Charter Engage: Know IT

Cybersecurity Awareness Featuring Jason Maynard

October 12, 2023 Charter Season 1 Episode 8

💭 Charter Engage: Know IT Podcast Series – Cybersecurity Awareness Featuring Jason Maynard


 October is Cybersecurity Awareness Month, and this podcast focuses on enhancing your Cybersecurity Awareness throughout your organization by exploring what’s happening in the field, through real-world case-study examples, the top security issues and challenges, and ways to protect your environment by capitalizing on IT, OT, and IoT technology. 

 

Get to know our special guest, Jason Maynard, Cisco’s Field CTO- Cisco Security, as well as Ronnie Scott, our Chief Technology Officer and Mark George, Charter’s Director – Energy, Resources & Industrial Markets as they have a roundtable discussion touching on Bill C26 legislation, the cybersecurity framework (based on six strategic pillars), and strategies to implement basic controls for breach prevention. 

 

“Understanding the adversary and how they operate in your environment is strategic… and that's where we need to start shifting organizations to - moving from commodity-based controls.”

Jason Maynard, Cisco, Field CTO- Cisco Security

 

This is the second of four Charter Engage: Know IT podcasts set to be released weekly in October. 

· Week 1 - Charter’s Business Transformation Roadshow: A Practical Approach to Business Transformation
· Week 2 - Cybersecurity Awareness Featuring Jason Maynard
· Week 3 - Charter's Cybersecurity Best Practices
· Week 4 - IT Staff Smarts: The Augmentation Approach

 

💙 Leave a Rating and Review on Apple Podcasts

Let Charter help drive your business outcomes Forward, Together.


Charter Engage: Know IT Podcast – Cybersecurity Awareness Featuring Jason Maynard

[Recorded simultaneously in Victoria, BC, and Calgary, AB, September 14th, 2023]


[0:06] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator

Welcome to the latest episode of Charter’s ongoing podcast series called “Charter Engage: Know IT.” I'm your Host, Mark George, the Director of Energy, Resources, and Industrial markets. 

Today's discussion will focus on enhancing your Cybersecurity Awareness or, as I like to think about it, our panelists are here today to answer one question “Why is it mandatory that every organization increase their cyber-aware capabilities and the mindsets across the whole organization?” 

From a definition point-of-view, awareness includes information on threats to your networks, the risks introduced, and mitigating security best practices to guide behavior. Mindset considers a layered approach to thinking holistically about cybersecurity and the engineering protection standards for data applications, information, and cloud services. When put together, it is an ongoing process of educating and training employees about the threats that lurk in cyberspace, how to prevent those threats, and what they must do in the event of a security incident. 

For over 25 years, Charter has built a very successful business as a reseller of networking, IT, security, and collaboration products and services. Last year, we made the strategic decision to invest and build a much broader systems-integration business focused initially on companies in the energy, resources, and industrial markets. To do this, Charter will take responsibility for customers achieving business outcomes, leveraging best-in-class technology, and a comprehensive portfolio of professional services to help them integrate and optimize their operations across the traditional IT and OT infrastructures. To put these comprehensive solutions together, Charter will partner with third parties to help our clients achieve their digital transformation and business objectives.

[2:16] Now, for our regular listeners, you'll know we spent the last few months in our podcast series exploring topics such as how we work with industry partners to secure connected workers, to leveraging design thinking to build business transformation road maps, and, most recently, how to move beyond using spreadsheets to make more informed decisions. Underpinning all of these subjects is protecting corporate integrity with pervasive cybersecurity. 

[2:47] Now all the leading consulting firms in the world suggest that you are either an organization that has already been hacked, or you soon will be. Cybersecurity statistics indicate that there are 2,200 cyber attacks per day, with a cyber attack happening every 39 seconds, on average. In the United States, a data breach costs an average of $9.5 million, and cybercrime is predicted to cost $8 trillion by 2023. [1] 

[3:20] With these sobering statistics as a backdrop we're blessed today to have two industry veterans with us to help answer the question “Why is it mandatory that every organization increase their cyber aware capabilities and the mindsets across the whole organization?” It is my absolute pleasure to introduce our guests Jason Maynard, the Field Chief Technology Officer of Cybersecurity for Cisco Canada, and Ronnie Scott, the Chief Technology Officer of Charter.

[3:52] So gentlemen, let's get started. I think you both agree that there's no question that cybersecurity has become a top priority for organizations across all industry sectors. Jason, you're so visible in the market, into the social media world, for all this ongoing series of cybersecurity, YouTube videos, and obviously, you've worked with a variety of clients across the globe. What are the top three security issues that you're seeing?

[4:23] Jason Maynard, Cisco, Field CTO- Cisco Security 

Yeah, great question, and happy to be here, and nice seeing Ronnie, again. Thanks, Mark. 

I think number one, if you look at most organizations, the biggest challenge is visibility. People just don't understand what's plugged in the network. We talked a little bit about IoT in the past, Ronnie, and IoT is just one area of assets that are in the network that people - they have limited visibility in. But now it's becoming the largest portion of your environment and you can’t install things like endpoint detection response or tools that you would traditionally install on traditional assets like a laptop, or a desktop, or server. You can’t install that because the footprint is pretty, pretty small. So, visibility is key. We need to understand what's in the environment. 

The next thing is you need basic controls, basic hygiene in the sense of having not only the ability to mitigate vulnerabilities and make sure that your systems are operating at the right patch level (which is a challenge in itself because there's risk associated to anytime you're patching;) but also, things like, I even almost hate saying it, basic controls in the sense that you need end-point protection that has ability to do detection-response capabilities - because you will be compromised, as you mentioned, no matter how many controls you put in place you need some network based controls so something that as stuff comes into the environment you're going to need to be able to scrutinize and validate. 

You need e-mail security. 

These are just basic tenets, or basic controls, that you require in the environment - and it's not enough. The problem is that we've been focused on commodity-based controls. And what I mean by that is you've got IP addresses, domains, URLs, SaaS - people are focused on mitigating at that level. But we have to move higher up and understand the adversary, how they operate in the environment, and look at how they navigate (what we call our tactics, techniques, and procedures), and really understand how they might target us, learn from that, and build in the right detection and controls - if we even have the ability to do that.

So, for example, [for] an IoT-based device, if a control would be installed in endpoint detection response capability, or remove PowerShell, or a shell capability within that asset, well, maybe you can't do that. (It would void the warranty, or it needs it to operate, or you can install an agent.) So, you might not have a preventative capability. You might have to use, maybe, the network as a detection tool - to see some activity. What do you think?

 

[6:34] Ronnie Scott, Charter, Chief Technology Officer

Yeah, that’s so much. What we've been talking about is the bigger picture - getting beyond the individual response to a given threat. 

I, actually, have been thinking a lot about, I think, it was a Gary Larson comic strip [2] from a long time ago. And you start off with this frame, and there's a dam. There’s a dry side, and the river on the other side, and you see, sort of, three lumps sticking out of the dam. And then, a few moments later, on the second frame, you see the person pop up out of the water, and the water is now coming out of three holes in the dam.  And I feel like that's a bit of how cybersecurity is working in the environment. We go and plug all these holes and we're drowning all the time, and we don't get out, look at the big picture, and say “Let's come to the dry side.” 

[7:16] Let’s think about how we build a strategy, a plan for building, that secure dam, that secure strategy, around your organization. And so, certainly, big picture thinking, frameworks, all those kind of things. Then, we can apply the actual controls to that big objective.

 

[7:36] Jason Maynard, Cisco, Field CTO- Cisco Security

What's interesting, I think I remember that comic that showed that. And I don't know what play it was on, but you finally get the dam there. You think it's all there, and then the water just goes around the data, yeah right. So, it's a never-ending game in cybersecurity, and that's the challenge. [With] every control you implement you think you've moved the needle. There's still opportunity for the adversary to be successful. They change their behavior as much as you change yours, and the game continues. So, it's a never-ending story that you have to continually progress at.

 

[8:00] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator

Now, I value your opinion on an article I saw from McKinsey and Company. [3] They commented that in the manufacturing world, over 90% of companies that they surveyed had had their production or energy supply chain hit by some sort of cyber attack and that because we traditionally look at cyber attacks from the IT side, their comment is the OT cyber attacks tend to have a higher, more negative effect than those in IT do because they can also have physical consequences - shutdowns, outages, leakages, explosions. Maybe I'd ask you both to comment on what you're seeing in the market on the OT side, as we start to look at the overall network, basic controls, and visibility to both problems on the IT side and OT side?

 

[8:54] Ronnie Scott, Charter, Chief Technology Officer

So, maybe I'll lead out there. So certainly, the OT world is not the same as the IT world. And I think this idea that inside our nice safe building (like we're in, right now, in our office block), we can put these perimeters around us - how we've been able to create a nice, crispy shelter of our network in the past. Now, even that’s dissolved, and we've seen that change. And I think it's good that IT has had to learn those lessons about how threats come in different places; our people aren't sitting where they're supposed to be anymore; they’re outside the perimeter - and that's made us think differently.

The OT world comes at it from a very, very different perspective - than that I've always just disconnected. I've had this nice air gap between the two worlds. But obviously, you talked about visibility at length, around security. It's exactly the same in the OT world. They want to know what's happening. And getting that visibility means they have to expose this very hard shell above head and soften them and expose it to the IT world. And they feel like they have compromised their own security in doing that.

So, if IT hadn't been working ahead of the game and thinking “How do I do this differently? And, how do I build security that allows me to protect cells of people wherever they are doing, whatever they are doing?” I think IT would introduce risk to the OT world. 

Whereas now, I think we can bring methodologies and structures that say “Well, if we create isolation, we create segmentation, we create clear policy boundaries, (about what can come and go from this part of the OT world, this part, and then on to the IT world, and beyond), we can build a very strategic plan to protect that environment in a scalable, manageable way.”

 

[10:32] Jason Maynard, Cisco, Field CTO- Cisco Security

Yeah, I think those are good points for sure. I've done a lot on the operational side as well, so if you look at it, the operational skill set - they're very, very talented engineers, but they may not know IT systems. The same as the business IT world, right? We've been doing this for a long time in business IT, where we see threats all the time. We're just not worried about an explosion because we put a control in place for just stopping data from leaking. This is the way we look at it in IT. In OT, you might disarm a safety control system and that's that. You don't want to do that.

And so, I think IT has a lot to offer OT in the sense of understanding some of the controls. Because if you look at a lot of the breaches, they're actually starting in IT-based systems - in an OT environment. Like, it's a Windows box that gets popped. But then the environment through, most likely, the environment, they made their way in. And then stuff happens. Colonial Pipeline, you can see it when it came in - I think it was VPN.

As an example, I think everyone's heard about the casinos this week. That's out there. But the bottom line is that there's a lot of capabilities within IT that can complement the operational environment. Obviously, there's nuance, there's more auditing. Then blocking - visibility is key. The one advantage operational environments have is they're pretty static so you can baseline them very, very easily and look for nuance. But it's really about IT and OT coming together and really building that security framework to drive those outcomes, and reduce risk, and gain visibility within those environments.

 

[11:55] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator

Well, we're going to come back and talk some more about that IT/OT framework as we get further into the discussion this morning, but I wanted to get both of your points of view on a really hot topic in Canada. We're looking at Bill C26 and, potentially, it's going to be implemented, some are saying in the fall, perhaps next spring. And there's going to be pending new regulations, also potentially, for publicly listed companies in the US. And that it’s going to be mandatory that within four days of a breach, they've got to report it. So, more and more companies, I think, are going to need to be forced to develop governance and disclosure when incidents occur. 

So, going back to the notion of a framework then, I’ve got to believe that these events going on in the market, whether it's because you're SEC listed, or Bill C26, that companies are going to have to develop more sophisticated policies, procedures, and then benchmark themselves against some of the industry standards, like NIST. I'd be interested, Jason, in your perspective on that, and then we can segue over to Ronnie.

 

[13:03] Jason Maynard, Cisco, Field CTO- Cisco Security

Listen, anytime they introduce new bills or frameworks, organizations are challenged with developing or meeting those guidelines. That's always a big hurdle for many organizations. If we're talking about disclosure, I think that's what you're saying Mark, right? There is one element of it, which is breach disclosure - in the event that you are compromised. That one is interesting in itself because, I think, there's some legislation, at least in Canada, where that's already in play. That there are certain rules and regulations in regard to a breach of your time to respond back to the governing entity - whatever that might be. But if you look at most breaches, I've always said this, at the end of the day, us, as defenders, we’re blocking and batting down hundreds and thousands of threats per day. That's what we do. But the business really doesn't care about all of the stuff that we block. They really only care about the things that happen when those controls fail. And that's, really, where you show your skill or capability as an organization, or in our case, as defenders, is our ability to respond.

[We] talk a lot about cyber resilience. Well, part of cyber resilience is “If I do get compromised,” because I'm going to be. If you take that mindset that it's going to happen, what does that mean? Well, if I can scope, contain, and remediate a certain segment or portion of my environment, and reduce my risk, and allow the rest of the organization to operate, then I've got a level of resilience. I'm not out of pocket, like what we're seeing today on the news around casinos, as an example. So, there's that portion of it.

The challenge is that understanding what is taking place when a breach occurs. Do you have the right skill sets internally to identify, even what to disclose? Do you know how to disclose? Do you work with a partner or somebody, that's been living and breathing that space for some time - to help bring them in, to help manage that? But the challenge is going to be is, “How are organizations going to meet that demand?” And “What is the detail required in order for them to respond to the committee, or government entity, or whatever in order to articulate what took place?” 

Because what we find (and again, this kind of shows some of the challenges that organizations are faced with.) Today, they come out and say there's 1,000 people that were impacted. Two weeks later they say it's 10,000. Four weeks after that, it's a larger set of people and it's the wrong direction you want to go in. You don't want to go in and say too much either, but you also don't want to show that you really don't have a handle on what's going on. And outside of any bill that might be legislated, you're losing confidence from the consumer, so that they do business with on top of all of that because you really don't understand what's going on.
 
 

[15:32] Ronnie Scott, Charter, Chief Technology Officer

Yeah, so important. So, just a little background. Jason and I, once upon a time, had the same job. I used to be the Security Solutions Architect back at Cisco, many years ago, and Jason actually took my role when I moved into the data centre side of things. And so, I wouldn't say I'm a security expert - Jason did the job much better than me, following that. And, he's done an amazing job over the years and then escalated himself up to this field, sitting on the security side. Myself, I've changed tack a little bit and, over time, I tried to get a little bit more generic again across the whole business. And now, as Chief Technology Officer at Charter, I'm thinking about the whole organization and thinking about how we run as a technology organization, [and] how we offer services to our customers. 

But all this gets to the point of my approach as CTO to security. It is very much about, as best we can, “How can we holistically manage this?” And it's really hard. It's really hard and I've got some great people on my team. Josh [Patton] we’ll meet in a couple of weeks, in our next podcast, and Krisann [McDonnel,] and they bring a really good perspective on how we actually, technically do this. 

But the important part to all of this is that [Bill] C26 is an interesting thing because it's saying “OK, let's pick the high-value industries, and let's make sure they are accountable.” And what I'm worried about is that there are a lot of people in lots of organizations who will start with the “Am I?” under the C26 regulations. “Am I one that's going to be looked at?” And to be honest, wrong question. That's irrelevant. Everybody, every company should be thinking “What is my duty of care to protect my data and the data that belongs to all of my stakeholders?” Whether they be the owners, the customers, the employees, or the partners. And so, C26 can become an excuse and can be a means by saying “We're not under that. We don't have to do these things.” Well, you do. Every company should be thinking like this. Every company should be thinking of “OK, [if] things go wrong, I need to be able to disclose to the relevant parties. And maybe it's not government, but it's my other stakeholders - where we are at and where we're going.”

And we had a partner of ours who was compromised a while ago, and we found it terrible that they wouldn't communicate with us. And fortunately, none of our data was impacted. But it took us weeks, and weeks, and weeks to get that information from the partner. 

Visibility, being accountable, and keeping people informed is critical to keeping our data flowing in this industry and keeping trust. And just what you were talking to me in there, Jason, if you want people to trust you you've got to do this. It's not negotiable. And it doesn't matter if it's government dictated or any other way, you should feel obliged to make sure you're thinking about how we get visibility, how we understand what's going on, and how we keep those key stakeholders informed.

 

[18:16] Jason Maynard, Cisco, Field CTO- Cisco Security

Yeah, what's funny Ronnie, is that you know [in] security, there's still this debate whether or not the investment needs to be made. And I think you've heard this one before, but the conversation goes back to “What makes a car go really fast?” So, it's a question. But, like, “What is it? The engine?” It could be the gas, it could be the driver, maybe. Right, a really good driver. But in fact, it's the brakes. Because without the brakes you're only going fast once. You're never going to go fast again. And security is very much the same. It's not the brakes to slow down the business, it's the thing that allows the business to be agile and move fast, and act quickly, and inform, and make sure that the people that you care about are being taken care of when an incident takes place. You've got the brakes. Yeah, to slow things down. But it allows you to be agile. It really, really does. But it's a challenge.

And with Bill C26 specifically, by the way, I think it's coming up to ratification (I think the second reading or something like that.) But then, the regulator has got to interpret the data, to build out “How do we achieve those outcomes?” So, there's still a long runway there. But we got to start thinking about it today. Regardless of the Bill, we should be thinking that way.

 

[19:21] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator

And even if you're included in Bill C26, there's still companies out there that will still have to be thinking about being compliant. Because at some point, they're going to expand the number of industries and organizations, I suspect, that are covered by that kind of regulation. 

Now, Ronnie, you introduced the topic of framework and the importance of having a cybersecurity framework. The complexity of cybersecurity really says that it has to be a combination of technologies, processes, and capabilities from top to bottom in the organization. 

Jason, Cisco's done an amazing job building a very comprehensive strategy for security resilience. Could you walk our audience through some of the key components - all the way from the segmentation of the networks to how your supply chain relationships are set up and defining KPIs? Because the thought, and effort, and sophistication that you built into your security and resilience strategy will be of tremendous interest to our audience. 

 

[20:29] Jason Maynard, Cisco, Field CTO- Cisco Security

Yeah, that's a big topic. There's lots of frameworks out there but I think many people will always piggyback on NIST 853 and the basic controls. And, you know, there's multiple tenets in there that talk about some of the things that you need to do. And Cisco, obviously, has a portfolio of technology and product that can help service some of those, but not all of them. And, in fact, there's not a single vendor or manufacturer today that can walk into an organization and say, “Here's the magic box of stuff and now you're going to align to NIST 853.”

And there's people involved in that, too. The people are the weakest link, unfortunately. Great people, but again, you play into the human emotion. The human firewall is real. You’ve got to be able to detect that. But there's multiple things within that framework. So, it's very, very challenging. 

You can look at things as simple as micro segmentation and how it aligns to a specific control within 853, but there's a whole lot more to that. So, that's a broader question. We have capabilities that drive towards many of those things like micro segmentation, understanding assets, bringing them on the network, limiting their ability to communicate, and, if there's a breach, have the ability to automate and respond to some of those actions. But then you've got identity services providers, you've got cloud service providers, in multiple cloud environments, there's other controls that are required, there's having the ability to posture and assess, and making sure that you're complying throughout the whole time that you're delivering your outcomes. And you want to do that regularly. So, it's much broader than just a couple of “Here's micro segmentation, a couple of firewalls, and an end point. And you're done.” What do you think, Ronnie?

 

[21:58] Ronnie Scott, Charter, Chief Technology Officer

I'm going to play the “I'm not a security guy” card, anymore. What you just said - everything is true, but it can also sound completely baffling. With so many words and so many functions, then you could talk about all these controls, which are the things we do to stop things happening. And that's why you need security people to do that.

But I’d like to come back, from a philosophical perspective, the simplicity behind the frameworks. And the thing I'm most trying to repeat to my people, and we're trying to embed into our mindset, is that underpinning these controls (which can be lists of a dozen, or 20, depending which one), we have a mentality there that comes down to these five key pillars of the frameworks. And I know that there’s now a sixth - the sixth now being pillar “0,” which is Governance.

But, beyond that, you then have these five basic pillars. The first is IDENTIFY. If you don't know what you've got, in your organization, you can’t protect it. Because it's there, it's doing something. [If] you don't know it's there, how can you identify what to wrap around that thing to protect it? A lot of organisations don't even know what they have in their organization. That's a challenge for us, even, in a small organization of 120 people at Charter. Just knowing what we’ve got is hard work. 

The second pillar is then PROTECTING it. And so, we want to put the wrappers, and the protections, and controls around all those things. But, again, if you don't know what you’ve got, you can’t protect it. The protections are then not the end of the story. 

So, then we go onto the third pillar, which is DETECTION. “Oh, something’s happened.” And, again, this is all the visibility part. If I don't know that I'm broken into, then the attacker can do whatever they want. We talk about “This is dwell time. How long are they there before they actually pop their head up and cause damage?” And so, if you're not protecting and you don’t have those tools in place to detect what's going on, then you've got nothing to report on. And you've got no way of reacting to real world threats. 

The fourth pillar, beyond detect, is the need to RESPOND. And how are you going to respond to something that happens? Who can you call? Are we going to be sitting around the table saying, “What do we do? What are the steps we take to minimize the damage and protect our organization, should that occur?” 

And, finally, heaven forbid if real damage is done, “How do I RECOVER?”

So, if we can think a little bit, just even, across those simple concepts of good governance – identifying, protecting, detecting, responding, and recovering, that can build a real simple strategy to at least set us down a road. And that's what I like about frameworks is they’re a pathway. They’re not necessarily ever an angle, they’re a roadmap that we can work down for our security process. 

And one thing that I’ll also highlight is that in all our other podcasts, we've talked about “Starting Small.” And, unfortunately, I don't think it's a luxury we really have in the security space. I don't want to overwhelm everyone, but I do think it requires some strong foundational thinking up front. It requires those (again, alluded to by Jason) those fundamental protections you’ve got to have in place. But then, you continue to build on that with maturity over time. So, we need to invest a little bit up front on security, like the brakes analogy, to get us in a good place.

 

[25:04] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator

We've covered a wide variety of topics today talking all the way from some of the cyber security issues that are out there, implementing basic controls, following a framework, and Ronnie, a great summary at the end of the five pillars, that we see, that pull it all together. 

I'll ask you both the bottom-line question though. You've seen some customers that have done cyber very well and perhaps some of those that haven't done it quite as well. We suggest a customer start from the perspective of doing an assessment - whether it's a cybersecurity assessment, or a broader, just security assessment that also includes the environment, and as you referred to earlier, the governance policies and procedures behind it. But each of you had some great insights across the globe, starting from an assessment perspective. Is that a good place to start?

 

[26:02] Jason Maynard, Cisco, Field CTO- Cisco Security

It's not a bad place to start. That's for sure. There's commodity-based controls that you must have. And so, those are obvious things - you don't need an assessment. If you don't have advanced capabilities on an end point to do mitigation, you probably want to do that. But taking a step back is critically important in how all of this does come together. It is a little bit complex.

If you look at any other vendor you go, “Oh networking, how many vendors?” You go to a Network Engineer (I’ve always said this), and ask them to name 15 manufacturers. I would say most would struggle, even though that's their specialty. You go to storage, you’re sitting at 15. In fact, in security (and I've done this before, [but] I will never do it again), I asked a group of people about a company that I learned about called “Cyber Security Ninja.” I asked a group “Who, here, has heard about it? They do sandbox, really cool stuff in the end point.” And someone raised their hand. And, unfortunately, I was making it up. And I learned my lesson there - never to do that type of exercise with anybody again.

But the problem is that there are so many pieces to security to drive an outcome. And there's many different manufacturers of tools out there that you can deliver on. So, taking a step back, and if you're looking at end point, say detection response, a very similar capability, or control you should have, you want to know how that plays into the rest of the ecosystem so taking a step back and doing an assessment of understanding where your gaps are. 

The other thing I'm a big believer in is if you've got end point and you've got to control, and a partner or manufacturer comes in, and they're trying to tell you why their endpoint is better, you're not moving the needle. And it's not worth the time for you (and maybe there's an agenda on the other side, I don't know), but we should be looking at areas of opportunity to increase your overall security posture. Maybe there's gaps, and then an assessment would help identify those.

 

[25:04] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator

Well, in fact, Jason has, I think I have seen this in at least one or two customer sitAnd I think that's the point you're talking about, Jason, from a gap perspective. It shouldn't just be the procedures, the technologies, and the policies. It can also be the insurance coverage that you have in place.

 

[28:28] Jason Maynard, Cisco, Field CTO- Cisco Security

Yeah, it's not checkbox security anymore, either. It's not “I have a gap; I'm going to fill it. Check.” It's how it plays into the entire ecosystem capabilities that you have. You’ve got to operationalize the technology. That's a big challenge in many organizations. Some of this stuff can get a little bit complex, or there's nuance to it. 

But, as I mentioned earlier, it doesn't matter how many threats to block every day. I mean I care; Ronnie might care a little bit; whomever looks at the report cares. But the business does not care. They care about making sure that the business is operational all the time and they expect that you're doing your job. 

And so, you want to look at that big picture of what that incident might look like. That's why I'm a big believer of understanding the adversaries that might be targeting you - and going through exercises of understanding that process that the adversary takes, (like red teaming or purple teaming), within an organization. But truly understand that drive towards outcomes that fill those gaps. So, it's really about truly understanding where the gaps are, filling in those gaps, but operationalizing the technology. That's where the biggest value is going to come in. Because when you get breached, that's the time that people are going to recognize Ronnie Scott.

 

[29:31] Ronnie Scott, Charter, Chief Technology Officer

Yeah, the term “Assessment” is an interesting one, in and of itself, and we’ve had this conversation even inside our organization, very recently. Is, when we say the word “Assessment,” what do we mean? And to assess something is to look and understand, and review, and determine where you’re at. So, I think assessment is a valuable thing. I think that's a great thing. You should always be assessing yourself. 

Whether you need somebody who’s an expert to come in – and that’s where Charter can help. We can step in and help you do that assessment by giving you those insights. If you don't have people who are framework experts, we can bring that in for you, and if you need a particular area of your business reviewed and assessed, we can help you with those individual, direct cases. I think it's high value in that.

But what we really want to see is an organization who is thinking about those pillars of understanding and knowing, again, that you know what you've got, and you know how to protect it, you know how to detect things that are going wrong, and then respond. By building that nature into your organization, then you’re building a culture of “OK, it's not about the point product,” it's about “Is this fitting into my overall plan to protect my environment?” 

And at the same time, then, if we can help you assess where you’re at on that road, that's where the assessments come in. We don't want to come in and say, “OK, how is your firewall?” We can always help with it, but it's not a great plan to come in and say “How is your firewall configured? Do you have all the right firewall rules?” And then, “Do you have the right intrusion preventions rules turned on?” Those are not enough. 

I think you have to start with assessing “Where am I at as a business, and a culture in my organization?” And an increasing part of that is “Are my staff being told and trained on how not to click on bad things? Are my staff given the right mentality of how people are trying to manipulate and to get data?” And like you see, Jason, almost every attack that we see, at the moment, is more likely going to come from somebody doing something stupid, rather than some vulnerability in my system that the hackers have managed to squeak in under.

It can happen, I’m not dismissing that. But most of the attacks just come from people giving away the password, to using bad passwords, or just doing bad things. So, the assessment is not about “What products do I need?” It’s “What's my strategy?” and “Am I deploying that consistently?”

 

[31:45] Jason Maynard, Cisco, Field CTO- Cisco Security

It becomes a little bit more strategic versus what you were talking about. There are more tactical health checks, kind of good, sanitary things you should do anyway. But an assessment is more strategic. Understanding the adversary and how they operate in your environment is strategic, right. And that's where we need to start shifting organizations to - move ourselves from commodity-based controls.

 

[32:07] Ronnie Scott, Charter, Chief Technology Officer

Does that make sense, Mark?

 

[32:09] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator

Absolutely.

Well, I want to thank Jason and Ronnie for the insights that you’ve both provided to our audience today. Charter is in the business of providing a comprehensive portfolio of cyber security services including assessments, developing cyber plans across the whole enterprise environment, and the delivery of project implementation and managed services. 

We hope today's podcast has been valuable and we want to thank you for investing the time to listen to our program. 

The Charter team is already working on the next episode in our cyber security series. In it, we're going to talk more about best practices and how effective the security strategy needs to be - and ensure that it covers cyber security, physical security, and environmental security. Together, these pillars provide a holistic security approach that protects people, assets, and the devices of your organizations. Thank you.

 

Sources:

[1] University of North Georgia. (2023). Cybersecurity: A Global Priority and Career Opportunity. University of North Georgia. https://ung.edu/continuing-education/news-and-media/cybersecurity.php

[2] The Far Side Comic Strip by Gary Larson - Official Website. (n.d.). TheFarSide.com. https://www.thefarside.com/

[3] How to enhance the cybersecurity of operational technology environments | McKinsey. (n.d.). www.mckinsey.com. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/how-to-enhance-the-cybersecurity-of-operational-technology-environments

Presenters:

Jason Maynard, Cisco, Field CTO- Cisco Security

Jason has been architecting, designing, and deploying security technologies that secure the most complex computing environments for almost 2 decades. His understanding of operational and informational technologies, people, and processes enable him to deliver effective, comprehensive security solutions that align to an organization's security goals and strategic imperatives. Jason is adept at addressing a range of risk profiles across multiple industry verticals; skills he has cultivated as an end-user security practitioner, partner/integrator, and now manufacturer as the FIELD CTO, focused on Cybersecurity for Cisco Systems. Jason is also active in the direct community speaking at BC Aware, Privacy and Security Conference, and Cisco Live achieving distinguished speaker, and has delivered multiple sessions at BSides. Jason also holds over 75+ designations across a variety of products and technologies including the CCIE designation.

Ronnie Scott, Charter, Chief Technology Officer

Ronnie Scott has over 35 years of broad IT experience, including programming, and network architecture, as well as senior consultative roles for Financial Services, Internet Service Providers, ILEC Carrier Networks, and large enterprise customers across New Zealand, Australia, and Canada. Ronnie is currently the CTO at Charter Telecom Inc, a Value-Added Reseller specializing in IT service delivery. As CTO, Ronnie brings his extensive technological background with a strong Business and Service Delivery lens to Enterprise IT Infrastructure solutions. [ bit.ly/3E9QdBk ]

Mark George, Charter, Director - Energy, Resources & Industrial Markets

Mark George is a proven business leader with global experience across multiple industries. He currently serves as the Director – Energy, Resources and Industrial Markets for Charter. Prior to that, he worked for five years as Managing Partner and Founder of EdgeMark Capital and Advisory Services Inc., a capital markets and financial advisory services firm. Mark’s in-depth energy markets experience developed through leadership roles with Environmental Refueling Systems Inc. and with PricewaterhouseCoopers. From 2000 to 2010, he served as the Founder and President of the Cielo group of companies, a fully integrated residential and commercial construction and real estate development company in Arizona. Mark has an intense interest in emerging technologies, having spent 15 years with Nortel, Bay Networks, DEC, and Honeywell in progressive sales, management, and executive roles throughout the Americas and Asia Pacific. Mark proudly serves on the boards of several privately held companies and not-for-profit organizations.


 

About Us:

Charter [https://www.charter.ca/about], an award-winning IT solution and managed services provider, was founded in 1997 in Victoria, BC, Canada. We offer a comprehensive portfolio of innovative IT solutions, managed services, project delivery, and consulting services. Our mission is to align people, process, and technologies to build better organizations, enhance communication, boost operational performance, and modernize businesses. Our team of experts leverages a business architecture methodology and a human-centered design approach to drive successful digital transformations for our clients, unlocking new opportunities, generating value, and promoting growth. We provide knowledge and support that extends beyond our clients’ businesses, empowering them to focus on their core operations. Let Charter help drive your business outcomes Forward, Together.

Questions? Please contact Dawn van Galen at dvangalen@charter.ca or 250-412-2517
