Chess legend Bobby Fischer once said that winning tactics flow from a superior position.
Bobby Fischer would have made a great CISO.
That’s because information security strategy is all about steering your business to a winning position that makes tactics easy.
And it’s why your infosec and business strategies are entirely dependent on one another.
My guest today, Chris Dorr, Virtual Chief Information Security Officer (vCISO) at Pivot Point Security, is an expert at marrying security and business strategy. He joins the show to share his expertise and help you become one, too.
In this episode, we discuss:
- Why business strategy and infosec strategy are inextricable
- How frameworks can be used to shape effective infosec strategy
- The 3 reasons why infosec strategy is more important than ever
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.
You are listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to be informed and proactive, welcome to the show.
John Verry (00:25):
Hey there, and welcome to another episode of The Virtual CISO Podcast. With you as always, your host, John Verry. And with me today is Chris Dorr. Good day, sir.
Chris Dorr (00:38):
Hey John, how are you this morning?
John Verry (00:40):
I am well with the exception of the fact that we just spent a long time on the phone and I forgot to hit record, but I’m an idiot. What can I tell you? All right. But you should be really good at this now, so let’s start simple. Tell us a little bit about who you are and what is it that you do every day.
Chris Dorr (00:58):
Sure. My name is Chris Dorr and I am the Practice Lead for Pivot Point’s virtual CISO and virtual security team programs. I have worked in IT for about 25 years, spent seven years as head of IT at a bank. I teach information security at Thomas More University in Northern Kentucky. My full-time job here at Pivot Point is to manage a team of security professionals that function as the outsourced security team and outsourced CISO for companies ranging from small four-person startups through multi-thousand person companies all over the country.
John Verry (01:37):
Thank you. Before we get down to business, I have the tradition of saying, what’s your drink of choice?
Chris Dorr (01:43):
I have actually become a bourbon guy a little bit late in life. I didn’t used to be, I used to be a beer guy, but I live in Cincinnati which is pretty close to the Bourbon Trail. And I picked up a nice new Victor’s Bourbon that I’ve never had before and I’ll see what I think tonight.
John Verry (02:01):
As a bourbon aficionado who doesn’t live anywhere near the Bourbon Trail, it’s amazing to me it took you this long to arrive where you did, but welcome to the show.
Chris Dorr (02:09):
Thank you. Really good.
John Verry (02:12):
Anyone that is listening to this from the title of the podcast you certainly have an understanding that in my opinion, having an information security strategy for some organizations is arguably as important as having a business strategy. I think the challenge is that when I do have this conversation, I think there’s an abstract nature to the concept of an information security strategy. If I asked you, Chris, how would you define an information security strategy?
Chris Dorr (02:41):
Well, I think we have to start with differentiating between tactics and security, information security. And for me the best analogy comes from chess. If you’re a chess player, tactics are the short-term things that we do, things that have to be done right now, but I have to take his piece, he takes my piece, I end up a pawn ahead. I can calculate that I can do it, it’s something that’s done very much in the present. In InfoSec, the equivalent might be deploying endpoint anti-malware. It needs to be done today, there’s a limited set of options and we’re going to go ahead and push that out.
Chris Dorr (03:20):
More nebulous and more complicated I think is the strategic side of things. And in chess, strategy is a longer-term set of guiding principles, it’s what is the game going to look like, and it’s the same thing with information security. It’s what is our information security program going to look like over the next two years, three years, five years? What are the guiding principles that are going to drive us to making particular decisions?
John Verry (03:48):
Gotcha. So every action taken or not taken and every decision in an idealized way would be aligned with this strategy that you’re referring to?
Chris Dorr (04:02):
Right. For example, if our company’s information security strategy is going to drive us towards using a hybrid cloud model, every decision I make is going to be with the notion that it has to fit in with a hybrid cloud model, whether it’s antivirus, whether it’s the endpoints we use, whether it’s certifications we have. There’s still those tactical decisions to be made but they’re all going to be based on this higher level framework that is going to guide us to where we need to be in five years.
John Verry (04:33):
Gotcha. Yep, I agree completely. Another example would be if we’ve agreed that a particular framework is important to the way we’re going to do things, whether that’s ISO or NIST or Zero Trust. Every product decision, every hiring decision is going to be made in a way knowing that we need that product or those people to be able to logically leverage and interact with those frameworks.
Chris Dorr (04:58):
Right. And that’s a really important point. I think that’s a great point. These frameworks, they function as the bridge between the strategic and tactical. The frameworks connect the two, and not just in terms of very detailed things like controls to quote you, John, like you said before in hiring decisions, that it provides us a way of establishing a common vocabulary. It lets us establish a common ground that everybody starts off on. And it really reduces a lot of the friction from building something from scratch.
John Verry (05:33):
Right. Yeah, I think the other thing that’s great about frameworks is that frameworks convert the ambiguous to the tangible. I think when you’re working with an executive and you’re saying, “We need an information security management system,” that is a vague, nebulous term. If I can boil that down to, I need an InfoSec management committee, they need to meet each month, they need to review an agenda that looks like this. If I can break that down into something which is more tangible, I think that framework provides a lot of benefit. I think the other thing it does is that, in a weird way, a framework can work to address this: we have a problem with not having enough qualified, knowledgeable people in our industry and frameworks can educate people. Because I can hire an information security guy and maybe he’s not 20-year seasoned, which I would like, he’s five-year seasoned. But if I give him a framework, the chance that he’s going to miss something or make a significant mistake goes down inexorably, correct?
Chris Dorr (06:33):
Yep. It becomes leveraging a checklist in a way, and it actually does a lot more than that. I’m a huge fan of frameworks. It’s not just the person who’s going to miss something, it is really easy for organizations to miss things. If you are doing the daily work with information security you’re heads down, focused on what you have to do today. I have to get this user access list checked. I have to get this update pushed out to the firewalls. If you’re that focused on the details it’s really easy to miss something critical. Frameworks don’t miss anything critical. ISO has got a lot of information. I know I am not going to miss one of these critical controls because there’s 114 of these critical controls that are expressly defined. That’s the way that it connects those tactical things to that strategy.
John Verry (07:22):
Yeah. I mean, I think the other thing that I like about frameworks is that they make it much more likely that your products will interoperate seamlessly. As an example, if all of your vulnerability assessment tools are talking CVSS, then we know that it doesn’t really matter which scanner I run or which team does it or whether it’s an external party. It makes sure that that data is interoperable. The other thing too that it does is that I think it expands the pool of qualified resources as well. If you’re using the John Verry security standard, your pool of resources is John Verry. If you’re using NIST 800-53 as guidance, your pool of people is NIST 800-53 knowledgeable people, numbering in the hundreds of thousands.
Chris Dorr (08:13):
Mm-hmm (affirmative). Yeah. And it saves a lot of time dealing with others. If I am dealing with another company that is ISO 27001 certified, the fact that I can see their certificate communicates a great deal of information. I don’t need a six-hour call to discuss which controls that they’ve got in place, because I know what controls they’ve got in place. They’ve got that certificate, a test done by a third-party saying, “We implemented these 114 controls.”
John Verry (08:38):
Yep. What you’re saying is that if we start with good trusted frameworks, not only are they going to… We use a three-step process, if you will, right?
Chris Dorr (08:48):
John Verry (08:48):
Vision, a clear picture of where we are, where we need to get to. We convert that vision into an actionable plan and then ensure that we operationalize that, and we call that execution. And then we ensure that the execution is taking place through what we call validation. And at the end of validation the most important thing is, after you’ve got that trusted information, that you’ve got a respected form of proof, because very often you need to demonstrate to a stakeholder, most frequently your customer, perhaps a regulator, perhaps a board member, or the CXO suite. You need demonstrable proof, respected proof. Starting with a trusted framework does what? It creates trusted proof. If you give someone an ISO 27001 certificate, a CMMC Level 3 certification, a SOC 2 attestation, an OWASP ASVS Level 2 pen test, you’ve given someone respected proof, so that’s another great advantage to starting with a trusted framework.
Chris Dorr (09:40):
Yep, absolutely. And implicit in that is the fact that you have to demonstrate this, which means you have to have some metrics and you have to have some objectives that you’re working against. That’s a really, really critical aspect of your information security strategy, that you have to have things that you are working towards, you have to have steps that you can show now, because I can’t get to the five years if I can’t get to the three years, I can’t get to the three years if I can’t get to the longer.
John Verry (10:06):
Cool. We kind of jumped into the middle of it a little bit, which is cool. And what we said is that one of the integral components of an information security strategy is having a strategy around frameworks. Let’s take a step back. I’m listening to this, I’m going, “God, these guys are brilliant. I agree with them completely. I need an information security strategy.” Where would you start? How should someone start moving towards an information security strategy?
Chris Dorr (10:35):
Well, the important thing in the information security strategy is that it’s like your business strategy. You have to begin there before you begin looking at risks, before you begin looking at frameworks, controls. Anything with information security, you have to look at what are you trying to do as a business? Where do you want to go? Information security is a business function, it exists to serve the business. If your objective as a business in five years is to become publicly-traded, offering SaaS services in the business to consumer realm, then everything we do in information security has to serve those business goals.
Chris Dorr (11:17):
The first place we start is what’s your business strategy? Where do you want to be? Where are you heading? When you look at tactical decisions, the question is going to be something like what do we need to do today? Whereas the first question I always ask when we are starting an engagement is where are we going and how do we get there? That’s the first step, is figuring out how it’s connected to your business strategy.
John Verry (11:42):
Right. And we often refer to that as a clear vision, right?
Chris Dorr (11:45):
John Verry (11:45):
We need a clear vision of where we’re going to. And if we do that well, the goal would be to convert information security into a business enabler, into, I like to use the term information security is inherently for most organizations value preservation. Can we also make it value creation?
Chris Dorr (12:06):
Yeah. And increasingly I think we’re seeing that and we’re asking this question, is that we’re never going to have customers paying the information security function, but we can make the people, the customers do pay, function better. We can help marketing, we can help sales, we can help product design. And all of that, again, begins with this connection between what is it that your business is doing and what is it that InfoSec does?
John Verry (12:33):
Right. We need that clear picture of where we’re going. And I guess we also need a clear picture of where we are now, because we’ve got to know where we are to get to where we’re going. How do we arrive at that clear picture of where we are?
Chris Dorr (12:46):
Well, in our proven process, the thing that we use in our vCISO program, after we do that strategic connection the next thing we do is a comprehensive risk and gap assessment, looking at what you are doing in your company right now. And again, this is someplace where we lean on the frameworks. Frameworks give us this common language. And there’s a reason that people value frameworks, it’s because they hit the important notes. So we will do a gap assessment of where you’re at versus one of these frameworks that’s typically associated with your business strategy and say, “You know what? In this area you guys are fantastic. You’ve done a great job. In this area we’ve got some problems and these problems are going to come back to haunt us in this way.” And we walk our way across all these security functions and get this view of you’re great here, you need help here, this has to be our critical focus in the first three months. This we can put off until year two.
John Verry (13:46):
So we’ve got a vision of where we’re going as a business, we’ve got a vision of the frameworks that are going to help us get there. We’re documenting this into a strategy. Anything else that during that vision phase, if you will, that we’re looking to ensure that we’re capturing from a strategy perspective?
Chris Dorr (14:03):
Well, typically this is not the beginning of an engagement, this is a cycle, and I’m sure that theme is going to keep coming up through this podcast, that it’s a cycle that feeds back on itself. But at the very beginning here it’s very important that we really understand the things that are going on in your business operation. Not just the strategic, where you want to be in five years, but how are your people doing the business? And this goes way beyond information security and this again is why this has to be connected to your business, why this has to be viewed as a business function. What we do goes beyond just information security, it goes beyond just this control and this firewall weakness. It’s integrating ourselves into your business operationally.
John Verry (14:46):
Mm-hmm (affirmative). Yeah, agree. I know in our information security strategy, because we’re ISO 27001 certified, what we’ve done as part of our strategy is that we use the process to update the objectives of our ISO 27001 information security management system, and then we also use the objectives to drive the security metrics of our program. That’s actually part of our stated strategy, which is cool because way too often in orgs that have an ISO 27001 certification those objectives remain static and those security metrics remain static. What’s cool is that our strategy drives those actions in a way that you’d expect it to.
Chris Dorr (15:31):
That’s a great point. And one of the things that we see in clients that we work with year over year as they mature, is that we tend to add to the metrics, that as we get better at helping them manage their security that we need to know more information about how we’re doing. And it’s not just us, again, this information is what flows up to this senior management. So we’re establishing that feedback early on every year. It’s built in that we’re getting better at what we’re doing.
John Verry (15:59):
Gotcha. When you start to work with a client and we’re talking about that execution phase. Now, talk a little bit about what we’re trying to address from an information security strategy to ensure that we’re building what’s necessary to make sure that we’re optimally operationalizing the program.
Chris Dorr (16:19):
Sure. And that’s critical, that all of these wonderful strategies don’t mean anything unless it gets real. The next step in this process is building rigor and process into the information security function, doing things like ensuring that documentation is updated on a regular basis, doing things like ensuring that specific controls that we’re implementing are being implemented in the right way. This is the difference between the vCISO and the virtual security team. The vCISO, the virtual CISO, is providing that strategic vision, and the virtual security team are the folks who are actually executing on the ground, they are performing compliance testing. They are analyzing products, they are helping in the deployment of end user protection systems. We try to be everything to a client that they would have if they were doing it internally. The execution that they would do if they had people in the information security department is the same kind of execution that we’re doing.
John Verry (17:26):
Right. But let’s bubble this up to the strategy level. You delved down into the execution level. What might the strategy… As an example, one question I would ask is that when I’m building a plan I look at it and say, “We know that we need this plan, we need it operationalized.” I think you need a strategy to operationalize. I mean, it could be something as simple as how are we going to operationalize this. Are we doing it through a help desk ticketing system? Are we doing it through Asana? Are we doing it through Jira and are we integrating it into our SecDevOps pipeline workflows? Are we doing it through a GRC platform, right?
Chris Dorr (18:03):
John Verry (18:04):
I mean, we’ve got to have some way of making sure that we have a strategy for operationalizing, correct?
Chris Dorr (18:12):
Yeah, absolutely. And that goes to the information security management system that you mentioned before, the ISMS, is how are we doing security? And that’s part of how we’re building out this process. What are those operationalized processes that we’re going to use? How are new users going to be provisioned? How are new desktops going to be rolled out? And that’s documented in the information security management system, developing policies and procedures. Because that’s a critical part of what we do, is you can’t really operationalize it until you have the laws that govern. Those laws are corporate policies.
John Verry (18:53):
Right. And you talk about documentation. I mean, I think that’s another area where you need to have a strategic approach. If you’re an organization that, let’s say, over the course of the next three years you want to get ISO 27001 cert, you’re in the DIB scene, you need CMMC Level 3, you’re also in the commercial space so you need ISO 27001, and you may even need to go to another framework, maybe a privacy framework. If you think about it logically, how are you going to evolve your policies in a way that they’re not going to continually need to be rewritten and they’re going to stay current? Right?
Chris Dorr (19:27):
John Verry (19:27):
I mean, one of the strategies might be to use some type of policy automation engine, right?
Chris Dorr (19:32):
John Verry (19:33):
Like one that we’ve created for our clients.
Chris Dorr (19:35):
Mm-hmm (affirmative). Yeah. And absolutely. And this is where it’s sometimes a little difficult to see the connection between these tactical activities and the strategy that we started with, but all of this has to be tied back to that strategy, because this isn’t just what are we doing today, this isn’t just what are we doing tomorrow. If we’ve got that vision, using your example of certifications, that in five years we have to be SOC 2 certified because the clients we sell to care about that.
Chris Dorr (20:09):
Then the way we do documentation is going to be totally different than if we didn’t care about that. If we were an auto parts manufacturer that didn’t have to have that kind of certification, and it’s not just documentation, it’s everything about the operationalization of the security practices, that everything we build going forward has to be able to fit into whatever comes next.
John Verry (20:32):
We talked about during vision there’s definitely a focus on trusted frameworks. During execution often we’re talking with people about making sure that they’ve got a trusted ecosystem. Talk about a trusted ecosystem and why that is important to your strategy.
Chris Dorr (20:51):
Information security is enormous. If you go out there and you google information security you’re going to get billions of patents, and a trusted ecosystem is critical to make sense of this all. I’m a huge fan of developing a trusted ecosystem. In fact, that’s a big point of what I think Pivot Point offers. I think that’s one of the real critical values we bring. If you’re not an information security professional, how are you going to know whether you need web application firewalls? How are you going to know whether or not you need this kind of hybrid cloud security approach? You can’t, because this is what we do and there’s an incredible amount of information out there.
Chris Dorr (21:33):
And even if you are an information security professional, if you don’t have a set of practices, services, and products that you know you can trust and rely on, then you are going to spend a lot of time spinning your wheels looking at everything, coming up with an answer that you probably could have come up with better if you knew that these three firewalls are the best firewalls out there. That these three governance, risk, and compliance systems are extremely good. That goes to making sense of all of this vast universe of information, much of it contradictory.
John Verry (22:08):
Right. Yeah. Because if you think about it you need a… I mean, when we talk about that trusted ecosystem, by the way, it can be internal to the organization as well. I think some people fail to get that when we say trusted ecosystem, it doesn’t have to be that you’re using an external party like Pivot Point or another services provider. And if you think about it, in order for these processes to be executed repeatedly we need the right products and we need the right people. And when we say the right people, what do we need? We need people that are both qualified, have the right training, and we need the right quantity of them.
John Verry (22:40):
Now realistically, part of building a trusted ecosystem might be, what are your hiring practices? How are we going to source these people? How are we going to train these people? Do I have the budget to do that? How are we going to ensure that our products are being maintained up to the level and the people know how to optimally operate those products?
John Verry (22:57):
The other thing, which is cool about a trusted ecosystem, and I think this is a little more externally-facing, is if you’re working with folks that live in your space and know which products and which approaches are going to be better for you, what it does is it reduces project risk quite notably, right?
Chris Dorr (23:15):
John Verry (23:15):
And I think it shortens your time to achieving your target state.
Chris Dorr (23:19):
John Verry (23:20):
Less missteps, if you will.
Chris Dorr (23:22):
Yeah. And I think that a critical part of that is that it’s not just shortening one part of it, these tend to cascade. If I’m spending an extra month on phase one and an extra month on phase two and an extra month on phase three, then suddenly my three-month project has become a six month project. And during that project you’re spending the money but you’re not making the money.
John Verry (23:45):
Mm-hmm (affirmative). Yeah, the other thing you run into is that let’s say that you are a law firm and you’ve committed to a client to be ISO 27001 certified in one year, you just slid that by six months, which means that whatever you’ve committed to the following year has been slid by that much or more and, like you said, it has this cascading effect. If you are lucky enough that you can develop a trusted ecosystem you should have a strategy for that. And that trusted ecosystem could be some certain critical third parties, it could be the use of virtual CISO. It could be working with Gartner or Forrester or somebody that is going to help you shortlist who you should be doing business with. Right?
Chris Dorr (24:23):
Yeah, absolutely. And one of the advantages of that too is that information security changes so quickly that three years ago nobody was talking about a CASB. Nobody even knew what a CASB was. Now, a CASB is a critical infrastructure component for most companies out there. If you don’t have people you can trust who interpret this and understand what’s the wheat and what’s the chaff, then you’re constantly going to be behind the ball in implementing these new technologies, or perhaps worse, spending money to implement technologies you don’t need.
John Verry (24:57):
Right. The other thing that I hadn’t thought of until you just said that is that your people have a trusted ecosystem, whether or not it is the right trusted ecosystem and whether it’s well-considered and strategically acquired. They’re listening to somebody. And way too often I find that they’re listening to product people. And the answer to every question should not be product. Information security is about process and you only need product when product is necessary to support process. I mean, I think you’d agree with me, if you are a CXO or if you are a board member, and every time you ask the question about an information security strategy or an information security program, if the answer is always a product strategy, I think you’ve got the wrong people.
Chris Dorr (25:48):
That’s a really good point. And I think that this is a failing of the information security community, we’ve not done a good job on this, in that, because there’s so many players selling products and devices and software as a service solutions, that’s the perception of what information security is all about. But if you look at the traditional cycle of people, processes, and technologies, the process is the most important thing there. And very, very often we replace processes with technologies, and this goes to the heart of why a strategy is important, because if I am using technologies to replace processes, when the process has to change, which it’s always going to need to do in response to changing business environments, I’m still going to have the technology and this technology’s not going to change. It’s absolutely critical that when you view your information technology strategy, that you view it in terms of process first.
John Verry (26:50):
Right. And you define the process and then you determine whether or not a product is necessary to support?
Chris Dorr (26:56):
Mm-hmm (affirmative). Yep.
John Verry (26:57):
Yeah. I like that a lot. All right. We got this idea, vision, right?
Chris Dorr (27:01):
John Verry (27:01):
And arriving at a vision, and in that vision definitely trusted frameworks are a critical part. We’ve got this idea of figuring out a strategy for ensuring we end up with the repeatable processes that we need, and a critical component of that is that trusted ecosystem. All right, now we’ve got a strategy for the first two pieces, now we need a strategy for what I’m going to call the last piece, the validation, if you will. And in that, one of the things that we talk about as a critical tenet is trusted information. Talk a little bit about trusted information, talk about its role in validation. What we need to cover from a strategy perspective to ensure we’ve got the right strategy to validate where we are and be able to prove it.
Chris Dorr (27:43):
Sure. We can do all the cool things we want within information security, but unless it’s communicated to somebody it loses a lot of its value. And that can be internal partners, that can be external parties as well. And this definitely goes back to what we talked about earlier about information security is a value enabler, right?
John Verry (28:04):
Chris Dorr (28:05):
… is a business enhancer. If you think about buying a new car, what’s the first thing you’re going to do when you buy a new car? Are you going to go out and research the car? But you’re not going to go to the dealer’s website to be told the dealer’s really good, you’re going to go to Consumer Reports. You’re going to read articles on the car. You’re going to go look at Yelp to see if the dealer is a good dealer. And the reason you do that is because you need that trusted information. Well, our analogs are things like internal audits done by an independent third party.
Chris Dorr (28:35):
So it’s not us saying we did a good job, it’s somebody else saying that a good job was done. It’s really important in terms of understanding our metrics to make sure that our metrics are tied to some of these independently-verifiable evaluations, because these are going to be what feeds the continuous improvement of our program. And again, this is all very strategic. If you, for example, are a cloud service provider and you are providing services to consumers, direct to consumers, you’re consumer-facing, you’ve got 20 million customers, being able to prove you’re secure looks entirely different than if you are a software as a service company that sells to 100 critical companies who are spending 10 million a year each on you.
Chris Dorr (29:25):
That ties back to that validation strategy that we talked about before. Am I going to need a SOC 2, which business cares about? Am I going to need something on my website in consumer language that consumers care about? Am I going to need privacy evaluations, which is what consumers might care about, but maybe the companies don’t really care about that because you’re not getting personal information.
John Verry (29:46):
So trusted information has, I think, three components there, so we need a strategy for how are we going to monitor and validate that this is happening. And that might be monitoring of compliance, so it might be some type of compliance. How are we going to ensure compliance on an ongoing basis? Especially if you are a SaaS, as you talked about, and you’ve got SecDevOps and you’re pushing three builds a day, how do we know that everything’s gone through the security milestones, that each release has gone through dynamic or static application security testing or whatever your security milestones call for, right?
Chris Dorr (30:22):
John Verry (30:23):
We need a strategy for how we’re going to metric, what are we going to measure and why? You mentioned we need a strategy for what’s our assessment strategy? Because the hallmark of any great cybersecurity program is independent objective assessment. What’s our strategy there? Are we using third parties to do penetration testing or vulnerability assessments? Are we subject to external audits by the Fed, or C3PAO, or the ISO registrar, or the SOC 2 CPA firm?
John Verry (30:51):
You talked about how we need a strategy for respected proof and I love the fact that the strategy for respected proof definitely correlates with the strategy for your trusted framework, because if we start with trusted frameworks at the beginning we should end up with good respected proof at the end. And then I think the last piece to talk about, if you would, is, in my mind, increasingly we need a strategy because all of that information, to me, in toto builds a single source of truth, and we need a strategy for how we’re going to maintain or present a single source of truth.
Chris Dorr (31:25):
Yes. I would agree completely. And you’re seeing that not just with information security, with the increasing emphasis on data warehouses and data lakes in large corporations. And if there’s a single place that people can go to get the correct data, we’ve got to have that same thing with information security. And again, this may be even more important with information security than most other parts of the business. Because information security for a lot of companies is the area that poses the most existential threat to your company. If I fall down in information security badly and ransomware encrypts the entire network, your company’s gone, it can’t continue to work. There’s no data to work on. And to make sure that doesn’t happen we have to put extra emphasis on making sure there’s one set of verified truth. There’s one thing that can be absolutely reliable.
John Verry (32:16):
Right. And if you think about it, when it’s done well it’s awesome. Because if you think about it, you could have a single source of truth. Think about having a dashboard. As an executive I can go to the dashboard and I get just red, green, yellow lights, things are good, things are not good. I could go to the same dashboard, drill down one level as an information security director and I can see where I am across all of my domains. I can go down one level below that and as a person who owns responsibility for part of the environment I can see exactly where I am in my part of the environment and what I’m responsible for.
John Verry (32:49):
And then the last piece is imagine being able to then give a special view of that to an external auditor or a client or a regulator. I mean, there are no mistakes there. I mean, it’s like, okay, everyone knows exactly where we stand and we’re going to be successful with that external audit, and we’re going to be successful as an organization achieving our business objectives at the one end and we’ll be successful at the audit at the other.
Chris Dorr (33:16):
Right. And this is one place where a good governance, risk, and compliance system can come into play here, because that can really help us operationalize that view.
John Verry (33:25):
Yeah. That’s such a really interesting question. Because my stance over the years has been that I don’t think most organizations need a GRC tool and I still think organizations don’t need a GRC tool in many or most instances but I do think for clients where we get to a certain level of complexity and there’s a certain number of moving parts that I do… Increasingly I’m agreeing with you more than I used to that there’s value to a good GRC platform if you can make it support your strategy in the way that we’re talking about.
Chris Dorr (34:02):
Yep. And going back to what you talked about before, the GRC tool is part of the process. It’s not because it’s a GRC tool, you have to have the process in place first. And for a lot of smaller companies, that process doesn’t require it, but at some level you’ve got so many moving parts that the only way you can really maintain all of those moving parts is some kind of an automated system.
John Verry (34:24):
Yeah. And to your point, this is where, like you said, the strategy crosses over into the tactical implementation, is as the number of moving parts, number of frameworks, number of people that are involved in implementing the management system, the number of people that need to review what’s going on goes up, the strategy becomes that a GRC platform makes more sense. So it starts at the strategy, how are we going to create the single source of truth? How are we going to present our data to our auditors? How is management going to know, how is the board going to know? How are we going to present the data to this regulator? And that will shape the fact that when we get down to how we’re going to do that you realize that the only way to do this tactically is to implement some type of a GRC solution.
Chris Dorr (35:10):
Yeah. And that’s a great point, that it’s a strategic decision. All of these are big picture strategic decisions.
John Verry (35:16):
Exactly, exactly. The last six months have been eye-opening to me. I’m amazed at how many of my conversations have become strategic where I think prior to that they were more in the tactical realm. I think you’ve been experiencing the same thing, so I would ask you, is it us? Have we gotten smarter? Have we gotten more strategic? Is it our clients? Are they getting more strategic? Are they asking the right questions? Are their boards feeding them, or is this just a natural reaction to an increasingly complex set of information security requirements and regulations that people are dealing with, or is it some combination of all those things?
Chris Dorr (36:04):
I think it’s a combination of all of those things and it’s definitely not just us. I ran across a study recently; one of the problems with information security is that it’s very hard to get objective information. But there’s a really good study that’s done every year by Deloitte, primarily of financial institutions, and they get some really good data about things like information security spend, about organizational aspects of information security. And one of the things they look at is what do the board members care about? What questions are the board members listing as the most critical? And in 2019, there was already a substantial number. 75% of board members said one of the most critical questions was our information security strategy. Between 2019 and 2020 that went up to 95%.
John Verry (36:52):
Chris Dorr (36:52):
… In one year. There was this dramatic jump in senior managers really caring about information security strategy to the point where basically they’re all asking that question. And I think there are three main drivers of that. I think the first one is an increasing recognition that these tactical things that you have to do, it’s much easier and it’s much less expensive to do them if you have a good strategy. I mean, going back to the chess analogy. Bobby Fischer once said that good tactics come from having a good position; having a good position comes from a good strategy. These things that we have to do at the tactical end, these systems that we have to implement, if they’re not connected to a strategic approach, then I’m going to have to pull it out next year when suddenly we move to the cloud because what we bought this year doesn’t support the cloud. And I think the companies are recognizing that.
Chris Dorr (37:47):
I think another thing companies are seeing more and more clearly now is the increase in existential threats from an information security point of view, back to what we talked about before, an increase in ransomware. That no longer is the biggest threat to my company, a data breach that’s going to cost me a million dollars. I can spend a million dollars. I don’t want to spend a million dollars, but I can spend a million dollars. What I can’t do is have every single piece of information in my company turned into garbage by a ransomware attack that I can’t afford to pay.
Chris Dorr (38:19):
If the threats are increasingly existential, then the solution to those threats has to be increasingly strategic. And I do think the third one is an increased recognition that information security is not only a cost center but that it also is a business enhancer. We can help marketing, we can help sales, we can absolutely help product development, but we can’t do that unless it’s approached from a strategic standpoint, and I think all of those things are combining to make senior managers at companies say, “You know what, we’ve got to change the way we look at information security.”
John Verry (38:50):
Yeah. You sent that over to me this weekend and I did look at that one chart, which was eye-opening. And strikingly, I had a conversation last week with a client that we had probably talked with two weeks before that and we’d agreed to go forward on an ISO 27001 plus 27701 project. And we had a phone call again with them and they suddenly expressed a concern that a board member had asked about whether a risk assessment had been done to arrive at that decision.
John Verry (39:18):
And risk assessment is part of ISO but it was just interesting to me. So it speaks to what you’re exactly speaking to, is that the boards are increasingly wanting to make sure that there’s a strategy to that, and ISO is one of those weird things which is strategic and tactical at the same time. But I think the board member looked at it as being a tactical response, how do we know that ISO is the best approach to this? I thought that was really interesting and I thought it spoke directly to what you were saying.
John Verry (39:46):
The other thing I picked up in that, that I thought was interesting, and I wonder if you are seeing it in strategies or should it be part of a strategy? Is, there were some actually interesting numbers in there with regards to what an appropriate spend is or what the average spend is for information security. Do you think that that is something that should be part of your strategy?
Chris Dorr (40:09):
I do. And if you think about it from a business perspective, that if everybody else who is competing with you is spending $10,000 on something and you’re not, they’re not spending $10,000 because they want to, right?
John Verry (40:21):
Chris Dorr (40:22):
It has to meet some kind of a business objective. And if your business spend, or if your information security spend is dramatically lower than everybody else’s, your question has to be, what am I missing? Again, that has to tie back to the strategic aspect of it. It goes to the same reason we do objective validation as part of the information security program, that there has to be some way of measuring ourselves against what we say we do, which are the objectives but there also has to be some way of measuring ourselves against what everybody else is doing.
John Verry (40:55):
You just made me think of something which is really interesting. One of the principles of value-based selling, so when you’re selling a service or selling your company to somebody else, is to ensure that you’re communicating your value proposition. And you can go the other direction on this: let’s say that you figure out that you’re spending more than other organizations, one of the questions would be, are you communicating that value proposition and are you missing an opportunity, right?
Chris Dorr (41:24):
John Verry (41:24):
Because if you’re spending 20% more than an average organization because you think that’s the right thing to do and you’re not communicating your superior investment and logically your superior security posture relative to your competitors, I think you’re missing something as an opportunity from a marketing perspective. It’s not always about just spending less, it’s about whatever we’re spending, how do we position that appropriately?
Chris Dorr (41:51):
That’s a great point. Every day in the news you’re hearing about data breaches and ransomware attacks, where the security message is being constantly drilled down into consumers’ minds. And especially if you’re playing in a technology space, then if you are not emphasizing to them why you’re better than everybody else, if you are better than everybody else on information security, how you’re protecting them more and you’re delivering a better service because you’re more secure, like you said, that’s money that’s not being leveraged for sales.
John Verry (42:24):
Yeah, it’s interesting. I mean, even if you think about it, what is the natural inference? If you heard somebody say, “We spend 20% more than an average company in our industry on information security because it’s so important to us.” You may or may not be more secure but that is a compelling value prop to me when I hear that.
Chris Dorr (42:44):
Absolutely. The message is we care about information security. We care about your security.
John Verry (42:48):
Yeah. It’s interesting, I never thought of using it that way until you mentioned that, so kudos. Look, there are definitely some places where, if you’re listening to this and you are a widget manufacturer, you’ve probably turned this off a while ago, because I would argue that if you’re a widget manufacturer then information security strategy is not as critical as a business strategy. But I think for a lot of organizations it is. From your perspective, are there any specific industries that you think it’s more important in, or would you go more towards the attributes of organizations that would make an InfoSec strategy more important for them?
Chris Dorr (43:25):
Well, there are both. I mean, there’s certainly some industries where it’s absolutely critical, SaaS services, for example. Your ability to communicate your security message and your ability to be secure is fundamental to your ability to be a SaaS player and to grow. You can’t grow unless you can communicate that you’re better than your competitors. Legal services is another one. It was just a few years ago we had the Panama Papers, which just absolutely rocked the legal community, right?
John Verry (43:55):
Chris Dorr (43:55):
And not just the legal community but the trust people were placing in the legal community. I think now that if you’re a law firm or you’re a legal services firm, absolutely information security strategy is critical. And then there are some that are a regulatory requirement. If you want to serve the defense industrial base, if you’re a member of the DIB, if you want to start with the DOD, you don’t have any choice, you have to be CMMC compliant. And if you want to stay CMMC compliant, I don’t know how you do that without a strategy connecting your information security to your business.
John Verry (44:31):
Yeah. I think if you generically said anyone who processes a lot of sensitive information, where somebody defines it as being sensitive, and something that’s got a high regulatory component, high attestation requirements from the companies that you’re doing work for if you’re a technology service provider, a SaaS, a cloud service provider, I think in all of those industries you are getting to a point where information security strategy is critical. Is there anything that… We beat this up pretty good, is there anything that we didn’t cover?
Chris Dorr (45:05):
Well, I think we spent a lot of time talking about information security, and one of the things that’s really closely related to it is privacy. I think we need to bring privacy back into this as well, because privacy is one of those things that a lot of times gets left out in security discussions when it’s looked at at the tactical level. When you’re looking at it at the strategic level then privacy naturally becomes a fit with that, and if you’re looking towards where you have to be in five years you have to look towards what privacy laws are in place, and they’re just growing everywhere. There are dozens of states right now that are rolling out privacy laws. I think when we talk about the security strategy we also have to be talking about a privacy strategy, and they are inextricably linked.
John Verry (45:51):
Yeah, thank you. In my mind, I was talking about information security and privacy strategy but I don’t think we were explicit and I think that was a mistake on my part, so good point. I agree completely. All right, I always ask, give me a fictional or a real world person who you think would be an amazing or horrible CISO and tell me why?
Chris Dorr (46:14):
Okay. This is going to sound weird. Lord Voldemort is my CISO, from the heavens.
John Verry (46:17):
He-Who-Must-Not-Be-Named? What didn’t you understand about He-Who-Must-Not-Be-Named?
Chris Dorr (46:22):
Who I just named. It’s jam-packed but it’s small.
John Verry (46:25):
We’re going to need whoever is producing this needs to… I don’t need that, but I’m trying to think of the line from Talladega Nights. I don’t need that. Anyway, I can’t remember it. Right, so explain this He-Who-Must-Not-Be-Named because I am certainly not going to use the word.
Chris Dorr (46:48):
Well, okay. If you get past him being [inaudible 00:46:51] and you get past him wanting to destroy the world, the guy did a really good job of keeping his eye on the prize. He was very, very strategic. He didn’t get sidetracked by little things, he kept his focus there. And that’s what you need in a good CISO, that’s what you need in a good executive. Somebody who can see what the ultimate objective is. And once you get past him being evil, plus I want to see him in the boardroom meeting. I want to see him in a boardroom meeting talking about budget, but past that, he really does a great job of keeping his eye on the prize and that’s critical when you’re a CISO.
John Verry (47:24):
Yeah. But I think he was a little short on strategy. I mean, if he’d put a couple more Horcruxes in place, if he’d have realized the threat that Hermione represented, if he’d maybe gotten a few more of the… I mean the whole Dementor thing didn’t work out at Azkaban. I mean, strategically, maybe what you’re saying is that He-Who-Must-Not-Be-Named with an improved strategy would’ve been successful and ridded the world of Harry Potter?
Chris Dorr (47:56):
Yeah. But he kept it close for seven movies, so we got to give him credit for it. Right?
John Verry (48:02):
All right. Last question. Based on the fact that you do this every day, all day, any other interesting topics for a future podcast?
Chris Dorr (48:09):
Well, future and past podcast, machine learning and AI. I know you recently did a podcast on that but I really think machine learning and AI is going to change the entire landscape of information security in a way that nothing else has.
John Verry (48:25):
I agree. I think there’s a lot of work to be done to get there. One of the things that we learned through the efforts that we did is that ensuring that we’ve got the right quality data to do the ML training is critical. We ran into a lot of problems with the data not being normalized, with inconsistencies in the way the data was structured. I am hopeful that the executive order and the emphasis on incident-sharing, that CISA, who is going to be responsible for that, will standardize that to the extent that we need and will train the people that are providing said data. But I agree with you, if we can get to the point where we’ve got the data that we need I think machine learning is incredibly optimistic.
John Verry (49:17):
Now, the problem we’re going to run into is that the bad guys can use machine learning as well, so we have to be aware that we’re not going to be the only guys using AI. We’re going to use AI to protect ourselves. They’re going to evolve equally, so we could be facing it the other way as well. Although I will say one thing that I wanted to chat with you about, that I think that there are some opportunities in the not too distant future, in the near-term, really for us to do a better job of using some machine learning and some AI for vendor due diligence reviews. I think that probably would work in the near-term.
Chris Dorr (49:54):
Yeah, I absolutely agree. And there’s already some players who are doing that. That you’re starting to see the rise of some of these automated third-party monitoring and reviewing providers out there. And that goes back to what you were saying, is because now we actually have some data, we’ve got some visibility to them. We can see what their finances look like. We can see whether they’re still in existence. We can see if they announce any data breaches. We’ve got more of that external information that we can tie back to those attributes that we’re looking at predictively. So I absolutely agree and I think that’s probably going to be a bigger impact in the next two, three years than in a lot of other areas of security.
John Verry (50:36):
Yeah. I think the other thing that you can do is that I think if CISA can normalize the data, I think the other thing too is that there are opportunities for larger organizations, the Dell Secureworks, the AT&T Cybersecurities. Their data sets are massive and they have control over their data sets. So if those data sets, if they can normalize their data sets and get that data clean enough, yeah, I think they could probably do it near-term. But the people who don’t have access to data sets of that size I think are going to be the ones that are not able to capitalize on it in the near-term.
Chris Dorr (51:11):
Right. And that also goes to the changing nature of Office 365 and G Suite, that if you’re running those, even if you don’t have access to your clients’ data you have got a lot of access to the kind of attacks that are being driven against your clients.
John Verry (51:26):
Mm-hmm (affirmative). Yep. Yeah. And the other thing too is that, which is always the crazy thing, is understanding… One of the problems with getting too excited about machine learning for that is the fact that there are these targeted attacks, but most attacks, or a large percentage of attacks, are opportunistic. They’re not looking for your organization, they stumble on your organization running a scan of the internet for a particular open port on a WordPress, a Joomla vulnerability, and you just happened not to have patched Joomla last night and you got caught. So all of the AI in the world is not going to protect you against a zero-day.
Chris Dorr (52:13):
John Verry (52:13):
… And an opportunistic attack, unfortunately.
Chris Dorr (52:16):
Right. And you’re always going to need the basic blocking and tackling. I mean, you can have Tom Brady back there, but if you don’t have a left guard who knows what he is doing, it’s not going to help.
John Verry (52:26):
It would’ve been more impressive if you said left tackle.
Chris Dorr (52:28):
John Verry (52:28):
Because I know you’re not an uber football guy, you’re… I mean, you know enough to know that it was a left, the left side is important, but the left tackle is the key, is the key position. And I think on Tampa Bay that’s Tristan Wirfs?
Chris Dorr (52:43):
Well, that impresses me.
John Verry (52:45):
Listen, I could be wrong. I know on The Jets it’s Mekhi Becton and he’s a big man. So Zach Wilson’s left tackle now, we’re in good shape there. Don’t know if it’ll make him successful. I’m a Jet fan so I doubt it, but we’ll see. Well, listen, you’re from Cincinnati so I hope Joe Burrow comes back and is as healthy as possible, because he was an exciting player last year, I would love to see that guy light it up. He seems like a nice kid and he had a fantastic first year before he blew out his knee.
Chris Dorr (53:21):
He did. And actually Ohio football is starting to look like football, so just keep your fingers crossed.
John Verry (53:27):
From your lips to God’s ears. Okay, our last thing, if folks want to get in touch with you, email is just the route?
Chris Dorr (53:33):
Yeah. Pretty simple to remember, [email protected] You can also reach me via the webpage or just look up Chris Dorr on LinkedIn, I’d love to connect with you. Any questions or comments, I’d love to hear.
John Verry (53:47):
Awesome. Thanks, sir. This was fun.
Chris Dorr (53:49):
Thank you. I really enjoyed it.
You’ve been listening to the Virtual CISO Podcast. As you probably figured out we really enjoy information security, so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] And to ensure you never miss an episode subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.