Host: Welcome, everyone, to a new episode of Scale to Zero. I’m your host, Pursutham Cofounder and CTO of Cloudanix. Scale to Zero is a forum where we collect questions from curious security professionals and invite security experts to learn about their journey and also to get these questions answered.
Our goal is to build a community where we learn about security together and leave no security questions unanswer with that. Let’s get started with today’s episode.
For today’s episode, we have Charles Mendoza. Charles is a CISO at Consortium Networks, where he guides businesses with their cybersecurity programs, works to set up information security, governance, risk management, compliance and corporate certification programs.
Prior to Consortium Networks, he was the director of Information Security at Scantron Corporation, where he was leading the enterprise security team.
Charles, Welcome to the show.
Charles: Thank you, Pru, for having me. I really like what you’re doing with the cyber security community. These discussions are important and helps continue the conversation how to solve these complex challenges we face every day. So thank you!
Host: Absolutely. Thank you so much for your kind words!
All right, so the way we do the show is we have two sections. The first one is Security Questions, and the second one is the Rapid Fire. So let’s start with the security questions section. And in that, I want to start with your work that you do with your customers. Right. You have worked and you’re working with many organizations to set up their security programs governance, risk management, the GRC, right.
What Are The Challenges That You Have Faced While Trying To Set Up A Program And How Did You Overcome It?
And For Security Leaders Who Are Starting Fresh, What Advice Do You Have For Them?
Charles: Wow, challenge is setting up the security program. Great question! So my advice to peers in this space.
Before spending on the latest tools and latest solution, figure out how your current solution is functioning. NIST and MIT are trusted frameworks that the community designed to protect your organization. If you’re not measuring against these frameworks, how do you justify your request for more budget? If you have extra budget, how do you know what tools to buy? We have had customers buy four tools that address the same thing because they didn’t know that each tool in reality was the same solution. It was just marketed differently. So my question to my peers, if you aren’t measuring your current risk, how are you justifying spend and how do you know you are fully protected?
Host: I love that answer. Like measuring how existing tools are used and looking at your current posture as well. Right. You need to understand what are the challenges. So one of the things that most organizations do to sort of look at their risks, if they follow a risk matrix where you have two dimensions, probability of a risk and its impact, sometimes it seems incomplete because there are multiple risks which fall in the same category, either critical or high. And prioritization can be a challenge. Right. So
How Should The Organizations Quantify Their Risks And How Should They Use That For Prioritization?
Charles: Right. So this goes back to my prior comments on risk. Without knowing your risk level, you won’t be able to truly know how effective your program is functioning.
If you aren’t measuring risk, you are basically throwing darts at a dartboard and relying on vendor assurance that your risk is being addressed. So you need a tool.
Host: Right. That makes a lot of sense. And one of the things that you might have noticed, and we have noticed as well, is when you are doing this risk assessment, you generally work across teams, right? You have multiple teams, you’re working with them. And one of the key factors in these engagements is your culture.
Every organization has a culture like either engineering driven, sales driven, security driven. There are many different types of cultures. As a security leader,
What Methods Would You Recommend So That Brings Awareness And Develops A Security Centric Culture And Mindset In An Organization?
Charles: Wow. Regarding culture is the clue. Another excellent question. So no matter what vertical you’re in, you’re going to have a web presence or use email, and you’re obviously connected to the internet, so unfortunately you are going to attacked.
Gone are the days of pleading ignorance. The adage of It won’t happen to me because I’m too small, my product isn’t that interesting, or we invested so much in our security program, we can now rely on technology to protect the organization. False. As long as we remain defenders, we are going to have to do our best to make sure that security is everyone’s responsibility. When I talk to my non IT friends. I like to use a simple visual when describing drivers security today imagine if you are in your house and a bad guy walks in and slaps you in the face, sometimes it hurts and sometimes you pass out and fall on the floor in agony as the tears are flowing from your face you slowly get up and the bad guy is still there and instead of fighting back you turn the other cheek and brace for another horrible blow this time it knocks your teeth up. This keeps happening over and over until you don’t get up anymore. So using this analogy, Since we can’t fight back or all we can do is make it harder for the bad guy to get in.
So we hire security tools. Cameras, Better locks, Fences these are all good but we forget to tell our kids to stop using the back door or garage door because they aren’t fortified. To their defense they didn’t know and assumed the cameras would stop the bad guy or they opened the door because the guy looked like a policeman from far away.
We have been trained as humans to trust and then verify but verification is hard and by the time we verify or validated the person they are slapping you again in the face, as security leaders we need to explain to our people that the tools are best effort and to slow down and look at suspicious requests then we need to reward the employees by thanking them make them part of the solution and they will gladly cooperate some orgs are punishing employees for failing a simulation by making them do more training. “Training is important but positive reinforcement is the key to success.”
Host: Yeah, That makes a lot of sense especially I love your analogy right where it’s very much accurate nowadays where a lot of companies are getting hacked and there are fishing attacks and everything going on. Right? Like speaking of phishing attacks or social engineering attacks there has been a rise in that tremendously to steal employee and customer data across organizations and many security analysts claim that human error is like the biggest factor for data privacy. Recently there were some significant attacks on Twilio and Cloud player so,
What steps would you recommend organizations take to prepare for such attacks?
And how should organizations react during and after the attack?
Charles: Wonderful, Human error and data privacy. Again, we need to establish an agreement with employees that this is everyone’s responsibility and not a technology problem Zero trust meaning gone are the days of trust and verified we get an odd request to transfer 50 by the CEO for example might seem simple enough and it’s only 50 but pretend it’s 500 or 5000 how hard is it to send a quick message via cell phone to your colleague or even the CEO himself to validate or ask another person before acting? Yes, it can be annoying but filing a report with it is more time consuming and now a time consuming forensic investigation has to be done using the House analogy. My CEO Tim Murphy had a nice interview with a large financial organization the other day. Not only should we make sure all our entry points, doors and windows are locked, buy, hire a watch guard or a watchdog, make it harder for the intruder to get in. How we do this in cyber? Instead of buying more and more tools, make sure you start with the essential or foundational control. Make sure you have a solid multi factor solution. Passwords are going to be compromised.
Sorry but guys, I figured it out. So when you layer in multifactor, you now added another layer for the intruder to get. To try to get into your organization, make sure you add it to all your key applications. Email, VPN and key applications like Salesforce instead of focusing on what happens after attack. That unfortunately is today’s primary focus that most organizations have been focused on. Which is good, but let’s try and prevent it from happening in the first place. We see companies investing in pen testing and vulnerability and forensics, but they pretty much left the door wide open because they aren’t using multifactor because it is too hard or to implement or inconvenient.
We are going to wait till next quarter. Sorry. I have witnessed too many companies post attack wishing they implemented earlier because now it costs them their job and millions of dollars in damages. Let’s try and avoid this. There are so many multi factor integrators out there.
Host: You would spot on with the MFA. That sounds so basic, but a lot of organizations don’t follow that for even, let’s say email or VPN or Salesforce as you highlighted. Right. But when you think about it, it’s like MFA, right? That’s like the first line of defense in a way you should have very much. Makes sense. It makes a lot of sense. So I want to transition to one of your focus areas like your compliance certification.
And compliance is considered one of the core pillars of the security program setup. Right.
For a midsize organization, What is the right time to invest in improving overall security on top of certifications like SOC2 or ISO?
Charles: Right. Compliance! Over the years compliance enforcement is really difficult back in the day. But now regardless of your size, more and more companies are demanding a sock to compliance. I definitely recommend sock to even if you don’t want to go through the full audit. For the past few years I have seen the soft two preparedness space grow like wildfire. It seems like there is a new company coming up every six months. I personally like the frame is doing. What makes them different is they hired former auditors that will assist you in getting compliant quickly and securing your operations in a few weeks versus months. No longer are the days requiring all handson deck approach. It can be assigned to one or two individuals versus five to ten it’s all about the processing experience that makes secure frame stand out. So anybody that wants to do business nowadays, SOC2 is definitely recommended because it’s a great way of doing your due diligence that you take security very seriously. But SOC2 is just one of the frameworks. Like ISIL, we just measure your company.
But SOC2 is becoming really well-trusted in the organization.
Host: Yeah, makes sense. And we see that with many organizations as well. They started with a security certification and then slowly invest in improving their security posture as well. Yeah. So thank you so much for these amazing insights. I hope our viewers will learn something new from it.
For me, here are the top three things that stood out.
- Measure your current risk posture using existing tools. This helps in justification of the spend and budget planning.
- Data privacy is a shared responsibility across all members in the organization. It’s not a tools problem.
- MFA should be set up for all the apps and services as a first line of defense. It’s the basic security that we should all adhere to.
So let’s move on to the rapid fire section.
The first question is a one liner quote that keeps you going?
Charles: I have to think about this one, but I’m just going to go and swim here. And this is something that I try to live by. There is nothing to fear but fear itself. Fear to me is made up and once I realize that I’m fearless, it helps me accomplish all the scary things out there, like jumping out of a plane or bungee jumping. But there’s still one fear I’ll embrace, and that is the fear of snakes. And I just don’t even want to go through the process to overcome that. I always still remain a fearful of snake, unfortunately.
Host: No, I love that the only fear is the fear, right? So it makes sense.
What advice would you give to your 25 year old self starting in security and why?
Charles: Well, advice to 25-year-old self besides investing in Google and CrowdStrike, as long as we keep a defensive posture, meaning we will continue to receive the proverbial slap in the face versus fighting back. Don’t give up. As a cyber professional, keep learning the best ways to measure your expertise is by certification. It helps you show your employer and yourself that you are fearless and you don’t give up. Certification is hard for that very reason to help you grow professionally and be the best that you are in your field.
Host: It makes a lot of sense. The last one is,
If you were a superhero of cybersecurity, which power would you choose to have with you?
Charles: Superhero? Wow. The power I would love to have, since I can’t use my lasers to blast the enemy, is compassion and empathy. So with compassion and empathy, I feel we are lacking that as human beings and when we hear a company getting attacked, we tend to say they deserve it for not educating their workforce or not buying the latest tools and that they got attacked. But since they got attacked and we can’t change that fact and we can’t change the past, we can definitely show empathy and use that moment as a learning experience and help them prevent the attack from happening again. I feel that’s my superpower compassionate empathy
Host: Yes, no, it makes a lot of sense. Empathy goes a long way, right? And one of the things that I hear repeatedly from Microsoft CEO, like Sachin Nadela, is all about empathy. He talks about empathy to his employees, to his customers, and empathy is a big proponent of his success as well. So, yeah, that is spoton. Makes sense. So thank you so much, Charles. It was very insightful to speak with you. Looking forward to learning more from you in future.
Charles: Thank you. It was my pleasure. And I definitely would love to have another conversation with you in the future.
Host: Absolutely. And to our viewers, thank you for watching. Hope you learned something new. If you have any questions around security, share email@example.com.
We’ll get those answered by an expert in the Security series. See you in the next episode. Thank you.