As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Richard Greenberg, CISSP, a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker.
Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security. His Project Management, Security Management and Operations, Policy, and Compliance experience has helped shape his broad perspective on creating and implementing Information Security Programs.
Richard has been a Chief Information Security Officer (CISO) for 15 years, Director of Surveillance and Information Systems, Chief of Security Operations, Director of IT, and Project Manager for various companies and agencies in the private and public sectors.
You may have heard Richard’s interview as a Cyber Security expert on Will Ferrell’s Ron Burgundy podcast: https://www.iheart.com/podcast/the-ron-burgundy-podcast-30270227/episode/cyber-security-47951911/.
Richard is the Founder and CEO of Security Advisors LLC, which offers fully-managed security assessments and penetration testing services that allow organizations to continuously assess their internal and external cyber risk posture, and helps companies with compliance issues.
Richard is an Information Systems Security Association (ISSA) Distinguished Fellow, one of only 64 worldwide, and has received their Honor Roll designation (only 55 worldwide). He has also been selected as a finalist for both the (ISC)2 Americas Information Security Leadership Award in the Senior Information Security Professional category and the Los Angeles Business Journal CIO of the Year in Security.
Richard serves on the OWASP Global Board of Directors, leads the OWASP LA Chapter, and has been Co-Chair of the highly successful AppSec California conferences. Richard also is President of the Information Systems Security Association Los Angeles Chapter and is Chair of their widely recognized annual Security Summit and CISO Forum.
Richard’s reach in the Southern California region is extensive. He has worked diligently to bring together the various Southern California IT and InfoSec organizations to enhance their collaboration efforts, to help reach new IT and InfoSec professionals.
Richard is a published author and has spoken on Information Security individually and on panels.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Thanks for the opportunity! I was born and raised in Manhattan in New York City. I loved the sights and smells of the bustling city. I would take buses and trains everywhere, at a young age, including to Yankee Stadium and Shea Stadium. I was exposed to a huge amount of art and architecture, plays, shows, and even opera. My mother relates that when she asked how I liked the opera, I replied it was pretty good, but too much singing. Individual and civil rights were stressed highly in my family, and I hold those two tenets very highly. I played baseball and football in college, but am paying for that now. But I would probably do it again, if given the chance. Sports have helped me tremendously in my professional career. The discipline and work habits they instilled in me are essential to my success.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
That’s a very interesting question and one that I’m sure results in a lot of fascinating and different types of responses. In my case, I was a Director of Information Technology and was tasked by the head of the organization with building an infrastructure that would support a hundred business partners. Now this was occurring back in 2000, and the existing VPN was inadequate. So I started designing and building a new one. This raised the ire of some Executives who thought that the existing structure would support our needs. As soon as I started to build a new one, I was regularly receiving threatening emails. I felt it was in my best interest and the interest of the organization for me to enhance my information security knowledge. I signed up to take a class and was learning all about infosec, when the teacher remarked, “hey, you’re the only one who has not signed up to take the CISSP exam at the conclusion of the class.” I responded that I was an IT professional, not an expert in security. For example, I knew very little about encryption. However, he told me that I had asked the best questions and seemed to be the most attentive. I guess from all the years of project management, that seemed natural to me. Well, long story short, I didn’t take the test right after the class, but I did in a few months and passed. As a result of this, I started putting CISSP after my name, and when others in the organization saw this, to my surprise, all questioning stopped. That had not been my intent, but you have to remember this was 20 years ago, and certifications seemed to hold a lot more weight back then. I never looked back, as I pursued newer positions specifically in InfoSec.
Can you share the most interesting story that happened to you since you began this fascinating career?
Yes, I really like this question, as it allows me to share not just my experience but a personal message to everyone. I had been a Novell Network Manager and due to the downturn in the economy, was laid off. I was then highly recommended by my previous company to another company who then offered me a position, but it was a Unix Systems Administrator. I would be responsible for supporting Sparc 10 workstations as PCs and also servers, with BNC connections on a daisy chain Unix network. I thanked them but told them that I really had no Unix experience, but they insisted and said they would train me. This basically was the previous Unix Administrator sharing everything he knew over four days of firehose training.
The night before I was to start the job, I was extremely nervous and felt that I was going into a situation way past my capabilities. Then, fortuitously, my girlfriend put on the television and a movie came up called The Great Imposter. In this amazing biography, a person fraudulently took on a variety of jobs and roles without any qualifications, and was highly successful at them all, including a marine, a monk, and a prison warden. The most amazing one, and the one that really grabbed my attention, was a physician on a Royal Canadian Navy ship. In a memorable scene, he is faced with having to care for and save several who had come aboard from a distressed ship. As wounded sailors are brought in to his room, he grabs a medical book and starts researching diagnoses and appropriate treatments, successfully treating all three — even completing the amputation of one man’s leg. I sat and watched with amazement, and then felt that I had enough basic networking knowledge that I too could read and succeed in my new job. It took me many hours of overtime to learn while working, but I will always remember the movie, and the important lesson that we all should be stretching our envelopes, and pushing past our comfort zones.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
When I took on the role of Unix Systems Administrator, you could call company Helpdesks and the person who would answer the phone was the equivalent of today’s level 3 support tier. Calls were also free, and the person could stay on the phone with you for a long time. These folks were my best friends, and had a profound influence on my success in my position.
Are you working on any exciting new projects now? How do you think that will help people?
I was elected to the OWASP Global Board of Directors in 2018. The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. We are working on trying to get the word out to all companies and organizations about the amazing tools, templates, checklists, and frameworks that have been developed by experts in software security under the OWASP umbrella and are available for free. Most people have heard of the OWASP Top 10, but this is just one of over a hundred open source projects. Hackers are breaching networks on a regular basis through layer 7, and the use of these OWASP resources can have a major impact in helping with more secure software. Find out more at owasp.org.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
We all need balance in our lives, and too much work or too much play can send us outside of our “center”, resulting in unintended consequences to both our psyche and physical self. I have seen the manifestation of overworking and its effect on people. Many will turn to substance abuse, such as alcohol and drugs. We have all heard stories or seen firsthand how overuse of these can cause harm to internal organs and personalities. People should be busy with other things outside of work, such as hiking, art, history, books, games, and other adventures to keep them whole and relaxed. We all need to grow as well, and areas for growth should include areas outside of what we are doing for work. We all need to dedicate ample time for family and friends, and not let our careers overshadow these hugely important aspects of our lives. Balance is indeed the key.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
I would say I am most excited about the people, collaboration, and the sense of community. The cybersecurity industry has so many dedicated people who I have learned so much from, and hope to continue to do so. I love that so many are willing to share their experiences, pain, and solutions. The more we collaborate, the more prepared we continue to be to meet the challenges of our highly connected world. I have had so many interesting conversations with so many in our field. I always walk away having learned something new about someone that I did not know before. New friendships have sprung up the more we have all shared. Our industry is really a community, and so many want to always provide assistance. So many are very active in social media, discussing important issues in our field, and in the world. So many come from so many varied backgrounds, but the common bond of Cybersecurity creates a lasting and important link for us all.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
One of the technologies that we need to keep a focused eye on is deep fakes. Sure, today there are some solutions that can identify them, but we are indeed in an arms race, where newer and more clever ways to create fake videos are being chased by these solutions. The incredible amount of funding behind emerging deep fake technology can result in a time where there is a gap and some fakes could go undetected. This can change important events in our lives, including influencing presidential elections. But imagine, if you will, the effects on the stock market and companies’ valuations with the creative use of deep fakes.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
A dozen laptops that were in locked file storage were stolen. Fortunately, I had put in place processes that removed sensitive data from all of the laptops. Upon return from the user, as part of the check-in process, the laptops were wiped, and a new standard image was installed prior to the laptops being put into storage. Proactive planning and controls are the keys to helping protect your company.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Many of my peers incorporate network vulnerability scanners, endpoint protection management dashboards, and patch management solutions into their Information Security Plan. But are they all reviewing results and creating remediation plans? Is there ample follow-up on remediation efforts? Are InfoSec heads also comparing the various reports from these and other tools? I would compare results and always found systems that were identified in network vulnerability discovery scans that did not have the endpoint protection or patch management agent fully and properly installed, and thus were not showing up in the consoles of these two tools. Without these report comparisons, several unprotected systems could have been backdoors into our network.
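The report comparison described in the answer above, as an added example (not the interviewee's code): three constructed inventory exports, one from a network discovery scan, one from an endpoint-protection console and one from a patch-management console, are normalised on hostname and cross-referenced. Hosts that the scanner saw but that have no healthy agent in one of the other two consoles are the "unprotected systems" the answer warns about. The export fields, the seven-day staleness cutoff and the sample hosts are assumptions.

```python
"""Cross-check three asset inventories to find hosts the management consoles
cannot see. Added example, not the interviewee's code; the inventories below
are constructed and the field names are assumptions."""
import ipaddress

# Constructed export from the network vulnerability discovery scan:
# everything that answered on the network, whether or not it is managed.
VULN_SCAN_HOSTS = [
    {"ip": "10.1.2.10", "hostname": "WEB01.corp.example"},
    {"ip": "10.1.2.11", "hostname": "web02.corp.example"},
    {"ip": "10.1.2.12", "hostname": "db01"},
    {"ip": "10.1.2.13", "hostname": ""},           # scanner could not resolve a name
    {"ip": "10.1.2.50", "hostname": "hvac-ctrl"},  # embedded device nobody enrolled
]
# Constructed export from the endpoint protection console.
EDR_AGENTS = [
    {"hostname": "web01", "last_seen_days": 0},
    {"hostname": "web02", "last_seen_days": 40},   # agent installed but silent
    {"hostname": "db01", "last_seen_days": 1},
]
# Constructed export from the patch management console.
PATCH_AGENTS = [
    {"hostname": "WEB01", "last_checkin_days": 2},
    {"hostname": "web02", "last_checkin_days": 3},
    {"hostname": "db01", "last_checkin_days": 1},
]

STALE_DAYS = 7  # assumption: an agent silent longer than this is not protecting the host


def norm(name):
    """Normalise a hostname: lowercase, strip the domain suffix and whitespace."""
    return name.strip().lower().split(".")[0]


def scanned_hosts():
    """Map normalised hostname (IP when no name resolved) -> IP from the scan."""
    result = {}
    for h in VULN_SCAN_HOSTS:
        key = norm(h["hostname"]) or h["ip"]
        result[key] = h["ip"]
    return result


def healthy(records, age_field):
    """Set of normalised hostnames whose agent has reported within STALE_DAYS."""
    return {norm(r["hostname"]) for r in records if r[age_field] <= STALE_DAYS}


def coverage_gaps():
    """Return {ip: [missing consoles]} for scanned hosts lacking a healthy agent."""
    edr = healthy(EDR_AGENTS, "last_seen_days")
    patch = healthy(PATCH_AGENTS, "last_checkin_days")
    gaps = {}
    for key, ip in scanned_hosts().items():
        missing = [name for name, seen in (("edr", edr), ("patch", patch)) if key not in seen]
        if missing:
            gaps[ip] = missing
    return gaps


if __name__ == "__main__":
    for ip, missing in sorted(coverage_gaps().items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:<12} missing: {', '.join(missing)}")
```

Hosts that only appear in the scan are the ones to chase first: the consoles report nothing about them, so a dashboard that reads 100% patched can still be true of the managed population and wrong about the network.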
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
For small companies, or those who have not budgeted adequately for Cybersecurity, there are open source solutions that can be deployed on a company’s network, but these typically involve customization. Thus, there is a need for resident Cybersecurity skills. Many companies are outsourcing many Cybersecurity functions to a managed security service provider (MSSP). There always is a need for the head of information security, even if most functions have been outsourced. Oftentimes in these situations, we see virtual CISOs helping small companies. These can be individuals who act as a part-time CISO, or companies that provide CISO functions in the form of an assigned vCISO.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
This is really important, as the average time to identify & contain a breach is 279 days, and all too often it is discovered by an external source, such as the FBI. Everyone can help keep their company or organization safe. Do not be afraid to inquire about or report about a co-worker who is suddenly displaying erratic or strange behavior. People’s personal circumstances can change suddenly, putting undue stress on them, and if this stress is financial, they may be forced into a compromised position. Helping them to deal with the stress can be the best thing you can do for them, potentially preventing an incident, as well. Also do not be afraid to report new unknown people that you might see in controlled or sensitive areas. If you notice your PC suddenly acting very slow, it might have some background processes doing something nefarious. It might be a good idea to report this. If you overhear conversations of employees in public areas, including elevators, and they are sharing sensitive information, do not be afraid to speak up, as it might prevent the disclosure of this information.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Hopefully they will have already done at least a tabletop exercise with their Incident Response Team, so everyone knows their roles and what to do. Of course, identification of how the breach is occurring or has occurred is important. If it is still happening in real time, you must identify how so you can “stop the bleeding”. Once under control, you must try to identify what data has actually been breached. This is essential in getting an understanding of the scope of the breach. This could have huge financial ramifications down the road. Hopefully your Cybersecurity Plan has included network and data segmentation, which would help to limit data loss. We must be careful, whenever possible, to not just shut off an offending/compromised machine, as this makes forensic investigations very difficult.
Finally, the United States has regulations to protect consumer privacy. This has been long overdue. In an attempt to legislate GDPR in the US, California is once again leading the way by requiring compliance with CCPA by companies with at least 25 million dollars in annual revenue, or more than 50,000 users’ or devices’ data, or who earn more than 50% of revenue from selling data. There are several exceptions, but many companies are rethinking how much data, and for how long, they really need to retain. Deleting old data, permanently and from all storage locations and devices, has become essential for all businesses. Previously, companies would just request/require everything about customers and business partners, but now, after reevaluation, only key data elements are obtained and saved.
A side benefit of purging data is reduced storage costs. However, having a good process for identifying all the data more than surpasses that saving. Companies must be able to do fast indexing of all their data, and be able to check and modify access levels to any CCPA personal information.
The California Privacy Rights Act will be voted upon by California voters in November. If passed, it will enhance and replace much of CCPA, and creates a new category of personal information, “sensitive personal information”, which includes geolocation data. Very importantly, consumers will be able to demand businesses to correct incorrect information about the consumer. Also, companies can no longer gather information about anyone under 16 without their or their parents’ consent. There are several other provisions that tighten controls on the gathering, selling, and sharing of consumer information. Any company doing business in California will be subject to state audits, and a new staff and power are built into the regulation to help enforcement.
New York, Massachusetts, Maryland, North Dakota, and other states have already implemented privacy regulations. It is a good bet that Washington will be looking to create and implement federal regulations in the near future.
What are the most common data security and cybersecurity mistakes you have seen companies make?
With the huge amount of data that companies are starting to amass, and the potential for the loss of that data, not to mention ensuing penalties as a part of several regulations that are based on the amount of data loss, most organizations are now looking towards cyber insurance to help transfer their risk in the event of a breach. However, insurance companies require a vetting process which puts the organization on the hook. They must sign that they have ample security controls in place to help protect against intrusions and breaches. A form is required to be completed, and signed by the organization, attesting that they have these controls in place. If there is a determination after a breach that some of these controls were not indeed in place, the payout could be reduced to zero. Some companies were very unhappily surprised to find this out, as they did not take the questionnaire seriously. Additionally, it is important to review the fine print in all cybersecurity insurance policies, as often there is a cap on the number of records the coverage will allow. This can result in the need for a secondary policy from another company. Make sure you do your homework and are not a company that is shocked to find you don’t have enough coverage.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Social engineering, primarily through phishing attacks, which were already proliferating, has taken on a new level of frequency, as the attack surface has expanded with a fully remote workforce. “Business continuity” no longer can just focus on mission critical processes, but must now encompass all business functions. We have seen the emergence of thousands of coronavirus-related domain names, and thus the potential for more mistakes by employees as they search for more information on the pandemic. Hackers are using key words related to coronavirus to entrap unsuspecting employees. Nation states, including Russia, N. Korea, Pakistan, and Iran have stepped up their efforts.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Ensure you have a functioning Enterprise Patch Management process. Have processes in place to ensure regular, timely, and enterprise-wide patching. Always test patches on a pilot group before deploying to everyone. It is important to include third-party apps when you roll out your patches, and to minimize excluding systems. It is important to isolate systems that cannot be patched regularly, utilizing VLANs and firewall rules. Long term, look to replace these systems whenever possible. Actually, contact the vendor of these systems directly to discuss; do not take App owners’ or System Admins’ word on the patch issue. Companies are much more responsive now to demands from InfoSec. And of course, minimize the effect on users. Patched systems would have prevented the Equifax breach and the WannaCry ransomware attack. Clearly patch management can have a huge effect on your organization. Patch Management should be number one on your list of security controls.
- Test your Incident Response Plan. Firstly, organizations must build a good Incident Response Team that is composed of representation from Executive Management, Legal, Risk Management, Public Relations, InfoSec, and IT. If a breach occurs, you should not be scrambling to find the communications experts to help formulate a public response if one is necessary. The team should have already been called into action, and the appropriate message should be in creation by the right people. Oftentimes the correct public statement can really influence public perception. We all remember how Target’s consumer perception dropped over 50 percent after their 2013 breach. Unless you have done tabletop exercises and enacted your Incident Response Plan, you may find yourselves running around trying to find the right people and trying to figure out who does what next.
- Test your Disaster Recovery Plan. No matter what plan you decide to create, whether it includes a hot, warm or cold site, it must be tested, as painful as that can be. You do not want to find yourselves, similar to my discussion above on IR, scrambling and hoping things will work as drawn up. Again, all the right people must be involved. Do you know all of the apps in your organization, and have you received confirmation from the executive sponsors of the appropriate order of which to bring apps back up? Your business future is dependent on doing this right.
- Ensure the CISO/CSO has regularly scheduled meetings with the C-Suite. Too often we hear of stories of companies where the CISO does not report to the C-Suite, and does not have face-time with them. This is a clear reflection of the importance that security has with these key decisionmakers. As cybercrime is rising as the biggest threat to every company worldwide, then the hierarchal position of the head of Cybersecurity should appropriately be rising, as well. How can the C-Suite be informed enough of cyber risk without hearing directly from the CISO? How can they trust this person if they have not even met him/her? The CISO must be assured that his/her message on business risk is not modified or watered down. This can only be achieved with the face-to-face meetings.
- Ensure regular and ongoing monitoring of everything on your network is taking place. Are you able to detect anomalies on your networks? Do you know if you have been compromised? Maybe? Would you be able to detect strange outbound traffic to, let’s say, China or North Korea? Monitor unusual changes in user behavior. Would you be able to detect if a person who for five years worked only on ten thousand records at a time, M-F 8–5pm, suddenly is accessing 100,000 records on a Saturday? Do you know if 50 users all had their accounts locked after unsuccessful login attempts? Is a managed security service provider (MSSP) for you? Many companies are moving in this direction.
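The two monitoring questions in the last item above, the user who suddenly pulls 100,000 records on a Saturday and the burst of 50 locked-out accounts, as an added example of the detection logic run over constructed log lines (not the interviewee's code). The log format, the business-hours window, the 3x volume factor and the 10-minute lockout window are assumptions; a real deployment would read these from the SIEM and tune the thresholds per environment.

```python
"""Two simple behavioural detections over constructed log lines:
(1) a user's record-access event that departs from that user's own baseline
    in volume, weekday or time of day, and
(2) a burst of account lockouts across many distinct users.
Added example, not the interviewee's code; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import statistics

ACCESS_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) records=(?P<n>\d+)$")
LOCKOUT_RE = re.compile(r"^(?P<ts>\S+) event=lockout user=(?P<user>\S+)$")

# Constructed baseline: jdoe reads roughly 10,000 records per job, weekdays, office hours.
BASELINE = [f"2020-09-{d:02d}T{h:02d}:00:00 user=jdoe records={n}"
            for d, h, n in [(7, 9, 9800), (8, 10, 10100), (9, 14, 9950),
                            (10, 11, 10300), (11, 16, 9700)]]
# Constructed new events: one normal Monday job, one Saturday 02:10 job at 10x the volume.
NEW_EVENTS = ["2020-09-14T10:30:00 user=jdoe records=10050",
              "2020-09-12T02:10:00 user=jdoe records=100000"]
# Constructed lockouts: two routine ones during the week, then 55 distinct
# users locked within five minutes early on Saturday (a spray or brute force).
LOCKOUT_LINES = ["2020-09-10T09:12:00 event=lockout user=asmith",
                 "2020-09-11T15:40:00 event=lockout user=bjones"]
LOCKOUT_LINES += [f"2020-09-12T03:0{i % 5}:{i % 60:02d} event=lockout user=user{i:02d}"
                  for i in range(55)]

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 is the normal working window
VOLUME_FACTOR = 3.0             # assumption: more than 3x the user's median is anomalous
LOCKOUT_WINDOW = timedelta(minutes=10)
LOCKOUT_USERS = 50              # assumption: this many distinct users in one window is a burst


def parse_access(lines):
    """Yield (timestamp, user, records) for lines matching the access format."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], int(m["n"])


def build_baseline(lines):
    """Per-user median record count learned from historical access lines."""
    per_user = defaultdict(list)
    for _, user, n in parse_access(lines):
        per_user[user].append(n)
    return {u: statistics.median(v) for u, v in per_user.items()}


def access_anomalies(lines, baseline):
    """Return (user, timestamp, reasons) for events outside the user's norm."""
    findings = []
    for ts, user, n in parse_access(lines):
        reasons = []
        if ts.weekday() >= 5:
            reasons.append("weekend")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        median = baseline.get(user)
        if median is not None and n > VOLUME_FACTOR * median:
            reasons.append(f"volume {n} vs median {median:.0f}")
        if reasons:
            findings.append((user, ts.isoformat(), reasons))
    return findings


def lockout_burst(lines):
    """Sliding window over lockout events: (max distinct users in any
    LOCKOUT_WINDOW, ISO start of the window where that maximum first occurs)."""
    events = sorted((datetime.fromisoformat(m["ts"]), m["user"])
                    for m in map(LOCKOUT_RE.match, lines) if m)
    best, start = (0, None), 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > LOCKOUT_WINDOW:
            start += 1
        distinct = len({u for _, u in events[start:end + 1]})
        if distinct > best[0]:
            best = (distinct, events[start][0].isoformat())
    return best


def is_lockout_burst(lines):
    return lockout_burst(lines)[0] >= LOCKOUT_USERS


if __name__ == "__main__":
    for user, ts, reasons in access_anomalies(NEW_EVENTS, build_baseline(BASELINE)):
        print(f"ANOMALY {user} at {ts}: {', '.join(reasons)}")
    count, since = lockout_burst(LOCKOUT_LINES)
    print(f"lockouts: {count} distinct users within {LOCKOUT_WINDOW} starting {since}"
          f" -> {'BURST' if is_lockout_burst(LOCKOUT_LINES) else 'normal'}")
```

The point of the per-user baseline is that a fixed threshold would either miss a heavy-but-legitimate user or page on every batch job; comparing each event to that user's own median, weekday and hours is what turns the 100,000-record Saturday job into a single, explainable alert. The lockout check keys on distinct users rather than raw event count, so one user fat-fingering a password ten times does not look like a spray.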
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I recommend everyone look to get their security teams and developers involved in OWASP. There are local chapters meeting regularly around the globe. The lack of focus in Cybersecurity Plans on software security and the increase in attacks on software make this extremely important.
All of us in InfoSec and Information Technology need to constantly remind friends and family about the dangers of clicking on links or opening attachments in unsolicited emails. Fighting phishing attacks needs to take a village.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!