It’s a mystery as old as time: the cybersecurity and technology budget and acquisition strategy. How are they formed? How are these projects prioritized? How are internal teams proposing changes and asking for new dollars (and likely not getting them)? This week, we chat with someone at the heart of the matter for their business, who walks us through how they build their security and information roadmap, or what I lovingly call: quit bugging the C-suite.
David Weisong is the CIO for Energy Solutions and has a background in software development, DevOps, and managing IT functions, which makes him the perfect candidate to properly discuss the ins and outs of cybersecurity and IT roadmaps.
As practitioners, you’ve likely seen the posts on LinkedIn where your C-suite (or others) gripe about the number of vendors that reach out, cold call, and send them emails. It’s not just the volume, though, but the approach and the lack of understanding of their needs. Meanwhile, you’re sitting there wondering why vendors are reaching out to your busy execs, while you and your team are directly impacted daily by the technology and processes in place. While your CISO and CIO are providing air cover from the gifts of fancy dinners, endless swag, and, of course, demos, your team is doing the actual research to determine what ends up being prioritized. You are part of the research or buying committee. For Zero Trust, we’ve also seen this referred to as a ZTAB, or Zero Trust Advisory Board.
That is where we leave you in David’s very capable hands, where he discusses how you can internally build business cases for new processes, technology, and other resources associated with IT and cybersecurity.
David Weisong is the CIO of an energy efficiency and climate mitigation program company.
The conversation revolves around the challenges faced by CIOs and CISOs in the context of security vendors and their interactions with clients.
Understanding and meeting client requirements is discussed, particularly in cybersecurity and risk mitigation.
Frameworks such as SOC 2 and NIST are tools for addressing client requirements and ensuring security compliance.
The conversation highlights the need for continuous improvement, prioritization, and adaptation in the face of evolving client demands and industry trends.
We have a few new episodes in the works, but these will feature several guests at once. We may be slightly off our regular every two-week publishing cadence as a result.
In a recent episode of AZT, David Weisong, the CIO of Energy Solutions, shared insights into how to prioritize IT and cybersecurity projects based on business needs and client requirements.
One of the things that I’m reminded of is that it’s actually good business to be more secure. Our clients actually don’t want more really super secure vendors. They want a smaller selection of really super secure vendors.
David emphasizes the importance of being a trusted and secure vendor. By prioritizing cybersecurity initiatives, companies can build trust with clients and gain a competitive edge.
Connecting the dots between priorities and becoming a trusted vendor is key. You bring less effort on their part to vet you, and you are guaranteed repeat business.
Being a trusted vendor involves aligning priorities with client requirements. By understanding the needs and expectations of clients, companies can position themselves as reliable partners, resulting in long-term business relationships.
It’s a far longer journey. You have to pick initiatives that you can get done in a block of time.
David recognizes that the process of implementing IT and cybersecurity projects is ongoing. Prioritization requires selecting initiatives that can be accomplished within specific timeframes, ensuring progress and continuous improvement.
You have to pick initiatives that you can get done in a block of time. The recommendations from our last audit or year-over-year differences in our penetration and vulnerability testing make us say, now it’s time for us to have this type of monitoring software or maybe it’s an architectural change.
Regular audits and vulnerability testing help identify areas for improvement. By leveraging the insights gained from these assessments, companies can prioritize projects that address critical vulnerabilities and align with business goals.
We’re not in a great position to have dialogue around it. It’s mostly from them to us. I’m reading the tea leaves about where the emphasis is for these larger organizations.
David acknowledges that client requirements are often prescriptive, leaving limited room for dialogue. However, by closely analyzing client agreements and attestation documents, companies can gain insights into the emphasis on specific cybersecurity measures by larger organizations.
Prioritizing IT and cybersecurity projects involves understanding client requirements, aligning priorities with business goals, and continuously evaluating and addressing vulnerabilities. By doing so, companies can build a solid business case for investing in projects that enhance security and establish trust with clients.
This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.
Elliot Volkman: Hello and welcome back to Adopting Zero Trust or AZT. I am Elliot Volkman, your producer alongside Neal Dennis, our host, and a wonderful guest, Mr. David Weisong, who is a CIO over at a, is it a clean energy, clean tech company? Am I getting that wrong already?
David Weisong: Yeah, we’re an energy efficiency and energy climate mitigation program, our company.
Elliot Volkman: Excellent. All right. A lot of regulations and concerns and
David Weisong: Our clients have high standards.
Elliot Volkman: That is so well stated. I love it. And that is just a perfect way to kick this off before I hand this off for a self introduction. Today we are going to be talking about something that I think is plaguing probably people like you on a daily basis, maybe not an hourly basis of What I lovingly call quit bugging the C suite.
So in a lot of cases, it’s quit harassing the CISO. You are a CIO, very similar nature, a little bit broader scope. But security vendors, which Neal and myself have worked with, have been through this conversation so many times. We want to sell into these companies. Let’s terrorize them, but we want to flip the conversation.
We want to actually see what happens behind the scenes instead of just telling them, quit bugging them. Let’s, have a conversation. And that’s where this episode comes from. So that is all to say, David. I’m so glad you’re here. This has been a much needed piece of the puzzle and to get your perspective.
We’ll kick into it in a minute. But David, maybe you can give us a little bit of background on yourself. ’Cause obviously you didn’t wake up and become a CIO. You’ve got a pretty diverse tech background and I’d love to dig into that a little bit.
David Weisong: Sure. Thank you, Elliot. I have been CIO at Energy Solutions for now five years. And in my previous positions, I’ve always been in a position of building technical teams, both as a VP of IS and a VP of software development. And so it’s been very technically focused. I’m typically one, if not, maybe two technology executives.
In more what you would refer to as traditional companies. And that’s certainly the case at Energy Solutions. We were born out of serving a market of utilities to help them implement energy efficiency and clean energy programs. And being the voice of the technology side, you have partners in that; often in traditional organizations, that’ll be the finance department that manages a lot of risk for an organization.
And so that’s typically who I’ll interface with at the C suite level when discussing risk and, coincidentally. When building the teams and building, software, you end up having to reach out and look for frameworks that will help you further your your risk mitigation strategy.
And that’s something that we do a lot of at Energy Solutions, because again, our clients demand it. They, we are just under 500 employees, but many of our clients are. Sometimes tens of thousands of employees. And so their need for vendors like energy solutions is to adopt and be at their level of enterprise security and risk mitigation.
And so I think my career has been really one of marrying the technology side to the business needs sometimes that has been a work product, which You know, enterprise facing software. Other times it’s been helping steer the product direction of an organization and the technology aspects of that toward fruition.
Elliot Volkman: Yeah, I love your background because it’s so perfect for the conversation we’re trying to have, which is essentially. Our audience is primarily security practitioners or adjacent to it. They can’t just say, hey, there’s this hundred thousand dollar platform that we need. It’ll solve all our problems, silver bullet problem solved.
Obviously, there’s larger conversations. It’s, how much pain is there? How much is there ROI? Is it cost effective? Are we a cost center? So there’s just so many different factors and obviously with your background and building teams, but having been part of those teams, in and out how, those things function, especially because you also have a background leading products.
So I’m sure you’ve had plenty of conversations with your counterparts in marketing and sales. I’ve been like, does it make sense to go after those people? Is this mill built for that person or is it built for people under them? And how does that entire ecosystem function?
David Weisong: Yeah. And positioning is big. I think probably one of the most notable things at Energy Solutions is that we’re interfacing with primarily utilities, but often state agencies and also the federal government. And so we get a very interesting perspective on where their risk tolerance is and their expectation of vendors.
And it’s really tough because we haven’t always been just under 500 employees. So when you’re starting in an organization that say has a hundred employees, you can imagine you’ve got a lot of competing initiatives, both within the technology, the IT domain, but also just as a company.
And so you have limited budgets, you have limited bandwidth of what, individual roles can do in a given week. And I think. One of the things that I’m reminded is that, a best practice is to have a more secure environment, everyone can nod their head, but how do you level that up on a priority ladder?
And one of the things that I’ve noticed particularly at Energy Solutions and dealing with our client requirements and preferences is it’s actually good business to be more secure. Our clients actually don’t want more really super secure vendors. They want a smaller selection of really super secure vendors.
They it’s not that they need more. They need to have certainty around the vendors that they work with. That’ll be at a particular level that they can trust, especially when you’re dealing with issues of their data and their PII, which we often get into for the work that we do on their behalf.
And connecting that dots, connecting the dots between, Oh we have lots of priorities and you can, you could have an emphasis with, maybe a particular service if, as if you zoom out enough and you realize that you become this trusted vendor and that’s all they’re trying to make sure of and that you bring less effort on their part to vet you, then you are guaranteed repeat business.
Because they want the predictability. They want certainty. And you’re serving those things, in, in various capacity. And for us at Energy Solutions, we do that through some existing frameworks and, the first framework that we needed to adopt, which predates me joining the company, was the SOC 2 security controls and an annual SOC 2 audit.
And that was what I would say the minimum price of admission. Was to say, okay, we, we handle data, how are we doing that as a services organization? How can we prove that and validate that through third party, audits and inside of that, then you have really a whole buffet of different initiatives around access control at least.
Least privilege access, there’s, there are a lot of things that are baked in there. It’s a lot. We maintain over, it’s over 200 security controls. And so you do your best when you begin a program like that, but it’s a far longer journey, which is part of what I, try to stress both to the executive team and to our internal team that you have to pick initiatives that you can get done in a block of time.
And I think. The place where I’m at now, five years later is optimizing our process and then trying to read the tea leaves of what our clients want from us. And it turns out that a lot of language in our contracts nowadays is just lifted from NIST. It’s
Elliot Volkman: There’s nothing wrong with that.
David Weisong: nothing wrong with it.
It’s a lot. And now SOC 2 audits end up being like literally a check mark on a security attestation. Do you have a SOC 2 audit? Checkmark. Provide evidence. And then there’s 500 other cybersecurity questions that we have to answer as part of our contractual commitment. And it ranges all over, they’ll re-ask things that of course are sitting inside of your SOC 2, but really sometimes very pointed depending on their internal language, or they’re just lifting clauses.
It’s almost like a mini audit in unto itself that’s laid onto our contracts. That’s from NIST or even elements of ISO 27001 that play into it and you’re like, okay, I’m starting to see how they’re organized and they want to map that to us as a vendor. And so
Neal Dennis: I
Elliot Volkman: hold
that deal. No, no deal. I see you ready to go. I’m going to hold one question that I’m going to hand it over to you only because this is a little bit it overlaps way too well with my day job because I definitely understand where your head’s at because I work in the risk and compliance space.
But to make sure that we shape this conversation really well, what I’m hearing is that you’re using these frameworks to identify the priorities and keep everything running in the right track record. And because of that, there are so many different things you’re identifying risk and that you now have to mitigate it to the, to an extent that you do.
And sometimes with mitigation, you have to bring in new tools and technology and processes.
David Weisong: Which.
Elliot Volkman: it, Neal. Now it’s you.
David Weisong: Okay,
Neal Dennis: Oh, you’re good. No, you’re good. David Elliot. It’ll be happy with this 1. I’m not going to take us too far off topic yet. Yeah, I even have notes, so you can’t really see him pause the screen, read them, whatever you want to do, but what I have at the top of this, and you started off right down a really good.
Piece in my opinion you’ve talked about, the tech to business needs, right? And requirements. We’ve, you’ve mentioned requirements a couple of times already. You mentioned the actual needs and mapping these out. And then you also talked about another really great keyword, ROI. And as an intel analyst, just to caveat this, as an intel analyst, in my world, we don’t work without requirements for what we need to be doing, and there are collection requirements, there’s threat and all this other stuff that goes into it, long and short, it’s still requirements.
Requirements are requirements. So I’m intrigued by. Y’all as the middleman in these conversations, you’ve hit this once again, a little bit on the SOC 2 type stuff and the security compliance checkmarks. But what are y’all doing? Or how are y’all approaching the conversations with your potential vendors partners?
And then the clients on the other side to make sure that before you even get into the room, right? That they do have the requirements mapped out reasonably well, other than just check a box for SOC 2 Type 2, because I’m sure there’s a whole slew of other things that they should hopefully be considering.
But how do you go into that conversation to make sure that they’re aware that requirements other than just I want to buy a tool are there on the table?
David Weisong: Neal, are you asking how I might approach our vendors or how I might have that conversation with our clients?
Neal Dennis: More with the clients, right? So the clients need to, I’m hoping the clients are coming to you with more than just the little checklist of, I need a vendor that SOC 2, which is a good requirement that’s a great requirement, are they coming to you, maybe a better question. Are they coming to you with a legitimate in depth list a lot of times to say, Hey, we know what our business risks are, and these are the things we’re trying to mitigate, here’s those requirements list, help us fill those gaps, or are they just coming to you and saying we just want SOC 2.
And that’s where we’re at.
David Weisong: They’re, they are prescribing their, that we don’t, there’s very little discussion about how we meet or why they even have the requirements they have. They’re literally a condition of our master services agreements with the large utilities, specifically, with state agencies or federal government.
It’s all prescriptive. There’s no dialogue about how we do it. So it turns. It turns out it’s, are you doing it? Yes or no. That’s actually an interesting point that I’ll bring up. When I first joined, it was, are you doing it? Yes or no. And then you submitted that back as a response with an attestation or cybersecurity questionnaire.
Elliot Volkman: bit
David Weisong: it went to, are you doing it? Yes or no. If you’re not doing it, when will you be doing it? And then it moved to, are you doing it? Yes or no. When are you doing it? Give me the evidence. So it was very prescriptive and very direct about fulfilling the gap for whatever the security thing is that they’re going after why I referenced NIST is they’ve gone around, you’ve got the three things, right?
You’ve got users. You’ve got devices, and then you have systems, and in our case, we call systems our applications or our platforms that we develop to manage the information that we need to run programs for our clients. And inside of that there’s a whole suite of things that we could be doing or doing on a continuum, like doing a decent job with, say, desktop or local encryption management, that, that’s definitely a category to, sometimes it’s really important because you might be interfacing with a client’s APIs. They want to know a lot more about your infrastructure and your access control and how they’re basically exposing themselves with maybe an API endpoint.
Like who on your team has access to the systems that were going to whitelist that IP address to even talk to this API. So it, it ranges. Depending on the client and the purpose of our engagement, but we’re not in a great position to have dialogue around it. It’s mostly from them to us. I’m reading the tea leaves about where the emphasis is for these larger organizations.
He’s very large publicly.
Elliot Volkman: you
David Weisong: utilities are, make up a lot of our portfolio and what they’re trending towards, the things that are top of mind, you see them in the security attestation documents. Which are an amendment to this MSA, right? We’re going to do business, we’re going to do these services.
And it’s oh yeah. Here’s the cyber requirements. I can tell you in the last three years, the trend on cyber liability insurance has just gone through the roof. The minimums that we need to provide and what that, the cost for that coverage has quadrupled. And do we have control over that?
No. Can we exempt it from our contracts? No, it’s the price of us doing business. So we’re constantly seeing this trend of things that come through in our client agreements and then internally each year we kind of theme or prioritize what it is that we’re going to spend a focus on if we’re barely doing something, which kind of nets itself out in a SOC 2 audit where it’s like, Hey, you passed.
Here’s your unqualified audit. However, here are the list of recommendations that we strongly encourage you to move forward. That becomes part of the theme for next year’s planning, and that does open up an opportunity because there’s an entire thankfully growing market of cyber security.
Tools that kind of play into different aspects of either access control, encryption, zero trust methodologies that, that, that may apply to us or may not because of the type of work that we do. There’s a serving community of vendors that have solutions. I have to be able to compartmentalize what those solutions are.
And I’m not paying attention to these things because we’re doing a, a good job of it, but the recommendations maybe from our last audit or what we’re seeing and year over year differences in our penetration and vulnerability testing make us say, now it’s time for us to have this type of monitoring software, or maybe it’s an architectural change that we’re promoting through our AWS stack.
Neal Dennis: Nice.
David Weisong: That helps.
Neal Dennis: oh, you’re good. I love it. I think it’s good. Thank you. One other quick question. We’re talking about the client stuff. I think it’s pretty straightforward. You’re fortunate, I think, that it seems like a large portion of your clients have a pretty solid list of requirements leveraged to you. Now, on that vein, is there any point of education other than just, hey, you should get Let me back step this slightly.
You talk about the escalation of it used to be yes, no, then it’s yes, no, when now it’s yes, no, when and show work, right? And so those are things you go back to the vendor. As you go through these trends and you see these shifts. Are you taking these requirements or these asks of the solution or these potential problems, if you will, and working with the vendors in your bucket to aptly get in front of some of these trends analysis and kind of coach them the right direction more aptly?
David Weisong: Yes we do, there is a feedback loop. It’s, I would say some vendors want this information. Other vendors, we’re just a customer and we’re becoming a bigger customer for sure, but it’s, I would say not all vendors are equal. And I think that’s actually had a lot to do with my selection of different platforms that we needed to cover the basics.
So we, we think a lot, at least at Energy Solutions, we think a lot about how do we manage our fleet? And so we were a mixed environment, not quite 80/20, but Windows versus Mac, and just because of the size of our organization I trend towards solutions that service both platforms and don’t leave one platform out and now you’re Oh, this is an exception that I have to do extra work to figure out.
So I look for solutions that will give me coverage, which simplifies our administration. The feedback comes when we’re getting where we think we’ve addressed something that may be in, it could be a set of SOC 2 controls that we’re like, Oh, this is what we need, or as we adopt best practices from NIST and other security frameworks.
Where we’re noticing that the questions that are coming to us are getting more specific from our clients. And then I’m asking questions to the vendors hey, what’s on your road map to address this? Because this is super laborsome for us to generate. So some of that is the indirect we’re being asked for this every year for our audit and can you make this easier for us to report evidence?
Sometimes, and therefore it goes into a SOC 2 audit, the SOC 2 report goes to the client. The client’s this is great, thank you.
It’s even more interesting as we move into some direct engagements with market actors, meaning not just utilities, not just State agencies or federal agencies, but market actors in the space that we serve would be like manufacturers or distributors and big ones that are national and they now have very specific questions because we’re doing engagements that deal with very sensitive data from them and they are now coming to us with a list.
And saying how are you approaching this? And that’s it’s interesting because they’re, for profit businesses selling things and they’re engaging with us in a unique arrangement to help their market intelligence and help them participate in the programs that we, that we orchestrate for utilities and for state agencies.
So we, it’s a different kind of relationship and I’m seeing more specifics asked about how we manage something. It’s. I think it was inevitable, but it’s at a level that, that they need comfort because in, in those engagements, sometimes we’re doing something directly with them and sharing and exchanging information, but they’ve never done that with any organization externally.
And so they understandably have a high desire to make sure that our organization is managing things, at a level that, that they feel comfortable with. And we will get into discussions that I always say we’ve, when we’re talking about how we manage our corporate fleet, our users and the devices that we manage, we have three agents that go on every system, so we have something for antivirus, something for encryption management and then something for remote management and monitoring, without fail that, that occurs on all the systems.
If you swing over to the things where we develop software that’s, it’s their internet applications and that the data that sits behind that platform is sensitive between us and another organization, be it a utility, a state agency, or in some case, a market partner who would be, just a giant enterprise a big HVAC vendor or or a big lighting vendor.
Or a distributor of, set equipment they. They are asking us very specific questions about how we’ve managed and how we manage and monitor where those applications are hosted. In our case, they’re all hosted at AWS, and we do get into some discussion about how do we prove that we have a secure environment.
And these are, of course, in scope systems that we do in our SOC 2 audit, but how do we prove. In that hosted environment. That we’re good stewards of their very sensitive information and that, that gets into the details. Most of the time, you don’t have to pull the curtain back to show things, but we’re starting to have those conversations, which is more in depth.
Then say our utility clients are very interested to make sure that we have a third party vetting our infrastructure, but they generally will not dictate much beyond that, getting an audit is good for them. And then asking us a bunch of questions that, that kind of are like a mini audit but they’re not prescriptive in what we use, but we’re starting to see a little bit of this is how we manage something. And we’d like you to be using the same thing. And I think that’s going to be a trend, at least for our organization where we have to be responsive,
Neal Dennis: Nice. I appreciate that. So the one thing in the back of my brain that I hope people are listening and get out of this at Corpi so far there’s been this trend and it ebbs and flows of people moving away from service providers and resellers and purveyors of, the, what I consider the more consultative people in the room.
But it always goes back left, right now. We’ve got large enterprises potentially bringing SOCs in house and moving away from services. We’ve got small shops that always have to take advantage of services. So I say all that because I hope people understand that people like you, like your company as a whole, intermediaries, either to help provide a solution or shorten the time to get a solution in play.
Are really critical when, really at any stage, whether you’re a big enterprise or whether you’re a little company, if you’ve got critical infrastructure in particular, you don’t want to spend 9 months a year trying to figure out if tool A, B and C is really right for your environment, especially if there’s an entity out there that’s already done all that work.
So consultatively speaking, which is also part of my background. I think it’s important to have people like yourself in that role that can help me go from point A to point D and. in a short order as possible. So I appreciate you highlighting and explaining those process flows. I think it’s very important for people to understand.
Now, moving that forward a little bit, thinking about this from security practices and where someone would go you’ve hit on this a little bit from a timeliness perspective, but what kind of role do you think y’all play outside of just compliance, but from helping people maybe understand better, like a zero trust mentality apply to X, Y, and Z.
Policy and procedure like NIST pick a flavor or whatever compliance, how, what’s y’all’s kind of role in maybe potentially coaching them along a path that makes a little more sense structurally in that way.
David Weisong: One, you just said the key word, it’s a path. You don’t get it all. There is no, there’s no hey, can I just pay X amount and then I can cover my security needs. Each organization does a lot of things. Lots of organizations have basic infrastructure that you could say, almost a hundred percent, whether it’s.
Okay, everyone has email, everyone has the need for some office stack, the basics, right? But it gets quite nuanced And I think where I consider a big part of my job is to work with our clients so that they understand that we have a path there.
There’s a route. There’s a road map about things that we’re doing that are, it’s not, the work is never done. There’s always the next audit. There’s certainly there are
Okay.
SOC 2 audit specifically, the controls from time to time will get revised and more, more broken, more granular in terms of their measurement. So I think it’s both for client and for the C-suite, the management of the company, is talking about that. There’s the roadmap and then trying to articulate the themes.
And the themes have to be, that’s the translation part that’s sometimes difficult for both really. Cause our clients our clients are generally, certainly they’re not technology companies. They have a department inside that’s, that wants to make sure that we’re compliant with their requirements, but there’s often other people involved.
So you have to say, Hey, this is where we’re at. Okay. For our initiatives and then when I look at the stakeholders inside of my organization it’s staging how much of that IT budget will be devoted towards the security compliance initiatives. And what are the themes? Some years it’s not buying new tools, in other years
It’s wow, we needed to move ourselves. In a more definitive direction talking about zero trust specifically, why is it that we trust, whatever someone’s notebook is connected to that they’re getting back DNS, that’s legit. Like, why would we do that?
That seems totally crazy. And so that’s something that would be an additional expense to outfit us with some form of secure DNS. As an organization that wasn’t last year’s priority, but that will likely be a 2024 priority for us, and we’ve taken care of basics of endpoint security protection or even encryption, local encryption on a system, but there’s different emphasis points that we have to direct.
And I have to weave a story and we’re on a journey. And I think that’s. That’s where I think I probably frustrate some security providers because I can say definitively, Hey, what we have right now, we’ve already done the budgeting and it’s going to meet our needs for the next year.
So I’m not. I’m actually not open for that discussion because I’m pouring my energy into the two or three things that we need to the next milestones we need to get to. And if they don’t have that product, then it’s you can call me back next year and we can certainly have a discussion.
Please don’t call me. In between, because I have a solution that’s in place and I need to talk to the people who have, whatever it is, whether it’s security NS or encryption management or different ways to look at MFA and SSO, across our entire ecosystem.
So those are things that I have to be pretty vigilant to keep as priorities. I don't know if that directly answers your question...
Neal Dennis: I think...
David Weisong: That's where I find myself having those conversations.
Neal Dennis: I think it tees off another good statement here, which is that just because you've got requirements today doesn't mean they're the requirements tomorrow, right? We've got to always be mindful that things shift, threats shift, needs shift. And...
David Weisong: Yeah. And I think what's interesting too is there's a developing industry of companies that have solutions. There's some knee-jerk reaction when there are problems. I remember we got a cybersecurity attestation that said, hey, are you deploying, or have you deployed, or do you currently have deployed,
whatever the Kaseya solution is, when we had that issue. And it was a separate, adjacent thing that was put in front of us. And I think it was across three or four of our very large clients. They wanted to know, and I was like, wow, so now you do care exactly what I'm doing in terms of deploying a solution.
And for us, the answer was no, we didn't have that solution deployed. But that was within weeks of that issue. I'm curious, if we did, then what would they have mandated as far as a remediation schedule or what have you? It would have been interesting, but that gets... that's like behind the curtain, right?
But then I was asked, and it's part of our MSA that they can ask these questions, so I needed to show my hand and answer that. And I thought, not every business is in that situation, for sure. But in ours, there are so many implied trust relationships. And because we are stewards to safely handle our clients' information, they have an overarching and high need to make sure that we're doing that responsibly.
Neal Dennis: Yeah, that was a fun one. For personal reference, we're recording this with the Christmas tree in the background, which is awesome. This probably won't air, I don't think, until sometime January or February with where we're at. But for those who listen to this retrospectively, comment when you hear this episode on how OpenSSH impacted you over the Christmas holidays, please, since that's the current flavor of the day. Who knows, by the time we get off this call it could be something even bigger. But I say that because this is the other aspect I'd like, the things from a comms perspective that we have to have. There's mandates, especially in the field you're working in with critical infrastructure; there's new mandates around responsible disclosure.
They came out courtesy of the pipeline issue, but now we've got newer ones, and now things over in Europe also, the chunk around how we're supposed to do disclosure now in these environments, timeliness, uniqueness of that data. And I say all that because the pipeline piece pushed us into this whole SBOM world, right?
And I'm imagining, as a company like y'all in particular, having a whole slew of vendors you're working with in critical infrastructure, I'm assuming the SBOM discussions and those conversations left, right of the vertical are probably both complicated as well as annoying at times. But is that something that y'all are seeing as a primary need to have, or is that just something that hopefully people have started coming to the table with,
a "yeah, we can, if we need to" perspective? And if not, how do you get them there? I think that would be the final piece of that.
David Weisong: I'd say it's probably more on demand than anything proactive. I'd say that's typically been the case. I think maybe one of the other things that we've experienced, and this is connected to what you're talking about, is, as an organization, we have... so I guess I'll step back first. There's a roadmap of what we're doing, helping people understand that it's continuous, that we don't do everything all at once; we cover the basics of what we need to, and then we have focus along the way, and that's limited in time or money to be able to address major security things.
That's good. But what you're talking about is actually quite nuanced, in that where's the discussion around risk? And risk for an organization comes in a bunch of different flavors. Certainly a big portion of that is centered around cyber risk throughout an organization: the systems and, again, users, devices, applications, right?
That's where it all sits. But the cadence for the discussions, like what you're talking about specifically, for us is on demand. Internally, because we need to observe our SOC 2 controls, we have internal risk discussions annually. That's not nearly enough for a dynamic environment
where stuff changes and there are vulnerabilities that are uncovered, like multiple per day. Some of them are blips. And some of them are like, this is going to manifest into something very large, very quickly. And you've got to really work through what your remediation strategy is, depending on what it is.
And it's, you can do that stuff on demand, which catches everybody off guard, or you can proactively summarize that and then figure out your audience level about where you do that. I'd say right now, as an organization, we do not proactively elevate those discussions to our clients. We're on demand if they want something from us, but we don't report out.
And I'm a big believer that if you can talk about a cadence for something, you can set the future date for a conversation, like, hey, let's do a vulnerability or threats update. And we're going to do it in three months, do it at the end of, whatever, Q1, step that date forward.
And if there's not much to talk about, knock on wood, great. But chances are there's something to talk about, and set the next future date where you're going to put it in the minds of your stakeholder group, whether in our case it's the management of our organization or the portfolio of clients that we have. I think being proactive in that space is super important. And I'm just reminded that it generally happens on an annual basis. And man, so much happens in a year. And if we look back this year and say, okay, how did cybersecurity things play out in 2023, there are some big milestones there. Now, whether they impacted you or not doesn't negate the fact that they're even there, which suggests that there needs to be a conversation that's more than once a year.
Neal Dennis: Yeah, I agree. I think that's good. I appreciate it. So I'm gonna see where we're at. We're at about eight before the hour. I'm gonna throw it back over to Elliot and see if he's got some other things. I've got a few more things I'd dive into, but they're like 15, 20 minute add-ons. So maybe we come back on another day.
But I just want to...
David Weisong: ...to do that.
Neal Dennis: ...that just for my side, we haven't had a really good intermediary-type personality on yet. And so this is a fun perspective because, once again, for my role, I've played consultant, I've played professional services, I've also played consumer and producer. I've been left, right of the entire vertical over the last 20 years.
And one of the most fun things I personally have is sitting in the middle as some kind of intermediary, whether as a provider, a service solutions provider that's taking it on like you're doing, or a consultant. And I just think people really need to understand how that conversation is beneficial. And it's important to have someone, a trusted advisor in a sense,
whether they're bringing tech or they're just bringing ideas, either way, or both in the mix, especially when you're first just really trying to blow things up and get things figured out, or revamp. I'm gonna throw it back over to Elliot.
Elliot Volkman: Rocking. Yeah, so you're spot on. We definitely could do, like, an entire series about this. Maybe that'll be our spinoff series. I'll add a fourth series into the mix, but I love the context here. You have given a really clear vision of all the different attributes of things that trigger when you need to enhance, prioritize, shape the different directions that come from within and externally. I want to get really tactical. So obviously you are not the sole person that has to find the solutions. That would be a boondoggle. Obviously you are getting barked at constantly. So they're coming in to you as you're going through the audit; you realize, here's the priority roadmap of things that we need to solve.
How do you work with your team to, like, divide and conquer? Hey, we've got to fix this problem, you go figure that out. What do we resolve that with? Is the approach a strategy or a tool or a combination, hopefully a combination? But yeah, what does that tactically look like when you bring in your team to support it?
David Weisong: Again, it goes probably mostly towards themes. So I can share one that was a big shift for us. A lot of organizations that run a fleet of systems will have some version, often stalled out like we were, where we had a hybrid environment with our local domain controllers running Active Directory in a hybrid with Office 365.
And this had persisted. It is not a quick project to just say, nope, we're moving to Azure AD and eliminating on-prem domain controllers, like, in directory services. And so what we do is we pick a handful of themes that are prioritized there. By the way, there's also heaps of problems that come up that aren't security-related; sometimes that gets solved
when you're actually making a robust change in your security stance by adopting a different architecture for something. So there's all this that feeds into the decisions, and then team-wise, for our organization, we have a dedicated IT department. We actually also have a dedicated information systems department, and we draw the boundaries where the information systems department designs, develops and deploys
our software solutions that are consumed by our market participants and what have you, and that all exists in a hosted environment. Our IT department fills more of a traditional space that you would see in a lot of organizations, both big and small, of managing all the critical infrastructure of users, devices,
and what I'll call the applications that are used to conduct business, but we don't develop those applications. And so that group, the IT department, is in charge of looking at how we are going to solve these problems. It could be, hey, what are we doing about secure DNS, or what are we doing about migration to a full Azure AD, in this instance, cloud directory service?
How are we going to manage some of the very difficult things around mobile device management when you don't own the device, which is a really sticky one? Do you just get everybody a secondary device and disallow them from having any applications on their phone that touch company information?
Some of these are really big topics and difficult to orchestrate. We identify the themes; the IT group then... we have an IT director and then a collection of system administrators and others that will look at various market solutions. And we do engage with the market and get demonstrations of things.
We do have some verticals where we actually engage, like, an MSP, or maybe a Cisco vendor, what I'll call a very advanced network vendor, that helps walk us through some different ideas. And then there's the connection with the companies that ends up happening, where we're like, okay, this is what we're looking for.
And we keep the messages, because we get a lot of people knocking on the door saying, hey, we can solve your single sign-on issues. Hey, we can give you better encryption management. Hey, we can give you persistent testing, a virtual testing environment for penetration and vulnerability testing.
So we get all kinds of stuff. So we have, I would say, a growing catalog of would-be vendors that are ready to help us. And so we will then go and talk with those vendors to get examples, demonstrations, and understand pricing, because that's a big deal. Some solutions are just,
like, they would be priced out from being able to afford it. And some are actually nominal, where we're like, that's a no-brainer and we can actually cover that in this year's budget, so let's move. But in most cases, how I like to orchestrate is, I always want a proof of concept before any deployment.
So I need that from our vendors. Like, you give me a space where I can do this, because we have to prove it. And then the second big thing is making sure that they have some clients or customer referrals that I can talk to. If I don't have that, then I have very low confidence that it's something that... these are decisions that last years, and I can't bet on things where I can't talk to another person that has, from my perspective, the customer's view.
I can't if I can't gain access to some group, and I know that people will give their best references, but I need to be able to do that and validate that. And it will invalidate anyone's solution. They're like, hey, we just came to market. It's, I'm not sure I can bet in the space, and I need more certainty before we'll make that commitment.
Elliot Volkman: And you painted a wonderful picture, not just for our standard practitioner audience, but, like, I know we have some vendors that listen, because they reach out to me often trying to get on. But you tackled both sides of the coin here, so I really appreciate that. Your perspective is so important to this conversation.
It actually reminds me of a past guest that we had, which is George Finney, if I didn't mess up his last name. He wrote a book called Project Zero Trust, and essentially it's very similar, although you added additional layers into the mix, where basically there was, like, a data breach and he created this stretched-reality narrative where something happened and it resulted in: we need to deploy the zero trust strategy.
And it walked through these different elements that you just talked about, but I think the one piece missing was there was not, like, a valued partner outside that can walk you through that. Everything was done in house. Anyways, what I got out of this is there's definitely an internal committee.
There's a higher-arching prioritization system that dictates where everything goes. So it's all really interconnected. And at the end of the day, we want to quit just annoying the C-suite. I'm glad we at least hammered that point out. Again, thank you so much for joining us. We're definitely towards the end of our hour, but this was so critical.
We definitely need to continue the conversation. We can definitely expand upon it. I know Neal would probably double down on that too.
Neal Dennis: David, I appreciate your time, sir. Thank you again. We’ll have you back. We’ve got plenty of time.
David Weisong: I’d be happy to visit more and I appreciate the opportunity to share our perspective. Thanks.
Elliot Volkman: Love it. Thank you so much. All right. Join us in two weeks for the next episode, everyone.
Announcer: Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neal Dennis. To learn more about zero trust, go to adoptingzerotrust.com. Subscribe to our newsletter or join our Slack community. Viewpoints expressed during the show did not reflect the brands, employers, or companies of our hosts, guests or potential sponsors.
*** This is a Security Bloggers Network syndicated blog from Adopting Zero Trust authored by Elliot Volkman. Read the original post at: https://www.adoptingzerotrust.com/p/azt-quit-bugging-the-ciso-cio