Artwork for podcast Privacy Pros Podcast
How to Be Influential And Secure Buy-In for Your Security Programs
Episode 9528th November 2023 • Privacy Pros Podcast • The King of Data Protection - Jamal Ahmed
00:00:00 00:27:07

Share Episode

Shownotes

Feeling frustrated by the lack of buy-in for your Privacy and Security programs? Discover how to become an influential security champion in this insightful episode!

In today's ever-evolving landscape, security is no longer an afterthought, it's a business imperative. But securing buy-in for security programs can be a challenge, especially when stakeholders are focused on other priorities.

In this episode, you'll uncover the secrets to becoming an influential privacy champion, effectively communicating with stakeholders, and leveraging the right tools to streamline security processes and achieve organisational buy-in.

By the end of this episode, you'll have the clarity and confidence to:

  • Assess and improve your organisation's security posture
  • Communicate security risks and requirements in a way that resonates with stakeholders
  • Simplify security management and drive buy-in across the organizatio

So if you're ready to take your organisation's security to the next level, tune in now.

With 25 years of experience working in the networking, telecommunications, and information security space, Scott is currently serving as the CEO of SolCyber Managed Security Services.

Scott has worked with large companies and start-ups, among them IBM and EDS, where he held Security Engineer and Team Leader positions (US and London). Previous to SolCyber, McCrady built the Asia-Pacific-Japan business at Symantec; he ran the global Managed Security Service, and the Symantec and Accenture Joint Venture.

If you're ready to transform your career and become the go-to GDPR expert, get your copy of 'The Easy Peasy Guide to GDPR' here: https://www.bestgdprbook.com/

Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/

Follow Scott on LinkedIn: https://www.linkedin.com/in/scottmccrady/

Subscribe to the Privacy Pros Academy YouTube Channel

► https://www.youtube.com/c/PrivacyPros

Join the Privacy Pros Academy Private Facebook Group for:

  • Free LIVE Training
  • Free Easy Peasy Data Privacy Guides
  • Data Protection Updates and so much more

Apply to join here whilst it's still free: https://www.facebook.com/groups/privacypro

Transcripts

Scott:

a phrase we use all the time is incidents happen, but you try to never let an incident become a breach. the pain and cost of cleanup is always way more than the cost of prevention. So just get ahead of the problem.

Intro:

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place. Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch, progress and excel your career as a Privacy Pro. Hear about the latest news and developments. Discover fascinating insights from leading global privacy professionals.

And hear real stories and top tips from the people who've been where you want to get to. We're an official IAPP training partner. We've trained people in over 137 countries and countries. So whether you're thinking about starting a career in data privacy or you're an experienced professional. This is the podcast for you.

Jamal:

Hello and welcome to another episode of the Privacy Pros podcast. I'm your host Jamal Ahmed, founder and CEO at Kazient Privacy Experts and Privacy Pros Academy, the world's number one place for data privacy education. And I recently became the international bestseller for my book, The Easy Peasy Guide to the GDPR.

Today we've got a fantastic episode for you. We're going to get all into how Privacy Pros can learn to speak and communicate better and value their colleagues better in cybersecurity. What we need to know about cybersecurity and some really cool tools out there. And to tell us more about this, I've got an amazing guest for you guys today.

Scott McCrady. He has over 25 years of experience working in the networking, telecommunications, and information security space. Scott is currently serving as the CEO of SolCyber Managed Security Services. Scott's worked with large companies and startups, among them include IBM and EDS, where he held security engineer and team leader positions, both in US and in London, and previous to SolCyber McCrady built the Asia Pacific Japan business at Symantec. He ran the global managed security service and the Symantec and Accenture joint venture. So we're in really good hands. Scott, welcome to the Privacy Pros podcast.

Scott:

Thanks Jamal. Pleasure. Thanks for having me.

Jamal:

My absolute privilege and honour to be hosting you today. Now you're very well travelled and you've lived in many different countries. Which one amongst them would you call out as your favourite and why?

Scott:

That's a great question. The U. S. is easily the best as far as like the options that you have and the ability to grow the career, the economy is just so big. Sydney, I spent four years in Sydney. As far as lifestyle, easily the best. It was a blast. I was running APJ, so I did a lot of travel in Asia. And then I spent some time in Singapore. And as far as there are a lot of internationals in Singapore and financially, the tax rate's very low. You can really feel like you're getting ahead financially and it's a great hub for Asia and so I tell everybody Sydney's kind of hard to beat if you really want to jump start your financial situation and have a hub to travel Asia, go to Singapore and then long term prospects, if you're an entrepreneur then the U. S is impossible to beat.

Jamal:

Okay, sounds great. So depending on what you're looking for, there's many options there for all our listeners. Now, one of the things we love doing at the Privacy Pros Academy is making data privacy easy peasy. And in fact, that's exactly what we sell to our clients at the consultancy as well. And I know you're a big fan of making sure things are easy peasy, and you actually advocate that managing security doesn't need to be so complex. What are some key strategies that you can share for privacy pros to make that process easier?

Scott:

I think we have a tendency in security because most of us are geeks and nerds and, engineers as background. And so we tend to like to play with stuff and we tend to like lots of tools and that sprawl of technology can oftentimes actually lead to less security and more complexity. And the process, if you're responsible for, doing one thing and one thing it's not easier than if you're responsible for doing 40 things. We often advocate for the fact that the legacy model of buying lots and lots of tools, and then trying to have people manage them and them not really being hung together is a model that we're seeing going away. Even super large companies that have the money, the resources, and the people are really starting to streamline a lot of their capabilities because it just doesn't make sense to try to do everything yourself and try to fit all the pieces together. And we're definitely seeing that the process is taking complexity out of the security operations to be the key piece going forward.

And the easiest example I would use is, years ago I had thousands of Dell servers in a data centre, right? So I had to buy pipe internet circuits. You had cages, you had data centre, you had servers, you had orchestration layers, you had people. And now obviously we use a lot of AWS and Azure.

And so that is one way that we've obviously taken our data components and made them less and less complex. And I think we're going to see a lot more of that on the security side.

Jamal:

Okay, that makes sense. Instead of trying to juggle 40 different things and have so many resources, and when that goes wrong, you don't know how that's going to affect the other tools, you just keep it simple. On the flip side of that, one of the concerns might be with some of the people who have this legacy or old school way of thinking is, are we not putting all our eggs in one basket? Is that one of the concerns or objections that you might come across when we say, let's take the complexity out?

Scott:

Yeah, it's a, that's a comment that comes up a lot. So it's a great thing to surface here. And, like all things, there's a trade off. And back in the day when we ran our data centre zone infrastructure, it was definitely within our control and we could move data centres. We had a lot of flexibility, but at the end of the day, we were not really a data centre company.

That wasn't what we were doing. We were an information security company that needed the data centres and all the associate components to drive the security services that we're delivering. And I think it's very similar here, which is sure. You're going to use somebody like a SolCyber, but we do it 24, seven, all day, every day, all of our people do security, live security, breathe security. We upgrade security. And the trade-off is you get simplicity. Vendor consolidation is important and making sure that it all hangs together so that, it's like a fence, right? You want all the pieces of the fence to be pushed together. You don't want big gaps. And that's really what happens to a lot of companies. They have a lot of components but running that security program consistently is really hard. And somebody leaves, somebody gets put on another project and all of a sudden you have a gap in your security.

Jamal:

Okay. Yeah, that makes sense. Thank you for sharing that. Now cybersecurity tools, there's so many of them in the market now. And there seems to be a new one popping up every day and we're seeing more and more privacy tools popping up. And now we're seeing tools that are promising security and privacy compared together. From someone who's been there, done that, and is a veteran, what are some of your most favourite cybersecurity tools that Privacy Pros can have a look at?

Scott:

We actually have this term that we call minimum effective dose, which is saying that there's actually a relatively constrained set of things that most companies need that really provide 99 percent of the security needs for most organizations. And so first, if I were just to list off three or four key things, what you're really looking to do is trying to figure out like if you're safe today, but not safe tomorrow. And on my board is a guy named general Keith Alexander. He started U. S. Cyber Command. He's on my board. He's on Amazon's board, and as I asked him once, I said , how effective is U. S. Government of breaking in? He goes, We're very effective. It's just how fast can the other side figure out whether or not we're in and kick us out.

And you want your mindset to say, How do we build the defenses? But the defenses are always going to get breached. So then how do we tell when that's happened and resolve that before it becomes a major issue? And so you want to look at starting with some of the basics, which is a multi factor authentication. It's not a panacea. It's very relatively easy to steal MFA sessions, but it's, you have to do that. You also have to uplevel your people. Security awareness training, phishing simulations, that's like bread and butter, basic blocking and tackling that you have to do.

Then you have to solve two problems, which is malicious code on the endpoint or on your servers. And then identity based attacks. And so malicious code on the endpoints is our classic Hollywood thought of somebody putting a sneaky piece of code. onto a machine and you need to be able to detect that relatively consistently.

EDRs, EPPs, EDRs are very good at that and you need them managed and monitored. But that's about 50 percent of the attack. The other 50% and there's a great phrase I'm stealing. I saw it about two weeks ago, which is hackers don't hack in anymore. They log in. So that's when they steal scouts.

Username and password and then they log in as Scott McCrady. Now, there's nothing malicious that's been dropped. There's no code that's been executed. So how do you tell when somebody's using legitimate credentials to access a network? That's the way most of the bigger breaches are happening right now.

And so you have to have an ability to detect that. So those are the three things you need to harden your people, harden your systems, So you're in a constant process of getting better. Protect against malicious code, EPP, CDRs, and you need to be able to tell so there's a user behavioural analysis and things like that.

When all that comes together, there should be a set of people that can see when that's happening and then do something about it. So they can revoke privileges, they can roll back processes, things along those lines to solve that problem so that, hey, if one or two or three machines have a problem or one person has a problem. It doesn't become a companywide event.

Jamal:

Okay, great. Thank you for sharing. So what I'm taking away from what you've just shared with me, Scott, is first of all, before anything else, we want to try and keep things as simple as possible. Take the complexity out. If we can find three tools, that's better. If we can find one even better, but we don't need. 40, 50 different tools because they're going to create their own risks, whether they're security risks or other risks, privacy risks, business continuity risk, whatever they are, there's going to be some problems over there. So let's take the complexity out first of all, let's keep it simple.

And then what we need to do is, yes, we need tools, some defenses to stop them from getting in, but they are going to get in. And it's not a question about whether they get in or not, it's when they do get in, how do we limit that damage and how do we quickly identify them that they're actually in, so that we can stop it from becoming a breach.

And for us to be able to do that, what you're saying is detection is actually key here. And what's going to help with those things is having that multi factor authentication, so we can make sure that we're actually getting the people coming in. Obviously it's not fool proof, but they'll probably go and take their chances somewhere else who doesn't have multi factor authentication.

So it's a deterrent. Get your people aware, so continuous training, simulation, so they're educated, they're aware, they know what to look for, they know what the right behaviours are, and they're not exposing the business or making themselves vulnerable. Then what we need to figure out is the malicious code that might have been dropped in, that might have been plugged in, somebody might have clicked on a link somewhere.

Somehow the malicious code is there. So we need to identify detect those and we need to eliminate those or get rid of those and sanitize and ourselves away from those. And then what you're really worried about is those identity based attacks where someone is actually pretending or someone is logging in as one of your users. So there would be nothing that sends an alarm signal to for you to know that and the only way to really try and do anything about that is to understand how your staff behave how that user behaves and by using user behavioural analysis, if it's behaving a little bit strange and you're like, this doesn't quite make sense. Let's start restricting them until we can be sure they are who they say they are. And then we can give them their privileges back. So from a privacy point of view, one question I have with the user behavioural analysis is how would that respect the autonomy of the individual and the dignity and the fact that they know that the way they're using things is being monitored. Are there any privacy concerns there?

And if there are how do we overcome those?

Scott:

Yeah, it's a great question because what you're not looking for is to scrub every single thing on a person's machine and suck it all back into a third party sock. We don't want that data, just to be super clear. The way it tends to happen is we use a lot of metadata. And we use a variety of tools to do this. But you want to baseline the different types of activities that are happening via metadata. So it's Scott on a regular basis goes to these five locations on SharePoint. Now, I don't really need to know everything inside of that SharePoint.

I just need to know those are the places that I go consistently. And generally speaking, he pulls down, whatever. On average, in an hour, five megs worth of files or something like that. Again, we don't need to know what the files are. Now, if I start going to other locations, Or I start doing trace routes or pinging across the network and I've never tracerouted or pinged anything in my life. And then all of a sudden I'm going into other locations and all of a sudden I've never been to those locations. And then my usage of the download of files is, five times what I normally would. There's a high chance that either there's somebody malicious there or I'm an insider threat.

Maybe I just quit and I'm trying to download and steal intellectual property. Those are all different types of ways that you can tell that this is not very normal behaviour for Scott McCrady. And so just to be super clear we aggressively and always try not to get any data of the underlying assets of the institutions that we serve.

Jamal:

Okay, great. That helps me feel a lot more reassured. It's a little bit like when I was a teenager. My parents would know what my normal behaviour would be when I would come home and I should be going out. And when I would sneak out at night and they'd hear my car and they'd hear the door They'd be like, hang on something unusual is happening. They don't know what I'm doing, where I'm going, who I'm with but they just know that it's unusual behaviour and so they might question me about it. And that's exactly what we're trying to do. It's just to pick up on something unusual to see if there is something going on or not.

Scott:

It's a perfect example because with malicious code, we can actually solve that problem for a lot of our customers directly and we do, but when it comes to these types of attacks, we regularly have to contact the customer and say, we're seeing a bunch of strange behaviour, but honestly maybe he was just given a new project, right? Or maybe he's been asked to do something. And so this is why adversaries use this technique so much these days is it takes a combination of usually somebody like us, who's very good at detecting unusual behaviour via the tools, the people, the consistency, the 24 by seven. So if it happens at three in the morning but we have to work very closely with the customer because usually you have to validate what's happening or they have to go do a piece of validation effort.

Jamal:

Okay, sounds good. Now, communication and collaboration is key to achieving business objectives, key to achieving success, and also crucial when it comes to achieving security goals as well as privacy goals. So we have to work with different departments and that's a huge part of cyber security too. What's the best approach to engage with different teams and communicate in a way we actually get their buy in rather than they see we're here to interfere with what they're doing or say tell them they can't do something or they need more permissions or something .What's the best way to get buy in so they actually see the value and benefits in what we're doing and they come on board willingly?

Scott:

This is probably the toughest challenge that we face in security and privacy is actually in some ways even more difficult because obviously We can obfuscate people's personal data and security. But when it comes to privacy, a lot of times you're getting stuff that's important. The thing I always talk to our customers about because a lot of the customers are like, we need to do A, B and C, but my CFO doesn't want to sign off on it or my I. T. Department doesn't want to deploy it, but I know we have gaps and what we try to help with is just the pros and the cons and the reality of when you deploy some of the stuff in today's world, how it's not so scary and it's not so difficult.

I think a lot of us have scar tissue from maybe 15 years ago, where we put a piece of software on a machine, all of a sudden the machine would slow down forever. There's a lot of that stuff that people still remember, and it's just not the way that everything works these days. And then the second thing is we'd run into this all the time. People are not aware of how bad it is out there. And it's totally normal because if I'm making widget, if I'm making shoes, and I'm like, I'm a tennis shoe company manufacturer, super competitive. I've got to make my shoes, great cost effectively, get a great product out there take customer feedback. There's all these other things that matter more than security. But if you get ransomed and it shuts down your production line, you're in a world of hurt, but most of the people in these industries, they get that at a very it's a very far away feeling. It's if that happens to somebody else. And so we try to help people explain to executives who don't live in security what are the odds and how often this happens? And because they'll say I'm a shoe company or I'm a whatever company. Why would I be a target? And it's if you can't produce your widget, then you're losing money.

And if you're losing money, you tend to be willing to pay. To get that widget, processing started again. So those are the ways I talk about it, which is you have to paint the vision of why this is going to help the company and put them into a much better position. You really have to talk a little bit about the cost of pain and how that's very different than what we all remember.

Like this stuff is very effective. It doesn't mess up machines. And then talk to them a little bit about, it's just a fact the pain and cost of cleanup is always way more than the cost of prevention. So just get ahead of the problem. I use this, I think it's a relatively silly analogy, but it works, which is you don't want your car towed, right? If you pay your five or 10 dollars at your valet, then you're solved and you spent your five or 10. You're like, I'm going to save that money and you park somewhere and you accidentally park in a tow away zone and all of a sudden you're paying 350 and you're having to go through this process to get your car out of hocket, and dealing with somebody behind bars. I've been there obviously. And it's just an incredibly unpleasant experience. And so it's a very similar thing when you get breached, it's just expensive. It's time consuming. And the amount of money you're going to spend probably was 15 years worth of good security.

Jamal:

Okay, great. I love what you've just shared there.

Scott:

I really resonate with what you're saying because one of the things we talk about with our clients and amongst our team when we're trying to get the buy in is we need to hit them with the pain of not doing this thing and we also need to deliver the gain so when they weigh it up, it actually makes sense.

But for them right now, it's not real. It's just something that could happen or it happens to those people over there. And this car analogy you gave is great because what I usually would go in and say is, I want you to think about the last time you got a parking ticket and when you paid that parking ticket, how did that make you feel, but didn't it make you feel worse knowing that you could have just paid a couple of pounds to prevent you paying a couple of hundred pounds.

Right now, think about that feeling. Think about how stupid you felt at that time. I might not use the word stupid, but just think about what a stupid decision that was not to do that. And now amplify that by a hundred by a thousand and now think about it in the context of your company. How many times are we going around not paying the ticket because we think you know, the parking warden isn't going to come around.

I'm not going to get it. I'll only be five minutes and be okay. And it just took five minutes. Yep, and that's what happened now Imagine something like that was to happen to your company either a privacy breach or a security breach. What would the consequences of that be? Oh, okay, and let's say that did happen. Then how would that have a knock on effect going forward and what would the cost of that be?

How much would you be willing to pay to compensate and fix that to get you back to where you once were? And how long is it going to take to do that? And what kind of business goodwill and reputation are you going to lose in the meantime? And then they start thinking, and then you should be like we can take all of that away.

This gets it done. And not only does it take all of these problems away, but it also gives this competitive advantage. It also helps us with this objective. It also helps us to build more trust. It means we can also win more business, et cetera, et cetera. And now it becomes a no brainer. The challenge I find with a lot of practitioners is they don't take the time to explain things in a way that is not about security or privacy. And you've done a brilliant job here by giving the example of the cars. Where do we get these stories and how can we use more stories to buy?

Jamal, this is where like this podcast and what you're doing here matter so much because I'm always looking for better ways of explaining this problem to companies because I right now have at least six companies that we've talked to that we were in conversations with, and they're like, eh, we don't know if we want to spend the money that were breached. Within three to four months after them saying that they're not in a position to move forward on spending the money, or it's going to be hard to get buy in to deploy stuff. And we know how the breaches happened and we feel very confident that we would have found them and stopped them.

And so I'm always looking for ways to better articulate this myself. So I appreciate your view on it because it's hard out there and it's hard for the CISOs and the CIOs and the leaders of privacy to get the buy in and it's our job to try to make that easier for them. And my door is always open for people to have great ideas on how to make this more appealing to organizations.

Jamal:

Now I want to ask you a little bit more about SolCyber. What kind of company would really benefit from that?

Scott:

So I spent most of my career working with the Global 1000, so the super large companies. And when we started SolCyber, what we realized is even those large companies would get breached. And there was a consistency of why that would happen. And essentially it would be a breakdown in the security program, but when you go talk to companies and you say, let's talk about your concept of operations for security. Like you want to see people's eyes roll over and glaze over talk about concept of operation for security.

But what we realized was what we call the mid market. So we support companies that are 100 employees, we support companies that are 10, 000 or 15, 000 employees. But even larger actually, but in that space, the ability to run a security program consistently is oftentimes the gap. And so we offer a really amazing managed security service, traditional managed security service, just in a much more modern and identity focused way. That's our entry point, but that's used to be where all of the other companies stop. We up leveled that to what we call managed detection and response service with the MSSP. Basically, what does that mean? Is that 50 percent attack against the machines with malicious code? We can do that. And then our preeminent product, which most people buy is what we call foundational coverage. And it's a security program subscription. So instead of having to hire the people and figure out which 4, 500 tools that you need, and then run all the programs consistently. We just drop all that in for per user per month.

And so it's a really great solution that allows for companies to take this security threat component off their plate and just allow us to run that for them consistently and they can take their security people and put them into a lot more architectural type roles. And we see this happen a lot is that a lot of companies don't have anybody or maybe have one person and that person gets pulled in lots of different directions and you don't really want them trying to look through management consoles at eight in the morning to see if something went boom last night and then on to their next responsibility. That's what we do. A security program as a service and customers love it. It's a really great service.

Jamal:

Awesome. Thank you for sharing that. And if anyone who's listening would want to get in touch to learn more about how you might be able to solve some of their challenges that they're having right now, what's the best way to get in touch with you?

Scott:

Sure. SolCyber, S O L C Y B E R Solcyber.Com and easy Scott@SolCyber

Jamal:

Okay. Awesome. And we'll link those into the show notes on the podcast. So just go and click there once you've listened to the podcast and then you can get in touch with SolCyber and see how they can actually help solve some of your challenges.

So we've had a really interesting conversation. We've covered everything from complexities, why that's a bad thing and how we can make it more simple to really get effective cybersecurity. You shared some of your top tools that are must-haves for the business, and you also told us about some of the threats and how we can actually go about detecting those incidents before they become breaches. And then we spoke about, oh, yes, we are doing some monitoring and how that actually works. And it is not actually intrusive in terms of personal information or corporate information or any of those things. And it actually really provides a metadata based approach.

Just to look for unusual behaviours, a little bit. Like when I go to my bank, I have normal transactions. And the moment they see me buying a big thing or having lots of small transactions or shopping in a different part of the world, they say, Hey, we put a block on your account. Is this really you? I click yes or I type back and say yes. And everything's back to normal again. And am I annoyed that transaction declined? Maybe for a 10 seconds, but then when I think about it, hey, if that wasn't me and that was actually somebody shopping in another part of the world and making this purchase, would I have preferred for them to block that and check with me, or would I have said, Ah, why do you keep checking every time?

And the answer is always, I'm grateful they actually do that. And so this is exactly what's going to be happening with companies, is they'll be grateful that they have these tools in place. And yes, it might cause a little bit of interruption here and there. But it actually prevents all of the pain that comes with not paying a couple of dollars And then ending up with a huge parking fine when your car gets towed away.

Are there any last nuggets of wisdom that you'd like to share with the audience before you go?

Scott:

I appreciate the time and we're always looking for better ways to explain how we do what we do and get buy in from companies and organizations, so feel free to reach out if your company's security needs, obviously we're there, but if there's other recommendations or ways of making this easier on everybody we're here as a group to try to make the companies that we work for and work with a more secure and more and keep the data that's important, private. And then the right hands are not in the wrong hands

Jamal:

It's been an absolute pleasure, speaking with you. Thank you very much Scott and if you're listening and if you just heard what Scott said, I want you to pay attention to what he said But I also want you to pay attention to something else and this is Scott's attitude, his mindset He has come on this podcast.

He is someone who is in very high demand. He's come here to share all this knowledge and the last thing he says is, Hey, I want to learn how to get better. I'm open to ideas. We're a community and this is the attitude and this is the mindset that helps the great people in this community do well and really learn from each other's experiences because we only know what we know, right?

Sometimes we don't even know what we don't know. And when you look at things from different cultural point of view, when you look at these things from different industry point of views, We pull all of that together collectively, and that is where the power of community comes in. And Scott, I really want to take my hat off to you for sharing those attitudes and the humility and the modesty and all of the great things that you've been doing, you've been part of the solution for some really great tools.

And I know you're protecting a lot of companies, so keep up the great work and whatever we can do to support you, let us know, and I look forward to catching up with you again soon. Until next time, peace be with you.

Outro:

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released. Remember to join the Privacy Pros Academy Facebook group where we answer your questions. Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class Privacy Pro.

Please leave us a four or five star review. And if you'd like to appear on a future episode of our podcast, or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk until next time, peace be with you.