Listen to learn what you can do to better prepare you and your company for a risk assessment.
"Security is hard, even for professionals. There are a ton of things to know. As a defender, you have to be right 100% of the time. As an attacker, you kinda just have to get lucky once. If you go out there and educate people (in your company) about security, then they can become an ally for you."
Matt Halbleib (CISSP, CISA, QSA (P2PE), PA-QSA (P2PE)) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss all the things you can do to better prepare you and your company for a risk assessment.
Resources:
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm a principal security analyst here at SecurityMetrics, and I have with me today one of my colleagues from the team. Also, he's my boss, but I don't know if I should use the word boss. But his name is Matt Halbleib.
And I said, can we tell people, you know, your bio, all the cool things you've done? He's like, I don't wanna talk about me. So let's just say he has a ton of letters after his name, and go look him up on LinkedIn or on the SecurityMetrics blog post area. But a couple of big things are: you do a lot of P2PE for PCI.
Yes. So, but since today's topic is risk assessments, let's start off by maybe just talking a little bit about your experience with risk assessments, why this is a topic that, you know, you get to be on here with me to talk about.
Okay.
You know, in addition to the fact, PCI, of course, has a requirement for risk assessments.
And frankly, I don't think a lot of people really understand them or use them as effectively as they could. At my previous employer, we used risk assessments to make all sorts of decisions.
Everything from, you know, evaluating products, both those that you're acquiring as well as sometimes selling. You know, we had our own products that we would, of course, sell on the market. And, you know, we'd do risk assessments against certain of the features and things because you can, of course, help identify potential problem areas that need addressed in terms of people attacking your products or whatever. So whether it's software or even hardware or whatever, you know, taking a look at the attack surface from that perspective in the sense of, you know, threats and vulnerabilities and things to it, what are the, you know, impacts if it gets compromised and things.
To using risk assessments, of course, against the corporation as a whole, which can help you allocate budget and things, because you know what your problems are and what you're trying to solve and what the greatest risks are to the corporation.
You can use it for that. You can use it just to make decisions about individual policy things and stuff too.
Sometimes if we were looking to make a change to policy or whatever, we'd do a simple risk assessment on it and go, okay, you know, let's say you're looking at your encryption levels for data, you know, the static data or whatever.
Triple DES is long in the tooth, and, you know, should we move to some other algorithm or whatever?
Taking a look at it from the perspective of, you know, what are our options here? Whether it's ECC or whether we go to AES or whatever it is, and then going, well, how vetted is that? And kinda doing a mini risk assessment on it so that you can help inform decisions.
Yeah. Yeah. You know, I like that that you said that, like, basically anything that you do. And when we were kinda briefly talking about this last week, one of the things that stood out for me on your comments was you said, you know, preppers have a lot that they can teach us about risk assessment.
And I went, Oh, you know what? That is true. And and I think a lot of the people that I talk to like risk assessment, you say the word risk assessment and their eyes just glaze over. They're like, this is the most boring topic.
But you couple that with the idea that, pre COVID people thought preppers were crazy. Right. And and I can tell you that because here's a little bit of a confession. I am married to a prepper.
Right.
Okay.
But a couple of years into the whole COVID thing, people would come to our house and say, do you happen to have some extra toilet paper? And we did not because we went and bought it up, but because he just happened to have a bunch stored away, you know? And and so so why don't you talk a little bit about, maybe why risk assessments are you shouldn't consider them the most boring thing in the world.
Yeah. Good question. I think, you know, ultimately, I think one of the problems that, people have is, as a friend of mine told me a long time ago, is they try and boil the ocean, essentially. I mean, that was when I was asking him about doing some of the first risk assessments, and he says, Don't try and boil the ocean, you know. And so you have to be really careful about how you define the risk assessment.
If it gets too big, then it becomes unwieldy. And then you're Yeah. You're just chasing all these rabbit holes and you just kinda start to lose track of everything you're trying to do. And it seems like it's too big and too intractable of a problem. Mhmm. And so then they give up.
Right.
And so if you clearly define what it is that you're you're trying to assess, and that's why I say, you know, is it an individual product? Is it an individual decision?
Right.
Then you can more more narrowly focus the questions around that and use that to to make good informed decisions.
Right.
You know, there was one time we were trying to make a change in, well, let's put it this way. There's always a competition, that's not the right word. There's always a little bit of conflict between security, you know, if you look at the Dilbert, you know, it's no. You know, the default answer, right, versus the people on the other side saying we wanna move to this.
I mean, right now, we all talk a lot about, you know, bring your own devices kind of thing. Right. Or the cloud was a huge deal. I mean, I've I've been in security long enough that the cloud became a thing while I was in.
And, you know, the company I worked for was very risk averse in that sense. And it's like, you know, we all joke the cloud is somebody else's computer is all it really means.
So no way we're moving to the cloud, right? I mean, that's just no way. But then we started, of course, experimenting with some clouds internally, and you start doing risk assessments on it, and you go, well, what are the real threats to it? You know, what can happen to it? And one of the odd things that we identified in the end was, somebody could frankly steal your machine because, you know, a virtual machine is just an image in reality.
Up to then, if somebody wanted to steal your hard drives and your machine and everything else, they literally had to break into your data center to steal something.
But, you know, if they want to steal a virtual machine, it's just a file.
And so in that sense, you know, you can take information.
So it actually came out just in that process of going through and trying to determine if it's something we wanted to do, and could we do it securely.
You know, and I think that kind of takes it down to its essence: is it something we want to do, and can we do it securely? Because so many times, especially when talking to customers, I'll say, do you have a risk assessment? And they'll say, well, what?
Which one? Like, what risk? What is the risk assessment? What do I need to do? What what does it have to include?
And that generally is because there is a lack of knowledge around what a risk assessment is even for. And so we have to understand that we don't just do a risk assessment so we have a report that then sits on the shelf until next year when we do another report. Instead, a risk assessment informs decisions about how we do certain things that we want to do, or whether we even do other things.
You mentioned PCI, for example. So there are several things in PCI that are not fully spelled out in PCI. For people who don't know, it's the payment card industry, you know, securing credit cards. So, in the PCI standard, the DSS, it says based on your risk assessment, you should do certain things.
There are certain things you should log. There's certain cadences that you should have in your logging. There's certain, file integrity monitoring that should happen that there's there's different things. But it all comes down to the risk assessment.
So, but have you seen that where people have a risk assessment, but they don't actually know how to apply it to their situation?
Oh, absolutely.
People who are less familiar with risk assessments. So Requirement 12.2 is the explicit requirement in PCI DSS for having an annual risk assessment, as it says.
You know, some people you go there and you look at the annual risk assessment and it's like, and not that this is necessarily wrong, but they're just looking at it like, you know, Well, what if there's an earthquake or a fire or whatever? They kinda look at very holistically at the environment and the company, and that's what they focus their risk assessment on. And, and that kind of a risk assessment does have a place, right? But like you mentioned earlier, when there's, there are lots of other requirements, you know, if you say, you know, one complaint sometimes people have is PCI isn't so risk based. It's a do or do not kind of standard, which, you know, is somewhat true. But they have always, you know, for a long time had the compensating control process.
Right.
And in there then, you know, you're allowed to show, well, you have to demonstrate why the way you want to meet the control is of sufficient rigor and meets the original intent of the requirement and everything. Well, to do that, then you have to have some way to go, well, how am I different from it? What are the risks associated with that? You know, threats, vulnerabilities. I wanna use different password metrics. Right?
Right.
I don't wanna change it every ninety days. Uh-huh. You know, I encountered somebody who a client who they they wanted to do that. They wanted to change their password settings.
And, interestingly, what they did is they would go out and calculate the entropy of a person's password.
Oh.
And and literally, you know, if you said, I'm gonna have a twenty four character password with high complexity and everything, they'd go, Yeah, knock yourself out, change it, you know, once a year or something.
And they backed it up with essentially risk assessment metrics to go, look, this is just as good, because on the other side, if somebody wanted the minimum of seven characters with complexity in PCI, if somebody wanted just seven, they'd go, no, you're changing it often.
And so, you know, it's one of those things that, you can kind of prove to yourself and to management, because, let's face it, ultimately, a lot of times you have to prove, you have to make that proposal to management and say, We wanna do this differently.
And so if you can, if you can have a risk assessment that goes, yeah, look, we've considered all of these threats, vulnerabilities, impacts, likelihoods, all that. Here's what would happen in all these different scenarios.
And this is why we feel this particular change is a low risk Mhmm.
To the environment. And then management's very informed and goes, yeah, we'll accept that.
Right. That is a terrific example because it also talks about another function of risk assessments. Often, a risk assessment is done by your security team because they're close to the risks. They understand the risks, but they shouldn't be the ones making the decisions about how they then remediate that risk, what actions are taken. That really is a business decision on how they manage those risks.
Yeah. Absolutely.
And let's face it. There are people, especially in public companies and things with boards, typically there's an audit board, as well as finance people on the board. Finance people have been doing risk assessments of a different kind Yes. For a long time.
Security people used different language in their past life too. We kind of tried to reconcile those two worlds and make a unified risk assessment process that security people could agree to use and finance people understood. Then as things got presented up the chain, and sometimes even up to a board level, people understood the language.
Mhmm. Because let's face it, you know, security, we have a lot of obscure terms. We have lots of acronyms. Yep.
We might use words even in ways that somebody else doesn't use them. So So it might be a familiar word with a slightly different connotation.
Yeah. Absolutely. You know, threats to a security person Mhmm. Mean something different than threats to your loss prevention guy.
Right.
Or a financial guy. Mhmm. You know, I did a lot of M&A work for a time.
That's mergers and acquisitions.
Yeah.
So Okay.
Yeah. I I probably shouldn't say we jokingly internally call it mergers and inquisitions. Oh, no.
Oh, that's terrible.
It is.
But frankly, that's that's the way the person on the other end felt about it, you know?
Yes. Having been through both mergers and acquisitions in previous companies, it can be a very painful process on both sides.
Yeah, because all of a sudden you get all these people coming in.
Well, you don't know my systems. Well, you won't tell me yours. Yeah. It turns into something like that sometimes, but sometimes it can be done well.
Oh, yes. And using threat, excuse me, using risk assessments to understand what's going on in an environment, I think, is really important. I mean, if you look at recently in the news, we saw Marriott again. You know, they acquired Starwood.
Mhmm.
Right. And Starwood had had a breach for two years before Marriott acquired them, and then they continued to have a breach for two years after. So a total of four years. Right. Because the risk assessments that were performed were insufficient.
And so when you look at how we leverage a risk assessment, well, you don't just make it an activity that you go through where you're just checking the boxes. Right? It's truly a way to discover what's really going on in the environment and then make good decisions based on that. So, I wanted to go back a little bit to PCI because, like you said, PCI is largely prescriptive.
It tells you things to do. You check the box. It's either yes or it's no. But the degree to which you look at something or do a thing is not prescriptive because there's no way to do that.
Let's take an easy example. If you have a lot of swiper devices in your environment, one of the things you have to do is check them, make sure you don't have skimmers. Right? Yep.
Well, how often does the PCI say you're supposed to do that?
It yeah. That's a good point.
I mean, it just says you have to do it.
Doesn't say how frequently or anything else.
Yeah. And so especially when I go to the universities that we work with, I have a lot of little merchants that are, you know, together under the university umbrella. And they ask, well, I have this requirement, but what does that mean? How often do I need to look at it? How often do I need to record that I looked at it? And that's when I get to say, well, let's look at the risk.
Assessment.
Assessment. Yeah. And if they say, well, I haven't done a risk assessment. Central IT does that.
Well, central IT does it for what they know. Do they know your environment at all? And so we'll go through kind of a quick, lightweight risk assessment, which is: who has access to that machine? Is it just you or is it other people?
Where does it live when it's not with you? Right? So do you lock it away in between? Do you use it twice a year?
All of these things feed into, well, then what do you think is reasonable in looking to see if someone else has somehow compromised your machine? And they'll come up with an answer, and I'll say, can you write me down that answer? Just a quick little paragraph. And there's a risk assessment about a specific item that was solving a specific problem, and it was meaningful because it wasn't just, oh, I'm gonna go through this big old risk assessment that has nothing to do with how I do business.
Well, totally. And that's what I was trying to say earlier about defining the scope of the risk assessment, right? You really need to define what the scope is.
Yeah.
And that's a perfect example of using the risk assessment process in a very lightweight way that's accessible to lots of people, is not difficult, but in the end backs up a decision and why you did it.
And, you know, let's face it, if you did that risk assessment at a higher level, whether it's the corporate level or in your case, you said a university, if you're doing it up at a higher level, they're not even frankly gonna think about those devices for the most part.
It's very much off their radar.
It is. I know, once again, previous life, when we did a corporate risk assessment, we actually ended up breaking it up into all these different areas, finding subject matter experts for each of those particular items, you know, IT and so on, and we did it across all different things.
But even in IT, then we'd break it up into subgroups and say, you know, going back quite a few years, I was a Lucent Definity PBX administrator at one time, certified, you know.
That's a good day.
Yeah.
But I knew quite a bit about telecom. And this was way before VoIP and everything.
Although VoIP was starting to come in, you know, and has its own, once again, that's another one of those, as we started looking at it.
You know, I'm kinda getting off track slightly, but, you know, as we started to bring in the idea of having VoIP Mhmm.
Once again, we had to kinda do a risk assessment of it and go, well, what are the problems with it here? Right. You know, internally, okay, it's a network, but there are tools out there, Cain and Abel. It handles all the different things: capture the traffic, you can pull the voice stream out. I mean, it's really quite trivial to listen in on somebody's conversation, right? So, you know, knowing that, then you go, well, okay, what's the real risk? Okay.
Well, then we can we can mitigate that by doing some other things, you know, putting on its own network or whatever, you know, segmentation, etcetera, etcetera.
Voice over IP is actually an important concept because so many people, especially during the last year, went to a work from home model. Oh, yeah. And the way they resolved a lot of that, especially for people who were doing phone calls or even call center people who are now working from home, they've been solving that work from home problem functionally by using VoIP, voice over IP. Right? And so knowing that there are risks associated with that, how do you then allow that work from home while keeping security on it? So it's a way to do, again, security about a specific thing, solving a specific problem.
Yep. Perfect example.
You say this is you know, we wanna we want to enable people to work from home. Mhmm. Let's examine the work from home environment and go, what are the threats to it? Right?
Right.
Okay. So are we gonna let them work from their own device or are we gonna provide them Mhmm. A system? Because if I provide a system, I can control all the elements on it.
Right.
Right? I can bring it back into my network. I can put it on a separate network for a time while I interrogate it, make sure its patches are up to date, make sure that the antivirus is up to date, whatever, before I actually allow it into the corporate environment. Right?
So you can have a little remediation network, if you will, that it can attach to. It gets interrogated. Okay. Now you're good to go. Now you can connect to the corporate network.
As opposed to having somebody's home system Mhmm.
Which you don't have nearly as much control over.
Right.
Not always as easy to say you have to run this kind of software on it or whatever. Are you gonna pay for my antivirus on my home system because you want it, you know? Yeah. Risk assessments are great informers on all those decisions. Yeah. And then it helps you understand, well, as a company, what's our risk tolerance?
Right.
Do we want to accept a moderate?
You know, I don't know. That's a little borderline, right? Can we get them down to lows, negligible?
But once again, you know, you can say, well, let's look at the difference of having the person who's working from home use their own machine or a corporate machine.
Mhmm.
Now let's do a risk assessment on it real quick on just some of these high level things.
Mhmm.
And now we can make a more informed decision. Yes. This one costs more, but it lowers our risk down to this. This one doesn't cost us as much, but it has more risks associated with it.
Right. And almost always, the cost of something that reduces risk is lower than the cost of something that would be the result of that risk. Does that sound really, like, circular? Like, you're going to pay for security whether you pay now or whether you pay later. Unfortunately, that's the circumstance that we're in now, that there are risks associated with doing business virtually.
Oh, yeah.
And everybody now does business virtually. As we look at different risk assessments and different cadences at which people do risk assessments, you know, it used to be annually or after a major change. And then people are like, oh, there's no major change, or we're gonna just make sure that our major change aligns with when we do our risk assessment anyway, that type of thing, because we didn't have something forcing these major changes. So looking over the last year, everybody had to go from working in the office to working from home or working in a different way that they didn't foresee. Most of them did not have a potential pandemic in their risk assessment.
So some people did, but most people didn't have that. Right? But the sudden need to work from home should be in everybody's risk assessment now. They should know, what do we do to accommodate risks associated with work from home as opposed to risks associated with working in the office?
Now here's the tricky part. People are leaving home and going back to the office now. So what are now the reverse, what are the risks in changing once again? Because any major change to how you do business in our very connected world has associated risks.
So my expectation as an assessor would be to go into an organization now and say, let me see your risk assessment. And as I read through the risk assessment, I generally ask people, can you justify why you looked at these risks and why you didn't look at these risks? And if I don't see anything about changing from work in the office to work from home, then I know that they don't understand the value of a risk assessment.
There's a potential there to talk about how you can use this report as a tool to really direct security activities and decision making.
Yeah. Well, yeah, for me, like I say, in that past life, it drove many of our decisions. Like you say, it's great because, in a lot of instances, we saw clients and things who allowed people to not only work from home, but then take systems home.
Systems that used to only live in the corporate environment.
Right.
So now you're letting them go home into what probably is considered a more hostile network environment. Right? I know people don't always think of it that way, but it is. Right. Because you don't control the systems that surround it on that network.
Yeah. Yeah.
And so even though your company machine is there and it's got antivirus and all that good stuff, it's now on the same network with potentially less protected machines, with less sophisticated users whose odds of getting compromised are greater than somebody's in a work environment.
Mhmm.
So your work machine went from a very protected environment to a home environment, and now you're gonna bring it back in.
Right.
So great place to look at it and go, okay. What are our risks associated with this?
Well, it was out there.
Exactly.
Its configuration changed while it was out there.
See, it was in a hostile environment. Yeah. It potentially changed. Right?
Yeah. Yeah.
So did it get a back door, and now I'm gonna bring it into my company and it's gonna have a back door for somebody else to come in?
Yeah. Exactly.
So, yeah, all those things can be done through risk assessments and, you know, it's a great opportunity to look at it and go, okay, if we're gonna do that, then we do the risk assessment. It identified that it was in this hostile environment. We're not entirely certain of its configuration now that it's coming back into the office. What ought to be our steps so that we can have confidence in that machine and putting it on our network again?
Right.
So, we talked about PCI, where people get kinda worked up about, well, it's too prescriptive and I don't have any kind of flexibility. And then you say, well, what about the risk assessment for these things? And that's where risk assessment goes. And then almost on the opposite end of the spectrum is HIPAA, where it's very nonprescriptive, and people get upset because it's nonprescriptive.
But it all starts with the risk. And, you know, side note, I thought this was really funny. I get comments from people from all over the world, and I just love it. And feel free to reach out either through SecurityMetrics or through LinkedIn.
Happy to answer questions. But I got one comment that was one of my favorites, where somebody from Europe said, it sounds like in America, people get a lot more upset about compliance than we do here in Europe. We're talking about, you know, cybersecurity. And I was like, do we?
Probably a bunch of, you know, Wild West people.
Yeah. But that's okay, because risk assessments help us with that, right? So you look at HIPAA, where people are like, well, I don't even know where to start.
Yeah, you do. Because you know what? HIPAA says you should start with a risk assessment. So a risk assessment all starts with knowing what your environment is.
You know, what is the scope of things that you're looking at? And then looking at that environment, what are the risks there? You know, if you know what the risks are to personally identifiable protected health information in that environment. And protected health information is just information related to health that can be connected to personally identifiable information. So PII, connected to health, creates PHI. Magic.
So in HIPAA, you look at that and say, alright. I have this risk assessment. How am I protecting PHI? How am I protecting information that should be private?
That is very, you know, people don't want that information out there for a lot of good reasons.
Right.
You know, connected to fraud, connected to taking over a person's identity. But also our health is personal. You know, and just having people know things about our health, we don't want that to be out there in the world. Right. So, yeah, HIPAA says you should protect that and you should start by doing a risk assessment. But if you have that kind of broad ability to do things or not, where do people even start when step one is do a risk assessment?
Well, what would you tell a group that's kind of dealing with this for the first time?
Well, go out and read about some of the different standards out there, whether it's NIST or whomever. I mean, there are different risk assessment...
Uh-huh. Sure. Yeah.
I know. Standard's not quite the right word. What do you call it?
Frameworks? Frameworks. Yeah.
Frameworks that you can use.
You know, if you've got a finance person, they may have some background in risk assessments themselves, done from a financial perspective, but still it can inform your decisions and your ideas. And like I say, when it comes to talking to the board and lots of different people at different levels within an organization, it's probably, as we talked about, having the right vocabulary. We say one thing Yeah. But they may mean it as something else than we do. So it's important to be able to have that conversation on a level playing field that everybody understands: when we say this, this is what we mean.
And sometimes people will be like, well, shouldn't the onus be on them to understand me?
And my answer is always, well, it depends. What is the problem you're trying to solve? If you feel that security needs to be improved in certain ways based on your understanding, then it's on you to explain that to people in words and concepts they can understand.
And any of us who wants to make things better should be saying, what can I do to improve this communication?
And it makes things better. So therefore, the onus is on all of us.
You know, ironically, not that I've looked at it this way in the past, but as you're describing it, I'm going, well, in a way, what you're describing is a risk in and of itself. I communicate one thing, people understand it as something completely different. Yeah. So, yes, I agree. Let's face it. Like I say, security is hard, even for professionals.
There's a ton of things to know. As a defender, you have to be right one hundred percent of the time. Right.
As an attacker, you just kinda have to get lucky once.
I mean, you know, if you're good, yeah, great.
You can you can force some things. You can get better.
But in essence, you just have to find one area that you can attack and get a toehold into an environment and then start looking around and seeing how you can pivot and move around in an organization. Right? So security is hard enough as it is. Right.
I mean, even for people who practice it every day. And so now you're putting out there these concepts and ideas. Yeah, I did this risk assessment, and we found this and that problem. And if you don't go out there and educate people about what it is you're really talking about... I don't mean that everybody has to become an expert in security.
Just find ways to put it in terms that they understand, which is kind of why I was mentioning the finance people. They've looked at their world from that perspective.
They just really haven't looked at the security side of things that we look at. And so if we can find some way to help them understand what we're talking about in terms that they know, then they can become an ally for you.
Right.
Same thing in a previous job, I found that, my dad was an attorney, so I can kinda say these kind of things. You know, they're they're not always the most favored people Oh, no. In, in companies and things. Right?
You know, so in any case There is some stress involved there.
Yeah.
Yeah. Yeah. What I was gonna say is, you know, from a security perspective, we found that, the lawyers, if we could communicate to them what the problem was, and, you know, it's not just a regulatory thing like PCI, you know, we're gonna have to pay some fines and everything. But, you know, they look at things too of, like simple thing is like, well, what's your email retention period? Right?
Mhmm.
You know, or what's your crypto period? Because, you know, that defines, you know, how long you're gonna keep some cardholder data in PCI. Right?
Or how long your keys are good for or whatever. If you can clearly define anyways, we were able to get legal on our side for many things to help push on the board and others at senior management level to go, no, this is a real risk to the corporation.
Right.
We, you know, I I know marketing and and those people really want all this data about all these people, but like I say, you know, identity theft is a huge problem, whether it's PHI or whatever. Right. Downside of some of those things being stolen is that I can't change them. Yeah. I I I can't I can't go change my health past. No. I can't change, you know, where I was born.
I can't. Yes. You can.
You can change your social, but it's hard. Yeah. It's pretty. But I can't change where I was born.
No. Yeah.
I mean, things that are very unique to you, you you can't change. And when that information gets out there, that's a huge loss. You lose a credit card, okay, fine. You can cancel it, you can, you know, get a new one or whatever.
But losing true personally identifiable information is that's that's, that's something that we don't want to have happen.
And and so understanding the risks to to keeping that. So so telling people, well, if you have information, you have to protect it.
Right. And so back to back to legal, if we could show to them why something was a threat or a risk, and if it came down to a lawsuit, you know, it's like, look, I can't defend this position. Yeah. Marketing says they wanna keep this data, but for what?
Oh, it's, you know, it doesn't play over in the courts well to say, well, we just wanted to sell more product Yeah. To the end user.
Right? It's like, yeah, but you didn't protect the people's information. Manager.
Yeah. Yeah.
So and and you knew it was potentially an issue. So, you know, why aren't you pruning your database with old information?
So security people, sometimes we need to go to the finance people. Sometimes we need to go to the law, the lawyers, sometimes. So it depends on on where we can get that risk heard to get the support that we need to get the people, the money, the time to to resolve whatever security issue that that's related to. So sometimes, you know, especially if you're in the the position of being doing the risk assessments and then, performing the remediation, if you get stuck in in being able to resolve the problems you want to resolve, then maybe look for a different pathway to the support that you need.
Yeah, absolutely.
Well, this is, this has been absolutely fantastic. I really appreciate all this. Is there anything, you know, specific to risk assessments that maybe you wanted to cover that I that I missed today? You gave me a ton of great notes, and I don't think I got to all of it.
But That's okay.
Okay. Yeah. Well, well, you know, if there's something key, we can we can always have you back too.
Okay. Yeah. Thanks. Or if somebody had a real question, you could get back to me.
Oh, yeah. For sure. For sure. And and, you know, I tell people all the time I'm on LinkedIn and and they're welcome to to contact me there or or, like I said, through the the SecurityMetrics. We have a lot of blog posts on SecurityMetrics that I haven't really talked about before. But there are blog posts. There are white papers.
There's a lot of of information that we put out there for free just Right.
Just so that people can can, improve their security in their organizations. And and I think that, that that's a good place to start for people who have questions, but, also, they can reach out, and and we can maybe answer some questions directly. So, thanks again for joining me.
Absolutely.
And thank thank you for joining us once again here on the SecurityMetrics podcast. I hope to see you again next time.
Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.