Trying a different approach today. We don’t know how many official, true blue followers we have out there, and even for those we do, we don’t know how many of those would actually write in to us. However, if we do and if they did, we imagine this would be what they were like. So here goes:
Q: Hey PSG, love the insight – quick question – as the CISO for my organization, I am in a bind. The organization makes good profits and my salary is good but other than that, my boss doesn’t spend one extra dime on security. We may have a breach, we may not, we have no real way of knowing. Thank goodness it hasn’t reached the news papers yet but it’s only a matter of time. Other than that – keep up the good work – fist bump, hand slap. (Jim from Burke, VA)
PSG: Thanks Jim. Sounds like you definitely have a challenge in front of you. Have you thought about waiting until your boss is out of the room and doesn’t lock him computer and then sending out a company wide email granting Friday off for everyone? Perhaps that will show him that he can never be too secure. Just make sure he knows it wasn’t you or that salary might be out the window.
Joking aside, you have to keep at it. One of our colleagues shared with us that selling security is like selling insurance. People know they need it, but they don’t want to spend the money on it. So we’re sure you have gathered the facts and data but until it hits close to home it really won’t matter. There are a lot of programs you can do to assess your security posture without spending a lot of money. Check some of our previous posts for some low cost ideas. And if that doesn’t work maybe the “Friday off” email might make the point.
Q: I’m having a challenge at work. I can’t keep any of my employees. They get here. They get a little bit of experience and feel like they can take on the world, or be the BMOC somewhere else. Assume I’m a good manager and I have a good working environment in your response. (Richard in Sierra Vista, AZ)
PSG: If you aren’t a sports fan, google Lance Stephenson. He was a great team player for the Indiana Pacers who played great defense and a nice role for his team. When it came time for his contract to be renewed he asked for a little more than the Pacers were willing to pay. That and he had kind of worn out his welcome. But other teams were willing to pay more. And they came to regret it. He went to Charlotte where he could barely make it through the year and then got shipped to the Los Angeles Clippers who are now looking to trade him half way through the season. Those people are out there; you can have the best culture and climate and you could be one hell of a boss but it won’t matter.
But all things being equal, evaluate how you are retaining employees. Have you done an exit interview? What type of training are you giving them? How involved are the in developing and implementing security policies? Some people are going to leave no matter what and those matters may have nothing to do with you or the organization. But some leave because they want more opportunities. Help them with their career path and progression. And that investment in your employees can only help the organization in the long run. Some people will say that you can invest in people and they will still leave. That’s true but that shouldn’t hinder you from doing it. In the end it will only make your security team stronger.
Q: Kind of random question, but if a security issue were a character from Game of Thrones, who would they be. I’m going with young Lord Bolton. He’s such a crazy SOB that he would represent all those hackers who just work and work all the time to find your one weakness and exploit it. And then they not only exploit it but they share it with everyone else and just continuously rack you over the coals with it driving your business out of business. Heartless, calculating and without any remorse. (Jimmy from Colorado Springs, CO).
PSG: Ok, we like where you are going with this. Trying to infuse some pop culture into our security world – let’s roll with it. But a disclaimer – this is only an opinion based on the tv shows, we have not read the books so please no hate mail (actually we will take hate mail because that means we are getting mail). Not a bad thought on Bolton, that’s the character I think the whole world hates in ways we would never speak out loud. To see him punished for his actions in the worst possible way will never be able to satisfy us completely, but we’d love to see it. But to your question, we have two other potential characters:
- Cersei Lannister – mix of social engineer and hacker, she continuously shows a pleasant face outwardly and even tries to appear to play nice only to be looking for your vulnerabilities and exploiting them. And even when she is “caught” and has to do the walk of shame, you just know that she’s going to come back meaner than ever and she will have learned a thing or two in the process. While her character is mean and nasty, it’s going to be interesting to watch.
- Theon Greyjoy – this is your classic insider threat. He turned on the Starks and why not. Even though he was embraced as a brother, there was too much history between families not to think he didn’t have motivation to do so. This is a classic scenario that you can only uncover by knowing your employees and understanding what they go through on a day-to-day basis. And only then do you realize someone’s capacity to be a threat. And like a true insider threat or spy, he realized that selling them out may not have been all it was cracked up to be and had a lot of regrets. But the damage has been done, after all he has lost his balls. That said there is a reason why intelligence collectors/hackers/social engineers do a lot of homework to exploit vulnerabilities. They find those with issues, those who have conflict and drive a bigger wedge into it.
So in the end, Theon represents the biggest security issue to us.
Q: Hey PSG, first off, here is your first official hate mail. Second, I hate your work. I have never seen a worst collection of posts. Have a great day and I hope you don’t trip walking out the door. (Ulrich in Stockbridge, GA).
PSG: Ok, we wrote that on purpose to give us some hate mail. Actually we wrote this whole blog on purpose so I’m not sure why we did that. Moving on.
Q: So I’m a research scientist working on the next wave of technology for my company. I don’t want to get into details because it’s kind of boring and my NDA prohibits me from saying anything. That said, I have been invited to conferences overseas lately and it’s been the bomb. They pay for me to come talk, pay my expenses and it’s a great time. Not going to lie either, I get a lot of attention. Is this wrong – my work legal team said it was ok. Is this a security issue?
PSG: Ummm, where to start. YES! You have been spotted and assessed to come to their country and likely speak in front of a room of people staged to be there. All the while, the computer you left in your room is being exploited and they have pictures of you doing things you wouldn’t normally be doing. All to exploit you further down the line when the hard pitch comes in. Ok, is this the extreme worst case scenario, yes, but it represents a key principle. If things seem too good to be true, then they likely are. Before you travel, make sure you get a full pre-brief and debrief from your security office. You may even want to check in with the local FBI counterintelligence office. Not to say attending conferences and trade shows are bad and inherently evil, but you have to think about security first and foremost. You have to be suspect and view it with a critical eye. Know where you are going and what the threats are there. Then enjoy it.
That’s all for now, perhaps we will do this again in the future. If you want to submit a real question, comment below or DM us on Twitter.