What's the best way to ensure operational resilience against cybercriminals' tactics, techniques and procedures? Well, just rearrange the letters in TTP, and you get PPT: people, process and technology. This session will examine how organizations can score, benchmark and improve their cyber resilience through a combination of security processes, proper cyber hygiene and employee behavior, and a robust technology infrastructure. To do it right, all three elements need to be in place.
The worst has happened. You failed to protect one or more managed services clients from a cyberattack. Maybe you were even infected yourself. Or perhaps a failed product launch or negative engagement with a customer has resulted in a scathing review. There are lots of ways an MSSP can wind up with a tattered reputation -- and sometimes they're not even fully to blame. And that's why a good incident response and disaster recovery plan means not only getting your IT networks up and operational again; it also means salvaging your reputation and not letting this incident define you. This session will look at strategies for restoring your image after something goes very wrong.
Show Notes: https://securityweekly.com/cfh20
[00:00:00] Cultivating operational resilience through people, process and technology, and rehabilitating your reputation after a security setback. That and the latest news and trends in the managed security space, coming right up, on Cyber For Hire. Building bridges between managed security providers and their clients, it's the podcast
[00:00:22] where MSPs, VCs, and end users take a united stand against cybercrime. Cyber For Hire. Alright, welcome friends to episode number 20 of Cyber For Hire, how's everybody doing today? I'm Bradley Barth with SC Media in New York and joining me today 13 time zones away in Japan
[00:00:43] is my co-host and partner in cybercrime, Ryan Morris, principal consultant with Morris Management Partners. Ryan, let me just start off by asking you a question since you do so much overseas traveling.
[00:00:55] The longest flight I ever had was maybe about 10-10.5 hours or so, so I want some advice from you. How do you pass the time on a really long flight so you don't go insane? Well, see, that's the thing, right?
[00:01:11] Hey, you try real hard to pass the time and, you're probably actually also going to go insane. It doesn't matter how many movies you watch, how many podcasts you listen to, how much you read, how many spreadsheets you work on on the computer.
[00:01:27] At about 10 hours, literally there comes a point where you look around and go, are we landed? Are we there yet? No, we're not. This one, we were from Frankfurt over the top of the globe down into Tokyo, Japan.
[00:01:43] All in it was about 15 hours and I will tell you, I did. I got to the point where my ears hurt so bad from wearing my headphones that I had to just go old school and read an actual book.
[00:02:01] Like an actual hard copy book that I had with me, that one got me through until I could, you know, falsely, be delirious before I got off the plane.
[00:02:10] All right, well, I was hoping maybe you'd have some kind of magic formula for me, but I guess there is no magic formula. You just kind of have to, you know, to deal with it and cope however you can. Yeah, so fair.
[00:02:20] You do what you can and what I will say is being six-two and a reasonably large size individual in this world makes it all that much more difficult when,
[00:02:31] when I look around the airplane and I see all the folks that are five foot two coming back to Japan, I look at them with great envy because even an economy plus seat that reclines, you know, like this far,
[00:02:46] that's still actually quite comfortable for somebody that size, but when you put the actual oversized human in that chair, there is no comfortable position. Yeah, well, a lot of those airlines, they certainly do pack you in like sardines and comfort isn't top of their mind,
[00:03:03] but I guess that's just the perils of traveling overseas. All right, plenty of coverage today as always, but some news just can't wait, which is why we want to share with everyone what's top of mind.
[00:03:14] So here's your headline: the German IT services company Bitmarck, a big tech player in the healthcare and health insurance sector, shut down its customer and internal systems and its data center following a late April cyber attack, as part of its recovery plan.
[00:03:32] The company has been methodically and gradually bringing the systems back online based on priority oriented procedures that take into account individual customer situation.
[00:03:43] And the respective operating center that they rely on. About 35 health insurance companies are also taking advantage of some of the interim solutions that Bitmarck has propped up, allowing them the disbursement of sick pay and other payments directly and allowing them to carry out other critical orders, all in a secure environment.
[00:04:07] But Bitmarck is still warning there'll be some road bumps along the way, noting that the restarting of individual services will bring with it renewed temporary service flaws.
[00:04:16] So, you know, at the very least it seems like customer and patient data was not affected, apparently. Ryan, why is this top of mind for you? See, I can think of three things that made this one jump right to the top of the stack. Number one: critical failures.
[00:04:34] This happens a lot. People in the world of cyber security and data protection, business continuity, we like to talk about that as though it is a philosophical kind of a debate, right? You'll get into this with some clients where they're like, well, in the hypothetical when we might be out, how long would it take for us to get back in to full business operation?
[00:04:57] We talk about things like recovery point objective and recovery time objective, and because we're techies we even have fancy little acronyms for those things.
[00:05:07] It's all just an academic exercise until something legit happens, and you made the key point as you were introducing this story: they went down in late April, and as of the first week of May
[00:05:23] they're still down. That's not kidding. I would say from an old data nerd's perspective in this industry, the one thing that we don't do often enough is real-time practice for actual severe interruption of service.
[00:05:44] That's you know, we often talk to people and we say well hey how resilient are your systems and do you have a business continuity plan and how soon would you be able to get back online and everybody's gotten data.
[00:05:56] Everybody's got a plan: it's going to take this long, you know, it'll bring these systems back up and then those systems back up. To which a very wise person once told me that the best question you can ask right after that is, so how do you know?
[00:06:13] It'll take me two days to get back online. Oh, you know, well, because that's the way we've scripted it. Cool, you know that old Mike Tyson quote: everybody's got a plan until they get punched in the face.
[00:06:25] These kinds of things happen and it will take people outside of their philosophical operational boundaries, and my very first reaction to this story was we need some serious, significant
[00:06:41] real-time exercises. Don't just do this philosophically. Your data continuity and your business continuity plan needs to be tested in real time with the risk of things actually going offline.
[00:06:55] One thing that made this one jump up to the top of mind for me is this is not even the first time in the last two weeks that you and I have talked about severe interruptions of critical operating systems in the healthcare field.
[00:07:10] That trend is accelerating all the data that we see is you know, it's not just financial services. It's not just manufacturing but healthcare systems that might be the most intimate personally identifiable information that we deal with with our customers and that stuff is in the crosshairs people are coming for it.
[00:07:31] And this is yet again another example of, it's not like a little mom and pop health records company that manages a few things, you know, we got some patients that drop by the office once a year and get a regular check up.
[00:07:46] These are hundreds of thousands of records and customers and employees who are out of their operating comfort zone simply because of this downturn. So just because you're big does not mean that you are protected from all of these things. It is possible to knock these big companies down.
[00:08:09] The third thing that really came to mind is the point that you closed with in the introduction. Even though they are coming back online, they are standing back up old-fashioned versions of their services and they anticipate that there will be basic operational interruptions in those new services as they spin them back up.
[00:08:32] You know, we spend years fine tuning our operating systems, our applications, our databases, all the workflow everything that we use in this business world.
[00:08:43] We put all the work into making that stuff better and you look back and you say, can you imagine going back to the way things were two years ago? Like, wow, how would you even survive? Well, the answer is you, and unfortunately others in the industry, are about
[00:09:01] to find out what it's like to go in the DeLorean back in time and go back to operating in the bad old days. That is the bottom line that we're seeing with a lot of companies in severe cyber interruptions when actual business systems go down.
[00:09:21] Their answer is, well, we're going to go back and operate like it's 2018. And maybe we know what we're doing and maybe we don't. I would argue most companies legitimately don't have a plan for a massive disruption like that.
[00:09:37] It's time for all managed security service providers to step up not just the real-time services that you provide, not just the preemptive services, but the potential for disaster recovery and business continuity.
[00:09:54] A lot of people don't think of backup and recovery as a security protocol. I'm here to tell you no matter what else you do in cybersecurity, the baseline of everything we do is backup. So let's test those things.
[00:10:11] All right, Ryan, very good. Well, we'll certainly keep an eye on this particular story and see if there are any other future developments worth covering and certainly we want to hear from you if you have any thoughts on this or anything else in our show.
[00:10:23] Please write to us at cyberforhire@cyberriskalliance.com. Anyway, that's going to be our top of mind hot take for the day. There'll be more news later in the show.
[00:10:32] But first it's time for our featured infosec strategy topic of the week, presenting our big idea in security: cultivating operational resilience through people, process and technology.
[00:10:46] Now due to a scheduling conflict, I recorded this segment with our guest expert at an earlier time. So please enjoy the following interview that we're about to play for you and Ryan will be rejoining me for the second half of the show.
[00:11:01] What's the best way to ensure operational resilience against cyber criminals' tactics, techniques and procedures? Well, just rearrange the letters in TTP and you get PPT: people, process and technology.
[00:11:17] This session will examine how organizations can score, benchmark and improve their cyber resilience through a combination of security processes, proper cyber hygiene and employee behavior, and a robust technology infrastructure. To do it right, all three elements need to be in place.
[00:11:35] To discuss this further, we'd like to welcome in our guest speaker Pete Bowers, COO at the UK-based managed security services firm norm, where he is responsible for the overall operational and financial functions of the business.
[00:11:49] Pete also oversees customer innovation and success and plays a pivotal role in the ongoing development of cybersecurity and data protection services for norm's growing client base. His previous roles include director at confido and CEO of Interroot.
[00:12:08] Pete, thanks very much for being here today, glad that you could join us and as always we're going to jump right into things. In the UK, the Financial Conduct Authority recently ushered in new operational resiliency rules for financial organizations.
[00:12:25] So that happened last year. Meanwhile in the US, the SEC just recently proposed some new rules which include requiring organizations under its authority to include third party providers when conducting their business continuity and disaster recovery testing.
[00:12:43] So as much as we often think of regulations as they pertain to data privacy and notification after a breach, it does seem like maybe there's been a growing emphasis on the notion of post-attack resilience and recovery.
[00:13:01] I'm wondering if you agree with that and would make that same observation. Hi, Bradley. Firstly, thanks very much for having me today. Great to be here and talking to you. Yeah, I think you're right.
[00:13:14] You know, regulation is increasing and there's a simple reason why regulations increase, both in the US, the UK and beyond: it's because of the increased amount of cyber attacks and cyber threats that are out there.
[00:13:28] Governments and regulators realize that they've got to do more to try and stimulate industry and organizations to try and put in the right measures, both pre-attack and post-attack, to be able to recover from such an incident.
[00:13:43] So if you look at the operational resilience regulations that came into play at the end of March last year, 31st March '22, they are focused on making sure organizations, particularly those within the financial sector
[00:13:57] and governed by the FCA, have robust plans in place to deliver their essential services, no matter what the disruption. So operational resilience typically is related to operational elements of making sure they can deliver their services, but key to that is cyber resilience, and what plans do those businesses, those organizations, have in place to respond and make sure they're inherently resilient should the inevitable happen, as it quite often does.
[00:14:27] Absolutely, so I know that you want to kind of take us through these three key elements that are all important to operational resilience looking at resilience and how to do it right from a people process and technology perspective.
[00:14:45] So let's break up this interview segment into those three elements and hear some of your observations and recommendations for best practices among all three of those.
[00:15:01] So I believe in this particular case you'd like to start with the processes, so let's do that first and talk a little bit there about what you would identify as some of the key best practices that organizations should be following.
[00:15:19] Yes, certainly. I think when you look at how to make a business cyber resilient, which, as we talk about, feeds into operational resilience, typically there's no silver bullet, and so simply looking at incident response plans or business continuity plans or information security plans, or even buying products and services to satisfy technology challenges, is never really going to be suitable and acceptable,
[00:15:46] Both the regulator and actually to protect that organization and make sure that that business is resilient.
[00:15:52] So the way to look at this, and if you look at the way regulators expect businesses and organizations to do it, the way insurers expect you to do it, the way your customers expect you to do it, is make sure you as an organization are cyber resilient.
[00:16:07] And to do that we look at it in the sense that you have to address those three angles of processes, people and technology.
[00:16:15] So from a processes perspective, what I call the foundation of your cyber resilience plan is, what actually is your cyber resilience plan? Are you doing the basics right?
[00:16:25] Have you got the right policies in place, the right processes in place, both in terms of how you process data, how you handle data, how you handle your confidential assets within the business,
[00:16:38] and also those technology processes: what do you do when you onboard a new starter, or what do you do when you want to offboard a starter,
[00:16:45] and those typical information security policies and processes that we see within the industry. In the UK we have a national cyber security standard called Cyber Essentials
[00:16:58] and Cyber Essentials Plus, which is really the foundation for any business to be able to undertake, to be able to go and project to the outside world that they've got the basics in place.
[00:17:09] And then of course the international standard from an information security perspective is ISO 27001, and that takes a much more risk-based approach and allows organizations to really understand the risk within their business,
[00:17:21] understand the controls they want to apply and then apply those controls based upon the risk, and that can be different for every single organization.
[00:17:29] But if you start at that position of getting your processes right you give yourself a foundation, but that alone, without doing other elements, isn't going to secure an organization on its own; it's not going to make you resilient, it will have things written down.
[00:17:44] But it's key to test those and it's key to constantly evaluate those processes.
[00:17:49] The next level in the stack, if you like, in terms of making your business resilient is looking at how an attacker can potentially infiltrate your business. Well, that's typically through our people. We often hear people being called
[00:18:06] the human firewall, or we also hear them called the weak link, and every element in between, but people are key to your business, people help your business work, people actually are your business.
[00:18:19] And therefore there are an easy target sometimes quite often people are busy quite occupied they've got lots of tasks to do.
[00:18:27] And particularly if we look at the current state of the macroeconomic economy across the globe at the moment, there are challenges in certain sectors of industry in terms of layoffs, and so therefore you create
[00:18:40] disruptions within that people environment, and you want to make sure that those people understand their obligations in terms of protecting your business.
[00:18:49] So typically in the past some businesses, some organizations, will do induction training for security awareness, they will do a once a year PowerPoint presentation, and really that's been proven over the past few years to be insufficient.
[00:19:07] You have to train your people, you have to educate your people on a constant basis, that's either serving them easy-to-consume content at home, making it relevant in terms of their personal work life. Since the pandemic that we all experienced,
[00:19:24] Work that work life mix has become even more blurred people don't go to the office and then come home and switch off anymore it is.
[00:19:32] Work life is now completely intertwined and the devices we use and where we actually use them from so making sure that people are aware of their surroundings making sure that people are aware of their obligations to protect.
[00:19:44] business data and their employer's data as much as they protect their own personal data, such as their banking information, is really quite important, and you just got to keep that front of mind. So that they're constantly thinking about every time an email comes in,
[00:19:58] do I click on this link? It just needs to be front of mind, and there's various tools and platforms that allow you to do that.
[00:20:06] And then it's trying to gain insight into how those tools are working, so if in the old days you go and present an annual PowerPoint presentation or make people watch a video,
[00:20:16] you typically would have taken a list of who attended; we don't know actually who understood and who digested and who comprehended that content.
[00:20:24] And so by testing that on an ongoing basis, both through simple assessment tests, simple confidence tests or simulated phishing, which lots of people do now,
[00:20:34] it's taken as part of security awareness engagement to make sure you really understand within your organization who are the people who really do get this and it's front of mind, and who really could do with some more assistance in terms of further education or further understanding, because I think
[00:20:53] there was a recent survey towards the back end of 2022, and it's a pretty common number that comes around, around 85% of attacks on businesses
[00:21:04] are typically done through people, it's through leveraging sort of phishing or targeting senior people within an organization, known as whaling, another great term, but
[00:21:18] in terms of trying to exploit that human factor and trying to infiltrate a business that way, it's still very common, yeah, and it's quite easy to do.
[00:21:26] Absolutely, and for those who maybe are listening as well and saying, you know, anti-phishing training is obviously a very important security awareness tool,
[00:21:40] Certainly from a preventative measure but you know how does it also impact my resilience well I think we talked about this a little bit and the answer to that is is that.
[00:21:51] While sure, you know, the training is also meant to stave off attacks in advance, the training should also cover scenarios of, if that phishing email actually gets through into your inbox, how to properly dispose of it, who you're supposed to alert within your organization.
[00:22:11] If an attack does perhaps reach an additional stage, how to conduct a response there, so really it is as much about the response as it is also about preventing the phishing attack from proceeding further as well, so really it covers both sides of the equation.
[00:22:34] Absolutely Bradley you know for sure it. A comprehensive awareness program if you like educate the individuals both from the preventative side at both on the reaction side because because it's so prevalent as I mentioned before.
[00:22:52] The attacks through that way so it's important to train your user and your employees not to panic to think clearly think precisely in terms of what to do from when that happens.
[00:23:04] And similarly, training can go beyond just the whole employee base; you may target training specifically at different functions within the business, so part of the training may be training around incident response.
[00:23:16] So what happens if this scenario has happened, how do we manage it, how do we inform our stakeholders, how do we inform our customers, how do we inform regulators if there's personally identifiable information involved?
[00:23:28] And we have to inform the regulator across Europe in terms of the GDPR. All that training is really a case of making sure your organization and those people working within it are as prepared as they possibly can be for what is becoming inevitable.
[00:23:44] I think we saw too, even in the way that you started to present, talking about some of the key processes that you need to have instituted in your organization for resilience, you so smoothly segued right into the second
[00:24:03] and very important element of this triangle, which is people, and that just shows how much overlap there actually is between people, process and technology.
[00:24:13] There is a lot of overlap there and so certainly part of that training as well and getting your workforce up to speed is also training them on the processes and controls.
[00:24:29] you as an organization want to implement, and so I know that we had talked about, even in our last discussion and prepping for this call, that you know that could include really a mix of both,
[00:24:43] you know, technical measures and then organizational measures like various governance policies, and so maybe you can also, if we can rewind a little bit, talk a little bit more about the process and how it interplays with the people aspect of things as well.
[00:25:05] How do you make sure that your various policies are properly being followed and enforced, and that the technical measures you've implemented are being properly used?
[00:25:19] Well, I think the way organizations can do that quite easily is if they adopt a framework and they adopt a standard to follow as best practice, so I mentioned in the UK Cyber Essentials,
[00:25:30] internationally ISO 27001, of course, that has a very comprehensive set of controls within the framework. If a business adopts a framework like that,
[00:25:42] it can then go out and get external certification and get an external audit to validate those controls are working in the first instance, and that allows you then to go and demonstrate to your stakeholders that you are doing those basics right, you have got them in place.
[00:25:57] An auditor will come along and test a sample of the controls that you put in place, but they could be the response capabilities in terms of business continuity plan,
[00:26:07] they could be the preventative controls you put in place, they could be how effective the staff training is working, and they will be looking at a sample.
[00:26:16] I think one of the key things from the operational resilience guidelines, both from the SEC and the FCA in the UK, is making sure the board understands the resilience of the organization and the risk within the organization.
[00:26:32] So at a 27001 level you have a risk assessment from a more specific perspective, but if you're deploying the three elements that we talk about, processes, people, technology,
[00:26:45] you should be able to measure how each one of those individual components is working and therefore contributing to your overall cyber resilience, as we call it in norm.
[00:26:55] But I think each of those, you mentioned about the overlapping, is really key, and I think what demonstrates that best is simply the Annex A controls within ISO 27001.
[00:27:10] You have people focused controls, you have preventative controls, you have reactive controls and you have technology controls, and those combined, when they're working together,
[00:27:20] give you a good chance of protecting your business but also being able to respond to it, and I think on the resilient side of it and the response side of it, in short, the insurance market is a very good place to follow from a vantage perspective.
[00:27:41] If you look at the way insurance policies for cyber are being written now, they are as much about having preventative controls in place as they are about actually being able to respond to an incident.
[00:27:54] How can we stop the losses as quick as possible, how can we get the business back up and running? And so the two are working very much hand in hand, those preventative pieces
[00:28:02] and the reactive pieces, and I think when you come into the technology side of it, where we talk about processes, people, technology, the right technical controls are proactive, preventative and reactive, the resilient element of it, and the proactive side of the preventive element is
[00:28:23] understanding where your technical risk lies within the business. So do you understand all the devices that are connected to your environment, do you understand where they are, do you understand who's got them, do you understand what vulnerabilities they have on them, do you understand what they're doing within your organization?
[00:28:41] And then make sure that you are patching those devices, making sure that you're configuring them correctly and that they are inherently secure, and that changes constantly, changes on an hourly, daily basis as new vulnerabilities are discovered.
[00:28:56] And then the reactive side of it is, okay, if we've got the processes in place, we've got our people trained, we've got our vulnerabilities understood, what do we do if an attack happens? How do we firstly detect it?
[00:29:11] How do we identify the suspicious activity going on across the organization, whether that's on a device, or a user account in Office 365, on a network, or an inbound account? What does malicious activity look like, how do we detect it
[00:29:25] and filter it out from the noise, and then how do we respond to it? Do we isolate the environment, do we shut the port down, do we block an IP address, do we isolate the device?
[00:29:37] Has it propagated out into the wider environment, and therefore do we need to contain the specific subnet or network? How do we respond to that, and having those playbooks in place, having those response plans in place and testing them, is really, really key.
[00:29:54] Absolutely and you know one of the again this really involves people process and technology all three of these things.
[00:30:03] Can you talk a little bit about how having a business continuity or disaster recovery plan requires all three of these elements that we just discussed as well? Because it's really everything from having the technology and the systems needed to be able to properly,
[00:30:23] you know, restore any of the systems that were affected, and to basically take advantage of any backups or redundancies that you might have, and at the same time, from a process and people perspective, you have to, you know, train people how to deal with
[00:30:40] downtime situations, you have to have processes in place for, basically, this is kind of our emergency protocol for right now: our website is down, or we're a hospital and we can't actively accept patients right now, we might have to divert them.
[00:31:00] There's really elements of people, process and technology to all three aspects of business continuity and disaster recovery while in mid-crisis and managing that. I'd be curious to hear some of your thoughts on that. Yeah, absolutely, Brad.
[00:31:18] I think, yeah, it all comes down to the planning of that business continuity plan and disaster recovery plan.
[00:31:24] If you start at that foundation level I talked about, where I see processes, it's actually what are our key systems, what are our key services we need to deliver,
[00:31:35] how long can we live without them if we lost them? And typically, again, going back in the day, spending the first part of my career on the customer side, if you like, to where we work now, and
[00:31:49] worry about business continuity plans in it running a technology function with within various different industries.
[00:31:56] You typically looked at what were the physical events that could happen you looked at what would happen if a plane landed on a building what happens if we have snow or tornadoes or bad weather and then you'd slowly talk about well what happened with the if the technology environment just stopped.
[00:32:13] Yeah when service packed up or data centers weren't available or internet connections typically went down. Now business continuity plans have got to evolve around cyber because in reality.
[00:32:24] We don't see planes drop the on buildings every day of the week we can live with the in climate weather are internet connections have got a lot more resilient.
[00:32:33] Data centers of go a lot more as in the technology's got a lot more as in it one of the biggest risk now is actually cyber and so in those planning in those continuity plans it's considering what could happen for cyber perspective.
[00:32:47] And what is the what's the what is the outages that I can tolerate so the same outage conversation but actually what is my what is what can I tolerate so making sure you understand those in the first instance and so that process element is okay.
[00:33:01] What are the services that need providing, and if they do go down, what are the processes to keep those services running? So if you take your medical example: well, if I haven't got systems and technology services in place in a hospital,
[00:33:18] which of the services can we provide? Can we still provide triage, can we still provide outpatient care, can we go to paper-based? So understanding all those processes in the resilience capability and keeping services going is really key from a process perspective.
[00:33:36] Then of course overlaid on top of that is your people piece. Well, actually, if something happens, who needs to be involved? What's the team, what's the crash team, if we talk about the medical environment again?
[00:33:48] What is that IT emergency team I need on board to help
[00:33:52] keep the continuity going, keep the services running? But also outside of that, who do I need to inform? Which people need to understand the business continuity plan, and then which people need to be told that something is in place?
[00:34:04] And that, depending on the industry, can be an internal group within your organization. If you're a public-facing business, you're a consumer business, you of course have to tell your customers, you have to tell your news outlets and make sure that communication's managed.
[00:34:17] And then on the technology side is really the disaster recovery piece: making sure on the preventive side you've got the right
[00:34:25] backups in place, you're testing those backups, you understand, if I lost all my data, worst-case scenario, how long would it take to restore that, and making sure that in the event of a cyber incident, actually, from an incident response perspective,
[00:34:42] have I made sure the bad guys are out? Am I restoring a backup that actually has been infected, so I'm just overlaying problems after problems? Quite often you see customers, when they come to us from an incident response perspective,
[00:34:56] they think they've got the bad guys out, they've restored it, but they're still in there. And it's the tools and technology put in around that to start isolating that environment and start cleaning it up and get it back on.
[00:35:07] Yeah, Pete, from your own experience and observations, taking this from a managed security services provider point of view,
[00:35:20] where typically are organizations most in need of help from their managed services provider: the people area, the process area, the technology area? Is there one that customers, clientele, typically tend to be a little bit weaker at than the others, that they need reinforcement in?
[00:35:45] I think it depends on the industry, and it depends on the geography as well.
[00:35:50] I think certain businesses that are what I call technology-led, in terms of the foundation of their business is through technology, so maybe an e-commerce platform or maybe a SaaS platform,
[00:36:05] they inherently understand technology, so they inherently have relatively good technology controls in place, and their people and processes are particularly robust.
[00:36:15] If you switch that to manufacturing industries, they're typically traditional IT environments, because IT is there just to support the information workers within the business and some of the production plants, but
[00:36:31] there's not an IT/OT crossover, and quite often the technology controls in place are sometimes inadequate. But actually what we see the most, in the majority of organizations we speak to, is that people are doing elements in terms of addressing cyber risk,
[00:36:51] but they're not doing enough in terms of a holistic approach across process, people, technology, and therefore they don't have really good insight as to what their cyber risk is. They assume that because they bought this product, that's it,
[00:37:04] they're safe. Because they've got 27001, then they're safe. We run red team penetration test exercises with our business; we pen test 27001 organizations, and in reality, if they're not doing the other elements, it is as easy to get into as someone who hasn't.
[00:37:23] So it's really important to keep all those three elements working and have that visibility of what the actual cyber risk is within the business.
[00:37:31] Understood, Pete. Well, you know, you bring up the notion of risk, and that it can be difficult for some organizations to truly assess risk correctly: what is something that truly represents a grave threat to them, and what in particular they need to
[00:37:53] shore up their response to so that they can be resilient. And that really offers us a nice opportunity to transition here
[00:38:02] to talk a little bit more about what you particularly find to be among the most serious threats out here in the cyber world. As we know, and we've mentioned before in previous episodes,
[00:38:16] the cyber security community is full of Chicken Littles out there that are constantly warning us that the sky is falling.
[00:38:24] When in reality some threats are a little bit more over-exaggerated or maybe a little bit more down the road, and some are more prevalent and important to address right away. There are times where the danger is very real.
[00:38:39] And I want you to try to help us identify which among the threats that are out there today are the ones that are very real.
[00:38:47] So with that, I would say let's all gather around the campfire and hear from our expert Pete today for a little scary story on what keeps him up at night, what gets his spidey senses tingling.
[00:39:00] And so with that we're going to do a little segment that we like to call what scares you.
[00:39:06] So Pete, having given you this little bit of an intro here on what we're looking for, I now turn to you and ask you, Pete, what scares you?
[00:39:19] Well, in the business that I'm in today, the biggest thing that scares me is our customers suffering an attack, and you mentioned people often ask what's the biggest threat out there.
[00:39:32] The reality is there is a threat out there. Will it get everybody tomorrow? No. We talk about the war in Ukraine, we talk about layoffs and disgruntled staff.
[00:39:42] We talk about specific vulnerabilities in terms of Log4j, or the Exchange vulnerabilities, which get big headlines and big alerts. But the simple fact of the matter is there is a threat out there, and we see that every day on the news.
[00:39:58] What we try and do, and what I'm constantly talking about, is making sure businesses are prepared for that threat. And if businesses are prepared for that threat, then, well, it's never nice when you see a customer or potential customer suffer a breach,
[00:40:14] there's some comfort in the sense that actually you can respond to it really quickly.
[00:40:19] If you think about organizations, and this is the majority of organizations out there, that aren't putting adequate controls in place, aren't addressing it holistically, and therefore what they don't always know is if an attack has happened, and it typically only manifests itself
[00:40:35] months after the attacker has first been in there. So if you compare that to those organizations that have put the adequate controls in place,
[00:40:44] Whilst it keeps us awake at night, there's a bit of comfort that you've got a team behind you, you've got people responding to it and isolating that and building your resilience up as soon as possible.
[00:40:57] But yes, you have a lot of responsibility in this industry, and so you sleep, but, yeah, it's one of the things that you do worry about.
[00:41:12] Yeah, well, I guess one aspect of that then, if the concern is about, you know, the fate of your customer should a cyber attack strike them, is making sure,
[00:41:26] you know, if you are partnering with them, that they're taking your recommendations seriously. Right? Like, I'm sure at times one of the challenges of any managed services provider is the idea that the client may not always take every recommendation
[00:41:47] as seriously or as expediently as you would like them to. And maybe, bringing it back to the whole concept of people, process and technology, maybe they're not emphasizing some of these best practices that you are.
[00:42:05] So how do you try to drive home those points to your customers and make sure that they are taking your advice seriously? What would be your best advice for how to make sure that you are really getting through to them?
[00:42:29] So I think it's all about, there's a lot of organisations that are complex, particularly as some of our customers are geographically dispersed throughout the world. So they've got complex environments in the current world we live in.
[00:42:44] Some of those environments are on premise, some of those environments are in the public cloud, but most of them are somewhere in between, and so that makes quite a complex environment to understand. And their people are distributed at home, in coffee shops, in offices and traveling
[00:43:01] around just as much as we did. So I think one of the things that we think is important is making sure, within all that noise, you start to focus on what are the key things that you can improve, and improve over time, and try and prioritize those improvements.
[00:43:20] Within the managed service that we offer, our service called Smart Block, every month we produce a report that has those highlights in terms of what you should be doing across people, process and technology and where we think the key risks are, correlated with
[00:43:38] what the most emerging threats are. We also provide a focal analyst, as we call it, which is a senior SOC analyst who is assigned to a customer, that talks that customer through, in terms of what they really should be doing, on a monthly basis.
[00:43:55] So that both parties understand and are working together to increase that cyber resilience within the business and increase that preparedness, both preventative and reactive, and making sure that actually we are doing everything we possibly can to make you safer than the next guy along the street.
[00:44:16] All right, Pete, thanks very much. Really appreciate all the thoughts and insight on this very important topic. Glad you could share with us some key best practices around people process and technology. With that said, we're out of time.
[00:44:29] So that's going to wrap up the first half of our show. Please return for part two of our episode. My co-host Ryan Morris will be back and we will be tackling our big idea in business, which is all about recovering and rehabilitating your reputation following a damaging incident
[00:44:47] or a bad customer review. That plus our info-sec news rundown and our dear cyber-for-hire advice column segment all coming up shortly so we'll see you in a moment on the other side. Struggling to monitor the growing threat landscape, pressure to reduce costs, security skill gaps,
[00:45:12] facing compliance issues, these issues can translate to operational, financial, regulatory and reputational risks to your business. Checkpoint can help. Checkpoint combines an MSSP Enablement Program, Cloud Delivered Multitenant Management, SOC Platform, and Superior Threat Intelligence capabilities to give MSSPs the confidence to grow profitably at a reduced risk.
[00:45:38] Checkpoint is 100% channel driven. We partner to deliver the best security everywhere. Visit MSSPAlert.com slash checkpoint. All right, welcome back to Cyber For Hire, the managed security podcast. Once again, I'm Bradley Barth with SC Media. In the first half of our show, we talked with key powers at norm
[00:46:00] about improving your resilience through a combination of people, process and technology. Right now, I'd like to welcome back in my co-host Ryan Morris from Morris Management Partners because it's time for us to examine our MSSP business and industry topic of the week.
[00:46:17] So presenting our big idea in business: rehabilitating your reputation after a security setback. The worst has happened. You failed to protect one or more managed services clients from a cyber attack. Maybe you were even infected yourself, or perhaps a failed product launch
[00:46:39] or negative engagement with a customer has resulted in a scathing review. There are lots of ways an MSSP can wind up with a tattered reputation, and sometimes they're not even fully to blame. And that's why a good incident response and disaster recovery plan means not only getting
[00:46:55] your IT networks up and operational again, it also means salvaging your reputation and not letting this incident define you. This session will look at strategies for restoring your image after something goes very wrong. So Ryan, as always, let's jump right into it.
[00:47:14] I think the place to start here is just how bad is a bad reputation. We have seen some precedent of there being instances of a company suffering a major breach, and sometimes they take an initial hit with their reputation, but then we'll see that,
[00:47:30] let's just say with more of a business-to-consumer type company, we'll see, like Target is a great example of one where they suffered a big breach and eventually the customers all still kept flocking back, and over the long term, no major damage to business.
[00:47:52] But do the same rules apply to an MSSP when they experience a damaging breach, or they fail to protect a client from a breach that realistically they should have caught? Is it as easy for them to come back from something like that with their customer base?
[00:48:13] See, I think you make an absolutely critical distinction there. The difference between the end-user organization having a security breach in their own systems, exposing data of their own customers, in the industry we like to talk about that as an
[00:48:31] existential activity. Like, oh no, you suffered a breach, you might literally cease to exist as an entity, except that those consequences literally never happen. Now, every rule exists for the exception to be proven, and there are exceptions when smaller, particularly exposed or brittle
[00:48:55] organizations suffer. It's the straw that finally broke the camel's back. We've seen a number of those things, but as you hinted at, there are some very large, very well-known security breaches where the end-user organization, they apologized, they gave the mea culpa, they said,
[00:49:13] hey, I'm going to try harder, and everybody still went back to the store. Everybody still subscribes to their software. They don't pay the permanent price. However, as the service provider, you live in a completely different era of expectation and risk associated with these things.
[00:49:36] Think about it this way. You mentioned Target as one of the good old-fashioned examples when, not just once, several times, they had breaches. We all know about the one that came in from
[00:49:47] the HVAC contractor, but they had other exposures where they were continuously, over a couple of years' period, making an announcement. People had to get new credit cards, whatever. The business of Target
[00:50:00] is to sell you stuff in a store or in an online environment. Most of the time, you physically get in your car, you go park in the parking lot, you walk into the store, you intend to spend $30, you end up spending $300. That's their business model, right? Cybersecurity is
[00:50:18] ancillary, and as practitioners we want people to take it seriously and believe that it is, quote unquote, mission critical. For a service provider, it is existential. It is literally the reason why we exist. Therefore the damage to reputation for a service provider in one case can be a
[00:50:43] going-out-of-business, and it's not fair, it's not an equal division of risk and reward. The end user is protected and shielded. They can always just point to that service provider and go, well, we trusted the professionals, right? That's not fair. It's not equal, and that's really,
[00:51:06] that's the bargain we signed up for as practitioners in this industry. I think that it's absolutely vital for us to not get complacent, because the fact that end-user-facing organizations don't go out of business when they suffer reputation damage does not apply to the service provider. We have
[00:51:29] a higher level of risk and expectation and we need to live up to that higher level of expectation. All right, let's continue with the scenario of there being some kind of a damaging compromise or
[00:51:43] cyber attack of some form. We can talk about some other scenarios in a little bit, but in your mind, Ryan, what's the playbook for when one of these incidents does actually happen? Obviously the best-case scenario is that you nipped it in the bud, but if you didn't,
[00:52:05] now there's a reputation to rebuild. There's got to be a short-term playbook strategy here, I would imagine, and long-term. Maybe in the short term you're trying to frame for everybody a little bit what happened, put it in perspective, there's maybe a
[00:52:22] PR element to this, but long-term it's probably more of actually doing the work and proving that this was a one-time mistake and you've learned from it and it's not going to happen again. So what's the short-term playbook here, and then what's the long-term playbook here?
[00:52:44] See, it's good to look at it in those two contexts, because as we've heard guests on our show say before, in interviews that we've done with them, there's basically the old cliché in the industry is
[00:52:56] that there's two kinds of organizations: those that have been hacked and those that don't realize that they've been hacked, right? It is coming for all of us, and it puts me into a
[00:53:06] frame of mind of before, during and after. The essential playbook that we have to operate on is, number one, pre-communicate to your clients, to potential clients, to the media at large that, hey, A, we are doing
[00:53:21] everything we possibly can, and B, there will be problems, right? We can't set the expectation of perfection, because any little mistake looks like a massive breach of trust. We have to let people know that we're doing everything we can there. Many layers and complexities to our operations, the
[00:53:42] client's operations, individual user behavior, clicking on stuff, malicious internal hacks, right? There is a dangerous world out there and breaches will happen. It's not a question of whether or
[00:53:56] not they will, it is a question of, A, did we anticipate that, and B, do we know how to recover from those things, right? That's the before phase. The during phase is the exact reason why the whole category
[00:54:10] of technology around them exists: active incident detection, response, recovery and management. That is something that we have to be very trusted and tried professionals around. The "build a wall around your data and your customers' data and systems and nobody will ever penetrate,"
[00:54:36] we're all way too mature and grown up to believe that that's true anymore. So it brings us, we don't stop doing the protective, preventive work, but we absolutely have to drill and practice active incident management to ensure that when these things happen we can recover as rapidly as
[00:54:56] possible get back up and running and make sure that there is a recovery plan in place to get the customer back to full operation as quickly as possible to borrow the thoughts from the first half of our
[00:55:11] show, people, process and technology. Software is a very effective tool for active incident management, but software alone is not going to solve any of these issues. We have to be ready to communicate effectively internally, to follow predetermined and practiced procedures, to get the humans to
[00:55:33] amp up their level of effort and energy, and then let's actually use the tools to recover whenever possible. The after category: before, we let people know stuff is going to break; during,
[00:55:47] we need to be practiced, and that old Rudyard Kipling poem, if you can keep your mind when all about you seem to be losing theirs, that's not an accident or a byproduct, that's the result of
[00:56:04] practice under pressure. So that has to be the during phase. The after phase is twofold. Number one is the actual recovery and validation that the data and systems are back up, that they are healthy
[00:56:21] and that they are hardened to prevent a similar attack from happening again. There's a technical process of recovery and validation after any of these incidents occur, but it's that final piece of the puzzle where we're really focused today, which is the question of how you're going to
[00:56:40] communicate with this client, with other clients, with potential clients out there in the market place because the fact that you had this breach that you've recovered from it, that is technical, it's
[00:56:54] operational. Reputation has nothing to do with how smart you are, with how good you are at your job, your reputation is not the truth, your reputation is merely what people believe about you and would
[00:57:10] say about you when you are not in the room. The reputation recovery is the longest process and it requires a predefined script of internal client and external communication to ensure that we can get people back on side and realize, hey we told you this might happen. We recovered,
[00:57:32] we did the technical work as aggressively and as effectively as possible. Now let's talk about the future and what's next going forward before during an after is the only way that any of us can
[00:57:46] live through these kinds of breaches and come out with any semblance of a trusted reputation after the fact. What can help add to the messaging though to show that you mean business about making sure
[00:58:00] that whatever mistakes were made during the process of this attack aren't going to happen again. Do you, for example, do you issue a mea culpa, do you try to give the incident some context to
[00:58:17] explain some of the extenuating circumstances that perhaps at least explain or justify some of the controversial decisions that were made? We've even seen some organizations that have suffered a major breach ultimately, if not clean house, bring in some new leadership, perhaps somebody who has
[00:58:39] experienced a breach before and done clean-up after a breach, to show, hey, we're bringing in some fresh blood, some people who have been there, done that before, so that nothing like this particularly
[00:58:54] happens again. Are gestures like that meaningful to an MSSP client audience? I'm curious as to some of the messaging and actions post-incident, especially after one that's damaging, that an MSSP can take that perhaps does sort of present some kind of a message to the audience of
[00:59:23] "we're going to do things differently here," and what's an empty gesture? It's funny, you've probably personally read a hundred or more bad examples of the wrong way to communicate, right?
[00:59:38] When you do the research, when you talk to the people in the industry, there are a lot of statements that come out that, they tried to over-explain, they tried to point fingers, they tried to
[00:59:49] "but it wasn't my fault, man." After this kind of thing has happened, the bargain we strike in the minds of our customers is we accept that this might happen and we are willing to pay the consequences
[01:00:05] if and when it does. To point fingers, to place blame, to go "it was the client, it was their employees," that is absolutely not going to solve the problem, because all that says to other clients is, oh, so
[01:00:18] if something goes wrong with my with my systems then you're going to blame me in the process as well. I don't want to deal with that potential blowback in my reputation so maybe I'm going to
[01:00:30] look for a more professional outfit, right? The key here is to communicate as though the breach is part of business as usual, right? In the before category we said, guys, this is hard. We're doing
[01:00:47] absolutely everything we can, but things will still happen. When they happen, we need to be able to communicate saying we knew that these kinds of things were out there, our research indicated that
[01:01:00] this type of attack was present in the environment and it was something that we would potentially deal with. These are the preventive measures that we took, and they weren't enough, so here is
[01:01:11] how we recovered and how we will continue to operate in a more resilient, a more protected way, because we had the bad experience. We've learned from it, we've now improved. If the tone sounds like we're
[01:01:28] passing blame, "well, hey, it wasn't me," it doesn't matter whether that's true or not, you've just alienated everybody who may potentially go through that same experience with you in the future. If it sounds blasé, like "hey, no big deal, man, stuff happens," that's over-correcting, and
[01:01:47] you will lose a lot of credibility for being obtuse or tone-deaf in the relationship. There's that happy medium in there that says we know this is hard work, it is serious, we saw that
[01:02:00] this was out there right? We do our homework we're aware of the things that are going on we knew it was a potential thing but it's still got around all of the defenses that's why we
[01:02:12] worked so hard for active incident response and we have a trusted protocol to bring the client back up and into full operations as rapidly and with as least disruption to their business as possible.
[01:02:26] Here's the steps we've taken, here's what we've learned and how we'll be better in the future, please let us know if you have any questions, right? That tone is something, it's not defensive, it's not dismissive, but it's not reactionary either. You made the comment about places where
[01:02:45] serious things have happened and they've made changes in senior leadership. I doubt that there are very many things that could happen in the business of cybersecurity that would warrant such an aggressive or drastic action in response. If you knew that it was possible and you have the
[01:03:09] active incident capabilities and you have a natural people, process and technology proven method for recovering, verifying and hardening the systems in the future, then firing senior managers or leaders in the environment, all that says is either, oh, you guys aren't actually in control over
[01:03:31] there and you're freaking out and you're totally abandoning your business operation and your leadership structure because of one incident. That's panic-inducing, that might make all of your clients run away, right? But it also indicates that perhaps the source of the breach
[01:03:50] was internal, was that individual, either through some deliberate act or gross negligence. Now, if that's true, that's the one exception to my advice that I could actually see. If we had a bona fide breach of protocol, professionalism and trust internally, and it was
[01:04:15] either we just were literally asleep at the wheel and we didn't see things coming, or it is malfeasance on the part of individuals in the organization, cut them out fast, be aggressive,
[01:04:29] swallow it, don't try to protect, don't try to slip that stuff under in the late Friday night release in the news cycle. Be upfront, make sure everybody knows, and this is what our recovery plan is going forward. Other than those tiny little examples, the percentages of actual
[01:04:50] malfeasance in leadership of service provider organizations are astoundingly low. It's fairly safe to assume that's not why you're actually going to have this problem. As a result, even the gesture of "well, we're going to fall on our sword and we're going to take the hit for
[01:05:14] this thing," all that does is trash reputation. All that does is make you look reactionary, out of control and potentially culpable for the problem. I would never recommend going that far. It's a question of, do we have the systems? Do we actually have the methodology that we're testing?
[01:05:34] Did we practice? Did we have a fire drill? And we tested it all and it actually worked. Are we regularly checking our client systems to validate that everything is in working order?
[01:05:47] Then when bad things happen, the answer is, guys, that's why you work with us. We're professionals. We know how to manage the incident. We know how to recover from the incident to validate and strengthen
[01:05:59] the systems. This is the time you need us more than ever. Let's be in business together. I think that kind of a tone and that kind of a proactive plan, that might actually attract customers.
[01:06:13] Right? That might cement existing relationships, like, wow, I'm glad it didn't happen to me, but if it did, I'm glad that person is in charge, because they actually sound like they know what they're
[01:06:24] talking about. That's very healthy, I think, in our environment. So it's something that we need to be very proactive about: the communication. Internally first, then the affected customer, other customers, then potential customers, right? Stakeholders, if you will. That's the sequence of communication.
[01:06:48] My most strenuous piece of advice during the active incident management phase: be quiet. Like, there are going to be regulatory requirements. There are legal requirements in certain instances where you must notify the government, you must notify a regulatory body or an industry institution.
[01:07:09] There are places where that's necessary. Do what's required. But do not try to actively massage the situation during this situation. The worst thing you can do is give faulty information, like "we think it's this," that turns out not to be that, and you have to
[01:07:27] retract, and then that's just chaos happening. During active incident management, comply with the law and shut up. Right? Like, don't be telling people anything more than is legally required. That's what the after phase is for. And that's why you've practiced the incident methodology,
[01:07:47] so that when you need to send these messages out, you're not panicking. You already know exactly who to communicate with, in each sequence, with which tone, and we do that. That's where the fire is.
[01:07:59] We don't talk while the fire is still burning. Sure. Ryan, with the last couple of minutes that we have here, before we move on to our next segment, let me just bring up the one other scenario
[01:08:08] that I was hinting at a little bit, which is the idea of you having a customer that for whatever reason has become disenchanted with you. Doesn't like a particular engagement. Isn't happy with the
[01:08:20] way something went. And now they're starting to perhaps trash you a little bit. Whether they're an ex-client or they're still a client, but they're talking to some of their peer group, members of
[01:08:29] their peer groups, and saying, don't use these guys, don't use the MSSP service, because XYZ, kind of giving an anti-testimonial in a way. What do you do in that situation to perhaps help avoid the
[01:08:45] spread of these negative reviews? How do you deal with that particular client? How do you perhaps nullify some of the negative effect that these bad reviews might be having on your reputation? In most cases, legally speaking, the best practice is take your lumps. Right? Because
[01:09:06] there are certain schools of thought where people are like, well, I've got a contract with you and it has a non-disparagement clause and you're not allowed to say mean things about me.
[01:09:16] You know that might be included in the verbiage of your contract but trying to enforce it makes you look petty and small and what you have to be able to admit is not everybody's going to be happy
[01:09:28] with us right? In the true sense of, you know, be careful what you wish for because you might actually get it. What we have wished for as service providers is the opportunity to be trusted with
[01:09:41] something that is so serious and critically important in the business operation that the client can't be trusted to do with themselves. They outsourced to us because they are not as professional and
[01:09:52] as capable as we are. When you take on that level of risk and trust, there will be black eyes. You will take a hit. The major extent that you can usually go to is to find out,
[01:10:07] you know, if somebody is doing that, who is it? Meet with them directly as soon as possible, ask for a clearing of the air. Say, hey, what is it that you are dissatisfied with? Is there
[01:10:19] something that we can do to rectify and get you back to whole? If not, then I will initiate our disengagement protocol and we will allow you out of the contract without further penalties.
[01:10:33] Right, you're not going to be in breach. We will mutually agree that you will be moving on as soon as possible. We have a plan in place for disengagement. Obviously, that's one of the communication protocols that we have to anticipate. In the aftermath, when we're communicating with existing
[01:10:54] clients and with potential clients, people will say mean things about us in that environment. We need to be able to say it's a very difficult environment. We knew that this was a potential
[01:11:08] risk. We did everything there that could possibly be done. Here's how we manage the active incident. Here's how we've recovered and verified that things are better. Here is how we will operate
[01:11:20] going forward. We are happy to have this conversation. I think that tone can prevent a lot of lasting impact because, you know what? What's the oldest statistical reality? That a satisfied customer will likely tell one person, a dissatisfied customer will tell somewhere between six and 10?
[01:11:43] That's life. We deal with things where emotions run high because risk is meaningful and if it has very significant and expensive impacts on customers, we shouldn't be surprised that people say mean things about us. If you can't handle that kind of bad-mouthing in the marketplace,
[01:12:05] you don't know how to be resilient and professional and communicate through that. Hey, if you can't stand the heat, stay out of the kitchen. That's my last cliche in today's conversation. All right. Everybody, that's our thought process. What do you think about it? We obviously have
[01:12:26] a million ideas that we can't fit into the time of today's program. We'd love to hear what your thoughts are. So please reach out to us. cyberforhire at cyberriskalliance.com. That's our email address.
[01:12:37] You can reach us through our show page as well. What are your experiences managing reputations after negative security situations? Do you have best practices? Do you have horror stories to tell? We would love to get your advice. We'd also like to be able to
[01:12:53] commiserate with you when and if that is necessary. So please reach out and let's keep this conversation going. Now, we're going to move into our next segment and this is what we call Dear Cyber For Hire.
[01:13:08] This is our advice column segment where we get to play marriage counselor between MSSPs and their clients to help mend fences and make sure people love each other whenever anything might go awry. So the letter that we're going to share today has been dramatized for the purpose of protecting
[01:13:24] the innocent but make no mistake. This situation is as real as possible and we hope to be able to provide you with some advice on how to manage through this part of the relationship between
[01:13:37] you and your clients. Bradley, what is today's drama? All right Ryan, yes well we are back with more juicy MSSP Melodrama and this one comes from the provider side of the relationship so fellas,
[01:13:51] cue the music. Dear Cyber For Hire, awaken me from this terrible nightmare. My once honorable partner has turned to a life of delinquency. No, they're not out there committing crimes, although I certainly feel robbed, because you see, my client is extremely delinquent with their payments.
[01:14:17] Multiple months behind, in fact, and I'm starting to feel like the proverbial doormat. If they don't settle up soon, I may have to lay down the law, but I'm afraid of looking like
[01:14:29] the bad guy when I really do need their business. How do I get my partner to pay up? Penuriously yours, Desperately Demanding Delayed, Deferred and Delinquent Dinero Disbursements in Dallas. Ryan, is there a tactful yet effective way of getting a delinquent company to settle?
[01:14:51] at what point do you even maybe put a hold on your services or enact some kind of consequences for not getting paid? Think about it this way, Bradley. Can you imagine the consequences
[01:15:03] if you just woke up one day and flipped a switch and turned off your managed security services for a particular client? Not only would that not be graceful, not only would that not be you know unflappable professional in the environment that we hope to come across as
[01:15:23] that could probably get you some legal consequences because as we've been saying today you do something mission critical and if you just turned it off one day and stop providing that service, you are going to cause vulnerabilities, exposures and potential business problems
[01:15:43] that the client cannot recover from. Even if they are in arrears in their payment with you, just turning them off one day without opportunity to cure, without notice, without forewarning and preparation, that is going to be the fastest path to a courtroom for your service business,
[01:16:06] unfortunately. This is another case of before, during and after. You begin with the after part of it. When this happens, you know that you need to communicate with the client that, hey, we are beyond
[01:16:19] the point of what is acceptable. We need to look for a planned disengagement, let's use the Gwyneth Paltrow, the conscious uncoupling with our customers. We know that that's going to happen, so how can we do that as smoothly and systematically as possible without exposing ourselves to risk
[01:16:41] or our client to undue exposure and risk in the marketplace. That's something we need to script. We need to know step one, step two, step three, how do we wrap up their database and all of their
[01:16:54] user information and pass that along to an internal person of responsibility if they're moving away from us and to a new service provider, how will we do the transfer of information and the cut over so
[01:17:07] that the service does not have unnecessary interruptions. That's a little bit of communication process, but that's an awful lot of i's and t's to be dotted and crossed in the technical part of that decommissioning process. That's not something we should figure out
[01:17:26] as we go. We should script that very, very carefully. That's the after phase, right? Unfortunately, there are times when customers just don't pay. You gotta go and you need to know
[01:17:36] how that is happening. Which begs the question, in the during phase, when they go from up to date to not up to date, how do you manage through that process? My answer is there is such a thing in
[01:17:50] this world as bad revenue. There are bad customers, there are bad clients, there are bad contracts. I know it feels like we're going to pay a price by losing that customer. They pay us sometimes.
[01:18:05] We need their money most of the time. We feel like that's going to cause a problem. I can tell you from bad experiences that keeping that non-paying client around for too long causes more
[01:18:19] problem, more disruption to other parts of your operation than it is ever worth in cash. Let's make sure that we have very clearly communicated standards and that we stick to those standards
[01:18:33] without variation. If it is net 30 and you get advised we're about to turn your service off net 60, and we are initiating our protocol net 90, the protocol is done. You guys are gone and somebody else is responsible for your services. Pick your own dates. Some people are going to
[01:18:54] be net 10, net 20, net 30 because they don't have any tolerance for late payment. Others are going to be a little bit more forgiving. I'm not here to tell you what your personality is, but I am here
[01:19:06] to say when you set those numbers, you communicate them clearly to your clients and you absolutely positively never vary from those expectations or you will become the doormat. Which gets us back to the before category of how do you make sure that customers know what your threshold is?
[01:19:27] Understand their responsibility and are not likely to fall into the delinquency to begin with. Let's just put it this way. A lot of people in this industry make the mistaken assumption that because I have a contract that I will never have to chase a receivable. I mean,
[01:19:46] it's not like a purchase, right? It is they signed a contract. They pay me on the first of the month, every single month. Contract means it's always going to happen, right? If that were true,
[01:19:58] there would not be lawyers in this world. And we all know that there are that means that you will unfortunately probably experience this at some point. What we need to do is to communicate ahead of
[01:20:11] time with our customers. This is the service we will provide. These are the financial terms and conditions. These are the consequences that happen if and when there is something that goes awry in that process. I don't like accounts receivable and collecting on delinquent accounts.
[01:20:32] You don't like it. I have yet to meet a technical professional who doesn't break out in hives when they think about that kind of a process. That's one of the really good reasons that I have a CFO,
[01:20:46] to have an accounting professional, to outsource to an accounting professional service provider. Have somebody else be the bad guy. You get to be the visionary. You get to be the operational guru, the one who's here to maintain good and happy client relationships. It's really good
[01:21:05] to have a bulldog on your team so that when things go wrong, they follow up with a very friendly and professional tone immediately on the first day of delinquency and then again the following week, the following etc. Don't put that into your operational dynamics. Make that a dedicated
[01:21:25] professional function. That somebody else on your team gets to be the mean guy about. Outsourcing is good. That's why we have jobs as service providers. There are other service providers who can
[01:21:39] do that in our lieu. Piece of business for us as well. Or, hear me out here Ryan, sending some big, burly, brass-knuckled enforcement goon to your client's headquarters and being like, it's a nice database you have here. Be a shame if something happened to it.
[01:21:59] Absolutely true. We did observe lawyers exist. So do cousins Tony. There are many cousins named Tony in this world and stuff happens. I don't want to have that attached to my reputation
[01:22:14] but I do know that there are people who do have that attached to their reputation. I don't want to go off all of those people so you know it's always good to let people know when you sign contracts
[01:22:26] with them. It's funny, right? Like that's the moment of truth where people really start to learn whether or not you mean business and whether they take you seriously in the terms and conditions of a
[01:22:38] contract. Bring your lawyer, right? Like that's not just a sales person activity or you as the leader of the organization when we sign contracts we bring cousin Tony with us to the meeting
[01:22:51] and he's smart and he's happy. He's leaving all the brass knuckles in his pocket at that point but everybody knows who he is and why he's at the table so that they are not likely to run
[01:23:03] afoul and get another visit when Tony's not quite so happy. Sure. All right, well there you go. Another relationship saved. Hopefully our listeners have learned from this and don't make the same mistake. Remember, if you've been struggling with your managed security services relationship,
[01:23:20] whether you're the user or the provider, we want to hear from you, so please write to us at cyberforhire at cyberriskalliance.com and we might use your letter in a future episode. In the meantime, as any security practitioner can tell you, there's no shortage of headlines
[01:23:35] filling up the cyber news feeds every single day, so we wanted to highlight a few items that we curated just for you in this lightning round that we call the security detail. And headline number one goes to you, Ryan. Google has launched a new cybersecurity certificate
[01:23:52] program. Tell us a little bit more about that, would you? Yeah, absolutely. So in a world where there are 755,000 odd open positions in cybersecurity just in the United States, it's good to see somebody do something tactical. Now Google, a number of years ago, actually started in 2018, they launched
[01:24:14] a program with a limited number of certificates that were based on best practicing industry for very specific job functions they looked at data analytics they looked at project management at UI UX design these are things that they looked around and said hey there's not enough of
[01:24:32] these professionals so let's do a training program now what's interesting about their program is not just the curriculum which is good because I mean think about it right like Google does UI UX design and data analytics and project management if there's anybody in the wide world who
[01:24:49] know about those topics it's probably the people who already work at Google right that that's a very good assumption to me so they took good curriculum they put it out there in a digital format
[01:25:01] they made it infinitely available to anybody in a digital on-demand environment, and what's more, they made it surprisingly, startlingly affordable, where you could actually get through this program, obtain a certificate and be able to improve your job prospects. But they went a step further
[01:25:20] here, and this is where I think it's very, very interesting and important. What Google said was, if you are a person out there in the world and you complete the certificate and you receive that endorsement
[01:25:31] from Google, we will treat that credential as equivalent to higher education requirements for an open job position that they're trying to fill. Right? If it says must have four-year degree and you go to
[01:25:45] Google and say, I don't, but I also have a Google certificate instead of a four-year degree, Google says, well, if we don't stand behind our own training, why would anybody else? We'll hire you on that basis.
[01:25:59] That's a bold step. They have now added cybersecurity to that program in just the last couple of years. In their original certificates that Google has put out there, they've put through more than 150,000 individuals through this program and their goal is to amp that up aggressively. Google's not going
[01:26:22] to solve all the problems in the world. Everybody still means all hands on deck to fill these job positions, but this is good. This is a step in the right direction. Kudos to the Google folks for
[01:26:34] the certificate program, and everybody else should be inspired. Let's see what else we can do to also fill those 750,000 open positions. All right, headline number two, Bradley: survey recognizes human talent
[01:26:50] as a viable aspect of incident response we like to think we're important in the process what is the research saying Bradley well the the research actually agrees with that notion in a survey of security and IT professionals recently conducted by the cyber risk alliance 73% of the
[01:27:11] respondents who participated said that their place of employment has an incident response playbook now a little bit of a smaller number only 63% so that they had a specific team in place dedicated
[01:27:25] to incident response, such as a SOC or a CSIRT, and yet the organizations that do have a team in place gave themselves the highest incident response readiness scores amongst all of the participants in
[01:27:37] the survey. So in keeping with that people, process and technology theme from part one of our show, we can see how having the right people in place can also ensure that some of the processes that you've
[01:27:48] also instituted and established help those processes work more efficiently and more properly. The problem is, of course, the talent is scarce. As we've talked about many times, 49% of respondents identified a lack of qualified IT or security staff as their biggest IR challenge.
[01:28:09] Among the most coveted skills that they seek from IR staffers, problem solving was number one, followed by team skills. For more on this research, I would encourage you to register for SC Media's May 2023 incident response e-summit virtual conference, which is currently available for viewing
[01:28:29] on demand on the SC Media website. All right, headline number three: courts and 9-1-1 services disrupted following a ransomware attack on Dallas. Tell us more, Ryan. You know, earlier today we made the comment that bad things happen even to very large and
[01:28:51] vital operations out there in the world. Earlier it was a health care example; this one is the actual city of Dallas, Texas. Imagine a world where police can't communicate, courts can't function, 9-1-1 cannot receive calls, and their other critical systems that are associated with their daily operations
[01:29:14] and those things were compromised by ransomware causing widespread service outages you know if if I find myself in a position needing 9-1-1 and I call and you can't help me out in that situation
[01:29:31] I'm sorry our servers are down because we had a ransomware attack is not a response that I'm going to be happy to receive this is a call to all service professionals that deal anywhere in the
[01:29:46] public sector you and I talked at length before Bradley about critical infrastructure and these operating environments we looked at that from a federal systems point of view from a gas and electric point of
[01:29:59] view from all of the things that keep the lights on and keep us safe in this world my advice is state local city right state county city and right down to city councils right down to town councils
[01:30:16] any neighborhood HOAs these are operating bodies that exist for a reason and they need the service provider who will come in and say let's do an audit here on your system A let's figure out if you've got
[01:30:28] any vulnerabilities B let's do a little cybersecurity preparedness training for your people so they don't click on things like this and let's put in place a resilience and recovery plan to ensure
[01:30:42] if bad things happen you can get back up and running as quickly as possible one would like to have assumed that the city of Dallas Texas of all the cities in the in the great 50 states would
[01:30:55] have been large enough to have have a plan like that turns out not so much so if Dallas didn't I'm thinking there are many other cities little towns local to you as a service provider that need a phone
[01:31:11] call as soon as possible so that we can prevent this and other similar situations for happening again okay finally headline number four Bradley state of cybersecurity CRA research findings what what else can we learn from a cyber risk alliance research that is just being published
[01:31:32] Yes, yeah, thanks Ryan. Yeah, it's this 2020, excuse me, 2023 global state of cybersecurity study, this particular one with the focus on the U.S. This research was published in conjunction with Infoblox and contains some of the survey responses from approximately 1300 security
[01:31:54] pros, all really looking at some trends following the pandemic, how the work from home culture and security processes around that continue to proliferate. So since the start of the pandemic, approximately half of all organizations have responded to the needs
[01:32:21] of the remote workforce and customers by fast tracking digital transformations, that's about 52 percent. 45% added resources to networks and databases and 44% increased support for customer portals. This all according to an SC Media article from Steve Zurier that did a nice job of summarizing
[01:32:45] this particular research. Also, about a third responded and said that their organization has hired more IT staff, also moved more apps to third party cloud providers and placed network and security controls
[01:33:00] on the edge so these are all just continuing trends that we see that basically the work from anywhere is not going anywhere we discuss this a little bit actually in our on our previous episode
[01:33:13] a couple of more little interesting points in the past year 51% reported that their organization added VPNs or firewalls and cloud managed DDI servers to their networks and bring your own device trend also continuing about 48% of respondents reporting a remote employee own devices
[01:33:35] being added to their networks among the the greatest security concerns related to the prominence of the remote workforce that includes at the top of the list data leakage ransomware cloud attacks and attacks through remote worker connections those are among the most
[01:33:55] lingering concerns all right well that's that but we have one more news item to go and it is drum roll please our relevant news item of the week this is a real news pitch that Ryan or I have
[01:34:10] received in our inboxes for reasons that are entirely inexplicable to us. Are you ready, Ryan? I am ready. All right, well, with summer approaching, interest in pickleball continues to surge. In fact, the number of people playing pickleball grew by 159% over three years to 8.9 million in
[01:34:31] 2022. Any interest in covering pickleball surge data compiled by keyword research firms? Send brochure connecting with pickleball equipment company Just Paddles. Well, no, don't have any interest in that because we're a cybersecurity company, thank you. But I do recognize that pickleball has become
[01:34:50] this really huge, crazy phenomenon. It's like the Goldilocks racket game. It is a smaller court than tennis, it is bigger than ping pong. Have you been sucked up in this pickleball,
[01:35:03] Ryan? You know, I play. I am not obsessed, and it's something I will absolutely endorse. Exactly where you were going, anybody even without skills to play tennis can absolutely pick up this game
[01:35:19] and have a very good time. What I'm fascinated by is not just how many people are getting involved and how frequently they're playing. I actually have a friend who started up a new business in refinishing basketball and tennis courts to make them into pickleball courts and he's booked out
[01:35:40] literally six months in advance on these services, so you can absolutely vouch for the fact this is growing. What I think is the most interesting part of this is the number of HOA
[01:35:53] organizations that are now outlawing pickleball from courts that are too close to residence units, because Bradley, if you've played pickleball, not only is it super fun but you will also acknowledge not quiet, right? Yeah, it's a hard paddle and a hard ball on a hard court and people
[01:36:14] whoop and holler and they enjoy themselves apparently one of the good things about tennis not not only do you actually need to be good at playing it but it comes with the presumption of decorum
[01:36:26] associated with playing that game I'm not aware of any presumption of decorum when it comes to pickleball yes well I see that could be confusing though if a member of the homeowner association says I'll see
[01:36:39] you in court well now are they saying I want to play or are they saying you know I'm going to I'm going to take you to court and and and and challenge this pickleball court being placed a little bit too
[01:36:52] closely to my living room I have not personally played pickleball myself I would be curious to try I would say maybe the most fad like sport that I've tried recently and I think the fad kind of
[01:37:07] has passed a little bit was I tried curling not too long ago and that was really big a couple of Olympics ago when the US won and you know and everybody was like oh these guys are just like
[01:37:20] guys like I don't really need to be an athlete to to curl and I know I think that's a little bit of the appeal to pickleball too is I mean you can be in shape but also this really appeals to people
[01:37:33] of all ages and physique so considering I'm not particularly in the best physique maybe a pickleball would be a good thing for me to pick up but yeah I think it's a great it it's a great
[01:37:45] pastime for you to pursue there, Bradley, because it is very fun, right? But in exactly the same spirit as curling, it's a sport that you get better at the more you drink. So I will say, if
[01:37:59] the phenomenon of curling has abated a little bit in the United States, for the sake of our friends north of the border in Canada, oh, not only is it not abating up there, it's more popular
[01:38:13] than ever and it's a you know when you're outside on ice in the winter and you're playing a game that involves an awful lot of standing around you know it's almost like official
[01:38:29] issued equipment right like you can't play that game without a drink in your hand it would be it would be unwise to do that without a beverage so I am I am on team curling for sure all right fair
[01:38:43] enough although I do say that a little too much drinking you might be a little tipsy and then I'm not sure you really want to be in a giant slippery patch of ice when you've already don't have
[01:38:53] maybe your best sense of balance, but what do I know. All right, speaking of pickleball, we're in a little bit of a pickle right now because we are definitely out of time, so we're gonna have to wrap things up,
[01:39:03] but don't worry because we'll be back again soon enough for episode number 21. In the meanwhile, feel free to check out even more cybersecurity podcast content on the SC Media, MSSP Alert and
[01:39:15] ChannelE2E websites. Until next time, I'm Bradley Barth and I am Ryan Morris. Please reach out to us via our show page and our email address at cyberforhire at cyberriskalliance.com with any of
[01:39:29] your comments, questions and insights about the business of cybersecurity and then we'll be happy to keep this conversation going on the next episode of Cyber For Hire, your inside source for cyber outsource.