On Aug 24, 2021 odix hosted an all-star panel of IT leaders to discuss the most impactful paradoxes and the widespread cyber misinformation shaping the tone of cybersecurity today. Bringing together a unique blend of MSP visionaries, hackers, military veterans and NGO leaders, the event included the insightful remarks of Chris Roberts, Diana Kelley, Dr. Oren Eytan and Matt Lee, bringing new clarity to what can practically be done to improve your cyber defense.
We highlight some of the most meaningful remarks in the blog below.
What is the biggest misconception in cyber protection today?
“The tools, and I apologize that this will not necessarily be something positive for you. But the conversations still stand that are not security, right? We’re so peddled to by the vendors, and I love you all, saying this will stop this, and this will make it malware free, and this will solve this, and this will fix this, that you have this paradox where you can’t actually teach the practitioners that that’s not true.
Just like if I’ve got to go play baseball, I have to have a bat, I have to have the ball, and I have to have the shoes, the appropriate cleats and the things I need. You need tools, you do need them. But the core of it is the baseball player. The core of it is the understanding of what we have to do to deliver security in an effective manner. And I think one of the challenges we fight is that it’s paradoxical: believing that you can tell everyone that this will stop everything, this will fix this, this will make it malware free, this will solve the risk of an email attack and compromise. When you translate that out, we really should be telling them no, it won’t; these are the things you need to put in your tool belt and line up, and make sure that you have your gaps covered, that you’re aligned to a framework, that you’re using that framework to test yourself against, and that you’re not holding false expectations.”
How do you balance the value of technology vs that imparted by employee education?
Dr. Oren Eytan:
“When you are approaching an organization, you start to see: what is the human factor? Where does the technology start? When you are doing some assessment of the risks that you’re facing, because they are not the same risks for an SMB, or a large enterprise, or a defense entity in Israel or the United States. They all have different risk environments, they all have a different assessment of the other side that would like to control their assets, would like to penetrate them and, of course, to damage them. And now you come to the point: okay, so who’s going to do that? Without any bias? Completely objectively? And, you know, you’re still looking for this objective entity that will say, okay, for the SMB, this and this will be enough, because, you know, what are they using? Are they using only email? I mean, they don’t need, you know, much more than such and such protection. And once you do that, you’ll be able also to do some analysis of, okay, what is the human factor? What is their education? What would they still need in order to be more educated towards the same risks and the same attacks that you mentioned before? So I think, and it sounds complicated, but it’s not that complicated, I think organizations can really do that and can do it successfully. And then decide on, you know, what the human training required is versus all the technologies that we would like to integrate into this organization, and the formulation of this mix and the amount of each part of it; I think this is the magic equation that, you know, we are looking for.”
How can we build cyber resilience to meet the needs of businesses of all sizes?
“This is why it really goes back to understanding, to creating an assessment, understanding where the risks and exposures are, and then creating a plan, because most smaller companies, a lot of the nonprofits and NGOs, have limited resources. And that means we can’t do everything, right? Even large, well-funded enterprises have to make prioritization decisions. But certainly the smaller you get, the harder those decisions can be, or the more resource-limited you are.
So it’s about understanding where the real exposures are, what you need to get done, and then creating a plan and doing what you can. There’s no perfect, unfortunately; no company can accomplish everything they want to from a security perspective. So it’s about figuring out what are the things that are going to give us the biggest bang for the buck? Where are we going to get our 80/20 Pareto principle?
And how are we going to, you know, how can we invest these limited resources? It’s about making these decisions wisely, and really engaging, especially when you’re at these smaller companies, engaging the executives in the decision making. At larger companies, yes, executives should be involved, and the board for some really big decisions needs to be involved. But generally, you’ve got so many people, if you’ve got hundreds of thousands of people in an organization, the CEO can’t be involved in every decision. But at a smaller company, the CEO, the CIO, the CFO, they often are involved in these decisions.
So it’s really on the side of security to make sure that as you’re creating this plan and explaining it to the executives, you do so in a way that’s going to make sense to them, that they can embrace, so that they can make logical decisions and reasonable decisions for the organization, because it’s really easy to snow or flood somebody with a whole bunch of scary tech jargon.”
What are the easiest steps to implement on day one to improve your cyber defense?
“You know, it’s the simple stuff. And again, I’ll take the military approach on this one: you typically don’t go kick in a door or jump out of a plane until you actually know what the situational awareness is. Yeah, we continue to try to protect companies without understanding what the hell we’re protecting. We continue to go into organizations and say we can protect you, or the company goes hand in hand, buy this to protect myself, without fully understanding their situational awareness.
So if you don’t know what the hell you’ve got, how the hell do you know how to protect it? So this is where, you know, we need to go back to the very simple stuff: look at your assets, physical assets and digital assets. And by the way, when you tell me you don’t have enough people to do it, go get a frickin’ intern, go get an apprentice, go pull somebody who’s just coming out of the military, hand them a piece of paper and a pen or a pencil, because some of them shouldn’t be allowed to have actual pens, and then say, actually go do asset inventory for me, go do some checking for me, tell me what I actually have.
So that now I can understand how the hell they’re protected. Now I can overlay passwords, MFA, 2FA; now I actually know what I have on my mind, because I’ll tell you right now, you ask any company out there, any organization, including .mil and .gov, and they will tell you exactly what assets they have. So how the hell do you know you’re protected?”
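The asset-inventory step above is where most organizations fall down: what the network actually exposes rarely matches what the spreadsheet says. The following is an added example, not code from odix or any panelist, of the reconciliation a practitioner would run once that intern hands back the list. It compares a constructed CMDB export against constructed discovery output (the line format loosely mimics a grepped `nmap` run and is an assumption, as are the `owner`, `mfa` and `edr` columns), reports hosts seen on the wire but unknown to the inventory, hosts in the inventory that no longer answer, and then overlays the control coverage the speaker mentions (MFA on admin access, endpoint agent, named owner) on what remains.

```python
"""
Reconcile network discovery against the asset inventory, then overlay control
coverage. All input data is constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed inventory export (hypothetical columns: owner, mfa, edr).
INVENTORY_CSV = """hostname,ip,owner,mfa,edr
web01,10.0.1.10,platform,yes,yes
db01,10.0.1.20,data,no,yes
jump01,10.0.2.5,it,yes,no
legacy-fs,10.0.3.40,,no,no
printer-old,10.0.4.1,it,no,no
"""

# Constructed discovery lines: "<ip> open <port/proto> <service>".
DISCOVERY_LINES = """\
10.0.1.10 open 443/tcp https
10.0.1.20 open 5432/tcp postgresql
10.0.2.5 open 22/tcp ssh
10.0.2.77 open 3389/tcp ms-wbt-server
10.0.3.40 open 445/tcp microsoft-ds
10.0.9.9 open 8080/tcp http-proxy
"""


@dataclass
class Asset:
    hostname: str
    ip: str
    owner: str
    mfa: bool
    edr: bool
    services: list = field(default_factory=list)


def parse_inventory(text):
    """Map IP -> Asset from the CSV export; yes/no flags become booleans."""
    assets = {}
    for row in csv.DictReader(io.StringIO(text)):
        assets[row["ip"]] = Asset(
            hostname=row["hostname"],
            ip=row["ip"],
            owner=row["owner"].strip(),
            mfa=row["mfa"].strip().lower() == "yes",
            edr=row["edr"].strip().lower() == "yes",
        )
    return assets


def parse_discovery(text):
    """Map IP -> list of open services, ignoring malformed or non-open lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "open":
            continue
        ip, port, service = parts[0], parts[2], parts[3]
        seen.setdefault(ip, []).append(f"{port} {service}")
    return seen


def reconcile(inventory, discovery):
    """Return (unknown, stale): live hosts missing from inventory, and
    inventory entries that did not answer. Attaches services to known assets."""
    unknown = sorted(set(discovery) - set(inventory))
    stale = sorted(set(inventory) - set(discovery))
    for ip, services in discovery.items():
        if ip in inventory:
            inventory[ip].services = services
    return unknown, stale


def control_gaps(inventory):
    """For every inventoried asset, list which baseline controls are missing."""
    gaps = []
    for a in inventory.values():
        missing = []
        if not a.owner:
            missing.append("owner")
        if not a.mfa:
            missing.append("mfa")
        if not a.edr:
            missing.append("edr")
        if missing:
            gaps.append((a.hostname, missing))
    return sorted(gaps)


def run(inventory_csv=INVENTORY_CSV, discovery_text=DISCOVERY_LINES):
    inventory = parse_inventory(inventory_csv)
    discovery = parse_discovery(discovery_text)
    unknown, stale = reconcile(inventory, discovery)
    return {"unknown": unknown, "stale": stale, "gaps": control_gaps(inventory)}


if __name__ == "__main__":
    report = run()
    print("On the network but not in inventory:", report["unknown"])
    print("In inventory but not seen:", report["stale"])
    for host, missing in report["gaps"]:
        print(f"{host}: missing {', '.join(missing)}")
```

The two "unknown" hosts are the real finding: an RDP listener and an HTTP proxy nobody has written down cannot have MFA or an EDR agent overlaid on them, because nobody knows they exist. The stale entry is the other half of the same problem, a record that will absorb budget and attention for a box that is gone.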
Dr. Oren Eytan:
“I’ve been asked the same question: we need to do three major things, which are awareness, awareness, and awareness. And I think this is the key. As Chris said, and I think we were talking about it throughout this session, the human factor is critical; we should increase the portion of the human factor in the formula of the training and the tools that we say we are about to protect our organization with. So I think the first major thing is, in order to increase the awareness, how do you do that? You train the people, you educate the people, you show them a lot of examples. You make a lot of demos for them, you know, of what can happen, and other things.
So they really feel that it is not science fiction, but it’s really across the block, it’s there. Because one of the things that, you know, people always say, and tend to say, is, well, it won’t happen to me, I’m secure, and so on, but they really don’t realize how simple it is to penetrate them.”