As a virtual CISO and cybersecurity consultant, Gideon Rasmussen helps new CISOs and organizations that are bringing on a CISO for the first time build a program architecture, conduct budgetary assessments, and translate cybersecurity into business impact the board understands. Gideon and Joe discuss the importance of consistent process execution, QA, and automation to help teams avoid things slipping through the cracks and experiencing “compliance jitter.” They dig into the latest update for the NIST Cybersecurity Framework, and share ways to use risk assessments and incident response exercises to improve cyber resilience. If you’ve got an upcoming board presentation and need to communicate risk to guide decisions, this episode has advice to help.
Connect with Gideon:
Website: https://www.gideonrasmussen.com/
LinkedIn: https://www.linkedin.com/in/gideonrasmussen/
Twitter: https://twitter.com/gideonras
Connect with Delinea:
Delinea Website: https://delinea.com/
Delinea LinkedIn: https://www.linkedin.com/company/delinea/
Delinea Twitter: https://twitter.com/delineainc
Delinea Facebook: https://www.facebook.com/delineainc
Delinea YouTube: https://www.youtube.com/c/delinea
Joseph Carson:
Hello everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host of the show, Joe Carson, Chief Security Scientist and Advisory CISO Delinea. And I'm really excited about today's episode. We've basically been really kind of looking at all different areas of the industry for thought leadership, for expertise, and I think this is a really important topic. And I'm really joined with a very special guest, someone who I met quite a number of years ago, just by chance at a conference. It was RSAI believe. So I'm joined by the awesome Gideon. Gideon, do you want to give the audience a bit of a background about who you are or what you do and some things about how you're getting into the industry?
Gideon Rasmussen:
Sure, Joe. First, thanks so much for having me. My background is starting off in the US Air Force and then a variety of corporations, but across industries, insurance, pharmaceuticals, banking, state government, so startups, so a great exposure to different types of businesses, which has been fun. And I started out as a full-time employee and went up through the leadership chain to being an executive, a CISO. And then over time I transitioned into consulting and supporting people.
Joseph Carson:
Fantastic. And I mean, your background gives you a really good set up for a lot of regulation and the governance side of things because a lot of those industries you mentioned do have a lot of policies and regulations and standards that has to be adhered to. One of the things that I was interested in as well, one of the roles that you're doing today as a virtual CISO, you want to give me a bit of background. What does a virtual CISO? We've heard a lot about CISOs and what the CISO role is. What does a virtual CISO do and what's the types of things that you provide organizations from a consultancy perspective?
Gideon Rasmussen:
Sure. So my focus moreover, is on the client and their needs. So that will vary. It ends up being in two different types of spaces, one I would refer to as program architecture. So if you think of a CISO, he or she is one person and everyone looks to them, and it's not just a cybersecurity program, but it's all the sub-programs beneath that. So oftentimes they'll either want to build out a new program or there's a program that needs attention and they'll bring me in for help with that. I will also help them prepare for board presentations and strategy. I have one client that three times a year I face off in a tri-annual committee meeting, and then for three days we just do brainstorming and working sessions. It's exciting actually.
And then really the second type of service I get pulled into is assessments, and again, needs of the client. So I won't do a straight NIST Cybersecurity Framework or ISO framework assessment. It's typically much deeper than that and it may cover heavily, like I've got someone right now asking me to focus on insider threat. I've done assessments that dealt with 911 operations deeply in an investment department. So I get involved in business processes quite frequently. So there's oftentimes there's opportunity there because people in our career field, a lot of times we focus on what I call enterprise security and kind of tech, and it's hard to have the capacity and the funding to get past that. And oftentimes the lines of business, the business units, they're kind of out on their own. And I dig in and try to understand what the processes are that are critical to their services and then what controls are in place to protect them and make them successful.
Joseph Carson:
Absolutely. I think that's really important role. One of the things we've found is a lot of organizations who have brought in a lot of new CISOs, because CISO has been something, an area of growth for many organizations. And many organizations, it might be the first time they're having a CISO or the CISO that they bring on, it might be one of their first major roles as a CISO. And I do find that a lot of organizations in that position, they might be coming from a very technical background and they don't have that business acronym. And it's really important to have those seasoned experts who can spread their experience across multiple organizations to really give them the ability to, well, here's what you're used to be doing, but in order for you to be successful with the board, this is how you need to transition into that.
These are the skills that you need to be able to go and do budgetary assessments or these are the things that you need to be able to translate into what the board understands. And I think that's a very important role to make sure that we're able to provide that expertise to CISOs who might be coming from different backgrounds. And to your point, I think it's really important as well as organizations who might have been doing the CISO in a certain methodology for a number of years and they now need to change that methodology where it's very much enterprise focused or technology focused to being much more into business resiliency or into heart and applies to the business functions. So I think that's a really important role and it's great that you're doing that and seeing that many organizations are getting the value. And hopefully, I mean there's a lot of CISOs who that experience and that knowledge will make them very successful going forward because it is a very important function.
One of the things you mentioned around is those assessment side of things, and this is what I want to dive into for today's episode is we hear a lot about governance, risk and compliance, and there's a lot of different theories out there, a lot of different approaches and a lot of different methodologies. Give us a bit of a summary into what GRC or governance, risk and compliance is. What does it mean from your side and what it comes into to doing security for organization?
Gideon Rasmussen:
Great. So I think I would start with that cybersecurity has a lot of complexity to it and it's easy for people to get lost in that complexity or not have consistent process execution. So that sounds kind of high level and wonky, but really what it comes down to is there are many times I think many of us watch and watch podcasts like yours and read articles and blog entries, and a lot of times it's not. I remember back in the day, they used to say Chuck Norris in a gang of ninjas, it's not, or it was an advanced persistent threat and it was a hostile nation state. And when you find out what was missing, oftentimes it's very foundational things like missing MFA or things we shouldn't...
Joseph Carson:
Reuse passwords and people clicking on something or accidental not having security even configured correctly. It's a lot of times it's the basics which we get wrong.
Gideon Rasmussen:
Right. So I'll give you an example. I spent about four years in PCI payment card compliance for a large financial institution, and I'm now supporting a startup doing that from scratch. And PCI is a good example, whether it's PCI or NIST CSF or whatever it is you're doing, there's a term I use compliance jitter. So something may be in place at one point and then it comes out of place. So there's two things that I look to have is one I call activity task scheduling. So if you look down through whether it's PCI or NIST CSF or ISO, there's things that you have to do throughout the year, weekly, monthly, quarterly. And what I try to do is put that in a scheduling tool and have very specific instructions on what needs to be done, assign it to somebody perhaps as a procedures manual. Obviously we try to automate everything that we can, but the idea behind that, and I think this is core GRC, is I want to put those kind of pedestrian routine tasks that are very important behind us a little bit.
So we're focused forward on things like cyber threat intelligence, threat hunting, all of the things that really bring us to work. And also I like to build into whatever sub program I'm dealing with, like third party risk management. I like to build QA into that process. So there's mission, vision, process, procedure, system of record, reporting, metrics, and then at the very end, your highest level of maturity as you build in light lean, quality assurance. So there's areas where you think left alone with everything else that's going on, maybe some of these things won't happen. And to have the team check itself, not learn from an incident or a compromise or an auditor.
Joseph Carson:
Learn from actually practicing the control and making sure you've actually put it in place correctly, which is a lot of where the mistakes come from. And a lot of where the attackers take advantage of that is when we try to do things quickly and we're not having somebody follow-uping and checking on those types of controls and waiting. It also means that when you get the auditor coming in, it means you've also done your due diligence as well and it makes you more likely that you're going to be successful and pass the audit than the first time and not have to go back and correct a lot of things. So when you put that quality assurance in, it does really mean that you're getting the quality first time and you're also making sure you're learning from that process as well so you can actually make sure in the future, because it is a lot of repeat.
As you mentioned, you have those repeatable actions and tasks that need to go continuously. You might do it multiple times a year, you might do it once a year, but it also means that when you can back to doing that, you can sometimes even get to the point where it becomes much more automated to your point where it allows you to then start focusing on the more proactive types of controls, the more things around checking to make sure that no one malicious in your network, no one's abusing the access. And also in the supply chain as well, it means that when you go into multiple suppliers, you have a repeatable process that you can apply to each of those rather than having to do net new every single time you onboard a new supplier that might touch those controls. What's some of the methodologies? You mentioned about PCI and the NIST Cybersecurity Framework? What's some of the methodologies that you put in place when you're looking at an organization who's looking to assess their compliance or regulatory ability?
Gideon Rasmussen:
Got you. So I like the NIST Cybersecurity Framework and I understand we have an international audience here so that that's distinctly American. I think whether it's NIST CSF or ISO, I think that's fine. I'm kind of excited because the second version of the NIST Cybersecurity Framework is coming out, it'll be published in February. And I'm a controls wonk, so I really went through, I provided a lot of feedback in the feedback period and then I've looked at the draft and they've said not much will change. So the framework itself is pretty stable, but they've released implementation control examples and there are 357 of them. So I don't think, I'm not compliance driven. So to me it's not, "Oh, they've come out with 357 implementation examples, let's go do that." It's more, I like risk lenses, so I like to look at different control frameworks. There's the Center for Internet Security, they have their critical security controls.
So I think it's great to look at many different control frameworks and kind of pull pieces out. But again, I like to kind of get that in a way behind me a little bit so we can focus. If you think about the way that a security team works, there's day-to-day operations, there's the annual program goals. The employees themselves have performance and development plans that they have to execute to. So I think one of the things that GRC and these control frameworks do for us is they make sure we're doing the basics. And if we have a good GRC program with a system of record and ways to influence remediation a seat at the table at the board, maybe a cybersecurity committee, risk register entries, wow, that's a terrific way to influence change. But to me it's much of the focus in all of the frameworks mentioned risk analysis, risk assessment, and that just gets skipped over.
So to me, it's having your cyber threat intel program, but not just having it be a coffee break where we all get together and kind of share interesting things. It's having an intake process and saying, look, we're as these things come out, someone's going to analyze them and we're going to choose specifically as their recommendations. I think CISO is doing a great job recently of saying, these are the commercial tools adversaries are using, these are things that you should be doing to detect an adversary. And I'm much more into the TTPs, the techniques, tactics and procedures versus IOCs indicators of compromise. And then going off and actually here's a concept, not just passively letting the SIM run and passively waiting on the sock, but doing threat hunting. I think GRC gives us capacity. I mentioned four times a year, I do three days of just insane working sessions, strategy meetings with a phenomenal team and there's a lot that comes out of that. So you need the capacity to actually go off and do those things.
Joseph Carson:
Absolutely. I think it's really important. It also means that organizations can better scale and also spend more time making, also doing the simulations as well and being ready. Because I'll say that if you just spend time focusing on basically doing the controls and doing the controls, what you end up doing is you get in this rut of not being able to meet the business needs and be prepared for when bad things happen. It all just becomes a fire drill. And I think that's the worst thing for a security team in an organization is when you're a fire drill and you haven't caught the incidents early enough to minimize the impact where possible.
So I think that's really important to make sure, as you mentioned, it's really getting ahead of off the controls and getting to the point where it also laws. That means that you're also able to spend some time on newer technologies and newer methodologies as well in order to seeing how that might be able to adopt into your organization, whether it be looking at pass keys to go down the path of passwordless experience or whether it being look at purple teaming in regards to understanding how you're both offensive and defensive teams can work together, whether it being mapping out to new business areas where you can make sure that understanding it from a business risk perspective.
I think that's great initiatives and the more time organizations spend on that, the more they become dynamic and adaptive to the threats rather than basically being this point in time thermometer, temperature check. You start actually saying, let's not every day just dress for the weather that's outside. Let's make sure we have the right readiness for the climate and for the season that we're about to approach. And it's a very different way of approaching from a security perspective.
Gideon Rasmussen:
So I love that you brought up incident response and exercises. So, so huge. I had an exec that once said, if you don't do exercises, it's like going to play football, and that first game you just kind of walk out there and you wing it and the other teams really, they're going to own you. So there's a couple of things that I do with exercises and anyone can adopt, is it depends on the organization you're with. You don't want to go off and do a proper exercise to begin with with injecs and all of the sophisticated things, and really kind of break down and have the cyber and IT team fail. You want to start, in my opinion, with an exercise where say you've got nine different scenarios that you're going through, kind of common scenarios like we lost a laptop out of somebody's car and you give them A, B, C, D and what's the best answer?
And we kind of talk about that and that first time they get used to, oh, okay, we're going to be in the hot seat a little bit here, and maybe you do that the first time, you leave senior leadership out of that one and you see how that goes. You might do a second one of those, but then you start to get into proper injecs and maybe you do one of those, see how that goes. And then eventually over time you start to bring in senior leadership and you also exercise crisis communications. So a lot of places that I go to, they have an incident response plan. And I think in the back of senior leadership's minds, somehow the CISO and the security team are going to be responding to this incident trying to determine what accesses the adversary has, eradicate them from the IT environment.
And at the same time, we're going to clone ourselves and we're going to go write press releases and speak to the media. So obviously we can't do that. And I would say I'm not well suited. Don't have me go off and speak to the media, I'm just not trained for that. You need training. So I spent a fair amount of time helping people create a crisis communication plan with holding template statements for common scenarios and then including that whole process. So we're not just going to say, "All right, we're going to do the tabletop exercise and we're going to exercise IT and the security staff," but also we're going to say, "Okay, while we're doing this, here's a little information. What would you do, crisis management team? What holding statement template would you pull down?" There's the potential for eight different entities that may be depending on their criteria and their laws or regulations, we're going to have to notify. So to make it real for them too.
Joseph Carson:
No, absolutely. I think you really, for me, you brought up such an important point is about we can't treat incident response plans and strategies like we did in the past. And organizations, they had an IT support and that evolved into this incident response, but we have to remember today is incident response is no longer just an IT response or technical response. It's actually a business response. And that means that when you look at your incident response plan, you think is do you have the business functions included in that plan and strategy? Do you have the people as you mentioned, do you have the right people who's going to be communicating from a press perspective and do you have all those scenarios played out and ready?
The last thing we'll be doing is doing your sophisticated cyber tech press statement in the middle of an incident. That's the last scenario I'll be doing. Having your legal team understanding about why is your accountability and responsibility when it comes to regulations, compliance frameworks, having your finance team understanding about do you have the ability to pay the ransom and cryptocurrency? I see a lot of times in instance, I see that's where organizations waste a lot of time because they haven't prepared that scenario is about what do we do have to pay, what do we do have to consider? Do we have the ability to get those funds? So it gets into where I always say that incident response today we have to change it from being a technical incident response, which is that traditional method, it's the IT team or security team's need, it's their responsibility, they will sort it out, but now we need to involve the entire business. It's a business response to security incidents because it impacts the business itself.
And this gets into me as well. One of the things the SEC bought out the new disclosure rule recently, and that has a big massive change in its response even today were during incident response, it was all about getting the business back to operations. Now with those, for example, that SEC ruling means that you have denied as part of your incident response team determine material impact to your business, which means that you're going to have to have somebody within that incident response team who is financially acronym about, well, does this incident have a material impact to if we go to do our financial results at the end of the quarter or end of the year, whatever it might be, does this incident have a material impact to those filings? And that's where you need to start thinking about, well, now we need to think about reporting that to the SEC.
So this is really where I think we have to start building those bridges with a business and making sure that we're able to bring a lot of those traditional components into where there's some type of, and we've seen BISOs playing that role where they're embed it within the business to create those bridges. But I think it's really important to become much more established going forward and that the CISO does have somebody who's probably either on their team or sitting on another team that allows that translation going forward. Do you see this as an area that you've been involved in more or you're seeing organizations realizing the importance of this when it comes to the dependency of technology in the business today?
Gideon Rasmussen:
It depends on the size and complexity of the organization. So I've been, without naming names, I've been at some very large corporations, and you're right, they have BISOs and the reason being is some of those lines of business in a large company are medium-sized organizations if you were to separate them. So there's that complexity. And also I think it's important always for security to be embedded at the right level because to me, you want to enable the business to do whatever it is they need to do and kind of have it be frictionless and you need to be involved to be relevant to them. Also, I think earlier I mentioned being involved with the board and having a cybersecurity steering committee. I think it's important when you get involved in the board to realize that the committee meeting that you're in, there's probably four or six others of those that also meet three times a year.
So about once a month, the CEO, the COO, they sit and somebody like us comes and says, "This is the most important thing. We need your support, we need your undivided attention." So I've had enough exposure to that that I realize it's important for me to bring risk transparency and recommendations and give them the information they need to make informed decisions. I mean, businesses are in the business of making money, so they need to make decisions on what amount of risk they're willing to take. And there are times where the combination of people, process and technology and cyber is very expensive. So they may decide to defer for a year or so and take that risk. And I think as long as we're communicating that effectively, that's fine.
Joseph Carson:
Absolutely. And that brings an important point is that especially, and this is why governance, risk and compliance is really important for CISOs, is that it's their ability to translate that into when they actually meet with the board. Because it's not technology and security that gives you the weapon to go to the board and give budgetary decisions and get acceptance and gets the ability to develop your program. It's the risk and compliance because that's what the language the board speaks, that's what they understand. That's where they actually make a lot of decisions is based on the financial risk. What's our exposure here? Do we have coverage? Do we have insurance? Do we have cash in the bank that when a rainy day happens, we can pull out and actually apply here? What's our capability of mitigating it and minimizing this risk? Are we heavily exposed and we have to find other ways to mitigate it?
And that's where they get into is that if you're just coming up with a technology proposal without actually having the GRC support in the background to help you bring that decision to the board, you're going to get a lot of denied. You're going to be sitting on a shoestring budget trying to achieve those, and unless you can actually have that GRC component to support your communication. And this was something that I learned, it was an interesting, I've done lots of conversations on board meetings and looking at from a security perspective, and I was mentioned, I did a workshop last year and one of the things, the value they mentioned to me was what they do is when they have their presentations ready to go to the board meetings and what they do is they start with a final conclusion. They start with the last slide because that's what the board wants to understand is where do you want to be and then what's your basically, and then they'll start asking you questions.
They'll ask you questions based on where your goals and where your vision is. And then that's where you look at basically a more interaction conversation. Forget the fluff, forget the journey to that final slide, put that at the front and start there. And the rest of the actually presentation becomes an appendix. It becomes a supporting argument for what your requests are. And I always thought that was very interesting is get straight to the point, get straight to what you want to achieve because ultimately you have very little time in those areas. And if you've done that risk side of things very effectively, that will make sure that you're able to support and have that appendix is going to support your goals.
Gideon Rasmussen:
That's great. Yeah, go ahead.
Joseph Carson:
You mentioned a couple of the frameworks, you mentioned PCI for me, and looking at them holistically, I think it's very important as well is because they do have a lot of overlaps. A lot of them have overlaps. And you'll find that when you look at one control of one, whether it be PCI or the basically top critical security controls, or you look at the NIST, you'll find these overlaps everywhere. And some of those controls take a long time to be updated as well. Some of them are on old revisions. And what gets me is that a lot of these are even predating artificial intelligence, the acceleration that we've seen in the past year.
And I do like for me, the NIST Cybersecurity Framework is definitely a very solid one and it provides a lot of those practical examples. As you mentioned, those scenarios and deployment examples. I think those are fantastic because that's what the industry needs is that don't just tell me a legal control proposal, tell me how it can apply to me and how I can make the most best value out of it for the organization. And that's where I've seen that maturity. In recent years, they had the risk model, which was fantastic. They brought that into it, they brought the phased approach, and now they actually working examples. What other types of frameworks do you see is where's the resources that you also use? What resources do you use to support your assessments and work?
Gideon Rasmussen:
Well, one, I now have a massive set of work papers from doing all of these different types of assessments. So I still am very focused if I engage with a client to understand what type of business are they in, logically what type of threat actors might that bring, what types of sensitive data, and kind of coach them through maybe we should follow that and be focused on that. Another thing that comes to mind based on what you've said too is we talk a lot about cyber, but what I found in my career and as a vCISO is we as CISOs as security executives get pulled into what I'd say is the chief risk officer role.
So there are times where I'll say to people, for example, I'll be in a program for a couple of years running it and I'll say, "Look, privacy is very important as well. And NIST has, I think a good started a framework, the NIST Privacy Framework Version 1." And I'll say, "These 29 controls are cyber and they're almost literally copied from NIST CSF, and then there's 71 other controls and there's some overlap like having an inventory." But I'll say, "These 71 controls, who do we have doing this?" And oftentimes if you ask that question, I'll warn you, you end up doing those 71 controls. But also, and I do a deck on this, there's an intersection of fraud in cybersecurity. So you have to be very careful in your organization because typically if you go to a CISO and you go, "Are you responsible for fraud or have you've taken a look at that?" They'll say, "Absolutely not. That's the CFO."
And if you go over the CFO, these are some of the things I do in assessments, I'll say, "To what extent are you all looking to identify and mitigate risk, fraud, et cetera." And they'll say, "Oh, well, we have an annual assessment done on that. Don't take that at face value." And then you ask and you say, "Well, great. That's terrific. Is that an annual fraud assessment by one of the big four or something like that?" And if you dig a little further, you'll find out they have their standard annual assessment. And as an upsell opportunity, all of the consulting firms will do like a half hour on fraud prevention and they'll say, "You don't have a fraud response plan, you don't have a litany of things. And we really would recommend every time if you can get some of those reports," they all say, "Someone really should do fraud examination and dig in here." So that's something I do focus on because really you've got the CFO saying, it's really not me, and security saying it's really not us. So I do like to do a little oversight in that space.
Joseph Carson:
Absolutely. You bring up a really important topic because we've seen a lot of increase. I mean there's lots of different risks that we've seen in the past year increase. And definitely one of those main areas has been business email compromise, which is very much sitting right in the middle of that financial fraud scenario because it's all about modifying the path where the payments are going, or changing invoices or sending a fake invoice the day before the real one comes in, or just getting the accountant to send money based on some type of acquisition or type of purchase or so forth. And when you get into it, was that a cyber scenario control that the CISO should have been covering or is that a scenario where the CFO should have the right controls in place? But you're absolutely right, it's both. It's that both of them need to make sure that they're collaborating and making sure that, one, is the security controls are identifying the possible areas and that the actually financial controls are making sure that certain checks are done before the payments are made, validations and so forth.
You're not taking it at face value or you're getting an email coming in and you're only trusting the email as the single source of authorization or a phone call comes in because we've had a lot of deep fakes being on the rise as well. We're basically modifying the voices and videos. And you might be seeing someone that you're familiar with or their voice might sound exactly like they are and demand that you need to transfer funds because there's this deadline. If you don't do it immediately, it's not going to happen. It's going to be your fault. And people will do that. They'll make the exceptions. And ultimately then when they find out it was malicious, it was an attacker who had used technology in order to, let's say try to find ways around the controls. But you're absolutely right, it can't be a finger pointing. And this is why it's really important that there's a collaboration between different parts of the business today.
Gideon Rasmussen:
I have about, I think it's 15 different fraud scenarios, and they're kind of like finances version of the OWASP Top 10, it's nothing to be proud of. But there's one that I always find interesting where it's called the largest subsets growth scenario, very financially wonky. But the idea behind it is if you visualize financial transactions, there's kind of a pattern to them. You might have quarterly payments that kind of go like this. Maybe over time they might go up a little bit and then you see one that just goes, woo. So the question is that doesn't happen in business that much if you think about it.
So if you're monitoring for that, oftentimes that type of pattern is fraud. And the reason behind it, and if you've watched, and I'm sure you have, a lot of the fraud documentaries, somebody starts and in the beginning they're very tepid and nervous and there are things that happen in their lives. They'll go like, "Well, maybe I'll go on a vacation. Oh, I need a new car. Oh, my kid needs a down payment on a house." And that's what starts to bring it up. So somebody needs to look, there's specialized software for that and their certified fraud examiners. So just a fascinating space to get involved in.
Joseph Carson:
Yeah, I looked at, I think I saw, it was last year I went to a event where the CISO was actually showing their annual budgetary spend. It was quite interesting where for every year during the month of August, the spend went to zero. And then so every year you had that because the CISO went on vacation. And then anytime you saw a spend, it was anomaly was a suspicious spend because the CISO was on vacation and it should not have occurred.
And it was interesting watching. He was showing this is how he does his plans throughout the year and how he does budget approach and where he does his spend. And everyone was also seeing this one month August vacation, and he said, anytime, they've got the controls put in place, he said anytime there's a spend, that triggers automatic suspicion because he has to sign off on this. So it was an interesting scenario is that we use that historical trends and historical data in order to find those outliers, because absolutely you're right, is that the ones that tend to be ad hoc or on the cuff or they're just not following the previous norms, they should be flagged immediately and not just done as that's the urgency sometimes that they come under.
Gideon Rasmussen:
Or the transactions that float right beneath the threshold for further evaluation like that sign off. So yeah, it's a fascinating space to be involved in and as a cyber professional to dip into and help make sure that we're doing the right thing in finance. And sometimes you want to have that conversation one-on-one in the beginning, but maybe it's something you whisper, the conversation doesn't go well. You might whisper in the COOs ear, "Hey, there's a gap here."
Joseph Carson:
Absolutely. So for the audience that's looking to get started in this area, there might be, you might have an organization who, they might've been doing this for a while, but they're looking to, let's say modernize their program. Or you might have a new CISO that's just starting off and they're getting into GRC and they're getting advice. What's a good place for them to get started? Where would you point them to in order to where would help them? Whether it being a good training course or is there good books out there that might help them prepare and get ready for this path and journey they might go on?
Gideon Rasmussen:
Great. So to me, if someone understands IT, so obviously you can't just leap into the cyber domain. So if you have a basic understanding of IT, and it can come from an infrastructure space or development space, once you have that, when I have people and I spend a lot of Fridays for a half hour with these calls, they say, "How do I get into cyber?" I always say start with the NIST Cybersecurity Framework. Today it's 106 controls, down the road it's going to be 108. So it's kind of a nice way if someone's thinking about getting into cyber to get a flavor or a feel for what it is.
And then also I just think going to security conferences and where we cross all the time, Joe, everywhere I go, there you are. And then your local security chapters I think are great, ISACA, ISC2, in the US Infoguard. And I always say have friends with dark circles, so it's great. There are times where I get myself into trouble where I'm on the edge. There's no such thing as a cyber expert. We all have areas where we just haven't had time. We're human beings. We're only here so long. So you don't have a lot of experience in X area or domain. It's great to be able to put out a call to a buddy and get that help.
Joseph Carson:
Absolutely. And I use that quite often as well because there's only so much I can absorb and become knowledgeable in. So what I've done is I've built up my community of experts is those are the people that when I know I need their advice, I go to them because that's what they do all day long. That's the specific area that they're excited in and that they're developing their skills in and vice versa. They've come to me when it's areas of privilege escalation or password hygiene and so forth and access controls. So absolutely your spot on is that make sure to be aware of the community around you, get involved in and start going and listening to talks and sessions and finding out what's out there and then building up your network of that knowledge as well. Because it's two ways as well. I've reached out to a lot of mentors and the network around me to help me out of areas or to help provide me direction, but also vice versa. I've had people come out and ask for my advice as well.
So you've absolutely spot on. I think that's a great way in order to really also, it allows you to find out what you are interested in specifically because as well, it will help you develop your skills and also the path that you might go on because cybersecurity, it's a massive industry. There are so many areas that are even being introduced, quite frankly. We talked a little bit about generative AI and AI as well, which is going to have a massive impact on governance compliance going forward, where it becomes even to the point where it'll be real time. You'll be not just doing that one assessment per year. It'll be basically assessment in real time all the time and allow you to modify, configure, and change the controls as you need to. So was spot on. What areas, one part of advice would you leave the audience? What would you say is some things to be prepared for for the year ahead?
Gideon Rasmussen:
So one, I always like to have a plan. And I think that plan evolves. And I think if I were to say one thing, start your year and say we're going to have three days of just strategy and brainstorming sessions and don't make it so that that schedule and those topics are all written by the leader. And it doesn't matter who the leader is, it's just that's one person. I always say to whatever team I'm working with, we own the program. I always get very uncomfortable if someone says it's Gideon's program or it's Joe's program. So I think if you set aside three days, even if you do it just once in the summer, it helps you kind of level set where the program is today and where we need to do work moving forward. And again, I do that with one organization, tri-anually, which is intense, but the program, the maturity of the program is just growing exponentially and we're also really very much in tune with the threat landscape.
Joseph Carson:
Absolutely. I think that's a very important part is that it's the team ownership is that if you have it as a person, that person owns it. But if you have it as we, we all are participating and we all have value for it to be successful together. And absolutely, you mentioned reminds me of I participate in a number of hackathons throughout the year, and those hackathons are a great way to take those problems and to really come out at the end of the few days with solutions that everyone's involved. So a great way to bring people together and at the same time have fun because at the end we want to have fun in this industry as well. Gideon, it's been amazing having on the show. We'll make sure that the audience, what ways can the audience get in contact with you if they're looking to reach out, ask some additional questions or get advice from you? What's the best way?
Gideon Rasmussen:
So probably just reach out via LinkedIn. My profile's open, so if someone wants to send a message or connect. I'm very social. I spend, I probably have four half hour sessions with college students, individual contributors, managers, separating veterans. So I welcome, obviously I only have so much time on Fridays, but usually three or four sessions. So I welcome the conversations and we always learn from each other whether I'm speaking to a luminary CISO or an individual contributor. I love that exchange. So it's great.
Joseph Carson:
Fantastic. Thank you. So Gideon, it's been amazing having you on the show and the episode and your insights and knowledge is so valuable for the audience and including me. I've learned a lot today from today's session. So for the audience, tune in every two weeks we have the 401 Access Denied podcast. Again, bringing you amazing content and thought leadership and really ways in order to help provide you more value, experience, and help you shape your career to being one that's very successful. So again, thank you. Take care and stay safe.
Gideon Rasmussen:
Thanks so much, Joe.