
April 14, 2025 44 mins

Join host G Mark Hardy on CISO Tradecraft as he welcomes expert Scott Gicking to discuss the Center for Internet Security's (CIS) Controls Self-Assessment Tool (CSAT). Learn what CSAT is, how to effectively use it, and how it can enhance your career in cybersecurity. Stay tuned for insights on creating effective security frameworks, measuring maturity, and improving organizational security posture using the CSAT tool.


Scott Gicking - https://www.linkedin.com/in/scottgickingus/

CIS CSAT - https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat

Transcripts: https://docs.google.com/document/d/1WAI9U0WEUSJH1ZVWM1HdtFEf-O9hLJBe


Chapters

  • 01:16 Guest Introduction: Scott Gicking
  • 02:49 Scott's Career Journey
  • 04:03 The Hollywood Cybersecurity Incident
  • 07:38 Introduction to CIS and Its Importance
  • 09:49 Understanding the CIS CSAT Tool
  • 10:13 Implementing CIS CSAT in a Real-World Scenario
  • 13:00 Benefits of the CIS CSAT Tool
  • 18:38 Developing a Three-Year Roadmap with CSAT
  • 23:25 Scoring Policies and Controls
  • 24:20 Control Implementation and Automation
  • 25:22 CMMC Certification Levels
  • 27:52 Honest Self-Assessment
  • 30:01 Quick and Dirty Assessment Approach
  • 33:07 Building Trust and Reporting
  • 37:38 Business Impact Analysis Tool
  • 40:02 Reputational Damage and CISO Challenges
  • 42:55 Final Thoughts and Contact Information

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hey, I'm sure you've heard about the Center for Internet Security and the fact that they have more than just 18 controls, but they've also got a controls self-assessment tool, the CSAT, and I've got an expert today that we're gonna be talking about not only what the CSAT is, but how to use it and how you can use it in your career. So stick around and stay tuned for the next episode of CISO Tradecraft.

(00:33):
Hey, you've heard us rave about CruiseCon, and now is your chance to join the next one. CruiseCon West, from October 2nd to the 6th, sailing out of Los Angeles. It's not just a tech conference, it's a floating mastermind featuring top voices in AI, cloud security leadership, and even luminaries like the CIA's former CISO and a former team lead from Israel's elite Unit 8200, but the real magic.

(00:58):
The connections you'll make. Visit CruiseCon.com and use code Tradecraft 10 for 10% off. Don't wait. Spots are going fast. Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G Mark Hardy. I'm your host for today, and I've got a special guest, Scott Gicking,

(01:20):
on the call, and we're gonna be talking about the CIS CSAT. We'll explain a little bit more about what that is, what it means, and why you should be involved in this potentially as a CISO. So first of all, Scott, welcome to the show. Thank you, G Mark. Now we met, what, a couple years ago, two, three years ago, as part

(01:40):
of an advisory board for Red Canary. They had invited some industry CISOs to participate, and we had a couple nice get-togethers, one in San Diego County and one over in Hilton Head, and I think we caught up with the one in San Diego where we did some fencing, as I recall. And I didn't make, I made the first round, but I didn't make it past that. I don't remember how well you did on that one.

(02:01):
Correct. I don't remember either, which tells me I probably didn't do that. Yeah, we only tend to remember the victories in life, not necessarily defeats. It seems to be how our selective memories work really well, when ironically, we should be remembering our defeats. That's what you learn. Right. Yeah. Don't learn from success. And as they say, countries don't improve because they win wars.

(02:24):
They improve because they lose 'em. And then they figure, okay, this is what we did wrong. We have to fix it. And the same thing in the cybersecurity world. So tell me a little bit about yourself. Obviously we'd worked as a CISO. Your background, I tell people you come outta central casting from Hollywood as an action figure looking, should be a Dirk or something like that, or some ling guy. For anybody who's listening on the show, instead of watching the show,

(02:44):
you gotta go check out on YouTube. Thank you, Mark. I, so my career actually started in the FBI, so I was in the FBI for 27 years. And initially I was hired as a CPA. And, I'm your vintage, computers were not as big a deal back in the day.

(03:08):
And, where I was engaged in fraud matters, people then began to leverage computers to commit fraud and crimes, and then I specialized in computer crimes. And I had the opportunity to serve overseas a few times. I was very interested in that. And then I worked in our international operations at FBI headquarters and

(03:31):
was lucky enough to be selected to go serve as a diplomat in London for three years, where I was the primary point of contact for cybersecurity matters for the US government in London and Ireland, or UK and Ireland, I should say, stationed at the embassy there. Learned a lot of good things there. Met a lot of valuable partners, and continued my leadership skills.

(03:55):
And then by the time I was eligible for a small pension, a very significant event happened in the entertainment industry in southern California. Pretty catastrophic to a large movie company. If it had anything to do with an interview. It may have had something to do with that. And what happened was the entertainment industry was very interested, very concerned

(04:19):
going forward with producing movies that might make them a target for cybersecurity actors. There was one company responsible for delivering all the world's movies globally, digitally and physically. And that company did not have a CISO. I was fortunate enough to be selected for that role, and I built up a team

(04:39):
and a capability, and I'm telling you, the entertainment industry, very interesting industry, until you really pierce the veil and get in there, you don't realize how interesting it is. But that was a lot of fun. Did that for a few years and then went into Big Four consulting as an interim CISO for companies. And then I went back into industry as a CISO for North America for Hyundai

(05:03):
Motor Group, North America, which covered not only Hyundai, Genesis and Kia, but also other companies. They build trailers, they build robots, they build a lot of different things. And now I'm doing virtual CISO work. A little bit less stress maybe. Significantly less stress as

(05:28):
maybe more than you wanted to know, but, you know, that's kinda my background. No, it is interesting. I, back when the event happened in the Hollywood area, shortly thereafter, back then I was an instructor with SANS. I was teaching their leadership management curriculum and they called up SANS and they said, Hey, I forget, you know, exactly what studio it was, and it's probably just as well anyway, 'cause you're not supposed to mention necessarily names on private contracts,

(05:51):
but they said, Hey, can you come out and teach us about cybersecurity? They said, here are our instructors and here's our curriculum. I said, okay, we'll take this guy. And they picked and chose. They didn't want five days. They wanted one day. So we built out an extract for the course and they got all those things printed out, flew out there, got set up, had all these things, waited in the room. People walking in, the CIO walks in and she said, okay, fine.

(06:14):
I said, today we're gonna talk. He said, no, we're not even gonna look at your courseware. We just want a day of your time. And it's okay, too bad. Didn't know how to get ahold of me directly. But the idea, we never even cracked the books. It was just a matter of saying they wanted somebody who'd been doing this forever to say, what about this threat? What about this countermeasure? What about this action? And things such as that. And it was very interesting.

(06:35):
Not to say that of course wouldn't have been good. I thought it was a very nice extract. But you're right, it's an interesting group of people. I had another opportunity in that area which I didn't take up. Where they were. This was probably nine, 10 years ago, back in the early days where, I say early days of crypto, of course now we've been doing this for quite a few

(06:56):
years, 16 years, but fairly early on where they're gonna come up with their own cryptocurrency and their own coin. It was to be used for funding movies and things such as that, and people could earn their coins by going to certain things. And they needed somebody to do all the security for the infrastructure on that. And we took a look at it and we said, we'll pay you in these coins. And I'm thinking like, can I get paid in dollars?

(07:18):
Maybe get paid in? At the time, even getting paid in Bitcoin was an uncertain thing. It would've been nice to have collected a Bitcoin paycheck when it was $800 and then have 'em show up a little bit later at $80,000. But as it was, it didn't go anywhere. So it's a different environment there. But today, most of us are dealing with different types of challenges than trying to understand the world in Hollywood.

(07:38):
And the reason I asked you to come on the show is that in our conversation we had last week when we caught up, we were talking about something called the CIS CSAT. And so the controls self-assessment tool, let's back up a little bit for a moment and say the CIS, Center for Internet Security. So are you familiar with the background or how it got started, or how it's funded?

(08:00):
I believe it's a nonprofit that was established, like, 2000, about the year 2000. And they help establish standards across the industry and develop frameworks. And I found 'em very valuable. They're also, the California Privacy Act requires that companies

(08:21):
show that they're binding their security to the CIS framework. It seemed, as a CISO for companies, it's a good framework to follow, puts you in a defensible position, but I could let you expand on that more. I'm sure you know a lot more about it. It's interesting, I mentioned SANS. Tony Sager, who had been with SANS for a while, he had spent 30 plus

(08:43):
years at the National Security Agency, is now the Senior Vice President and Chief Evangelist for CIS. And so the CIS controls, of which probably most of us are familiar with, they used to start as the SANS 20 and then the SANS Critical Security Controls and the CIS Critical Security Controls. They dropped the 20 because then they dropped the number down to 18 and they

(09:03):
didn't want the number to be limiting or dictating what it is that they can do. But you're absolutely right in terms of being a very valuable resource. They're a nonprofit, and there's also an awful lot that if you become a member you could download: guidance for how to configure different operating systems, different equipment, and things such as that to best standards, which really answers one of the questions that if you have something set up, if, let's say you're a smaller enterprise

(09:26):
and you're not funded well enough to say, I need an ISO certification because that's gonna cost you some money, or I'm gonna go ahead and get a SOC 2, or that's gonna cost me some money, and I might not have that, but I could still go ahead and use these CIS guides. And they're gonna allow me to go ahead and achieve a level of excellence in my security configurations based upon the experience and the

(09:47):
consolidation of all this information. And so that kind of brings us here to the CSAT, and your experience with that. So if you can, again, we're not selling anything here, obviously it's a nonprofit anyway, but tell me a little about what led you to say, Hey, this might be a good resource, and then once you started looking at it, what made it work for you?

(10:10):
So there were several things that made it stand out. But what happened was I was at a client that had, I'd say they're maybe a small to medium enterprise, maybe medium size. I think they're less than a hundred million in revenue. And they have one security resource, somebody that just started in security that branched off networking, and

(10:36):
they were concerned about their security going forward and wanted to see about bringing me in to help them with their security posture. And like I do this with clients, I also do it when I take on a new CISO role, is I want to understand the environment when I come in.

(10:56):
And I told them, I think it's critical that we understand your environment so we know how to develop it moving forward in a prioritized way. And, as well as many others on the call or cast here, you leverage frameworks. So you leverage frameworks because it's a defensible position,

(11:20):
it's proven, it's prioritized, it's effective, it's comprehensive. As opposed to, how do people sign on, what's your password requirement? How, what do you grab? So you leverage a framework. The CIS control framework is prioritized based on number,

(11:40):
the closer it is from one to 18 being prioritization, and then the level of maturity you are in each of those control areas. So when I sat down to figure out, okay, how are you guys currently operating? What frameworks are you leveraging? They were leveraging the NIST framework, which they mapped to CIS.

(12:01):
But they did have an interesting tool available that came with their CIS Pro membership. I think it's Pro membership. And they said there was a CSAT tool that maybe could help us assess the environment. I found out, so you. In my experience, generally when you're doing an assessment, whether it's a NIST

(12:22):
CSF or ISO 27001, is you've got spreadsheets and you're going through and you're saying, okay, are we doing this control? How effective are we? Let's measure it. And you're tracking it all on a spreadsheet, and then maybe somebody made the spreadsheet, so now it's pull-down. So that's cool. What CIS did is they made this into a software package

(12:44):
where, yeah, it is pull-downs. You go to each of the controls, you determine whether you're using IG one, two, or three, which is the levels of controls. And then you measure each of the controls, the maturity level. And when you do it in their tool, you can come up with a high level,

(13:09):
high level assessment across the environment, across the 18 controls. You can have a single score, your comprehensive average score, you can compare that against industry. You can measure that over time, you can do one that looks at each of the controls. So it looks one through 18. And when we got through with this assessment, we looked at it and we said,

(13:29):
okay, some of these are red, some are orange, yellow, green, and bright green, indicating level of maturity, right? You want to get to bright green if you can. And so you look at the dashboard and you say, okay, I'm looking at the 18. Wow. It's concerning that we got a red one near the front there. I like it. They make it

(13:49):
idiot-proof. You're like, I guess that's the first one we need to look at, right? So it's cool 'cause if you go in and you assess the environment, you sit down with the control owners, you understand whether or not they have a policy. Do you have a control? Do you have automation? Do you have ongoing reporting? And if you just measure just those four things, then you can really understand

(14:13):
the level of maturity they're operating at under that control, or with CIS under that safeguard, the individual safeguard. CIS has 18 controls and there's 178 or something safeguards, if you're going IG three. I think it's 156

(14:34):
if you're going with IG two, that's where you're talking about the complexity environment. And to insert a little bit, if I may, so you've got the three levels there on the benchmarks. Level one is basic essential security. Good place to start out if you really don't have a program. Level two is a more robust defense in depth.

(14:57):
And then the STIGs, for, choose before, level three, or highly specific configurations aligned with the Security Technical Implementation Guidelines. Yeah, exactly. So from one to two to three, deeper and more complex like that. So start at one, because if you start at one, there's only about 45, about 50 or so of these sub-controls.

(15:18):
And as you take a look at the CSAT, it's, wait a minute, it just skips around a little bit. It's, yeah, let's skip around. Because not everything needs to be done at that level, but it's gonna have something for each of the 18 controls, but it's not gonna go into that level of detail. And to your point on the prioritization, you're like, what do I start on first?

(15:39):
So you do an IG one assessment across the controls, and then you look at it, and if this is a complex environment, a company with multiple departments, all that different stuff, then ultimately you're gonna want to do an IG two. Then you can look across the environment and figure out what else do we need to look at from a prioritization perspective. But the thing that was really good about the tool is not just the visibility, and

(16:00):
it generates executive level reports, like it'll do graphs and this and that, and you can determine what industry you're in, compare yourself against peers. And the reason I bring that up, inevitably when you're dealing with executives and you're measuring the maturity of a company's cybersecurity capability, the executives wanna know, how are we doing compared to our peers?

(16:22):
Now I always try to inform them, you have to remember, your peers are not where they want to be. So don't think, oh, we're equal with our peers. We're good, or we're above our peers. Man, we must be great. Yeah, it might be. Yeah.

(16:43):
But it is relevant from a budget perspective, if they need to figure out how much they're gonna spend, how bad shape are they in? Okay. And so I like to use the tool because it gives that benchmarking and it gives it per control area, which, you know, is dynamite.

(17:04):
And then what the tool also does, it gives you the ability to assign to control owners doing the assessment. So I can go, if you're doing the IG one, it's 56 controls, whatever the heck it is, I can send to the control owner that's responsible for software inventory.

(17:26):
Okay. Please provide me, the assignment will be to him, whether or not you have a policy, control, automation or reporting, and then provide me detail related to that area and then attach it to your assignment, and it'll come to me in the portal, and then I go in and I verify the information.

(17:48):
Sometimes the control owner doesn't really understand the question. Maybe we need to go back and forth, get some feedback, but ultimately I verify their assessment of that safeguard and boom, now I understand that particular safeguard. I move on to the next one, and I get,

(18:08):
I'd get a complete picture across the environment if I'm doing IG two, a hundred fifty-six controls, whatever the heck it was, 153. And then now I have a picture of the environment. So now this is current state. That's great. That's dynamite. The tool gives me the ability to assign it to the owners, get a current state picture, validate their information, compare to peers.

(18:32):
It gives an executive level presentation deck with the bar graphs and all this different stuff. That's dynamite. But what it also does, it gives me the ability to generate a three-year development roadmap. 'Cause now I say, okay, if these are my high risk areas,

(18:53):
and I'm looking at 'em from, like I said earlier on the earlier part of the numbers, there's a red, that's gonna be my, let's say it's CIS 3. So now all of a sudden I'm like, okay, we need to bump that one up. We need to, let's double click on that and see where we're weak and where we need to develop. Let's come up with a reasonable plan moving forward for

(19:13):
us to increase that score. What is it gonna take? And the CIS, they provide you an abundance of information, and I leverage a particular piece of theirs quite a bit, called the CIS Controls,

(19:33):
I think it's the controls, but, Assessment Specification for the controls. And what it does, it dives into CIS two, what is it? And then what are each of the safeguards? And then it says, okay, for CIS 2.1, that's establishing and maintaining a detailed inventory of licensed software and what it should include.

(19:56):
And it'll have those policy statements and then it'll say, okay, what if we're running a successful program, what would the metric be, right? What percentage of current enterprise assets contain the necessary detailed information according to policy? It's a simple stat, but that's the reporting piece. And then how are we automating that?

(20:18):
It'll actually tell me, like, what sort of tools can you use to automate that? So there's a lot of information that CIS provided to allow you to be successful, allow you to plan to improve each of the safeguards and raise your level of maturity. So what I did in working with my client is I came up with,

(20:38):
okay, here's our current picture. How are we gonna address, how are we gonna bring it to green, is what I say. 'Cause you see the reds, the oranges, the yellows, light green and dark green. How are we gonna bring this all to green? How are we gonna make this picture greener? In other words, raise the level of maturity. And so, in a prioritized way, you look at

(20:58):
the ones that are the poor performing colors, poor performing rating in the earlier CIS, they can try to raise it up over time, and you do it in a reasonable way. Now you can attack everything at once. How do you eat an elephant? One bite at a time, right? So you stagger it over three years, and I came up with the picture of where we are at the end of actually two years, showing

(21:22):
that basically we're predominantly green at the end of two years. And let me give you a snapshot of the end of each quarter, and at the end of each quarter, leveraging that CSAT tool, I came up with where we are at the end of quarter one of the first year, and I said, and this is what it looks like. And I showed the executive team, here's our current state, here's

(21:43):
where we are at the end of two years, here's where we are at the end of each quarter, and here's the assignments. Here's the level of effort it's gonna take. Here's the level of investment, and it gives a complete picture. And now I can go back and leverage that CSAT tool to make the assignment to that control owner that provided me the current state of the assessment before.

(22:05):
Now I can go back to 'em and say, okay, I need you to work with the GRC group to develop a policy we can work with, and how you can firm up this control against more assets. Because before you told me you were at, you only cover 50% of the assets. And how are we gonna measure this? Because as a security professional, if you're not measuring it, you don't

(22:25):
know whether or not it's effective. You don't know whether it's deteriorating, you don't know whether your environment is changing. And so you want to be sure to try to measure it and keep an eye on that for monitoring progress, right? And we used to say, you can expect what you inspect. Yes. So I'm looking at their scorecard now, which is csat.cisecurity.org.

(22:49):
And if you don't have an account, you can sign up for it, and then you indicate, do you want to be implementation group one, two, or three at the beginning, and then they're gonna show you that list. So I signed up for IG 1, 56 controls out of the 153 total. That's why I say it seems to jump around. And so were you to do that initially, what you're gonna see is just these particular controls. For example, 1.4, maintain a detailed asset inventory, 1.6, address

(23:13):
unauthorized assets, tying into control one complete, your hardware. And as you had brought up an example from two, inventory of authorized software, ensure software is supported by the vendor, address unapproved software. All these things go right down the list, and as you had indicated, pretty much four columns that you're gonna go ahead and you're going to figure out how you score it.

(23:34):
First of all, from the policy perspective. They say there's no policy on that. That's the lowest. It's like a zero. Have an informal policy. Yeah. This is how we do things. A partially written policy, of which I think a lot of us have things like that. I think it has to go beyond a sticky note, but it probably qualifies if you've got at least pen to paper, or fingers to keyboard, a written

(23:54):
policy, and you'd think you'd be done. No, it has to be an approved written policy to get to the five at the very top. Because I've worked with clients where I've had some draft policies that have been ready to go for a long time. It's just they get kicked back. They've been put to the side. It's okay, they're ready when you're ready for them. When we look at the policy, then we can end up with a score and we

(24:14):
can say, we could do pretty well on that particularly, and then we'll say, okay, it's been assigned. How about the control implementation? Is it not implemented? Are parts of it implemented? Is it on some systems? Is it on all systems or most systems or on all systems? And if we say, yep, that's good. And then the fact that you have the control isn't enough.

(24:35):
Is it automated? Because that's why things don't happen if they're not automated. Because I thought Charlie was doing it, well, I thought you were doing it, and then it doesn't get done. But again, parts of the policy, some of the systems, most of the systems, all of the systems. Then just because it's a policy, we've got a control and it's

(24:55):
automated, how do we know? So the last column then is a control reported, and if parts or some or most or all the system reports back, then I'm able to go ahead and say, okay, good. I am able to go ahead and figure something out. And so now I can then go ahead and figure out what should I be able to do with this? Can I assign this to some particular person?

(25:16):
As you say, track it till it gets completed. And then of course, the real trick is to validate it. Much of what we tend to do is be self-congratulatory when we have these self-assessments. CMMC, Cybersecurity Maturity Model Certification, which is appropriate for organizations that wanna do business with the Department of Defense. And that may expand, by the way, to other elements of the federal government.

(25:41):
We'll see where it's going, but DOD said, Hey, we'll do this first. It has three different layers or levels that you'll certify to. And the first one we're back and forth. I signed up in the CMMC ecosystem very close to the beginning, did all the testing, did all the qualifications, registered practitioner, and we figured, okay, great. The hard part was they said, Hey, doing this level one stuff for a small company,

(26:02):
which is really only needed for federal contract information. So you make paperclips for the defense department. Not really any classified secrets there, but you still have to deal with billing and account numbers and things such as that and who is a buyer. So yeah, that gets covered to a certain extent, but the change from version one to version two, to go from, oh, you have

(26:26):
to have an inspector and an auditor validate it, to you can self-attest. And that's huge because the cost of hiring an auditor and bringing somebody in there was considered to be well expensive as compared to the self-attestation. Now, the real trick is for us as security professionals: don't cheat. Of course you could go through and say, yes, I do everything. I did my 50 pull-ups this morning. I went ahead and I ran my four minute mile,

(26:48):
and then after that I lifted tall buildings with a single bound, or, and all the other things that we tend to do. It's say that we did, but ultimately what we wanna make sure is that we assess our overall risk in a way that we, as you would say, communicate it to either client or, for us, it might be the board or just even our reporting senior, whether it's

(27:08):
a CEO or a chief operating officer, or CIO, to whomever you report. If you can show measurable progress, that's also very helpful because if you get to the point where you realize that you're gonna need some more resources, Hey, I can't automate this without a tool, then now you've been able to show we have made this progress and we're gonna be stuck here unless I can acquire this to get me over it.

(27:30):
Now, you don't wanna spring that at the last minute, but it really does help, I think, to show measurable progress that you're moving in the right direction. Because as an executive, I'm much more willing to write a check for a successful operation that has a history of accomplishment than someone who walks in the door and said, oh yeah, I'll get all this thing done for you in 30 days, or 60 days, or 90.

(27:51):
But here's a question for you. You had mentioned doing this quarterly over a couple years, so this isn't a sit down and knock it down on a Friday afternoon type exercise, is it? Certainly the assessment in the beginning, it takes a period of time to accomplish, and you brought up something earlier,

(28:12):
make an honest assessment of yourself andthat's one thing you need to make clear.
when you're dealing with IT professionals,a lot of times they just want to
answer the audit and move on, and theyjust want to give the answer that's
supposed to be given so they look good.
And one thing you need to makesure you're doing when you're
assessing the environment froma cybersecurity perspective, I

(28:35):
need an honest understanding andassessment of the environment.
So when you're sending theseassignments to the control owners,
when I work with the clients, I'm sure toeither meet with all their professionals
ahead of time or the securityrepresentative to tell them, Hey, just
so you understand, this is not an audit.

(28:57):
This is an assessment, a self-assessment,so we can determine where we should invest
our resources going forward and our time.
And so it's important, everybody behonest about our current capabilities.
Now, when you talked about the levelsof maturity under each of those areas,

(29:19):
and what I'm talking about is policy.
Control automation reporting.
Yeah, there's graduated levels ofmaturity under each of those areas and
that it takes time to assess, to answeryour question, it takes quite a bit of
time to make the initial assessment.
Right.
and I have an approach on thatwhich streamline streamlines

(29:44):
it and keeps it honest.
honest enough to have you move forward.
I don't If you spend too much timeassessing each of those areas and
debating it back and forth, it's gonnatake you months to do this assessment.
So I like to do a quick and dirty.
Now, if I'm not working at alarge financial institution,

(30:08):
that has a lot of resources andtalent that they can put to work.
I'm talking about meworking with somebody else.
To reach out to controlowners and try to get a good
understanding of the environment.
And what I try to say is,look, do we have a policy?
Do we have a policy that substantiallycomplies with this control requirement?

(30:34):
Yes or no?
Just make it binary.
Just yes or no a as much asyou can, they go, we have one
written, but it only pertains tothe servers, not the endpoints.
then we don't.
We don't if you have it for 80% ofthe environment and it's 80% correct,
I'll give you a yes and let's put anote there that we need to work on it.

(30:55):
But I'll give you, okay, you got that.
And then control, do you have this control?
We don't really have on an ongoing basis, but we do when we buy the asset.
Then you don't, okay.
Do we have automation?
No, we, you just, you try to be honest with yourself.
Don't get wrapped up too much into the maturity levels of each of those areas.

(31:19):
But if you just take those four areas, policy, control, reporting, and
automation, give 'em 25 points each.
And on this, on the tool, do dropdowns and give 'em between, give 'em 25
points if they have each of those.
So if they have a policy and a control, give 'em 50 points.
Move on.
Yeah.
And then you go back, okay, we're at 50 in this one control.
Now what can we do?
Blah, blah, blah.
Oh, you know what?
Our policy's kind of weak.

(31:40):
We have to rewrite it before we can implement automation.
That's fine.
We'll do that.
But it, I think it's important we don't take too long to dive into the,
whatever IG2 is, 153 controls, whatever it is, you spend way too
much time digging around, right?
Try to do, I'm not gonna call it quick and dirty, but try to make an honest

(32:01):
assessment, but don't spend too much time digging into it so you can figure
out your roadmap going forward.
And when you, when you're working on it going forward, you're gonna see those areas, so I brought
up the two year development roadmap.
We see it, I'm working with a client and we'll see, ah, we had a policy,
we gave ourself credit, but it really didn't include these safeguards.

(32:21):
So we gotta add that back in, whatever.
All that kind of stuff.
Yeah.
And I think the other thing
answers your question.
Yeah, it does, and I think when we're doing the self-assessment, the other
thing to think of is this, is that we always, we don't wanna put ourselves
on report, but avoid the danger of being a little bit too generous
with your initial scoring because
if you go through there, you said, Hey, we're at 98% to begin with.

(32:44):
They're gonna, great.
We don't need to fund that,
Yeah.
But we probably don't even need to fund you anymore because
everything's running fine.
So if, see you next year,
Isn't it funny though?
You wanna be honest,
but you don't want to be too generous,
but you wanna give yourself credit.

(33:05):
You gotta have, you gotta have some runway ahead of you.
And the idea is that if you can show measurable progress, 'cause ultimately
as a senior executive, if I'm not gonna be able to dive into things,
what I used to do is I had a policy where if I had a direct report and
they were telling me about something, their area of responsibility, I would
do what I would call a core sample.

(33:25):
I would drill down and I'd drill down two or three levels beyond
what I really needed to know, but what I thought they needed to know.
And so if they could track with me and said, okay, how many of these
assets do we have in the field?
Eh, we get 147 of 'em.
Okay, fine.
How many are in North America?
Well, 53 of them.
Okay, good.

(33:45):
Now, if they said, I'll get back to you, sir, I'll get back to you.
I'll get back to you.
It tells me that even if they do get back to you, it means
they didn't have the bubble.
They didn't have this operational picture of what they should have.
But as you dive down through, and if you do this over some time and each time
this person tracks, what happens the next time that they give you a

(34:06):
report or they ask for a resource?
You got extremely high level of trust that has been created, and eventually you can
work your way to what in the military, we would call command by negation.
And the way that would work is let's say you are my boss
and I have earned your trust.
Then I could go ahead and say, I've got some initiative.
I know this guy's really busy.
I know what I need to do.
He knows I need to know what to do.

(34:28):
So I would say, Scott, unless otherwise directed, I am going
to go ahead and do these things.
Now, if you say nothing, was not otherwise directed, I'll just make it happen.
So I'm on autopilot, but I let you know in advance before I push a button, pull a
lever just in case you have some insights that I don't have at a higher level.
But I tell people, don't try that right off the bat.

(34:50):
You're gonna really have some problems with people if you have not
yet built that foundation of trust.
But by establishing that, you then make yourself kind of one of the ideal
reporting individuals where the boss never has to worry about what you're doing.
Because you're keeping them informed and you're letting them know what's
happening in advance, and you're able to then document measurable progress.

(35:13):
And if someone from the outside ever came in there and pulled the string, they'd find
out and said, yeah, whatever he's been reporting is exactly where you're at.
Yeah, that's some good advice and
I know some of that came from your military background and, I've,
bureau for a long time too, so you
Yeah.
And similarly, I've, in the bureau you'd be like, okay, I gotta get this done.

(35:34):
And you're, you put it all together.
Okay, I think I'm ready to present it, but then I always stop and
think about the lens of the audience and the lens of the boss.
And what could they ask in a probing way related to,
Okay, you did it.
Now here's the result.
What do you recommend?
Hold it.
I just did it like so.
Now you need to be prepared for that.

(35:54):
Okay, here I did it.
Here's the result.
And I'm thinking this for the recommendation, but let me back that up.
Like you gotta start thinking steps ahead, right?
Just think of your job done, think of what they're gonna do with the result,
and be ready for any probing questions.
And the big error you could make is that, let's say you've gone ahead and
you're gonna be briefing, let's say the board who can make a decision.

(36:16):
You come in there and you say, Hey, this is an issue and this is a
problem, and here's the tools that are out there, things like that.
And it's, they're like, okay, great.
What do we do about it?
It's where do we sign?
It's I didn't think about that part.
No.
Have it in your back pocket.
You pull it, said pressed hard.
You're making three copies.
Glad you asked.
I just happen to have a purchase order here, an authorization or

(36:38):
something like that to move forward.
Yeah, it's getting a little bit ahead of the game, but the idea is it also
shows if I see somebody, I don't want 'em leaning forward too far to the
point where they're obnoxious, but if they, I see that, they say, Hey,
I've got the next step ready to roll.
We're not ready to do that yet, but when we get there,
here's what's happening next.
So when we do achieve that, if there's a very big distraction going on, Hey,

(37:01):
we're dealing with tariffs or something like that, and all, it's okay, fine.
Yeah, that we already, that was already in my mind.
I already saw that a month ago.
That looked good.
Then off you go, and ultimately your goal is that you want to be
believable, credible, and trustworthy.
If you do those things, then of course reliable probably fits in there as well.
You end up, I think, being a much more valuable resource to your organization

(37:24):
as well as most likely creating that type of working relationship with your boss.
That, for me, is a boss, is what I've always wanted out of
somebody that worked for me.
Absolutely.
So going forward then if we say, Hey, this makes sense, as I said,
you can go to the, the CSAT.
They also have a business impact analysis tool, a BIA tool that you could do out

(37:49):
there and you can sign up also for that.
Separately.
It's a ransomware business impact analysis tool, and I'm looking at that right now.
I found out it says identify the relevant categories, could you lose confidentiality, integrity,
availability, and essentially lose productivity across those?

(38:11):
Could you have response costs involve replacements costs, legal costs, could it
impact your competitive advantage?
Then lastly, something that we don't often think about from a technical perspective
but is absolutely real from a business perspective is reputational damage.
And it used to be when ransomware first came out or even breaches

(38:33):
or problems and things like that.
I remember when California Senate Bill 1386 was passed way back when, I think
it was State Senator Feinstein, who was, had advocated for that, where banks,
if they had a breach, had to notify
at least every resident in the state of California that had that.
And, there was a bank that I think used to drive around a stagecoach,

(38:54):
I won't mention the name, that ultimately ended up being the first
company that ended up having to meet those reporting requirements.
They didn't fine you, but the fact that you had to notify your
customers that you screwed up.
It was a big deal, and then other banks would take out
ads saying, we don't screw up.
Why don't you bring your money to us today?
That reputational damage, I think, is muted by what I call breach fatigue,

(39:17):
and you've probably heard that term from other people as well, where it
just goes wrong over and over again.
We used to joke, they said, Hey, if I had a hundred dollar bill for every time
I was breached, I'd be retired by now.
And then when the Equifax thing went through, it's Hey, you
will get a hundred dollar bill.
If you sign up and not too many people sign up, I guess a lot of people
signed up and I eventually got, I think a dollar 11, which is what was

(39:38):
left after attorney's fees and costs.
Okay, fine, maybe I can get most of a cup of coffee there.
But the idea is that reputational damage seems to have been
muted a little bit over time by the prevalence of it happening.
And so just kinda a little bit tangentially on that,

(40:01):
but lemme get your thoughts.
As a former law enforcement professional and as a security
professional, we just go, yeah, if I take a reputational hit, so what?
Or does this still really matter?
And is, so does that give us leverage with the board to help finance our programs?
Yeah, I think, I think it's carrying less and less weight,

(40:26):
and I think it's actually affecting the pro, the profession.
I think in the last couple years,
the CSO profession has taken quite a hit, and I think it's because companies
are, I don't wanna say realizing, but believing that a reputational hit is not
as significant as they had thought years earlier, and it's happening everywhere.

(40:50):
And so what do they, why do they really have to make this investment in this area?
Even financials, they may say, yeah, is a regulatory fine, but the fine
costs less than the remediation.
It's, yeah, it's a business decision and, it's a tough market.
We didn't talk about that during this podcast, but you

(41:11):
and I talked about it before.
It's a tough market right now for CISOs and, and I see that.
When they're posting roles, the salaries that they had once listed now are coming
down and there's so many people that wanna be CISO, they're grabbing it and,
we'll see what results if companies really need to make the investment for

(41:35):
a, a solid experienced CISO or not?
And we used to talk about that when they worked up inside the beltway is you get
somebody comes out with a government or a military pension and they've
already got a baseline of 50, 80, a hundred thousand dollars a year coming
in just by being able to fog a mirror.
So now if your job is paying this, they said, I could, I'll do it for 10K less.

(41:57):
I'm still gonna live better than if I only had that, and it tended
to keep a moderating effect on the salaries, at least at that level anyway, in the DC area.
And my experience has been, it still does.
'cause I work with companies that do hiring up there, and you get
to other places such as New York where you don't have that much of a
factor and you'll see significantly different numbers that take place.

(42:20):
But it's not all about the money, it's all ultimately, I think for some of us,
about the scope of responsibility, the impact that we can make, and the benefit
that we can bring, not just to our employer, but almost society in general.
Absolutely.
Yeah.
And, as CISOs we feel like we're adding value to the business.
We're protecting a good, legitimate business, helping them be successful,

(42:41):
be resilient, maintain employment across all their staff and, be successful.
And, I, something I've always been passionate about is
protecting people and companies.
And, it, it shows.
And that's why I've enjoyed getting to know you over the last couple years
and hope to be able to continue to do as we wrap up the show here, any last

(43:03):
thoughts that you have and also if someone says, Hey, I like this guy.
I wanna hear more about what he has to say, how do they get ahold of you?
You can get me at Scott@gickingassociates.com and just
Dot com at the end, right?
Hey.
Yeah.
So you're not on Ascension Island like .ai or .io, the British Indian
Ocean Territories, but you're gonna be the real live .com.

(43:24):
So Scott@gickingassociates.com.
Or Scott Gicking on LinkedIn.
Everybody's on LinkedIn these days as well as CISO Tradecraft.
So if you're not following us on LinkedIn, if you're out here watching
or listening to the show, please do. We got a whole lot more than just podcasts.
We also have our Substack newsletter.
We have little shorts that we come out as well.
You can get transcripts from our episode.

(43:45):
Plus we're pretty much evergreen, so you can go back and look at the last
220 some odd weekly episodes and see what we've had, which is
a lot when you think about it.
We've been doing this for quite a while and I'm always glad to have somebody
on the show that I think knows their subject well, is reputable and can
provide some insight to our audience.
I appreciate the opportunity and, I really respect you a lot.

(44:07):
I was listening to your podcast before I met you, and, all of a sudden
I heard your voice in the room and I was like, I know that guy.
It's the guy with the face for radio.
There, you.
Radio.
Okay.
Thank you very much, Scott.
For our listeners out there, thank you for being part of CISO Tradecraft.
We appreciate that you are dedicating some of your time to improve your career.

(44:28):
And if you can let it be known to other people in your career path
where you get your secret information.
'cause there's no real secret to CISO Tradecraft, we're here for you.
So I'm your host, G Mark Hardy.
Thank you very much again for staying tuned and until next
time, stay safe out there.