🎙 Develpreneur Podcast Episode

Audio + transcript

Security with Tyler Ward

Tyler Ward discusses security and insider threats, emphasizing the importance of proper security training and resources. He recommends the NIST cybersecurity framework and SOC2 as industry-recognized security standards. Annual security assessments and audits are also recommended, along with regular security practices and training.

2024-02-11 • Season 21 • Episode 742 • Security • Podcast


Detailed Notes

Tyler Ward discusses security and insider threats, emphasizing the importance of proper security training and resources. He splits insider threats into two categories: malicious insiders (a planted corporate spy, or an employee who becomes disgruntled and gathers data to take to a competitor or to use as leverage) and unintentional insiders, people put in charge of important systems or data without security training or resources, who make mistakes and leave doors open. The unintentional category is far more common; his firm sees only one or two corporate-spy cases a year. He advises organizations without an in-house security program to get an adviser rather than hand the responsibility to someone who never signed up for it, and to build the program on an industry-recognized standard such as the NIST cybersecurity framework, SOC2 or ISO 27001 rather than a home-grown checklist, noting that a non-technical reader can tick off every control while a security professional assessing the environment will still find gaps in how the controls were implemented. Tools alone are not a strategy: a documented, practised incident response plan matters more than a sprawl of overlapping platforms. He recommends a security assessment at least annually, ideally by an independent third party, with the day-to-day controls (offboarding, patching) checked between assessments, and warns against treating security as a point-in-time exercise.

Highlights

  • Insider threats are a common category of security threats.
  • Insider threats can be malicious (a planted corporate spy or a disgruntled employee exfiltrating data) or unintentional (staff put in charge of systems without security training who leave doors open); the unintentional kind is far more common.
  • People given responsibility for important systems and data need security training and resources, or they become unintentional insider threats.
  • The NIST cybersecurity framework, SOC2 and ISO 27001 are industry-recognized security standards; a home-grown "top 10" is not.
  • Annual security assessments and audits are recommended, ideally by an independent third party, along with regular security practices and training between assessments.

Key Takeaways

  • Insider threats are a common category of security threats.
  • People put in charge of critical systems need security training and resources; organizations without that expertise in house should get an adviser rather than hand the job to someone who never signed up for it.
  • The NIST cybersecurity framework and SOC2 are industry-recognized security standards.
  • Annual security assessments and audits are recommended, along with regular security practices and training.
  • Frameworks only help when implemented properly: a non-technical reader can check off every control while a security professional assessing the environment still finds gaps, so interpretation and implementation are where expertise matters.

Practical Lessons

  • Implement security measures such as access controls, system inventories and a documented, practised incident response plan that says who is on the call tree and how a ransomware attack is handled differently from an insider stealing data.
  • Provide security training and resources to whoever is responsible for important systems, and get an adviser if nobody in house has built a security program before.
  • Base the program on an industry-recognized standard such as the NIST cybersecurity framework, SOC2 or ISO 27001; choose tools to fit that strategy rather than accumulating redundant platforms nobody has the bandwidth to configure.
  • Conduct a security assessment at least annually, preferably by an independent third party, implement its recommendations, and verify between assessments that the day-to-day controls (offboarding accounts when HR terminates someone, patching vulnerabilities promptly) are actually being followed.
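One of the between-assessment habits Tyler describes in the transcript is the offboarding hand-off: HR sends a termination checklist to IT, and IT removes the accounts. The script below is an added example, not code from the podcast or from CSG Cyber, showing how an assessor (or the IT team itself, monthly) can check that hand-off by reconciling an HR roster against an identity-provider account export. It reports accounts still enabled after the owner's termination date, logins recorded after termination, and enabled accounts with no HR owner at all. The records, field names and the assumption that the account username equals the HR e-mail address are all constructed for the illustration.

```python
"""Offboarding reconciliation: HR roster vs. identity-provider accounts.

All records below are constructed sample data for this example; the field
names and the assumption that the IdP username equals the HR e-mail address
are illustrative, not a real system's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    email: str
    status: str                          # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str                        # assumed to match HrRecord.email
    enabled: bool
    last_login: Optional[date]           # None if the account never logged in


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str                            # see reconcile() for the kinds
    detail: str


# Constructed HR export (what the termination checklist is based on).
HR_ROSTER = [
    HrRecord("E001", "alice@example.com", "active"),
    HrRecord("E002", "bob@example.com", "terminated", date(2024, 1, 15)),
    HrRecord("E003", "carol@example.com", "terminated", date(2024, 2, 1)),
    HrRecord("E004", "dave@example.com", "terminated", date(2024, 3, 1)),  # scheduled
]

# Constructed IdP export (what IT actually did).
ACCOUNTS = [
    Account("alice@example.com", True, date(2024, 2, 10)),
    Account("bob@example.com", True, date(2024, 2, 5)),         # never disabled
    Account("carol@example.com", False, date(2024, 1, 30)),     # disabled correctly
    Account("dave@example.com", True, date(2024, 2, 9)),        # leaves next month
    Account("svc-backup@example.com", True, None),             # no HR owner
    Account("erin@example.com", False, None),                  # stale but disabled
]

AS_OF = date(2024, 2, 11)  # the day the check is run


def reconcile(hr_records, accounts, as_of):
    """Return the offboarding gaps visible as of `as_of`.

    Finding kinds:
      terminated_still_enabled - termination date has passed, account still on
      login_after_termination  - a login was recorded after the termination date
      orphan_account           - enabled account with no HR record behind it
    """
    hr_by_email = {r.email.lower(): r for r in hr_records}
    findings = []
    for acct in accounts:
        rec = hr_by_email.get(acct.username.lower())
        if rec is None:
            # Service and leftover accounts need an owner; disabled ones can wait.
            if acct.enabled:
                findings.append(Finding(acct.username, "orphan_account",
                                        "no HR record; confirm an owner or disable"))
            continue
        if rec.status != "terminated" or rec.termination_date is None:
            continue
        if rec.termination_date > as_of:
            continue  # scheduled departure, nothing to remove yet
        if acct.enabled:
            overdue = (as_of - rec.termination_date).days
            findings.append(Finding(acct.username, "terminated_still_enabled",
                                    f"terminated {rec.termination_date.isoformat()}, "
                                    f"still enabled {overdue} days later"))
        if acct.last_login is not None and acct.last_login > rec.termination_date:
            findings.append(Finding(acct.username, "login_after_termination",
                                    f"last login {acct.last_login.isoformat()} is after "
                                    f"termination on {rec.termination_date.isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per kind, the numbers an assessor would put in the report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run(as_of=AS_OF):
    """Reconcile the constructed roster and account export as of one date."""
    return reconcile(HR_ROSTER, ACCOUNTS, as_of)


if __name__ == "__main__":
    for f in run():
        print(f"{f.kind:26} {f.username:26} {f.detail}")
    print(summarize(run()))
```

Run against the sample data on 2024-02-11 it flags bob's account twice (still enabled 27 days after termination, and a login recorded after the termination date), flags the backup service account as having no owner, and stays quiet about carol (disabled on time), dave (not yet departed) and erin (no owner, but already disabled). Pointing the same script at real HR and IdP exports each month is the kind of "keeping their end of the bargain" check the transcript says has to happen between annual assessments.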

Strong Lines

  • Security is a marathon, not a sprint.
  • You cannot afford to have a point-in-time window into your security.
  • You need to have a long-term, structured, and strategic approach to security.
  • You cannot rely solely on security tools and technologies; you need to have the right processes and procedures in place.

Blog Post Angles

  • The importance of proper security training and resources for security professionals.
  • The benefits of using industry-recognized security standards, such as the NIST cybersecurity framework and SOC2.
  • The need for regular security assessments and audits, and the importance of implementing recommendations for improvement.
  • The importance of proper implementation of security strategies, and the need for security professionals to have the necessary training and resources to effectively implement security measures.

Keywords

  • security
  • insider threats
  • NIST cybersecurity framework
  • SOC2
  • annual security assessments
  • audits

Transcript Text
Welcome to Building Better Developers, the Develpreneur podcast, where we work on getting better step by step professionally and personally. Let's get started. Well, hello and welcome back. We are continuing our season of interviews. We are almost to the end. We're almost into season 21 and there are going to be some changes. We're looking at some new things, some different approaches to develop some of the topics, some of the things that we cover and be looking for that when we get into that next season. But right now we are continuing from our prior episode. We're going to be speaking with again, Tyler Ward and we're talking about security. This episode, we're going to get a little bit more into, I think something's going to hit home for a lot of you because it's about how do we either as an organization or as a development team or as a developer approach security and what are maybe some things that we should do to help ourselves, our customers, our companies do a better job in the world of security. So again, he's the expert. So let's get back into our conversation with Tyler. Now are you seeing that in non-government agents when you're dealing with particularly corporations and organizations? Because it's still, the insider is always going to be the biggest threat. Are organizations starting to see that as well or is that still really their Achilles heel? And it's definitely, it's one of the Achilles heels. So I classify insider threats in two different categories. One is a malicious insider who, you know, either they, we've seen this before, either they came into the organization and went through the HR process as a spy intending on uncovering secrets within a company and bringing those out the door with them. We've seen that. You know, so that's one example of a malicious insider. 
Another example of a malicious insider is one that, you know, becomes disgruntled over a period of time and they're gathering data to bring a golden parachute with them or to blackmail the CEO. We've seen that before as well. However, the more dangerous or more common category of insider threats are the people who are in control of the technology that have no idea what they're doing and they're making mistakes. And that's not a slight on them that they don't know what they're doing, but they've been put in charge of certain very important technological platforms or data inventory areas without the proper security training or without the proper security resources to support them. And they make mistakes, they leave doors open and they become insider threats. They're the more common category that we do see. The corporate spies, we do see those, but they're rare, right? We may get one or two cases a year on a corporate spy or an alleged corporate spy. And those are very interesting cases, but it's generally either the person who's become disgruntled in their job over a long period of time and the organization knows, they say, hey, we have a feeling that they're downloading all of our data. They're getting ready to steal all of our clients or bring our information over to a competitor and sell that information. Or the insider threats that are just making mistakes and causing a lot of heartache for these organizations because they're leaving the door open. Yeah, and that's the... And I forget the guy that wrote a book about it that actually spent time in jail, but he said that his... I will never forget when he was talking about the most effective hacking strategies, he said back in the day, he'd walk in an office and leave a little floppy disk on a desk somewhere that said, payroll or something like that. And he said, people would grab that, shove it in a computer, and then he owns it and he's off and running. It's just that you don't know. You're not thinking about it. 
It's not on your radar. And you just... Next thing you know, you've opened yourselves up to a rather large breach. So I guess what would be the most important thing is because you said even from a start, when you start off, you want to start putting these processes in place and have a cybersecurity strategy. So what would be the most important part of a cybersecurity strategy? Maybe, and if it's different, is there a difference from when you first start out versus, hey, or I guess the other one is I'm starting now and I'm doing it right, or I'm starting now and I'm doing it right only because I should have started it five years ago, but I'm just like trying to like make up for lost time. Yeah, it's never too late to start. And I always say that is, you know, and I always take this parallel to a financial aspect of a business. You know, business gets started first three to five years. They're just running. They're just running and going and building the business, building their client base. And there's a lot of things that are out of whack, you know, from a financial standpoint. And then they bring a CPA on or they bring on a financial adviser and then things start to make sense and they get organized. Get an adviser, you know, get somebody who knows what they're doing. If you do not, if you as a business do not have the internal resources that have built a cybersecurity program, when I say program, I'm not talking about a software application, but built a strategy for an organization that is a dangerous territory to bestow that responsibility onto somebody within your organization. First of all, they probably didn't sign up to do that. Second of all, they probably don't have the training or the expertise to do something like that. So if you're in doubt, if you ever have doubts about these things as a business owner or, you know, you're in the C-suite, get an adviser. 
You know, I'm not trying to sell our services here because but there are many firms like us who advise clients on how to go into the right direction. Now, if that's not in the cards for you as an organization at this time, there are free resources out there where you can go and download a cybersecurity strategy and at least get the basics of things, you know, you know, ransomware defense, proper access controls, inventorying your systems, you know, policies and procedures and things like that. There are resources that are available to you out there that are either free or very low cost. You just have to implement those all yourself. But I always say is, you know, we have a lot of engagements that we walk into where organizations, they've taken the steps themselves and then we come in and fix it because it just didn't work. You know what I mean? It's it's they laid in the groundwork for this, but we have to see security as a marathon. It has to be a marathon. It cannot be, hey, we do this thing once a year. We do this financial assessment or this audit once a year. We fix a few things here and then we don't touch it for another year or two years. It cannot be like that. If that is a cybersecurity strategy, if that if you're hearing this and that resonates with you, you need to change. You do not have a cybersecurity strategy that is a point in time window into your security and you need to have something that's long term structured and strategic and evolves with security threats because the security threats that were were in existence two years ago have evolved exponentially today. And the strategy to combat those threats are exponentially different. So if your program is not evolving with that, then you're out of the loop. You're not you're not up with the times on that. So I know that's a long winded way of saying find experts to help you out. But, you know, unless you have a security team who really knows what they're doing, that's what you need to do. 
You need to find experts to help you out. It's very it's just a complex subject, you know. Yeah, so that actually break. One of the things that I've been seeing, particularly with the rise of some of the cloud architectures like you're like Microsoft's got theirs, Amazon and Google and all them, and they have been very good about adding all kinds of security tools and processes and procedures. Is that something that that an organization is starting out? Is that where they can sort of lean there? Or is that just a stopgap measure? And it really they really do need to have somebody that's more, you know, to actually step in and sort of understands it, because sometimes you mentioned tools earlier, sometimes you can sort of like lean on the tools too much. And is that are you seeing that they're they're solid enough that if you follow their, you know, their recommendations that they're going to be pretty good shape? Or is it something where it's like, now you probably you need to do that. And you probably still need to have somebody take a look at it. I would say both, right, because the tools, the tools and the technologies are just one part of it. But if you don't have the processes in place, you know, within your organization and I can give a couple of examples of those, right, if you don't have an incident response plan, you know, a mapped out documented incident response plan of how you deal with it with incident A versus incident B, how you how do you systematically deal with a ransomware attack versus an internal threat or a disgruntled employee who's stealing data? What routes do you take from there? Who is on the call tree for you? All of those things and you're not practicing those, then that's a that's an area of lack, a significant area of lack. The tools are great and you can find a lot of them that are out there. 
But without real direction on which tools you're choosing, you end up with a platform sprawl and platform sprawl is something that we see all too common. We see a security team of five to 10 people and they have a hundred different platforms and a fraction of those are being used. And there's a lot of redundancy. So not only are you paying way too much for tools that are completely redundant and they're, you know, at times conflicting with each other, but the people are not using those tools or they don't have the bandwidth to properly configure and manage them. So I always, you know, err on the side of caution when choosing tools and make sure that they align your strategy. When I talk about strategy, you know, the things that come to mind for me are things like the NIST cybersecurity framework or SOC2. Or, you know, ISO 27001. Those are security standards and frameworks that you can build a security program that's industry trusted, that's trusted not only nationwide, but also internationally. So when you explain to a client, hey, this is what we've based our security program on. It's rooted in this set of standards developed by scientists and hackers and security professionals that is recognized. However, when you come to the table and say, we've, I've developed Tyler's top 10 for security, people are like, get out of here, man. Like, no, there are so many different vetted and studied security standards that are out there now. A lot of them free that that can map you to a more secure future as an organization. The tricky part is the proper implementation. So, you know, if you take one of these security strategies as a non-technical person, the way that you would read it versus a security professional reading these and interpreting how to implement these are vastly different. So you could check mark off all these things as a non-technical person. 
But when a technology professional or security professional reads this and assesses your environment, they are likely to find more gaps in your defenses and find that these controls or these standards are not properly implemented. So, you know, I know that's a long answer, but there's a lot of free resources that are out there. It's just based on, you know, the expertise and the interpretation of these strategies in proper implementation that really matters. Now, have you seen that actually brings some things I've seen before is where you get an organization, particularly I've seen it in software organizations or very or mostly tech organizations where they've got a lot of those implementation resources, where they're like, hey, we'll go in and we'll, you know, we'll download the information for whichever, you know, security process we want to be in compliance with and walk through that and do their own security audit. They'll take a look at it and say, OK, we're going to go get all this stuff fixed and we're good. Have you seen that as effective or is it one of the things where sort of like a financial audit, you know, a security audit where you you don't want the financial auditors to also be the accountants you want to have like that. That third party, second set of third set of eyes to take a look at it. Do you find that with security as well? 100 percent, 100 percent. We we, you know, we do see organizations most of the time when an organization chooses to run their own internal, you know, security gap assessment, it's just based on cost. It's purely cost. That's it. Right. When it's not based on cost savings and they're willing to spend a little bit of money to have an independent third party to come and check it yields much better results. You're having an independent third party to come in and look at this with fresh eyes, no bias around your systems, treating it as a clinical experience to only make you a more secure organization. 
And we've had pushback from security teams. So we've been hired by business owners and business leaders. But dealing with the technology teams, they're they're very married to their technologies and the things that they've implemented. So we're not an audit firm. We always tell our clients as we come in peace, you know, what we talk about with you is only going to you to make you a better organization. We're not auditing you. We're assessing you and, you know, potentially preparing you for an audit if you choose to do that with, you know, let's say a CPA firm that does SOC 2 audits. But we do recommend always having an independent third party take a look at things because it just gives you a view through a much different dashboard with no bias and, you know, from a firm who does this for a living. So they know where the nooks and crannies, where are the gaps that most organizations miss, even with good intentions? Yeah, and that makes sense. I think that it does. It always seems like it's a financial thing. But yeah, you did touch on something that I was going to ask about is the the pushback from the technology people when you when you've got something in there that has built their systems. Particularly if it's, you know, they're they were there from the start. They built their systems, built their their infrastructure. And now somebody comes in and does an assessment. How does that is that something that you is that you see occasionally? You see a lot where they're they order. Do you end up getting accepted as as your intent as you're in there to help them get better or do they usually see it as almost, you know, take it personally or taking it as a negative that there are, you know, that there are gaps found in their security. Yeah, yeah, I'll say that some do take it personally, and it usually takes a little while before they become comfortable with us, because it's like anybody, you know, coming in to check your work. 
And like you said, for people who have been there for a very long time, they see it as a threat. They don't want to look bad in front of their boss. They don't want the owners to think that they were doing nothing. And here's the challenge. And this is this is what we always explain to, you know, the C-suite when we're walking in, we always explain that when we run an assessment, it is not necessarily a direct reflection on your IT team or personnel doing nothing. It's just a matter of this is an extremely complex area that IT professionals, unless they unless they are also security professionals, have studied security, have implemented security programs. Their zone and their focus is to make sure that your business technology works for you and enables you to do your jobs. That's their primary goal. Unless you've also charged them with handling your entire security and implementing a security strategy, your expectations of them doing everything perfectly should be zero. They should not exist unless that is on their job description. Right. So we always start out with that, with that. But but we do see IT professionals that it takes a little bit of time to warm up to them as we go through with them. They they do realize that we're partners to them more so than an adversary. But we we definitely run into situations to where they're very afraid of what we're going to find because they know that there's gaps. We also see the flip side of this equation where the IT directors or managers, they're extremely happy to see us in there because they've been beating this drum for a very long time. They've been saying we have security problems. Something is going to happen. I'm warning you. We need funding for X, Y and Z. We need this platform. We need to clean these things up. And nobody has listened to them. We have those conversations all the time. And by the time we get there, they say, oh, thank God you're here, because now you can help to beat this drum with me. 
We can bring this to the C-suite together. And those are great engagements, you know, and sometimes sometimes that's what the C-suite needs is just an outside perspective to give them a little bit of a bump and say, hey, yep. All the things that your IT team has been telling you that are wrong. They need to change today and and and finding out today what's wrong with your security is better than finding out when you have a ransomware message sitting on all of your servers. It's better to find out today. It hurts less. I will say that that even with the feeling feelings aside and the, you know, the egos aside, put all that away. Is that finding out all of the dirt and uncovering everything today feels better than when you're having to deal with cyber attackers and having to negotiate and having to call a lawyer. It's better to do it today. Always without fail, 100 percent. Now, before we let you go, one of the things you've talked about a couple of times, touch on is the idea of a security audit or assessment. How often do you see that as something is that something should be an annual kind of thing and particularly from a I guess let's look at it from both ways, both if you do an internal audit plus also do a external audit, where do you see like the what is a good time frame for an organization to have in doing those or frequency of those? Yeah, I would say annually. Annually is a good it's a pretty good rhythm to do a finance or a not a financial assessment, but a security assessment. However, in between that annual rhythm, those practices have to be audited as well. Right. So, you know, you go through this large, you know, security audit on, you know, January 1st. But throughout the year there, we need to also make sure that different departments and different personnel are also keeping their end of the bargain. Right. 
Of all of these things that we said that we were doing on day one to ensure that, you know, six months in that everybody is doing the proper things that HR when somebody is being terminated, they're sending that termination checklist over to IT. And IT is taking those accounts out of the databases and making sure that those accounts in access are removed. So on and so on and so on that, you know, when vulnerability testing is being done on month two, that the IT team or the web development team is taking care of those vulnerabilities in a in an expedited fashion of making sure that things are being patched. So, yes, assessments or audits, they should be done at least annually. But all of the things in between are what matter. Right. Those daily good habits, those good habits and best practices. Those are the things that we need to make sure that organizations are, you know, keeping up on. Yeah, that's like it's like trying to cram for the test the night before versus just like do your studying and your homework along the way. And it makes it a little bit easier to get that done. And you're just more confident about it. Then you're not like you're not sweating it when you get to, you know, quote, test time when you're doing like an assessment. You're like, no, we've been doing pretty good. So they'll find some stuff because there's always things have changed. There's always some new stuff. But if you're if you're following those processes, you're going to say, hey, we've been doing we've been diligent in our our pursuit of this. So we should just be able to get some new things to do and be able to just take it in stride. Yeah, I will say that out of all the companies that we've ever assessed and worked with, that not a single one is perfect. So if you're striving for perfection and if you reach perfection and security, let me know where that is, because you can always be better. You can always do better. 
And we've seen we've seen really great security programs and we've run assessments and had teams to where not only do they know what they were doing, but they had everything just dialed in everything. Everything was it was just a well-oiled machine. But we still have recommendations for them. We still have recommendations on how they can get better. But also also seen the flip side of that equation where it's been, you know, a ticking time bomb. And those are the assessments to where there's more gravitas on our recommendations and, you know, very real conversations with business owners of if you don't fix this, you have an imminent attack heading your way. You will be attacked and it will be catastrophic. We've had those conversations before. And, you know, we just only hope that they listen most of the time they do. Most of the time, they take our words and our recommendations and they start to get to work on these things and we help them out with that. I want to thank you so much for your time. And after we've spent this time together and gotten a lot of great information from from you, if somebody's out there saying, hey, I think, you know, I like Tyler, I like what he's doing. I think we can have him take a look at our organization. What is the best way for them to get a hold of you? Yeah, so you can go to our website. It's CSG cyber dot com. So that's Charlie Sierra Golf cyber dot com. You can send us an email at info at CSG cyber dot com. I'm on LinkedIn, Tyler Ward, and my company is on LinkedIn as well. CSG Cyber. Excellent. So, yeah, I think this is, like I said, this is one of those topics and one of those areas where it's always good to every so often, like, you know, scratch that itch a little bit and be like, oh, yeah, we do have to worry about security, because, like you said, it's easy to get caught just running in the regular business stuff and getting getting your applications done in your customer service and all the things that you need to do. 
And it's easy for this to fall off your radar. And the next thing you know, unfortunately, sometimes your your reminder is you get attacked or something like that. But if you can sort of keep up and keep the things, do your best to just that you cover the even the 80 20 rule, if you get most of that stuff covered, it's just going to make it that much harder for somebody to just stumble across your, you know, your systems or your organization and attack you in a way that impacts business. Yeah, absolutely. And I will leave us with this as well. The 80 20 rule, I love that in security. That's phenomenal. And also, if you if you do get attacked and if you have a cybersecurity incident and it's your first one, it will feel like the end of the world. It's not there's there's a light at the end of that tunnel. It may not be the next day, but there is a light at the end of the tunnel. And I promise you will come out with a much stronger educational base and security if you ever do undergo a security attack. But, you know, we're out there to help you. And it's not the end of the world. If it happens, you're not the first. You won't be the last. So, you know, it's just time when that happens to tighten up our boots and and start moving forward quickly. Yeah. That's sage advice from somebody that's been doing this for a few times and seen a few attacks along the way. So once again, I want to thank you so much for your time and for coming out here and talking to us and hopefully have a good rest of your day. Thanks, Rob. You too. It's my pleasure. And that will wrap it up if you didn't already figure that one out. I want to thank Tyler for his time and for just a really great conversation all around. It's a really good one. A little bit different, like I said, than some of our prior security conversations. Some of his background, particularly giving his stories of how he got into it. 
And and even a little bit of the stuff from the things he's seen as he's gone through his his consultations and some of the customers he's worked with, I think are really helpful. And it is useful for us to realize that it's it's not unique anymore to be have some sort of a hack attack of some sort. It's gotten a little different. As we've heard before, there's like it's an industry now. There are companies that essentially all they are are hacking companies. So we want to make sure that we're, you know, staying safe in the digital world as it were, doing some of the things that we need to do to make ourselves less of a target. Any of the I'm going to throw some links in the show notes. So any of the things that he mentioned, take a look out there like your OWASP and people places like that. They really are a good start for building out a more secure organization. But never fear. While this is the end of this interview, we do have another one coming up. Next episode, right back into it. But until then, get out there and have yourself a great day, a great week, because we will talk to you and whoever our guest is next. Thank you for listening to Building Better Developers, the Develpreneur Podcast. You can subscribe on Apple Podcasts, Stitcher, Amazon, anywhere that you can find podcasts. We are there. And remember, just a little bit of effort every day ends up adding into great momentum and great success. Hi, this is Rob from Building Better Developers, the Develpreneur Podcast. We're excited to be on Alexa now. You can enable us by simply saying, Alexa, enable Building Better Developers. And we will be there ready for you every time you want to listen to your now favorite podcast, whether we are your favorite podcast or not. We would love to hear from you. So please leave a review on Amazon.