January 20, 2022 8 mins

Join our guest, Andy Jones, CEO of Fortress Security Risk Management, as he shares his number 1 tip for improving your cybersecurity.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hello everyone and welcome to this week's edition of Cyber Snacks.
This is David Myers and I'm fortunate this week to have a special guest. I've got Andy Jones,
the CEO of Fortress Security Risk Management, and he is I've been in this space for a long time on both the preventative side as well as the response side of data privacy and security incidents.

(00:24):
So Andy I want to welcome you and as you know the purpose of the show,
the format of the show is to keep things as tight as possible.
We try to stick around five minutes per episode,
no more than 10.
And so with that in mind I ask you one critical question.
If you could give one tip,

(00:44):
one trick,
one piece of advice to our listeners when it comes to maximizing their security,
what would it be?
So David,
thank you for thanks for the invitation.
Thanks for having us on the show and being able to participate.
I would say a singular tip.
A single bit of advice is a daunting task when it comes to cybersecurity.

(01:07):
However,
given what I believe to be the audience that's going to be listening to this if I were an executive or a business leader and I were contemplating are are the organization's current cyber posture I would say the best advice I can give you is trust but verify. So trust but verify, that's a phrase that you know I hear bandied about quite a bit as well.

(01:31):
What exactly does that mean?
You know it uh the the evolution of cyber threats over the last several years.
The continued evolution to continue expansion.
It's it's something for me when I say trust but verify is as it relates to this question what I'm really thinking of is we we as an organization I think that cybersecurity is a business problem not an IT problem.

(01:58):
Much of much of your audience today.
Much of the listeners probably you're still thinking about cybersecurity in a classical sense that it's an IT problem.
And while we have great IT Tell inside of our various organizations that are out there trying to protect us day in and day out secure our information to protect our users from you know bad actions or accidental actions or sometimes just outright reckless actions.

(02:25):
It's really not an IT problem. IT is only a portion of it uh as you well know there's there's a there's a wide gamut when it comes to risk if I were an executive and uh sitting across the table and someone said trust but verify for me what I really think about is I know my teams are trying to do the best job they can with the tools they have at their disposal with the talent they have at their disposal and frankly with the treasure of the organization that's able that that is at their disposal.

(03:00):
I will tell you that it's it's rare that all organizations are doing this.
Well I think there's a belief across the board that needs to be dispelled?
One of which is,
who's a threat?
There's a,
there's a common misconception misperception out there,
that organizations aren't necessarily a target for these bad actors unless they're a global manufacturer that happens to produce a part for,

(03:30):
for the F-35 Joint Strike Fighter or if they're in healthcare and they have millions of healthcare records.
I it's not the case.
Everyone today,
uh,
is a target.
These are these bad actors don't look at it purely from a targeted specific attack mechanism.
They're looking at it from more of dragnet fishing.

(03:53):
If I can get somebody to click on a link,
whether that's business email compromise or ransomware and just just allow somebody just that slight slip up.
That alone is enough for me to infect your network,
uh,
and create a further activity.
Whether it's again a ransomware,
a business email compromise or,
or set me up for some sort of larger data,

(04:14):
exfiltration or true cyber espionage.
That's all they're looking for.
So when I say trust,
but verify,
ask the tough questions.
Get outside opinions,
uh,
make sure that you can prove what you think you're asking is occurring.
Whether it's your patching efficacy and and how well your systems are being patched,

(04:38):
the training,
efficacy and how well your,
your users and employees are being trained,
uh,
and then maybe maybe it's your insider threat program?
If you even have an insider threat program.
How do you know that the associates and employees that have access inside your system are truly doing everything on the up and up more and more.

(04:59):
We're seeing that that that vector specifically the insider threat being an area of concern.
So i it would sound to me like,
you know,
a big part of what you're recommending then is to make sure that the controls that we put in place are actually moving the needle,
accomplishing the goals that they put their in and intended to do.

(05:24):
So you mentioned a really good simple example for people to understand which is,
you know,
patching of systems,
you can install a utility or what have you that is supposed to keep all your machines and applications up to date.
But unless you have somebody going out and actually double checking and making sure things are up to date,

(05:47):
you don't know if the system is operating the way that it's intended to.
Is that a fair statement?
Absolutely,
Absolutely.
I uh it's rare that I've never been in an environment or talked to anyone where they said we have plenty of cybersecurity people working internally helping us out.
Everyone is understaffed in this space.

(06:07):
If you look at the jobs report internationally the jobs report for service security,
there's 3,
3.5 million job openings that are not going to be filled anytime soon.
So when,
when you think when you think about those policies procedures,
control mechanisms that you put in place to help protect your organization,

(06:28):
your clients that data um how how how frequently you're inspecting it.
It's uh if you want to if you want to dumb it down to the simplest,
Let's go back in time 20 years and let's just talk about backups.
Everyone implements backups or at least everyone thinks they implement backups and a backup strategy 20 years ago.

(06:49):
The proof in the pudding was did we do our annual tape recovery effort to bring back online a failed server or a couple failed servers.
And once in a great while a particularly ambitious CIO or CTO would launch into a data center recovery exercise if there was some catastrophic event like attack on their data center or complete loss of the data center.

(07:16):
Yeah.
In today's world the way these attacks proliferate the way they spread the ease at which they spread.
We really have to go back to that basic of can we recover our environment and prove it,
prove it not just talk about it.
Don't show me your report where you tested one server,
prove it.

(07:36):
Show me that you can you have the resiliency in your cyber posture to be able to recover your environment.
Uh, don't accept a report.
Show proof.
So and I think that that's great advice.
I think that everyone listening here to this should take this piece of advice and go back to whoever says they've got their arms around your security posture and say,

(08:02):
okay,
that's great.
I really believe in you,
but I want you to show me.
So I think that that's awesome, Andy.
Thank you so much for that tip and thanks again for being part of the show.
Not a problem.
Thanks,
David.
Have a good day.
You,
too,
sir.
© 2025 iHeartMedia, Inc.