How do phishing scams, AI-powered attacks, and strategic governance intersect? Together, they're redefining the future of cybersecurity. Organizations are navigating a mix of challenges and implementing innovative solutions to proactively address today's threats.
Today's guest is Kelly Hood. She is the EVP and cybersecurity engineer at Optic Cyber Solutions. She is a CISSP who specializes in implementing cybersecurity and privacy best practices to manage risks and to achieve compliance. She supports the NIST Cybersecurity Framework and serves as a CMMC registered practitioner, helping organizations strengthen their cybersecurity posture and develop effective risk management strategies.
“Cybersecurity is no longer just talked about in the server room—it’s a conversation that needs to happen in the boardroom too.” - Kelly Hood
Show Notes:
- [01:06] – Kelly is a cybersecurity engineer at Optic Cyber Solutions. It's her job to help companies protect themselves.
- [02:17] – Don't be embarrassed if you fall for a phishing scam.
- [03:01] – These attempts are getting more realistic. Kelly shares how she was briefly fooled by a phishing scam that looked like an email from her mother.
- [05:25] – The NIST Cybersecurity Framework is a voluntary framework for defining cybersecurity. An update was put out in February of 2024. They also added a new function.
- [06:01] – The five functions that organize a cybersecurity program have been identify, protect, detect, respond, and recover. They recently added the govern function.
- [06:38] – The govern function is about defining your business objectives and then putting protections in place that make sense for those objectives.
- [09:01] – The identify function is focused on knowing what we have.
- [09:40] – Protect includes everything from identity management, authentication, training, data security, and platform security.
- [10:12] – Detect is looking at what's happening around us. It's continuous monitoring and knowing what happens if something goes wrong.
- [11:00] – Respond is knowing what the plan is when something does happen.
- [12:01] – Recover is about getting back to normal after something happens.
- [16:22] – Data centers want to make sure that they have redundant power supplies.
- [17:33] – We discuss some of the things that people might forget when identifying cybersecurity assets. Data and people need to be thought about as well as systems and hardware.
- [21:00] – We need to write things down and understand what systems and data connections we have.
- [23:10] – We talk about the importance of being aware of the physical space and who is actually supposed to be there.
- [24:46] – Data is one of the assets that often gets overlooked for protection. There are many new requirements that require data to be protected.
- [27:54] – Monitoring to understand what traffic you should expect and what is and isn't normal activity is also important.
- [31:10] – Transparency and communication are paramount for creating trust.
- [33:51] – Sometimes recovery doesn't mean 100%. Get up and running and prioritize the systems that matter most.
- [36:56] – With governance, you really want to look at what you're trying to do with the business and then translate cybersecurity to fit that objective.
- [37:27] – Have guidance documentation in place and have oversight.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Optic Cyber Solutions
- (MaPT) Maturity and Progress Tracker
- Optic Cyber Solutions on LinkedIn
- Optic Cyber YouTube
- NIST Cybersecurity Framework
Transcript:
Kelly, thank you so much for coming on the Easy Prey Podcast today.
Hey, great. Thank you for having me. I'm excited.
I'm looking forward to this. Can you give myself and the audience a little bit of background about who you are and what you do?
Yeah. My name is Kelly Hood. I'm with Optic Cyber Solutions. I'm a cybersecurity engineer there, and I work with companies to help protect themselves and with our team to help protect our company. We've got kind of both sides of the house making sure that we're all staying secure.
These days, that is a massive undertaking. It's not as simple as it was 20 or 30 years ago.
Right. Definitely always something changing, which keeps things interesting.
Yes. As we start here, I wanted to ask you because you're in the cybersecurity field, and I really want to destigmatize falling for scams and frauds and clicking on those phishing links and all sorts of things, all the things that we talk about on the podcast and try to help people not do or to be aware of. I don't want people to be embarrassed and feel ashamed about themselves, because if you and I can't get it right 100% of the time, then the listener shouldn't feel embarrassed to ask for help or to, “Gosh, I fell for this.” It's not the end of the world.
Do you have any stories around phishing attempts or cybersecurity incidents that you can share with us?
Yeah, definitely. I think it's such a great point and they're getting so much better at those phishing attempts and making things look more real. If we just ignore it, it doesn't help anybody. It just hides the problem until it becomes bigger. In my own world, I'm lucky enough to know and to look closely because not that long ago, I received an email to my inbox. But it looks like it came from my mother saying, “Hey, Kelly. Look at this new job requisition that's just down the street from where you work today.” It looked legitimate. It was spelled and used proper grammar.
But I thought, “Why would my mom be sending me a job rec, especially in Maryland where I work today? She wants me to move back to Oklahoma where I'm from.” I thought, “This doesn't feel quite right.”
Then I looked a little bit closer at the email header and saw that her email address wasn't quite right. I thought, “Wow.” I just—I couldn't believe how they had her name. Her email address was almost exactly what it was. They knew I worked in the cybersecurity field. They had really put together a lot of information to craft an email that looked legitimate, and it would have been only too easy to click on that if I didn't know that she didn't want me to continue working in Maryland.
That's the sort of thing to me that's getting scary about this sort of stuff, is that it used to be spear phishing was only for the Fortune 500 CEO or the well-known crypto enthusiasts. They were very specific people being targeted for very specific reasons, and now those same techniques are being applied much more broadly than they have in the past.
They have. I get a lot more emails these days where you can tell. I mean, AI has a big hand in that, or you can tell they've crawled my LinkedIn page or something and said, “Hey, I see you've got experience working for fill in the company here.”
We love to learn more about this. At first, you read it and you're like, “Wow, they really did their research,” and then you realize, “No, that's all public information. It's all out there.”
There was one. I used to work and deal with a platform that I don't think even exists anymore. This was like 30 years ago. Every now and then, I will get an email that we'll talk about that, “We see you have experience with this old non-existent platform, and we're really excited because we have a job opportunity with that.” I'm like, “No. Anyone who's currently using that platform is in trouble. This is the worst thing in the world they could possibly be doing.”
Right. I don't want the job even if they have it.
Even if they offered me a million dollars, I wouldn't do that job because that would just be, “Let's program in Ada or Pascal or something like that.” Stuff that no one does anymore.
I know we're talking about the NIST Cybersecurity Framework here today. Can you tell the audience what that is and why it is in the news recently?
Yeah. So the NIST Cybersecurity Framework, it's a voluntary framework, a structure for defining what cybersecurity means. Recently, or back in February of 2024, they put out the first major update since it was released back in 2014. We're now on 2.0, and it was a really big deal because they added a new function.
If anybody is familiar with the cybersecurity framework, they've always had five functions organizing what a cybersecurity program should look like and what it should encompass. That's been identify, protect, detect, respond, and recover, which has been this nice kind of colloquial way to talk about cybersecurity and make it a little more approachable. But they recently added the govern function, among other things, to really highlight some of the needs of industry.
Really, it's a nice way to have a structure for a cybersecurity program to help define what you have, communicate within your organization and with your partners, and then also a way to organize requirements that you may have; many standards and frameworks are mapped into that framework as well.
Got you. Can we talk through what each of these elements of the framework are?
The newest one, that govern function, is kind of the first function on the list, because govern is where we start. That's when we want to really think about what we do as a company. What is our mission? What are our business objectives, so that we know, once we put protections in place later, that we're doing it in a way that actually makes sense for our business, and we're not just plugging in a firewall with any rules or something, but that we actually are doing something?
That new govern function has been a really big change to highlight the need to kind of stop and say, “What are we trying to do here?” Get the right stakeholders involved, get some guidance in place, including things like policies and oversight and roles and responsibilities. It's really also provided a way for cybersecurity leaders to see where they fit in the world and to go back to their organization and say, “This is where I fit, this is my role, and this is why it's so important.”
Now we’ve got that. It was a category before, but they turned it into a function to really highlight the need because of what we're seeing in industry and the kind of feedback that has been received over the last few years.
Yeah, I mean, definitely. Cybersecurity is no longer talked about. Not that it's no longer talked about in the server room, but it's not only talked about in the server room. It's really started to be talked about in the boardroom these days.
Which is so important to make sure that everybody understands the risk that being in our connected world today brings. Nobody operates in a vacuum; everybody has partners. Everybody's doing work online. You're connected to the Internet. With that, we have to acknowledge the risk that brings and make sure that we're handling that appropriately, that we're getting the funding and the support from the board and the senior stakeholders.
That's actually one of the things I do like about the framework, is that it is at a level that is a little bit easier to understand where a lot of standards are very jargon-y. In this case, we're saying govern: govern what you have, identify, protect your data, protect your systems. There's words that are a little bit more user-friendly.
Got you. Can we go through what the other elements are and kind of how we should be thinking about them on a business level? Then maybe we can draw some parallels over too for consumers.
Yeah, definitely. Once we start off with that—that new governing function—and then we move on to identify. The identify function is really focused on knowing what we have, because if we don't know what we have, who are we going to protect it from? That includes asset management, understanding what assets, also what data, what people, who are all the players involved in your program, looking at the risks that you have. Then they've also included an improvement category there.
It's really about kind of knowing what you have that when we get to that next function—protect—we can protect them appropriately. Protection includes everything from identity management, authentication, training is included here, data security, platform security. It's really a lot of the more technical things that we imagine when we think of cybersecurity fit in this protection function.
The things that oftentimes we want to jump to and say, “I want to buy the new, cool tool.” I was just on the floor at the last conference and somebody told me they had this fun, new tool with a pretty dashboard. They're great to have. We need to figure out where they fit into the overall program, but a lot of those more technical aspects are here in the protect function.
Got you. Then what's after protect?
Then we detect. Once we've kind of been on the proactive side, now we're moving to look more at what's happening around us. We know we think we're protected. We think we're good. But what happens when something goes wrong? And so detect is about continuous monitoring and analyzing what's going on to see, “Does anything look a little bit off?” Is somebody badging in at one facility and then, halfway around the world, badging in again 10 minutes later? Or is there somebody that's had a whole bunch of failed login attempts? Just kind of seeing if there is anything weird going on in the network, or maybe physically, even at a facility, so that then we can respond, which is the next function.
I know how to react in a quick and efficient manner when something goes wrong. Because, to your point about what we used to think of cybersecurity, is how do we make sure that nothing happens? How do we prevent an attack? How do we make sure that we aren't a victim of an attack? But really, we know something's going to happen someday probably.
It's no longer if, but when.
Right, so we want to make sure that when something happens, we're ready for it so that we're not splashed up on the headline of the news the next day. We can say we saw that. It could have been really bad, but we were able to stop it. We quarantined that system off. Where we could have had a major breach, we were able to keep that from happening.
We know that things are going to happen. There are bad actors out there. I want to make sure we can respond quickly to make sure that nothing truly bad happens, which leads to the last function of recover.
Once we've responded to the incident, a lot of times with respond and recover, we are kind of confused and say, “Why are they broken out differently?” But really, the way to think of it, I was thinking in terms of health care, like an ER. Incident response is the emergency response. You’ve got to stop the bleeding. We’ve got to figure out what's going on and get things under control. But then you might still need to do some physical therapy afterwards, and that's that recover.
How do we get back to normal? We're no longer in crisis mode, but now we aren't back up to where we were a week ago and so we need to get back to normal, and that's that recover function.
A lot of these things really need to be thought out well before you have an issue, right?
So much of it in the heat of the moment. It's so hard to know what is the right thing to do. “Who do I call? What system do I need to get up first? Is it more important to have the website up so that our customers think everything's fine, or do we need to be working on the back end to make sure that everybody's aware of what's going on?”
There's all these priorities and things that everything is important, but what's the most important thing is something you don't want to be figuring out in the heat of the moment.
I remember, many years ago, at a company I was working for, we were in Southern California, and there's always the, “OK, if there's a major earthquake, what's the business continuity plan?” I was like, “If we think the building's going to be shut down, we need to call the appropriate people and start making sure our employees know not to come into the building.”
But then there's this, “Is anyone maintaining employees’ phone numbers on paper anywhere? Is that paperwork accessible anywhere other than in the building?” Because if you can't get to the building, or you can't get in the building, and all the computers are in the building, now suddenly, “Oh, wait a second.”
I can't get a hold of my employees to tell them not to come to the building. There's a lot of complexity in thinking these things through, isn't it?
There is. And it's a great example and that's why it's so important to do things like tabletop exercises. When we think of cybersecurity, knowing that something's going to go wrong, we can do exercises to say to test these things out and realize, “I can't get to this data if we have ransomware, or if the building—if there's an earthquake and we came into the building and my data's locked up, I can't get the list of phone numbers of people to call to—maybe we need to have a printout or have it stored somewhere else offsite.”
There are so many things where we've seen that go wrong, and it's hard to know all of the potential opportunities, but really thinking through ahead of time, like you said, can be so important so we have a clear mind while we're thinking, “What would those roadblocks be? What are the dependencies?” We've seen companies that have something like power. You think, “Maybe I need to have redundant power if something happens.” Then we had somebody that, it turned out, had redundant power, but it was being provided on the same backbone by the same company.
There was an outage and they had technically two providers, but it was on the same backbone and so they didn't actually have any redundancy there. They were just paying for the same line twice. That's also a hard pill to swallow.
When you talk about power, it makes me think I live in an area where until you're looking for a data center, you don't know where they are. These days, they could be in a high rise. It could be in any community. A number of years ago, I was looking for a data center and so I started googling, “Where are the local data centers?”
I found out that not too far from me, there's this road where it's just data center, after data center, after data center, after data center in old manufacturing buildings. I was like, “This seems to be a weird location for a bunch of data centers,” but it was exactly because of what you were just talking about. It was on the border of two different power providers running on different backbones.
That data centers really want to make sure that if their power goes out, not that they just have backup generators, but that they also have a redundant main power supply. It's near an airport and airports like to have dual power.
That's why they're all down this one street, because this one street is where you've got the power running for two different power companies that bring power from two different grids or whatever.
Right, they've thought it out ahead of time and before they built it. That's a great example.
The funny thing is I don't think it was—I don't think there was ever a plan to put a whole bunch of data centers here. But like the data centers were once they found out that, “Hey, I can buy a building with two power providers,” it now becomes valuable real estate for them.
Going back through some of these, what are some of the challenges with each of these elements of the framework? Because I can think of, like, identifying assets: if you've been in business for a long time, you may not know. Bob knows all the things that are in the server room, but he doesn't know that there's something in the closet that runs the alarm system for the building.
What are the sort of things that people forget in terms of identifying cybersecurity assets or people or data? What are some of the things that just fall off the radar?
Yeah, well, one of the first things is oftentimes when you read something like asset management, you think of systems and hardware and you're not thinking of data and people, or maybe virtual environments that you now have so much is in the cloud these days and we're working on virtual machines or all of this where people have gotten better at realizing, “I need to count my servers or my physical equipment. How many workstations did we have?”
It does come with its own challenges sometimes, but really looking at the broadened scope of what kind of data I have. That's a beast in itself. If we think of people as assets, which feels kind of weird, but if we think of the resources that we need to understand who we have and what access they have as we're protecting our systems, it makes the puzzle much more complicated. But recognizing that and having a way to catalog it, you just kind of have to start somewhere.
It's one of those things we have to realize we're not going to get it all done today, probably unless we're a really small company, but being able to talk to everybody and say, “OK, Bob, what systems do you think we have? Let's reconcile that with the other group and see what systems they have and they manage.”
We've seen especially—it’s going to be challenging with—I do a lot of work with universities and research environment where they have grants and which means they have funding, which means they can buy their own equipment and they don't have to tell you about it, which can be very nice to have that funding come in, but it makes it a lot harder on the IT teams or the security teams to say, “Oh, they have devices. We need to make sure that it's being protected and make sure they've got the right—that they're protecting their data, that they're not sharing it in a way that is insecure.”
It's really important in those cases to make sure you have friends across the organization that you can go to and start creating that centralized list, or at least know where you have to figure out where everything is to make sure we're not missing anything.
Yeah, you don't want to plug that million-dollar R&D hardware into the public internet on a college campus. Every hacker student is like, “Oh, what's this? What can I make it do?”
Exactly. It's fun to test it out and see how far you can get until it goes wrong, or research is all about sharing information and seeing what we can do. Oftentimes this is done trying to be open and working with colleagues and maybe across universities. But then you realize, especially if it's any kind of healthcare data or PII that can become a problem really fast because you're sharing personal information across to another university for data or research purposes. It's a hairy problem.
Yeah. Even as we talk about it, my mind is like, “Oh, what about this? What about this? What about this?” That's got to be people's experience where they're trying to start up a program of like, “Oh my gosh. Every time I sit down, I find five new things that I've got to add to this list of things to watch out for.”
That's why one of the things I feel like is so important is to jokingly say, “Don't let perfect be the enemy of good.” We need to start somewhere. We need to just start writing things down, we need to start understanding what systems we have, what data we have. Where are those connections?
That's one of the things I do like about the framework because it provides that structure, and it doesn't necessarily tell you exactly how you need to do something or what you need to do, but it provides you outcomes to say you need to understand how your data is catalogued. If that means that it's catalogued in a spreadsheet or in a CMDB, it lets you figure out what that means for you, but it provides you that structure so that you start capturing it.
A lot of times, we'll work with companies or even ourselves is how we got started initially and just start writing things down and like, “This is what we're doing today.” Then we can go back and say, “Well, that is not sufficient. We need to make that better.” But you can at least see what you're doing and build over time rather than getting stuck somewhere and being too focused on asset management and never thinking about whether we need to detect if we actually see somebody walking through the door that is carrying out servers.
Yeah. The stories pop into my head about protecting physical assets, again, the same company that I had been working for a number of years ago. The landlord had sent an email to all the tenants saying, “Hey…”—there were two sorts of things that were happening.
There was someone coming in claiming to be like, “Hey, the landlord wants us to do a fire inspection.” “Oh, an inspector?” “OK, just let them wander around the office.”
This was ultimately a billing scam. What happened is that you'd sign the paperwork saying that they had done their inspection, but you're really signing paperwork saying, “Yes, I agree to be billed for this inspection that you never asked for to begin with.” Crazy stuff.
Then the other one was people just walking into the office and behaving like they belong there. It's the sort of thing that if you're a size of company where you don't know every employee, if someone is walking authoritatively down a hallway, you just ignore them because they're just part of the background. If they're looking around and kind of nervous, got the nervous twitch going, then you might let security know.
But some people were walking through offices, and when people weren't watching, they would just grab a purse and walk out a different door, or grab a laptop off a desk. It's like gosh, all these things that you have to think about that are just beyond what's connected to the network.
What about physical assets? How do I keep people from walking into my building? What do I do if someone walks into the building?
Right. So many penetration testers that I know have these stories about as long as you walk in with confidence, you can get wherever you need to go, which is scary. You want to believe the best in people, and I hate to say that we shouldn’t, but sometimes we need to have a critical eye if you see that unfamiliar face, but especially like you said, in a larger company where you don't know everybody, it makes it really challenging.
That's why so many times now we're seeing larger companies requiring badges and to have identification. That always reminds me of, if you're watching the show Burn Notice, it's been a few years since it was on, but he was great at that social engineering and replicating badges or walking in with a uniform and you can get wherever you need to go. Unfortunately, it's true.
It's all too evident. What are some of the kinds of assets, data, or people that people forget to protect or that people are just like that doesn't need to be protected?
That's a great point. I think data is the biggest one I'm seeing as a problem. I know it's a big category, but especially we're seeing more requirements coming out about certain data. We talked about PII a minute ago and protecting privacy information, or we've got HIPAA, or we've got CMMC certification for DoD that's coming out around protecting CUI.
So many companies are like, “My data's on SharePoint.” “But what type of data is it? Is it PII, PHI, CUI—all the acronyms that we have—and where is it on SharePoint? Is it stored on somebody's local desktop? Did they upload it to Dropbox?”
Being able to categorize the data types and know where it all is is a really big challenge that we're seeing, especially, “Did you email it to your personal Gmail because you were going to work from home tonight?” There are these things that we do to make our lives easier now that everything's connected that makes things easier for us, but also can make things easier for a malicious actor.
Now, if they get into your Gmail, they've got the company's sensitive information and that's something that's so hard to track down. As cybersecurity practitioners, you can talk to all of the team leads and understand who's running the programs, but if somebody emailed it outside of the company, that's a lot harder to track.
We're getting more DLP solutions and things like that that are helping, but that's one of the biggest challenges, especially doing a lot of work around CMMC and working with companies trying to say, “OK, what kind of data do you have? And where is it?”
Where we think it's going to be a 10-minute conversation, it turns into a week-long exercise on mapping what system is connected to what, and where is this actually being stored?
That has got to be exacerbated by more and more Cloud services, where it used to be that this was all managed in the office on physical hardware inside the office. Now this piece is in the Cloud. That's through an API. It's connected to this other piece in this other cloud and this other platform. At this vendor, we don't really know how they're managing their security.
Right. It's being backed up on this other server and this other region because we're seeing more requirements limiting where the information can be stored and making sure that it's especially for US-based companies being stored in the US and not overseas. That definitely takes some tracking down to figure out who's hosting their information. Where are we using these third parties? I'd say as far as assets, data is one of the really biggest challenges I'm seeing right now.
Monitoring is probably kind of the hardest category for people?
It can be. It's funny, sometimes knowing what you have seems harder, because everything is built on that. But monitoring is probably next: knowing what kind of traffic we expect to see if this happens. What's normal activity? What's abnormal? Then, what do we need? What's so abnormal that we need to drop everything? When do we call the CEO in the middle of the night, and when do we handle it in the morning and figure out what went wrong?
That monitoring is also a challenge, especially when we're auditing. We’ve got logs, just so much information to go through and so many teams have limited resources. How do you have the time to go through that to identify anything that's wrong?
I think that's part of why we're seeing more managed service providers helping with some of those capabilities to be able to provide help with that type of support. Because if you're not used to looking at it, you don't know what you're looking for and to see when something is abnormal.
Yeah, because I think of just your, kind of your generic entry badge-type of sort of thing that, “OK, I've got my entry badge. I'm keeping people from coming and going that aren't supposed to be there.” But like you said, if the person is using the badge halfway around the world at a different facility, “OK, now these two systems need to be connected.”
It's very mature.
You need to be looking for this sort of thing.
Right, and being able to, like you said, bringing all that information together is a difficult thing to be able to do, and it takes a lot of resources to get there. That's a kind of sophisticated capability, but even like you said, tracking the badges so that if we realize something is wrong, they'll go back and say, “Who is in the office at that time?” can be a good step in that direction to be able to at least be able to track it down.
I suspect one of the things I think about responding to issues is what do we talk to the public about and what we don't talk to the public about? I think I've seen more companies mess up how they talk about an incident than companies that have done it right.
There was a vendor of mine that, I forget what the incident was, but they were potentially impacted by some breach of one of their vendors. They were very clear as soon as they found out that their vendor had been breached. They sent out an email to other customers saying, “Hey, our vendor was breached. We're not aware of any breaches in our system as a result, but here's what we're doing to look for it. Here's what we're doing to mitigate. Here's when we're going to communicate next to you about it.” They've provided a pathway of, “Here's what we're going to be doing going forward in our communication with you,” as opposed to a lot of these big companies that are like, “Yes, an issue happened.” “OK?”
What do I do with that information?
What do I do with that? Was my data breached? Was it just someone walking in your front door? What does it mean? And then they just stay silent for nine months until they have to publicly disclose.
Right. No, I think you're right. That communication piece is so often overlooked in the incident response area because whenever we need to know, we need to react, we need to stop the bleeding, like we said, but we also need to tell somebody, “Hey, I'm bleeding.” If we can help potentially, or if you're going to be having to deliver differently to your customers.
I think you're right that being more proactive—we’ve seen more success with companies whenever they're trying to hide information and be too limiting is when we're seeing more and more companies that are kind of being raked over the coals of this is not how we need to operate now. We need to be more aware of what's going on.
There is a line on how much detail you want to provide, but being able to share that something happened, and this is how we're handling it, like you said, and this is when you can expect to hear from us again. I think having that plan is one of those critical things that’s, a lot of times, overlooked in the incident response area.
Yeah, if you haven't plugged the hole, you don't want to publicly talk about what the hole is.
Right. It's finding that balance, but that's where you can have those conversations ahead of time. You get legal involved. Get your senior leaders involved and say, “What are these thresholds? When do we need to talk to our customers? When do we need to tell the public? What level of criticality? How many records breached, or how long of an outage?” And you can set these thresholds so that in the moment, you're not making these decisions and saying, “Well, I really don't want to tell anybody about it.”
You can say this was the plan. “This is what we're going to do, and we've already consulted legal about it, and they're going to back us up on this.” Having that plan so that you're not making the decision on the fly can often lead to better decisions.
Yeah, I've definitely heard that with if you're going to need to hire a PR company to address an incident, you better have hired the PR company or at least interviewed PR companies well before the incident happens, as opposed to I'm the CEO and I'm calling up all my buddy CEOs saying, “Hey, I know you had a major incident last year. Who was your PR company? What's the law firm that you use to address this issue?” You want to know those things before the incident happens, not trying to figure it out after an incident.
Right. You’ve got better things to be doing with your time at that point.
Are there things on the recovery side that people forget often?
Yeah, I think one of the big things that jumps out is sometimes recovery doesn't mean 100%. We think of getting back to normal, getting back up and running, but sometimes it can be OK to operate and get back up and running to where we're operating at maybe 75% and being able to prioritize those systems that matter most.
We had a client I worked with once that they said, “Don't worry about the backend server and being able to process transactions. Make sure the website is up so that people think we can process transactions, and they'll think there's something wrong with their internet. We can get to that. We can solve the problem, but that way we won't have everybody calling the helpline. It'll slow us down even more.”
It's having those priorities on what to get up first and knowing that maybe we can get up to 75% in the first week. Then over the next year, maybe if in a really bad case, it might take us to get back to a 100%, but having those thresholds of priorities doesn't necessarily mean we can get back to a hundred tomorrow, but what do we need to do to continue to operate? Then we can work back up to where we were.
Yeah, like you said, maybe that wasn't a great prioritization on that particular example, but really trying to figure out, “What do we need to do to get our business functional again after an incident?”
It's interesting because you do hear lots of stories of when someone, like an Amazon, has a major system outage that it's not simply, “We'll just reboot that one server and everything will be fine,” because once that goes down, it causes these other things to go down and things have to be brought back to life in an orderly fashion.
Although the outage may happen instantaneously, it may take hours or days to very slowly bring things back online in an orderly fashion where it doesn't result in everything going offline again in two minutes.
Right.
I guess the governing one element being brought in is because things weren't being handled appropriately.
Right. This was funny. It was in the framework before as a category, but a lot of people kind of overlooked it or thought, “We know what we're doing. We've got an idea.” But then we're seeing that there was a lot of feedback being sent back to this thing. I think we need to build this out a little bit more, and what does that really mean?
I feel like amongst other practitioners, everybody's just like, “I understand governance, but, like, can you tell me what governance means again? What do you really want me to do here?” And it's something we all kind of have this general understanding of what do you really want from me that is kind of hard to translate sometimes.
That was one of the things NIST was hoping to do by spelling it out a little bit more and saying, “This is where we need to really look at what we are trying to do as a business and then translate it out to cybersecurity. Are we worried about availability? Are we worried about confidentiality, integrity?” The answer is yes, of course. All. But again, where is that priority? What do we want to focus on first?
Then translating it to thinking about the risks: What's going to affect our availability? Who’s going to be responsible for keeping that system up and running? Do we need to call them in the middle of the night if it goes down? Then being able to have policies in place or some kind of guidance documentation that says, “Hey, remember when we all agreed to this? Let's remember that next Tuesday. That doesn't stay in this meeting, but we need to remember that next week, next month, next year.”
Then having oversight and then saying, “Is this working? We all said this was a good idea a year ago, but is it actually working? Are we doing more harm than good? Do we need to build something on? Do we need more guidance?”
Is it really in that effect or with the goal of helping define what does governance really mean? Then they also built in the concept of supply chain risk management into the govern function, which was previously in the identify function, but they built it out a lot more.
Just back to the point we were making earlier about nobody works in a vacuum. Even if you've got suppliers, and they’re your suppliers, and we've got all of these dependencies on each other, how do we really manage that in a way that we can be resilient and still operate? That was where I think the govern function has been a really good way to kind of step back and force us to think through some of these challenges again before we have an incident and we're saying, “Crap. What do I do now?” It helps make sure we've got that plan.
Yeah, someone who's at the helm of the ship saying, “What if this piece breaks? What do we do? What if it's down permanently or that company goes out of business and they've been a critical part of our infrastructure? How do we manage that?” Or if they have cybersecurity incidents, that would never happen.
Right. Where are our backups? Where are they stored? How do we get them back up and running?
Interesting because that really does seem to be—I’m trying to do recall of major security incidents. A lot of them have been—not that the main entity was breached, but a partner of theirs had an issue and either access was gained through that partner or the data was obtained through that partner, or that partner's failure caused something to cascade.
No, that's a great point. That's where you get back to that supply chain category of really having a way to vet your suppliers, your third parties, making sure that you're not giving them credentials to access everything back to the concept of least privileges and limiting access, and all of that can go a long way. I think your point about all these attacks coming from third parties or through third parties, not necessarily your third parties attacking you.
Hopefully not.
Yeah, hopefully not. But having that plan and making sure that we're limiting the attack surface.
Got you. As we kind of work in for a landing here, where could people find the NIST Cybersecurity Framework?
NIST's website has all the information on the framework. If you search for the NIST Cybersecurity Framework, they've got a whole page of information with the document itself, as well as a bunch of resources. That was one of the big changes that they had this year. Whenever they did the update, they released quick-start guides, implementation examples, mappings to other standards and frameworks. They've got profile examples. They've always had a lot of resources, but they really upped their game and have a lot of new types of resources as well this year.
Then you guys also have some additional resources as well, right?
Yeah, if you check out the Optic Cyber Solutions website, opticcyber.com, or you can find us on LinkedIn, we've got resources for getting started with the framework. We have a YouTube channel. It's Optic Cyber, where we've got little, short videos on an overview of the framework, if you want to get more details on what it is and how to use it. And we have a tool that we put out that's freely available called our MaPT tool—maturity and progress tracker—where you can start capturing what you're doing today, measure your maturity levels and your progress towards your goals.
It's a great way to just help get started. As we're saying, we don't want perfect to be the enemy of good, just start writing something down and then you can help to get a plan as you go.
Where can they find that tool on your website?
Yeah, so it'd be on our resources page. That'll be linked right there under the cybersecurity framework section.
Awesome, and we will also make sure to link to it in the show notes, that way people can find it directly. If people want to reach out to you and they are kind of, “I need some help. I don't know what to do.” Can they reach out to you?
Of course, yeah. Please feel free to reach out to me on LinkedIn. My name is Kelly Hood. You can find me there. I'm often posting about the cybersecurity framework and unrelated topics. Please feel free to connect with me or you can find Optic Cyber Solutions as well.
Awesome. Kelly, thank you so much for coming on the podcast today.
Great. Thank you so much.