Navigating Forward

Cybersecurity: Understanding cyber risk with Rami Zreikat and Trinh Ngo

June 26, 2023 Launch Consulting Season 4 Episode 3

On this episode of Navigating Forward: the Cybersecurity series, Mike Halstead and Vidhya Sriram from Launch Consulting chat with Rami Zreikat, Chief Security Architect of xTerraLink, and Trinh Ngo, Director of IT Regulatory & Controls Assurance at an insurance company. They discuss best practices for measuring cyber risks and why it's important for organizations to understand their vulnerabilities and the potential impacts of a cyber attack.

They also touch on why people are both an org's best defense and its weakest link — highlighting that ongoing education and awareness programs are a key component of risk management. Recognizing that there will always be residual risk and that what's acceptable now may not be acceptable in the future, they also emphasize that risk assessment is a journey and not just something that's one and done. 

To learn more about how to develop your organization's Future State of Cybersecurity, go to launchconsulting.com/cyber.

Follow Rami at https://www.linkedin.com/in/rami-j-z-1338a84/
Follow Trinh at https://www.linkedin.com/in/trinh-ngo-mba/
Follow Mike at https://www.linkedin.com/in/mike-halstead-77bb6018/
Follow Vidhya at https://www.linkedin.com/in/vidhyasriram/

00:00:01:02
Narrator
Cybersecurity is one of the most important and most complex aspects of modern business. Ransomware and other cyberattacks are skyrocketing. Millions of security jobs remain vacant, and in the age of AI, new opportunities and threats are growing quickly. In this special series from Navigating Forward, security and business experts from Launch Consulting explore the evolving landscape of cybersecurity across industries. Along with a slate of distinguished guests, we’ll discuss how organizations can build healthy habits and practices that promote cyber resilience for the long haul. Join us as we uncover what businesses need to do now to prepare for what's coming next. This is Navigating Forward, the Cybersecurity series.

00:00:49:24 - 00:01:15:22
Mike Halstead
Hello, and welcome to Navigating Forward, our series of cyber podcasts at Launch Consulting Group. I'm your host, Mike Halstead. We feature guests from industry and our own internal experts to help educate you on specific areas that better safeguard your organization. As we've previously spoken, 80% of cybersecurity is good hygiene. As part of good hygiene, you should understand your threats and risks. Cyber should align to your organizational goals and your business risk appetite.

00:01:15:24 - 00:01:34:22
Mike Halstead
Today, we'll do a deep dive into best practices for measuring and explaining cyber risk and why it is crucial for organizations to understand their potential vulnerabilities and the impact of a cyberattack. I'm pleased to be joined by our special guests, both who are actively involved in ISACA, which is also near and dear to my heart, because that's where I started with my first information security certificate.

00:01:34:24 - 00:02:07:27
Mike Halstead
ISACA is an international professional organization focused on IT and cybersecurity governance. First guest I'd like to introduce is Rami Zreikat. Rami has founded xTerraLink, which is an IT consulting and security firm, and he's also the Chief Security Architect. He has previous roles at Intel and EDS. Next guest I'd like to introduce is Trinh Ngo. And Trinh is an inspirational leader who serves as a director in regulatory and controls at a well-respected insurance company and is a board member at Sacramento Children's Home.

00:02:07:29 - 00:02:36:24
Mike Halstead
My partner from Launch is Vidhya Sriram and she is the director of Product at Launch. A little bit on myself is that I joined Launch last year. I came from a long career at an international bank. The last 11 years were in cybersecurity. Besides cyber, one of my passions is watching Chicago sports teams. However, I have lowered my expectations and now it's just hoping that at least one team will finish above .500.

00:02:37:01 - 00:02:44:05
Mike Halstead
But that being said, let's go to Vidhya. Quick introduction on yourself, a little bit on your background and a passion you may have.

00:02:44:08 - 00:03:11:00
Vidhya Sriram
Thank you, Mike. Hello, Rami and Trinh. Very excited to meet here and looking forward to hearing from you. My name is Vidhya and I lead the product team at Launch. We build and commercialize products for startups and established companies to innovate and differentiate themselves in the digital economy. I think it's going to be very instructive for me and for my team to hear from you, because when it comes to innovation, cybersecurity is not something we should compromise.

00:03:11:03 - 00:03:16:03
Vidhya Sriram
So, it's going to be great to hear from you and learn some lessons here. Thank you.

00:03:16:06 - 00:03:19:27
Mike Halstead
Thank you, Vidhya. Rami, could you give us a little background on yourself?

00:03:20:00 - 00:03:44:09
Rami Zreikat
Yes, my name is Rami Zreikat, and I wouldn't worry about my last name. Everybody thrashes it. I started a company called xTerraLink. I started it when I left Intel because at Intel I was doing quite a bit of cybersecurity and we were doing, the last project we were working on was a joint venture between Intel and G.E.

00:03:44:12 - 00:04:11:19
Rami Zreikat
So, I wanted to come out and take these best practices and see if I can deliver some of that to small and medium business. And my first consulting was for small business, and then I moved into doing consulting for the state of California. So, I have a lot of clients with the state of California, and we focus on NIST compliance, on cybersecurity, and privacy compliance.

00:04:11:20 - 00:04:26:12
Rami Zreikat
We do audits and we do assessment and reports, and we also are advisors to some of the state agencies. And we're excited to be in the field of cybersecurity because it's a growth field.

00:04:26:14 - 00:04:30:16
Mike Halstead
Excellent. All right, Trinh, can you give us a little update on your background and passion?

00:04:30:23 - 00:04:59:15
Trinh Ngo
Yes. Hi Mike. Thank you. So, my name is Trinh Ngo, and I have over 30 years of experience in IT. So, I started out as a developer and went into systems administration and then, you know, product and program management. In the last 30 years, I've been in multiple industries and working for, you know, bulk electric utilities and critical infrastructure and now healthcare.

00:04:59:18 - 00:05:24:14
Trinh Ngo
You know, it's been a really great journey. And transitioning from IT operations to cybersecurity and risk management has just been, you know, the culmination of all of that experience. Right now, what I do is a lot of assurance. So, trust, digital trust, and it's what we hear a lot right now is around digital trust. So, risk management, cybersecurity, all of that.

00:05:24:15 - 00:05:52:09
Trinh Ngo
So that's my area of expertise. What I'm passionate about is, you know, educating definitely the next generation of cybersecurity professionals. And you cannot be an IT professional these days without understanding, you know, risk and cybersecurity. And that's really important. The other passion I have, which you mentioned, Mike, is that I'm on the Sacramento Children's Board, so I have a very big passion for giving back.

00:05:52:15 - 00:06:05:17
Trinh Ngo
I mean, I've been so fortunate in my career and in my life. So, it's a big honor for me to be able to give back now as much as I can. Thank you. Thank you for having me here today.

00:06:05:20 - 00:06:19:11
Mike Halstead
Thanks, Trinh. Thank you. Thanks, Rami. Really glad to have you guys. Trinh, I'm going to start with you. What is cyber risk and how does it change depending on the size or industry of a company?

00:06:19:13 - 00:06:58:14
Trinh Ngo
Okay, so I'm going to start off with the very boring definition from the National Institute of Standards and Technology. So, the definition of cybersecurity risk is an effect of uncertainty on or within information and technology. Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information or control systems and reflect the potential adverse impact on organizational operations, i.e., mission, functions, image or reputation, and assets, individuals, other organizations, and the nation.

00:06:58:14 - 00:07:26:15
Trinh Ngo
Because it comes from NIST. So, as you can tell, you know, what does that all mean? That’s a lot of words. You know, cybersecurity risk is really this. It's really, you know, that moment when your executive or your business partner says, oh, my gosh, we're in trouble. Right? And it's coming from, you know, some information system like some IT assets. So that’s really cybersecurity risk. And then how does it change?

00:07:26:18 - 00:07:58:28
Trinh Ngo
So that's a great question. It definitely, you know, cybersecurity risk is not the same for every organization. It definitely does depend on what industry, the size. Great examples are, and I deal with this all the time, when I was in critical infrastructure, the organization I worked for was very small. But if they were impacted, they had ransomware, they had some kind of, you know, compromise, you know, the bulk electric utility industry.

00:07:59:00 - 00:08:18:25
Trinh Ngo
So, a lot of damage. A lot of impact, a lot of people, right. So, their risk is really high in cybersecurity. So, it does, it definitely depends on, you know, what industry you're in, the size of your organization, what is your data? Right. Is it, you know, highly sensitive, is it not?

00:08:18:28 - 00:08:28:06
Mike Halstead
Okay, great. Thanks for that, Trinh. Move over to Rami. Why is your understanding of cyber risk? Why is the understanding of cyber risk important for an organization?

00:08:28:08 - 00:08:54:17
Rami Zreikat
So, I'm going to start off with an example about why do we have brakes on a car? A lot of people would think that having brakes on a car is to slow it down. Right. But really having brakes on a car is for you to go fast because now you have the confidence. So, the same thing with understanding your risks: it gives you a compass, it sets the boundaries.

00:08:54:20 - 00:09:22:10
Rami Zreikat
It allows you to essentially become aware of what are the priorities that you have to go after. So, for example, if you are in a healthcare industry, you know that the risk of exfiltrating the protected health information is very high and you know that a lot of attack vectors come through email phishing where people are compromised.

00:09:22:12 - 00:09:56:09
Rami Zreikat
So, once you understand what those risks are, you can then focus on how you mitigate those risks. So, essentially what you do is you look at every risk and you say, does this risk impact me? And what controls do I have in place? Otherwise, what ends up happening is you end up either over-protecting yourself or perhaps under-protecting yourself, kind of like walking blindly into a highway and not knowing where the exit is.

00:09:56:12 - 00:10:14:06
Rami Zreikat
That's why understanding the risks is important. It allows you to have those guidelines for you, and it allows you to spend and focus your energy on the appropriate controls to mitigate and to protect your own assets.

00:10:14:08 - 00:10:35:07
Vidhya Sriram
That's such a thoughtful metaphor Rami, what you said about brakes and walking blindly to the highway. We talk about customer development and spending time to understand customers’ needs and goals the same way. You have to do this to go fast. Otherwise, you could be going in the wrong direction. So, I really love the analogy you said there. What kind of risks are underestimated by companies, usually?

00:10:35:07 - 00:11:18:20
Rami Zreikat
I deal with, when I started a few years back and you know, Trinh was saying that she was 30 years as a developer. I was a mainframe developer. So, when I started my first consulting, I was doing small and medium business. Small business, you know, like small practices, and you'd be surprised at some of the issues that are, you know, like poor password hygiene. People write the password on the desk, or they put it on their laptop right in front of you, or maybe even share an email account.

00:11:18:23 - 00:11:46:25
Rami Zreikat
Perhaps it's a generic email account. So, for example, when we were establishing the HIPAA software that my company developed, we needed individual emails for people so we can send them notification and logins and training, and they were using a generic email account. So, using a generic email account loses the accountability, right? Another thing that you will see is the mobile devices.

00:11:46:25 - 00:12:06:24
Rami Zreikat
You know, we walked into one practice, and they did not have anti-malware sitting on their server. And so, I asked him, I said, how come you don’t have anti-malware? And they said, well, we're not connected to the Internet. I said, but I just have a USB. I can place it into your server, and you have a lot of trust in me.

00:12:06:27 - 00:12:36:02
Rami Zreikat
Having the basic security controls is important. So, we've seen a lot of those. Everything that we see is about employee training, right? Awareness. Because the weakest point comes from your human being getting phished, getting an email, getting a text. I can't tell, I myself get texts: you got a delivery, click here to follow and track the delivery, and all of a sudden your mobile is hijacked.

00:12:36:04 - 00:13:00:17
Rami Zreikat
And that, believe it or not, could translate into your email. So, we call it security hygiene. Just basic security hygiene that you have to keep in mind. A lot of companies have trust in a third-party IT. Like for small businesses, they'll hire somebody that comes in and manages their IT infrastructure. You know, you're a small business owner.

00:13:00:19 - 00:13:19:19
Rami Zreikat
You don't know how it's set up. We were called one time because one of the servers was running slow. We found out that they had a supply chain sitting on their server. It was basically pivoting from their server, and somebody was using it remotely.

00:13:19:22 - 00:13:47:25
Trinh Ngo
I feel that a lot of executives, they believe their company is secure because they have security teams, because they, you know, have spent a lot of money on security tools. Right. So, they have this false sense of comfort. And so, I think where they underestimate is, I'm really bad with my metaphors, but I think there’s a thing that said, like until the rubber meets the road.

00:13:47:28 - 00:13:49:27
Vidhya Sriram
That’s right.

00:13:50:00 - 00:14:23:29
Trinh Ngo
Until the rubber meets the road. So, until they're actually in an event, they don't know if the money they spent and the tools they bought were configured right. They were, you know, if the people they have in place actually, you know, are able to handle an event appropriately. I think that's one of the things that, you know, executives underestimate because they, you know, they need to make sure that they're spending time actually getting quality right, pen test exercises.

00:14:24:06 - 00:14:53:27
Trinh Ngo
Right. Like tabletop or, you know, or actually running through because muscle memory is really important. That's why we need training. Right? That's why we talked about people and during training, cybersecurity training awareness. Right. And if you train at one time, most of the time people don't remember, but if you continuously train them, you continuously remind them, you have them learning to do things that just become muscle memory for them, then they'll do it automatically.

00:14:54:00 - 00:15:17:08
Trinh Ngo
So that's where I think a lot of executives, they focus on the before the boom. So, they spend a lot of time and a lot of money before the boom. But you got to spend some time for things after the boom. So, you've got to create the boom. You have to create the boom and actually get your people and your folks and your tools tested.

00:15:17:10 - 00:15:20:03
Vidhya Sriram
Yeah, such a good point. Thank you, Trinh.

00:15:20:06 - 00:15:45:07
Mike Halstead
Yeah, it's, as they say, you know, pay now or pay a lot later, right. When you get into a security incident, as I'm sure all of us have been involved with, it is chaos. You have regulators, you have customers, you have third parties. You know, everyone is impacted as a result of that. And bringing in an incident response team, those are very expensive.

00:15:45:12 - 00:15:58:21
Mike Halstead
And, you know, the recovery of an incident is very expensive. So, it's better to focus on the hygiene up front, I think is what we're saying, as opposed to waiting for that to happen and then having to go back and clean it up.

00:15:58:24 - 00:16:07:19
Vidhya Sriram
Mike, what you said makes me wonder. Trinh and Rami, I want to hear from both of you. How can companies put a dollar value on cyber risk mitigation?

00:16:07:21 - 00:16:36:27
Rami Zreikat
You know, I am involved in one right now, and I was asked to see if I can truly do a quantitative analysis. When you do evaluation, there is some, there are some items you can't quantify, right? Like reputational damage. You can easily say the average cost of a healthcare record is $176. Right? Multiply it by the number of records you have and there is a cost.

00:16:36:29 - 00:17:05:03
Rami Zreikat
But then we know that there are some businesses that don't even recover after a breach. So. Okay. So back to your question. How do you quantify it? So, you look at recovery costs, you look at replacement costs, you look at staffing costs, you look at it, what is it? What kind of pain are you going to go through for you when you are down, when you are impacted by a breach.

00:17:05:03 - 00:17:41:14
Rami Zreikat
What is the overall operational cost? What is the overall? Every one of those has to be quantified. Either what they call a single-loss expectancy. You know, average time to recovery, maximum interruption window, all of these are factorials that will essentially lead to quantifying that risk. But that has to come in from a collective senior management involvement because you get, you as a risk assessor cannot do it alone.

00:17:41:16 - 00:18:05:02
Rami Zreikat
You know, if you go and talk to an individual, a data owner, let's say an individual who owns an application that services a department that was called, that's the data owner. Of course, their system is the most critical for the organization, but it has to be meticulously planned. So, you have to do what they call a business impact assessment.

00:18:05:05 - 00:18:41:08
Rami Zreikat
And then that business impact assessment ends up feeding into your risk assessment. And there are costs associated with that. So, the factors that I mentioned are your costs of staffing, your cost of replacement, your cost of perhaps covering some credit reporting, recovery. All of that comes into play. Attorney cost too. So, it becomes that for you to assess the risk, and that actually feeds into prioritizing what risks you want to mitigate, because those are the ones that you want to go after.

00:18:41:10 - 00:18:42:28
Vidhya Sriram
Yeah, thank you.

00:18:43:00 - 00:19:16:00
Trinh Ngo
Who actually does a really great job of quantifying risk right now? It's insurance companies, right. When you buy life insurance, they are quantifying your life, right? Your value, right. And then coming up with a face amount, and then you pay for that insurance policy. So, they're really, really good actuaries. Right? So, you know, you have to think of it in terms of that because you really are trying to quantify your risk that you know, okay, how much if I were to buy insurance, how much would it cost me?

00:19:16:02 - 00:19:37:21
Trinh Ngo
How much face amount? Do I need the million-dollar policy? Do I need a $10 million policy? Right. You know, if you need it, let's just say you need a $1,000,000 policy. These are the reasons why, because you have to calculate that to get that face amount. So that tells you, okay, I can spend up to $1,000,000 because it's going to, I've got to replace $1,000,000, right.

00:19:37:22 - 00:19:58:04
Trinh Ngo
That's why you need to get insurance for $1,000,000. That's how that works. So, just from a, you know, understanding of how to quantify with that, what you need to understand first is that you're looking for that face amount how much you know, how much is it going to cost me to replace everything. What if I had to buy insurance?

00:19:58:04 - 00:20:23:15
Trinh Ngo
What would the face amount be? And that's how much you can spend now? Well, preferably less. And then you break it down like Rami said. Right. That's what, that's how you get to, okay, this is a million dollars' worth of risk or $10 million worth of risk, and this is how much I should be willing to pay to, you know, to protect my company.

00:20:23:17 - 00:21:05:19
Rami Zreikat
The cost of replacing data becomes the number one factor in my mind. A lot of people overlook that, right? Oh, yeah. We have backups. We were involved in a client where we went overseas to try to analyze and recover their data and we couldn’t, and they were using a very reputable backup and recovery company. What they didn't know is that backup and recovery company was transferring these tapes in a metal box and taking the subway and placing these tapes on the floor of the subway train.

00:21:05:21 - 00:21:20:06
Rami Zreikat
So, we went back six months. No data. Did anybody ever do a risk assessment on that one? That's an example that was very costly for the client.

00:21:20:08 - 00:21:20:29
Vidhya Sriram
Yeah.

00:21:21:01 - 00:21:29:14
Trinh Ngo
They should have been doing, you know, recovery testing. They should have been trying to restore their backup.

00:21:29:16 - 00:21:47:19
Rami Zreikat
Yes. That was, you know, almost 20 years ago. I keep using that as an example because, again, most people don't realize that, you know, you place your trust in a third party with good reputation, but you fail to focus on that minor step that you overlook.

00:21:47:21 - 00:22:10:05
Trinh Ngo
I can give you a more recent one. Let's say you, you had ransomware and you had really good, you know, backup and you tested your backup so you know, you can recover your data. Okay, so you decide not to pay. And then the ransomware person said, hey, I'm going to put all your data out on the dark web now for everybody to see.

00:22:10:07 - 00:22:28:03
Trinh Ngo
What do you do? That's a risk. That's a risk. And you've got to be able to understand that, right? Understand that like, you know, and calculate that in. What if you pay the ransomware and they put the data out anyway? What if you don't pay the ransomware and they put the data out because you can recover your data?

00:22:28:03 - 00:22:34:04
Trinh Ngo
I mean, those things a lot of people don't think about, right? They, and that's part of risk.

00:22:34:07 - 00:22:35:10
Rami Zreikat
Very true.

00:22:35:13 - 00:22:42:25
Mike Halstead
Yeah. Government’s also looking at this where, almost requiring, you know, an approval before you can pay the ransomware.

00:22:42:27 - 00:22:49:10
Trinh Ngo
Well, here’s a question for you. Can the FBI tell you, as a private company, to pay or not pay ransomware?

00:22:49:13 - 00:22:51:02
Mike Halstead
Well, they can only recommend right now.

00:22:51:07 - 00:22:56:22
Rami Zreikat
Yeah. And they do recommend not to pay by the way, because I worked with the FBI.

00:22:56:25 - 00:23:19:00
Trinh Ngo
So, you're right. They cannot. Right. They legally cannot tell you as a private company what to do. And should they, you know? That's a question, because that's a risk now for your organization. Right? What if they kidnapped your CEO and that was the ransomware, like they were asking, they have his laptop, they have his mobile phone, they said, hey, you know, do you want him back?

00:23:19:02 - 00:23:25:13
Trinh Ngo
If you want him back, you have to pay our ransomware, our ransom. Can the FBI tell you?

00:23:25:13 - 00:23:52:05
Mike Halstead
You’ve got your succession planning, so you can do that. But you're right, it's a case by case. It's difficult decisions that all organizations need to almost tabletop and talk about before it happens. So just kind of moving on. You spoke a little bit about the steps to assess risk, business impact assessment, then a risk assessment and then looking at the ones with the highest impact to mitigate.

00:23:52:07 - 00:23:58:14
Mike Halstead
Rami, first, are there tools that are out there that can help accelerate these assessments?

00:23:58:16 - 00:24:23:26
Rami Zreikat
Look, there are plenty of tools and there are free ones. There are some things that you pay for. But you have to keep in mind that the tool does not replace the human interaction, right? You can have a tool that collects risks and helps you feed it, but it has to be done in conjunction with a group and you have to have that painful exercise taking place.

00:24:23:29 - 00:24:47:28
Rami Zreikat
So yeah, there are tools, and the National Institute of Standards and Technology puts out tools. HIPAA has a free tool that you can download; Health and Human Services or healthIT.gov puts out a free tool. Plenty. But what needs to happen is you need to do what Trinh was saying and what you explained: you have to have that tabletop exercise.

00:24:48:00 - 00:25:15:09
Rami Zreikat
You have to understand your environment, what is it that you are complying with. So, first number one, every industry you're in is pretty much highly regulated, right? You have to align with the regulation. Then once you understand that is your number one risk, is to make sure that you comply with the regulation, then once you understand your regulation, you have to also understand what are the risks associated that this industry is facing.

00:25:15:14 - 00:25:43:11
Rami Zreikat
So, health care, there’s theft of protected health records, right. Credit card industry, stolen accounts or credit card, and now you have to follow whatever security requirements that have you implement to mitigate those risks. And then Trinh talked about the size of the organization. It talks about your risk appetite. You have to understand how much can you tolerate from a risk perspective.

00:25:43:13 - 00:26:09:02
Rami Zreikat
So, all of these come into what we call assessing your risk. So, yes, you have a tool that says what if? And then you say, what's the likelihood that this is going to happen to me? And if it does happen, what's the impact? Right? What is the cost to me? What's the pain? And the combination of both gives you what we call a pain score.

00:26:09:04 - 00:26:36:12
Rami Zreikat
And that pain score is what gives you the ability to then prioritize. Now you can't have everything painful, or you might have everything painful, but you then have to go through and find out how you can mitigate, and you can never mitigate that pain completely so it's gone. You mitigate it and you will always be left with something that will remain, we call it residual, right?

00:26:36:14 - 00:26:58:02
Rami Zreikat
And that's the risk that you can live with. And you have enough controls that if it were to happen that you would go back and mitigate it. And then you go through what we call a continuous monitoring process where you monitor your risk, because that residual risk today, it's small, it's going to bubble up and become higher risk in the future.

00:26:58:04 - 00:27:22:23
Rami Zreikat
Right. Some elements come into play and affect that risk. So, it's no longer residual risk. New regulations come in. So, you always have to continue to monitor. So again, tools, don't go by tools and say, I have the tools and I'm good, as Trinh said. Tools only give you what they call a sense of security. You have to take that painful step.

00:27:22:25 - 00:27:26:16
Trinh Ngo
So, Mike, do you get on rollercoasters?

00:27:26:18 - 00:27:30:16
Mike Halstead
Yes. And I'm very scared of them.

00:27:30:18 - 00:27:31:04
Trinh Ngo
Oh.

00:27:31:06 - 00:27:37:24
Mike Halstead
I’m scared of heights. It's the going up, right, that I don't like. After that, I'm okay.

00:27:37:27 - 00:27:40:28
Trinh Ngo
You get on them. So, Vidhya, do you ride rollercoasters?

00:27:41:00 - 00:27:42:09
Vidhya Sriram
Yeah, I do.

00:27:42:11 - 00:27:45:02
Trinh Ngo
Yeah. What about you, Rami? Do you ride rollercoasters?

00:27:45:08 - 00:27:51:15
Rami Zreikat
I’m like Mike, I am very afraid of heights, and I don't like to scream. That's embarrassing to me.

00:27:51:17 - 00:28:09:13
Trinh Ngo
And the reason I ask is this. Risk is relative when you talk about people, right? What's risky for Mike and what’s risky for you, Vidhya and for you, Rami, may be different for me. Right. And it's different for all of us. So, you have to understand that. So, what you want to do is you want to make sure, like Rami said, it doesn't matter about the tool.

00:28:09:13 - 00:28:35:00
Trinh Ngo
You can pick any tool you want, right? As long as you're consistent when you're doing your risk assessments. But what's really important is that you have somebody who understands risk, who is facilitating that conversation and utilizing that tool correctly. You want to make sure that, number one, you have somebody who understands risk. And two, that they are educating the group that's going to be performing the risk assessment.

00:28:35:00 - 00:28:53:23
Trinh Ngo
So that way everybody’s speaking the same language, everybody understands, you know, for your organization what's low risk, what’s medium risk, what’s high risk. So, making sure that there's standardization. But yeah, like Rami says, it doesn't matter really what tool. There's plenty of them out there. Just pick one, pick one and, you know, be consistent.

00:28:53:25 - 00:29:21:22
Rami Zreikat
And I reiterate what Trinh said. A lot of businesses, right, as consultants, when we go in and meet with clients, we tell clients, hey, listen, you know your banking business very well. We know cybersecurity very well. You tell us your business; we will help you with the cybersecurity component. So, you don't want to see somebody who has no idea what risks are do the risk assessment.

00:29:21:22 - 00:29:41:25
Rami Zreikat
First of all, they'll lose interest. Another thing, they'll come up with risks that may not be relevant. And so, what I typically do is I start with what I call a risk primer. So, I educate them, I do a presentation to them, and I say, here is what a risk management framework is all about. You have to identify the risk.

00:29:41:27 - 00:30:02:04
Rami Zreikat
You have to score the risk, you have to mitigate the risk. Not in that order, but you know, what I'm saying is I create the primer and then I give them examples of risks to set the stage. And then the next time, if we have another, when we have the next session is when we do the risk assessment. The first one is only education.

00:30:05:14 - 00:30:11:21
Vidhya Sriram
Yeah, yeah, that's such a thoughtful point. You level set first, understand what tradeoffs they are okay with.

00:30:11:24 - 00:30:12:17
Rami Zreikat
Yes.

00:30:12:20 - 00:30:16:11
Vidhya Sriram
In their business and then go forward. Yeah. Thank you.

00:30:16:13 - 00:30:31:26
Mike Halstead
So, a good dovetail into the next question, and that's, we're going to move up a level on that. Now you've got to go in front of your board. How do you explain cyber risk to the board? How do you persuade them that action needs to occur?

00:30:31:29 - 00:31:02:26
Rami Zreikat
I typically say you have to know your audience. You know, there's some audience that likes pie charts. There are some others that like detailed reports and so forth. But management at the end of the day is concerned with what does that mean to me? So, for example, I had a CISO, a client, that would go up to the CIO and say, oh, we patched 30 servers, or that's like 85% of the servers that are in our organization are patched.

00:31:02:29 - 00:31:32:08
Rami Zreikat
Well, what about the next 15%? How are those? Are those the critical ones? Okay, so what you did, so at the end of the day, management is asking, so what, and what does it mean to me, cost dollar wise when you do that? Is it going to protect me? Are you protecting me by saying that? So essentially you want to elevate the conversation to the level we want to understand, how do they, what's their risk tolerance, tone from the top?

00:31:32:11 - 00:31:52:13
Rami Zreikat
And then number two, how are they receiving the risk? How do they like to receive that information? And then you tell that information. But it can't be tactical nor technical. It can be very technical. 85% of the servers are patched. Good for you. I'm glad I'm paying you.

00:31:52:15 - 00:32:14:12
Trinh Ngo
I agree, Rami. Whenever you want to talk to a board, you always want to talk in terms of line of business because that's their language. They don't care about like how many servers, you know, they have. I'm being honest. They don't care. They don't care if we have 100 servers, or we have a thousand servers. What they care about is their line of business is generating revenue and is profitable, right?

00:32:14:19 - 00:32:34:09
Trinh Ngo
And nothing that's going to disrupt that. So, when you talk to them, you have to talk to them in terms of that, which is, you know, this line of business is doing really well. But I'm concerned, you know, this risk that we have is going to cause impact to our revenue here, like that. So that's the kind of words you have to use.

00:32:34:17 - 00:32:55:13
Trinh Ngo
And you have to say to them, hey, but I can tell you this, if you give me $100,000, I will protect this, you know, this line of business for you as best I can. And if there is something that happens, we will take care of it. Because of that, we'll try to minimize that impact. So, our revenue, you know, that revenue stream isn't impacted for long.

00:32:55:15 - 00:33:17:17
Trinh Ngo
I don't ever promise they won't be impacted, just that it won't be impacted for long, we're going to do our best, you know, and then explain it in those kinds of terms, because that's what they understand. Unless it's a small company and it's a tech company, like a software company, then your CEO is probably really technical and he might even geek out, you know, listening to some technology stuff.

00:33:17:20 - 00:33:30:05
Trinh Ngo
But most boards, most executives, especially on the business side, to them, that's your job. You know, they don't want to hear about it. They want to know what you're doing to support their business, their operations.

00:33:30:07 - 00:33:51:07
Mike Halstead
That's great. Sounds like taking the CIA concepts and putting them in more business terms, because they do care about it, but they care about the impacts, right? They care about, like you said, if a system or service is not available, that's going to affect the revenue stream, or if you have a breach that gets out in the newspaper, that's going to impact the reputation.

00:33:51:07 - 00:33:56:20
Mike Halstead
So, using those examples, that certainly makes sense. So, thanks for that, Trinh.

00:33:56:22 - 00:34:33:12
Rami Zreikat
One last point I wanted to add. That's where that risk assessment at the beginning comes in handy because now you can tie the risks to an actual business value. And essentially when you're doing the risk assessment at the beginning, you do start by understanding the mission of the company, the mission or the organization, the objective of the organization. When you understand that, you can tie now that risk to that mission and that objective and then it becomes very relevant.

00:34:33:14 - 00:34:47:20
Mike Halstead
Yep, for sure. Are there, from your perspective or experiences, any risk mitigations, cyber risk mitigations, that are table stakes for all companies? What, you know, what should be top priority?

00:34:47:23 - 00:35:24:05
Rami Zreikat
Well, we talked about the human being, and I would say in my professional experience, education, you cannot under-educate. You can over-educate, like overcommunicate. I publicize to all my clients having security reminders, making sure all the stories that are happening in the industry, you're sharing them. Some of our small clients, they have what they call a huddle meeting every morning to talk about security practices, good security hygiene.

00:35:24:07 - 00:35:48:25
Rami Zreikat
So, making sure that you're strengthening that weakest link is what gives you that strength to mitigate, because the rest is all about technical controls and how much money you want to spend to secure that. But essentially my focus would be on the training and awareness.

00:35:48:28 - 00:36:25:11
Trinh Ngo
Agreed, Rami, because your people are your best defense and your weakest link. So, the more you can train them, the more they're educated. So that's definitely table stakes. I think you are at New York strip. Okay. And your prime rib would be your onboarding and offboarding process. Making sure that when you're onboarding, they only get access to what they need, and when people are offboarding, that their access is disabled right away, you know, you get back all of your assets.

00:36:25:13 - 00:36:39:29
Trinh Ngo
Those are your table stakes. Like that's your prime rib right there, saying when people get on, they get least privilege, only get access to what they need, and when they leave your company, you know, nothing goes with them, right.

00:36:40:01 - 00:37:13:05
Rami Zreikat
Most companies also, I mean, they're aware of security, right. I mean, it's almost like when you come home, even when you're using the internet at home, you've already got a locked-up Internet. You know, you have your password at home. So, a lot of them are savvy. So, what you want to do is tie it back to the risk, make sure the controls are appropriate for your level of business, and understand that no matter what you do, you're going to be compromised.

00:37:13:06 - 00:37:29:20
Rami Zreikat
It's like John Chambers, what he said. You know, there are two different companies, right? Some that have been hacked and know it, and some that are hacked and don't know. So, you're either hacked or you're hacked. One of those two.

00:37:29:22 - 00:37:32:12
Vidhya Sriram
You're scaring us and the audience, Rami.

00:37:32:15 - 00:38:05:19
Rami Zreikat
And that's what we tell folks, is education, doing due diligence. You definitely don't want to keep your doors open for attackers to come in and you don't want to be ignorant. And that's the purpose of this podcast, is for education, understanding your risks, understanding your landscape of potential risks and potential threats and potential weaknesses, and making sure that you're focusing on those high priority ones that are going to get that individual.

00:38:05:21 - 00:38:28:08
Rami Zreikat
And again, back to what Trinh said, it depends on the size of the business. People may not be interested in the small doctor's practice, but they might be interested in using that to pivot to others, right. Using robots on their servers to pivot to others, you know, what we call denial of service. And so we've seen that happen.

00:38:28:11 - 00:38:41:16
Rami Zreikat
And in my example where somebody had the supply chain website on somebody's server. It was medical information. They didn't care about that, but they cared about the CPU.

00:38:41:18 - 00:39:03:25
Vidhya Sriram
Yeah, no, seriously. But what you're describing is a good reality check for people to introspect and think about what's important for them. That makes me wonder. You talked about table stakes and previously you both gave examples and I remember the rollercoaster example Trinh, from what you said that risk is relative. So how do companies identify what is most critical for me?

00:39:04:01 - 00:39:10:04
Vidhya Sriram
What is important, what is critical for my business? What are the first principles in your viewpoint?

00:39:10:06 - 00:39:30:04
Rami Zreikat
So that's back to understanding your objective, right? Your company’s objective and what kind of data you have. I had a friend of mine that worked at IBM and that was a long time ago when I was first starting in, you know, risk assessment. And I said, how do you create controls? And he said Rami, it's all about the data.

00:39:30:07 - 00:40:10:17
Rami Zreikat
What kind of data do you have? And how do you protect it? So, once you understand the data and how important that data is to your business, then that's what drives the controls or the risks that you want to mitigate. So, if you have data that is sitting way deep in the organization that has no one's interest, they'll possibly get to it eventually if they're interested, if they're persistent, as we say. But you have data that is sitting facing the world, and that's the data that you need to understand.

00:40:10:20 - 00:40:19:27
Rami Zreikat
So, you base your risk on the criticality of the data that you're servicing or you're ingesting or you're communicating.

00:40:19:29 - 00:40:41:20
Trinh Ngo
I would say, what are your crown jewels? Right? That's really what the question is. What are your crown jewels? So, once you identify what your crown jewels are, you put your controls, you put it inside of a castle, like maybe up really high, right, and, you know, a gazillion stairs, or you put some knights in front of it, right?

00:40:41:22 - 00:41:01:11
Trinh Ngo
Guard the stairs, you put a moat. So, it's hard to cross. With a bridge, right, and be guarding the bridge. Get together and say, hey, what are our crown jewels from a data perspective, right. And how are we, you know, how are we protecting them? What's the castle? What's the guards? What's the moat?

00:41:02:07 - 00:41:34:18
Rami Zreikat
And we've seen a lot of people focus on protecting outbound, or what you say, inbound traffic. But what they forget is a lot of the information that is being stolen, or you get compromised, is from the insider threat, not the outside. Now, a lot of people will say, Rami, what's an insider threat? Well, if I compromised your credential, I become an insider threat because I've just used, you know, Mike's credential to get to the data.

00:41:34:20 - 00:42:03:29
Rami Zreikat
Right. That's one way of looking at an insider threat. Another insider threat is a disgruntled employee, right. They take the data. So, it goes back to understanding where your data is. How are you protecting it? You're not looking at outside. Have you thought about that inside weakness? Have you put the controls in place, as Trinh said, role-based, or what we call least privilege, right, on a need-to-know basis?

00:42:04:01 - 00:42:37:27
Rami Zreikat
So, you have to understand your overall environment. You have to understand. We have some clients say, well, I have, you know, I'm going to create this role. It's called the guest role. It's going to allow people to see everything, but they can't do everything. They can see it. And I said, why? And they would say, well, because we trust our employees. Well, so did the county of San Francisco, when they trusted the system admin with the password and they never trusted anybody else, and he put robots in for the city of San Francisco, and he was in jail.

00:42:38:01 - 00:42:55:02
Rami Zreikat
Terry Childs, I don't know if you've heard of him. He basically land-mined the entire network, and they went to him and said, give us the password. He said no, you have a policy that says I'm not to give you the password. So now I tell my clients, you put that password policy with an exception, unless required by law.

00:42:55:04 - 00:43:10:01
Mike Halstead
Yeah, well, hey, look, this has been a great podcast. I've learned a lot on cyber risks. I thank you tremendously, Rami, Trinh and Vidhya. Any final thoughts before we close today?

00:43:10:03 - 00:43:35:22
Rami Zreikat
Do not underestimate the exercise. Do not underestimate the need to do a risk assessment or at least understand your threat landscape, right, as an organization. It's very important for you to at least know that any time a server is connected to the internet, within 3 seconds that server is being scanned. So don't think you're not going to be protected.

00:43:35:25 - 00:44:01:21
Rami Zreikat
So, understand there are people that are interested in your data. If it's not a nation state, it's somebody who's just interested in practicing. So, take that seriously. That's my thought. And bring in experts to help you with the risk assessment. Don't just focus on doing it internally. You might have a department internally, if you're a sizable organization, that does the risk assessment, but do.

00:44:01:23 - 00:44:25:07
Trinh Ngo
My final thoughts are just this. If you're listening to this podcast, you're already on your way. So, you know, being aware, understanding, you know, and then just trying to identify your risks and then manage them and then communicate them. Sounds really easy. It actually isn't that hard once you start doing it. It's just getting there and just doing it and learning as you go along.

00:44:25:07 - 00:44:50:16
Trinh Ngo
A lot of companies learn as they mature, and so that would be my final thought. Just, you know, don't worry about it. Figure out, you know, where you are. If you want to get some, you know, assistance, if you want to learn some more, there's so many resources and there's so many companies out there. It's just taking those first steps and actually doing the work, I would say that's my final thought.

00:44:50:18 - 00:45:00:15
Trinh Ngo
So, wherever you are on your risk journey, I wish you good luck. And I'm sure you know, as time goes by, you're just going to get better and better. And thank you so much for inviting me.

00:45:00:21 - 00:45:19:15
Rami Zreikat
Yeah. Another thought that comes to my mind that I wanted to share is that risk, as Trinh just said, and that's what triggered that thought, is a journey, right? It is not something that you do once and then you place on the shelf, then you forget about it. You have to continuously assess your risk.

00:45:19:18 - 00:45:43:04
Rami Zreikat
And then the next step is that you have to do a risk assessment. And it's not about if you discover a risk and you don't have a control. It's not personal. It's okay to have a risk that you identified that one department didn't have the controls in place. We're not exposing anybody. We're just identifying and finding a solution.

00:45:43:06 - 00:45:51:03
Mike Halstead
Awesome. Well, thank you all for your time and expertise today and a great podcast, and we're going to end now.

00:45:51:05 - 00:45:52:22
Rami Zreikat
Thank you.

00:45:52:24 - 00:45:56:01
Vidhya Sriram
Thank you, Rami and Trinh. It was wonderful listening to you.

00:45:56:04 - 00:45:57:08
Rami Zreikat
We appreciate it.

00:45:57:11 - 00:46:18:02
Mike Halstead
Thanks, everyone, for joining us for today's episode of Navigating Forward, the Cybersecurity Series. Come back next week to get pointers for next steps on your cyber roadmap. And just a reminder that cybersecurity is 80% good habits and hygiene. But to start improving your health, you need a baseline. To learn more about how to develop your organization's future state of cybersecurity, go to launchconsulting.com/cyber.