Guest: DEWAYNE HART discusses what a cybersecurity mindset is, how cybersecurity visibility helps, and cybersecurity behavior patterns. He shares key insights from his book "The Cybersecurity Mindset" and we discuss best practices.
Key topics include: what to know about cybersecurity behavior patterns (with examples), cybersecurity visibility, what a cybersecurity mindset is and what it means to have one, the cybersecurity mindset for leaders, and how to create and develop a cybersecurity mindset.
We reviewed his book, which you can grab a copy of here: https://dewaynehart.com/cybersecurity-mindset/ Find out more about his company here: http://semais.net/
VIDEO Episode Link: https://youtu.be/RgSbdzy4DGw
What is a Cybersecurity Mindset? New Ways To Think About It. With Guest Dewayne Hart. Cyber Crime Junkies Podcast, David Mauro and Mark Mosher.
[00:00:00] There's a link called Book Cyber Talk. Yeah. And it lists some of those topics up there, but we'll talk about all that. So I don't wanna spill the beans now. Yeah, that's good. I'm sitting there listening. I'm like, this is great stuff already. Yeah, I love that. So you've got some speaking events coming up, that's fantastic.
[00:00:19] Yeah. Yesterday I posted my first sizzle on my YouTube channel, because a lot of agencies want to see you speak. So what I did was a five-minute speaking password, but I kind of made it funny. Right. Okay. And it goes around one of my speaking topics, and I shared it with you, and I'm pretty sure you want to have a discussion about it.
[00:00:42] It's called, well, you heard it once, now hear it again: Stop Feeding the Hackers' Appetite. Okay, that one. You know, I'm getting a lot of people that tell me that's catchy. Yeah. You like that. It's okay. So on that website, there are like five main speaking topics. You know, I'm talking about cyber defense, workforce development, having a continuous visibility program in place.
[00:01:10] And you know, one of the strongest elements that I've always focused on, and my company is focused on, is organizations and showing them how to build a vulnerability management program. Yeah, absolutely. We talk about that with organizations all the time. It's so critical, right?
[00:01:31] Yeah, it really is. All right, so we're just about to go live. This will be a natural conversation, man. Dewayne, this is awesome. Yeah, this is cool. All right, I'm gonna put us all backstage. I'll get ready to go.
[00:01:49] You don't have to do anything. I just put you backstage. Don't worry.
[00:02:27] Lucky to work for a great group of people you really believe in. Find yourself making an impact. Technology is a river that flows through every aspect of an organization, and today is different. We put ourselves and our organizations literally at risk of complete destruction every single time we get online.
[00:02:46] One click, one distraction is all it takes. Hi, Cyber Crime Junkies, this is your host, David, along with co-host Mark Mosher. Come join us as we explore our research into these blockbuster true cybercrime stories, along with interviews of leaders who build to protect great brands,
[00:03:09] and now the show.
[00:03:21] All right, well, welcome everybody to Cyber Crime Junkies, the podcast livestream. I am your host, David Mauro, and in the studio today is my always positive, always insightful co-host Mark Mosher. Mark, how are you, man? I'm doing wonderful, David. Thank you for that lovely introduction. Yeah, that's good.
[00:03:43] It's from my Insincere Things to Say to Friends app that we work effectively. Yeah, it's a sister app of the Insincere Things to Say to Coworkers, so. Oh, good. It's quite good. Yeah. I'm very excited about today. We are joined in the studio by Dewayne Hart.
[00:04:04] Mr. Hart, welcome, sir. So thank you. So excited to have you here. For those that are first meeting Dewayne, he's an executive director for the Diversity Cyber Council. He's an author of the bestselling book The Cybersecurity Mindset, which we're gonna get into today. He's also the CEO of SEMAIS. And we're gonna get into all of that.
[00:04:27] So welcome, Dewayne. Thank you. Thank you for having me here. It's always great to be at a place, you know, talking about cybersecurity. You know, as a kid, I grew up talking a lot. Okay, well, I was just about to ask about all that. That's awesome. So tell us about it. Great segue. Thanks, Dewayne.
[00:04:47] So tell us about it, man. Tell us.
[00:04:49] Well, see, like as a kid, I was the one that told on everyone. All right. And I just like to talk. So you told on everyone. What do you mean? You were like the one that would rat everybody out? Oh yeah, yeah. I couldn't be quiet. So what I like to say is that in this world of cybersecurity, being able to speak to people and being able to write and to have discussions,
[00:05:18] having that background and being a tattletale kind of transitions over really well. A parallel skill set there. Yeah, right. So I always like to call it cyber talk, because I just like to talk about cybersecurity, mostly any topic, because I've always stated that in order for cybersecurity to survive, people and corporations have to look at it from 360 degrees.
[00:05:47] Okay? Yeah. You know, it's kind of like that ring, right? Mm-hmm. And, you know, on the inside, red is everything about cybersecurity. Now, being able to talk a lot about cybersecurity, but also too, you know, before you can talk about it, there's a level of experience and background that you have.
[00:06:06] And so when I look at cybersecurity, and look at being an author and a business owner, and also going and talking and speaking and podcasting, you know, they're all in a family, right? So I find myself, a lot of times when I'm having a business discussion, it's to turn off that podcast switch, right?
[00:06:32] Because I usually start talking and people stop. And they look at me, they say, wow, that's good. And then everything kind of diverts into a conversation about cybersecurity. So I'm learning to turn that switch off and transition over to a business framework when I'm in the business setting.
[00:06:53] But cyber talk is what I do. And cyber talk is love, love. Well, it's really important. And the reason we always do it is because we have to socialize it. Right. We have to explain it. We have to t... the bits and the bytes and the technology piece into everyday. Yes. For people to understand it and for people to really keep security top of mind for themselves, for their families, for the organization's brand that they serve, whatever it might be.
[00:07:23] Right. That's really the whole point of having discussions around cybersecurity, which is a formal way of saying cyber talk. Right. That's why. Yeah. You know, plus, if you like true crime, right, cybersecurity's got a lot of true crime. They've got a lot of colorful characters. You know, today's ransomware gangs and cyber gangs are a lot like the mafia of the 1950s, right?
[00:07:52] They've got colorful personalities, they've got families, they've got, you know, all of these little nuances that are pretty interesting. Right. Not to glorify it, right, but to study it and to evaluate it. So tell some of the listeners how you got to where you are. When you were a kid,
[00:08:13] what did you want to be when you grew up? You know, as a child, I was always engaged in science and technology. Even so through high school, you know, I took courses on electronics and electrical engineering courses, and building switches and playing with circuit boards and power supplies. So I was always that person that was inquisitive and wanted to touch something.
[00:08:38] And I remember at times when I used to see the older people work on televisions, I was always the one in the back with a light, right? Shining it, and trying to figure it out. And as I grew and, you know, once I decided to figure out my next stage in life, it was either going to tech school, mm-hmm,
[00:09:08] and to study nationals. Yeah, right, because when I was getting out of high school, you know, that was the major type of job, because the computer industry was starting to grow a little bit. All right? And then I said, okay, I really have to explore my options. Likewise, about 50% of high school students kind of think about the military.
[00:09:34] So what I did was I went to all the military recruiters. So I went to the Air Force, and you know, the Air Force recruiter said, I cannot guarantee you that you're gonna have the job, but I can get you in the Air Force. So I went to an Army recruiter, and he said the only thing available now is driving tanks.
[00:09:54] So, ah, I knew that wasn't gonna work. So I did not wanna go to the Marine Corps because I figured they were a little too tough. Yeah, it seems really tough, right? Like the whole storming the beaches, being the first one. Yeah, the first one. And you know, even if they throw you in San Diego for the bootcamp, it's still really hard, man.
[00:10:17] Right? But so yeah. So which division did you start off in? Well, I started off in the Navy, because I went... Okay, great. ...to a Navy recruiter, and the Navy recruiter had all these fancy pictures on the board of these submarines and this high-tech equipment, right? Yep. You know, from sonar equipment to satellites, to radars, to all the computers, and you know, the blue pictures, and you see people on the ship, and they're some marine, and they were traveling to different countries, and immediately I was drawn to it.
[00:10:52] So as I talked to the recruiter, he said, I can get you in a six-year advanced electronics field. He said, you're gonna be working on computers in the Navy. I ran home and I told my family about it. I said, I'm joining the Navy. And I kept calling the recruiter every day. I said, I wanna go.
[00:11:10] I want to go. I wanna go. And he said, I'm gonna put you in the delayed entry program. And I signed up for the Navy for six years. Right. Oh wow. And I was supposed to do six years, but I stayed 20. Wow, that's great. So while I was in the Navy, you know, my primary mission job was to focus on weapon systems, intel, and all your computer systems.
[00:11:36] And I also did training as well too. And you know, I always make the argument that military people have a leg up when it comes to cybersecurity, because, I would agree, if you look at the way that cybersecurity operates, you know, in the world of secrecy and also the world of data and the world of
[00:11:57] intelligence, all of that comes from the military. Absolutely. So even in business, when it's implemented, right, there's operational resiliency. We've met people that have been in the military and they're now in cybersecurity, and they talk about, you know, people create these policies and these plans, but do they practice them? While in the military,
[00:12:17] they train people on war games and the practice, so that when the stuff hits the fan, they know what to do, who does what, what happens next. And that practice, that annual like operations, those exercises, they all got from the military. It's really, really relevant. You are spot on to that, because of all the ships I've been on.
[00:12:40] You know, on those ships, we constantly train and practice. Oh yeah. So it's real combat exercises, and we simulate systems going down, and how do you bring this system back online, looking at the aspect of redundancy and, you know, just continuously training on those systems. But as I went through the military, you know, my last couple years in the military I was actually doing IT.
[00:13:07] And also too, I was doing training, and so I trained on leadership; that's what I taught junior sailors. So as I transitioned through the Navy, I said, okay, I can train and I have technology. So when I got out of the military, although I had a degree in IT, I said, you know what? I want to be a leadership coach.
[00:13:31] And after looking at the current industry and looking at some of the practices and the things that had to go on, I said, you know what? I'm staying in IT. And so I worked on some government contracts for a bit. Then I kind of transitioned over and I got my CISSP certification. You know, that test for six hours?
[00:13:52] Yeah. It was grueling. Yeah. So, hey, let's talk about that for a second, because a lot of people are looking at what certifications to get if they wanna break into cybersecurity or if they just want to advance their career. The CISSP, I've actually studied for it. I think it's phenomenal.
[00:14:09] I haven't managed a SOC for five years, so I don't know that, even after taking the test, I'm gonna be able to get it, if I qualify. But I still wanted to learn it. Right. Because it does a really good job at a high level of touching every aspect of cybersecurity. Right. My question to you is, what made you pick that to learn?
[00:14:34] Right. Like of all the certifications, and there's tons, right? Why did you aim for that one? Well, there were two reasons why. One is because when I was in the military, you were always taught to challenge yourself. Okay? Absolutely. And that against was pretty green. Yeah. Okay. It's to not be afraid of anything.
[00:14:58] So that was one. Two was because when I was a junior analyst, I was noticing that all of the people that had a CISSP were always having phone calls during that lunch break, and those phone calls were recruiters begging them to take a job. Yeah. So there you go. Well, that's true. Yeah, that's true.
[00:15:20] Right? We post a lot of job postings that we see. And oftentimes, even if there's no college degree required, right, there's gonna be a CISSP required oftentimes. So, yes, it's really good. So what I did was I took the CISSP, and I passed it.
[00:15:46] And I will admit, I came from the area of studying the Shon Harris area, because Shon Harris was the mother of the, of the cert. Okay. Yeah. Because she had a company called Logical Security. And so I went through that training pipeline. In fact, I still have the videos and the audio files now that I kind of go back through every once in a while just to get some learning pitches.
[00:16:15] Yeah, because of the way she used to talk, because she made it so simple. But I took the CISSP, and I can tell anyone in the industry now, you know, outside of what you have just mentioned, one of the benefits of the CISSP is that it prepares you to move into the cybersecurity domain, and it also gives you that foundational knowledge to learn every aspect of cybersecurity.
[00:16:47] Yeah, because none of us are, you know, really... no one's gonna know it all. Right? Yeah. Right. But what is total expert? Yeah. But the idea is that when you learn the CISSP, and if you have a job interview, you can figure out exactly what the question is. Mm-hmm. And you know how to answer that question, because the CISSP was written by a group of people that have
[00:17:12] doctorates. Okay. They're not normal people, so. Right, that's exactly right. Doctorate program. So if you pass that certification test, I'm not gonna say that you are in a doctorate program, but you're touching base with the people that wrote the program. Because when you take the CISSP training, you are following things that the industry...
[00:17:38] that what is required for, like, certifications and IT people at that particular time. Because if anyone goes to the ISC2 website, and I should look at the board members and look at all the committees that are put together to figure out what should this CISSP represent, maybe the next year, you see some high-level people.
[00:18:00] Absolutely. Absolutely. So let me ask you this. Let me just shift gears here real quick. You're doing some speaking, right? You're beginning to do some public speaking, and you were talking about, like, heard it once, gonna hear it again: Stop Feeding the Hacker's Appetite.
[00:18:21] Tell us about that, because I think that's really interesting. Okay. What I like to say is that, as common users, one of the things that is always forgotten is that you can become the weakest link. Absolutely. Now, with that said, hackers like to find the weakest link. Okay. Because nobody wants to work hard.
[00:18:49] So let's just be honest about it. So that's real. So humans can become the weakest link. Excellent. And once humans themselves become the weakest link, that's when you become a target. So what the speaking topic does is bring into discussion some of the behavioral patterns, some of the industry standards, and some of the unknowns that people may not think of
[00:19:20] when it comes to their cybersecurity practices and how that aids hackers, okay. Because at the end of the day, hackers are going to be hackers, okay? Yep. They're going to carry out their tactics. We, as human beings, have to counter those hackers by beating them to the finish line, because I make a distinction and state that if you have normal users in lane A and hackers in lane..., the one that makes it to the finish line will win.
[00:19:52] So if you don't feed the hackers' appetite, then you'll be able to make it to the finish line. Yeah, absolutely. And when we talk about hackers, we always make the distinction, because hackers themselves, I mean, we employ hackers. Our organization employs ethical hackers, right? Hacking is the act of breaking things down, finding, exploiting vulnerabilities.
[00:20:16] There's nothing wrong with hacking in and of itself; it's the threat actors that we're talking about. Yeah. It's the criminal adversaries. And I just wanna make that distinction for the listeners, because when you're saying hackers, those are the people that you mean. Right? Right, right.
[00:20:32] You know, I always make a distinction to it. I say it's state... state that is the unethical hacking versus the ethical side of that. Yeah. Right. No, that's a good delineation. Yeah, yeah. That is kind of where the topic goes, but the topic is also focused on some of the best practices.
[00:20:52] Looking at social media, looking at your email, I always like to use an analogy there and say, okay, let's just say for instance, when you go to a restaurant, and a normal menu that you have, you know, the appetizer may just have something like some french fries. And I said, okay.
[00:21:15] Do you know what the appetizer of a hacker's menu looks like? It's called a weak password, right. Okay. So yeah, so if you go down to the entree, and normally everybody wants a piece of... but a hacker has access to 1 million bank accounts. All right, so I make that distinction: don't go play into the tactics and don't become the weakest link.
[00:21:41] Absolutely, absolutely. Absolutely. Because that is the simplest way of actually looking at the way of feeding the hacker's appetite. But, you know, there are other ways that can be done as well too, especially from a business side, because on the business side, you know, you have to have different types of programs that are very, very effective.
[00:22:04] One of those is making sure that you have a resilience program in place that works. Okay. So walk us through what you mean by that. Like a resilience program. Okay. When you think of a resilience program, you are going to be able to sustain cybersecurity through all types of changes. Let's just say for instance, if you are a major corporation, and let's say for instance that you have a data center there.
[00:22:38] Mm-hmm. And let's say for instance that you lose power in that data center, but that data center provides services to like 20 million customers. All right? If you have a resilience program in place, and if you effectively test that data center out through your different training exercises, then you'll be able to have redundancy in place.
[00:23:00] Because what should happen is that as you lose power to that data center, it should have failover. It should automatically fail over to your backup power and actually stay in operation. Now, this is a part of a resilience program. So when I look at the idea of resilience, it also too is making sure that cybersecurity services are always available, right?
[00:23:27] One of the common ways to align it is to talk about the availability of services. Okay. Right. Making sure that it's always in place and working. Now, to have that resilience program means that companies have to continuously test out their cybersecurity services, maybe on a semi-annual basis,
[00:23:49] maybe on a monthly basis. Just like a couple weeks ago, you know, they also shut down one of the airports, you know, the airlines, right? Yep. I sat back and said, okay, do they have...? Right. You know, it's me thinking, because have they practiced this? Well, when I see an airport, yeah,
[00:24:08] when I see an airport shut down, I'm like, just like doing a fire drill, right? Where you have to practice: which hallway do you run down? Which door do you go out? Who does what? Right? Who notifies whom? All of that. Have they practiced that every quarter, every year, whatever? And I don't think it just applies to major corporations, right?
[00:24:30] I think small businesses, nonprofits, this is something that all of them need to be doing, right? They all have acceptable use policies. Can you bring your own device? Can you not bring your own device? Can you do this? Can you do that? Well, all of those standard policies, a lot of them are starting to implement those, but they're not practicing them.
[00:24:52] Right. And so when it happens, they don't know what to do. Right. Well, and that's really where, again, we become the weakest link. Yeah. Well, you know, the way that I say that you can remediate those issues is to, you know, I use the word "you" as in the public and all genres of people,
[00:25:13] mm-hmm, is to think that anything that touches IT has to have cybersecurity. Right. There is no separation. So, yeah. So if you are a church, if you are a nonprofit corporation, or if you are an insurance company, you are all falling under the same domain when it comes to cybersecurity, and that is to make sure that you are protected.
[00:25:38] And I make that statement known in much of the talking sessions that I do, because about two years ago I was at a meeting, and I was talking to a gentleman, and one of the questions he asked me, he said, Hey, if my corporation has not been hacked, can I assume that we are protected? I almost dropped my bottled water.
[00:26:05] And so, really interesting point though, the mindset there. Right? Yeah. We don't know that we've been breached yet, so can we assume that we've been secure? Well, that was the moment of opportunity. Absolutely. Okay, because in my book, I actually have a chapter called The Responsible Actions and Ownership, which is talking about seizing that opportunity.
[00:26:34] And that was my time to seize the opportunity and to explain to him how cybersecurity operates. And I made it very simple. I said that in your car, let's say for instance if you had a bad part. I said, eventually, I said, you keep riding in your car, but eventually it's gonna break down on you. He said, yes.
[00:26:53] I said cybersecurity is the same way. I said there could be little problems in the crevices of your organization that you don't know about, but I said that you have to have a growth mindset, and you have to continuously engage cybersecurity and follow certain practices, because there can be a smaller issue that can turn big.
[00:27:16] Okay. Yeah. And it seems to be twofold too, right? There's the systems in place for the actual technology, but then there's also the ongoing training of the people, right? Because when we are the weakest link, look, it doesn't matter how much an organization, small, nonprofit, large, none of it matters how much they invest in their technology and their infrastructure if the people let them in.
[00:27:44] Right, right. There's a continuous engagement. It has to happen, because one of the ways to make cybersecurity so successful is to be proactive in most of everything you do. You know, it can be as simple as your staff not waiting until something happens, you know, to say that we need training, right?
[00:28:10] Yeah. Okay. It can be a part of onboarding. Okay. And you know, having that proactive engagement is very important. But also too, one of the areas that I found out in this world of cybersecurity is that a lot of people are very afraid to speak up. Let's say, for instance, if you have a problem. Why is that? Take me to why and take me to the sizzle.
[00:28:38] Well, because of the responsible actions model that I just spoke about. Yeah. It's because a lot of organizations or users think that when there's a problem, it's a point of failure, but it's a point of success as well too. Now, mm-hmm, I do not state that every organization or person should have failures, but if they do happen, that is the moment to say, Hey, where?
[00:29:08] Correct. Right. Yeah. Okay. That's the moment of opportunity there, so that you can do some lessons learned and you can see where your weaknesses are and you can close the gaps. Yep. Because... oh no, go ahead. I'm sorry, bud. Because imagine if a situation was bad and someone doesn't want to speak up, right.
[00:29:33] Now that's a risk in itself. It is. It is a risk in itself. That's exactly right. So you continuously will pile on different risk states, and you know, before you know it, it would be hard to catch up. Yeah. It would be so hard to catch up. Absolutely. You need to create a culture and a process where when they see something, they can say something without, right,
[00:29:57] without repercussion. Yes. Yes. Even if they feel like they might have made a mistake, they want to feel safe in bringing it. You need to create that safe zone where they can bring it to the CISO's attention or whoever is owning the initial vision of security. Yes, yes. That's one of the principles that I think operates well.
[00:30:21] But as part of that culture building is to go and have your staff and your people have an open type of communication where they will speak on those issues, especially early, because you don't wanna wait and try to play catch up, which is the absolute emergency mode. Yep. Because as I said before, you know, risks will continue to grow and they will continue to pile up.
[00:30:51] So you... Absolutely. Right. So let me ask you this. Let's talk about your book. Mm-hmm. You wrote the book The Cybersecurity Mindset. Great insight in that book. So for the listeners and the viewers, first of all, let's talk generally. What is a cybersecurity mindset?
[00:31:13] What do you mean by it? And then let's get into kind of why you wrote the book. Okay? When you think of this cybersecurity mindset, it's about that thinking process that has to be in place for cybersecurity to operate, but also focusing on roadmapping in cybersecurity, right? So I've always thought of this cybersecurity mindset as a model, right?
[00:31:38] How can you think proactively about cybersecurity, but also carry it out from point A to point Z, and be successful at that? Yeah. And so when you think of the cybersecurity mindset, it is the practices, it is the engagements, it is the technologies we use. But also too, how do you make efficient use of those technologies?
[00:32:04] Because the cybersecurity mindset comes in two different folds. One is cybersecurity. Yes. And the other fold is the mindset, which is our thinking process. Okay. All right. Because if we can think proactively about how we engage cybersecurity, much of the risk and much of the issues out there can be taken care of.
[00:32:26] You know, because if you look at the nature of the different cyber incidents that happen, and once the root cause analysis surfaces, the majority of everyone that is involved with cybersecurity says, how did that happen? Mm-hmm. Why? Well, it's part of the mindset, and being proactive. So the cybersecurity mindset is a model, and it focuses on industry-relatable terms and topics.
[00:32:56] You know, I talk about the SOC environment, I talk about other areas of cyber, you know, from looking at the sizzle over onto your risk management program, business programs that may surface. Okay. And just for the listeners that might not be technical or delving into security, when we talk about the SOC environment, we're talking about the security operations center.
[00:33:20] The IT people in an organization whose sole duty is to monitor and manage the security aspect, as opposed to just keeping the lights on and fixing your PC. Yes. Yes. One of the points I want to point out is that the outcome of the cybersecurity mindset focuses on three main principles.
[00:33:47] One is to simplify cybersecurity, because in this industry, cybersecurity can be seen as very complex. Absolutely. Yep, yep. Many people that I have spoken to have always said that I just do not understand the nature of cybersecurity, so what I do in the book is present the information in common-sense language, so that every genre of professional can read it.
[00:34:16] If you are a college student and you are working on your research paper, you know, this cybersecurity mindset can help you out. If you are a seasoned professional in cybersecurity, this is your modern playbook, okay? Absolutely. Now, last, if you are in that executive area, if you are upper-level management, this is your toolkit.
[00:34:40] This is you coming in one day and stating, okay, I need to find ways to get my employees to work together. I need to find ways to modernize my workforce development program. I wonder how I can get it done. I also want to take a different view into risk, not so much from the area of saying, okay, I scored 90% on this assessment, but, you know, I wanna look at risk from a holistic
[00:35:08] mindset and figure out exactly what's going on in my organization. And third level, for all these executive people, let's say for instance, if you have to go into a boardroom and if you need that sales pitch, I'm pretty sure in the cybersecurity mindset you can.
[00:35:29] That's great. Yeah. So, so let me ask you this. Did you w. When we think of organizations today regardless of size, you know, what are some of the things that they need to.
[00:35:46] I guess what I'm curious is, based on what you've seen and based on what you're seeing, what are some of the top things that are, that are different today in 2023 compared to just a few years ago? I mean, [00:36:00] obviously the rise in AI. ChatGPT, others like that. It's really speeding things up quite a bit in terms of the ability to socially engineer, the ability to craft phishing emails faster, things like that.
[00:36:15] What, what can help organizations gain a better kind of situational awareness? Okay. Well, so you struck on one, which is the situational awareness is the, is the number one. But also too, there are a couple of components that go along with that one. One is that I always like to talk about having a continuous visibility program.
[00:36:42] That's the number one at the top of the list because when I think of a continuous visibility program, it is looking at an organization. And having observation into your risk state. Now, under that continuous visibility program, there are some functional parts. One is that your hardware and your software infrastructure, a lot of organizations lose track of those too.
[00:37:08] All right? I've actually seen companies that have assets out there. That they don't know that, that they don't know of. Right. And so, so with these assets, they can be in the wild and they can be a rogue device. And if your SOC team is monitoring a threat log, and let's say for instance maybe someone say, Hey, it's just been out there.
[00:37:34] A year and it's okay, but no, but you have to investigate that so, so if you lose track of your hardware and your software infrastructure, that is number one. Problem two is the configuration management programs. A lot of organizations have to have a configuration management program in place because of the fact that you deal with changes.
[00:37:56] You don't want unauthorized users making [00:38:00] changes to your system states because when they make changes to those system states, and if they don't communicate those to different teams, then other teams may just think that it is an event or, or pretty much is a negative event that happened. And so now they start to take action on it and when it's not a negative event.
[00:38:20] Third level is your vulnerability management program. It's very important because we have Log4j vulnerabilities in the wild and all other type of vulnerabilities out there. If, if corporations can find a way to manage their vulnerability management program and, and I mean, just manage that program and know exactly your true risk states, because when I speak of a true risk state, I am exactly talking about outside of your vulnerability tools that you have.
[00:38:55] onboarding other type of knowledge base that you can get, because every organization has a vulnerability management tool. Mm-hmm. , but you need other tools to work along with that. Because I worked on different, different projects where you had Tenable Nessus, where you may have Qualys, where you use SCCM, where you use Microsoft Defender.
[00:39:17] And also too, just like DHS is always putting out some CVEs through their catalogs. So you can take all of that data and you can work on that as well too. Now speaking of tools, you know, you have to make great use of tools because a lot of times, you know, I've seen a lot of organization that, that have tools, but they don't make great use of those tools.
[00:39:39] You know, they only use No. A lot of times it turns into noise, right? Like a lot of times they have like, SIEM tools that are just alerting for everything, and then it just turns into noise and it's just human nature, right? When everything's a priority, nothing's a priority, and so, right. That's why engaging with.
[00:39:58] A SOC if [00:40:00] like most small to mid-size organizations can't afford to have their own security operations center. Right. Engaging with the organizations that actually provide that is so critical because then somebody's actually watching the traffic 24/7 and and looking for those anomalies, looking for those weird, looking for odd things that are going on because, you know, criminal adversaries, threat actors, they're in.
[00:40:26] An organization's network for quite a while, right. Before they even know about it. And that's really scary. Well, well you are right about that at a hundred percent. And you know, there's one more element to is data. Yes. I've, you know, your data quality analysis program because if you look at the common type of environment and looking at all, all.
[00:40:52] Threat feeds that they have. Oh yeah. Some kinda way You really have to massage that data. I know that artificial intelligence platforms are rising now, where, where those platforms are able to manipulate the data and actually process that data a lot faster than humans. That is another component of that continuous visibility program too.
[00:41:19] But, but I always like to state the continuous visibility program because cybersecurity itself is kind of like the shield, right? Mm-hmm. . So if an organization want to look at all of their different type of departments that they have, HR, IT, legal, and their procurement departments, and let's say we make a pie out of that, but you know, the outer ring is cybersecurity and that's where the visibility happens.
[00:41:47] And hackers are trying to break the shield. So I've always stated that the reason that hackers can survive is because it's the unknown. Mm-hmm. . So, [00:42:00] so if that continuous visibility program is, is it's like very high. You can actually. Predict incidents and you can predict incidents from, from happening now that's, that's kind of the way I always look at it because when a continuous visibility program, it will encompass everything else from, you know, risk to the CIA triad, to, to the different programs, to like, to like data loss prevention looking at zero trust, looking at all the other different type of.
[00:42:33] Technologies that are surfacing, all of those are helping your continuous visibility program out. But the, but the idea is to know what's on your enterprise. Make sure that you manage those changes. Make sure you know. What actual vulnerabilities are there and make great use of those tools, but also to making sure that you have some type of data quality AI analysis program in place.
[00:42:58] Absolutely. So you, you mentioned the CIA triad. Can you elaborate on that and explain for the listeners what that is? Okay. You know the CIA triad is the foundation to cyber security, right? Mm-hmm. , so there are three components to it. One is the art of. Confidentiality. Right? So which, so which means that that is only a need to know basis.
[00:43:25] So it's just protecting data, making sure that only designated people have access to data, right? Two is the integrity concept, right? Free, free from modification. So that means that once you save data and once you transmit data in a certain format, it should be received on the other end. Let's say, for instance, if somebody wants to send a spouse an email that states, I'm gonna send you a thousand dollars just to go shopping for Valentine's Day, right, now. [00:44:00]
[00:44:00] Now, if it gets to the other side. And if it states $10, okay, someone changed the email around right now. Somebody's gonna have an argument when they get home. But I'm just making a statement that, that the world of integrity is about making sure that. Data leaves and arrives in the same format. Okay. With the availability is about making sure that cybersecurity services are always in place, right?
[00:44:31] When you have those three, that's when the CIA triad is formed. Part of that CIA triad too is that, that it helped you reduce risk and when you can reduce risk, so that means that the different threats and vulnerabilities that you have, are also going down. So I may get distinction in that concept that, that if you in the world are cyber, okay, if you think about threats and vulnerability, you know, the ideal is to reduce them to the lowest level possible.
[00:45:03] Yeah. So let me ask you this, of those three, in those three buckets or three sectors that security is viewed through the CIA triad to me, Hey, look at that. To me, the the confidentiality one is the one that we struggle with the most because even when there's a compromise and somebody gets in through social engineering, through phishing, whatever it might be, multifactor authentication fatigue, right?
[00:45:35] Like we saw in the in the Uber, the most recent Uber breach, right? They just kept pinging the multifactor until the person eventually let 'em in. Okay? But once they're in, right? What can they access? And that's really where that, that the, they had been able to get to the core element, right? Like to their, to their core [00:46:00] source and to all of these really, really confidential aspects that maybe that user shouldn't have been able to access.
[00:46:05] And so I think that's, that's, let me ask you this, like, is, is that where you see organizations really struggle, meaning. Not all breaches are the same. Would you agree with that? Like somebody gets in, but if they compromise a user or a user's account, but they themselves, that user doesn't have access to the core intellectual property or core source, then okay, it's a breach, but there's not that much damage.
[00:46:32] Right. Or even if they do ransomware, but it's limited and it's controlled in that one sector you might have. A device or two or three that are damaged, but that's it. Right? As opposed to most organizations, when they configure things, different people that shouldn't have access to a bunch of stuff have access to it.
[00:46:51] So when they get in, they're able to see stuff that they shouldn't be able to see. I've. I've seen through, through my entire career, you know, as someone that started off as a junior analyst, as someone that owns a company problems that you just spoke about. Mm-hmm. , okay? Mm-hmm. is the, is the actionable use of data.
[00:47:15] And, you know, here's, here's the reason why, because. Because the actionable use of data goes back to, goes back to a traditional thought, trust, but verify. Right? Right. Once you're in, we trust you. Mm-hmm. . Okay. So, so, so when that happens and see that opens the floodgate up. Yeah. And, and I, and I think a lot of people are still kind of in that frame of mind now, because with Zero Trust is pushing that away now.
[00:47:47] Okay, so we're changing things with Zero Trust, but, but I've seen that happen. How does Zero Trust differ from trust, but verify for the listeners? zero. And you know, zero trust [00:48:00] is that, that you never trust really. Right. Okay. So you have, so you have now, now, now that a lot of people are working remotely.
[00:48:12] Mm-hmm. and also too, that you have people that are working in the office, then the. The traditional way of having a cyber security network perimeter have changed a lot. Mm-hmm. . Okay. So with zero trust in, so you have to set up different, different zones now. Okay. So we are now moving to a point where what, you know, people are having to authenticate through like different zones now.
[00:48:41] Right? Because, because the traditional way was that everybody was in a. So you had the pool that pretty much was around the building, but now there's only a certain group of people in the building, but outside of the building, there are people that are working as well. Right. So you have to have a little bit more stringent way of Yeah.
[00:49:00] And a VPN's not gonna do it because Yes, yes. What they have is they've got their crack, Comcast firewall router thing that they get from their cable. Right. And then they get encrypted. Right. Or. Have they get compromised and then they just go right in to the company network through the VPN. And so, yes.
[00:49:23] And, and, and, and so Zero Trust really says we're not gonna trust until we verify at every level. Yes. Right? At every zone. Yes. Yes. So, so that's one of the ways. of now that it's trying to improve, you know, with this with the sharing of data, I actually wrote in the cybersecurity mindset under Situation Awareness.
[00:49:47] There's a framework that I created, which is about the sharing of data. And it's just that looking at it from, from a perspective of saying, okay, before you share. . [00:50:00] Okay. Well, you have to identify why, why is it that you wanna share data? Like you just don't share it? Right? Because, because someone need it.
[00:50:08] Okay. You know, the second case is who, who are gonna share. Right. Who are you sharing the data with? Has that been verified? Yeah. . Right. Okay. Then, then you go to how, how, maybe you're gonna share it through email or like so forth. Right. Okay. And, and you know, the last segment is when , when, mm-hmm. when doesn't need to.
[00:50:29] Okay. So, so you have to look at those areas when you share data. But just going back to the question is about over the past couple years, I think that when it comes to data, because we are so dependent on data now because about 30 years ago, Everyone that used data were probably writing things on a sheet of paper, and it was putting it in a shoe box and throw it in the closet.
[00:50:56] Yeah. But now everything is on digital devices. Yeah. We talk about that all the time. Right? Because 25, 30 years ago, and I was in business. Then like you had two forms of everything. Yeah, there were computers and stuff, but it was like an electronic version of what you were really doing, and most everybody was still really doing things physically.
[00:51:17] So if the computers went south, right, okay. We could still do business. Right. Today, you, you can't, right? You can't render medical care. You can't conduct a sale. Right? Point of sale systems and retail, et cetera, and, and, and transactions online. And like when things go down today, it's, it's, everything is digital.
[00:51:41] And so the impact is, is far greater. Well, well, you are correct. You know, one of the areas that I, that I discussed in the cybersecurity mindset is about this digital monetization area. Mm-hmm. . Okay. And, and, and just that because we are in [00:52:00] a area now, where say that technology changing and, you know, we are in a different type of threat landscape.
[00:52:07] Looking at the way that organizations have to protect their assets, looking at the way that cybersecurity is moving and shaping organization always and always have to think about digital monetization because portion of digital monetization is to make sure. That from a technology side that you modernize your system because a lot of systems are probably out there now that are not cybersecurity ready because they were built back in the 1970s.
[00:52:37] and you know, it's hard to transition those system over because of proprietary programs that were used, you know? Yeah. Uh, So, so if you have those, those type of system and trying to transition those over to a digital monetization area, it can be difficult. It can be very, very difficult. So, So what I like to say is that in the cybersecurity mindset, because there are four main sections, you know, the first section is gonna talk about the culture, right?
[00:53:11] It's how you build your cybersecurity culture. Yep. Then they want to talk about situational awareness and knowing your cybersecurity environment, and then it moves into, Thinking about risk. Okay. It's just understanding that having that risk-based attitude is very important and, and then after that, it transitions over to a business side and focuses on what a business needs to do as far as transformation.
[00:53:40] Okay. Looking at business transformation, typical topics are like workforce modernization. Yeah. Looking at digital modernization and like, one of the most famous topics that, that I like the most is like wearing the hackers hat. Okay. . Yeah, exactly. Like getting inside the mind of a hacker. And, and, and I'll [00:54:00] tell.
[00:54:00] The listeners and, and, and those that could be watching that the way you lay out the book is phenomenal. It's very easy to digest and to to read. It's very organized and structured. It's a really good read. So we're gonna have links to it in, in, in the show notes on both our YouTube channel and our podcast.
[00:54:19] So please please check that out. Check out that book. It's phenomenal. Oh, yes. Oh yeah. Thank you. Well, well, you know, I've always, I've always said that you know, the simplest way to make cybersecurity operate is to have talking sessions. Mm-hmm. When I was writing the cybersecurity mindset, I started off by just saying, okay, I'm going to write a book on.
[00:54:44] How to be a hacker. But I said, you know, there's like 50 books out here on this topic. Yeah. And I from, from people that have served time in federal prison for being hackers. Right, right. And you're like, okay, let's let them cover that topic. Yes. So, so I said to myself, I said, I said, okay, what is actually missing?
[00:55:04] Mm-hmm. , what could I present to people? Where, where they can start off on the bottom and they can, and they can have a progressive way of thinking and they can read and they can see cyber security on a big scale. But also too, you know, the content is still there. And so I said, Hey, what? What about having a cyber security mindset?
[00:55:26] And I kind of did some research on the topic and I went around for a bit. I said, yeah, I said, I think I could write that. And I will tell you that I had the greatest time. Writing the book. Well, it's, it's a really good one. I could not wait until it was published. Yeah. And you know, my publishing firm is probably going to listen, listen to this podcast, but you know, we, you know, we had a couple rounds because see, I didn't like the cover at first.
[00:55:53] Right. And I was like, I held my own cover. And so, oh, first firm goes, we [00:56:00] think this cover will go work, but. . But at first I was, I was kind of thinking, and I said, you know what? I don't like it. But as I looked at the book, then I realized what the cover was supposed to mean. Yeah. Because it has a lot of dots there.
[00:56:16] And as you learn cyber security, that's when you can connect the dots together. Yeah. And, and, and so I think my publishing firm for that, because I probably. Went in the wrong direction, which you cover. I Well, and they are in the business, so Yes. Right? Yes, yes. Yeah. So they know that Well. Hey Dewayne Hart, thank you so much for joining us.
[00:56:36] We really, really appreciate it. Learned a lot, great topics. Not gonna be the last time we speak, I promise you my friend. No, it's not. This is just absolutely fantastic. Ladies and gentlemen, please take a look at the book The Cybersecurity Mindset. We'll have links in the show notes. Phenomenal discussion.
[00:56:53] So Dewayne, thank you so much, sir. We really appreciate it. Thanks D. Thank you. Thank you too. Hi, Cybercrime Junkies. Thanks for listening and watching. Got a question you want us to address on an episode, reach out to email@example.com. If you enjoy our content, then please consider subscribing to our YouTube channel at Cybercrime Junkies.
[00:57:14] Connect with us on all social media like LinkedIn, Facebook, and Instagram, and check out our website. It's cybercrimejunkies.com. Cybercrimejunkies.com and thanks for being a cybercrime junkie.