Risk Assessments: Where to Begin

Listen to learn the importance of risk assessments and how to successfully conduct a risk assessment.

SecurityMetrics Podcast | 70


Risk assessments are critical to implementing good security controls, but many organizations struggle with where to begin.

Josh Hyman, Chief Information Security Officer of Black Talon Security, sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss:

  • The importance of risk assessments
  • Risk analysis in the healthcare space
  • How to successfully conduct a risk assessment

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Risk Assessments: Where to Begin

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. We're in our fourth season already. And we have so much back content. If you haven't seen our back catalog, go take a look.


Topics on everything. And I think that there's a lot of value out there. Today's is going to apply to everybody listening.


Super excited to talk about it: it's risk. We're gonna talk about risk. And the guy that I have come talk to me today about this, his name is Josh Hyman. I'm gonna read his bio so I don't miss anything. He has been a leader in the information security space for over twenty years. After serving as the director of information security for a financial company and working directly with the executives to ensure impenetrable security for the organization in his most recent role, he brings with him a breadth of experience and expertise in the field to Black Talon Security.


His attention to detail and consistently up-to-date knowledge in the ever-evolving world of data security have always made him an asset to any role. Josh, welcome. Thank you for joining me.


Happy to be here. Happy to be here.


And on a more casual note, Josh, you and I met because we did the cybersecurity price tag boot camp, held by the good folks at the Help Me with HIPAA podcast.


And, yeah. And just said, yes. You've got this risk topic nailed. Like, come and talk to me.


Risk. Risk. Where do you start? Right? Like, I think that's the biggest challenge.


And, first of all, thanks for having me. It's an honor and a pleasure to sit with you and chat with your listeners today. We had a lot of fun over in Kentucky.


Yeah. We did.


Having nothing to do with the bourbon. Right?


Having nothing to do with the bourbon. Bourbon aside.


Any of it fun at all. Right?


But bourbon aside, we had a lot of fun presenting and listening to many different folks speak about risk and the different aspects of risk in an organization.


I think one of the things that you and I were talking about before we started that whole thing was, like, drinking from a fire hose.


Yeah.


Like, that part of risk and, like, it's the scariest thing in the whole world. Yeah. Like, I think about anytime I sit down with a client, or even when I'm addressing, like, risk for my own organization, where do I start? Yeah.


Right? And then boom. Like, they open the fire hose, you've got a million things to do. And, like, how do you deal with the data there, and how do you deal with all the different aspects of risk?


So I think this will be an eye-opening experience for those listening. And maybe we can start with, I don't know. I like to tell stories. Right?


I think that's always, like, a great way to jump into something.


I'll go first. Please. Why not? Because I'm here.


So my first real foray into, like, structured risk. Right? Because I worked my career. Before I got to Wall Street, I worked for a business where, like, how do we address risk?


I don't know. I don't think we did. I'll tell a funny story. We were in the automotive repair business.


Mhmm. And so much that we didn't address risk that a guy's finger got severed while on the job. Oh. Probably because we didn't address the risk that a guy shouldn't be working on a machine that weighs eighty thousand pounds by himself in the middle of a cornfield.


And then, instead of using blocks and jacks, he used the outriggers to lift the machine. And then when he went to put the tire on, he went to put the outriggers up higher so he could get the tire, and he put the outrigger down. Oh. And boom, his finger gets cut off by the flange on the machine.


And, like, as I look back on that, like, how did we not think about that? Right? Everybody today in the world I play in, like, technical risk is what I think of. Mhmm.


But everybody misses it. Like, it's something else. It could totally not be technical. Or there's the pandemic.


Yeah. The pandemic is a perfect example. Nobody thought that would ever happen. Oh, I don't have to worry about the bird flu or something like that.


Never. Never. And then all of a sudden, COVID, and, like, now we have all this risk we didn't really think about. But, anyway, I digress, as I will all the time, and I think that's where my charm comes from, my digression, I think.


So let's move forward, though, to formal risk. So I land on Wall Street and PCI, your world. Right? I'm thrust into an organization that has to deal with PCI.


They've never done it before. And they kinda hired me, and they were like, look. We started with this, but here. And, like, they pushed, like, these mounds of paper. Do you remember You Can't Do That on Television on Nickelodeon?


Yes.


Well, I think of that big... they had the big dictionary, and they would open it up.


It was, like, that big. It was, like, you know, my hands won't even be big enough on the screen. And they're like, here. Here's where we started.


And I was like, oh my god. Where do I go? Yeah. How do I deal with this?


And especially with PCI. I mean, we could talk about health care and other industries. Sure. But, like, PCI and its prescriptive nature of how it addresses risk.


And I think the one thing I learned really fast was if I didn't figure out how to slow that fire hose down, I was gonna drown. Yeah. Right? They're gonna find me in the back corner of the office in the fetal position with, you know, pages around me and, you know, just crying.


So I said, woah. Hold on. Let's slowly start to figure these things out and put them in buckets and categorize them. And Yeah.


So for me, that was my first, like, foray into risk. And what I kinda do today with all of our clients, or anyone that I'm engaged with, is take it down to, like, something simple you can manage. Mhmm. Don't try and bite the whole thing.


You're gonna choke. Yeah. But you know what? I'm talking too much. You're talking.


No.


That's one thing.


I never come up for air.


I love believing.


You talk too much.


Right? You talk too much. I love talking.


What I find interesting about what you said was that it was a compliance-related thing here. Do risk because of compliance. But risk, being able to address risk, is so much more important than that, and it comes back to your original story, which was if you don't account for risk, bad things can happen.


And so a lot of times, you know, why are we doing a risk assessment? What is the importance? Why are we even doing this? And so even though compliance is often the driver, PCI says you have to have a risk assessment.


As a matter of fact, four point o says you have to have targeted risk assessments. HIPAA says start with a risk assessment. Why is it so important that risk assessment underlies so many compliance efforts, so many security efforts? What is it about a risk assessment that is important?


I think there's a really short answer to this, and it's my favorite thing to say to people.


I'm not in sales, although they say we're all in sales. Right?


We're selling ourselves Yeah. That's what they do us, I guess.


And, right. Like, I'm the worst. I can't ask for the sale. I don't know how to close the sale. But if I'm on a call, they say I'm very good at helping to close.


I'm a good assistant. Yeah.


Is what everybody says.


So my short answer to that question is you don't know what you don't know. Yeah. And I think that's why it boils down to a risk assessment. Like, did I know I didn't know that Johnny, and we're gonna, you know, protect the innocent here, yeah, was doing that out in the cornfields? Yeah. And if I knew that, then I could address that risk.


Maybe I send somebody with him, and I hope that there's not two idiots out in the cornfield.


Or, you know, with two people, then I would at least expect that they would follow a better procedure because somebody else was there to help. Right? This person was doing the best they could in the situation they were in because they didn't have any other way to reach and move that machine. Yeah.


So what I always say to every client and everybody I talk to about risk is you don't know what you don't know, and I'm here to help you uncover those things you don't know. Yeah. And that risk assessment, that first building block, is going to help you uncover, like, oh, I've got a server in the locked server room. And this is another real-life story.


This was my thing. And we had supplemental air conditioning, and we had temperature sensors.


And that's all we had because that checked the box. Right? Our clients were like, if you're gonna have a data center in your office, you better have some supplemental air conditioning that's separate from the AC in the office. If the AC breaks, something else will cover you. We need the temperature sensors so we could pick up on humidity in the room, because humidity, as we all know, is bad for equipment.


And then I'm talking to a friend of mine who's not anything related to what I'm doing, and he had just won an innovator of the year award in his own business. And he was in the home automation business, so very unrelated to what we do. But his innovation was that he had put an entire home automation system in the basement of a home. And the basement was known for flooding.


So, obviously, they blocked the system up a few feet so that it wasn't on the ground, but they suspended it. They did all the smart things. And at the time, this was probably, like, fifteen years ago, the company he was working with to do this automation had a water sensor. And they put the water sensor halfway between the floor and the rack.


So this way, if it started to take on water, they would all get alerted and then have a chance to save the equipment. Mhmm. He wins home innovator of the year, and I win employee of the month because I'm like, hey, boss. We can put in a water sensor, because we didn't even realize that there's a risk now that we've got supplemental air conditioning.


Right? And we know what happens there. There's water contained in it. Boom.


That thing lets go. Now water starts filling up the server room, and we didn't even address that risk. I mean, maybe my humidity sensor would've picked it up, maybe. But now I knew if I picked up water, then I had a certain amount of time.


You know, obviously, if I have a gush of water, probably not enough time. But, again, you see where I'm going with this. We addressed a risk we didn't even know we had by thinking about the things in front of us, the vulnerabilities that exist in front of us. Where's my t-shirt?


We should've shown my t-shirt.


Oh, yeah. Yeah. If you can remember what it said, we should say that.


But what I love... Go ahead.


What I love about this story that you told me is that risk is important. Doing a risk assessment is important because of the actions you're going to take as a result. So when I was a kid, I came from a very large family, and my mother made sure that we all learned how to play piano. And her big thing was protect those piano fingers.


And so when we would all jump into, we had this big Econoline van, and, of course, we'd all jump in. It was chaos, and somebody would slam the door. Well, before anyone ever slammed a door, we always yelled fingers. So everybody jumps in, somebody yells fingers, we slam the door.


So at some point, somebody had done a risk assessment. What are we protecting?


Fingers.


And so what is the process by which we protect those? Somebody yells the word. Right? And so you can take these ideas that are very real world. We all do risk assessments all the time, and we all take actions based on our assessment of risk all the time.


But for some reason, people get in a room and we have to do our risk assessment, and suddenly it's either boring or frightening or too complex, or let's give it to the newest IT guy because, you know, that's what happened. That's how I got into the formal assessment of risk. I was on a help desk and got told, hey. We need to do a risk assessment here.


Risk assessment is its own beast. And yet a lot of times people in IT or some admin person gets handed it. Here, do this risk assessment for us. And so, yes, we all can possibly do these things, but having a professional help us guides us through what you were just talking about, which is how do we deal with what we don't know? And I think, if I recall, the shirt that you were talking about was the risk of getting punched in the face. And so what is the threat actor?


The person who wants to punch us.


Right? I think the person who wants to punch.


And the threat is for it.


I think I have it. The threat is getting punched.


The threat is getting punched, and the vulnerability is not being able to block the punch. Right?


Punch. Right. And then it was, like, residual risk or something. Oh, here. I found it.


I found it. Hold on. Can I share my screen real quick?


Josh, I would love to see this T-shirt. Somebody needs to buy me this and send it to me.


Here it is.


I mean, it's real world. Everybody gets it. The threat actor is someone who wants to punch you in the face. The threat is the punch being thrown.


The vulnerability is your inability to defend against the punch, and the risk is the likelihood of getting punched in the face. And the quintessential response to this, you know, made-up Twitter feed is, let's not forget acceptable risk, which is your willingness to be punched in the face.


Exactly.


Exactly.


A little humor. A little humor. And so I love that you gave that example because so many times when we talk about risk, especially when we're talking about technical risk, these are ones and zeros. And it's very hard to, in our heads, say, okay, what are the technical risks that I can't put my hands on? But if you start equating things to tangible risks with tangible outcomes, then it helps people really start forming what are those risks and how do we surface those in our company. I know one of the things that you told me at the conference we were at, which I thought was really wise, was, if you don't have the right people in the room, and that is like a cross section of people, there can be a whole group of people over here that understand risks related to something that you're talking about that this group of people over here hasn't considered yet.


A hundred percent. I mean, listen. So to take it full circle with your statement on having a professional sort of drive the project. Let's call it a project.


Right? It's an ongoing engagement of risk assessment because risk never goes away. Right? And every day that you're in business or every day you're in life, risks come about, and you have to figure out how you're going to address those risks.


But you're right. You sort of need that maestro who brings it all together. And if you don't bring cross sections, right, then HR has no idea what IT is doing, and sales has no idea what HR is doing. And what I've learned in my experience is, as we get these people talking, and we did that tabletop exercise and you saw as it went on, people talked more.


Right? Right. So you bring a whole bunch of people in the room. First, nobody wants to be the first one to talk.


Mhmm. They wanna keep it quiet because they're afraid. If they talk, either they're gonna say something ignorant. Right?


That's one person's fear.


And the other is they're gonna give themselves more work.


Right? They're gonna be like, if I raise my hand first, everybody's gonna say, oh, that person's great at what we need. Let's put them in charge. So people are always wary of that.


But then by, like, hour one or two, if you can get the sort of rhythm going around the discussions, you tend to find out that all of a sudden, all these people talking are bringing up all these things we didn't know. Yeah. Right? The risk that we didn't know we had.


Yeah. Look, as professionals, you and I do this on a regular basis. We meet with a cross section of different business types and business owners and people.


But I can't tell you how many times I sit down and I hear... can I curse? I'll skip the curse. I hear stuff.


I hear stuff that boggles my mind. Right? Like... Yeah. I'm told things, and I'm like, what?


Like, you brought it to a whole new level of things I didn't even know existed.


Even yeah.


Right? So I think that energy of those conversations, yeah, is really what builds the best risk assessments.


Yep.


And staying focused. I have ADD, ADHD. I don't know what you wanna call what I have.


Well I don't know.


Hyperactivity, lots of cups of coffee, all of the above. But I have a hard time staying focused. But when I do these, I think it's very, very important to understand the scope of what you're doing, yep, and make sure you have a focused plan. Otherwise... I don't know who said this, but I walked in with some isms that I learned from my days in the automotive business working with people who were not Wall Street type people. And one of them is a goal without a plan is just a wish.


Yes.


And I don't know who said that.


I don't know, but it seems like just a real common euphemism.


Right. And the COO of the investment bank put it up on the wall in her office. Mhmm. And I didn't see it the first time I went in.


Then I sat at her desk. I'm like, oh, you took that from me. And she's like, well, it's phenomenal. And I'm like, well, it's true.


It is true.


And then analysis paralysis is the other one that I think people struggle with. And so I gave her my other one, another famous quote from General Patton. And I'm quote, unquote, because I never know if I get it right. My wife says I don't know how to quote anything, although I have the male gene that allows me to remember movie quotes that I don't always get correct.


Yeah. But, yeah. We do it. I screw them up, and then my wife's like, that's not what they said.


I'm like, oh, you're helpful.


And when you sing songs, you get the lyrics wrong. So then we end up in an argument.


But it's a good plan today. Mhmm. A good plan executed today is better than a perfect plan tomorrow.


Absolutely.


And I kinda say the same thing when doing a risk assessment. Yes. If we did this risk assessment for five million days, mhmm, and never finished it and just kept going, we're gonna have the perfect risk assessment. But guess what?


What happened between day one and day five million? So sometimes you have to know when enough is enough. Right? Go through your process. Have a good documented process. Look at your risks, address your vulnerabilities, address your compensating controls, and then move on.


Yes.


People, on to the next.


Yep. And one of the things I run into, especially in the health care industry, is I'll go in to conduct a risk assessment, and we'll analyze the various risks and do the write-ups. And in that process of analyzing and gathering that information, sometimes they'll say, oh, well, we're still working on that. And I'll say, what do you mean you're working on that?


What they're talking about is the risk mitigation. And my response is a risk assessment is a point-in-time snapshot of where you are. Let's get your baseline. Let's get the current state of affairs.


And then next year, you can show progress against last year's state of affairs. Right? A risk assessment is not, hey. We're getting everything perfect and writing up a report.


That's entirely not what is being called for.


It's like they're filling out their test as they're walking into the assessment. Right? Like, they're writing policy as they're walking in with you. Oh, we have a policy.


Here. Here. I just finished this. Hot off the press. No. Don't do that. Yeah. You have risk.


Organizations have risk.


Yeah. Right?


I always say this. If you don't have risk... it's like in business: if we don't make mistakes, we're not trying hard enough.


Uh-huh.


So if you don't have risk, then there's something wrong with your business.


Right? You're staying too much in your comfort zone, and you can't be successful if you stay in your comfort zone. I learned this when we started Black Talon back in twenty eighteen.


My partner and the CEO of the company, who is much better at public speaking than I am, and you got to see him present when we did our tabletop. Me, I'm good in groups. Like, I wanna be the second guy. I don't wanna be the first guy.


I wanna be the guy behind the guy, or even like The Wizard of Oz, behind the curtain. But he said something very profound when we started the company. And I think it's what takes people into leadership roles and separates those who are good leaders from those who aren't. And he said, every day, step outside your comfort zone.


Do something you wouldn't normally do. And there goes another one of my sayings. If you keep doing everything the same every day, don't expect to have gain. Right?


Or, mhmm, you can't get something different if you don't try something you wouldn't normally do. I'm messing the words up. But you hear what I'm saying?


And he said, step outside of your comfort zone every day when you're doing things. And I think it's sort of the same mantra. Like, if you say, I'm gonna sneakernet everything. Right?


So I'm not gonna have any Internet connection. I'm not gonna have any local network. Great. So you have no risk on that side.


But can your business grow? Can you make money? Can you be successful?


Right.


I don't think so. Right? People would argue maybe, but I don't think so. So, every day, there's going to be risk.


Mhmm. We've gotta take the initial steps to look at those items and address them. I feel like we're preaching. I feel like I'm tub-thumping on a soapbox, like, because businesses don't do this.


I know. I see it time and time again. I go in to do a risk assessment with them. I'm like, when's the last time you did this? It's crickets.


Yeah. It's not something that is done on an annual basis most of the time, and it should be. This episode is brought to you by our SecurityMetrics penetration testing team. They do a lot of pen tests.


They do a lot, like network layer, application layer, segmentation checks. They're very, very knowledgeable, and some of them have even won, like, competitions at DEF CON. So you can rely on these guys to know what they're doing. Head over to www.securitymetrics.com/penetration-testing to learn more about pen testing.


Sometimes people will say to me, well, we do this for the HIPAA side of our business, but we just don't know how to apply it to the PCI side of our business. Or, PCI is really prescriptive, but in HIPAA, you have to start with a risk assessment. Well, yes. But that's not to say that a risk assessment hasn't been done against PCI security controls, because the way I see it, and maybe you've seen something similar, is a risk assessment is a good way to let you know what security controls you should put in place based on risk.


Well, in PCI, it's prescriptive because there are a few types of data flows that the PCI Council looked at and said, for these data flows, you need to protect it in these ways, because they've done the risk assessment really for people in a lot of ways. And, yes, there's some different risk assessment that still needs to be done specific to an organization, but that's why it's prescriptive. But in health care, that's so different. There's so many different ways to deal with people's information, to deal with specific data, to deal with, you know, systems.


There's so many ways; it can't be prescriptive. It has to tell you start with a risk assessment, because the security controls that you're going to put in place are all going to depend on what is the risk that's related to it.


Right. And so I said, okay.


We're going into a market that doesn't do risk assessments. We knew it. It was without a doubt. We'll dive in another day on that topic.


So I said to my partners, okay. I'm gonna write our baseline security risk assessment. We're gonna start with our clients. Right?


And my partner said, okay. Good. I went back to my office. I grabbed my PCI notes, and I wrote this document.


But because I came from a world where we did ISO, like, two hundred was no big deal. Yeah. I said, guys, let's meet in the conference room. I'm gonna show you what I did.


And we met there, and then they laughed. So what's so funny?


They said, go ahead. Try.


So I said, I don't know what that means. I don't know how to try. I don't know how to do it. They said, okay. Go do it and then come back. So I did. Scheduled a couple of these, and I came back, and I had my tablet on my list.


Oh.


It's like, what's wrong?


I said, they don't follow me. Mhmm. They don't know any of these things. Yeah.


And so I learned quickly about, you know, how to be agile when it came to HIPAA. Right? Because as you said, like, in PCI, it says you're going to do this. Yeah.


Or, let me say, do you do this?


Mhmm.


Yes? Pass? Yeah. No?


Fail? Maybe compensating control. Okay. You're considered passed now.


HIPAA doesn't say that. No. Right? HIPAA says figure out what your risk is.


Mhmm.


Address your risk, and make sure that you do this every so often. Yeah. I didn't know how to do that.


Yeah. It's starting with something really hard.


I mean, people Let's go broad.


Yeah. It's so, like... Exactly. Where... what's my scope?


Mhmm.


At least with PCI, like, my scope is... how many questions is four point o gonna have?


Oh, I don't know yet.


I don't have that off the top of my head yet. But there's a finite number of questions. There's the same twelve requirements with the sub-requirements. You know, they've added a few things and shuffled some things around.


But you know what it is that you have to address. But HIPAA says, hey. What's your risk? And people go, I don't know.


How do I even find it?


I asked a doctor, and one doctor said to me, the patient doesn't die. I mean, that's my risk. I was like, okay. Fair.


That's a good risk.


Keeping the patients alive, that's a great risk.


That is yeah.


Or that's a great thing to address.


That's a great outcome.


What are you doing to address that?


Yeah.


What are you doing to address that?


And then he didn't have any good answers. He said, I'm doing the same thing I've been doing for thirty years. I said, okay. Have you lost anyone yet?


Right? I mean, you get where this conversation kinda went? And so I had to massage that to be able to figure it out, and not everybody in health care is the same. No.


Right? And like you said, health care is not prescriptive because we start with the risk assessment. And I struggle. I still struggle.


Like, five years later, I still struggle. Not me, but I struggle with the clients.


Yeah.


Right? Some clients can't wrap their brain around the nebulous. There's companies that give unlimited days off. Right?


Many companies do this. And they find when they give unlimited days off, nobody takes any days off. Yeah. They're afraid to take time off, which is BS.


But what other people say is, because it's so nebulous, nobody can wrap their brain around that. Mhmm. So if you wanna give no time off, say they can take five weeks off. And then people may not take the full five weeks, but you're giving them something that they can latch onto.


And I feel like, for me, when I sit down with someone who's never done a risk assessment, the nebulous is very scary.


It is. Yeah.


And even more, I'm sorry, even more scary than bringing a PCI document that may be, like, this big. I mean, like, we have to fill this out. Well, okay. I gotta get through those four inches of paper.


You know? I know that's gonna be difficult, but I know what I can measure against. Yeah. As I flip a page, I'm one page closer to the end. And on the health care side, sometimes there isn't an end.


Yeah.


Or maybe there is.


I don't know.


Well, it's hard to know what the end is. Right? Well, it's hard to know what the beginning is, and it's hard to know where you start, because sometimes a risk assessment is about analyzing one risk at a time. But what do you start with? And so I guess that's a dead silence.


I don't know if you're looking for an answer, but I don't have a good answer.


So then maybe that is a question we should ask today, which is how do you conduct a successful risk assessment?


So I guess we could talk individually about how we conduct successful risk assessments.


I would venture to argue, or hypothesize, that at the end of the day, while we may do them differently, the process doesn't differ much. Yeah. Right? Yeah. In order for them to be successful, we have to do the basic building blocks. Right?


We have to start with, as we said early on in this conversation, we have to start with the right people. Yeah.


The right group, and the right scope. That's how I start. Right? What are we talking about? What kind of business are we talking about? Who can we bring in from the business that can help us to address, mhmm, the questions we need to even answer?


Yep.


And then out of that initial conversation, right, what I do is I take my baseline questions and that risk assessment.


But what I hope to uncover is sort of the cross pollination of the departments inside an organization Mhmm.


And learn let them learn from each other. And they say, oh, but wait a minute, mister IT guy. What are you doing to this risk that, like so I always use the HR and IT. Right?


They typically don't always talk. And IT is thinking about all of their systems they have to worry about. I think payroll was one of the ones that came up during boot camp. Right?


And and if you do, like, a business impact analysis and maybe your payroll system is hosted somewhere else, or potentially payroll is done on a spreadsheet on the server, and IT doesn't know that. And now that makes that system way more critical because if that system goes down and payroll is done every two weeks, I have to address the risk of how do I handle payroll Mhmm. In the two weeks span if I'm out for two weeks.


So that's how I start every risk assessment. It's sort of lay lay of the land, I think, is is the word I use. I bring all of my players together, formulating a baseline set of questions based on the type of organization and size of the organization I'm looking at, and then some dialogue for we typically do sixty minutes Mhmm. Of of conversation between these business units to figure out, are we missing anything that we don't know about?


Yeah. There is one difference. If I do a bigger assessment, like big, I will start with some document request list. Yeah.


So I will I will ask for, policies and procedures and other other collateral an organization may have. Maybe they have in a big organization of previous risk assessment. So let's start there. Why do I have to reinvent the wheel?


Yeah. Let's see what you were thinking about a year ago. Right? And if it's one I've done, certainly, I have the one I did last year.


Yeah.


So we'll use that as our as our starting point. But I think the the question, if I understood it correctly, is where do you start the first time? Yeah. Right?


How do you how do you how do you climb that mountain the first time?


And that's sort of my experience.


I'd be interested to hear your, you know, tales from the ground.


Yeah. A lot of times it's and it depends on what is the problem they're trying to solve. What is the purpose of this risk assessment that they're doing? So as I mentioned, earlier, four point o, PCI DSS four point o says you're supposed to start doing targeted risk assessments.


And it's against things like this. There's periodically, you should check this device for skimmers. Well, what does periodically mean? Well, you would do a targeted risk assessment that says periodically means different things if it's only used by one person once a month and it's locked in a drawer the the rest of the time, then something that is out on a desk that the public can interact with periodically is gonna mean something different because those are two different risk scenarios.


But even, even more importantly when you look at the health care world, the question is kind of it's a multifactor thing. What is the information you're trying to protect? Well, of course, it's it's protected health information.


But where does it exist? Do you even know where it exists? And sometimes that means sitting with people and asking them, show me how you do your job. What do you what are the applications?


What are the systems that you work with? Because you you wanna protect information, but knowing the applications it in, the systems it's in, the the service providers that are are going to impact that, you start kind of getting a feel for the edges of what is it we're trying to protect. And then it's not just our how do you protect the information? But in the health care world, you have to have it confidential, which is the protecting of it, integrity, which is also, you know, the protecting of it.


So it doesn't change unless it's supposed to change. But availability.


And then you've got well, just because you have the information and nobody's taken it and done anything bad with it because you encrypted it. Well, if you get ransomware and you can't access the information, then you've violated HIPAA. Right? So that you you have to be able to treat people that come in. You have to be able to give them their records if they need to know, hey. I'm going in for this emergency surgery.


Please send all of my information to the the the emergency room. Well, if you can't get it, then that's a problem. So it's not just protecting the information. It's also protecting the systems that allow you to use the information and the people involved in doing the work.


Right? One thing we found out about the pandemic, just because information's good doesn't mean people can work. Right? And so it becomes a a a thing that that really expands and can be feel super overwhelming.


And that's when I tell people, we're gonna start with just one of those things. Where's your information? What's the information you have? What is the information you're protecting, and where does it exist?


And and and often will kind of flow from there so that people have kind of guardrails so it doesn't become this, you know, we could go anywhere with this. Let's let's start with this narrow view of it. We and and we acknowledge and a lot of times, I'll have the the parking lot whiteboard where when people say something that is beyond what we are specifically looking at at the time, but they can't get it out of their head. Like, they can't stop thinking about it unless you write it down and go, okay.


It's on the board. This is something we will come back to, but we're gonna set it aside for now and stay focused on this. And so sometimes that's the thing about being a a, a facilitator of these risk assessments is knowing how to keep people all on the same track, trying to solve the same problem.


Right?


I I think you said it best. Right? It's all it's all psychology and people and everything we do. Yeah.


Right? And and and managing expectations and and and interactions with people. And I think I think to your point, staying focused is probably one of the hardest parts Yes. Of a risk assessment And not and not getting dragged into those, scenarios because you're right.


I mean, I could I could veer so right and left Yeah. On any conversation, but I have to stay focused on the the task at hand to at least get through it.


I wanna add something because I think, at least, again, in in my world and and I don't play in PCI compliance anymore.


I I like to say I dabble, only because our clients are, many of them are small medical practices. So they get asked the questions and, like, I don't know. I feel like I hate when they ask me because I know, and I have to now tell them what I know. And I almost would be like, don't ask me. Just do what you want. Like, I can't even say said that because a single office practitioner trying to fill out a a a a SAQ Mhmm.


Is is getting is getting buried under the weight of their own Yeah.


Form.


And so it's tough. But but what I what I what I say to people on the on the health care side let's talk about, like, a HIPAA risk assessment for a second.


Because it's not prescriptive. Right? Because it doesn't say you will have a firewall protecting every Internet connection.


Uh-huh.


It doesn't go to that far to say that.


Continual continual improvement.


Yes.


Right? Just continue to be better today than you were yesterday.


Yes.


And and, ultimately, you you will do you will do good things for your business by slowly reducing your risk than trying to go like this Mhmm.


And grabbing all of the risky items. Look. I'm gonna grab everything I got and try and fix it. No. What happens when you grab too many things?


It's dropping.


Falls. Yeah. You just start dropping them. So so I try to say to organizations, you have to work within your own abilities Yeah.


Your own parameters, and and make sure to be better today than you were yesterday.


Yes.


I believe everybody with that. And even the same, you could you could argue that with PCI too. Right? I mean, even with the prescriptive stuff. Right?


If you if you did good enough today Yeah.


Right, just do better tomorrow Yeah.


Whether it's a better written policy or it's, okay, I've got a firewall, but maybe I don't have all of the security services Yep.


Or not. Maybe I'm not doing deep packet inspection because PCI didn't tell me I had to do it. I think they do say you do now, but, right, obviously, that was probably an evolution. Yeah.


And and so do better at everything you do, and, ultimately, you'll reduce that risk, And your risk assessment will look better over time.


I I I want people to know. I want the listeners to know, and this is another thing I preach over and over again. The battles we fight on a daily basis. Right?


So in our business, risk assessments are a big part of our business. We're also in the cybersecurity business. So I fight the bad guys proactively. And then I also have an incident response business that is there for when the pieces fall apart.


Yep.


And and, obviously, these risk assessments are the base building blocks of building a good cybersecurity program. Right? Building good hygiene starts with knowing what your risks are.


And I tell everyone, your adversaries are well funded Mhmm.


And they have lots of time.


Yes.


Right? The two things that we don't all have here. On our side of the table, we don't have unlimited time. Our clients don't have unlimited time.


Yeah. Their resources don't have unlimited time. They certainly don't have unlimited money. Yep. So you have to use these risk assessments to make sure you prioritize where you're going to spend those resources, whether they be time Mhmm.


Money, tools, policies, whatever it may be. Because if if we had half the budget they had, we could probably do a lot better than we're doing, but we don't. That's a real that's that's that's the fact. No no two ways about it.


Companies just don't have the amount of money and time they need to do the things that the other guys can do.


I'm so glad you used the word prioritize because that was the next thing I was gonna bring up, which was a lot of times I see groups, they'll do a a risk assessment. They they have, like, a risk or roster of, you know, all of the things that they have that that, the risks that that come out of the conversation. But then they don't take the next step of saying, well, what is the likelihood and impact of each of these that we've, come up with? Because if you know likelihood and kind of put a number to it and then you know impact and put a number to it, you can kinda combine those numbers and come up with with your prioritized list based on the the number, that that you get in terms of risk, for those. So so by by assigning a num numerical value, you can prioritize those risks. And then that helps with the decision making process on where do we put the time and where do we put the money.


I don't know. I couldn't have said it better. Right? And I think I think most organizations stop at the prioritization.


Yeah. Right? They they they tend to become, as I like to say it, firemen or fire people. They they tend to go from breakdown to breakdown or from fire to fire, and they put out what's in front of them Yep.


And they use the resources they have, well, again, people, money, whatever, to address the issue that's that's burning.


Right? Or as as we would say in the automotive business, the squeaky wheel gets the grease. Yes. Right? So if if if the if the data center has a has a problem, and maybe it's not the highest risk of the organization, they're gonna go fix that door when maybe they should have fixed the roof over the whole building before they worry about the interior door or something as an example. And I think I think as any process matures or any any thing you do matures, I think prioritization is probably the key to sort of getting past the I'm crawling through a risk assessment to I'm walking through one to eventually running through your risk assessment where you're able to address all of these these findings you have.


Well, I think you and I could talk about risk for days, and I think we have actually in the past.


But, just to maybe give people some guidance on where to start. Let's say you've got a a small or even a medium organization that has never performed a risk assessment. And let's say they're in the health care space. What would what would you how would you tell them to start this process?


So the first thing I would say is take a deep breath.


Yeah.


Right? Take a deep breath.


The second thing I would say is hire a professional Yes.


To help you. Mhmm. Whoever that might be. Find the find the find the right person in business that fits your needs. That may be a big organization, maybe a small organization, maybe a single person.


I think it's always in my opinion, and I've done this in multiple ways in my career, outsourcing the service is very beneficial. Because when you give it to no offense to the name I'm about to pick. I have my characters. When you say that Mary, who's the accountant, is gonna also oversee helping doing the risk assessment, guess what?


Mary has to worry about accounting and doesn't really have time to do this. Right. Or, you know, so and so in HR is gonna do it, and it's the same problem. Mhmm.


When you work with a third party company to do it, you benefit from a few factors.


One is accountability.


Mhmm.


Right? We're held accountable regardless of what other tasks we have to do on our day. Right? If I have a client and we have a scheduled timeline, I'm held to a standard to meet those timelines. You read it in my bio. It's my job Yeah. To make sure that we stay on target.


And I would assume it may not be your particular role in your organization, but I'm gonna assume you have delivery managers or whatever the case may be to make sure that the client engagement is going according to the plan.


When you do it internally my first risk assessment took five years. Right? And we never got anywhere. So so hire the right person for the job. Mhmm. Scope scope the job.


Yes.


Don't bite off more than you can chew.


Mhmm.


So if you have a let's call it a medium sized organization.


Maybe start with a risk assessment of your IT infrastructure Mhmm.


As one as one place. Maybe you do IT and HR, and then maybe you do finance, and then maybe you do clinical. If you try to bite it off too too fast, same problem. You choke or you drop. Yeah.


And then and then set attainable goals Mhmm.


And stick to the and stick to them.


Yes.


As I said before, a a plan a goal without a plan is just a wish.


So so every time I set me I set weekly meetings, I make sure everybody comes prepared for those meetings. If we show up at meetings with nothing, you know what I do? I send you home.


Yeah.


I'm not gonna waste my time sitting there. I don't care if you're a client or I'm doing something internally. It's very important to keep on track with what you're doing.


Mhmm.


So I think your question was where to start. I think you start with the the the the basic building blocks. Even if it wasn't risk assessment. The basic project building blocks. Yes. Have a good scope.


Mhmm.


Have a good team.


Have a leader. Yep. So in my opinion, you outsource that leader. Somebody who's accountable for the movement of the project because, otherwise, this doesn't happen.


It doesn't happen.


And then I think we we didn't talk about this. I mean, you touched on it, and I don't know what we're doing on time. So I'm gonna keep going until you tell me to stop talking.


And I don't have any after this, I don't think. I'm not gonna look at my calendar. I'm just gonna keep going.


I I think that some people do this because they need to check that compliance box.


Uh-huh.


And some people do it because they really are worried about the risk that their organization Yeah. Is, it has. And I think it's important to level set the playing field Mhmm. And get into an engagement as to why are we here.


Yep.


Are we here to check a box, or are we here to truly improve the risk in your organization? And if not, I wanna know that in the beginning.


Yeah. Right?


I wanna know who I'm dealing with. A, maybe I fire you.


Mhmm.


Say, you know what? I can't if you're not gonna do what I'm selling, why don't waste my time. Go buy a book or something and figure it out on your own. Or maybe we talk about why they're doing it for compliance. Maybe they were maybe they had a breach, and this is their part of their corrective action plan or something.


And so I think understanding why we're there, what the what the goals are at the end of this Yes.


And then having all of those checkpoints to make sure. And then and and if you don't set attainable goals, like, attainable goals Mhmm. You're not you're not gonna it's it's not gonna it doesn't work. It does set realistic time frames.


Mhmm. So we many times, we'll set, like, in the beginning weekly calls. And then slowly, we'll go to, like, every two weeks because we need to do more work on our side. They need more time to gather data on their side.


And I find, like, when you start to bring people to calls too many times, nothing happens. Right? It it becomes noise. Noise in in what we do, noise is terrible.


Right? We want we don't wanna be noise. We wanna be relevant Mhmm.


And we want people to be, looking forward to the next conversation with us.


Right.


Not, if I weekly check-in and we're gonna, you know, we're gonna talk about all the things I didn't do again. So that's how I start every engagement for an assess risk assessment. I don't care if you're small, medium, or large. I think as as I said earlier, when we get to the medium and the larger ones, we start to ask for more things in the beginning. Mhmm. And many don't have it. I've got clients large clients, and I'm like, can I see your written information security policy?


And they're like And they don't have one.


Yeah. It's amazing.


What's what's that? What's that?


But, you know, but it's also okay for people to recognize. If you don't have one, that is a risk, and it's okay to see that you have a risk. And then that way, you can have the time, the people, the funds put towards developing something that you don't have rather than just trying to rush and say, oh, no. Argue and say, we actually have this. Well, why why? Doesn't get you anywhere if you sort of have something. Let's recognize the actual risk so you can put the appropriate time and funds and and, what any people resources towards, you know, putting in place what you actually need as an organization.


I was just thinking of something. You said so so so, I think of, like, when you go to the doctor Mhmm. I'm gonna use another story. I love to tell stories.


And and you go to the doctor, the doctor's like, do you drink?


And everybody's first reaction, no?


No? Yeah. A little. Just bourbon.


Yeah. How much do you drink? And then you're like, daily, weekly, monthly?


What's the right answer?


This this came out. I was talking to a doctor, and the doctor got breached. And we were doing a post breach assessment. And the first question I said to him is, look, that password that you've leaked, wherever else you use it, go change it. Yeah. He's like, I don't use it anywhere else. And I was like, I don't go change it.


Yeah.


He's like, I don't use it anywhere else.


And I was like, I don't care where else you use it.


Go change it. He's like, but I don't do that. I'm like, go change it. I said, look, doc. It's like and and he was in the dental space.


Yeah.


And he's like I was like, it's like me coming in and telling you I don't smoke, and you see all the tar on my teeth. Right? Like, don't lie to the guy who's gonna help you. Yeah. Right? Yep. So so sort of that goes back to exactly what you're saying in the risk assessment.


Be realistic about what you have. It's okay to do nothing Yeah.


As long as you own that you do nothing It's it's and now you and now you do more tomorrow.


Yeah. And it's it's important to to be very transparent in those things when you're doing the risk assessment. And and to if you're a business leader, to provide a space where people can say we have a risk here. Because if you have risks but people are afraid to say it, then that's that's pretty bad.


That that means things are not gonna get fixed and and things go downhill pretty quickly. So, yeah, just being open about it is a is a pretty critical point. So well, gosh, thank you for your stories. This has been really helpful, and I I really enjoyed talking to you.


I'm sure that that our listeners will will find this valuable as well.


Thank you for having me.


Alright. You take care.


Take care.


Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
