It always surprises me when I meet a novice or someone who is new to a field or new to a role and they are embarrassed to ask for help. Even worse is when they are afraid that receiving feedback and being less than perfect is a sign of failure or ineptness. I always just want to say, hey let’s go grab a coffee and talk. And in that talk, I would explain to them that when you are new at something it is unrealistic to expect to know how to do the work, the task, etc. without help or in a perfect way and to think otherwise is putting so much pressure on themselves that I can’t understand how they cope.
When you are first starting an endeavor, you often need a who. No, not a what – a who. As John Strelecky wrote in his book “The Why Café” we often need a Who, a person who already has the skills and knowledge in an area to help us, if we want to become competent in a new endeavor. But here’s the thing, the same person who will get scuba lessons, take pilot lessons, go to a music teacher, etc. Is the same one that will take a new role in their work career and decide that they need to figure it out on their own because if they don’t folks will think they are not capable or that they are a failure.
So here is my advice. As a novice or someone who is new to a field or a role, it is perfectly normal to not know everything and need help. In fact, it is crucial to seek guidance and feedback, especially at the beginning of a new endeavor. Don’t be afraid to ask for help and seek out a “who” – someone who already has the skills and knowledge in the area that you want to become competent in. It is important to recognize that expecting perfection without guidance is unrealistic and can put an enormous amount of pressure on yourself. You may find yourself struggling to cope with the expectations that you have set for yourself. Just like how you wouldn’t try scuba diving without lessons or attempt to fly a plane without first taking pilot lessons, you should not expect to know everything and be able to succeed in a new role or field without seeking help. It is okay to ask questions and learn from others who have more experience. Remember, asking for help is not a sign of failure or ineptness. In fact, seeking feedback and guidance from those with more experience can help you learn and improve much faster than if you were to go at it alone. Don’t let the fear of appearing incompetent prevent you from seeking the help you need to succeed.
So, go ahead and ask for that coffee meeting with a more experienced colleague or mentor. You might be surprised at how much you can learn and grow from the experience. #seekcoaching, #becoachable
“Positive leadership isn’t just about being optimistic, it’s about acknowledging challenges while emphasizing resilience and a can-do attitude. It empowers individuals and inspires teams to take risks, embrace change, learn from mistakes and work together to overcome obstacles. Unlike authoritarian leadership, positive leadership creates a more fulfilling and satisfying work environment while driving success.”- Dr. Kevin Lynn McLaughlin, PhD
Let’s talk about positive leadership and how it doesn’t mean that leaders ignore mistakes and not hold team members responsible. Positive leadership, which creates a supportive and constructive work environment where team members feel valued and respected, is better in the long-term for team morale and retention than authoritarian or command and control leadership. This is because positive leadership fosters trust and transparency, which leads to improved communication and collaboration, increased job satisfaction, and a lower likelihood of turnover. Authoritarian leadership focuses on control and punishment, which can lead to a negative and demotivating work environment.
Positive leadership is a critical component of building a strong and successful team, but it is important to understand what it is and what it is not. Positive leadership does not mean that you never hold team members accountable or that you are always behaving in a Pollyanna manner. On the contrary, positive leadership means creating a supportive and constructive work environment where team members are encouraged to learn, grow, and succeed. This includes holding team members accountable, when necessary, but doing so in a way that is respectful, supportive, and focused on growth and improvement. Cybersecurity leadership is about creating a culture of trust and transparency, where everyone feels valued and respected. When your cybersecurity team members trust their leaders and feel valued, they are more likely to be open and honest about their challenges and mistakes, which creates opportunities for growth and improvement. This does not mean ignoring coaching for improvement and learning opportunities nor does it mean you allow them to cover up mistakes. On the contrary, positive leaders must address concerns and mistakes, learn from them, and drive on to be better. This requires leaders to be honest, transparent, and constructive in their approach. Positive leadership is about creating a supportive and constructive work environment that fosters trust, transparency, and growth.Positive leadership is not about ignoring accountability or behaving in a Pollyanna manner, but rather it is about approaching challenges and mistakes with a positive and constructive mindset. One extremely important concept in all of this is to follow the tenet of praising in public and coaching/mentoring in private. Public shame and embarrassment seldom lead to high team morale and high team retention rates.
Kevin M’s Tips For Retaining Top Cybersecurity Talent
As the cybersecurity threat landscape continues to evolve, it’s important to have a talented and skilled team in place to protect your organization’s assets and data. However, finding and retaining cybersecurity talent can be a challenge.
The following best practices can help ensure your top performers stay with your organization for the long term:
Provide competitive compensation and benefits packages
This includes not only salaries and bonuses, but also benefits like healthcare, retirement plans and paid time off.
Create a supportive and inclusive work environment.
This can be done by ensuring your team members feel valued and respected. They should be able to see a clear path for professional growth and advancement within the organization. This can be achieved through regular performance evaluation, opportunities for skills development and recognition for a job well done.
Offer flexible work arrangements
This includes hybrid, remote work, and onsite options as well as flexible schedules to meet the needs of your team – which is especially important post-covid.
Develop a strong company culture
This can be done by encouraging open communication, promoting teamwork and collaboration, and fostering a sense of community amongst your team members. This not only helps to create a positive work environment, but it also helps to build strong relationships and a sense of belonging across the team.
Invest in your team’s professional development
This can be done through a comprehensive and continuous learning program that offers opportunities for your team members to expand their skills, learn about modern technologies and stay up-to-date with the latest industry trends. Offering a combination of in-person training sessions, online courses, and hands-on experiences with innovative technologies is a great way to implement this program. Providing your team with the resources and support they need to grow and develop professionally can increase job satisfaction and help foster a sense of pride and ownership within your organization.
Threat actors are working diligently every day to find new ways to compromise sensitive data and assets. Therefore, it is essential to have a strong cybersecurity team in place to protect your organization. Prioritizing the above best-practices is a great way to keep your team members engaged and motivated, which will increase the likelihood of retaining your top cybersecurity talent for the long-term.
Thank you to my friend and colleague Ibn Akbar at Nice Touch Editing Services for helping me with the edits for this entry.
I would like to discuss the advantages and disadvantages of using AI technologies in the field of cybersecurity. On one hand, AI technologies can greatly enhance the capabilities of cybersecurity professionals in detecting and responding to security incidents. AI algorithms can analyze vast amounts of data in real-time, allowing for more accurate and faster threat detection. AI can also automate repetitive tasks, freeing up security teams to focus on more strategic initiatives. Further, AI technologies such as machine learning, deep learning, and natural language processing can help automate tedious and repetitive tasks, allowing cybersecurity professionals to focus on high-priority activities that require human decision-making and expertise. AI can help detect and respond to cyber threats in real-time, freeing up valuable time for cybersecurity professionals to focus on more complex security issues. AI-powered systems can also analyze vast amounts of data, identify patterns and anomalies, and quickly detect potential security risks, making it easier for cybersecurity professionals to respond to threats before they become major incidents. AI can help improve the accuracy and efficiency of cybersecurity operations. By using machine learning algorithms to identify known security threats and anomalies in data, AI can help reduce false positive alerts, freeing up cybersecurity professionals to focus on high-priority incidents.
However, there are also challenges associated with the use of AI in cybersecurity. One of the biggest challenges is ensuring the accuracy of the algorithms and avoiding false positive or false negative results. This can be difficult because AI relies on data inputs, and if the data is biased, the AI output will also be biased. In addition, AI algorithms can be vulnerable to manipulation, and there have been instances where AI systems have been exploited by attackers to bypass security controls. Some of the primary challenges associated with the use of AI in cybersecurity include:
Bias in the data: AI algorithms are only as good as the data they are trained on. If the data used to train these algorithms is biased in some way, then the results produced by the AI will also be biased. This can lead to incorrect or misleading results and could potentially compromise the security of an organization.
False positives and negatives: One of the biggest challenges of using AI in cybersecurity is the issue of false positives and negatives. This refers to the possibility that an AI system might detect a threat that doesn’t actually exist, or fail to detect a real threat. This can be a major challenge, especially in the context of cybersecurity, where false positives can lead to false alarms and wasted time and resources, while false negatives can result in serious security breaches.
Lack of transparency: Another major challenge associated with the use of AI in cybersecurity is the lack of transparency in the decision-making process. This makes it difficult for cybersecurity professionals to understand how the AI algorithms are making their decisions and to determine whether the results produced by these algorithms are accurate and reliable.
Integration into existing systems: Finally, another major challenge of using AI in cybersecurity is the integration of these systems into existing infrastructure and processes. This requires a significant investment of time, resources, and expertise, and can be a major barrier to the widespread adoption of AI in the field of cybersecurity.
In conclusion, while AI technologies offer many benefits for cybersecurity professionals, it is important to approach their use with caution and carefully consider both the advantages and challenges. Cybersecurity professionals must be vigilant in monitoring the accuracy and effectiveness of AI algorithms and ensure that they are used in a manner that aligns with the organization’s security goals and objectives.
For the past few years I was puzzled by the concept of Zero Trust (ZT). I thought it was this big, nebulous thing that I just could not wrap my mind around. Every time I asked a vendor partner for a definition I received a different one, and each one just lead me to having more questions. I finally sat down with a group of trusted practitioners and vendor partners and forced a meeting that lasted as long as it took for me to understand what is meant by ZT. Here is what I came up with. Hopefully, you will find it to be somewhat useful if you are just now starting your look into ZT for your organization, and if you are not – you should be.
ZT is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve security posture (NIST 800-207). ZT follows three core principles of: assume breach , explicitly verify, and least privilege. Core parts of ZT are privileged access management, placing cybersecurity controls at the perimeter, on the end points, and building out your defense in depth architecture. ZT is having items such as the following in place:
MFA
Mobile Device Security
EDR/Advanced EDR
CASB
Email Security
Privileged Access Management
Clean Admin Workstations
Tools to protect or secure legacy infrastructure and apps
Going passwordless should be strongly considered. –
NAC
DLP
IPS and AV at the Perimeter level and server host level
Network segmentation
Management of Special through their life-cycle
Removing Admin from the users that don’t need it: removing unnecessary services, ports, protocols or applications (principle of least privilege)
Just in Time (JIT) – this is providing elevated privileges only when required and then removing them.
In reading through this list, most of you have already put in place most or all of the items on this list. Which means that you are well on your way or have pretty much completed your ZT journey.
Other items of possible interest:
Continuously communicate and start communications with regional and country counsel as early as possible. Keep them informed of the ZT journey and how/why the environment is changing.
When first arriving at an organization that has not invested in a major cybersecurity program and then looking at the sheer number of computer vulnerabilities in the environment a sense of feeling overwhelmed is a common initial response. In many cases the numbers can be upwards of one million vulnerabilities that need to be remediated. My advice is to keep a couple of concepts in mind, kaizen or continuous improvement over time and the old saying that you eat an elephant one bite at a time. As a practitioner who has faced this task many times over the past 30 years, I can tell you that it is not as daunting to complete or to get alignment and buy-in from your Information Technology (IT) colleagues to complete as it first appears. The National Vulnerability Database (NVD) is part of US government repository of standard-based vulnerability data and is part of the National Institute of Standards and Technology (NIST). This vulnerability database enables automation of vulnerability management, security measurement, and ensures standard compliance. (Wang 2009) NVD contains a list of vulnerabilities, exposures, and an associated risk score for each vulnerability. This risk score is known as a CVE score is an integral part of the NVD and Common Vulnerability Scoring System. Most commonly used vulnerability scanning tools and services make use of this CVE scoring system to assign a risk number or indicator to the vulnerabilities it finds. The higher the CVE score the greater the risk and in general the more urgent it is for you to remediate. I recall arriving at one company in an operational IT security role and during my first morning one of the cybersecurity team members came by with a cart, in the cart was an extremely large number of papers, about 10,000 pages to be exact. The guy looked at me, said good morning and then started to leave without taking the cart, I asked him why he was leaving the cart and he said “oh, those are all the vulnerabilities you need to tell IT to fix”. I did take a quick look and there were about 30 per page of all criticalities. I took the cart to the loading dock, found a dumpster, and dumped the pages into the dumpster. I then scheduled a meeting with the cybersecurity vulnerability team to talk about a process for handling vulnerabilities that would actually work. The process we aligned on looked something like this, and it is one that has proven effective across multiple companies. As the ultimate goal is to reduce overall risk, we started by agreeing that the risk listed in our current tool as Catastrophic would be the most important ones to fix first as they would reduce the highest level of risk in the shortest amount of time. As a bonus, many of the patches that resolved those types of risk overlapped in resolving some of the lower-level risk as well. At first there were always a staggering number of catastrophic risks to resolve, though not as staggering as a 10,000-page hardcopy PDF manual. We then agreed that the patches which needed deployed would be deployed in the order that hit the greatest number of systems versus those a patch that only impacted one or two; in many cases a patch to resolve a vulnerability is needed across all the Windows servers for example vs only one older version of the Server Operating System. Once the Catastrophic vulnerabilities were eliminated, we agreed that we would move to Critical, then high, then medium and eventually low. As our tool provided an executive summary of the vulnerability and a recommended patching solution along with a breadth of details that were very interesting but not relevant to the IT patching team, we further aligned that the electronic report the vulnerability remediation team received would show: System name, IP Address, MAC Address, OS Level, Vulnerability, and the recommended patch to be deployed along with a status and comment column. Lastly, we aligned the number of patches that IT was willing to deploy during their weekly or monthly maintenance window. Following this approach, in all the cases that I participated in, the number of Catastrophic vulnerabilities across the infrastructure was reduced to near zero within 12 months. Some of you may question if that is good or not or if that took too long but keep in mind that also in every case these same patches had been left, in general, unattended and unpatched for years as the sheer volume of patching that IT was being asked to do was just overwhelming. Some readers are most likely questioning why IT would not just patch systems regularly and are most likely wondering why systems would be left unpatched and be left in states of vulnerability. Yes, automatic patching should be highly encouraged and should be used across the majority of organizational systems, but the simple truth is that system patching can and does break an IT system, not as much in modern days as in the past but I can recall reading recently where this OS patch, or that Application patch needed to be pulled back because it caused a major system failure. ITs job is to keep their Organization up and running so they are hesitant to complete broad based patching for every issue on a weekly basis. By taking and aligning on a risk-based approach that provides a manageable and workable solution for the IT patching team / support staff we are more likely to get the cooperation needed to drive vulnerabilities downwards and reduce overall risk. IT leaders in the organization are very security conscious and they really do want to be great security stewards, but they also are driven to keep the business systems up and running and therefore making money for the organization. To simply dictate an unreasonable course of action and then throw our hands up in disgust when they don’t engage and do what we ask is not being a trusted and helpful cybersecurity partner to IT or to the business. As Stephen Covey said in his book The Seven Habits of Highly Effective People, if we want to reduce risk (Vildal 2012)we need to work towards the win-win solution (Covey 1989) and then aggressively drive that forward while monitoring and adjusting the results as needed. By driving this one-team, one-goal approach to reducing risk through reduction of cybersecurity vulnerabilities the chances of a successful outcome are maximized. Do this work right and you end up with a metric that looks like the one below, which is a great story to share with your executive leadership team.
Covey (1989). The Seven Habits of Highly Effective People.
Vildal, M. (2012). “A systems thinking approach for project vulnerability managment.” Kybernetes Emerald.
Wang (2009). OVM: An Ontology for Vulnerability Management. Marietta, GA, Southern Polytech State University.
Denotes steady state showing new vulnerabilities that are discovered and then removed at next patching cycle
The bad guys are now starting to target mid-tier companies with their hacking activities. In many cases these companies have not yet come to realize that having a Certified Chief Information Security Officer (C|CISO) or a Virtual Cerified|CISO (vC|CISO) is something that needs to be accepted as a part of doing business. The recent Presidential report on how Cyber Attacks impact the economy of the U.S.A. makes it clear that the cost of having a security expert on staff or on retainer is well worth it if the smaller company wants to remain in business. Cyber crime is putting many of these smaller companies out of business simply because they cannot recover from the post breach losses. At the same time these companies may not have the dollars to pay for a full time C|CISO, so their alternative is to explore the vC|CISO concept. The vC|CISO model can be leveraged to effectively manage security risk for small to mid-tier companies.
If a company is going to explore the hiring of a vC|CISO they need to make sure to do their due diligence and ask about the certifications (such as the one in the graphic below) and experience of the vC|CISO they are going to have giving them advice. While there are a lot of good vC|CISO options available there are just as many vendors and security professionals touting themselves as vCISO’s who lack the background or experience to be of much help. I lack quantifiable data on this point but I would say you should expect to pay between 3 and 400.00 per hour for a vC|CISO, the good news is you can choose what % of their time you want them to work for you (10%, 20%, on retainer, etc.) and then only pay for that portion of time.
Successful ransomware attacks are at an all time high, we are losing the cyberwar, cyber criminals are making more money than ever before and it is only going to get worse, a cyber attack could be as damaging as a nuclear war – the headlines abound with comments such as this. Yet, there are still a lot of postings about how information security should not be the office of No. Really? Information security is a security function, as an information security professional are you really going to say – Yes, sure, go ahead and port that un-scanned software code into our production environment? I would hope you are going to say no you cannot port that un-scanned software code into our production environment. No is not a bad word, it is one that the job requires us to say. If you are offended when someone says you are the office of No- don’t be. To be a security professional no is a good response. I train my team members to say “yes, but” in order to soften the perceived impression of the word no ….. (here’s a clue – “yes, but” is still a no – no matter how you spin it).
However, I have yet to sit in a business meeting and see any of my peers simply say no without being willing to engage in dialogue that would lead to a good and secure solution. So for those who don’t like to say no then do it this way – yes you can put that server with 2 catastrophic exploitable vulnerabilities into the environment after we help you remediate the vulnerabilities or work on additional adequate controls that will allow us to use the server in a safe and secure manner. For me, information security professionals can and should say no, but after doing so we need to be helpful and smart enough to engage in conversations that help the business figure out how to do what they want to do in a way that is cost effective, safe and secure.
In many ways with the types and amount of successful attacks we are experiencing across the U.S. infrastructure being the office of Yes is a far more scary response than saying No to items that put your business at risk.
One item that really bugs me is to hear IT and Cyber Security professionals espouse that the perimeter is dead and that Cyber Security professionals should stop focusing on tools that protect the non-existing perimeter. I was at a lunch with a fellow CISO a few months back and he had invited his CIO to lunch with us. The CIO had recently attended a seminar where they talked about the perimeter no longer existing and he was truly wondering if he could just get rid of his firewalls. It was a fun conversation but also a bit scary to me that the conversation actually had to take place. The reality is that while the perimeter has changed we still host most of our systems and data in a data center or in multiple data centers and whether these data centers are on premise or in the cloud they still have a perimeter that needs protected. Bad actors, both external and internal need to be kept out of areas they have no business being in. To do that requires a strong perimeter consisting of next-generation firewalls such as the ones Palo Alto or CISCO provides. These first line perimeter defense tools should alert into your Security Alert tool (such as QRadar or Splunk) and should also be running Intrusion Prevention and WildFire type of technologies.
The Perimeter exists, heck in most organizations an argument could be made that multiple perimeters exist. Let’s quit saying that there is no Perimeter as the people we are tasked with protecting don’t need to be walking around thinking that they can get rid of their perimeter protection tools.