August 4, 2021


Today’s special episode was inspired by a conversation I had with a then potential, now current client of ours at Pivot Point Security. 

In discussing our Virtual CISO offering, I described our tried-and-true process for helping a client become provably secure and compliant. He loved it and wanted us to train him and his team on it. I’ve since had a similar conversation with a couple of boards.

What I’ve realized through these conversations is that this process delivers a lot of value. So in this episode, I’m going to share it with you.

Topics covered:

  • Defining a clear vision
  • Transforming a vision into an actionable plan
  • Validating your compliance

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.

narrator (intro/outro) (00:00):

You’re listening to the Virtual CISO Podcast, a frank discussion, providing the best information, security advice, and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there. And welcome to yet another episode of the Virtual CISO Podcast. With you today, as always John Verry and not with me today, not as always, is Jeremy or Andrea or even a guest. Today’s podcast is a bit different in a couple of ways. First it’s just me, sorry about that. The second thing is there’s a little bit of visual component to it, don’t sweat it if you’re currently listening somewhere that is not looking at a screen, you can always grab this content off our website later on, or shoot an email to us at Pivot Point, we are happy to send it to you. Second thing is it’s relatively simple from a graphics perspective. And I think as I talk through it, I can fill you in. The genesis of this particular podcast is a conversation that I had with a, at that time potential, now client, who was talking to us about our Virtual CISO offering. And I was using a graphic that I use to explain what we call our proven process for helping a client become provably secure and compliant.

John Verry (01:28):

And what’s cool about the process is it can be used for a project as simple as assessing the security of a single IoT device, all the way up through building a global cybersecurity program. As I was presenting it, the gentleman suddenly said, “This is it, this is what I’ve been looking for.” And I paused and he smiled and said, “No, not your Virtual CISO offering, but this model, this idea is something that I’ve been looking for to train myself and my CXO suite, to manage and govern our information security program.” It was a rapidly growing software as a service firm, they process a lot of sensitive information. They have a lot of clients that are asking them to prove they’re secure and compliant. They have a very strong technical team and that technical team included some very talented information security folks.

John Verry (02:24):

So they felt they were in a good spot, but they really weren’t sure if they were. So they thought the process would be very helpful. And they said, “Hey, we’d like to hire you as a virtual CISO,” not myself, but someone on our team. And they said, “We would love for you to actually train our CXO suite in how they can effectively govern that.” Since that point I’ve had the same conversation with a couple of boards, so I thought it’d be fun and interesting to share because I think there’s a lot of value here. So let’s talk about that at a very high level and then I’ll drill in a little bit. So I mean there’s three things that we need to achieve a provably secure and compliant state. Now, the first thing that we need is a clear vision, where are we right now? What is it that we’re trying to accomplish? How do we transition from where we are to where we need to be? How does information security become a business enabler? How does it meet us where we need to be in three years?

John Verry (03:23):

Once we’ve got that vision, we need to transform that vision into an actionable plan that we can execute and we need to execute it repeatedly and consistently. Last, we need to validate that compliance, that we are actually executing and that it is indeed producing the intended result. So if we keep it at that 10,000 foot level, you might only need three questions when you chat with your team. If you sit down with your CISO, IT director, whoever’s responsible for your information security, and you said, “Hey, do we have an information security privacy strategy, one that’s aligned with open trusted frameworks and our business objectives, that’s going to allow information security to become a business enabler?” If you asked that question and you get a blank look, or if you don’t need to ask that question, because you already know the answer, then we’re probably going to want to drill down a little bit.

John Verry (04:21):

Second question you can ask on the execute domain is, do we have a set of, let’s say formally documented repeatable processes? So very often people say, “Yep, oh, we got a policy document,” a policy document, or a set of procedures is not enough. The next part of the question, that’s the critical part of the question is, have these policies and procedures or policies and process been operationalized? Have we made them part of a corporate culture? Do we have a mechanism to be able to determine whether or not these things are executing repeatedly and appropriately? And do we have the trusted ecosystem? I’ll use that phrase, so when I think of a trusted ecosystem, I think of the people and the tools that are necessary to operate them effectively and efficiently. That ecosystem will be some combination of your own folks and some combination of third parties. Third question, to ensure that we’ve got the validation component, correct, the validation domain correct.

John Verry (05:21):

Do we have the evidence that we need? And you should know this by the way, I’m going to call that trusted information that allows us to verify that our information security program is operating as intended. We’re complying with what we said we were going to do. It’s producing the outcome that’s intended, we’re getting to the secure and compliance state that we want to, and it’s generating what I’m going to refer to as the respected proof that we’re going to need to demonstrate that to key stakeholders. Because in today’s world, it’s really not enough to just be secure and compliant, if you can’t validate or prove that to somebody it’s not going to achieve all of your business objectives. So if you were to ask those three questions and those three questions alone, and you got answers that made you feel comfortable, you’re probably in pretty good shape. I would say in most organizations that I’ve been in, I’d say in very few organizations, do I think that you would ask those three questions and leave that room sleeping well at night.

John Verry (06:23):

So let’s circle back to the proven process for a second. So for those of you that are listening, I’m looking at a graphic and think about a Venn diagram, three circles, vision, execution, and validation. And then on the outside of vision are the three key outcomes that you’re looking for within that vision domain and the same thing, there’s three outcomes that we require around execution and three outcomes that we require around validation. So talking about vision at a little bit deeper level, so in order to get to, so the goal, the most critical outcome out of the vision domain is to build a resilient information security strategy that is aligned with trusted frameworks. When I say trusted frameworks, what I’m talking about are those industry or frameworks that are non-proprietary, that are going to position you to be resilient. Good frameworks, things like ISO 27000 series guidance, NIST National Institute of Standards Guidance, the Open Web Application Security Project, Cloud Controls Matrix, CSA STARs programs, things of that nature, these are open trustable frameworks, these are things which have been proven over time and they are well-respected and widely used.

John Verry (07:50):

Aligning yourselves with those standards when we get to that strategy phase, and that’s going to ensure that you’re going to be able to find the trust, that ecosystem you need, that the products that you buy are going to interoperate, that you’re going to be able to find the right quantity and quality of people out in the marketplace to staff your organization, to make sure that these things work. And also when we get to that trusted information phase under the validate, what it also allows us to do is know that if we align with open trusted frameworks, that respected proof that we need, call it a SOC 2 Type 2 attestation, call it an ISO 27001 certificate, call it a CMMC Authorization, call it a FedRAMP Authorization to operate. If we align with those trusted frameworks, we’re going to be in that position to achieve that. So in order to get to that resilience strategy, what do we need? Most importantly, we need to understand where we are, we call that clear picture. So clear picture is about what information are we protecting? What are we protecting against?

John Verry (08:48):

What are the laws and regulations that govern the operation of that data? Where are the critical locations that data is being stored? Who are the people that have access to that data? Those are the types of things, understanding all of that information, understanding the technical underpinnings, understanding your business objective. So where’s the organization going? What are our three-year plans? What services are we providing right now? What pre services are we going to provide in three years? Because as your context for your organization changes, if you’re changing the services you’re offering, or you’re changing the client base that you’re pursuing, the expectations and requirements of those clients are going to shift. So what we want to do is make sure that we’re feeding that information into information security. So that way, as they build out their information security vision, it’s going to align with your business vision, so that way, when you get to where you want to be from a business perspective, the information security program is already there for you and enabling you to do what you’re trying to accomplish.

John Verry (09:49):

So that clear picture, the way that we transform the clear picture into a resilience strategy is some form of expertise and guidance. Think of that as being subject matter expertise in both the domains that we’re talking about, information security, business continuity, incident response planning, application security, all that kind of fun stuff, as well as perhaps industry expertise. SaaS especially, a SaaS that might be working in the DevOps CI/CD space, making sure that somebody understands that it’s going to be critical. Other verticals are the same way, maybe if you’re in the legal vertical, the way they do things are a little bit different, healthcare tends to be a little bit different. So ensuring that you get the right combination of both domain expertise and vertical expertise. And by the way, there can also be value to having some outside the vertical expertise, you don’t want to become myopic, propagating new ideas into your domain can also be pretty helpful.

John Verry (10:46):

So as we’ve drilled into vision, so if, when we ask those three pictures, we didn’t get what we were looking for, you can drill down and start asking pictures on, excuse me, asking questions on each of those areas. So the easiest thing to ask is, do we have a clear picture of where we are? And as the person is talking about this, or as we’re looking at how they’ve documented it, we’re looking for the things that I was speaking about. Does it reflect your business objectives? Is it clear what types of information we’re protecting? Is it clear that we understand what the legal requirements are today and where they’re going? Is it clear that we understand the contractual obligations and expectations for our clients? Is it clear that we understand key threats and risks to the information that we’re trying to process? If the answers to all of those things are where we need to be, great.

John Verry (11:42):

And there’s a phrase I use quite often when I’m chatting with clients is, this is such a critical part of the process because you don’t want to get to the top of the ladder after a long, hard climb and realize that it’s up against the wrong wall. So the second thing we talked about was the expert guidance. And again, that’s pretty simple. Asking the simple question, do we have the right domain and vertical experience and expertise on our team? And that could be, that team phrase, can be your internal folks, or that could be your extended team, working with an outside firm, somebody like Pivot Point or somebody else, might be integral to having that expertise. And then from a strategy perspective, do we know where we’re going? Do we have an information security strategy? And when you’re looking at that as a business person, the single most important thing is looking to ensure that it enables the business to meet its near and longer term goals and objectives. Do you look to ensure that it’s based on open, trusted frameworks?

John Verry (12:48):

There’s no reason to reinvent wheels. I mean, hundreds of thousands of organizations have used frameworks like ISO 27001. Having someone develop their own information security framework from scratch doesn’t make a lot of sense. And if they’re not using these open trusted frameworks, when we get to the end of the process, they’re not going to produce the attestations that are going to be accepted by your clients or by the regulators that you’re going to be wanting to prove your security compliance to. The other value and one of the things you want to make sure of is that a great information security strategy really acts as the guidance, the sounding board, if you will, for all major decisions. It sets that direction so that we can make sure that we’re aligning all of our actions to that, everything’s going in the same direction.

John Verry (13:38):

And that strategy should reflect the information that you are going to need as an organization, as management, what was the timeline? What is the cost and what are our resources and requirements to achieve that? And I love the Mike Tyson, everyone has a plan until they get punched in the mouth. I love this Einstein quote because a lot of people will pooh-pooh the concept of an information security strategy, but his quote, if I had one hour to save the world, I would spend 55 minutes defining the problem and only five minutes finding the solution. Understand what we’re trying to accomplish before we set out on it, got to go back to our demographic. So, let’s talk about execution. So if we’ve got a great vision, what we’re trying to accomplish is we want to transform that vision into something which is executable.

John Verry (14:32):

So very often that starts with what I’m going to call an actionable plan. That actionable plan is often driven after you come out of that vision phase, very often we’ve got this strategy and we also have what I’ll call a short term tactical plan that’s aligned with that strategy. So as we are working through getting that clear picture, very often, we’re looking at the risks in your organization, and you’re looking at the maturity of the controls that you have in place. So very often that actionable plan and things you should be looking for is activities that are based on known, I don’t want to use the term deficiencies it’s a little bit strong, but known areas needing improvement within your organization. So that actionable plan should reflect that. That action plan is also going to be any documentation that’s going to be necessary of your policies, standards, procedures, and things of that nature, which define the repeatable processes, which essentially form the basis of what information security is. If you were going to simplify information security, really, what would it be? It’s really nothing more than a set of well-defined processes, repeated consistently.

John Verry (15:46):

And then of course, what we need to do is we need to have that trusted ecosystem that we need to be able to effectively and efficiently execute that. So these processes very often, if you’re going to be conducting some type of a review of logs, you’re not going to be able to be very effective and efficient from a time perspective and from a quality of the result, if you are doing that all manually. So it’s not unlikely you’re going to need some products to be able to do that, some tools, if you will. And you’re certainly going to need people. Those people ideally will be internal resources that you’re already paying, they might be third parties that you would contract with. When we talk about those people, one of the things you want to make sure of, of course, is are those people the proper people, what makes people proper? We’ve got the right number of them, right quantity of them and we also have the right quality.

John Verry (16:40):

Hopefully they are appropriately knowledgeable or appropriately trained to be able to do what they’re doing, especially if you’re making an investment in tools, make sure they’re making an investment in the training to be able to run those tools effectively. So now that we understand that execute, let’s talk about some of the questions you might ask right around that. I think the easiest question to ask on that first idea of an actionable plan is, do we have an information security plan? Usually it’s an annual plan, if they do, great. The next thing to look at is does the plan align with, or does it fall logically from the information security strategy? You should look to make sure that, does it address key risks that we know are in place? Does it address key gaps in the implementation of controls that we have? Basic fundamental, is it SMART? The old, specific, measurable, actionable, related, and time-constrained, I think is what SMART stands for.

John Verry (17:39):

But realistically, you’re just looking to say, okay, it’s one thing to have a plan, but does it make sense, is it laid out well? Do we know the resources that we’re going to need to execute it? Does it have a timeline associated with it? A plan isn’t a plan if it’s sitting on one guy’s hard drive, so we monitor to make sure that all of the relevant parties that are going to be impacted by that plan are going to be knowledgeable of it. And of course, you’re going to want to make sure that the plan is being tracked, it’s being governed, we have a way of knowing it’s happening. So that’s really the easiest way to do that. When we talk about the repeatable processes, that simple question is our information security program documented and/or is our information security program operationalized? They might hand you a bunch of documents, you’re going to just, you want to know, look, do we have the key policies, standards or procedures that are critical to our organization? Things like incident response, business continuity, software development life cycle.

John Verry (18:38):

If you’ve done a good job, or they’ve done a good job, and they’ve aligned with an open trusted framework, you can ask to look at the open trusted framework. So if somebody says, yes, we’ve aligned all of our policies for ISO 27001 or NIST 853, you grab a copy of that, there’s 14 domains, there’s 114 controls within, let’s say the ISO gripping that we’re talking about. A quick scan of that and saying, “Hey, what are we doing with legal and compliance? What are we doing with vendor risk management, what are we doing, so they actually called supplier relationship management. What are we doing on incident response?” Simple way to know, hey, is this actually complete? That’s another value of that trusted framework that I hadn’t thought of prior to this presentation. And last, let’s talk about that people and product outcome that we need, simple question, do you have all of the resources that you need to execute this plan effectively? And again, do we have the right tools? Do we have the right quantity and quality of people? Do we have the right training or the right training planned?

John Verry (19:43):

And last, and a really cool question is, do we understand our shared responsibility with key InfoSec and non-InfoSec providers? So increasingly we are a cloud-based world. And as we move to the cloud, increasingly some of our tools and some of the key systems and applications that we use are cloud-based. If the cloud is done well, it’s great, it’s nice and secure, but it is a shared responsibility matrix and making sure that your team understands the shared responsibilities, so if you move stuff to Salesforce, great, that data is now secure if you do your part. Salesforce publishes very extensive documentation of your responsibilities and how you need to configure things. I’ve been involved in legal cases where on review 42 people in a relatively small organization, like let’s say a 700 person organization, had full admin access into the worldwide Salesforce database. And it was a theft of intellectual property, theft of all of that material that resulted from way too widely allowed access, which didn’t make any sense. So Salesforce did their job, the company didn’t do their job, same idea here. So that’s going through that execution.

John Verry (21:06):

So last domain that we talked about, last role thing we talked about was the validation area. So in order for you to validate, and know that things are working the way that we want them to, again, there are three outcomes that you need. One is what I’m going to call active measurement or think about it as measurement monitoring or KPIs or KRIs, you can think of it a lot of different ways. But that is about, we’ve set these repeatable processes up, how do we know that they’re actually occurring? How do we metric them? How do we measure that? How do we measure their effectiveness? A good hallmark of any information security program and another key to validating the effectiveness of the execution is what we refer to as objective assessments. Independent objective third parties, conducting some type of review to validate that, you’ve probably heard the term gap assessment, internal audit, external audit, audit, penetration tests, application security assessment. Those are all forms of objective assessments.

John Verry (22:10):

And in both cases, what we’re trying to get to a point is that we’ve got trusted information that we can rely on to validate that we are achieving that state of provably secure and compliant as management. When we have trusted information, ideally we share a single pane of glass, and you should seek that. You should get to a point where there’s somewhere dashboard or somewhere, some type of report that we’re all looking at on a regular basis to know here’s where we are. And the same view that I’m looking at as an external person and the view you’re looking at and the view that your technical teams that are responsible for implementing the controls, single source of truth. When we get to that point, you’re at a point where you can achieve high levels of respected proof. You’ll be in a position where if you need to, or want to, you can be ISO 27001 certified, or CMMC certified, or SOC 2 attested or FedRAMP ATO or StateRAMP ATO or you name it. [inaudible 00:23:13] level two tested.

John Verry (23:16):

So that’s what we’re trying to accomplish there. So how do we, now we’re chatting with our team, we’re governing this process, what are the questions that we want to ask? So simple question. How do we measure the compliance with our security program and how do we validate that it’s effective? If you get a blank look, do we have a security metrics program? And most importantly how do we monitor our security posture? These days when you look at the mean time to detect a breach within an organization, being less than something nutty like 170 days, so another great question is, can we detect and respond to a security incident before it would create a business impact of significance to us? The old analogy you can’t improve what you don’t measure, I think that holds true here. Talking about that objective assessment outcome, simple question to ask, has our security program and/or our security posture been independently reviewed or independently assessed if you will?

John Verry (24:26):

If the answer is yes, what was the scope of that assessment? What you’re looking for is did it cover the right location, systems, application, people? You also want to ensure that the folks that did the testing or assessment were appropriately qualified. So you’re going to want to make sure that they had the qualifications and experience necessary to do this testing. And of course, you’re going to wonder what the results were. Folks are going to get mad at me that I usually work with on technical side, but they’re going to try to give you an executive summary report and you’re going to want the executive summary report, but you might also want to look at the detailed report and just make sure that it reflects what the summary report says as well. And then last question that I would ask is, okay, based on this assessment and these results, explain to me what are the short term tactical changes that were made and what are the longer-term strategic changes that were made?

John Verry (25:22):

Again, if you want to connect dots, did the outcome from the assessment, do you see those concepts or ideas or improvements reflected in the information security strategy? And to be honest with you, one of the last things to look for is making sure that you want to work with an independent objective firm that has a transparent mindset and is willing to tell you that your baby’s ugly. So I think that’s critical. And then the last is this idea of provable security and compliance. You’re not provable unless you’ve got some form of respected proof. So a simple question to ask is, how do we prove to key stakeholders that we’re secure and compliant? When you look at that, if they say, oh, here’s how we do it. What you’re looking for is does that attestation, is it based on a trusted framework that’s going to resonate with the people who receive it? If you think about something like ISO 27001, and that’s effectively the good housekeeping seal of approval.

John Verry (26:23):

If you hand that to virtually any organization that might be asking you for evidence, it’s going to be gladly accepted. You’re going to want to know if you’re looking at, let’s say some types of reports, you’re going to want to know whether or not, or some types of attestation, that the issuer was a respected entity. If you’re using a trusted framework, one of the other values of a trusted framework is going to be that the accreditation bodies that govern those frameworks, they will enforce, and they have mechanisms in place to ensure that the people that are delivering those attestations are appropriately qualified and do business in the right way. So that covers that usually. If you’ve got something which is not quite a trusted framework, you’re going to want to look to see who actually delivered that report. And then also very important is ensuring that the attestation achieves the stakeholders’ criteria.

John Verry (27:17):

So in other words, does this accomplish what I want it to accomplish? So if I’ve got a critical client that is asking to have validation that I’ve got a privacy program that conforms with GDPR and APAC and CCPA, and I’m handing him an ISO 27001 certificate, that helps but it’s not all the way there. That client would be looking for more on ISO 27701 on top of the ISO 27001 as an example. So that would be another question there. So I think Ronald Reagan, the old trust but verify, holds true here. Look, my experience has been with the folks that you have in information security and information technology, the vast majority of them are great people. They work extremely hard, they’re dedicated to their craft. None of us are perfect, we all have holes in our knowledge. So I think, you doing your role well in governing the cybersecurity program is win-win, it’s mutually beneficial. It’s certainly beneficial to you as the key stakeholders of the organization. And it’s certainly beneficial to your folks because it helps them validate that they’re doing a great job as well.

John Verry (28:33):

And last idea, the only constant is change. So the key thing here is that once we get done with this, once we know that we’ve got a good vision, and once we know that we’re successfully executing on that vision, and once we have mechanisms to validate that we’re achieving the intended result, and we end up with our respected proof, we ain’t done. It’s a hamster wheel because threats change, our organizations change, the people that work for us change, the technologies that we employ change, the languages we develop our applications in change, our clients’ expectations change, laws and regulations change. So we’ve got CCPA BC, Colorado has got a new privacy law, StateRAMP, it just, every day something changes that is going to influence your information security and privacy program.

John Verry (29:29):

So when you get to the end and you get to that respected proof, we’re back onto the wheel because very often through that trusted information, we’re going to realize that there are ways to continuously improve our program. Which our picture has changed a little bit and we opened a new office, we closed an office, these regulations changed and we really need to update our strategy and we’re back cycling through the program. I hope this was helpful. If there’s anything I can do to further assist you in doing a great job of governing cybersecurity in your role as a senior manager or in your role on a board, please reach out. Thanks.

narrator (intro/outro) (30:09):

You’ve been listening to the Virtual CISO Podcast, as you’ve probably figured out we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.