Matt Alderman 0:00
This week we welcome Ben Rothke Information Security Manager at Tapad to discuss the multiple personalities we encounter during compliance and audit engagements and how to deal with them in the security and compliance new section, culture integrity and the board’s role in guarding corporate reputation, compliance officer burnout skills for the compliance professional in the 2020s and more. Join us as we break down silos and build bridges on this episode of Security and Compliance Weekly.
SPONSOR 0:17
This is a Security Weekly production. And now, it's the show that bridges the requirements of regulations, compliance and privacy with those of security, your trusted source for complying with various mandates, building effective programs and current compliance news. It's time for Security and Compliance Weekly. Today's organizations face an evolving set of security threats and continually changing compliance requirements. As your business grows, privacy concerns only multiply and add to a dynamic set of priorities. Today's organizations need to integrate risk, security and privacy into a cohesive program. Online Business Systems' team of seasoned security practitioners work closely with you to assess your security posture, policies, procedures, and technologies, providing tailored solutions that are specifically aligned to your business's risk profile and ultimately ensure the protection of your brand. To learn more about Online Business Systems, go to securityweekly.com/online.
Matt Alderman 0:49
Welcome to Security and Compliance Weekly. This is episode number 13, recorded January 14, 2020. I am your host Matt Alderman sitting in for Mr. Jeff Man, he had a customer meeting today. But I do have the two yahoos joining me remotely as my co-hosts, Mr. Scott Lyons and Mr. Josh Marpet.
SPONSOR 1:00
Hey, we resemble that remark. Okay.
Matt Alderman 1:31
It's gonna be one of those shows. I just got, I'm gonna, I'm just gonna try to keep you reined in today. The RSA Conference 2020, February 24th to 28th: join thousands of security professionals, forward-thinking innovators and solution providers for five days of actionable learning, inspiring conversation, and breakthrough ideas. Register before January 24 and save $900 on a full conference pass. You can also save an extra $150 with our discount code. Visit securityweekly.com/RSAC2020 to register.
Alright, Ben Rothke manages information security at Tapad and has over 20 years of industry experience in information system security and privacy. His areas of expertise are in risk management mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography, and security policy development. Ben is the author of Computer Security: 20 Things Every Employee Should Know, and writes book reviews for the RSA Conference blog. Ben, welcome to Security and Compliance Weekly.
Ben Rothke 3:18
Thanks, good to be here.
Matt Alderman 3:20
Now, we titled this segment the different personalities we face when we're doing, you know, security, compliance, audit work, and how to deal with them. And I think this starts from a book about kind of the seven personalities that we see in infosec. So why don't we start with kind of a definition of maybe those seven personalities first?
Ben Rothke 3:48
Yeah, it's funny, there was a, you know, last month, George homey had an interesting article called the seven toxic information security personalities and, you know, he goes through the different types of personality you will encounter in the world of technology, information security. And you know, that's true in general and it's specifically anyone who's done an audit and assessment. Prior to joining Tapad, I spent about five years at Negritude doodle doing a lot of cloud assessments, PCI assessments, and there you see a lot of different people, you know, respond differently to, you know, to the engagements around, around security, around privacy or any regulatory issues and in some ways, you're an information security professional, but you know, many times you have to put on a social worker hat, a psychologist hat to, to deal with, you know, sometimes they can be confrontational, sometimes there's denial, there's control issues, so you really see a wide gamut of personalities. So I was thinking, you know, there's denial, there's bias, control, paranoia, you know, phobia, you know, a whole, you know, a whole lot there. You'd have to pull out the DSM to, you know, to go through all of them.
Matt Alderman 5:14
Yeah, right. And the first one that pops up on the list in the article is the Roadblocker, though, the traditional way a lot of people view security professionals, right, or the Office of No: no, you can't do this, no, you can't do that. But from a compliance perspective, I don't think you see that necessarily from the security teams. I don't think they have an option to say no, really, at that point, right. I mean, compliance is compliance. If you don't own blinds? Well, yes?
Josh Marpet 5:43
We get no all the time we get, you know, we’re not going to do that. Because this is why it’s a good enough reason. It’s like, No, no, no, that’s not the way the standard is written. Well, we don’t care all the time.
Ben Rothke 5:58
Sure, I mean, it's, a lot of people don't want to play nice in the sandbox in some, and those who have that approach. Often. It's a, it's their own dysfunctionality. It's an organizational dysfunctionality. Many times people have built, you know, technology systems, and part of their control is, you know, is about not sharing, and you find that, you know, relatively quickly, you know, identify that. And the key point is to, you know, to alert the project sponsor, alert management, say, Hey, you know, this person is not, is not sharing the information, they're not showing up to the meetings, etc. Especially, you know, when it comes to, you know, PCI, it's, you know, quite descriptive, you know, here's the evidence we need, and, you know, I'll always, you know, you let the client know, well in advance, as we want to talk about these five things, this is the type of things, you know, I need to see, you know, from them, this is what I'm expecting. So, you know, when you, you know, show up for that meeting, really, there should be, you know, no surprises within the, within the meeting invitation, you made it, you know, eminently clear what the expectations were, you know, we got to cover these things, you know, here's the output, here's the evidence, here's the format, you make it clear, and you find out, you know, very quickly, if it's going to be an easy engagement, or if it's going to be a challenge. And, I mean, I have a friend who's a pediatrician, and he's been in the industry a while, he says he knows, within, you know, 90 seconds many times, you know, what the diagnosis is, and so you get that feeling pretty quickly in security also, and so once again, is you let them know, you know, hey, I've got my job, you got your job, we really need to work together. By and large, you know, you make it clear that this is not a Dilbert type of project, you know, not out to, you know, eliminate their job.
You know, by and large, most people will, you know, play nicely in that sandbox, but occasionally, you do run into people who, who just don't want to play and, you know, you know, think by, by not sharing, you know, they're controlling more. But, you know, if they're getting in the way of a compliance effort, especially around PCI, if they are noncompliant, you can't process credit card transactions. And for an entity who can't do that, they'll, you know, find themselves in a, you know, becoming a nonprofit rather quickly. You identify it, and then, you know, go back to the project sponsor, go back to, you know, management and, you know, explain, you know, explain it, and as it is, you know, nine times, you know, 99 times out of 100, things work out. And at that point, if they still only have that, you know, once where they didn't want to cooperate, you know, at that point, it's not a compliance issue. It's really an HR issue. So that's sort of out of my ballpark at that point. But yeah, those, those who, who, you know, want to control, have their own fiefdoms, you know, that, you know, that will not work, when you have to have a compliance effort, where, you know, everyone has to play nicely and share together.
Josh Marpet 9:06
So Ben, got a question for you. We have the article with the seven toxic personalities that George homey wrote, and it’s actually a very good article. Do you think he missed any? Or on the converse side? Do you think there are any good ones that you’ll meet as well?
Ben Rothke 9:23
Um, I think, um, I mean, with it, it's a matter of, you know, how you could break it, you know, into, you know, probably 15 or so is, you know, there's a sort of, you know, digressing, you know, one of the complaints, you know, you know, psychologists have against the Myers-Briggs is that, you know, human personalities are far too complex to, you know, categorize into, say, you know, 24 types. So, you know, for a, I think a psychologist would look at this and say hey, you know, we could identify, you know, 50 different types of personalities, but from an IT perspective, from a security perspective, I think, you know, seven's a nice, a nice, good number. It's not too big, it's not too small. And but it says, you know, we could, if we want to turn it into a, you know, an internet RFC, you know, we could break it into, you know, 50 different types and subdomains? And who knows? But how about the good? Seven's a good number? Yeah.
Josh Marpet 10:21
What about the good people that you meet the good personalities, the good ones?
Ben Rothke 10:25
Yeah, um, so those are the, you know, the, you know, those are really, it's, like, I think one of, you know, what he talks about is a Fearmonger. And, you know, it's very easy to get, you know, overwhelmed with all of the various threats, vulnerabilities, you know, ransomware. And what's going to is, you know, there's in our daily lives, there's risks everywhere, you wake up in the morning, you know, using toothpaste, drinking the water, getting in the shower, but what's going to at a certain point, it's a matter of, you know, understanding how to deal with those risks. And clearly, once you, when someone powers on a device, that's risky right there, but it's a matter of really understanding it, getting in touch with the fears, you know, knowing what the real risks are. Bruce Schneier has made a point, a point he makes, you know, quite often is, if it's in the popular media, you know, you don't have to worry about it. Because, you know, more often than not, they're reporting on, you know, on the one-offs, but it's really it's, you know, is don't, don't let CNN, you know, don't let Good Morning America, you know, run your information security program. Really, after, you know, understanding, you know, what are the issues, what are the threats, you know, what are the real vulnerabilities, and really make it a, make it a quantitative approach. And, and once you do that is we'll find, you know, most organizations, you know, work quite well as it is, you know, if you understand the fear, let it in, you know, encourage you, you know, but once again, we don't want to be becoming completely immobilized, both in the physical world, and also the digital world, with this, these irrational fears.
Scott Lyons 12:08
So, Ben, thank, thanks for coming on with us. It is greatly appreciated, and it's good to see you, by the way. Um, my question to you is, so we've talked about the Roadblocker and the Fearmonger, right? What's the opposite side of the Roadblocker? Or like, what is the positive? What's the positive mentality that counteracts a Roadblocker?
Ben Rothke 12:29
Right, it's like, you know, someone who's engaging and, you know, creates those, creates those, you know, opportunities. I mean, clearly, many times, you know, roadblockers in the right place are great, meaning if there's a, if there's a massive pothole, you know, 100 yards down the road, you like that police officer, you know, to block that road. But you don't want to block roads as a, you know, as a method. So it's really understanding, you know, the opportunities, you know, what's out there. I say, you know, you know, our conference like RSA, you go, you go there, and there's, you know, hundreds and hundreds of vendors, clearly, you know, one shouldn't buy, you know, one of everything. So, you know, roadblocking is good. And with that is, you know, in the, in the technology world in general, I think in information security, you know, specifically, you'll have, you know, things, you know, shelfware, where you'll have these expensive products organizations buy that, you know, end up on the shelf, and whether it's, you know, appliances or, or SIEM or, you know, an IDS, you know, DLP, you know, they're buying these expensive tools, and not knowing, you know, why they're deploying them. In those cases, a roadblocker would have been a good thing, because, hey, you don't want to spend, you know, huge amounts of money for, you know, for a technology that you have, you don't have a real business need for. So there is a fine line between, on what's that, you want to, you know, encourage and engage technology. But you know, those have to be backed up with, you know, requirements, you know, who's going to manage it, you know, who's going to, you know, listen to those alerts, you know, I said, you know, DLP is great, but if it's, there's not someone to deal with those alerts at 2am on a long holiday weekend, it's not giving you a whole lot.
So roadblockers at the right time are, are great because they're saving you money, they're saving you, you know, people hours from going down, but it's, you know, again, it's a, it's a fine line.
Matt Alderman 14:38
Yeah, the way I would describe that kind of alternative is the business engager. Right, somebody who was actually working with the business to understand business requirements, potentially identify risks and come up with solutions. So instead of being a roadblock, they're actually trying to enable the business to accomplish its goals, but in a more safe, secure way. And I think that's what we're seeing, is starting to see this transition where the security groups are moving away from this Office of No and saying, Okay, let me understand the requirements, and then let me help you identify the best way to move forward and secure that data. So that's kind of how I describe that role. It's that business engager versus the Roadblocker. Agree? Disagree?
Scott Lyons 15:21
So you're saying it's, it's more valuable to have somebody that questions the business move to make sure that all of the right pieces are in place versus somebody who sits back and says no, can't do it?
Matt Alderman 15:33
Yeah, exactly.
Ben Rothke 15:35
Yes. Like, you know, do we, you know, do we really need this many, you know, someone go off and you know, people buy a, buy a car in a way, we, you know, I need this car, with the sales, what I’ll do is, you know, they’ll, you know, give you all these, you know, add ons that you may or may not need, and so to is, you know, you’d want to, you know, that’s why you look for, you go online, look at Consumer Reports and say, Hey, you know, do you need these, you know, these protection packages, which, you know, may not give you, you know, a lot of protection, and so to in the in, you know, when it comes to security products, your CIO or CTO or CSO might not have, you know, be so close to the technology to understand, is this really a good solution? Do we need it? Is there value and, you know, is it worth it, and once again, is these, these can be, you know, expensive solutions also, and then above and beyond that, you know, there’s, there’s, you know, you, you need people to, to administer it, you know, to deal with it. So, it’s a, there’s a lot of add on costs, there’s, you know, modifications, and so, as it is really understanding, you know, do we need it, how we’re going to how we’re going to use it, you know, how’s it going to, you know, affect the business, you know, what’s, you know, what’s the security ROI, and, and you put a lot of those, you know, into play, so it’s sort of turning the road blocker into really understanding is, you know, do we really need it, you know, can we benefit from it, and it says it’s it, that’s the best of both worlds, you just don’t want to have a, an open door policy to all purchases, because you’re gonna have seen so much software you can’t handle and that you don’t want to walk every road so that you you’re losing out on a lot of great technology to, you know, to help secure the environment.
Matt Alderman 17:15
Yeah, then you become a money thrower, right?
Ben Rothke 17:17
Sure. Yeah. It’s like, you know, once again, is, and I think that’s, you know, that’s one of the, you know, and that’s one of the things, you know, George identified also is that, you know, thinking money could, you know, could solve problems, and it can, to a, to a limited degree, but, you know, many times if there is, you know, deep technology issues, you know, throwing money at it is just clearly the, you know, the last thing you want, you don’t want to stand back and say, Hey, you know, what, what do I need to do to really fix the problem as as simply, you know, addressing the, the, you know, constantly, you know, addressing the system, it’s sort of like, you know, these old cars at a certain point, throwing money at it is just is a waste of money. And for some, some organizations, especially in the financial services sector, where they, they often will use that as a, as a key method, just, you know, throw it, you know, bring in the consultants, let’s fix it. Once again, it may work in the short term, in the long term, it is a is a disaster.
Matt Alderman 18:23
Yeah, you know, if we walked into an organization where you’ve got shelfware, you bought all the little blinky lights, but they’re, they’re not actually running, they’re not working, they’re just sitting there, they’re shelfware
Ben Rothke 18:34
It's the equivalent of a, you know, a treadmill is, you know, people buy it, and then, you know, they don't do a whole lot. That's why, you know...
Josh Marpet 18:44
I use my treadmill! It holds lots of clothes.
Ben Rothke 18:48
Yeah, so you know, an expensive shirt hanger, that's why you get some great deals on treadmills on Craigslist, on eBay, because, you know, people use them for, you know, 10, 15 miles, but then, you know, it just sits there. And then within is that the last thing you want is to, you know, throw that money away. And there's, there's, you know, there is a lot of money wasted. The key is, you know, invest it wisely. Right, you know,
Scott Lyons 19:15
It's been talking about, yeah, yeah, it's funny, it'd be talking about shelfware. You know, we did a really good deep introspective look into cyber insurance, right. And we found insurance carriers that are selling cyber insurance that would quantify a million dollar policy with a question of, do you own a firewall? Not, is it plugged in? Not, is it turned on? Not, are you collecting logs? Not, does it actually provide strategic protection to the business? Do you own a firewall? And it's mind blowing. When you sit back and you look at this and you say, how are you basing a general policy or an errors and omissions policy on a single question? You know, and when you translate that over to a compliance, right, to, to add to dollar sign compliance set, you know, being able to understand why a company is doing what they're doing and sitting back and saying, okay, does this provide adequate protection? Have they done their homework on it? Right? It's really interesting, right? Because everybody wants to throw their own two cents into the, into the pot and let the decision makers battle it out. It's like compliance Thunderdome almost, correct? You know, you feel that, you feel that you have to, um, you feel that you have to really put forth an effort to try to go around somebody that you would think would be a Roadblocker. Right, or Money Thrower, you know?
Ben Rothke 20:48
Yeah, I think that's good. But I think in the physical world, you know, we have, you know, you know, hundreds of years, thousands of years of, you know, physical security experience, and even with underwriting, you know, in the physical world, they've got, you know, hundreds of years. When it comes to information security, it's a relatively new field. So, you know, you have underwriters out there who understand, you know, the art world, and they know exactly how to write a policy for fine art or jewelry, or, you know, you know, cars, etc. When it comes to, to data, I think there's two things, it's, it's relatively new in the big picture, and then just a matter of, you know, how do you quantify, you know, data? You know, that's, that's a big question. I mean, I've got this, you, you know, you've got this, they're underwriting a new Tesla. So we know, it's brand new, it's X, you got depreciation, it's Y, but now, here, we've got, you know, well, you know, 20 million records, you know, what is that data worth? And I said, is, you know, physically, it could be, you know, one, you know, on a USB, it could be worth, you know, $2, practically, it could be worth, you know, millions, but, you know, when you want to insure it, you know, with that USB is lost, you know, then what? And I said is, that's, that's one of the challenges of, you know, cyber insurance, is just, it's so new, you know, so little, so little experience, and, you know, some of the underwriters just really don't, you know, don't understand the environment as it is, you know, it's not physical, you can't measure it, you can't touch it.
And, as it is, you know, that's something that could take another probably, you know, a decade or so to really, to really, you know, work out, and there are really a lot of organizations out there, when they try to, you know, cash in on a policy in the event of a breach, you know, they find out when they read all the, you know, the errors and exclusions and all those fine details there, you know, even though they had a firewall, you know, they're not going to be covered. So it is, no, it's a, cyber insurance, in some ways, is a, is a work in progress.
Scott Lyons 22:52
Cool. So, uh, that's, I love the discussion, right. We're gonna, we're gonna switch gears. For those of you who are listening, you, you really can't see us. If you go out to the wiki and take a look at the show notes, you'll be able to see the article down in the, down in the description of where we got this information from. I want to change this just a little bit. Ben, you wrote a book about 20 things that every employee should know, right? Can you give us like the top three or top five things and how that, how that all relates into compliance and security and what we should really be looking for?
Ben Rothke 23:35
Yeah, I mean, it's a, the book's due for a, you know, for an update, but you know, a lot of it is just, you know, just, it's just having that awareness of what you're doing. Clearly, when someone goes, when you go to a foreign country, there's guides out there, you know, do's and don'ts, whether when you're in there, you go to Saudi Arabia, do not bring alcohol, there's, you know, don't even hide it, because it's a capital offense there. And when you go to Japan, you know, do A, B, and C. So, you know, when engaging with, you know, with a desktop, with a mobile device, you know, with, can be extremely protective of your data, really have that understanding, you know, don't share data, you know, trust but verify, you know, patching, you know, patching, you know, antivirus, you know, a lot of the, those, you know, you know, core issues from 15 years ago are still relevant. Now, once again, as, you know, two-factor authentication is an absolute must in, you know, 2020, is, you know, everyone's got a smartphone. So turn on 2FA, you know, make sure you, if you're using Google's, you know, Google suite, you know, turn on, you know, Google Authenticator. It's a little effort, a little security effort, you know, can go, you know, can go a long way. There's the little joke about, you know, two guys running from a bear, and, you know, that he says, you know, those running shoes won't help you outrun the bear. He says, You know, I just have to outrun you. And to a degree, you know, that works for a lot of consumers, you just want to make it a little, if you make it a little more difficult to do that, to be a victim, you know, you won't be a victim. And also with what, you know, spam is pretty obvious, you know, don't, don't reply to that, you know, we're seeing a lot of messages now.
You know, robocalls, you know, just, just, you know, don't answer the phone, and even if anyone is calling you to offer you a, you know, a travel package to Puerto Vallarta, to Las Vegas, if someone wants to sell you, you know, out of the blue, a, a car warranty, you know, just no, don't engage with them. If, if they, if someone won't let you call them back, you know, that's, you know, that's the red flag there. And so by understanding red flags, you know, how not to be a scammer, you know, you won't get scammed. But as I said, as, you know, I live in, I work in New York City, and, you know, people, you walk down the street, there's three-card monte, you know, there's all these things. So you know, we could never, like risk, we can never eliminate it, you just want to control it. And in a nutshell, it's, you know, be aware of the surroundings. Be careful what you click on. And, you know, and, you know, we talked about, you know, being a Roadblocker, you know, when it comes to your personal data, it'd be a big Roadblocker, because, you know, very few organizations, you know, need your information, never share it. And if they're demanding of it, you know, call them back, once again, is, if the IRS, you know, wants your money, they'll, they'll let you call them back. But it's got to, you know, be careful out there,
Matt Alderman 26:45
That basic cyber hygiene, right? It's just, yeah, some of the basics, right? It's funny, because, as a security professional, you, there's certain things I don't do, right? I don't have Facebook, because I don't want to share my data, etc. My wife's got Facebook, but anytime my wife can't do something on her computer, she assumes I've locked the machine down to the point where she can't use it. I'm like, but no, I didn't. I mean, there's basic safeguards in place, just so, you know, your machine doesn't get compromised, and, you know, who knows what, what vanishes. But I think that's a big challenge for the lay person, the consumer, is what are those handful of things that I should do, and just do it on a routine basis? Because a lot of us don't think about this on a daily basis, until it's too late. My data's stolen or my identity's stolen or whatever?
Ben Rothke 27:32
Yeah, I mean, one thing, you know, just, you know, the simplest is, you know, difficult passwords, and, you know, different passwords for every site is, you know, that's the value of a phishing email, is that for a lot of people, if you're able to hack their Gmail password, you know, that's going to work, you know, at Aetna, it's going to work at Citibank, at Chase, at Target, you know, at Amazon. So with, is it a little hygiene, you know, can go a very long way.
Matt Alderman 28:01
Yes, definitely. Scott, Josh, any additional questions for Ben while we have him?
Scott Lyons 28:07
Yeah, actually, I do. I have one more. Ben, which came first, security or compliance, like chicken versus the egg?
Ben Rothke 28:15
That's it. That's the, they were created exactly at the same time.
Josh Marpet 28:21
Oh, you’re copping out? Come on.
Ben Rothke 28:23
Yeah. I mean, what it's, you know, as you know, it's what it is, you know, from a, if you want to keep the, you know, this, you know, the CEO out of jail, you know, compliance is key, is clearly if it's a matter of security or a HIPAA violation, you don't want to have a HIPAA violation, but really there, it's a Venn diagram and that they do need to, to work together and, and good security will, you know, give you, you know, 90% of compliance. What's gonna feel if you focus, you know, encryption, strong infrastructure, secure coding, you know, you put all these good security controls in place, you know, by and large, you can cover, you know, every compliance initiative out there. And, you know, that's the key is, you know, you want to, a lot of, a lot of the compliance initiatives also are not exactly leading edge, you know, what's going, even, you know, PCI version four is coming out, there's a lot of interesting stuff in there. But even with PCI, nothing in it is leading edge, whether you look at HIPAA, there's nothing, nothing. There's nothing in HIPAA, you can't use technology from the year 2000. You know, to me, but you call it, you know, between the two, you know, security is going to protect the data. But, you know, compliance is going to keep the, you know, keep the lawyers happier.
Matt Alderman 29:52
At least we hope.
Ben Rothke 29:53
We hope. Yeah, yeah, okay, it's that way.
Matt Alderman 29:54
Okay, so, Ben, thank you so much for joining us on Security and Compliance Weekly. My pleasure. Thanks. And with that, we'll take a quick break and then cover the security and compliance news.