Rob Carson

Rob Carson is the Founder and CEO of Semper Sec, a cybersecurity consulting firm that helps small to mid-sized businesses build security programs and navigate compliance to maintain a competitive advantage. Before joining the IT industry in 2012, Rob served in the United States Marine Corps as an Infantry Officer and High-Risk Training Manager.

Prioritizing Your Approach to Cybersecurity with Rob Carson

Rob discusses how to make cybersecurity relatable to companies, creating a personalized and prioritized approach to security, and the problem with the overabundance of information in the cybersecurity space. He also tells us how Semper Sec demystifies the process of compliance for companies.

3 Key Takeaways

Dissecting Popular IT Nerds
182. Prioritizing Your Approach to Cybersecurity with Rob Carson

Episode Show Notes

[06:15] Tell us about Semper Sec.

We do the arts and crafts of cybersecurity. A typical engagement is when a customer has signed up for something and needs to ensure compliance, so we go in and make that process suck less. We craft the policies, facilitate the surveys, and create everything in the company’s vernacular.

[08:00] A lot of people don’t understand that this is a big deal. If you don’t do it right, it can have serious repercussions.

Exactly. You have two metrics as a CSO – did you pass your audit, and did you get hacked? You need to prove that you can act in good faith. People say compliance isn’t security and that’s technically true, but if you can’t meet compliance, you’re in trouble. This is the easy stuff. Every company’s culture is different, and you have to make it work for them.

[12:30] Often, companies don’t understand the requirements needed to work with businesses such as credit card companies.

They don’t think they can meet all the needs and certifications, but they need to realize that they can and they can do it cheaply. A lot of cybersecurity companies will try and upsell you on unnecessary software for an extra cost, but we don’t do that. All you need is the ability to run the required programs correctly.

[14:45] How do you help companies figure out what they actually need?

We try to teach people how to identify priorities. It’s your job to identify risks, so go to the risk owner and let them help you to prioritize.

[16:08] A common theme I see is businesses thinking they have to have it all or it isn’t worth it. It’s actually a balance.

Often, you can treat it with policies. You need to get them outlined, in writing, and specific. You need to factor in how your business operates. I recommend breaking training up into two groups: sales/customer service, and devs. It’s about tailoring the conversation to who is listening.

[19:00] Tell me about your podcast, Blue Team Warrior.

I built the podcast based on talks I did regarding guerrilla tactics and the Blue Team. With any tactics, you need a certain amount of propaganda with any action. As the Blue Team, it’s your job to inform. What is your message? How are you communicating it and keeping people updated? My recommendation is to make your tabletops like a “choose your own adventure” book. Map out scenarios and various consequences so that you can demonstrate real-world repercussions and reasoning for actions. If you want people to care, make it about them. If they are part of the story, they are much more likely to pay attention.

[27:30] When I talk to companies about security, I find it’s a matter of narrowing the scope.

It’s also about activities. What business processes matter? Some matter more than others and are more of an availability thing than a confidentiality thing. What does it mean to secure things? This is where we come in. Sometimes, internal IT departments aren’t effective communicators, but if a consultant comes in, they get listened to. Even if it’s the same thing that the internal team has been saying.

[30:00] CIOs and CSOs have to be incredibly flexible in today’s world and have to balance everything.

Exactly, it’s hard to keep track of everything and what to actually care about. There’s a lot of information coming from all angles. Start with the basics. If you don’t have cybersecurity insurance, get it. To do that, you need a program. You need to ensure you have the correct certification and compliance for whoever you are doing business with.

[40:00] A good starting place is to ask if your company was to go down, what would you bring back up first?

Exactly. Not only that, but what is the minimum level of security? I prefer working with ISO because you can write the rules for risk and cover the whole company with it and add on things as needed. There are always aspects where you may need help. There’s always something you can outsource to make life easier and smoother.

[51:00] What is the future of IT security?

I think the future is the past. Everything people are doing is the same stuff that has been done but with new tech. Automation is good in moderation, and I think we will be stepping away from the Cloud.
