What do we need to do to fix our processes to truly reduce risk and vulnerabilities?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Amad Fida (@brinqa), CEO, Brinqa.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, Brinqa
Full transcript
[David Spark] What do we need to do to fix our processes to truly reduce risk and vulnerabilities?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, you know him, I hope you love him. My cohost for this episode, it’s Steve Zalewski. Steve, say hello to the audience.
[Steve Zalewski] Hello, favorite audience.
[David Spark] Aw, that was the correct answer. Our sponsor for today’s episode, Steve, is Brinqa. Thank you so much, Brinqa. Brinqa orchestrates the entire cyber risk lifecycle across all security programs including understanding the attack surface, prioritizing vulnerabilities, automating remediation, and continuously monitoring cyber hygiene. Kind of like what you all need.
Well, guess what, we’re going to be talking a lot more about Brinqa later in the show. But first, Steve, let’s talk about the question that you posed on LinkedIn. It’s echoed in the opening tease, and you said, “What needs to change to truly reduce risk and vulnerabilities?” It’s not something security does. They need to work with all departments by improving process, communication, and motivation.
We kind of isolated it to those big three. So, you asked for experiential advice, and a lot of the conversation was around the general misunderstanding that security is supposed to fix everything. Some saw vulnerability management as a technical matter for IT and security. But really it’s a business risk reduction issue for which each department has a responsibility, and that’s where we need process, communication, and motivation.
Correct, Steve?
[Steve Zalewski] Yes. And I really use this as a test case because what we were trying to find, at least for me, is for the people that were responding, are they technically focused, risk focused, or business focused. And I think it really gave us a good sense of kind of the split between the three.
[David Spark] Well, we’re going to discuss this very issue today with our sponsored guest. Very excited that he is joining us today. It is the CEO of Brinqa. I believe he started in the mailroom, but he’s now CEO. It is Amad Fida. Amad, did you start in the mailroom?
[Amad Fida] Absolutely, David. Just like everybody else, I did.
[David Spark] You see, there’s hope for everybody.
What do most people think it is, and what’s the reality?
2:29.123
[David Spark] John Scrimsher, CISO over at Kontoor Brands, said, “Security needs to be treated as a function of the enterprise risk program instead of as a service within IT. As a risk reporting to the enterprise risk program, it will get a similar view to financial risk, geopolitical risks, and all other risks the business cares about. If the business views it as just another IT service, the conversation gets muted by operational challenges rather than the actual risks.” And Chris Holden, CISO over at Crum & Forster, said, “The quicker you can get away from addressing vulnerabilities and begin demonstrating the risk those vulnerabilities contribute to your system or application, a more streamlined and meaningful action plan and conversation can occur. For this to be successful you will need at minimum a business impact analysis for each system as well as incorporating threat intelligence into your vulnerability management program.”
So, two really good quotes, very much on the, “Get away from the technical as fast as you can and get this on risk.” Right, Steve?
[Steve Zalewski] Right. But here’s where I thought this was interesting was at least we were moving to a risk conversation, but the thrust we were going for is don’t make risk the stick. How are we trying to enable the business processes that the risk is trying to improve to remove this type of risk compared to the others? And so I thought both quotes were very good in that we’re moving in the right direction.
Business impact analysis absolutely to know the business. Treat it like the other business risks like finance. But we still have to take that last step in my mind, which is why do people care, not why does the business care.
[David Spark] Very good point. So, actually what you’re referring to gets to the issue of motivation. Amad, is motivation really only a stick here? Because Steve said this sounds like a stick.
[Amad Fida] So, the motivation really is for business to understand and reduce the risk that they’re taking or that exists on behalf of the business. Now, cyber’s goal, obviously doing a lot of hard work to discover the vulnerabilities, the security findings, how do we make them actionable. So, the risk conversation really puts that into a framework where once you understand the business context, the motivation is not so much about because security or vulnerability team is saying so or nagging.
It’s more of a self-service. You’re taking the decision on behalf of the business priorities and how that enables you to accomplish those goals. So, it’s a very different conversation moving from technical to business risk.
[David Spark] So, it isn’t a shift necessarily that has to happen. It’s just framing the conversation, if you will. As I’m hearing you correctly, you’re not even bringing up technical at all, right?
[Amad Fida] Absolutely. And part of that is a little bit of democratization of the data. How do we get this data in front of folks, whether they’re IT owners, application owners, business owners, executives. We’re asking these questions – “Are we safer? Are we getting better at addressing some of the key gaps that exist in our cyber security program or systems?” And talking in terms of the vulnerabilities, or Log4j, or SSL issues is not going to get you anywhere.
So, we are talking reframing, as you said, David, the conversation in terms and in context that a business can really evaluate, and address, and understand that by doing so, it’s not only making the business more secure or providing protection, but it actually enables them to grow the business.
Sometimes there’s a really easy solution.
6:22.000
[David Spark] Jonathan Waldrop of Insight Global said, “We can avoid vulnerability from the start if we don’t have to over customize software to match an outdated business process. Not every risk or vulnerability has a CVE number, nor does it have a technical solution.” And Matt Black of Contentstack said, “If you can meet people where they are, you can usually develop a good process or plan to reduce the risk to an acceptable level and ensure the team who has to make a change is bought in on what you’re doing.” And Eric Bloch of Atlassian said, “If you can put yourself in their shoes, you’ll make it a win/win.” So, Amad, I like the idea that sometimes there’s not even a technical solution to this.
We keep saying don’t have the technical conversation, but sometimes the solution will not even have a technical answer to it as well. Right? And if that’s true, can you give us an example?
[Amad Fida] If we think about it from a view of the technical solution or solution even possible, a lot of vulnerabilities that when they’re published, there are generally sort of three scenarios. You have a patch or fix available for you that you can actually deploy and apply. Sometimes the vendor hasn’t released that, and it takes time to research and figure out the fix.
Now, there are scenarios where an organization may be getting off of technology. They have an outdated process or outdated system, and they’re planning maybe in three months, six months to get off that. You need to think about compensating controls and things that you can do for a period of time, almost an exception process, to handle that risk.
And then third is, again, another good example is if you’re moving to Cloud and you traditionally have more IT infrastructure. Moving to Cloud provides you an opportunity to do things differently. Moving to more [Inaudible 00:08:12] devices, containers, [Inaudible 00:08:13] run times where you can readmit things versus having to go and patch. So, these are some of the examples in my mind where it’s not the technology that’s going to fix.
It’s actually the changing the process, understanding what business is doing in terms of achieving some of those goals and meeting them perhaps halfway or [Inaudible 00:08:34] how they function and work and then adjusting accordingly.
[David Spark] Steve, had you had a situation where you just solved an issue purely through process?
[Steve Zalewski] Yes. And it’s the conversation around the easy solution. Now what I say is I’m actually going to limit motivation. Okay? We can talk about the motivation from a security perspective, which is we know that we have certain classes of individual that are not highly technical. And so therefore they don’t necessarily understand security.
So how do we motivate them? We can tell them what to do, and we can inject friction into the process. Or we can do something like motivate them by saying if you’re willing to do what we’re talking about here, there’s a higher likelihood that your bonus is going to pay out more.
[David Spark] There you go! There’s a carrot.
[Steve Zalewski] And so therefore, we change the motivation from one of feeling stupid about security to one of understanding that there’s a motivation to do better because they’re going to get something. Okay? Or the other motivator is, “Well, if you fail your security awareness training three times in a row, you’re fired.” There’s a stick. Okay? That’s a different type of motivation.
[David Spark] Which, by the way, we have talked about an example of just that, sadly.
[Steve Zalewski] Just that. Now I look at process, and I say use an example of let’s just assume it’s Levi’s. And so I had all of the stylists in the stores, all the people that would work with you and check out. And of course you’d love to have multifactor authentication on all the cash registers, but it’s not practical. And so process wise might be you sit with them, and you say, “You know something?
We’re going to put you through some extra security awareness training for you to understand how important it is to log out every time.” Because we realized multifactor authentication just isn’t practical. So, we’re going to do good enough security, but we’re going to modify the process again to enhance the motivation and make the process appropriate.
[David Spark] Amad, let’s just boil it down. Why then do processes fail?
[Amad Fida] David, processes fail because we are taking a very security approach and trying to implement the security processes versus transitioning this into a business risk process conversation. And once we’re able to do that, I think the process problem goes away and essentially becomes very natural in how business works. And it will be a very practical and easy to implement approach to address this problem.
Sponsor – Brinqa
11:06.293
[David Spark] Hey, before we go on any further, I do want to read a message from our sponsor, Brinqa, that I mentioned earlier in the show. In fact we have the CEO right here. And in fact, the thing he just mentioned is very apropos here. So, as we know historically, more was supposed to mean less. So, one cyber tool though after another, after another.
An ever growing arsenal to keep up with the increasing risk exposed by a rapidly expanding attack surface. We’re all getting sold this, right? But more tools in order to bring about less risk. But that’s actually not what we got. Instead, more tools have only led to more complexity, more incompatibility, more silos, more pieces to the puzzle, more time trying to understand security posture to see what’s what.
And more hurdles to taking effective action. What we need now is more precision, more laser targeted action. And this is what we’re talking about in today’s episode, about process and improving things here. So, to manage assets and their vulnerabilities across all security tools, programs, and their attack surface to know who owns what, get to a single source of truth and surgically eliminate critical risk.
This is exactly what Brinqa provides to those charged with navigating the relentless chaos of securing their business. Our topic today. And, heck, it’s the topic of every one of our shows, isn’t it? The Brinqa SaaS platform cuts through security complexity and empowers precise action. Tuned for specific environments and business outcomes. You see clearly, you act precisely, you can do it all with Brinqa.
To learn why companies like Adidas, Whole Foods Market, and Coca-Cola trust Brinqa, visit their site – it’s Brinqa.com – to learn more. Let me spell the name of the company because I don’t think anyone knows how to spell any cyber security company’s name because you cannot find it in a dictionary. Let me spell it, so pay attention. Brinqa.com. Make sure to check them out.
What are the elements that make a great solution?
13:11.252
[David Spark] Andy Kim, the CISO over at CyberCatch, said, “The cyber security program must eliminate subjective variables as much as possible. There must be a comprehensive control testing program to prove that underlying assumptions of a risk assessment are in fact true. Think MITRE ATT&CK as the basis of these tests, not internal audit.” And Uri Fleyder-Kotler, CISO over at Staircase AI, said, “People respond better when I talk with them in person, explain the risk, what bad things can happen, the liability involved, and finally making a very specific ask to fix the issue rather than general guidelines and best practices.
You know, apply software patches, configure MFA, enable a host firewall, apply encryption at rest, restrict open ports, remove outdated container images, remove admin privileges.” That sounds like a lot of technical talk, Steve, doesn’t it?
[Steve Zalewski] Yes, it does.
[David Spark] I can see glassy eyes over the listener hearing that. [Laughs]
[Steve Zalewski] I think all of us at that point were, “Been there, done that.” And it doesn’t work. I think what we’ve been talking about today, about what makes a great solution, is an appreciation that there really are two types of folks that we’re talking to. There are those that, “Tell me what to do to make the problem go away. I don’t care. I don’t want to be part of the solution.
It’s just going to be a job function, so tell me, and I’ll be done. And if the friction is too high then I’ll either complain about it, or I just won’t do it.” And then there’s the second folks that want to be part of the solution. They want to understand. They care about the company. They care about security. And so they’re willing to go the extra mile even to be able to accept more friction in their business process, but they do want to see something in it for them.
Because ultimately even those folks do want something. So, when I look at the processes… And kind of what we’re talking about here is it’s got to be a win/win. There’s always got to be something in it for the consumer of the controls we’re going to take them, but we do realize that there are two types of consumers – those that just will do as they’re told and those that really will step up and move beyond because they really care.
[David Spark] Amad, I’m going to ask you a question that is sort of brought up in the sponsor read here, that Brinqa offers a precise ability to pull out a vulnerability. I’m anxious to know how exactly you’re doing that, because that would speak to very much what Andy Kim here is saying, is, “Get rid of this objective as best as you can and follow the MITRE ATT&CK framework,” as an example he gives.
So, I’m interested to know how is Brinqa specifically finding these issues that are risk problems.
[Amad Fida] Brinqa takes a data driven approach to prioritizing vulnerabilities. So, taking the subjectivity out of the equation altogether. We’re looking at the threat intelligence that’s available to us to prioritize the business context around the assets or the attack surface itself. It’s really understanding that not all assets are going to have PII or PCI, or HIPAA, or any kind of regulatory requirements or sensitive data stored.
So, once you start stitching and putting all these data points together, you come to a very precise accurate representation of what a real impact and what the real risk is of a given vulnerability to the business, to the asset, to the process. And in addition, the visibility we provide as part of that process. We’re not just coming up with a risk score or a number that’s hard to understand, but we’re actually providing the various risk factors that went into it to compute that actual score, which turned into a rating that is actually sort of a north star.
Now, these risk factors, for example an asset that is externally facing, as I mentioned has a sensitive data associated with it, performs a critical business function. For example, part of an online store or serves a web application that is on the online store. Now, once you explained to somebody that these are the different elements of why we think this is important, that generally drives an outcome that’s beneficial to the business as well as the security.
Whose issue is this?
17:39.564
[David Spark] Andrea Schneider, who is the field CISO over at Lacework, said, “Put most efforts on reducing this timeframe to prove that there’s a positive effect of every dollar in security. Choose tools in a way to reduce friction. One tool is better than three. As every additional tool creates that friction.” Kind of something we mentioned earlier.
“And this will eventually slow down your mean time to remediate.” David Casey of Summit Health said, “No security team will ever be able to be everywhere, see everything. It takes an army these days. Engage them. Encourage them. Guide them. Leadership can set the pace. Security sets the goal. But the employees will fight the battle.” And I’ll start with you, Steve, on this one.
I kind of like that last comment there. “Leadership sets the pace. Security sets the goal. But employees actually do the work. They fight the battle.” That’s what we’ve been going for, right?
[Steve Zalewski] Yes. I think ultimately that needs to be the tagline for security. Because how we do that is a lot of the conversation for today. But the objective for what we’re trying to do is get the employees to fight the good fight in a way that they’re comfortable with and in a way that we can actually manage the risk appropriately for the company, which is… And I always say to myself, “I’m here to make money, and I’m here to protect my consumer data.” So, ultimately I have to balance the need to do that with the business processes and the people to fight the good fight.
And it’s never going to be perfect, and I’m always going to lose a few. But generally, I want to win more than I lose.
[David Spark] Amad, is there something within Brinqa that the average non-security person sees, and they can get that sort of sense of, “Aw, now I see that when we do this, this gets reduced.” Is there some visibility they get?
[Amad Fida] Absolutely. With every report, with every vulnerability that we identify, we provide a solution or remediation. And as well as the reduction in terms of the benefits that you’re going to get. Sort of biggest bang for the buck.
[David Spark] So, you can prioritize like, “We should do this first because we’re going to save a lot of risk issues if we do this first.”
[Amad Fida] Absolutely. Because we’re identifying the root causes, you can look at big ticket items that if we perform this update, or we transition from this technology to another technology, or we move from perhaps on prem to Cloud, there’s a significant risk that we can eliminate. So, it’s not only a very technical approach, but it’s also a very strategic approach because you are looking holistically across the board the things that you can do, the strategic initiatives you can take in order to reduce the risk in a meaningful way.
And Brinqa provides that visibility. And one of the things I’ll just add here, David, who owns this issue and the previous question as well, what makes it this easy solution. Security, as Steve pointed out, it takes a village. Cyber security generally is a very small team in the grand scheme of things across IT.
[David Spark] Sometimes a team of one to three.
[Amad Fida] Team of one to three. And in the times we’re living in, the budgets are probably not reducing but also not significantly increasing. So, you’re trying to do more with less. So, you do need any help you can get from other teams. As a solution provider from somebody who builds a software service, application systems that can help organizations to reduce their risk, one of the key requirements is to make this data very easily available to everybody in the organization, not just information security.
That goes a long way from reducing that friction.
[David Spark] This is not just a tool for security. It’s a tool for the business.
[Amad Fida] It’s a tool for business. Because you’re always going to have limited folks within security, and this allows everybody to take ownership, responsibility, and get a better understanding, and then drive action. And that’s our goal at the end of the day with Brinqa – to enable everybody in the organization to log in, get a list of prioritized work that they need to do, get a better understanding, and hopefully reduce that risk as the business priorities and resources allow.
[David Spark] Excellent. All right. I’m going to ask one quick last question from both of you. I’m going to assume the theme of a lot of our responses was, “It’s not technical. It’s a business issue. They should understand it’s a business issue.” I’m going to ask you for number two, Steve. And, Amad, I want your answer as well. What is the second biggest understanding that the business has?
Steve?
[Steve Zalewski] The second biggest issue is the cost of technical debt against the business process. Because time and time again, business processes work. And any time you change them, it costs money. And the technical debt oftentimes is where the security teams really are challenged because of their old systems, their old technologies, or out-of-date processes.
And so the challenge to change something that works when it is still making money because it’s not functional but nonfunctional risk we’re addressing is the number two of why we have to meet them halfway.
[David Spark] Excellent answer. All right, Amad, you close this out. What’s number two, the biggest misunderstanding?
[Amad Fida] Actually I would like to add on to what Steve was talking about as the second most important challenge is the nature of business in terms of the technology, the roadmap, the lifecycle, and the fact that certain things are put in place that are hard to change. And the security has to work around it. It reminds me of a story that one CISO told me around when iPhones came out in early days.
The CEO of a biotech company…and it was the CISO of that company…wanted to give sales reps iPhones because they wanted to have the communication with the clients as soon as possible while they’re traveling, so no communication or emails get missed and the ability to close the deal or sell their products as far as they can. Initially IT and security really resisted because nobody really understood whether security is around iPhones or these mobile devices, but that was a business decision.
And the security has to go meet the technology and the business leaders halfway essentially, really understand and put some compensating controls, whatever they could at the time. But that’s another example. The challenge where you just can’t live in isolation and create your own policies and standards without factoring the business needs, or the growth opportunities, or the things that the business have to undertake as part of being able to do their job.
Closing
24:40.978
[David Spark] Excellent. Well, now we’ve come to the portion of the show where I ask both of you what was your favorite quote and why. And I always begin with our guest, because Steve stole your idea for the last one. So, hopefully you’ll steal Steve’s favorite quote as well. Which quote was your favorite, Amad?
[Amad Fida] Well, David, my favorite quote was from Eric Bloch from Atlassian. “If you can put yourself in their shoes, you’ll make it a win/win.” And I liked it for a couple of reasons. But mainly having that it’s not just empathy for business but really understanding what a business goes through. Nobody wakes up every morning and says, “I’m going to go and fix a ton of vulnerabilities.” They think about how I’m going to be better at my job, how I’m going to help grow the business, how we’re going to make more money.
And that’s what they’re thinking about. And you as a security professional need to think about how I make their job easier. That’s what I really like about information security teams that are thinking as an enabler for business, not a roadblock.
[David Spark] Excellent. Steve, your favorite quote, and why.
[Steve Zalewski] All right. Well, I almost chose David Casey from Summit Health about security sets the goals, but the employees fight the battle.
[David Spark] I like that.
[Steve Zalewski] And I like that quote. But I think a lot of what we were talking about today and the genesis of the question I asked was not fight the good fight for security. I think really what we want to talk about and my favorite is from Matt Black of Contentstack. “If you can meet people where they are, you can usually develop a good process or plan to reduce the risk to an acceptable level and ensure the team who has to make a change is bought in on what you’re doing.” And so ultimately it’s what Amad was saying, too, which was the technical debt, the risk that we see is meet with the people, find it halfway, see where that friction is with the business, and negotiate the best that you can.
So, I’m going with Matt Black.
[David Spark] All right. Matt and Eric win this episode. And so does Amad, and so do we as well, and Brinqa. Lots of winners. Everybody gets a participation trophy. Thank you very much, Steve. Thank you very much, Amad. And huge thanks to our sponsor, Brinqa. Brinqa, remember, orchestrates the entire cyber risk life cycle across all security programs including understanding attack surface, prioritizing vulnerabilities, automating remediation, and continuously monitoring cyber hygiene.
Did you remember how I spelled Brinqa? It’s spelled Brinqa.com. That’s where you want to go immediately following this recording. So, if you’re driving, pull over and go there right now. Amad, any last words for our audience? Any offers? Anything you want to say about Brinqa? And are you hiring?
[Amad Fida] We are, Brinqa…we’re hiring across different teams, positions. If you’re passionate about cyber security, vulnerability management, we have a number of positions from engineering to customer success, as well as professional services. We’re looking for top talents, so please feel free to reach out to me directly with LinkedIn or our website, Brinqa.com.
Thank you again, David. And, Steve, this was a lot of fun.
[David Spark] All right, awesome. Well, thank you very much. And thank you to our audience. We greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, and Cyber Security Headlines – Week in Review. This show thrives on your input. We’re always looking for more discussions, questions, and “what’s worse” scenarios.
If you’re interested in sponsoring the podcast, check out the explainer videos we have under the sponsor menu on cisoseries.com and/or contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.