
Secure IT Operations: How to Shoehorn Security into a Small/Medium Business

BSides Las Vegas · 2022 · 59:44 · 48 views · Published 2022-09
Topic: GRC
Style: Talk
About this talk
Carl Hertz discusses practical strategies for implementing security in small and medium businesses, focusing on culture change, systems thinking, and incremental progress. The talk covers asset inventory, security awareness, executive buy-in, and due diligence, emphasizing that perfection is the enemy of good and that organizations must think holistically about security rather than treating it as an isolated function.
Original YouTube description:
CG - Secure IT Operations, or, How to Shoehorn Security into a Small/Medium Business - Carl Hertz Common Ground @ 15:00 - 15:55 BSidesLV 2022 - Lucky 13 - 08/10/2022
Transcript [en]

Good afternoon. Welcome to BSides Las Vegas.

This talk is Secure IT Operations or How to Shoehorn Security into a Small-Medium Business by Carl Hertz. A few things before we get started. Please make sure your cell phones are on silent as a courtesy to people on YouTube and also people in the audience. Secondly, if you would like to ask a question or participate, I would love if you could speak into this microphone that I am holding so that YouTube can hear you. Without further ado, Carl, take it away. Hi, everybody. Thank you. Thank you. Thank you. You're my people. So we're going to talk about secure IT operations or how to shoehorn security into an SMB. Normally when I do presentations, when I have bad news coming up, I try to put something really fun and

silly on the previous slide, like goats being goofy or whatever, just to soften the blow. There's none of that in this. Sorry. It is nothing but bad news. So because of that, let's just move on. Hi. Who am I? I'm Carl Hertz, Silly C on Twitter. I'm the IT director at Elevate, currently in the transition to becoming the security director at Elevate. Thank you. Thank you very much. That's appreciated. I'm old. I have 33 years of being fully employed in IT and security. 18 of that has been in the utility space, mostly the energy utility space, specifically electrical.

I am on the board for Blue Team Con, which is in just a couple of weeks. If you can make it to Chicago and you're a Blue Teamer, please come up. I am also a co-founder of Cocktail Con, which, yeah, thank you, thank you. But for those of you who do not imbibe alcoholic beverages, we always make sure that we have non-alcoholic cocktails, shrubs, stuff like that as well. So we try to be very welcoming and open for people who just want to experience cocktail cultures, even if you don't want to experience cocktails. And if you do decide, if you have really bad judgment and decide to follow me if you're not already after this, I am Silly C on Twitter. Don't expect

much security on there, just so you're aware. So what should you expect from this talk? This is a non-technical talk. I have been in management way too long to be allowed near a computer that has access to things, which is good, right? That's good security.

I'm going to be talking a lot about systems and not necessarily computer systems. So that's part of it. Just how things are interrelated. Because one of the things that I want to talk to you about is getting out of the idea that security is its own thing. Okay. I'm going to be talking about the opportunities in security for small to medium businesses. There are lots of advantages that you have from being small. in security, lots. And I'm not just talking about security through obscurity, right? Just because you have less internet facing IPs, right? There are other advantages. And I'm also going to talk, unfortunately, about the ridiculous number of challenges that we have doing security for

small to medium businesses. And there might be some shenanigans, who knows? So

How did we get here? So this is going to be a bit of autobiography from my experience working with small businesses. I've, again, been doing this a long time. I've worked at Fortune 100 companies. I've worked at startups, work currently at a nonprofit for the past 12 years, actually. But what is always the reason why a company decides to pivot on their IT or security strategy, right? I'll tell you what it is. Something very, very bad happened every time, right? Because we all, you know, do the chicken little sky is falling, sky is falling. FUD plays a big part of why people don't listen to us on that front. But there's the whole idea of

unrealized costs, right? And especially in a capitalistic society, unrealized costs are really, really hard to pitch inside an organization, any organization. It doesn't matter if you're a nonprofit or a fortune 100, right? So one of the things that you have to learn how to do, whether or not you're at a big company or a small company is how to communicate that up, that,

And of course, if any of you have gone through, and I'm gonna talk a little bit later about risk assessment and trying to figure out the cost of controls and stuff like that. But they don't speak that language, right? So it's kind of a cat and mouse game that you get to play as you go along. So the first thing that I will say is once you're brought in And you're expected to fix the problem, whatever the event that brought you into that position, um, work with empathy, right? Um, someone, something bad just really happened and hopefully you weren't the cause, right? Sometimes you do have to clean up your own mess. Uh, but you have to

really understand that. Someone who may still be at the company could have been the root cause of that. Right. Um, you can't be like the it guy in Saturday night live and just go move. Right. You have to understand the politics of the situation. You have to understand that people's jobs are on the line and make sure that when you're addressing the situation, when you're brought in to take that over, that you are. Empathetic, not just to. Anyone who may still be around that was part of the root cause. A lot of times they're not. Right. Um, but also empathetic to the company's need. They brought you in to fix the problem. Right. And if you go

in there with a very specific mindset of what you want, what you as an individual want to get done, it can be difficult. Focus first thing. on the incident, right? Even if you're not an IR person, they're saying, hey, we lost X. Your job when you first get in is to show the competence that you can resolve the issue, issue X. And that can happen ridiculously early. I have one anecdote for you here. It happened to me in the interview process once at a company. So I was brought in for the interview and they were starting to ask some tech questions and pretty basic stuff, right? And they said, Hey, um, so what would you do if there is a very important Linux system

that the person who, uh, set it up isn't here anymore and didn't write down the root password. So my response was, this isn't hypothetical, is it? And they're like, Nope. I'm like, okay, this one's for free. Hopefully you'll hire me. Uh, you know, and y'all who knows the answer, raise your hand. Go ahead. You raised your hand first. Boot the CD, right? And you get in as root without a password. Perfect. Right. Okay. So yeah, that was a bunny. It was an easy question, but for them, it was just like, oh, this guy knows magic. So, um, you have to, again, be empathetic. Don't be the asshole who goes, I know better than you. Um, but pay attention to what the problem is and resolve it, right? In this particular

case, not only had that happened, but they had lost another primary server and the backups didn't work. So that was the mess that I was brought in to clean up. So what did I focus on first? Despite when I would first normally get to a company, I wouldn't think that data recovery would be the primary mission. But for six months, I made my mission to make, not only fix the initial issue, but make their data recovery, their backup recovery process resilient, redundant, et cetera. Right? And then they're just like, oh, you can do all that? Well, here's this whole mess. And yes, I know I've been looking. So, which leads on to the next step, learn the damn organization. Right? Many of us

like to go, I'm just an IT guy. I'm just a security guy. Whether you're in the SOC, the NOC, your help desk, whatever it is. Right? But the fact of the matter is IT and security are both there for one reason and one reason only. For people to work. Right? That's it. And unless you know the work that your company is doing or the company that you're supporting is doing, you cannot do a good job. You may be technically proficient. You may be fulfilling the job description, right? But you must learn the company. And that means talking to people. And I know that can be scary. As an introvert, believe it or not, I am an introvert. This is burning the candle at both ends for

me. I enjoy it. but I would much rather be in the cubicle in the basement by the loading dock doing my thing. But you really, really, really need to learn the people in the company. Who are the people in the company? Well, actually, I'm going to take it a level higher because we're going to talk systems, right? How many of you, show of hands only, know the mission statement of your company?

About a third. Okay. So, you know, yes, mission statements are bullshit, right? But they are also not bullshit, right? Because, and this, you can see this as CYA, cover your ass, right? Whatever you want. But the fact of the matter is, if you, as someone who helps people work, and that is the mindset that you have, of my job is to help people work, that mission statement will save your ass so many times over because you can use that when you get into debates about costs, about anything, right? You can say, well, you know, our mission is this. Here is how it helps deliver on that mission. Right? Whether or not you

agree with the mission is a totally different talk. And I'm not going to go into that now because I have way too much material. Learn who the leadership is. If you have access to the leadership in the organization. I know a lot of companies really firewall off the executives, especially at bigger companies, right? But in, especially if you're in a position that is deploying security in any way, shape or form, whether it's as IT or an actual security department, you tend to get a lot more access to those people than your average rank and file employee. Because again, your job is to help people work, right? And they need just as much help, if not more. Yeah. Anyone work service desk here? Service desk, show of hands.

You know what the executives are like, right? So make sure that if you have access to the executives of the company. Pick their brain when you have a chance. Five minutes in the lunch line, whatever it is. Learn all of the legacy IT. Whether you're in IT or security, find out everything. Do as much discovery as you can without getting in trouble. Even if it's outside of your realm. There are ways to discover things that isn't using Nmap blasting things off the network. There's human intelligence, whatever, right? Learn everything. It will save your bacon and it will actually help you when you are working on your stuff to go. Someone's like, well, we need to do this and spend this money on this. And then you can go,

well, that department over there has already got it. Why don't we talk to them, right? You have no idea how many times I have been asked to procure something only to find out later in the investigation process that four different groups had already bought said things separately because of the procurement process, especially for cloud services, especially cloud services. I'll get to that a little bit more later, that they're already in the company, whether or not it's actual IT or shadow IT. Right? So find out what you can about all the systems. You know, again, if, oh, hey. I mentioned shenanigans. And they've shown up. Oh. So I'm going to switch hats real quick to one that looks like a mitre.

And I am now not Carl Hertz. I am now a bishop of the Church of Wi-Fi. And if anyone would like to have communion with the Church of Wi-Fi, you're welcome to come up here. There is no pressure. But if you would like to be an honorary member of the Church of Wi-Fi, please have some Malört. It's delicious and nutritious.

So I'm just going to set this out so I can keep my talk going. Um, but, uh, go ahead and start pouring yourselves and I will tell, Oh, you need to run. I'll do two shots. I'll do one with you. Thank you so much. Sure. Take it off. Take it off. Cheers. Thank you. Alrighty. Thank you. Oh, tastes like the day dad left. Um,

so, uh, hi camera. Wow. Look at all of these people. I love it. Yeah. Make those, make those pores. No, we're good. We're good. So, um,

I'm going to go on and I mentioned shadow IT briefly. Every company has it. And it's, it's, if there is security in the organization, I will blame it a hundred percent on security. If there's not, I'll blame it on IT. But the fact of the matter is every organization has shadow IT and that is part of what you should be mapping out when you're doing your mapping. It's amazing what you can find that people have signed up for free using their personal email addresses, whatever, right? I mean, we all know the security risks of shadow IT. I'm not, this isn't a talk on shadow IT, but map it out as if it's part of your IT, right? Don't ignore it because it's not your responsibility because it

will eventually be your responsibility. Okay. Um, so make sure you're paying attention to shadow. Um, Another one, and this one hurts the most for me, these are where my biggest fights come is understand your company's fiduciary positions. That's just a fancy way of going, learn what they like to spend money on and what they don't like to spend money on. Right. Um, because it's going to make a major impact on your life at a small to medium business, because the answer is they don't want to spend any money on security period. Right? I've been at my current job for over 10 years. And as I said, I am just now pivoting to getting the position of director of security from director of IT

because we finally convinced everyone that our IT, our secure IT operations is mature enough that we need to start firewalling the two. That in order to get higher up the ladder of iterative improvement, it needs to happen. Right? So the answer is no one wants to spend on it, especially at small companies, right? And then...

I would love to keep that as a parting gift. It is beautiful. Thank you so much. All righty. And last, find out what your company's appetite for risk is. And if you have access to the executives, It is actually really easy to find out what their appetite for risk is. What do I mean for appetite for risk? Well, again, it goes back to that mission statement, right? So I've worked for utilities. Can you guess how big their appetite for risk is?

None, right? I also work for charities. You know what their appetite for risk is? Is it going to save that person's life? Is it going to keep that person from being homeless? Fuck it. Do it. Get it done. Right. Two very different challenges, but they're both challenges that you have to pay attention to and put into any math, any calculus you're doing inside your head when you're trying to think about how to deploy security in a small business. So definitely pay attention to that. It will be an excellent guidepost for you when you're making serious decisions on what to spend your limited budget on. So

I'm going to talk a little bit here about some more challenges, right? And I'm going to break it down specifically to something that as security people, you're probably familiar with the CIA triad. Even though this is more of an IT talk, again, I want you to think not that IT and security are different things, but they're the same thing, right? If you're at a small business, which one of these is the most critical to the business? Thank you. Accessibility. They don't, this doesn't even come into mind. Confidential and integrity. Right? It only comes to mind when there's an incident, but at a small company, accessibility is going to be a challenge for IT from the get go. Right? Even if you're at a startup

that has just had oodles of money thrown at them from, uh, from the vulture capitalists, right? They don't want, they don't care about anything, but can my people work? Right. Um, That is always going to be your hardest lift is a making sure accessibility actually works. Right. In the case that, and that I mentioned before, they lost their primary file server. That's all they cared about. How do I get to my files? Right. Um, you know, uh, integrity, whatever. Um, they, they're like, You know, many small businesses, the same person is doing accounts receivable as accounts payable on the same system. There's no firewall, right? The integrity issue, it's just not even on their radar.

So the first thing that you need to do is make sure that accessibility is working, right? The second thing you need to do is get them to understand the impact of confidentiality and integrity, right? And again, I'm talking in generalizations. I'm talking from my personal experience, but again, I've been around a long time and been at a lot of different companies. And these are things that you see over and over and over again. And I'm sure by some of the reaction in the audience, you've seen it as well. So we're gonna move on from the initial, you stepped in, and you're trying to figure out the lay of the land to how you actually start engaging the company, the organization. And

again, I'm going to use a security framework in this case to talk about IT and secure IT operations. And that of course is CIS. For those of you who haven't, anyone not know what CIS is? Do I need, okay. We got a few. So it's the Center for Internet Security, right? And they have what they call critical security controls. And these are a hierarchical step, right? Number one, I didn't number them, but this is going one through 17, 17, 18, 18 controls. They have 18 controls by which they measure the maturity of a security program. And I'm really only going to focus on the first two here real quick, but add a little bit to it. So these are the first eight, right? And the

reason why they are ordered the way that they are is that any slips early on are going to directly impact your ability to work on the controls farther down the line. Okay, everyone say it with me. What is the single most important job of security? You should be able to tell by looking at the chart. Inventory.

You can't protect what you don't know you have. Period. How companies do not have chief inventory officers is beyond me. If you don't know your assets, and I'm not just talking about assets with MAC addresses. If you don't know your assets, you cannot secure it. And this is why defense is always slower than offense. The red teamers will always have an advantage every single point, because even though CIS has been around for that many years, it's still step one, 99% of companies don't get this right. And I'm going to sound a lot like a doctor from the 1950s with a lot of this. A lot of it is no brain stuff in theory. But in practice,

inventorying everything in your company, and again, I said pay attention to shadow IT, right? Inventorying every asset, whether it's network assets, servers, desktops, people, software, cloud services, knowing at any given point in your company what's active, what's available, is literally an impossible task. Who here is familiar with ITIL? ITIL? Okay. ITIL is just like, wouldn't it be great if?

If the world actually worked like ITIL, a lot of our security problems would go away. And again, because security is not separate from IT or literally any other department in your company. ITIL is literally about inventorying. That is the whole thing. And people have tried to come up with cloud services, software, whatever, to maintain all of it and actually conform to the full ITIL standard. It's like communism. Wonderful in theory. Wonderful. At scale, nada. So I'm going to just flip to the second slide real quick. These are, once you get higher, surprisingly, malware defenses, which most companies First thing they do, oh, we got to put AV on our machines. Number nine, according to CIS,

for a mature security program, right? That one always surprised a lot of people. As I mentioned at the place that I went, data recovery is number 10. But because my company had a very specific issue regarding data recovery, I had to focus on that for the first six months. I had to ignore CIS and make sure that they were comfortable with their data recovery situation because that was what was directly impacting them at the time.

Time, okay. So again, these are roughly in priority. I'm gonna talk mostly about inventory because it is the most basic and also the most difficult. Security awareness, I wanna talk about, because that's on here.

Where is it? There it is. So it's towards the end. Don't wait. It's toward the end because this is talking about formalized processes. I'm skimming over this very lightly. Security awareness. They're talking about a measurable security awareness program. By the way, fuck KnowBe4. I just want to say that officially on the camera. If you're using KnowBe4, I'm very sorry. So, and if you're from KnowBe4... Hi, sorry.

When you're at an SMB, do it yourself to start with. Don't worry about measuring. It's literally just the awareness component, right? You need to make them aware of how social engineering happens. You need to make them aware of

the very basic concepts behind data labeling. Because eventually, if your security program is gonna be worth its weight in salt, you're going to be doing data labeling, data ownership, stuff like that. Introduce the concept early on. Tell them it's coming. Don't worry about it now, but you have to understand some things don't leave the company and other things are okay to leave the company and that someone needs to have the power to decide what's what. It is critical that you start teaching people that early. This was a little harder lesson for me to learn because again, I was trying to stick to CIS a lot at other companies. And if you don't get ahead of it,

it just makes that culture change so much harder. Who knows? You've probably all heard it. Culture. eats strategy for breakfast. 10 times out of 10, right? You may have the best intentions in the world, but your company culture is going to defeat it every single time. It is undefeated everywhere. So you have to be a agent of culture change inside of your organization. And this is what I'm talking about when I'm talking about systems, right? How many of you have really thought that as a security person or an IT professional, that I need to be an agent of change inside of my company? It's an, especially when you're at some soulless 2 million employee company or God forbid the federal government, Alan.

Um, yeah, we have a fed in the room. Thank you. I want to stand up, introduce yourself. Spot the Fed. He's in the sparkles.

You really, really need to focus on that. Again, just like with the awareness training, in the end, awareness training is a cultural change, right? We always, we want to go, oh, the stupid user clicked on the link. Again, for the fifth time, and they're going back to remedial training, and we're not going to let them reply all anymore. The fact of the matter is, is that what we do on a daily basis is not normal. Humans do not think about risk, generally speaking, in general, right? I'm talking risk, capital R, hovering in the clouds. We think about immediate risks and we have an entire system in our body limbic system that is built to deal with it.

And by the way, that same limbic system that helps you survive also kills you when it's not necessary, right? Your limbic system is leading to heart disease and stress. And you know, you shouldn't get fright, flight, or freeze when you accidentally reply all to an email that should not have been, right? That is not a life or death situation, but your body is hardwired to do that. So

when we get on end users because they're not thinking about risk, just remember ignorance is bliss. It's our job to put that on our shoulders. And there's a reason why there's high burnout. And there's a reason why there's heavy mental health toll on us. And there's a reason why there is substance abuse in our community. It's because we are doing something that inherently, physically is killing us for a living. Be careful out there, folks.

Okay, I gotta move on. There's so much more to talk about. I can ramble a lot, if you hadn't noticed. This is actually a very different talk for me, because I'm really used to speaking about something very specific. because I can talk about forever. And this is a cloud level talk, 50,000 feet. So I got to limit myself here. So let's talk a little bit more about inventory. I love the scenes so much. Philip could have a good weekend in Vegas with all this stuff and one of them is a nine millimeter. So

assets, we already mentioned that, right? What are your assets? Anything with a MAC address. Anything with a MAC address, including your user's home equipment in this day and age, right? Software, a little bit easier once you know all the assets, if you know all the assets, and there's a reason why assets come first. Services, this is where shadow IT is going to bite you in the ass. Because everyone has signed up for everything and use it for work. Here's a fun one. Uh, so we got a contract from the city to do some healthcare stuff for them. We're not a healthcare provider, but we were literally just sending back and forth healthcare data from the city for a program that we were running. You

know, unbeknownst to me, problem one, problem two is

What I did know is that the city of Chicago was supposed to be handling all of this in their portal before the program started. It was supposed to be set up. And this was a federally mandated program. So if you're not running when the federal government says you're running, big problems. So the workaround became scanning documents with iPhones and sending them to their Google accounts. and then sending them to the city of Chicago, who would then email said personal health documents back to us, unencrypted.

This is shadow IT. And again, organization, high risk, get it done. People will die if we don't do this. No one died. But when this hit my desk, shit my pants. Right? Like, it stops now. Right? But because I was aware of it, I was able to very quickly come up with a solution and really yell at the city of Chicago for coming up with that. Because again, we're SMB, city of Chicago says, oh, just do this. Well, the city said to do it.

People, how many people in their organization have an HRIS system? Raise your hand. Federal government has one. It gets hacked a lot. How many people have their HRIS system tied into their master IT directory, whether it's Active Directory or whatever? Anyone? Right. Do they match up 100%? No. So even if you have that, it's going to be your job to keep track of who has access to what. In the end, obviously, role-based access control is needed. Right before you even put RBAC in place, you need to start checking out who has access to what, right? Accounts, because it's not just people that have access to it. How many people have internal software development? Hmm. How many of you are aware of how many of

their personal accounts get shared amongst the entire team to access GitHub, whatever, right? Yeah. Or you don't know, but they are, I guarantee you. So you also need to inventory, don't just think about people, which is important, but you also need to think at the account level as well. So I'm going to talk about a couple of quick solutions real quick. I'm going to move on. Snipe-IT, Snipeyhead makes a fantastic free product for inventory. If you don't have anything available to you, get this. They have like $6 a month. You can get the cloud version where they host it. Otherwise, it's free to host yourself. Absolutely fantastic open source free system for inventory.
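The HRIS-to-directory check the speaker is describing (do the HR roster and the directory match, and which accounts belong to no person at all) is something you can script before any RBAC work starts. The following is an added example, not the speaker's own tooling or anything from the talk: it assumes a constructed HRIS export and a constructed directory export as CSV text (the column names `employee_id`, `email`, `status`, `account`, `enabled` are assumptions for the example; map them to whatever your HRIS and AD/LDAP/IdP exports actually produce) and reports the mismatches a reconciliation would surface.

```python
"""Reconcile an HR roster against a directory export.

Added example, not from the talk. Both inputs are constructed inline here;
in practice they would come from an HRIS export and an AD/LDAP/IdP export.
Column names are assumptions for the example.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample HRIS export: one row per person.
HR_CSV = """employee_id,email,status
1001,alice@example.org,active
1002,bob@example.org,active
1003,carol@example.org,terminated
1004,dave@example.org,active
"""

# Constructed sample directory export: one row per account (people and not-people).
DIR_CSV = """account,email,enabled,employee_id,last_logon_days
alice,alice@example.org,true,1001,2
bob,bob@example.org,true,1002,1
carol,carol@example.org,true,1003,40
svc-backup,,true,,3
ghost,ghost@example.org,true,,200
"""


@dataclass
class Findings:
    orphans: list = field(default_factory=list)            # enabled accounts with no HR record
    terminated_enabled: list = field(default_factory=list) # HR says gone, directory says enabled
    people_without_account: list = field(default_factory=list)
    service_accounts: list = field(default_factory=list)   # no email and no employee_id: not a person


def parse_csv(text: str) -> list:
    """Parse CSV text into a list of dict rows (header row gives the keys)."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, dir_csv: str) -> Findings:
    """Match directory accounts to HR people and collect the mismatches."""
    hr_by_id = {row["employee_id"]: row for row in parse_csv(hr_csv)}
    hr_by_email = {row["email"].lower(): row for row in hr_by_id.values()}
    findings = Findings()
    matched_ids = set()

    for acct in parse_csv(dir_csv):
        enabled = acct["enabled"].strip().lower() == "true"
        # Prefer the employee_id link; fall back to email if the HRIS sync never set it.
        person = hr_by_id.get(acct["employee_id"]) or hr_by_email.get(acct["email"].lower())
        if person is None:
            if not acct["email"] and not acct["employee_id"]:
                findings.service_accounts.append(acct["account"])
            elif enabled:
                findings.orphans.append(acct["account"])
            continue
        matched_ids.add(person["employee_id"])
        if person["status"] != "active" and enabled:
            findings.terminated_enabled.append(acct["account"])

    # Active people the directory has never heard of (shadow IT candidates).
    for emp_id, person in hr_by_id.items():
        if person["status"] == "active" and emp_id not in matched_ids:
            findings.people_without_account.append(person["email"])
    return findings


def report(findings: Findings) -> str:
    """Render the findings as plain text for a ticket or a weekly review."""
    lines = []
    for label, items in (
        ("Enabled accounts with no HR record", findings.orphans),
        ("Terminated in HR but still enabled", findings.terminated_enabled),
        ("Active people with no directory account", findings.people_without_account),
        ("Non-person (service/shared) accounts to inventory", findings.service_accounts),
    ):
        lines.append(f"{label}: {', '.join(items) if items else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(HR_CSV, DIR_CSV)))
```

The service-account bucket is the point the speaker makes about inventorying accounts and not just people: those rows have an owner somewhere, and the inventory is where that owner gets recorded. Run it on a weekly export and the orphan and terminated-but-enabled lists are the ones that should be empty.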

Nessus Essentials. I like Tenable. And that is, in my opinion, much better than any of the other options, both as a practitioner and as an executive who sees this stuff. And then lastly, a new product. I don't know if anyone's heard anything about this. Fletch? No? So Fletch is a free product that is basically applied threat intelligence that hooks into your vulnerability, here we go again, vulnerability management system. Uh, and they are a startup and they want feedback. Um, whether or not you have a vulnerability management system, um, it's a good source because it's a free threat intelligence source and there aren't that many that are free. I'm going to rant on that later. Managing risk. Okay.

So again, I talked about risk appetite before. Um, I can't tell you what to prioritize. Every organization is different, right? This is why you need to get to know your organization. What field are they in? Are they utility? Right? What kind of assets do they have? It's discovery. I find searching for risk enjoyable. It's almost a creative process. And I wish I had more to tell you other than you really need to learn how to prioritize. what you're going to focus on first. And that is not just company specific, but specific to that moment in time with your company, because it changes over time. Humans are terrible at assessing risk though. Terrible at it. Again,

why when I hit reply all when I didn't mean to, Do I tighten up? Right? We're good at immediate risks. We're not good at hypothetical risks because hypothetically it's anything. It's infinite. Our brains don't deal with infinity well. We just. So

there's qualitative and quantitative risk, right? As a small business, forget about being able to do quantitative risk. Any of you who've done your, your CISSP, right? They teach you about quantitative risk. Unless you're at a big company, quantitative risk is out the window. You are not going to be able to figure out if the cost of your control is more expensive than the value of that control. How do you even, that second part is the key. How do you ever come up with a financial number for what would happen if you lost X? Now, yeah, there's contracts involved. Okay, we lose it. There are certain things that are quantifiable, but there's always everything that touches it that you can

never quantify. So I just wanna say, don't try to do it. Go on to qualitative risk immediately, okay? Legal, our favorite. You need to become friends with legal, sorry. You have to become friends with legal. If your company doesn't have a legal department, I'm sorry, because compliance is all about legal, whether it's federal, governmental compliance, or just complying with contracts, because a lot of what you're going to be doing is are you in compliance with contracts, right? If you don't have legal, get it. Policy, the big risk in policy is not being able to actually do what your policy says. Period. You will, the world of hurt is when you have a policy that says we

do this and you're not doing that. And then an incident happens and your third party goes through discovery and says, oh, your policy says you were doing this. Show us, not just tell us, show us. You will be

Right, properly fucked. Policy, for every single policy in my organization, two pages max. And three quarters of that is boilerplate about who's responsible for what, right? Procedures, stuff like that, those can be however long you need them. Policy, short, sweet. We will do this and we are doing this. If you can't do it, don't put it in your policy. Take it out. Okay?

Insurance. Sorry. Gonna touch on cyber... [laughs]. Gonna touch on cyber insurance real quick. You have to have it. It's only getting worse with ransomware, because they've had to pay a lot of money and now they're trying to not pay. The most important thing for your organization is that your cyber insurance covers... Yes, you have to have it to ride this ride. You need 5 million, 10 million, a hundred billion in insurance, whatever. But if that insurance does not cover communication of breach, you're fucked. Again, very technical term, right? You're fucked. Because for state's attorneys, every single state... no, not every single, last I checked, there are 48 different policies around the country about how you need to report breaches. That includes when you report it, within a certain amount of time, when you report how it's resolved, what kinds of things you need to report, right? And for every single miscommunication, there is a fine, right? Everyone likes to think about the reputation risk of a breach and having to report a breach. And everyone shits bricks about the reputation risk. Executives, board, whatever. They're all, what about our reputation? There's no reputation to be had if the state's attorney sues you out of existence. Right? So watch your insurance, look at your insurance.

Okay, I'm running short on time because I talk too much. I didn't move forward. Okay. How do you get buy-in? Unfortunately, there's no answer. But you need... excuse me, no is not the answer. Let me get that right. You can't be the department of no. You have to be the department of "we can't do that, but here's what we can do." Or if you don't know what you can do, "we can't do that, but I'm going to find out what we can do." Right? No creates shadow IT. Shadow IT is your biggest enemy. They will work around you to get the job done. Don't be no. Say "not that," but offer solutions. And if you don't have the solution right then and there, say, "I don't have this now, but I will have it for you by X," and give them a solid date that you're going to have an answer by. Because you can always say, "Oh, I don't have it now, but I'm going to move X out to here." Let them know that an answer is coming. Reassure them, establish that trust.

Board sponsorship. I went ahead once. You're not going to actually get an actual security department started or get funding for security tools or security contractors without going to the board, because your CEO, or more likely your CFO, is going to be like, well, do we need that to run the business? It's going to be the first thing to go when they're told, every single time, that we need to reduce the budget company-wide by 10%. Those non-necessary expenditures are the first to go every time, every time. So you need to get someone on the board of directors of your company to be the sponsor for security, because when those budget meetings happen and all the executives and the board members are in a room going over the annual budget, and you're in there as the director, whatever, the lead of security, secure IT operations, and they go, well, we need to cut pen testing this year. And you're explaining that... it's you saying that, actually, because the CFO has handed you what your budget is. Right. And you're like, well, we were going to do this, but there's no budget for it. And then your advocate's going to go, well, why don't we have a budget for that?

And then you put it back on the CFO to explain why security is not necessary. Right? Executive buy-in is very similar. Five minutes. Excellent. Okay. Executive buy-in is very similar to board buy-in. But executive buy-in is what helps make the culture lift easier. The board buy-in helps you put pressure on the C-suite, get you funding, but executive buy-in gets the buy-in to the change of culture much, much easier, because no one wants to piss off the executives, right? Or they do, because they want their job, but eventually they're executive and they have the same pressure from the board on them. So executive buy-in is what helps you with that culture change.

Alrighty. Very little time for my last section because I talk a lot. Planning: what are the opportunities and challenges, the risk of thinking like a security person. And what do I mean by the risk of thinking like a security person? That security is somehow its own entity. Again, I want you to think of the organization as a system, as a body, right? What does blood do?

What else does it do? Oxygen, nutrients, yes. Right? And your immune system is mostly based in your blood, except for the part that's tied to the lymphatic system, which, oh, by the way, is directly connected to the vascular system. Right? None of these things stand alone in your body. Neither do they stand alone in an organization. You have to think holistically. And many of us want to go, oh, don't use SMS 2FA because someone can just hijack your SIM. But you know what? It's another step that keeps that attacker out and slows them down. They have to bother to SIM-jack you, right? Rather than just not having it. Don't let perfection... the idea of, well, the best way to do security is this. At a small business, any incremental change is better. Don't fall into the trap of going, if I can't do this the best way possible, I'm not doing it. Okay. That is why I say the risk of thinking like a security person, because I get into so many arguments on Twitter with people just going, well, you know, you can't do that because someone could do this. Well, there is literally no such thing as a secure system anywhere in the world. There's no such thing. Anything can be bypassed. Now, it may not be able to be bypassed digitally, at first. It may have to be a multi-factor attack in some way, shape, or form. But there's literally no such thing as a completely secure system. So don't get it in your head that you need to make a completely secure system, because it doesn't exist.

Due diligence, very, very important. Last step that I want to really talk about. Due diligence will save your bacon nine times out of ten. Unless you're a CISO. Sorry. Due diligence just means: can you prove that you have done what you said you were going to do? Right? In the end, this is what compliance is. It is based on due diligence. ISO 27001? All it is, it's a framework that says, what are you doing? Did you do it? Okay. That's ISO 27001. Again, just like policy, don't do anything... don't write a policy that you can't comply with. Don't say you're going to do something and not do it. That's what due diligence is. I've gone through so many breaches, so many events, where people get pissed at first and everyone's scared. Everyone's limbic system is going out the door. But if you can step back and show that you did due diligence, or even show where due diligence broke down and understand why, you're going to be okay. Unless you don't have insurance that covers communications.

Okay, I'm going to rant. If you're from a vendor, hardware or software, if you make me pay extra for single sign-on, fuck you.

Just fuck you. If you make me pay extra for sandboxing... I know that's a little higher level. As an SMB, fuck you. Because my security awareness training is not 100% effective. I could be the best trainer on the planet. I'm pretty good at training my staff. Doesn't matter. You've got people who are clicking because they're preoccupied. They're thinking about something else. If you are providing a service that is supposed to protect someone from technical phishes, whatever vector it comes from, and you have sandboxing capabilities in your product and you're not giving that to me as part of your product, fuck you. Okay. What else? Licensing. I'm sorry, I can't afford your product if the minimum purchase for the enterprise product is 10,000 units. I've got 200 employees. Useless. Oh, you can use our SMB product. You mean the one that just has a slide bar from more secure to less secure? No, just no. There are so many products like that where they just give you a super dumbed-down version for a small business. I don't want it dumbed down. Again, I have the advantage of being a small company with fewer assets, so I can actually know what I've got relatively well. Let me have that full control from your enterprise product to lock things down, so that I can get my cybersecurity framework 1.2 certification and not have to spend $120,000 a year of my budget to get the product that is required for me to get certified for that, to get contracts with the federal government, to get contracts with utilities, right?

If you are a vendor providing to SMBs, rethink SMBs, especially if you are aggregating their data to help your product out in any way, shape or form. I'm sorry, but the surveillance economy is bullshit. Pay me for my data. Give me your product. I'm fine. Use it for what you want. Put it in whatever studies and say, this company sucks, look at how bad they are. But give me the services for that data. Right? You can afford it. You've got IBM. You've got companies with more money than God as clients. I've got a couple hundred people. I've got 25 people. I've got five people. Whatever. Give it to me. You get more than enough data, because, as we know, especially if you are a small business that is a third party to government or critical infrastructure, the adversaries know this and that's who they're going after. You're the low-hanging fruit. Protect the low-hanging fruit, for the love of God. We need it. I've been very fortunate at my current position to have a very outsized budget for a company our size, for both IT and security. And I am still uncomfortable every day at work about what I'm going to find, because there are tools that I need, not blinky boxes, software that I need to automate, because I can't just keep throwing bodies at the problem, especially because I'm at a nonprofit. Every body I throw at the problem is a body that is not out there helping save someone's life.

systems, right? Nothing stands alone in a vacuum. If you're a vendor, please, for the love of God, start talking to your salespeople, start talking to people about giving your products or drastically reducing the cost to SMBs, because, again, there's a reason why this is from this movie. It's not a happy ending. Right? We're fucked. And it's not just SMBs that are fucked. Our critical infrastructure and the government are fucked, because no one will protect us.

Anyway, resources. Here are some of the things I talked about. The slide deck is going to be available. I still need to put the alt text on all the GIFs. So once I have this done, I'm going to put it up. There's my email, there's my Twitter. If you want a copy of the slide deck once it's ready to go, do it. This is just a little bit of the stuff. For those of you who are in the nonprofit sector, TechSoup is your best friend, because companies donate hardware and software to them and you just pay them a fee for handling it.

I get my Microsoft 365 E5 licenses for $7 a head. Just to give you an idea. Still expensive for us because we're a nonprofit, but it's not $35. So... oh, I skipped over. I know I've gone over. I'm sorry. All right. Tabletopping, another free thing you can do. Oh dear. For the love of God, tabletop, people, even if your company isn't going to go, okay, we're going to bring someone out to tabletop. Black Hills InfoSec. Wonderful company. If you're not familiar with them, they have pro bono training available, up to free if you can't afford it. They don't always offer that, but regularly, like at least quarterly, they offer free or pro bono training. They have a card game called Backdoors & Breaches, which is a tabletop game that you can use, also at that link. If you scroll down a little bit, they have an online and a Discord version of it that is free, that you can use inside your companies, inside your IT and security departments, to do tabletopping. So you don't need an expert to try to come up with these ideas. They've gamified it for you. Another free thing. As I mentioned Fletch before. Fletch... normally you have to go through the whole process and meet and greet, yada, yada, like startups. This one actually bypasses all that and just lets you start playing with it. So fuck around with it, people. Nessus Essentials, for those of you... Tenable is a great product. Tenable.io might be a great product someday. But Nessus Essentials is, again, if you're at an SMB, a free, as in beer, vulnerability management system. That should, I haven't played with it yet, hook into Fletch as well. And if not, I know the guy who writes the API at Tenable, so I'll bug him to make it happen. And then CISA. Who all made it to the Diana Initiative keynote this morning, where Jen from CISA was? She's amazing. Anyway, they have a website of all the security tools that they keep track of for free, tools and services. I wanted to put some... it's a ridiculous list. I'm like, what the hell is that? It's cool. So make sure you check that out. Open source is your friend at an SMB. Oh, hey, it's four o'clock. So I think we'll skip the Q&A and I'll just take it out there. Okay? Is there a... where'd it go? All right. Thank you, everyone.