joindeleteme.com slash N2K, code N2K. And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface,
making apps and IPs invisible, eliminating lateral movement,
connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context,
organization with Zscaler, Zero Trust, and AI. Learn more at zscaler.com slash security.
Hey, everybody. Welcome back to Season 15 of the CSO Perspectives podcast. This is Episode 2,
where we're turning the microphone over to some of our regulars who visit us at the N2K CyberWire hash table. You all know that I have a stable of friends and colleagues who graciously come on the show to provide us some clarity about the issues we're trying to understand. That's
the official reason we have them on the show. In truth, as you all know, I bring them on to
hip-check me back into reality when I go on some of my more crazier rants. We've been doing it that way
for almost four years now, and it occurred to me that these regular visitors to the hash table
were some of the smartest and well-respected thought leaders in the business, and in a podcast
called CSO Perspectives, wouldn't it be interesting and thought-provoking to turn the mic over to them
for an entire show? We might call the show Other CSO Perspectives.
So that's what we did.
Over the break, the interns have been helping these hash table contributors
get their thoughts together for an entire episode of this podcast.
So hold on to your butts.
Hold on to your butts.
This is going to be fun.
My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum studios,
located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A.
And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.
I've known Roselle Safran for years now.
I initially met her at this recurring dinner she and I attend here in D.C.
called the Cybernosh Dinner,
organized by Pascal Luck, Aynab Ghosh, and Thomas Knox.
They gather a gaggle of senior security business leaders
around a dinner table
at Bobby Van's Steakhouse in D.C. and facilitate a discussion of the issues of the day.
They always bring in an interesting guest to speak off the cuff about what they're up to.
Like a couple of months ago, they brought in Nina Jankowicz, author of the 2020 book,
How to Lose the Information War, Russia, Fake News, and the Future of Conflict.
It was fascinating.
But when I started gathering experts at the N2K CyberWire hash table, Roselle was one of the first people I called.
She's a civil engineer by training, a Princeton graduate, consulted at a couple of big firms,
moved into government service for a while, working for DHS as the deputy branch chief
for digital analytics, and later working for the White House as the Branch Chief for Cybersecurity Operations.
But she has always had the entrepreneurial bug. She's been the CEO and founder of several
startups, and today she runs a company called KeyCaliber that provides a customer platform
to manage cyber assets and threat exposure. For this show, she's going to make the business case for why resilience might be the most
important cybersecurity strategy of them all.
Here's Roselle.
Hello, everyone.
Thank you for joining me for our conversation today about cyber resilience.
Cyber resilience is a very hot topic these days because we have so many
examples of why we need it. When the pandemic began, organizations faced a sudden change to
their environment that prevented business as usual. Organizations adapted to remote work
out of necessity. When CrowdStrike erroneously pushed out a flawed update, organizations faced
a sudden change to their environment that prevented business as usual. Organizations adapted
and applied the necessary fixes automatically or manually. And every time an organization is hit
with a ransomware attack that is not blocked, organizations are faced with a sudden change to their environment that prevents business as usual.
Mitigations and remediations are vital in order for the organizations to get up and running again.
In all of these situations, the rate at which an organization goes from not operating adequately to operating again depends on the organization's resilience. And that is why the topic of resilience needs to be
front and center for organizations of all sizes. And that's why resilience is the topic of our discussion today.
So what is resilience?
Broadly speaking, from a business perspective, operational resilience is the ability for an organization to readily adapt to a change in its environment.
What that comes down to in practice is the ability to continue to function and provide essential services during and after disruptions.
When we talk of resilience on a holistic level, that encompasses all the activities necessary to prevent, respond to, recover, and learn from operational disruptions.
Operational resilience encompasses adapting to both physical and cyber changes. For this conversation, I'm going to focus specifically on cyber resilience because in today's society, most physical environments come with a technology
or cyber component. We saw this was clearly the case with the pandemic. Physical offices were
closed and that necessitated adapting from a cyber perspective. The same can be said for other
physical situations such as natural disasters.
If a physical location is not functional because of a hurricane, earthquake, or tornado,
technology or cyber operations need to happen elsewhere for all but a handful of types of businesses.
Because technology is the underpinning of our society today.
So I'm going to discuss the core element of resilience, which is cyber resilience.
This actually fits very nicely with my background as I've been in the cybersecurity industry for 20 years now. So I've been looking at business operations through the lens of cyber for a very long time.
So why does cyber resilience matter?
In some ways, cyber resilience is akin to business Darwinism.
Generally speaking, the organizations that can better adapt to changes in their technology environments will fare better than those who struggle or fail to adjust.
The resilient ones are able to either continue operations during technology disruptions or readily recover and resume operations when an event occurs. Their financial and reputational
losses are minimized to the extent possible, and the business remains a going concern.
This is in stark contrast to the businesses that have significant downtime and face serious
consequences as a result. According to one company in the
resilience space called Veeam, up to 60% of small businesses fail after a successful cyber attack
due to the losses from business interruptions and the costs of recovering data. So the reality is
for most businesses today, cyber resilience is an imperative.
So let's talk about who owns the responsibility of cyber resilience.
This tends to be a difficult question to fully answer in many organizations
because many of the requisite responsibilities are shared between IT and
infrastructure and security. Certainly when it comes down to security issues, it's the security
team that identifies what is a concern that can lead to a major disruption in operations
should a successful cyber attack occur. But then it's often the IT or infrastructure or cloud or networking team
that has the responsibility of doing the work to address the security concern,
whether it's patching a vulnerability, fixing a misconfiguration,
or anything else along those lines.
Similarly, when there's a security incident, it's the security team who does the response and investigation work. But often the recovery process, such as restoring data from backups,
falls under the purview of the IT team. Additionally, there are standard IT complications
such as servers going down or internet going down and other complications which don't have
a cybersecurity cause and therefore squarely reside in IT's lane. So often cyber resilience is a shared responsibility jointly held by the CIO and the
CISO. Sometimes the CIO and CISO are peers in the reporting structure, but often the CISO reports
to the CIO. I've actually seen some movement towards flipping that paradigm so that the CIO reports to the CISO.
I recently posted about this on LinkedIn and was surprised to learn that the concept is gaining traction in some organizations.
In my role as the CEO and founder of KeyCaliber,
I have the opportunity to talk with lots of cyber leaders
about their challenges, and many of them are focused around challenges to achieving cyber
resilience. Generally, I see four major challenges they face in pursuing cyber resilience.
Number one, for many organizations, the biggest challenge to achieving cyber resilience is the complexity of their own
technology environments. They have on-premises and cloud assets. The cloud assets can be in
multiple clouds and they are in a highly dynamic state of being created and torn down.
They may have operational technology assets or Internet of Things assets, and often have unmanaged assets, referred to as shadow IT commonly.
Additionally, there's often a spectrum of assets that organizations must contend with,
from legacy systems that are outdated or end of life,
but cannot easily be extricated from operations,
to new technologies such as AI models
that bring a novel set of security concerns that are not fully understood or addressed.
This complexity tends to only increase as the business grows.
Number two, a lack of resources is often a major obstacle to cyber resilience.
When an organization is having a difficult time making ends meet, it's not going to focus on what would happen if there's a problem. Even when an
organization has sufficient funds, it doesn't mean that cyber resilience is a priority. As a result,
it's common to see organizations that lack the talent needed to plan and implement
cyber resilience strategies and or lack the technologies that make cyber resilience possible.
Number three, there is the challenge to cyber resilience that we cyber security folks understand all too well.
Cyber incidents are a major cause of disruption and cyber threats are growing
in intensity. Cyber attacks are happening at a greater frequency, the
sophistication of attacks is continually growing, and the sheer number of threat actors is expanding. Last but not least, number four.
The organization's dynamics can be an impediment to cyber resilience.
To build an effective cyber resilience program requires strategy, planning, and implementation.
If there isn't support and buy-in from senior
leadership, or there is not a clearly defined set of roles and responsibilities for IT versus
security, the organization will face an uphill battle in making its cyber resilience initiatives successful.
So what is actually needed for success in cyber resilience?
I'd like to suggest a simple, straightforward, five-step guide to how you can make cyber resilience work in your organization.
Number one, it starts with the tone at the top.
There must be support from your senior leadership that is demonstrated to the entirety of the organization.
This includes delineating who is responsible for each element of the cyber resilience program.
Number two, identify what your critical functions are.
This means knowing which assets and systems must be running in order to continue critical operations, generate revenue, and achieve your mission.
If you do not have this crucial set of information, you are setting yourself up for failure. Granted, this is often a very challenging
process, especially for large businesses, and many organizations resort to manual procedures for it
that can include interviews and surveys to obtain the right information.
But there are technologies that can accomplish this as well.
And for full disclosure here, my startup, KeyCaliber, does provide this technology.
Number three, devise your plans.
There are several essential documents for cyber resilience.
Your business continuity and disaster recovery plans and your incident response plans.
And these plans are for both security and IT incidents.
These must be drafted with the knowledge of the critical functions and any
regulatory compliance that applies. And they must be living documents that you revisit and refine
as necessary. Both the security and IT teams need to know these two documents. Yes, this is a step
in the direction of breaking down the silos that security and IT
often reside in. Number four, modify or build your cybersecurity and IT programs according to the
specifications of your organization's cyber resilience needs. This means that all of the critical functions
that are identified in step two
become your key priorities.
Make sure that you have proper backups
for all your critical assets and systems
and that you can quickly and easily access the backups
in the event of a cybersecurity or IT incident.
Make sure that you are effectively applying security controls on your critical assets and systems.
This can include implementing zero trust and ensuring that the assets and systems have the prevention, detection, and response technologies in place.
That includes vulnerability scanners, endpoint detection and response, firewalls,
and a host of other security stack technology that may be necessary.
And make sure that the security and IT teams
are aware of the critical assets and systems.
So when they see an alert or a notification
related to one of these assets,
they know that it is a high priority.
A Sev-1 incident or Severity-1 incident,
as I've heard it called in IT circles.
And that way they can respond accordingly. They know that they need to jump to focus on that first.
And lastly, number five, learn and iterate based on real world or tabletop testing.
The best way to determine whether your plans are solid
is to put them to the test.
Ideally, this is done in a controlled situation,
such as a tabletop exercise,
but in some cases, the testing will happen
while you're in the midst of an incident.
In either case, spend time reflecting after the fact to figure out what could
have been done better so that you are more prepared for future incidents. Then go back to the step
where you're identifying your critical functions with this newfound knowledge and work through the paces again. As the basic tenets of Darwinism stipulate,
surviving and thriving is based on the ability to evolve. So for my discussion on cyber resilience, I figured there'd be no better person to have
this conversation about it than with Tia Hopkins, who is the Chief Cyber Resilience Officer and Field CTO at eSentire.
Now, we're very lucky to get to speak with Tia. She is an incredibly busy person. In addition to
her role at eSentire, she is an adjunct professor of cybersecurity at Yeshiva University. She's a LinkedIn learning instructor. She has
co-authored two best-selling books, Hack the Cybersecurity Interview and Securing Our Future.
And she's the founder of Empower Her Cybersecurity, which is a nonprofit aimed at inspiring and empowering women of color to pursue cybersecurity careers.
And then out of the office, she's a women's tackle football coach.
So lots going on. But thankfully, she's made time for our conversation here today.
So thank you so much, Tia.
Yeah, for sure. Thanks for having me.
Excellent. So let's get started here for our discussion on cyber resilience.
So cyber resilience, relatively new concept, and certainly chief cyber resilience officer is a relatively new title.
So how did you get your role?
How did that come about?
Yes, an interesting question.
So prior to being the Chief Cyber Resilience Officer at eSentire, I was strictly field CTO, which is still part of my responsibilities today. And that was a lot of evangelism.
And that's our show.
Well, you know, part of it.
There's actually a whole lot more.
And if I say so myself, it's all pretty great.
So here's the deal.
We need your help so we can keep producing the insights that make you smarter and keep
you a step ahead in the rapidly changing world of cybersecurity.
If you want the full show, head on over to the cyberwire.com slash pro
and sign up for an account. That's the cyberwire, all one word, dot com slash pro. For less than a
dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus,
you get a whole bunch of other great stuff like ad-free podcasts, my favorite, exclusive content,
newsletters, and personal level-up resources like practice tests. With N2K Pro, you get to help me
and our team put food on the table for our families, and you also get to be smarter and
more informed than any of your friends. I'd say that's a win-win. So head on over to thecyberwire.com slash pro and sign up today
for less than a dollar a day. Now, if that's more than you can muster, that is totally fine.
Shoot an email to pro at n2k.com and we'll figure something out. I'd love to see you over
here at N2K Pro. One last thing, here at N2K, we have a wonderful team of talented people doing insanely great things to make me and this show sound good.
And I think it's only appropriate you know who they are.
I'm Liz Stokes. I'm N2K CyberWire's Associate Producer.
I'm Trey Hester, Audio Editor and Sound Engineer.
I'm Elliot Peltzman, Executive Director of Sound and Vision.
I'm Jennifer Eiben, Executive Producer.
I'm Brandon Karf, executive editor.
I'm Simone Petrella, the president of N2K.
I'm Peter Kilby, the CEO and publisher at N2K.
And I'm Rick Howard. Thanks for your support, everybody.
And thanks for listening.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.