
Cyber Poverty Line, Budget Dust and Today's Security Realities with Chad McDonald


About This Episode

This week we welcome to the podcast Chad McDonald, Chief of Staff and CISO at Radiant Logic. He talks about the very real phenomenon that is becoming known as the cyber poverty line and the security vulnerabilities that funding and resource inequities can create in a supply chain and elsewhere. He also shares insights on how organizations can assess where they fall on the spectrum, and on the resources available to identify and address security gaps relative to their business.

We also dive into the popular topic of Zero Trust and ponder the philosophical question: if everything is Zero Trust, is anything Zero Trust? Other topics we cover in this fun conversation include AI, deepfakes, identity and security, and what sprinkling budget dust around can get you.


      TTP Ep. 243—Chad McDonald, Chief of Staff and CISO, Radiant Logic


      [0:51] Navigating Security Gaps

      Rachael: I'm so excited to welcome to the podcast Chad McDonald. He's Chief of Staff and CISO at Radiant Logic. He's been in cybersecurity for about 25-plus years building and managing information security programs. I am so excited for today's conversation.

      Chad: Thank you for having me. And, yes, I did forget my jacket in brisk wine country here in northern California, Nevada California. So it's a whopping 60 degrees today.

      Rachael: So jealous. We were talking a little bit before we got on, and I have not actually heard this wonderful term that you've been talking about, this cybersecurity poverty line. And I think this is something that maybe, was it Wendy Nather coined a while ago, which I find interesting. I haven't really heard anybody talking about this particular topic.

      And I'd love it if you could share more about what this is Chad, with our listeners.

      Chad: Sure. And the example I use when I typically talk about the cybersecurity poverty line is, for a number of years I did consulting for organizations large and small. And I had the opportunity to work on building a security strategy for, I think it was, like a 20 billion dollar merger between two tech titans that we've all heard of. Unlimited budget, unlimited resources, unlimited staff.

      So I could help build a strategy that was effectively militarized. It was secured to the nth degree. A number of months later I found myself building a first-time security strategy for an organization that had about 10 employees. They were well-funded, but they had about 10 employees.


      Closing the Security Gaps

      Chad: As I started putting together sort of a product or tech stack to help them build a reasonably robust program, what I found, it's obvious in retrospect. The problems that small organizations had really effectively mirrored the problems of the multi-billion dollar organization. Same problems. The challenge is finding products and finding products that you can afford. 

      Finding products that frankly, beyond, let's say you can afford it, manage, and that fit the business model and the scale and scope of the much smaller organization. It doesn't necessarily always mean a 10-person organization. I'm at a roughly 200-person organization right now, and I have the same kind of challenge.

      I have what I call, grown-up problems, but a high school budget and it's sometimes a challenge to eat both resources and buy tooling to solve some of the same problems. 

      For me to implement zero trust here is incredibly challenging because of the tech stack I have to build out. Not that we don't have the will or the need or anything like that, but finding things that fill the gaps with a much more limited scope of the budget.

      Audra: So is it budget related then, the poverty angle?

      Chad: It's budget and resources. I'd sort of tie those together because both ultimately fall back into the budget space. Whether it's buying a tangible tool or resources to run that tool or someone to even build the strategy. That becomes sort of the challenge for those sort of below that poverty line.

      Addressing Security Gaps in Small Organizations

      Rachael: It's interesting you talk about this. There was an Accenture report, I think they said 43% of cyber attacks target these small organizations, but only 14% have the capabilities to protect themselves. And I don't know, do these organizations kind of think about themselves in terms of this interconnectedness? Because at the end of the day, we're not all just individual companies, right? 

      We're all part of an ecosystem. And when one of those pieces fails, I think there was an auto manufacturer that had to shut down the entire production plant. Because there was a potential breach at a small component parts company. So maybe it's a 7-cent part for an $80,000 car, but it shuts down the whole production. And I don't know if people are really thinking about it in that way.

      Chad: In my experience, no. And this again, is not something specific to my organization right now. It's from what I've seen with consulting, it doesn't become real for some of these smaller organizations until there's a contractual obligation. So in today's world, I typically see what I call government flow-downs. If I'm doing a big deal with the pub sec, or DOD-type organization, they have a whole list of contractual obligations. 

      I have to secure their data, to secure my organization, to do code testing and all kinds of things. Are those things that I would necessarily sign up to do if I didn't have those contractual obligations? For most of these smaller organizations, probably not. You have to spend your security dollars as limited as they are in alignment with your business. And for a lot of these organizations, that's just, not there. 


      Strategies to Bridge the Security Gaps

      Audra: So, considering the fact smaller organizations aren't going to have the same budgets as larger enterprises. What kind of steps or preventative measures can these smaller organizations take to avoid falling below the cyber poverty line?

      Chad: First off, think. Align your security strategy with your business model. If you don't have extensive SaaS programs, or if you're not holding a lot of customer data, then perhaps don't spend all your dollars on things that are more aligned with that SOC 2 compliance or whatever.

      Second, training, more training is, and will always be, the best dollar you can spend. And that's not just training for your security and IT staff, that's training for the company as a whole. And frankly, your executives.

       A lot of the attacks we're seeing today just take advantage of users being tricked. I mean, it's where spam and phishing and all of this stuff really has taken hold as a mathematical, not if, but when you get popped or hacked. And a lot of it just comes back to the mass influx of attacks coming through that.

      So the better you train your staff, and that's relatively cheap spend, the better off you're going to be in the long run. The "see something, say something" mentality has really got to be embedded in the organization.

      Audra: The only challenge is that in training people, it takes them a while to actually implement what you have trained them on. And quite often it's a problem if they don't really learn until either they click on the wrong link or someone else does, and then that sort of thing gets around. 


      [7:22] Closing the Security Gaps with Personalized Cybersecurity Training

      Audra: So training's always, I don't disagree because I think training is essential, but it's more having that as we were talking before we joined on the podcast. I'm probably more paranoid than your average user.

      Chad: I'm right there with you. I agree with you. And I think that's probably one of my biggest frustrations with the sort of commercially purchased training programs that you see today. Ultimately if I'm a line worker or an individual contributor and I come in and I'm required to go through this training class, who cares if it's the company that’s going to get hurt, not me. I've always had more luck training folks, and making it apply to their personal lives. 

      Let's talk in terms of your bank account and your credit card and making sure your kids are safe online and your mom's computer is secured appropriately. Terms that matter and that are tangible and they can take back home. They typically apply in the office, but I don't see that transition, that applicability, and sort of commercially purchased programs today.

      Audra: That's a good way of putting it. In terms of how organizations can work out where they sit. Especially if you're talking about the smaller ones who have smaller budgets, what sort of key performance indicators or other measurements could they use to actually work out their standing? Like where they sit on the poverty line, so to speak?

      Chad: There are benchmarks out there for what your spending should look like. But I always take those with a grain of salt because it varies widely from organization size, and frankly, your business model. 


      Addressing the Security Gaps with Honest Assessments

      Chad: As far as understanding where you are there are boatloads of security strategies, and assessment tools out there. There are frankly some that you can buy. I will not go online and say which company I used to work for that offers a very robust one. But there is an MSP out there that provides a very good security strategy program and a three-year timeline to sort of help you step into that.

      But understanding one with any of the reference frameworks out there, whether it's in this framework or whatever. Doing a valid, very honest assessment versus that standard of where you are is a good first step.

      You may learn that you don't need to comply with all of it. Some of it is not relevant to you. Some of it is probably more draconian than you need to be for your organization, but it does give you a barometer. It's sort of the top end of that security program should look like and you decide again where you should be on that.

      One of the challenges that I see with a lot of first-time or newish security leaders is an assumption that you need to be on the far right of that scale. You need to be a five in everything. And that's not real.

      If you start looking at how security's effectively taught and some of the ways that you really understand what risk management looks like, it is risk management. You decide what appetite your organization has and can afford, and maybe your organization needs to be somewhere in the middle. But you do have a real opportunity to overspend in security space.

      That is a failing of a lot of newish security leaders, getting into the space.


      Mitigating Security Gaps: The Dangers of Stagnation and Complacency

      Audra: Because we do look at things where sometimes we're in conversation with potential customers and they're stating they need something or a particular use case. And so when you're kind of going, "Is that ever really going to happen? Do you actually really need to spend your money on that?" And they're like, "Well, we're quite risk-averse, so we just want everything."

      But those are large enterprises that have the budget to spend. I still am anti-selling people things that they won't use.

      Chad: I agree with you. And the other piece of that, that I see from the vendor space is auditors, saying, looking, just running down the checklist. Half the things in the checklist aren't applicable to the service you provide or the business model or whatever. But they've gotta get the green check mark there. 

      A funny story that I have from a prior life is, I worked for an organization that made web application firewalls. At the time, you could get a check on your PCI compliance if you had a web application firewall. So we literally had an organization buy one, put it in their data center in a rack, plug it in, it blinked green lights, but it wasn't running, it wasn't doing anything.

      So when the auditor came and said, you have a WAF, we absolutely do.

      Audra: Excellent. So in kind of continuing around, so once a business knows where they stand on the cybersecurity kind of levels, they've looked at what they're doing. One thing you talked about in one of your articles was the biggest security risk is stagnation.


      Staying Ahead of Security Gaps

      Audra: Once people decide where they are and do some things, what can they do to stay in motion? Because security is always changing. The attacks are always changing. What can they do to stay on the wave?

      Chad: That's the assumption and frankly, this becomes an executive-level and a board-level challenge. I've had a number of conversations with boards where you get, some one-time funding. You either post brief, or post new, or you're getting a new product out there and you want to do a big spin to get this thing secure.

      Well, the assumption is that's a one-time thing, and it's not real. It sets a false assumption, as you mentioned, the security world's changing minute by minute. The attacks of today are nothing compared to the attacks of tomorrow. 

      I think we're going to see that escalate. The whole threat landscape is just constantly evolving. The assumption that I can secure for today and not reevaluate pretty consistently my security program, is wildly mistaken. There needs to be a pretty rigorous, at least annual, and if we're going to put a time limit on it, at least annual reassessment and security program. And frankly, the security strategy.

      That includes everything understanding the threat landscape for your organization, what threats are relevant to you, and what is not. This can go both ways. Reassessing your sort of baseline for security posture versus sort of what threats are real to you. And realigning the strategy.

      I mean our organizations do this with their business all the time with their products all the time. Failure to do that on the security side is just incredibly shortsighted.


      [14:09] Justifying Security Spending Amidst Security Gaps

      Audra: So one of the big challenges for these organizations, especially smaller organizations, is justifying that the money is spent on cybersecurity rather than on something else. What kind of justifications, could you give suggestions that actually would help people when they're thinking about this?

      Chad: So is the question how to justify security spending versus spending it on product?

      Audra: Exactly. Because you're always out there, fighting for dollars.

      Chad: Honestly, the answer to that's going to vary by business. I always try to align the security program with the business strategy. Like if we have a SaaS product now. So I am aligning my security spend to really pivot to support, and protecting customer data, and our infrastructure that manages the SaaS program. Organizations have to realign periodically as far as that goes.

      And understanding sort of where you sit versus your business frankly is paramount to success and failure, for the whole program.

      Rachael: It's interesting you say that Chad, because today cybersecurity is the cost of doing business. And I can't imagine if you're a smaller organization, kind of thinking what the future ahead looks like. Competitive advantage. I mean all of these things, I suspect security plays a key role in that. And I don't know that a lot of organizations are really thinking that way either.

      Chad: Well, I think one thing that I've sort of seen in the last, I don't know, 18 months, that really makes this quantifiable and tangible is the cost of cybersecurity insurance.


      Cost-Effective Approaches to Address Security Gaps

      Chad: Frankly, the reason that you see your rates skyrocketing is because the cost of a breach. Breach response is skyrocketing, more breaches, the cost of response is ridiculous. Any organization that's ever been through a material security breach, I'm wholeheartedly believing is going to readjust its security spend to make sure that doesn't happen again.

      I've consulted with a number of organizations really in the last 12 months saying, how do I drive down my spending? 

      I've worked with three or four different cyber insurers to help my customers build programs that are more aligned with what cyber insurers need. So they can ideally reduce rates and manage that risk in a different way. But the reality is, the minute you have a breach, particularly a breach that affects customer data, no different than a car accident, once you have an at-fault accident, your rates are going to go through the roof. It's really a proactive stance at defending your budget by appropriate security spending.

      Audra: In terms of cost-effective ways that people can actually approach there's a lot of conversation around zero trust security and kind of everything becoming a SaaS model. And that side of things. Are you using it yourself?

      Chad: Zero Trust? Absolutely not. I honestly have yet to see an organization that I would consider giving the big green check mark for having zero trust fully deployed. I've seen pockets of deployment for very tightly scoped systems. And that's frankly more in I'll say, pub sec space than anywhere else, or maybe some highly regulated industries. But for most organizations right now, it's a pipe dream. 


      AI and Its Role in Addressing Security Gaps

      Chad: And I think there's so much market spend on what is zero trust. Honestly, it varies by organization. So, saying that you have zero trust, may not mean the same thing to me as it does to you. So, again, I think it's a little bit of a marketing spin on that whole thing. No offense to the marketers that may be listening today.

      I think it's a wonderful idea. I think it's a valuable strategy to listen to but I'm not using it and I think the precious few are far enough down the path to say they have a control handle on that.

      Rachael: It is used a lot though, to your point. I was talking to the folks at RSA last year and like what kind of proposed talks you might want to have, and they're like, “Please not zero trust.” Because it's like a wallpaper they said, I mean it's just batted about so much. It's almost what does it even mean anymore, to your point.

      Chad: It's become meaningless. It's like if everything's an emergency, nothing is, well, if everything's zero trust, nothing is, there you go.

      Audra: That's right. The next big buzzword is AI.

      Rachael: Where do you see AI playing in this realm, Chad? I mean, I think so many organizations are feeling pressured that they have to get on ChatGPT and do all of these things.


      Cybersecurity Gaps in the Age of AI

      Rachael: I think no one really knows how to move forward, though. I mean, what's the security concern? How do we protect data, it has to train on data and all these things. I mean, how does anybody navigate forward with this looming? 

      Chad: So it's an interesting conversation and frankly, one that I've had pretty recently with our chief product officer. He is actually, defending his Ph.D. thesis here in just a couple of weeks and specializations around AI to increase organizational effectiveness. So we were batting around security and AI as just informal discussion topics.

      And I wrote our first-ever AI security policy in the last two weeks because of concerns about our engineering team.

      People dumping things in there, and IP gets exposed or potentially customer data gets exposed. We really put some controls around that. And that's actually a risk. Inadvertent exposure leveraging AI is not really any different than inadvertent email of IP as far as that goes. But AI's still relatively unknown outside of a very specialized group of people.

      So the exposures that are going to come out of that, I think we're going to see some pretty scary things, as far as somebody put something in. I don't know, ChatGPT and it learns their secret sauce and now it's communicating their secret sauce with everyone else.

      I think there's a large opportunity for that, and I think we're going to see some things that come out of that are not exactly great.


      [21:05] Harnessing AI and Automation to Prevent Security Gaps

      Chad: The flip side of that, I do think that as AI matures and as our use of AI and intelligent ways matures. There is a great opportunity to leverage automation and AI to reduce the security gaps between sort of multi-billion dollar organizations and 200-person organizations. It's all around leveraging your resources in the most efficient and automated way.

      There are always large sets of data with any of these organizations. And that's really what AI's based on gathering these data and making inferences around the data. 

      Whether it's looking for anomalous behavior or overprivileged accounts or whatever the case may be, there are a lot of opportunities for AI to be of great benefit to those folks that we may say fall below the poverty line right now. I think we've got to get over the hump of maturing everyone with how to safely and securely use AI.

      But once we get past that and get a little more maturity under our belt there, I think there are some great opportunities there. 

      Now, we want to put on the bad guy hat that we flip the coin around every time you have a great technological investment for good, someone figures out fully select Lutheran figures and how to use them for evil. So we have that opportunity as well. And I think I really don't know how that plays out because that could get really ugly really quick.

      Particularly leveraging AI in the cloud and you have sort of unlimited scale on your capabilities with the AI compute pieces. It's going to be interesting and I think you're going to see nation-states probably leverage AI in ways that we haven't really prepared for yet.


      Unraveling the Security Gaps: The Rise of AI in Cyber Threats

      Rachael: My friend used it in deep fakes and how easy it is. He used it to make some photographs and they were wonderful photographs and you'd never know. And he showed me what he had done himself, which was terrible. And then of course the ChatGPT version was beautiful.

      Chad: Just the simple examples I've seen today, they're using AI to write a worm or code or something like that, that defeats this one thing. That's effectively what we've been doing just manually for the last 20 years is, hackers are learning how to exploit some library or some piece of code or some website. Well, you put the power of AI at scale behind that and it's not if but when.

      Audra: And there are sides to that people are generating new AI tools all the time in much more focused specialist areas. So beyond just being able to write a good report and things like that, whether there's an effect in it or not is something else. As we've seen in some of the articles in the press. But they're convincing, it's verbally convincing.

      It's whether or not there are tools that will come along that enable you to do that with code or tools that will come along, which of course there will be. Because it's the internet and we always use the internet for interesting things. There'll be ones I'm sure that are brought out, like what kind of malware would you like to do? 


      AI's Menace in Cyber Threats

      Audra: What kind of characteristics would you like to have? Because if you just take the code from multiple different types of malware and then just bring it in and create something new. Not that I'm trying to give anyone any ideas. 

      Chad: The things that concern me are passwordless authentication where it understands the cadence of how you type, and it's like that's prime for AI. There's no way that stands long term in my mind. Things like voice authentication with deepfakes, as Rachael mentioned, the ability to clone your voice and make you say things.

      Audra: It's so easy now because they're different. I have an innovation background and have had a play with things like one that was called Lyrebird and things like that. All you need is a short snippet of about 30 seconds to two minutes of someone's voice and then you just type it and that auto-generated voice will read what you have typed.

      Chad: A podcast might be the perfect way.

      Rachael: There's still so much more to talk about and you had a really good topic that you wanted to explore a little bit further as well Audra as I recall.


      Tackling Identity Sprawl in Organizations

      Audra: So what I wanted to talk about, I'm a bit more of a paranoid user than most. Even in my personal life, I've tried to keep my identity to myself and I haven't given it up for convenience or not very often. One of the things that really kind of rang a bell in saying that was, I read an article of yours that talked about identity sprawl within organizations. 

      I've always been very keen as a consumer to know what my footprint is out there on the internet. I think people don't think about it from a work perspective or an organizational perspective. Could you explain a bit more about what you mean by identity sprawl?

      Chad: I'm going to take you back 25 years to when I was much less gray and much more young. You could effectively contain your IT sprawl, your IT exposure, by the size of your data center. What was living on a physical server living in a room with a network cable plugged into it because, when I started this thing, wifi wasn't even a thing. We have evolved obviously much past that.

      Now any organization, any person in an organization can take a credit card, buy a SaaS system, and use it for work that may be approved or may not be approved. But effectively there's an opportunity for anybody to go and buy a service online and start using it. So we have accepted IT sprawl as sort of a real thing for a number of years.


      [27:34] The Challenge of Identity Sprawl in Organizations

      Chad: But what we haven't really thought past is the expansion of those IT systems is the identities that live on those systems. Whether it's just purely for authentication or those systems are now holding identity or any other data for customers or staff or contractors or whatever. They're everywhere from HR systems to development systems to things like Slack.

      The assumption is you toss SSO in front of it and magically the identities go away. That's not a reality for most organizations. 

      Radiant Logic's been around for 22 years and we're still seeing organizations that don't have sort of a good handle on all of their identities. There are a lot of products out there in the space, in the world, where the marketing spin is you drop it in front of your IT suite and your identity problems go away.

      But when you start digging into it, those systems don't connect the mainframes, they don't connect to databases, they don't connect a whole host of other things. So you're left with pockets of identities just living everywhere. 

      And when you start introducing individuality, these pocketed systems, the ability to manage those systems sort of grows exponentially. And there, it's hard enough to manage identity if you have everything sort of aggregated in a single unified process to follow.

      When you start having pockets, tens or hundreds, or even thousands of identity systems across your organization floating around, the possibility for you to manage all that stuff effectively, the joiner, mover, leaver problem goes away. It's not sustainable. 


      Mitigating Security Gaps in Vendor Identity Sprawl

      Chad: So this is how you have third-party exposure for some of these bigger organizations. They have vendors who have their own IT sprawl and own identity sprawl and it's not controlled. So it ends up introducing a vulnerability in another organization or the vendor themselves. It's time and time again, you see this kind of stuff.

      And something like three-quarters of all security breaches have an identity component in that breach. Whether it's a privilege escalation or privilege misuse or whatever compromises identities in there. Step zero to any security program is really getting a handle on identity. The biggest piece of that is identity sprawl.

      The better you're able to manage that challenge, the better off you're going to be in the long run.

      Audra: How can people actually manage this? How do you actually stop? Because we can't shoehorn everything behind the Oktas of the world and things like that. So, with your single sign-on and that sort of thing, how can organizations have some level of control over this? Is it town planning when you bring in new applications or what?

      Because we are bringing on new applications to use for work all the time.

      Chad: Again, it's controlling the process. It's about risk management, effectively understanding what bringing on a new application means for your organization. And it is a bit of a bottleneck for a lot of organizations because it requires sort of a risk assessment of the product, how it's going to be used, what data it's going to store. But that's a necessary component for any program anyway.


      Controlling Security Gaps in Identity Sprawl

      Chad: So evaluating what risk the new application means for the organization and baking it into your identity management process. Even if it's going to be a disconnected system, not running through your normal sort of identity management channels. And built into your system so that your onboarding and offboarding process accounts for this additional external identity system. 

      It also has to do sort of the attestations and things like that to make sure the privileges are appropriate. It's an additional layer of work, and it becomes incredibly manual for a lot of organizations.

      But if you want this additional application and it's going to provide value, you really need to understand how you're going to control security around that. I think that conversation around risk management for lots of little identity systems really helps an organization sort of understand what identity sprawl looks like. And rethink whether we really need this application or maybe we need this in a different application.

      And we put it behind us, our identity management program really forces some conversations that probably don't normally happen.

      I mean there's value in the applications, but I think organizations really need to think about, does the value outweigh the risk? It's a question for a lot of these applications, but if you're not evaluating the applications, then you're not doing risk management. Which is the whole reason we're here in the first place.


      Unraveling Security Gaps in Identity Aggregation

      Rachael: But it's so true. I don't know how many identity alert things, all the breaches that have happened, over the years you get like free identity monitoring. And the last one I got was just showing all the places in those free apps like Spokeo or whatever online. “Get this person's personal information for free,” or something and just how many where I'm showing up.

      It's a little unsettling and with your work email address, you forget all the things that you just sign up for. Where all that information goes over time.

      Chad: Not to pivot back, but AI is primed to actually scrape all of the different little pieces of identity data or entitlements that you may have across the whole internet. And identity aggregation, it's sort of step one for a lot of attacks. Let's go and see what we can find out about doing the ChatGPT sort of function and scrape everything.

      And probably some stuff you didn't know about yourself.

      I create separate personas to use online so I don't inadvertently expose my personal details anywhere. So 17 different email accounts depending on if it's a streaming service or retail service.


      [34:33] Unmasking the Real Danger of Security Gaps

      Audra: That's a much better way of doing things than years ago when I first joined Forcepoint. I was running the innovation labs and one of the prototypes we did early on was actually looking at businesses and their footprint and the people who worked for them. Their identity footprint that you could see on the internet. And the thing that gets

      Chad: Again, points back to step one, enable your staff to do a lot of training. Say this is a bad idea and here's why.

      Rachael: I saw an article this morning, I think it was in Fast Company. I'll be interested in your perspective on this because you hear a lot about returning to the office and people want to come back or whatever that might be. And I guess there was research from the Farmer School of Business at Miami University, suggesting the real dangers lurk within the office itself.

      Basically, office workers get complacent thinking the security team has everything covered. Versus saying remote workers now are more vigilant in how they handle security and it's almost like a flip-flopping of the narrative. 


      Revealing Security Gaps: Addressing the Risks of Inadequate In-Office Training

      Rachael: What's your perspective on that there? Should we even bother with training the in-office people if they're going to ignore us anyway? 

      Chad: Training is still going to be number one on my list regardless of security strategy or organization, or business model. Training is number one. The return to office versus remote worker thing. I think frankly it's easier, well I'd like to say it's easier to just do mobile device management on a remote worker's endpoint, assuming they're using a corporate sort of device or maybe not.

      And, just control what can happen with that.

      The folks in the office, and this is not really a new thing. There's an assumption, you drop something in your data center. Frankly drop something in your office and it's automatically secured by perimeter firewall and web application firewall, IPS, IDS, all the things. And so you don't really have to worry about locking down that device. 

      And organizations have been bitten by that sort of assumption for decades now. I don't think this article you mentioned is really anything new. I think we're looking at it with different eyes now because of the remote versus office thing. But that complacency's really always been there. I don't think it's anything new.

      Rachael: I will say when I was in the office, I felt like we talked about it more, there's this thing happening. If you get it, make sure you don't click on it, send it to IT, or whatever. I do miss that because I did learn a lot of things to look out for as well. So I just thought it was an interesting study.


      Bridging Security Gaps with Engaging Training Resources

      Rachael: It kind of surprised me a little bit actually. But I enjoy training it, Forcepoint has some fun security awareness training, infusing a little bit of humor to your point, like bringing it home. Making it more personal and then, you’re kind of like, “Oh, I get it.”

      Chad: The thing about security awareness training and this topic in particular, years ago, but security awareness month is like October, which, obviously coincides with Halloween. Someone had liked the old movie Monsters and Things. I always love those. One because I'm a nerd, but two, because people would stop and look at them. And they always had nice little tidbits of things on. 

      It wasn't just the boring, here's a poster, close your laptop when you're, whatever. But people would look at it and they would take it away and the resources are out there. I think organizations just need to look. And as I said, it's a trivial spend. It's going to cost you some ink and paper to put up a poster and the training resources are free effectively.

      I won't even call it a rounding error. Budget dust is probably more appropriate for most organizations.

      Rachael: So, I know we're coming up on time and I do want to be mindful. One of my favorite questions to ask folks, and I know this is completely out of the blue, but what are you reading right now? I'm in between books, both fun and for work. And I'm always curious about what other people are reading.


      Overcoming Security Gaps with Organizational Discipline and Cyber Awareness

      Chad: I'm reading a Stephen King book right now, and I can't remember the title of it. It's a date, but I don't remember the date. They're good. Professionally, I'm reading books about it. It's older, it's about a guy that goes back in time through like a restaurant lobby or something like that. But I just started that one.

      Professionally, I'm reading a lot of books on discipline right now to sort of round out, building out some strategy work that our organization's working on, and looking at organizational discipline as sort of a risk. Learning when to say no. Rigorous defensive strategy.

      Audra: I like your use of language around kind of the whole, cyber poverty. I actually think businesses need to think about that and that they need to realize that the whole kind of cyber journey is a journey. It's not just a stop with an investment and then you go, it's done next.

      Chad: Exactly. And that's the longstanding gap it always has been. I think the more we, as people, in this field and security leaders sort of keep harping on, journey versus destination, maybe it's going to click one day. 


      Beyond One-and-Done

      Chad: I do feel like I'm seeing the tides turn in that regard. And I think things like SOC 2 regular assessments and then some of the other certifications, FedRAMP, the things with the annual assessments at a very deep level are helping sort of turn the battleship on that. But it's still out there that this is not a one-and-done.

      Rachael: Well, it's great to have conversations like this to remind folks, of what they should be thinking about and what's important. Because I think too often we get in a hurry, and we're just always rushing to catch up and it's hard to take a step back and just, I don't know why I'm doing this thing anymore. Is this actually helping the business?

      So maybe we should look at it in a different way. I think these are very valuable conversations for our listeners. Thank you very much for your time today. This has been a lot of fun.

      Chad: Thank you, Rachael. Thank you, Audra.

      Rachael: To all of our listeners out there, thank you so much for joining us this week. Always the best guest. And I'm going to recap all of the fun things that we learned, cyber poverty line, stagnation, budget dust, all thank you to Chad McDonald.


      About Our Guest