As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Ron Tosto.
Ron is the founder and CEO of Servadus, a Cybersecurity and Compliance Consulting company. He is a U.S. Navy Veteran with a 24-year career in the Submarine force, where he earned several awards and medals for technical prowess, resourcefulness, and superior leadership. After his military career, he was the Global Lead of PCI Consulting and Assessment practices. The company was one of the three largest Qualified Security Assessment companies in the world. He has a bachelor’s degree in Management of Technology and a master’s degree in business administration. In total, Ron has over 30 years of data protection experience and over 15 years as a Certified Information Systems Security Professional. When not working, he enjoys spending time with his family, traveling and sailing.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Jason, thank you for that introduction and the time for today’s topic. Growing up, my life was fairly simple. Depending on who I talk to, I will tell you I am either from the East Coast or the south of the United States. I was born and grew up in North Carolina. Having poor eyesight, I was not diagnosed or given glasses until I was in the fourth grade. At the start of my sixth-grade year in school I was still at a first-grade reading level. It took a few years of special classes and patient teachers to get me up to speed on my reading abilities. We were fortunate enough to live near the coast until I was about 10, when we moved a little further west into the mountain areas for my preteen and teen years. After a challenge in my high school career, I joined the US Navy and the elite US submarine force. Yes, that means I was underwater most of my life. I spent 24 years in the Navy, served two overseas assignments, and was assigned to five submarines during that time.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My military career was about information security. I was a Radioman by rating. I was protecting sensitive military documents. Encrypting all the information was a fundamental requirement to send the data over the airwaves. As I entered the workplace in the late 1990s, it was a natural fit to connect computers to military transmitters and receivers. Loving a good challenge and making it all work together to send lots of information in a secure manner was absolutely fascinating to me. In my last tour of duty, one of my obligations was to make sure that submarines were following the Department of Defense standards for infosec, or information security. Returning from the military allowed me to discover greater opportunities in cyber security and the compliance programs that go with it.
Can you share the most interesting story that happened to you since you began this fascinating career?
One company I worked for was short on qualified people for computer forensic investigations. I was in the professional services division and was asked to join the forensics team to help with some tasks for a client that suffered a breach. At the time, I was a qualified security assessor for the payment card industry data security standards, or PCI DSS. The particular client processed, transmitted and stored credit card data as part of its normal business operations. That means they also had to be PCI DSS compliant, which requires reassessment annually. One of the tasks of the forensics team is to determine if credit card information was a part of the breach. When credit card information has been stolen in a breach, it has to follow the rules of a PCI forensics investigation, or PFI. The client operations were so complex we had teams on the east and west coasts of the United States with daily check-in calls. Forensic investigations require removal of hard drives from computers so they can be replicated and analyzed as a part of the investigation. What was absolutely fascinating is that the credit card data was segmented from the rest of the network. All the client details had been shared with the hackers. Every aspect of operations had been compromised except for credit card information. The message is that cybersecurity works if given the right attention. If the company had followed the same best-practices security plan used for PCI, they would have never seen the breach. It’s been several years now, and at the time companies were not open to sharing the details of the breach to protect their liability. In a day where we see breaches daily, I always remember the story that cyber security can work. Having a good cyber security program and a compliance program, which is only a validation of security, can make a difference in the long run for an organization. And this was a great story of security that worked in the sea of data compromise.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Just one particular person? That would be difficult. It is every person in our personal and professional lives that make us successful and who we are, and contribute to our achievements. Studies show it is the five closest people in our lives that have the greatest influence.
There’s one particular person that made a difference in my life. It was an officer, previously my executive officer, who had moved on from my team at the time to be the officer in charge of all training for the Submarine force in the Pacific Fleet. We had a good working relationship, so I went to talk to him about the CISSP. He approved me to go to the training and the follow-on certification exam. It was that key decision that led to the opportunity for me to get that certification, which led me into the role I am in today.
On the personal side, of course, is my wife. I am generally a big “take-charge” person. My wife says I just jump into the deep end of the pool without asking how deep it is. Before we were married, I got a job offer in Washington DC while living near San Francisco. We were still googly-eyed for each other and I was only going to get to come home twice a month for two days each time. It was 2008 and millions of people had lost their jobs due to the economy. She knew I could not take unemployment much longer, so she encouraged me to take the job. My responsibility was to get to work on time and follow the rules. That led to a key opportunity that brought me to where I am today, supporting cybersecurity programs after military life.
Are you working on any exciting new projects now? How do you think that will help people?
Personally, I support two organizations at work to rescue kids in southeast Asia that are at risk of human trafficking and other exploitations. It is both exciting and horrifying work at the same time.
For the business there are several projects in play. We started the business as a way to validate compliance of cybersecurity. In a way it is very transparent to the clients and provides them a means to measure their maturity rating in the space in order to build a strategy for their cybersecurity program that supports the objectives of their business. We have an aggressive three-year plan and many tools and features to support our clients. In the United States after the pandemic there seems to be a shortfall of employees in every industry. In cybersecurity there has been a shortfall of qualified people for many years, with an increasing deficit. Being able to help companies with their cybersecurity program helps their business protect their clients. Those people may never know about our company, but our goal is to make their lives safer and more secure through the work we do helping businesses.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
The short answer is to be the tortoise, not the hare. I once had a boss that said I fall into the methodologies of kaizen. Kaizen is a Japanese word that, loosely translated, means constant improvement. I believe that concept applies in the business world, at work and at home. It especially becomes true in the balance of work and personal life. There are many parts of the world that live to work, while others work just enough to live. I spent several years working a full-time job while being a full-time student to get my undergrad and post-grad degrees, but I wish I had taken the time to complete at least my undergrad studies before entering the workforce. Achieving balance between life and work means executing with efficiency. I was fortunate that many of my bosses helped me get promoted because of the extra things I did, but in hindsight I could’ve gotten just as far with less emotion and less work by focusing on the task. There are boundaries between the time spent at work and the time spent at home.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
That’s a very interesting question. I think the first part is evolution, second would be the innovation, and third is the complexity.
In the 1980s, the movie WarGames depicted a teenager that broke into a military system by learning the basic password for the programmer. The President of the United States watched the movie at the White House and, intrigued enough, he asked his military advisers if the scenario was possible. And while passwords are still the weakest link for security, we continue to evolve the identification and authentication methods in order to keep information systems secure. Today some of those systems are biometrics and multi-factor authentication. Biometrics can be facial recognition, fingerprint reading, and voice recognition. As technology systems evolve, so does the security that goes behind them.
The way we carry out the methods of cyber security demands innovative ways that provide security while not adding so much complexity that it’s not worth the use. It would not have been an option in the 90s, when most people did not have a cell phone, but today receiving a code via text, along with our password, takes very little of the user’s time and adds a layer of defense for the user. When that step is protecting people’s financial records, it is a pretty big step in data protection.
As a person that believes in and enjoys Kaizen, the complexity of cyber security constantly adds pieces to the puzzle every day. Learning new methods to train people, develop systems, and support business is fascinating! Cyber security, like technology, is not going to turn back in time. While taking classes for my undergrad degree I took a computer forensics course. It was that class in forensics and investigations that made me realize I could spend years studying the art of cyber investigations. Yes, there is the basic part of cyber security forensics, but it’s also very complex. If you are looking at ways to constantly improve, then cybersecurity is definitely a career area for you.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
From a business point of view, connectivity to the Internet has an immeasurable positive impact on the entire world. From a security standpoint, it has had a completely disastrous impact on the world. The connectivity of companies that were supposed to be a part of the cyber defense has actually been the threat factor. SolarWinds and Kaseya are two examples. Cloud computing has made it easy to integrate work tools. Companies need to work towards a plan for independent operations and methods for verifying data sharing and integration, such as secure APIs. It also means that there must be a way for security service providers to achieve security and to be able to demonstrate that security to the world at large.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
The story I have is about permitting the breach. One of the bigger challenges for organizations is vulnerability management. What’s interesting is the challenge with managing vulnerabilities when it comes to process and capability. It is easy enough for companies to understand the current set of vulnerabilities within information systems. The challenge comes from taking the document that identifies vulnerabilities and converting it into a process that will repair systems or update/patch software applications. One of my past hospitality clients handed me a report showing more than 500 system vulnerabilities. This company had already been breached twice in the previous 12 months. The report they handed me was also 12 months old. After a little prodding, they handed me a new report that also had more than 500 system vulnerabilities. Because of the previous breaches, they were under an extreme amount of pressure from outside organizations to demonstrate the improvement of cybersecurity. Without addressing the vulnerabilities, they would be subject to breach number three in a short time. They had the right capacity of people, but they did not have the capability to log, correct, track, and re-validate that the vulnerability was no longer present. We were able to help the company develop a process and went through these steps each time they received a new report on vulnerabilities. In the process, the company was able to replace all systems with newer, faster and more capable systems, which actually helped operations. At the end of the day the company was able to routinely manage vulnerabilities in such a way that securely ensured there was not another breach. That company has had no further breaches in the last five years.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I can tell from my stories I’m a believer in taking care of the basics. Patch management and vulnerability management are a key part of those basics. In the area of vulnerability management, we use the QualysGuard tool and recently partnered with Qualys as a reseller to provide add-on services for companies. After having a good vulnerability management scanning tool, there are very few tools we feel we could recommend. SolarWinds distributed the Sunburst vulnerability placed in its tool by hackers. They did not know there was a breach or that their software was compromised. SolarWinds was considered a leading service provider in network monitoring and management prior to the event. The U.S. Government was one of their clients. This has set the example of what it means to not be a trusted partner. In effect, it means that each business that uses tools has to run tests on the tool prior to putting it in a production environment. There are several tools out there for managing changes and patches to systems. It really takes the right due diligence to determine which one fits in your current environment.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Over the last few years, cloud providers have really stepped up in terms of security. The popular providers also have the right tools and teams in place to ensure the infrastructure is secure. For older organizations, the first step is taking a hard look at the infrastructure. There is never a time that a company can go with over-the-counter software alone. Log management tools like Splunk are wonderful, but they require people to operate the tools. There are companies like Servadus Consulting that can provide a security management program and a virtual Chief Information Security Officer to make sure the company has the capability in cybersecurity. In June 2020 there were more than a half million open cybersecurity positions, and that was an increase of 200,000 from February of the same year. The gap between the needs and availability of resources is increasing at a greater rate than other jobs, including cyber jobs. If your company does not have the right capacity or resources, the company should quickly reach out to a company like Servadus to help them find the right balance between software and competent people to run their security program.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Ransomware is at one of its highest levels of attack. Those attacks are often carried out by email and other social engineering exercises. For people that open an email and see grammatical and spelling errors, the email is suspect. Those errors are indicators of a false email. Few people work in an office now, but if you hear of several people getting the same email from an unknown source asking for information, or to visit a website, don’t click on the links and take the time to report it.
If there is a lot of activity on the hard drive, or you see the network indicators transmitting a lot of information when you’re playing solitaire, then you are seeing an odd indicator. If it doesn’t seem right, then it is not. One of my technology clients realized they had been breached when the hacker that was removing data from a database filled up the hard drive. The network monitoring team got an alert of a full drive, not of the breach. Often it is the small indicators that should help you raise a flag.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The best approach after a breach is to prepare the plan before the breach. Organizations must have a disaster recovery plan and a business continuity plan, and they must walk through the plan on a regular basis to be prepared. Any reaction following a successful data breach will not remediate the damage inflicted on the organization, its brand, and its customers. If a company wants to stop the bleeding, disconnect from the Internet and shut down the systems. This of course does not provide any business continuity, and while it does protect from further damage, it can and will spoil customer confidence.
GDPR and CCPA were put into effect because companies did not do the right thing. This is one of those cases of “pay me now or pay me more later.” The privacy measures you mentioned are steps taken by governments as companies pay more later. For companies that operate a good business, it is extra administration to assure customer data is protected. However, for companies that are in the business of selling information, specifically consumer information, it puts a challenge on the business. I’ve seen those businesses anonymize the data so they can conduct analytics.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The biggest mistake is not testing their systems and patching their systems and applications. Having good security is a process instead of a point in time. As systems and software evolve, new vulnerabilities are introduced. A company’s infrastructure could be secure one day and be the weakest link the next. Additionally, threats change almost daily. The fluidity of vulnerabilities and the changes in threats are key elements in determining the risk of a breach. Risk is a moving target, and it is hard to quantify the risk at any given moment. Companies cannot change the threats, but they are in control of the vulnerabilities. There are many ways to learn about the weaknesses in their systems. Using an internal or external team, companies need to protect their assets by testing the system for weaknesses, remediating them, and retesting the system to verify the weakness was removed.
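The test-remediate-retest loop described here, and the log/correct/track/re-validate process from the hospitality client story earlier in the interview, can be made concrete as a small tracker that reconciles each new scan report against the previous state. This is an added example, not Servadus code or the QualysGuard tool; the hosts, check ids, change tickets, dates and SLA days are constructed sample data.

```python
"""Vulnerability remediation tracker (added example, not the interviewee's code).

Each scan report is reconciled against the previous state so every finding
moves through: LOG (ingest) -> CORRECT (fix recorded) -> TRACK (SLA) ->
RE-VALIDATE (the next scan confirms, or does not confirm, the fix).
All hosts, check ids, tickets and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

Key = Tuple[str, str]  # (host, check id)


@dataclass
class Finding:
    host: str
    check_id: str
    severity: str
    first_seen: date
    last_seen: date
    # open | pending_revalidation | verified_fixed | regressed | gone_unexplained
    status: str = "open"
    ticket: Optional[str] = None


class Tracker:
    def __init__(self) -> None:
        self.findings: Dict[Key, Finding] = {}

    def ingest_scan(self, scan_date: date,
                    report: Iterable[Tuple[str, str, str]]) -> Dict[str, int]:
        """LOG + RE-VALIDATE: reconcile a report of (host, check_id, severity)."""
        seen = set()
        for host, cid, sev in report:
            key = (host, cid)
            seen.add(key)
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(host, cid, sev, scan_date, scan_date)
                continue
            f.last_seen = scan_date
            if f.status == "verified_fixed":
                f.status = "regressed"  # a closed finding came back
            elif f.status in ("pending_revalidation", "gone_unexplained"):
                f.status = "open"  # the claimed fix did not hold / it was only unscanned
        for key, f in self.findings.items():
            if key in seen or f.status == "verified_fixed":
                continue
            if f.status == "pending_revalidation":
                f.status = "verified_fixed"  # scanner confirms the recorded fix
            elif f.status in ("open", "regressed"):
                f.status = "gone_unexplained"  # vanished with no fix on record: check coverage
        return self.summary()

    def mark_corrected(self, host: str, cid: str, ticket: str) -> None:
        """CORRECT: a fix was applied; it still counts toward the SLA until a scan confirms."""
        f = self.findings[(host, cid)]
        f.status = "pending_revalidation"
        f.ticket = ticket

    def summary(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for f in self.findings.values():
            counts[f.status] = counts.get(f.status, 0) + 1
        return counts

    def overdue(self, today: date, sla_days: Optional[Dict[str, int]] = None) -> List[Key]:
        """TRACK: unconfirmed findings older than the SLA for their severity."""
        sla = sla_days or {"critical": 7, "high": 30, "medium": 90}  # assumed SLAs
        return sorted(
            (f.host, f.check_id) for f in self.findings.values()
            if f.status in ("open", "pending_revalidation", "regressed")
            and (today - f.first_seen).days > sla.get(f.severity, 90))


def demo() -> dict:
    """Walk three monthly scans through the tracker (constructed data)."""
    t = Tracker()
    jan, feb, mar = date(2021, 1, 1), date(2021, 2, 1), date(2021, 3, 1)
    s1 = t.ingest_scan(jan, [("web01", "CHK-1001", "critical"),
                             ("web01", "CHK-2002", "medium"),
                             ("db01", "CHK-3003", "high")])
    t.mark_corrected("web01", "CHK-1001", "CHG-101")  # patched
    t.mark_corrected("db01", "CHK-3003", "CHG-102")   # patch claimed, but...
    s2 = t.ingest_scan(feb, [("web01", "CHK-2002", "medium"),
                             ("db01", "CHK-3003", "high")])  # ...CHK-3003 is still there
    over_feb = t.overdue(feb)
    s3 = t.ingest_scan(mar, [("web01", "CHK-1001", "critical")])  # closed finding returns
    return {"jan": s1, "feb": s2, "mar": s3,
            "overdue_feb": over_feb, "overdue_mar": t.overdue(mar)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Findings that disappear without a recorded fix are held in `gone_unexplained` rather than closed, because a decommissioned host or a scan coverage gap looks identical to a remediation in the report alone.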
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
As the stay-at-home orders went into place, companies went into a mad dash to implement Work At Home (WAH) protocols. Entire call centers closed. Agents on the phone often work with customer private information. At the same time, spouses and children were at home. Companies did not really have a handle on many of the cybersecurity or privacy errors. Virtual Private Network, or VPN, usage went from about 20 percent of the company to 90 percent and more. Companies had to add the capacity. That much change so quickly can lead to errors. During the pandemic, Zoom, a video conferencing tool, was used so much it became the reference word for conference calls. We have all heard the phrase “let’s have a zoom call.” Before the pandemic, the security of Zoom was considered an add-on feature. Zoom and the world learned quickly that security should always be a fundamental part of communications. Fortunately for Zoom, they were able to quickly see the error of their ways and implement new security protocols in every “zoom” call. During the time of Zoom without security there were plenty of privacy errors.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
This is an awesome question and very important for everyone. There are a lot of things that need to be done, and usually there is a budget constraint. It is imperative that we remember the basics. Here are the five things I believe are fundamental to data protection, data privacy and cyber security.
- First, understand the location of the data that needs to be protected. How can data protection be in place if a company does not understand the location of sensitive data? All data is not equal. For the company there is intellectual property, financial records, operational records, and client records. Take the time to determine what is most important and why. Let’s look at KFC as an example. Their recipe is intellectual property. If KFC let the recipe out to the world, then KFC would no longer be unique, and that is lost forever. Operations records are good for the current time period. The loss of operations records may be bad for the day or quarter, but the company still has its uniqueness in place. For this example, knowing the recipe has a higher value than operational records, and that lets the company build appropriate security controls.
- Set the expectation or plan in place. That comes in the form of policies. The published privacy and data policies are a great place to start. My daughter recently did a cross-country drive with a friend. She had a plan that had stop locations, the number of miles to drive a day, and the activities between the driving times. It is those policies that drive the data protection designs by several groups. Cybersecurity and privacy are a group effort. If the Chief Information Security Officer is the only person to know the plan, then the plan will fail.
- Implement a Security and Compliance program. Security controls must be in place and mature through the life of your company. They also need to be sustainable. In a study of PCI DSS compliance, it was determined that most companies without a sustainable security program are no longer compliant or secure between 3 to 9 months into a 12-month validation period. Monitoring the security program is the compliance piece of the puzzle. That is the report card, per se. Embrace the feedback received from reviews of security controls. If they are not maintainable, then it is not sustainable. It requires a change to have a different result. There are several frameworks already available to implement a good security program.
- Have the right team in place. In order to have the capacity and capability, it takes the right human capital to maintain an outstanding security program. If there are not enough internal resources, then you must get help. Threat skill-sets and competency for the resources are also another imperative. Help comes in a wide variety of services: staff augmentation, consulting services, virtual CISOs, and managed security services. Servadus provides support with most of those options.
- Communications is a multifaceted capability. The training that is provided to every person within a company is part of the communications. Last week there was an announcement of a group that intended to step up the intensity of ransomware attacks. Did your company advertise that to employees and give guidance and reminders to not click on emails that didn’t make sense? Prior to COVID-19, almost every time I walked into a company, there would be a security awareness poster that had been on the wall for more than three years. While the three-year-old poster reminding you to lock your computer when taking a break is good, it does not represent good communications. Security challenges and privacy concerns need to be addressed more dynamically than updating a poster once every three years. It does take a great team to have a good security program, and every member of a company is a part of that team. There has to be a culture of open dialogue about problems or challenges in maintaining security, and when things go wrong, be equipped to take action on those challenges. That all comes from communications.
Again, these are foundations that every company can use to improve their security programs and reduce the risk by reducing the threats while improving data protection, data privacy and cybersecurity.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Good security practices and awareness start with you as an individual. It seems like a daunting task to have more than one password for your 100 different apps, but there are tools and ways to help you have complex passwords that you do not have to remember. Personally, I shifted to randomly generated passwords two years ago, and while it seems much more complex, it actually was very liberating not having to remember my passwords. It takes seconds to protect yourself with multi-factor authentication. LinkedIn, Facebook, Twitter and many other social media platforms support multi-factor authentication. Like the passwords, I personally implemented this concept with my social media accounts. I have less risk and less worry about someone defacing my Facebook account. And when I get that spam email that says you have logged in from some unknown location, it makes it easy for me to recognize spam attacks. If you have a smart phone, the multi-factor app setup is easy and achievable. Give yourself peace of mind and set the example for others.
How can our readers further follow your work online?
Thank you again for the opportunity to speak with you on this topic. It was a fascinating set of questions and I appreciate the opportunity to speak to them. For more about me and my company, visit my LinkedIn profile at www.linkedin.com/in/ronaldtosto/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!