Simplify for Success - Conversation with Dan Doggendorf
Dan is a founder and principal advisor of Pro4:Six Consulting and comes with over 25 years of experience in the field of information security and audit compliance.
Mr. Doggendorf discussed the ways for strengthening the organization’s cybersecurity controls and having a strategy for dealing with an attack. He stressed the importance of practicing the disaster recovery plan and evaluating the backup strategy.
Priya: Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid-paced work environment.
We've invited a few colleagues in the data and information governance space to share their strategies and approaches for simplification.
Today, we'll be talking with Dan Doggendorf. Dan is the founder and principal advisor of Pro4:Six Consulting. Dan brings more than 25 years of experience in the field of information security and audit compliance. Previously, he served as a CISO and global infrastructure and IT operations lead at Corteva Agriscience, CIO at Dallas Stars, CISO at GameStop, Penson Financial Services, and Belo Corporation, and head of the inaugural computer risk management departments for the Kansas City and Omaha Arthur Andersen offices.
Dan, welcome to our podcast.
Dan: Thank you very much.
Priya: October is National Cyber Security Awareness Month and, as you know, the breadth, the depth and the impact of data breaches have dramatically increased during the COVID-19 pandemic. According to the 2021 report from IBM and the Ponemon Institute, the average cost of a data breach among companies is now $4.24 million per incident, and it's the highest it's ever been in the last 17 years. The number of data breaches through September 30th, 2021 has also increased. It's now about 12,191 breaches this year up to September, which is about 17% more than the total number of breaches in all of 2020. Phishing and ransomware continue to be primary attack vectors.
So, despite the importance of cyber security and obviously the increase in the number of breaches, when about 40% of organizations surveyed were asked, you know, how much cyber security costs them, it tends to be about 10 to 15% of their total IT budgets. Why is this topic of cyber security more important now than ever?
Dan: Well, it's an interesting question Priya. Because I don't necessarily feel that it is more important now than it ever was. I think it's always had the same importance. It's just that now there are more high profile and expensive ramifications for not addressing it.
And so if you take that perspective about it, even in the pandemic, when we were all doing remote access and that type of thing, had the right principles and approaches been put in place from a breach perspective, this could have been a pretty non-differentiating environment, right?
Because we should have always been worried about the remote access and what data they can get to and the exposure it is to our corporate environments. That's always been a concern. It's just never been one that has really been addressed or paid attention to from a priority perspective.
Priya: So as an ex-CISO yourself, how can a CISO make sure they're adequately protected against ransomware attacks? Why do you think it's not a very easy task?
Dan: Well, I think there's a few different things that make it a challenging one and from a defense perspective, I'm of the belief that preparation is your best defense, right? So, if you go down that path, you know you have to take a hard look at your backup strategy. Your data backup strategy, and your recoverability. If an incident does occur and talking about it with your backup vendor, whoever that may be, what is it about their product or solution that protects you from ransomware?
Some of them have something, and some, quite honestly, if you ask the question, don't have an answer for it, right? I just read an article this morning that one of the backup vendors is now offering a ransomware recovery warranty: if their backup system isn't successful in recovering your organization after a ransomware attack, they will pay you, I think it was up to $5 million, and it's just another form of cyber insurance, right? That's kind of a cool thing. I don't know if it's going to go anywhere, and if other backup vendors will kind of jump on that, but it's a cool idea.
So, I think recoverability is a key component. The other aspect that I'm a firm believer in is that the best defense, and it's always been this way, is an educated user, right? If you have a very strong educated user group, now you're relying on people and they have this security prevention thought process about it. And that takes a lot of pressure off the tools, right?
So, I think spending a lot of effort on security training, ironically, we're doing this during security Awareness Month. But I think that one of the best investments that you can make as a CISO is constantly educating your user community on how to protect themselves not only from themselves, as an extension of your corporation, but themselves in their personal lives as well.
Priya: I agree. So, you know, one of the things that we always talk about is that security awareness, right? Training sometimes is restricted to just phishing attacks and then you have your acceptable use policy but there is more to it. You know even from a backup perspective you talked a little bit about making sure you're adequately backed up and part of that is the tools and making sure that you know the tools are working effectively. The other part is what are you backing up and what is part of your disaster recovery plan and what is critical and what is not so critical.
I mean, knowing the differences and sometimes it takes more than you know, just the security folks to kind of be able to put that together. So, as you said, you know awareness is very critical and you need the business users engaged, you need IT engaged and the only way they're going to be engaged is with more awareness and training.
Dan: Absolutely, and on the disaster recovery side of things, one of the things that I think people and organizations make a huge mistake about is they'll spend time doing roundtable exercises which are fantastic and they should be done. Not many organizations actually practice their disaster recovery plan and say, you know what, this data center is gone. What do we do? And literally, just turn it off.
I've worked at organizations where we did that and the lessons that you learned from that are invaluable.
Priya: That makes sense too, so you know we're talking about practicing disaster recovery, fostering a relationship. How do you foster a partnership between legal, privacy, IT, security, and for that matter, business as well? What do you see are some of the challenges in your mind in achieving this, especially, in larger corporations?
Dan: Yeah, it's interesting because, for whatever reason, what's always been a strength of mine is fostering those relationships, and quite honestly, I think a big obstacle to fostering those is just the communication styles, if you will. So many CISOs and security leaders have come out of the IT world, and that's what they speak, is IT. As you very well know, not everybody speaks IT, right? And so, I kind of equate it to a foreign language, right? If I'm trying to build a relationship with someone and we don't speak the same language, how are we ever going to build the relationship, right?
It's going to be very, very challenging. And so, one of the things I think is that the CISOs need to tone down the technology gobbledygook if you will. And just have personal relationships and so much of it is about a business relationship. Business relationships are okay, but the way you really break down those walls is by having a personal relationship, maybe it's about baseball, maybe it's about Monopoly, maybe it's about the spelling bee. I don't know. It could be about anything but fine. Just like when you're meeting friends outside of work, you have to do the same thing. You find those commonalities, and that's what relationships are built on, and understand what their pain points are, and what their concerns are. And be empathetic to them, and not fake empathetic but real empathetic because they're real problems. And they're depending on you so many times to help them solve those problems.
Priya: Agreed, so we talked a little bit about fostering relationships, you know. What are some of the challenges though, you know it's beyond just, you know, speaking the same language are there true challenges in building this relationship?
Dan: There are, and some of those challenges are personality conflicts that you just have to accept. We're not all best friends with everybody we work with, right? And that's just the facts of life. But you fight through that and you work with them together anyway. And you just have to, that's part of it. My kids are 21 and 18 and we're having a lot of conversations about adulting, and "welcome to adulting," right? And I think being able to have a relationship with somebody that maybe you aren't on the same level with is part of that adulting, and CISOs should be leading the way in that regard, in my opinion. I think one of the other challenges is there's such a high turnover rate within the CISO chair that more often than not, there are a lot of roadblocks and obstacles and bad taste in folks' mouths that you have to overcome to build that relationship. And we, through some of our predecessors, are instantly the bad guys. And all we're going to do is say "can't do that, can't do that, can't do that."
One of the things we CISOs have to remember is that the business is there for a different reason than security. We are an enabler to what the real purpose of that business is. Whatever it is, whatever widget they're making or selling, we have to remember that we are an enabler and quite honestly, the other aspect that I, I think that has served me well, is realizing that we are not the ultimate decision-maker on security things. We are educators to the executive team who is the ultimate decision-maker and once they make a decision, if we've shared with them all the pros and cons and facts and figures and made them an educated decision-maker, I feel we've done our job. Now, if they make decisions that are something that we just absolutely can't accept that liability or that risk for, then we have a choice of leaving that organization if it's just something that is so, so bad, right?
Priya: Yeah, you bring up some good points. So, this applies to compliance and privacy as well, right?
So, you are educators. You don't want to be looked at as someone who's always saying no, but how do you bridge that gap between security and business? Make sure the business is able to function efficiently and securely, but without stopping the business from being able to move forward, so that makes good sense. So, what do you consider to be an important aspect of your ransomware contingency plan? Should payments be considered, and also, how has the recent success of the FBI in recouping the Colonial Pipeline ransom payment affected future attacks?
Dan: Well so, from a preparedness perspective, I think it's some of the items we've already talked about. Educate those users, focus a lot of effort on education and awareness. Have the recoverability plan, have those discussions with your vendors on recoverability. Practice the disaster recovery plan and the recoverability of those backups that you have. Those are the key components, from my perspective.
Now when you get into the plan and that type of thing, all the other things you talked about, I think are aspects that need to go into that plan and should be decided upfront. Are you going to pay? Well, if you haven't gone through your plan, first of all, figure out who's going to make that decision for you. I said earlier that we're not the ultimate decision-makers, and we're not, even in this case. We're educating the executive team, that committee, if you will, that says, here are the pros and cons, but it's ultimately their decision if they're going to pay or not. And whether you pay or not has some impact, a lot of impact, on just normal return on investment. If you have to pay $5 million, but if you're down for five days you lose $25 million, it seems like the $5 million might be a good investment to get it back up and going. Now there's risk associated with that because, you know, there are not a lot of guarantees in the ransomware world that it's actually going to unencrypt, and the decryption can take a while to do, so then you have to calculate the ROI. And then another impact that you have to consider is, who are you paying? Because, you know, there are governmental laws now that make it illegal to pay cryptocurrency to certain countries, right? So, you have to take into account who exactly are you paying, and by paying are you breaking the law, which is where Colonial Pipeline kind of got into that a little bit. They went ahead and paid. But by that federal law, they were actually breaking the law. And as far as the recoverability, no, I don't think that had any impact on future ransomware at all. If anything, I'd say the threat actors learned a valuable lesson from that: "We've got a little bit more track covering to do, and we've learned valuable lessons about how they track us down. And now we will put in measures to make sure that they can't do that anymore."
Priya: So, what are some of the biggest challenges you faced as a CISO?
Dan: Ah, wow. So, you have to keep in mind that I've been a CISO since the late 90s, so when we talk about the biggest challenges, we're talking about a large time frame. But I would say by far one of the challenges that every CISO is asked to deal with is from board-level kind of conversations, now that the conversation is in the boardroom. You know, how do we compare to others? What are the metrics? How do we rate, all of that type of thing? And when we're compliant, why do we have to do all this other stuff with security? My opinion on all those questions is that's just kind of a smokescreen. How do we compare to others? What's the difference? It doesn't matter. Their risk postures are different from our risk postures; it shouldn't matter from an arbitrary score. I don't think, and I've had many conversations and many people will disagree with this, but I don't think cyber security can be quantified, right, and I think all the efforts to try to quantify it are just kind of a waste of time, done to satisfy requests that come from the board, who like numbers, right? I don't think we should even try to quantify it. I think those scores are extremely subjective and don't mean anything. I talked about CISO roles being highly transient. Well, the subjectivity of that quantified score that CISO-A puts in front of the board is going to be completely different than what CISO-B, who replaces CISO-A in 18 months, puts in front of them, right? So, how does that help the board decide, you know, how they're doing, that type of thing? So I think getting the right mindset and getting that explanation understood is a huge challenge that all CISOs have.
I also think, I mentioned compliance, I think compliance is also a huge challenge for CISOs because compliance has this aura about it that if you do this then everything is all good, right? And there are a lot of compliance aspects that really have nothing to do with security, and it's just the checkbox: I have to do this to get the checkbox on this compliance certification that I want, that everybody has this false sense of happiness about, right? So, I've always had this approach to focus on the security program first, and then the compliance becomes really easy. But let's not chase a compliance certification and hope that security comes along with it. They're meant to be a guidepost, but they are not the "be-all and end-all," right?
Priya: So, you can say, for example, let's take backup and recovery. I could easily check a box saying I'm backing up my data, but how good my backup and recovery processes are depends on a lot of other factors, like: have I considered all critical data, and recoverability in case of a ransomware attack? You know, how fast can I recover and how long is the business downtime? Is that acceptable from a loss and lack of user perspective? So, there's a lot of thought behind it that compliance doesn't track.
Dan: Yeah, and that's exactly right, Priya. None of that comes out in any compliance framework, right, or questionnaire. And again, I think one of the reasons that compliance sometimes leads the discussion is because it's something tangible for board members and executives alike, right? They get uncomfortable when they're spending a lot of money, and they are spending a lot of money, on something that is intangible, and when they ask the question, OK, we spent all this money, are we secure? The answer is always no, and that's uncomfortable, right? It's uncomfortable to answer it, and it's uncomfortable to hear the answer. Well, how much do I have to spend to be secure? You don't have enough money to do that, right? And with compliance, it's like, okay, well, if I do these then I get this magical certification, right?
And it's something tangible that I can hang onto as a management executive, and it makes me feel good, right? And I think that's one of the reasons that compliance consistently leads security rather than security leading compliance.
Priya: What are some of your challenges around system patching and vulnerability tracking?
Dan: So, system patching is one, and not only from a CISO perspective. I've been doing this for a long time; I've got, you know, probably 10 or 12 years of also running IT operations as well, and so I know what it means to be on the operations side of things, and patching has always been one of those mysteries to me as to why it's so hard, because it's really not. I guess I would go back to that challenge as well, because it's like, it's not fun and it's a burden, you generally have to do it after hours and nobody wants to do it. So, I get some of the rationale for why it's not getting done, or this challenge or whatever, but to me, the challenge is the rationale that is thrown out of why we can't patch this or that. And there are so many of them that don't hold water, in my opinion, so I think it's just a matter of really putting some enforcement behind the patch management program. The tools are there to make it easy, and it's inconsistent. For instance, this particular environment can't be patched because of this application, or that, whatever it is, right? OK, well, you should really only have to decipher that one time, and then you build the rule around that, and it shouldn't be a rationale every month for why you can't patch, that type of thing.
Now, one of the other challenges of that is we don't have people dedicated to patch management; we're throwing it on top of system administrators or database administrators or network administrators as another task on their job. Why not have somebody that's dedicated? All I'm doing is managing and deploying patches. That's my job, because I know exactly what that environment is, I know what the equipment is. I know it and I understand what this patch is going to do. I understand why I can or cannot roll it out, and I'm not distracted by day-to-day IT operations, that this is down or that's down, or I've got this project to do. We don't dedicate people to it, and I think that's a giant problem in doing the patching. And as far as the vulnerabilities, I think liability gets in the way of vulnerability scanning and management, to be honest with you. So, I think when you get a vulnerability report, it is daunting and overwhelming. It's like, how do I do 15,000 patches? I've got $15,000 bills, what do I do with that? Well, there are not a lot of tools, I think some do, but a lot of them don't kind of summarize that up and say, you know what? These 6,000 vulnerabilities that we identified, if you deploy this one patch, you address those.
Well, that's a much more manageable thing, so I think the vulnerability management companies can help us manage that a little bit better by giving us summarized reports and not so much granularity, and just giving us what's actionable, because 15,000 vulnerabilities, that's not actionable at all.
Priya: So, for all the CISOs listening to this podcast, if there's one piece of advice that you can provide or would like to provide, what would that be?
Dan: The one thing that I would ask all CISOs to do is simplify. I think there is so much unnecessary complexity in the environments, and some of it is designed by CISOs, quite honestly. The old school of thought that I've never bought into is: well, if I make it more complex, it's harder to break into. I think it's just the opposite. The more complex your environment is, and your protection mechanisms and everything like that, the more holes you've created that you don't know that you've created. So, I would beg CISOs to simplify your environment as much as possible.
Priya: Any other closing thoughts you wanted to give?
Dan: The only other piece of advice that I would give to all the CISOs is don't be afraid to be true to yourself. And this is not just for CISOs, this is for all security practitioners. We all have specialties, right? And I make this correlation to the medical field. They're all doctors, but a neurosurgeon, an orthopedic surgeon and a cardiologist aren't the same, and they're not interchangeable. In cyber security, we like to make ourselves interchangeable. Can I do a pen test? Yeah, I can do a pen test. Can I do vulnerabilities? Yeah, I can do that. And can I write a policy? Oh yeah, I can write a policy. It's not true, right?
So, I would ask all security practitioners to be true to themselves, stay focused on what they do really well, and don't force somebody to do something that they don't do well, because it's not going to end well. It's going to end up with this gap or this hole that we talked about from a simplicity perspective. Leverage the specialists that you need for the particular engagement that you're doing.
Priya: Thank you so much for taking the time to talk to us. Appreciate your words of wisdom. And it's been very, very nice talking to you.
Dan: Well, likewise, Priya. I appreciate the opportunity and it's been great talking to you as well.
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*