Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very excited to have you here today.
Very excited to have you here every day. I'm just happy to listen. Today I want to talk about something we've been diving into with a lot of our clients: risk management.
It's a big thing that we do, but it's traditionally extremely arduous. There are a lot of different things to consider, and it turns into this massive project, which is very important, but it makes it difficult to pull in a lot of different parts of the organization, especially senior management. They've got so many other things to do that focusing on this, even though, like we've talked about before, it can really lead to a lot of opportunities, is hard.
They don't want to invest the time. It's a hard pill to swallow, and I don't disagree. There's a lot to it.
So today I want to talk about some of the ways that we're trying to, I don't want to say reinvent, but restructure the way that we do all of our risk management, to help break it up more, to where we're not really avoiding or skipping anything. We're just structuring it in a way that we can get the relevant information from senior management and then the supporting information from everybody else that we need, to hopefully make it a collective, very good risk management process. So before we jump into that, as always, wherever you're listening to us, Apple Podcasts, Google Play, wherever it is, please click that subscribe button, click that like.
Don't forget to leave us a rating. If you can, let us know what you like. We'll remind you at the end, but also throw in some comments about what you would like to listen to, if there are any topics you'd like us to go over.
So let's go ahead and jump in and start talking about our risk management process. One of the big things is that traditionally we've helped companies go through their ISO 27001, SOC 2 Type 2, HITRUST, FedRAMP, a lot of these really major security certification processes. For a lot of businesses, that's way overkill.
And while those do provide a good structure for any type of business, honestly, even if they do offer a lot of benefit, it's so much of a time suck to get those things set up that companies just don't even want to start. It's like looking at the mountain from the base of it and just saying, I'm never going to climb that. I'm not even going to try.
So our big focus this year has really been how we can make that more accessible to everybody, how we can trim all the fat out of that whole process and make it still provide the benefits, just without taking as much time. Almost, how do we fit a square peg into this round hole? There have definitely been some engineering issues in that, but I think there are a lot of ways that we've started to really hone this, to where we can ask different groups, different people, pointed questions so that their time investment is very small, then ask other groups their questions, and then mush it all together to give the whole benefit. So before diving into the risk process, just as a quick overview: on the information security side, risk typically looks at what you would hear called the CIA triad.
So there's confidentiality, which is about unauthorized access to information. If I have data over here and only I'm allowed to access it, and anybody else gets access to it, that's a confidentiality issue. And when we think of data breaches, confidentiality is really one of the main things that we're trying to protect.
The next one is integrity. And this looks at a few things. One is the data being altered in any unexpected ways.
So if I'm sending a letter to somebody and somebody opens it up midway, changes something, seals it back up and sends it on its way, that's an integrity issue. That's not the message that I was sending that somebody received. And especially on the medical side, if we're providing a diagnosis, if we're providing lab results, any integrity issues there, any alteration of that data, that's massive.
That can have a really significant impact on the patient and ultimately on the practice or the lab or the organization. The other side of it is repudiation. And what that means is we want to be able to identify who did what to what: who made changes to this data, who accessed this data, who deleted this file.
And if we've got good integrity controls, we've got what we call non-repudiation. I can't say that I didn't do that, because there are logs on the system.
James, you signed in at this time, you did this. It's very clear. We know what you did.
But if our logs get destroyed, or we're not collecting the correct logs, or any number of other issues lead to a situation where we can't support non-repudiation, somebody could say that that wasn't me. And a big factor in that is when people share passwords or use joint accounts. I can't definitively say who it was that was signing into the system with that joint account.
That could have been anybody. Maybe if I have camera systems, I can try to support it. But shared accounts really break down that non-repudiation, break down our ability to pinpoint who did what.
And then if you ever try to prosecute, or really just figure out what happened, who accessed what, if somebody broke into your systems, did they access certain data? If you're not able to identify it, that all breaks down. The next one in the CIA triad, availability, speaks to: do we have access to the things that we need? Data, assets, people, systems, whatever. Do we have access to the things that we need when we need them, and at the level that we need them? So that could be a server.
If the server goes offline, that's an availability issue. I can't access it. But we can also have an availability issue if everybody in the company is working throughout the day, I'm trying to download files or send something to somebody, and there's not enough internet bandwidth.
So it takes forever. Something that should really only take a few minutes to send out and get back now takes a few hours. That's an availability issue.
It's still technically there and available, but not to the level that I really need it to do my job, to make things work. So those are typically the three that are looked at. Now, whenever you're looking at the CIA triad, it's also implied that you're looking at privacy.
So it's kind of CIA and privacy. A privacy issue seems very similar to a confidentiality issue, but a privacy issue is when we're able to identify a data subject. So I can have a confidentiality issue but not a privacy issue, and I can have a privacy issue and not a confidentiality issue.
An example of that: if I have a data set and in there are different patient names, and that data set gets out and is accessed by unauthorized individuals, one, that's a confidentiality issue: an unauthorized person accessed that database. But it's also a privacy issue if they're able to identify the patients, if they're able to put two and two together.
James Bowers, that's obvious. James Bowers, date of birth, social. That's who this individual is.
I can identify it. That's a privacy event. It's actually the privacy events that really get you tripped up during a data breach, because that's where all the privacy laws come in.
That's where you have to do the reporting. That's where you typically have to pay for credit monitoring for everybody that's affected. And a lot of times privacy events and confidentiality are used synonymously, but they're actually separate.
So an example is, I may have authorization to access the database, but I don't have a need to know for all of the patients in there.
And if I start identifying the patients, that could be a privacy breach, not typically a major one, but it wouldn't be a confidentiality breach, because I'm authorized for that database, just maybe not those patients. And we could have a confidentiality issue where an unauthorized person gets that database, but if all of the patient information is encrypted or de-identified, maybe we're just using numbers rather than patient names or identifiers,
well, then it was a confidentiality issue but not a privacy issue. And that's really important when setting up our systems and our data flows and our structure, because we want to avoid privacy events as much as possible, because that's really where the money comes in and typically where the bulk of the data breach expenses come into play. The final one that we always include, rather than just the CIA triad, is what we call the CIA PS: confidentiality, integrity, availability, privacy, and also safety.
And in any risk process that you're going through, you want to include safety issues. One, just because they're significant. If you do something negligent on that side and it has a major impact, somebody slips and falls, somebody hurts themselves, somebody ends up dying because of some sort of negligence at your company,
that's a major lawsuit. That's going to have a major impact. So you want to account for that.
What's also really important, though, is not to separate that into a business side and a technical side. IT also has to consider safety issues. And there are typically not as many that they're identifying.
But where it's important is that there's an overlap between IT systems and operational systems. Examples of that are the phone lines, the POTS line that services the elevator, or that services your fire system. A lot of the time this is overlooked, and IT will say, OK, we're going to move over to a new Voice over IP solution.
We're going to get rid of all of our POTS lines. We're going to save all that money. Well, now the fire system or the elevator emergency system won't always work over those voice lines.
Or if the Internet goes out, now those aren't working. And that can lead to an extremely significant safety issue from just a small tweak in how we manage our telecom systems. So that's one of the big examples.
But that's why, for anything that we're putting into place, we want to make sure that if we're changing certain aspects of our business, we ask: could this lead to some sort of safety event where somebody internally or externally could be impacted, could get hurt? So those are the five main areas that we look at when we're doing our risk assessments. We also look at organizational mission, which is really the organization's why. Why are we here? Why do we do what we do? Is there anything that we're going to be putting in place that would contradict that? If our mission is to provide good health to all of our clients, we don't want to start selling cigarettes in our location.
That's antithetical to our mission. And that actually has big business impacts. So that's always something to look at.
And that kind of pulls in financial and reputation impacts as well. We also look at business objectives. The easiest way to consider that is just: how does the business make money? Could any of this stuff that we're doing impact our ability to make money, to turn a profit, to meet our bottom line? And then the final one that we look at is obligations.
And that's just: what are we obligated to do? Statutory, regulatory, contractual. Are there certain things that are non-negotiables that have to be done? So all in all, when we're doing our analysis, we look at kind of that CIA PS and MOO, which I think we should come up with a better name for. But ultimately it's, again, confidentiality, integrity, availability, privacy, safety, mission, objectives and obligations.
And it sounds arduous. But as you're going through it, the type of issue that you're looking at will a lot of times only hit one or two of those. So it's not as deep as it sounds like it could be.
But back to our original point: it really used to be quite a big issue because, even though we could zoom through them fairly quickly, there were a lot of threats and vulnerabilities to consider. Our original base framework had well over 115. That's a lot of different things to consider.
That's a big ask for senior management: hey, let's sit down and go over 115 different things that could happen and get your opinion. About three or four in, people are checking out. So we're really looking at ways to simplify that. And before jumping into that, let's break up threats and vulnerabilities and risk.
Listen, whatever book you look at, whether it's the CISSP, whether it's the FAIR methodology, whatever you take a look at, they all have their little tweaks and definitions. And some of them are radically different, which I think is nonsense. Why reinvent the wheel? Let's keep the vernacular the same, rather than using it in different ways, or come up with your own word.
That's a whole different topic. But for our purposes, and for typical purposes, we look at threats as something bad that could happen. What's a bad thing that could happen? A fire.
Some of our data getting stolen, our computer getting stolen, that's a bad thing that could happen. Vulnerabilities are the exploitable issues that could lead to that threat. So, where's the weakness that could be exploited that could lead to us experiencing that bad thing? So, an example:
For the threat of getting our laptop stolen, a vulnerability could be leaving it in a public place or leaving it in an unlocked car. For getting our data stolen, it's not encrypting our systems, or leaving data on our desk or on our screen. Those are all different types of vulnerabilities, and those could all be rated with different likelihoods, and how much of an impact could they have? But that's threats and likelihoods.
And those together collectively create the risk to the business, as far as what this would really mean for the business if that vulnerability gets exploited, causing that bad thing to happen, that threat. What's that going to mean for us, either in confidentiality impacts or availability? Are we going to lose access to our systems? Are we going to have to pay out money for remediation? And that part is really all that management, all that the business owners, really care about. So that's really what we're looking at in our redesign of how we approach the risk process.
And our new structure is really just taking it down, trying to get to the lowest common denominator for the risk related to that CIA PS triad. What are the core bad things that could happen? And what would that really mean for the business at the worst level? What could the impact be? Some examples of that: we've broken it up to where, with a confidentiality issue, that's unauthorized access. What if we have unauthorized access to our physical location? Somebody actually comes into our location. What would that mean for the business? What would it mean if we had unauthorized access to one of our physical assets, our laptop, our server, or our organizational data, not client data, not client information, but our own data?
Now, do we have any trade secrets? The Coca-Cola recipe or KFC's spice recipe would be a pretty big impact if somebody got it. And what would be the impact if somebody got our client data? So those are the core threats that we look at. And a lot of the time, it's easy to see there.
Let's say we look at somebody accessing our physical assets. Well, especially as we start putting controls into place, we can say, well, there's not a whole lot on our laptops. Essentially, since we're using Microsoft 365 or Google Cloud, everything that we have is in those cloud systems. We're really only using our systems as internet browsers to securely connect to those other locations.
So we don't store anything on our devices. There's no actual data. So if somebody were to access that device, they would need all of our credentials to be able to get to anything significant.
So the worst that could happen is somebody destroys it or steals it. We're out a $1,500 or $2,000 laptop. It's not a major issue.
And here's where we can look at all of those different controls that we can put in place. We've got this threat that at worst you'd say would be a $2,000 impact. That's probably not a road that we want to invest a lot of time in.
I may have IT look at things like, hey, what are some good, inexpensive controls that we can put in to further lock our systems down? We can put some administrative controls in place. Remind everybody, don't leave these in a public place. Don't leave them in an unlocked car.
Don't just leave them sitting out. Let's make sure we get BitLocker or FileVault on everything to encrypt them, just in case anything's stored locally, which it shouldn't be, but just in case, we've got that secured.
We've quickly put a lot of different controls in place to minimize even the likelihood of that excessive $2,000 impact, and that can be put to bed. We don't need to go down all of the different vulnerabilities that could lead to that threat: leaving it in a location, a car, being stolen from our house, all those different things. Senior management doesn't need to rate each of those, because ultimately they're all filtering up to this:
at most a $2,000 impact. And if the organization's fine with that, we move on, and then we can look at, well, what about our organizational data? And for a lot of companies, even though they don't want the data getting out, it's not a major impact. There are no real trade secrets.
It's intellectual property. It would be egg on the face if it got out. But even for us, we don't carry any client data, for the purpose of not having a lot of exposure.
Our biggest internal organizational data is our IP: our policies, our procedures, our structure. But that's fairly mitigated because those are sold. So they're already out there.
They're protected with licensing agreements and copyrights, but they're already out there, and we also share a lot of the information for free, right on our website, it's public, and on the podcast and in other areas; we give seminars. So if somebody really broke in and got all of our information, it would be egg on our face, because, I mean, we're a security company, but there's not really anything of substance in there. So we'll structure things to keep our systems safe, but in our case that's not a deep rabbit hole that we need to go down.
And we definitely don't need to put a major budget into all types of systems for keeping people out. If somebody really gets in, okay, we've got backups, we've got all of our stuff. Even if everything got wiped out on all of our systems, we've got ways to recover it. Again, at worst it's egg on our face.
We would have quite a good podcast show; it's not going to be a major issue for us. And in our case, for client data, like I said, we don't really carry any client information except what's public, business contact info. So in our case, that's not even a major issue.
So our confidentiality concerns are pretty low from a senior management side. We can move on from this. We've also got integrity issues to look at.
Well, what would happen if somebody tampered with one of our physical assets or tampered with our data? How could that result in a non-repudiation issue? How could that result in us giving incorrect information to a client? Again, if we're looking at our case, not really at all. It's a lot of structure and policies and guidance, but nothing like a lab result from a medical practice, from a physician's office. There, that could be pretty significant, because if we alter somebody's lab results, that could change their whole treatment plan, and that could have major impacts on somebody. So that's where, in that case, we would want to take that higher-level threat
and say, okay, let's start breaking up all of those vulnerabilities. I'm going to have IT, I'm going to have lab personnel, I'm going to have different subject matter experts that support this area
come up with ways that could go sideways. What are the different things that could happen? Let them rate it. And then from a senior management side, when they come back with those, we can decide which of those we want to tackle first. What do we want to invest budget and time into, to try to mitigate, lower, or even avoid those certain risks?
We also look at non-repudiation issues. I'm just going to start burning through some of these, because it sucks to read a whole list, but availability, collectively, is where we look at the availability of our core processes, core suppliers, our organizational data, client data, and even key personnel. Very important things to consider.
Sometimes companies are running with one or two people that really keep everything together. You know who you are out there. And if they leave, the company's in a bad spot. That's a major risk to the organization that may not be directly a data breach issue, but the ability to continue to operate, or at least operate profitably, could be a major impact. Then there are all the privacy issues.
And I think we'll look, in a different podcast, at the LINDDUN method for identifying all the different kinds of privacy impacts that you could have. But ultimately, however you talk about it, it all comes down to: is there unauthorized identification of a data subject? That's all we really care about, because when that happens, that's when we have some sort of a data breach, that's when we have to start reporting. That's when we have to let our data subjects know that their data has been compromised, and we go through that whole process.
All of the other issues that could happen, those are really vulnerabilities. Those are things that could lead to an unauthorized identification of data subjects.
And in our process, like we talked about in another one of the podcasts, we've been looking at how many data subject records we have. If it's, like, five, that probably isn't a major area where we need to spend a lot of time. I'm not saying don't protect people's data, even if you only have five, definitely do, but we don't need to consider a whole SOC team, a security operations center, or maybe expensive XDR and MDR solutions. We can come up with other solutions that aren't expensive, because it's not a major threat. On the other side, if we've got 5,000, 10,000 or more records, that could be a pretty major impact.
That's going to be an area where senior management says, put your time and effort there, figure out how we can lower this impact. The next ones are safety issues: somebody internally gets injured, somebody externally gets injured.
We break that up just because it seems appropriate, but really that could be further condensed down to: somebody gets hurt. Then we also quickly consider whether any of our actions go against our mission statement.
CVS decided not to sell cigarettes in their locations because they were all about providing good health to people. And that actually really helped their bottom line. People really respected that.
They saw them as honest and trustworthy. So it's always a good thing to consider: are we going against our values, our mission statement?
Objectives kind of break down to: we can't provide our product or service, or there's a negative impact to our core metrics, our leads, our conversion rate, the number of transactions that we can do, the average amount of sale, or our margin. Is that going to push up our expenses? Is that going to lower how much we can charge? And then finally, obligations violations.
Are we failing to meet any statutory, regulatory or contractual agreement? Those are the non-negotiables. If we're a medical practice, are we violating HIPAA? If we're under PCI, are we breaking any of the PCI DSS requirements? If we have special SLAs with clients, is this going to impact our SLA, which is our contractual obligation with them? But this is really how we're now approaching it with companies: basically just looking at these quick 20 major threats. What are the major things that could happen? And when we identify how much of an impact this could be and how likely it is, then we can see from there, all right, where do we need to dig deeper? Any of these that have a higher score, any of these that have a higher risk, we can start bisecting. Okay.
There's a big issue with client data being exposed, with data subjects being exposed. All right. We're really going to start digging into all the different vulnerabilities.
What are the different ways that could happen? And then we work with senior management to see which of those we want to tackle. That way we get senior management's input, their guidance, they can disengage, and then we can get subject matter experts for each of the different areas, each of the different types of vulnerabilities, to identify what could go wrong, and then put those together to see where we need to invest our attention, our resources, and our budget. So that's how we're starting to address this. And even with our new systems, it's broken down to where, as you put in the vulnerabilities, they tie to these risks to give you a calculated score of how exposed the organization is.
And so far, for quite a few companies that we've taken through it, it seems to be going quicker. And I think some of that will even improve just as we improve our communication around it. The first few times, it's a lot of tripping over yourself and ums and uhs.
But as it moves forward, I think this is a good way to start splitting that up, to where we can almost have our cake and eat it too, as it relates to the risk management process. Because I guess kind of the final thought here is, everything that you do on the compliance side, everything that you do in your risk management process, should serve the business, in that it's helping you to reduce risk, helping you to ensure continued operations, not just an exercise that you're doing to check a box. This should actually serve a purpose.
And if it's too long of a process, if it's too much of a time investment, no matter what, people will try to work through it quickly and they're not going to really utilize it. It's not going to provide any benefit. So when things do hit the fan, they won't be prepared, or they'll be impacted a lot more than they should have been.
If we can keep it concise, sure, there are definitely things that we could go deeper on, but at the end of the day, are we still getting essentially the same result? I think so. So I'm going to leave it there. I'm always more than happy to connect with anybody and dive into your risk management process and see how we can help you there.
And this is actually where, like we've talked about before, we can identify even opportunities for new business avenues, which is really cool. That's really the mature version of risk management, opportunity management, but it's what we do. So I'm always happy to dive into that with you.
We'll go ahead and wrap up for today. As a reminder, please click that subscribe button and send us any feedback; it really helps us get out in front of other people. Again, if there are topics that you would like to hear about, please let us know. I'm always more than happy to dive into areas that you're interested in, but we will see you next week, Thursday at 10 AM. Thank you for listening to Cash in the Cyber Sheets.
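The tiered process described in this episode (senior management rates the worst-case impact of a short list of core threats across the CIA PS and MOO lenses, and only the threats that score high get a vulnerability breakdown from subject matter experts, whose likelihood ratings then roll back up into a calculated exposure score) can be sketched as a small risk register. The code below is an added example written for this page; it is not Input Output's tooling or the podcast's own method. The 1-to-5 ordinal scales, the default likelihood for threats without a breakdown yet, the "dig deeper" threshold, the scoring rule (impact times the likelihood of the most likely vulnerability), and the sample register entries are all assumptions constructed to mirror the episode's examples.

```python
"""Tiered risk register: senior management rates worst-case impact for a short
list of core threats; subject matter experts add vulnerabilities (with
likelihoods) only where the threat score says to dig deeper.

Added example, not the podcast's tooling. Scales, threshold and sample entries
are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# The eight lenses from the episode: CIA plus privacy and safety, then
# mission, objectives and obligations.
CATEGORIES = (
    "confidentiality", "integrity", "availability", "privacy",
    "safety", "mission", "objectives", "obligations",
)

# Assumed 1..5 ordinal scales. A threat with no vulnerability breakdown yet is
# given this default likelihood so senior management can still triage it.
DEFAULT_LIKELIHOOD = 3
DIG_DEEPER_THRESHOLD = 10  # impact x likelihood at or above this gets SME work


@dataclass
class Vulnerability:
    name: str
    likelihood: int  # 1..5, rated by the subject matter expert for this area

    def __post_init__(self) -> None:
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"likelihood out of range: {self.likelihood}")


@dataclass
class Threat:
    name: str
    category: str
    worst_case_impact: int  # 1..5, rated once by senior management
    vulnerabilities: List[Vulnerability] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if not 1 <= self.worst_case_impact <= 5:
            raise ValueError(f"impact out of range: {self.worst_case_impact}")

    def likelihood(self) -> int:
        # The most likely exploitable path drives the threat's likelihood.
        if not self.vulnerabilities:
            return DEFAULT_LIKELIHOOD
        return max(v.likelihood for v in self.vulnerabilities)

    def score(self) -> int:
        return self.worst_case_impact * self.likelihood()


def triage(threats: List[Threat],
           threshold: int = DIG_DEEPER_THRESHOLD) -> Dict[str, List[str]]:
    """Split threats into those senior management can accept as-is and those
    that need a vulnerability breakdown by subject matter experts."""
    result: Dict[str, List[str]] = {"accept": [], "dig_deeper": []}
    for t in sorted(threats, key=lambda t: t.score(), reverse=True):
        bucket = "dig_deeper" if t.score() >= threshold else "accept"
        result[bucket].append(t.name)
    return result


def exposure_by_category(threats: List[Threat]) -> Dict[str, int]:
    """Highest threat score per lens: the one-line view for senior management."""
    exposure = {c: 0 for c in CATEGORIES}
    for t in threats:
        exposure[t.category] = max(exposure[t.category], t.score())
    return exposure


def build_sample_register() -> List[Threat]:
    """Constructed sample register mirroring the episode's examples."""
    return [
        # Laptop stolen: nothing stored locally, so at worst a $2,000 device.
        Threat("laptop stolen", "confidentiality", 1, [
            Vulnerability("left in unlocked car", 2),
            Vulnerability("left in public place", 2),
        ]),
        # Client data exposed: unauthorized identification of data subjects.
        Threat("data subjects identified", "privacy", 5),
        # Lab results altered before they reach the physician.
        Threat("lab result tampered", "integrity", 5),
        # VoIP migration drops the POTS line behind the elevator phone.
        Threat("elevator emergency line fails", "safety", 5, [
            Vulnerability("POTS line removed in VoIP migration", 2),
        ]),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    print(triage(register))
    print(exposure_by_category(register))
```

With the sample register, the stolen-laptop threat scores 2 and is accepted without rating each of its vulnerabilities, while the privacy, integrity and safety threats score 15, 15 and 10 and land in the "dig deeper" bucket, which is where the subject matter experts would be asked to enumerate and rate the vulnerabilities behind each one.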