Tuesday, January 31, 2023
LetsAskBinu.com
Q&A: Rick Holland | Decipher

by Researcher
January 20, 2023
in Cybersecurity
Lindsey O’Donnell-Welch: What is important for building out a security culture in a business?

Rick Holland: It is all about people. There’s this tendency to buy the newest technology, or the flashiest whatever at RSA or at Black Hat in Vegas. But, you know, if you want to have a good culture, you’ve got to first start with your security teams, and they need to have a good culture, so investing in them, retaining them, having internal training, external training, career pathing, all those things are important. Because I think if you don’t have a good culture within your security function, you’re gonna fail at having a good culture more broadly, across the entire company, because it’ll be kind of obvious, if your security team is not bought in, that no one else is going to get bought in. So I think that’s a really, really key component.

I probably learned things the wrong way when I was a lone security person. I was kind of proud to be the “Department of No” guy. And my CIO, who was my boss at the time, gave me some really good feedback in talking about enabling people, and helping them do their job, that they’re just trying to do their job, they’re not a security expert like you. And I think that’s really, really key still, to this day. How are you going to have a positive culture, a security-minded culture, if you’re super negative about your customers, your partners, your colleagues? And having technology that is transparent, understanding that managing passwords is a pain in the butt for people, having empathy for these people that we’re trying to protect, I think is really, really key to having a strong security culture as well.

Lindsey O’Donnell-Welch: When you’re looking at building out an effective cybersecurity program, are there a couple of critical steps that you would say are most important?

Rick Holland: Yeah, I think the first one is alignment of the program to the business itself. We don’t do security for security, we do security for our business, or our nonprofit, or whatever the kind of organization is that we’re trying to protect, and understanding what the goals and objectives are for that company or organization is really, really key, and then translating that into this security program. I’ll give you a specific example there; one of the things that I’ve been talking about for years, it’s more applicable to public companies, but it still applies to private: public companies have their SEC filings, and one of the SEC filings is a Form 10-K. And that Form 10-K has a risk factors section, and it usually has between like eight and 20, 10 to 15, something along those lines, risks that the company has to the overall business. And there’ll be things like supply chain, whether some places maybe get hit by wildfires, or hurricanes or whatever, but being able to have a business discussion, and being able to understand what the risks are to the business and how you can try to mitigate those risks from a cybersecurity or physical security perspective as well. And if you look at retail – with Black Friday – if you look at a 10-K from a public retailer, they’ll probably have things in there about their employees, their rewards program, and how that is key for loyalty and maintaining stickiness with customers. So if you’re coming into a new program, looking at a Form 10-K, or just the annual report; knowing what the business is focused on, where the business is going to grow, and then mapping it out to people, process and technology, and how you can give visibility into risk, how you can then mitigate risk, it’s almost a blueprint for the program, it’s the top-down blueprint for the program. But it also lets you critically talk in terms of what the business cares about, right.

I’ve seen a lot of prediction stuff, and suggestions for 2023 planning right now. But most of it is focused on hey, you need to invest in API security, or you need to invest in cloud security. Really, what we need to be doing is investing our time in understanding the business goals for 2023. And then figure out what people, process and technology is needed to give visibility into risks, and then mitigate them. Is the business expanding into a new region of the world? What are the threats there? How do you protect employees when they’re there? Is the business rolling out a new piece of software that’s going to generate 20 percent of the net new revenue for the year? How do you secure that? So I think the Form 10-Ks, if I were with a public company, I’d be listening to the CEO’s quarterly call every quarter. And now if you’re not a public company, you still have a risk committee of some sort. So being engaged with the risk committee, understanding the risk, that’s another place you can go if you just don’t have access to the public filings there. So that’s where I like to start: hey, let’s just make sure I’m aligned on what the business objectives are, and how I can do that.

The other part, to me, again, goes back to the people, which I think is the most important part of the people, process and technology. How are you going to recruit people? Don’t always try to recruit unicorns, it’s a highly competitive market; don’t have these ridiculous job descriptions that act like they’re for inexperienced people but really, you need 10 years of experience to get the role. Have a mix of experienced people and very junior people that you can train up, and then do creative things: remote working, flexible working, I’m going to give you a SANS class every year, or whatever the case may be, have an actual curriculum to try to maintain these folks. And I think it’s the most painful thing in a program when you have someone you’ve invested time in, and they leave prematurely; we know everyone’s going to leave at some point. But if you invest and you lose somebody at a year to a year and a half, well, perhaps you could have gotten another year out of them. And you know, that can be quite material, right? If you have to ramp up, learn the organization all over again, learn the tools, and all that sort of stuff. So I really think it’s: what’s the overall corporate strategy? How do you map to it and be able to talk in terms of business concerns? And then how are you going to staff the people needed to act on all the promises that you’re going to make to the business about helping secure and minimize risk?

© 2022 Lets Ask Binu All Rights Reserved