Have you ever thought that Cybersecurity focuses on the wrong things?
Join Jason and Paul, two experienced and often comfortably disagreeing CISOs, as they kick off their very first F-Sides podcast.
In this inaugural episode, we go through why the heck you should listen to this podcast, what to expect from it in the future, and, well, lots and lots of self-deprecation.
Oh. And our topic of discussion for today is "Do you start with Compliance or Risk Reduction" in a Cybersecurity program. Yawn, right? Not. We're gonna tackle topics like this and keep 'em lively and fun... it is F-Sides, after all.
If you work in Cyber, are affected by it, or are interested in it, you'll find that our discussions, debates, and interviews with thought leaders across domains apply to Cyber in surprising ways.
Jason Loomis[00:00:10] Hello and welcome to F-Sides.
Paul Love[00:00:13] That's Jason.
Jason Loomis[00:00:14] That was Paul. And this is.
Paul Love[00:00:17] The Cyber Humanity podcast where we focus on the human side of cybersecurity.
Jason Loomis[00:00:22] This is our very first episode, number one.
Paul Love[00:00:26] I know. I'm shocked. Here it is. We finally did it after a lot of planning.
Jason Loomis[00:00:33] This is great, man. So if you're one of our three listeners, and I'm not counting our immediate family members who were possibly bribed, coerced or guilt-driven to have to listen. Well.
Paul Love[00:00:42] If you're one of those three and you're not my wife or sons, that is.
Jason Loomis[00:00:46] What you meant. Right. If you're not one of those three, we're going to explain a little bit, for this very first episode, of what would you say you do here, of what exactly we're doing here, and hopefully answer, more importantly, why the heck you should be listening and hopefully continue to listen to our podcast.
Paul Love[00:01:01] Yes. And by the way, I love that reference, and I think you're going to talk about that later, of what would you say you do here? Because that is one of my favorite statements. But, you know, for a little bit of background, Jason approached me about this and we started talking more about doing a podcast. Like, oh great, another podcast. Great. That's exactly what the world needs.
Jason Loomis[00:01:23] Is another.
Paul Love[00:01:24] And another one. Yeah. So, but the thing that I've always liked about talking with Jason is, and I think people who've heard Jason and I talk know this, we often have similar but opposing views. And I know that doesn't make sense probably initially, but we have a lot of views in common, but we come from different backgrounds in security. So a lot of what you'll hear is Jason and I having some of the discussions we'd have over drinks or whatnot, where we argue in a good way, respectfully argue, and talk through why we disagree with each other on interesting security topics, in my opinion. And that's what I think this podcast will do tonight, because there are a lot of podcasts I hear where it feels like everyone's just kind of slapping each other on the back. Yeah, that's. I totally agree. I don't think you'll get that here.
Jason Loomis[00:02:17] No, not at all. You and I are both fervent believers in the importance of disagreement. In fact, one of my favorite quotes is this, quote, "Freedom is hammered out on the anvil of discussion, dissension and debate." That was Hubert Humphrey.
Paul Love[00:02:30] That's great. I love that.
Jason Loomis[00:02:32] It's a great way to look at the importance of it: we have to be able to disagree. We have to be able to have dissension and debate to come to a truth between us, or even just to learn. You know, I learn all the time, but you as my mentor, and the fact that I disagree with my mentor, is fantastic, that I don't have to agree with everything that, you know, the person that I followed in the footsteps of tells me all the time.
Paul Love[00:02:51] Jason has been way too kind. Actually, I've learned far more from him, I feel like, because we actually both have different approaches towards how we think about things. You're a deep researcher. You love facts and use case studies. I like facts and case studies, too, but I don't think I read as many case studies as you, because Jason has a case study for every single issue you can think of, whereas I base some of the things I do on my experience, like, okay, I've seen this work, I've seen that done a certain way. And case studies are, in a lot of cases, an extrapolation of multiple people's experiences. So I tend to use some of that when I have discussions.
Jason Loomis[00:03:33] That's because you have that experience to fall back on. You were writing your seventh book when I was still bartending my way through junior college, so, you know, there's that too.
Paul Love[00:03:42] I don't think it's quite like that, but, you know, it's good to have someone like you, Jason, who has gone and done that extra study. It isn't totally dependent on, or leaning more on, the experiences, because it's very important to hear other people's experiences. And that's something I try to do: when people start to talk to me about their experiences, I try to be quiet, right. And I find that with humility and listening, you actually learn a lot, as opposed to sometimes you'll see CISOs coming in and saying, Oh, I know all this and here's how you have to do it. Right. And Jason, you bring in a good perspective because you're always willing to argue and you have a lot of cases. I think Jason needs to start up a website on case studies, Case Studies R Us, where you type in what do I need to argue about, and the case study shows up with, you know, maybe a picture of Jason smiling like Clippy or something saying, is this the case study you're looking for?
Jason Loomis[00:04:37] Hmm. So yeah, you're going to find that both Paul and I approach cybersecurity in our unique, different ways. And we don't always disagree. But just like science fiction... we both love science fiction. We both love cybersecurity. But you might think, do you like Star Wars or do you like Star Trek better? And that's where we get into the fine points of the debate. But we both believe passionately in the importance of cybersecurity. The other theme that you're going to hear a lot with us, besides us maybe disagreeing, hopefully disagreeing, is this idea of moving the elephant.
Paul Love[00:05:10] What is the elephant? Yeah, Jason said that to me the other day. I was like, What are you talking about? Move the elephant. That makes no sense to me.
Jason Loomis[00:05:16] But Paul's heard enough about it and read enough about it, so he understands the concept too. He's just playing with you, folks. If you look on our branding, or you look on our website, or you look on our logo, you're going to see the elephant prominently displayed. It's F-Sides, f s ideas dot com. Check it out. And you'll see, though, the whole idea is there's this very famous framework created by a psychologist at the University of Virginia, I believe, who is at NYU now, probably most famously referenced in the book Switch by Chip and Dan Heath. Great book. I highly recommend you check it out. It's about how to effect change in individuals, families, organizations, and companies. And the framework is this. It's that any time you want to effect change or get people to change behavior, you need to have these three things work together. A little rider. Imagine a little guy, about 180 pounds, sitting on top of an elephant that weighs about 6,000 pounds, walking down a path. And to get people to change, that elephant and that rider and that path need to be going in the right direction, and the direction of the elephant, where it is going to end up, is the change. Now the rider represents the logic or the analytical side. The data side. Yeah. The ROI. Why, do you have the numbers? Well, show me the spreadsheet that tells me why we want to do this. The elephant represents human emotion. Imagine you're on a diet. This is a great analogy to the rider and the elephant and how much they can conflict. Your little rider guy is saying, I need to lose weight. Here's what I'm going to do: if I eat just this over the next week, I can lose a pound a week. But, you know, you get that elephant in a room full of freshly baked chocolate chip cookies. Right. Who do you think's going to win that fight? You've got a 180 pound guy trying to move a 6000 ton elephant that wants to get those cookies. It will win every time. And the path represents process. Something else we in cybersecurity are big on; we're going to talk a lot about process. You know, that's what frameworks are. It's the process of how you get that elephant and that rider to move down a path of change. But often, and mostly in my career, in my previous career, before I came across this framework in my grad school days, I always failed at motivating the elephant when it came to implementing change in organizations. Getting things like, Hey, I want to do a new security program, a new security awareness training program. I have a new framework. I have a new control I need to implement. I would always focus on, Oh yeah, here's the why, here's the science, here's the rider, here's the ROI we're going to get. Here's a reduction in risk. The path: okay, so if we do these following ten things. And then I'd be bummed when my stuff didn't get approved, no budget approval, or the organization didn't have buy-in. And people were just not interested. They wouldn't take it seriously, because I was never looking towards how do I get that elephant to agree with these things too? So this entire concept of our F-Sides is really to talk about people and human beings and human behavior in cybersecurity and what gets humans to change.
Paul Love[00:08:16] Yeah, and you'll hear a lot of what got us to change, because I was in the same boat. Right? I would always throw up all these data points and try to just go the data route only. And I wasn't respecting and honoring the fact that a lot of decisions are made based off of emotion, too, right. I mean, so you have to consider a lot of different things when you're trying to change people's behaviors, and make sure to honor them, or at least acknowledge that they're there and appease them. But that's something I think you'll hear a lot from Jason and I, is how we did that. You'll get our experiences in it. Your experiences are going to be different, but we hope that, you know, what you hear from us will help you in hearing a different viewpoint that you may not have heard.
Jason Loomis[00:09:03] Yeah, absolutely. And also occasionally expect to be peppered with obscure pop culture references throughout the podcast. We did one earlier, a nod to Office Space, one of the best movies of all time and funniest movies of all time. If you've never watched Office Space, you need to.
Paul Love[00:09:20] But I think some of the follow-ups by Mike Judge are just as good too. Nobody seems to agree with me, but everyone says Office Space is good.
Jason Loomis[00:09:27] Idiocracy was great. It was. I love it. A little too fortune-telling for my taste.
Paul Love[00:09:32] I felt like it. So hey, I notice you're wearing a shirt. Tell me a little bit about that. You don't generally, right?
Jason Loomis[00:09:38] Paul should mention that the plan was for me to go shirtless in these podcasts. So that's great. Thank you for that. You're confident.
Paul Love[00:09:45] So I sort of rephrase that. I decided.
Jason Loomis[00:09:47] To wear the.
Paul Love[00:09:47] Shirt you're wearing.
Jason Loomis[00:09:48] Thank you for that. But I think what Paul means is I'm not wearing a collared shirt. Typically, I wore collared shirts, and on all our podcasts you'll see me wearing collared shirts. And today I came in ready to change into a collared shirt and keep the hat to be a little more casual. And then I realized, wait, I'm wearing a Good Trouble shirt. Good Trouble is a great way to look at what we're going to do today. Good Trouble is a phrase that was made popular by Georgia Congressman John Lewis, a civil rights icon. Rest in peace. And I just love the phrase. I love the idea of it: you know, he was also big on dissension and debate, I mean, kind of the godfather of it, of, you know, you have to sometimes step up and disagree with the norms to effect good change. So we hope Paul and I are going to get into some good trouble in this podcast.
Paul Love[00:10:33] Yes, hopefully so.
Jason Loomis[00:10:35] So we're going to kick off this first podcast with a little discussion, cybersecurity focused. But I believe that it can affect you even if you're not a cybersecurity professional: the idea of should you start with compliance or risk reduction in a security program? And Paul, I'm going to let you expand on that, for maybe some listeners who might be wondering, what do you mean, compliance, and kind of get some definitions around that, because I know, well, actually, that idea that I just said, I know what it means. Compliance could mean different things to different people. So, yeah.
Paul Love[00:11:04] Let's talk about contextualization of what compliance means in the scope of this conversation. So you may have heard that compliance is not security, right? That organizations that are compliant with certain regulations still have problems sometimes. And that's true, right? There is no silver bullet. If there was, you could automate information security. But what compliance does is it helps to set kind of a lowest common denominator on expectations within a regulatory field, or within, you know, some agreed-upon organization. For instance, let's use PCI, right? PCI sets requirements; you're required to meet these to be able to process credit cards. Therefore, you need to comply with those rules. So compliance is: there's an expectation that you meet these minimum requirements that some other, usually third-party, body will put into place. And so what Jason and I were having a conversation about is, okay, well, since compliance is not security, right, how do you help reduce security? And that's where you bring in, you know, reducing risk, right? And that could be using the Center for Internet Security Controls, where if you put in their security controls, in version six, right, they did research that showed that you could reduce the potential of an incident by X percent. I think it was in the 80% to 85%. There you go. Top five, 85%. If you do all 20 in version six, you can reduce it by ninety... Yeah. Now, okay. I thought it was like 90.
Jason Loomis[00:12:44] I'm a big fan of CIS. I'm a fanboy.
Paul Love[00:12:46] Yeah, I think it's a very, very solid framework. So, you know, when you do that, you actually are reducing risk. It's not a regulatory requirement anywhere that you implement CIS, that I'm aware of. But, you know, if you do that, you are showing that you're reducing risk. So what we're going to talk about today is, you know, which one should you do first? Should you do the compliance stuff? If you're just building a program out, should you focus on compliance and then do risk later, or should you do risk and then compliance, or some other option? And I think that's kind of what Jason and I are going to discuss.
Jason Loomis[00:13:20] Yeah. And I'm going to answer that question. I feel like you just asked me your question. What should you.
Paul Love[00:13:24] Say? I did.
Jason Loomis[00:13:25] Paul, I think I'm going to do the cop-out of all cop-outs on the answer, but just wait and let me finish the cop-out, Paul. It depends. But I want to finish now. I'm going to finish that cop-out. It depends on the organization, but let's go with most SMBs, meaning small to medium sized businesses, under $1 billion of revenue, even under $100 million of revenue, which I think is the large mass of what we see out there in the United States, in North America, for businesses that are faced with this question. So for SMBs, compliance is where you're going to want to start. And I hate answering that question, but it's the real-world answer, because it absolutely is not how you should start, but it's moving the elephant. That's how it's going to move the organization to be proactive about cyber, because unless you tell people they have to do something, for a small to medium sized business, profit will always override risk reduction.
Paul Love[00:14:20] And shockingly, I'm going to agree with you, to a point, right? Because compliance is a strong driver, as long as an organization hasn't decided that they're willing to forgo compliance and accept the risk of fines and so forth, because that is a risk strategy. Some organizations decide, hey, you know what, it costs us more to comply. We'll just pay fines. You know, most security people don't like working in those types of organizations, because you're not moving forward, right? You're just managing risk, but, you know, using money to kind of replace, you know, good security practices. So I would say I actually agree with you that compliance is a great chance. Yeah, it is a good point to start. But actually I'm going to add a caveat: that understanding what your management wants is exceptional, and super easy to say, by the way. Right. Because, you know, when you talk to management, they're going to say, well, we want to comply. We want to reduce, you know, the exposure to, you know, an attacker breaking in or whatnot. And that would imply, okay, in addition to compliance, we need to do risk reduction. And what I would suggest is that you can do both, and the way to do that, but it's not easy, is to identify what your compliance requirements are. Your compulsory requirements is what I refer to them as. Right, the things you have to do. And then identify report.
Jason Loomis[00:15:41] Actually, that's the opposite of compulsory. Compulsory is you're compelled to do it. You can do it, but you don't have to be PCI compliant. That's what compulsory is, right? Regulatory is a law that says you have to do this. Compulsory is we choose to be PCI compliant.
Paul Love[00:15:54] The way I think about it is that compulsory is you don't have an option, right? You have to do it.
Jason Loomis[00:16:00] So I disagree. I look at it the exact opposite. How did we get... well, we get debating about the word compulsory. Compulsory.
Paul Love[00:16:05] We'll go through that. I'm going to go look it up now just to make sure. But basically it's things that you're required to comply with.
Jason Loomis[00:16:11] So PCI, PCI credit card, says you've got to do these controls and have these controls in place.
Paul Love[00:16:16] You have no option to change them.
Jason Loomis[00:16:18] But here's the problem with starting there. Here's an argument about why starting there can be a bad thing, and why I don't like starting with compliance: it's all based on what they call scope. Scope is, well, what environment are you talking about? So let's say you have at your company somebody who's responsible for the cafeteria, a free cafeteria. All they do is cook food. They have a little workstation where they work on their menus, and that's what they do. PCI is going to say they don't deal with credit cards. They're not in scope, meaning don't worry about what they're doing, and I'm not even going to go look at what they're doing for security. So much of the problem for me with starting with compliance, why I'm so dead set against it, yet I just said start with it, is that scoping... the company will want to spend the minimum amount to get compliant.
Paul Love[00:17:02] That's depending on the organization. Yeah, absolutely right.
Jason Loomis[00:17:05] I argue 80 to 90% of all of our SMBs are revenue, profit driven.
Paul Love[00:17:10] And I'm not, I won't be passive. I won't say I don't disagree. I agree. Right. So the thing to understand with that, though, is that the way I view it is, if you're playing games with scope... I actually heard many years ago, and I don't remember the name of the company, but it doesn't matter, right, that there was a massive issue. There was a breach at the company, and I had read an article where the CISO basically was talking about how, years before, the CISO gave a podcast, an interview, saying, Oh yeah, my goal is to reduce the scope on all of these compliance things. And here's the conversations I have with the auditors. It's like, yeah, if you're playing scope games, then you're, you know, definitely more of a compliance CISO. So initially, I would actually say I want to be a risk CISO, and you can be a risk CISO and pour compliance in and still meet the compliance goals. And that's where I would suggest: identify what your compliance requirements are, and then find a good framework for risk, like CIS or whatever you choose, and then merge those together and say, okay, here's the risk controls that we need to have, here's where they link to the compliance requirements. Okay. I can accomplish two goals with one thing. When I show this to people, I'll focus on the compliance, but knowing that we're going to get to this ultimate goal of risk reduction as well.
Jason Loomis[00:18:38] Right. And that's actually, this is the mentorship, that was Paul taught me that. And it's the idea of taking the most restrictive controls. You look at your list. Here's the things PCI says I have to do. Here's the things CIS says I should do. Let's pick: oh, one has passwords at eight characters and this complexity, the other one has passwords at ten characters and no complexity. You pick whatever is the most restrictive across your organization, and you can use that as, here's how I'm going to say it's a cost savings, you know, because the organization asks, why do you want this so restrictive? Oh, it's because it's just going to be so much easier to manage. And it saves us cost with having to manage two different environments for passwords. We're just going to send it across the board. And you can start scope creep on your own, if you're in security, to sort of start applying those PCI-grade controls across the organization instead of just tightly scoped. Exactly. A great way to use compliance and start shifting towards risk. But when it comes to reporting and getting budget for things, when you say I need budget for PCI compliance, you're going to get yeses for that budget a heck of a lot more than when you say, oh, I want to reduce risk by such and such by implementing this control.
Paul Love[00:19:48] Well, let me add something to that, which is that that tells a story that people understand, and we'll be talking about that in a later podcast. Compliance is a story that people can wrap their head around immediately. Right. Risk reduction is a lot more of a complex subject, because risk reduction really depends on the people involved and what their perception and acceptance of risk is. Right. So compliance takes out the emotion and the interpretation; it's like, it is what it is. Right. So that's a story that's already pre-built for you. So it's very, very easy to use that story. The harder part of a CISO's job is to sell the story of risk reduction, why a shared vision of what your interpretation of the appropriate level of risk is is important, and get buy-in. And that's a much harder conversation to have.
Jason Loomis[00:20:36] It is a struggle, but we're going to get into storytelling as a topic later on. We're going to talk about all these awesome things that we just sort of very lightly sprinkled at you today, talking about compliance, the risk reduction. So the answer to the question, should you start with compliance or risk reduction in a security program? I think Paul and I both agree that, yes, you start with compliance, but you should start with compliance if you're an SMB. But well, let's get my answer for that. Here's mine, and.
Paul Love[00:21:05] Then I'll give mine.
Jason Loomis[00:21:05] My succinct answer. Yeah. Audience, folks, yes. Start. If you're an SMB and you're in security and you're just trying to kick off a security program, start compliance driven, because you're going to get what you need from the organization. It's easier to push through, it's easier to sell, and then slowly start moving and shifting over to a risk reduction based security program using either a better or different framework or combining frameworks. And that's my answer to that question.
Paul Love[00:21:33] And I would agree. Yeah. Start with compliance as a tactical maneuver. Right. Because again, that story is pre-built for you. It's very easy. It's been shared before. But integrate the strategic risk reduction framework, and select a risk reduction framework early. And the good thing about frameworks, especially the non-compulsory ones, which Jason and I are going to argue about later, but the ones that aren't necessarily required, is you can change them out if they don't fit your needs, right. You can do a fast-fail type of approach and say, Hey, CIS doesn't work in my organization. I'm going to use a different framework, right? So I would say integrate that into your compliance immediately and understand what compliance activities help you meet the risk reduction goals, and do that rather than later. Because the longer you wait, it feels like the harder it is to integrate, because you've already started down a path and people are focused on the compliance aspect, especially within your security team.
Jason Loomis[00:22:34] Absolutely. Well, high five, that wasn't as disagreeable or dissension-filled or debate-filled as I would have thought. But stay tuned for other ones. I know that there's a lot more out there, because Paul and I are constantly, constantly debating ideas and topics. This time it wasn't over beers. It was over a Good Trouble T-shirt. Stay tuned for our next episode coming, I believe, in one or two weeks. We still haven't figured out the cadence. We have no idea what we're doing. What's going on here? Who is this?
Paul Love[00:22:58] I didn't even know I was doing this today. Jason, you just told me, turn off my camera. Let's chit chat. So. And it turned into a podcast. So great.
Jason Loomis[00:23:05] He's lying, folks. You can tell by how his nose grows.
Paul Love[00:23:08] To.
Jason Loomis[00:23:08] Toward the camera. His nose would be fun out here. Awesome. Well, hey, thanks, everybody. Please stay tuned for episode two. And welcome to F-Sides, and goodbye from all sides.
Paul Love[00:23:17] Great. Welcome. Thanks.