
We are about to start a fabulous new talk about Planes, Trains, and Risk Assessments: Thinking Like a Security Consultant. Take it away.

Testing, can everybody hear me? Is it working? Awesome. All right, hello everybody, my name is Marissa. I'm really excited to be here today, a long-time volunteer, first-time talking, so thank you for joining me. My talk is called Planes, Trains, and Risk Assessments, and the reason why I chose this talk is twofold. Number one, people glamorize travel when you're a consultant. I'm happy to talk to anybody about that. I hated it. I didn't hate it, but it just wasn't for me. But number two, when you're a security consultant you're really required to think holistically. When I saw BSides started an industry challenges track, I wanted to show security practitioners that not only do we have the fast-paced realm of IT security and cybersecurity technology, but we need to check our foundational skills. You may not realize this, but sometimes the way you approach things may be the barrier between you and accurately assessing risk. So the things that we're going to review today aren't super technical. They're small tips and tricks that I learned, and they are able to help me fully and accurately assess risk within an organization. I'm going to be talking in the context of consulting projects, but you can definitely bring a lot of these tips and tricks back to your everyday job.

All right, so introductions first. Hello, my name is Marissa. I am a GRC consultant at CSO. We are hiring, so please, we have a table back there, please check it out. I believe we have a DevSecOps position and a senior GRC consultant position open, and I really do love my job. I'm not saying that because my bosses are sitting right here; I actually do really like my job, so please check it out and see if you would be a good fit. I also work in operations at Women in Tech Pittsburgh. What our goal is, is to really help upskill women in technology in Pittsburgh. I think to summarize that, we want to help them get paid more, so we provide opportunities for women to enter the tech industry as well as be promoted once they're inside it by offering them skills. Thank you. Before I was at CSO and WIT, I was a senior SAP security and GRC consultant, where I got to learn these skills from the best of the best at a Big Four, and I got to travel to like 10 countries and most US states. It was really fun and exciting for that time of my life. My industries were technology, healthcare, and food and beverage; those were the ones that I primarily worked in. Personally, I love to cook. If you know me, if I like you, I've cooked for you before. I love to work out; I go to Mecca Fitness in Mount Lebanon, if anybody else goes there. And then travel: I was trying to do 30 countries before I'm 30, but unfortunately COVID set that off. I'm stuck at 19. If you look up there, that's my dog Tulip. I foster failed her earlier this year. That's my boyfriend, and she was not super excited to be picked up, but I love that photo.

All right, so before we get started on our deep dive, I really wanted to level set and talk about what exactly security consulting is. I think my favorite question when I tell people that I'm a consultant is "what do consultants do?" A lot of people don't really fully understand. So I think when you're a security consultant you have three main objectives. Your first objective is to assess, implement, and redesign security measures. So when you're talking about implementations, it could mean implementing anything: secure coding process, standing up vulnerability scanners. I do GRC, so I do governance, procedures, processes, things like that. So what you start with is either a client who doesn't have anything and you're going to give them something, or they have a tool and maybe they're not using it appropriately to best practice, or maybe they're not using the full extent of their tool, so you're just going to help them use their tools to their best ability. Then next is the things we know and love: finding threats and vulnerabilities and remediating them. And then, most near and dear to me in IT security, is the CIA triad: confidentiality, integrity, and availability of data. I want to mention also that when we're talking about this, we're talking about true consulting. Sometimes when we talk about true consulting, it is project based, so it has a clear scope, beginning, middle, and end. Sometimes when you talk about consulting you're stuck talking about staff augmentation, which is you go and you fill a role for a couple months until they find a full-time employee. What we're talking about is experts knowing things and doing them within a client.

So next is soft skills, and I personally do not believe that we talk about soft skills enough in IT in general, and soft skills when you're in consulting is the most important part of your job. My theory is, if you're a good consultant, you could literally not know anything and talk your way out of anything and go and Google and find the answer later. So talking about some of the soft skills that I really appreciate in consulting: number one is leadership. You want to lead your clients. You want them to be confident in you, and you also want your teams to be confident in you. If they believe that you can get them there, and you actually should be able to get them there, then you're going to have a really good working relationship. Next is charisma. If you don't look like you want to be there, your clients don't need to hire you back to be there. So having charisma and being enthusiastic about what you're doing is really important, especially in consulting when you're doing it over and over again. Third is reading between the lines. This is the most important soft skill that you have in consulting. In business we talk about people, process, and technology, and people, process, and technology are the ways that you need to solve problems. So in a security practitioner's example, let's say somebody comes up to you and says, "Hey, my employees' passwords are being hacked." What is your first thought? Probably put in a technical control, multi-factor authentication, something like that. But when you go back to people, process, and technology, you might realize that it might not need a technical control; you might just need to train your people. So if you train your people not to give away their passwords, how to stop phishing attempts, things like that, then you're able to read between those lines and solve their problems, because maybe they can't afford a technical control, or maybe that's just not right for them right now. And then finally, adaptability. Adaptability is extremely important, because when you're a consultant you have a specific timeline to do things, and sometimes you go down a path and you realize it's not working, but you still have to finish by November 30th. So what you should do is stop, take a step back, realize that what you're doing isn't working, reassess, and move forward. Sometimes doing that can really hurt your pride, so when you're adaptable and you realize that it's just part of life, that makes you more flexible and able to solve problems.

All right, so talking about what types of jobs are out there. I literally just Googled this. Some of these things I don't know what they are, but really the point of this was to show that when you're talking about security consulting, anything you can do in industry you can do as a consultant, if you're really good at it. The redundancy might be great for you. Sometimes people don't like that; they don't like doing projects. But personally, for me, I like having a beginning and end. I like starting over and solving different problems. Yep, so these are the types of jobs.

All right, so to make sure we're on the same page, I wanted to walk you through exactly the steps of a consulting project realization, because we will be walking through what a consulting project is. So here you have your client identifying a gap. This gap could be a risk that they found when they were looking in their systems. They could be a new company and they just want to start thinking about security. It could be from a third party: let's say that they want to work with a government contractor, and that government contractor says that they need to be CMMC compliant or something like that. So first the client identifies a gap, and then a consulting firm creates a proposal. This could be you have a good relationship with them and they want to hire you, or they could put out a request for proposal, which is called an RFP, and that's where people throw numbers around and pitch things. The client makes a decision who they want to work with, then they hire a consulting firm to do the work. If you see this fun lit-up box here, this is where we're going to be living in the context of our presentation. So first you have an assessment. The assessment kicks off, you do interviews, you do the technical assessment, you create a report, recommendations are proposed, the client accepts your recommendations, and then the implementation work starts. This is extremely straightforward. A lot of things can go wrong in this piece. Let's say that you don't do a good job: you make recommendations, but your client doesn't like the way that you went about that. They could go with another consulting firm and not look at you. So this is an extremely straightforward workflow.

All right, so let's get our project started. Our client puts forth a request for proposal, and that is: the client wants to become ISO compliant due to a third-party requirement, and they need an assessment completed to have a better understanding in order to become compliant. So congratulations everybody, we won the assessment, so it's time to get started. It's really important to point out that risk is not arbitrary. Risk is not arbitrary. There are a lot of thought leaders in this room who probably believe that things are riskier than they might be, or have different opinions about how risky things could be, but when we're talking about clients, we need to make sure that we're always working towards best practice. There always needs to be a framework, regulation, scoring system, something like that. To talk about everybody's least favorite words: "because the auditor said so." Everybody hates that. So when we say risk isn't arbitrary, you should always use a framework, regulation, or scoring system when discussing with your clients. So how do we know which one to use? With the client in our example, somebody told them they need to be ISO compliant, so they're going to try to be ISO compliant. But that might not always be the case. You might come across a client who says, "Oh, I want to be CMMC level 5," and they've never done security before in their life. So you need to make sure that you are communicating and honest and upfront with them that, hey, maybe CMMC 5 is not achievable; let's start with ranking you at a CMMC 3, do the analysis, and see where that goes. So being open and honest with your clients about what is acceptable will help build that trust.
All right, so now we're going to start our interviews with the client. What interviews are going to do is help you better understand what's happening, and it's really important to make sure that your interviewees feel at ease. When you come in and you're a security consultant, the first thing people are going to think is that you're here for their jobs, and fortunately, in security we're not typically there to cut out jobs. That's what management consultants do. Just kidding, I actually don't know what management consultants do; I just heard they cut jobs. But starting off with a light conversation, finding things in common, making sure everybody's relaxed before going into the interviews is definitely going to make sure that you're getting the most accurate answers. If you look up here, you can see I have animal crackers. One time I went to Germany, Italy, and the Czech Republic, and we had to do workshops there. We flew with an entire suitcase packed with these frosted animal crackers, and that was a really good icebreaker for us, because we were like, "Oh hey, have you ever tried these before?" And the overall analysis was they were too sweet, because that's what everybody in Europe says about American snacks. But it really helped us form a relationship, especially in a place where maybe not everybody speaks the same language as you. We had to use translators, but this was a really good way to help bridge that gap. So, making the interviews feel at ease.

And then second is recognizing not everybody is a security expert. Making sure you level set and come prepared with direct questions is really going to help you in the long run, even if the conversation doesn't go that way. If they are security experts, well, I like to use this conference as an example. I meet a lot of people here who are super passionate about a lot of things, but they don't really level set. They don't ask me my knowledge, and they start talking at me, and even though they're really excited, I can't express the same amount of excitement, because I don't really know what's going on, and I leave that conversation feeling a little off. That's not what we want to do, because people are less likely to talk to you and be honest with you if they're not sure exactly what's going on. So if you can recognize those gaps and come from a place of knowledge and collaboration and understanding, you're definitely more likely to get the information that you want out of those interviews.

And then finally, and this I think is the most important part, always make sure you're asking for evidence. That evidence could be design documents, post-incident reports, network diagrams, all those things. We're not auditors; we're not here to comb through and tell them everything that's wrong. But what you can do is double check and make sure that they're actually doing what they say they're doing.
All right, so understanding the types of folks you'll be interviewing is also an important strategy to produce the most accurate information. I picked the four biggest archetypes that I see. I would like to note that these are just archetypes that I made up; I am not coming to attack anybody in this room. So you should be able to identify the type of person when you're in that kind of pre-conversation where you're trying to make them feel at ease. They might say, "Oh hey, this is something that I'm really good at," or, "Hey, this is something that maybe I don't have a lot of information about."

So we're going to start off with Security Sal. I recognize that some people in this room might be Security Sal, where they have a program that they set up, and it's their baby, and they've done so much with it. Or maybe they just came in and they're kind of at odds, because they're still trying to understand the program, things like that. He may be ready for this change, or he may think that you're here for his job. So I think that the best approach for this person is to be really interactive with them and don't call them out. Recognizing their strengths is super important, and using those to your advantage, and when you talk about their weak points, you need to use that as a point of opportunity to help you build. So when Security Sal is like, "Oh yeah, maybe this is something that I really want to improve on," jot that down and have it in your findings, because that's a way that you can help build that trust and build that relationship, and then he knows that you're here to help.

Next is Anxious Annie. Anxious Annie is probably part of the business. HR is somebody that we talk with a lot, maybe finance; I used to do SOX controls. Anxious Annie has no idea why she's there, and she doesn't think that her job has anything to do with cybersecurity, IT security, anything like that. I think the best approach is coming with really direct and straightforward questions: get in, get out, get going. Also use this as a chance to explain to her why exactly she's there. So making sure that they understand their role in security, while also being really direct and straightforward, will make them feel like they actually understand: "Okay, I'm a puzzle piece, and this is how I fit exactly into this world."

Next we have Talkative Tom. Talkative Tom will tell you everything about the company, things that he does not believe he should be telling you, things that, you know, maybe he tells you about the bagel he ate for breakfast this morning. Talkative Tom really just likes to talk, and I know we talked about collecting evidence: if something sounds too good to be true, it probably is. So definitely make sure that you're going back and double checking that exactly what he's saying is the truth before you trust everything that he says.

And then my final archetype is CEO Carl. I'm not talking about my boss Joe over here, but CEO Carl is the obligatory older white man. CEO Carl is probably funding this project and wants to make sure that everything goes super smoothly. CEO Carl probably got in his role because he knows best practice, and that's probably what he's going to tell you is happening within his company. He's not going to recognize that there might be gaps, because he doesn't work and see the everyday. He's signing off on process documents, he's signing off on risks, he's giving money to these programs, so he's going to tell you that everything is operating smoothly and exactly as intended. The problem with CEO Carl is, if he's in the room when you're interviewing everybody else, what are they going to do? They're going to lie. They're going to say that their program is running great and everything is wonderful, because they don't want CEO Carl to think that they're not doing their jobs. So making sure that he's not in the room during these interviews is really going to help you get the most accurate information.
All right, so we got our information. Let's get our presentation ready.
So, the art of not surprising and building trust. Your final presentation should not be the first time that everybody is seeing what you're offering. I put some ideas of the way that you can give these updates: having regular status meetings, giving draft reviews, working sessions as you're producing the report, or at the end of every interview maybe working with them. But I think for the best bang for your buck, it's going to be quick wins. What a quick win is, is something that wouldn't be an entire project. I'm going to use Brandon for an example. Brandon had a security awareness program that he hasn't put forward yet. I hope that's okay, Brandon.

[Applause]

So yeah, he has a security awareness program, and a quick win is, "Hey, publish this." That's definitely one of the things that you could do that's really quick: get that forward and you're going to check that box. Also another little push: maybe they're working on non-proposal procedure documents that they haven't published yet, something like that. What that does is really show that you care, because you do care about your clients. You really do care about the things that they do, and you really want them to know that, so it's not just here for money.

All right, so when trying to communicate risk to a group, it's really important that it's easy to understand. The way that I like to do this the most is using an impact matrix, starting with high impact, low effort and working your way around. A lot of the time the people that you're delivering to are probably high level; maybe one person in the room is the person that you've been working with, but they might not be super knowledgeable about risk rankings, risk ratings, things like that. When you use this matrix, what this does is it allows you to help them prioritize. So if it's somebody that maybe has a lot of money, you could probably start high impact, low effort and then move to high impact, high effort. If it's somebody who's just trying to get their program going, you're going to start high impact, high effort and work your way around. So this is very easy, you can find it at a glance, and it'll help you build a roadmap so everybody better understands what the risk is. Excuse me one second.
All right, so next is breaking things down monetarily. This is my least favorite approach, but it's one that's worth mentioning. So I had a chemicals client, and I did an ITAR assessment at a chemicals client. They did an ITAR assessment because they were in the talks for having a government contract, and when I walked through this beautiful report, I think it was the longest report I ever did, it was like 43 pages. I walked through 43 pages with them, and they're like, "We don't care, because we got this contract and we have to do it, so just give me a number." So I was like, "Okay, your number is two million dollars, congratulations." But when you lay things out monetarily, make sure that you're always also telling them exactly what they're going to get from that. So you definitely need to make sure that it's presented with maybe the risk of not implementing: "Hey, if you don't implement, you're going to miss out on this two million dollars' worth of contracts," or, "Hey, if you don't implement, then there's other clients out there that are looking for this framework assessment," things like that. You're going to make sure that they know what they're missing if you're presenting monetarily first.

All right, so tips on making recommendations, the do's and don'ts. I'm going to start over here with the do's. I think automation and tool reuse is something that everybody is probably familiar with. Whenever you're making sure that you're using tools that clients already have, they're going to be more likely to work with you, because they don't have to spend as much money, and I think it's going to be easier for you, because they already know these tools and you don't have to do a lot of training. And automation is something that speaks to everybody in this room, I'm sure: making sure that there's less hands-on work. The big one in here is adjusting recommendations while still maintaining integrity. So let's say a client says they don't have money to invest in a huge risk that they have. What I would recommend is making sure that you're breaking it down into smaller, more manageable pieces, because what might happen is, if you seem to reduce the risk, they might think, "Oh, this risk isn't as big of a deal, because we can't afford it, so we need to rush over it." You need to maintain the integrity of the risk. You need to make sure that you're still communicating that it's important, even though they can't afford it, or you have to find worse ways to work around that.

And the don'ts. Do not exaggerate risk. What I mean by this is, as a consultant, they're coming to you and trusting you because they really think that you're the expert. I'm going to use zero trust as an example. I really think that zero trust is just a way for consultants to sell more work, because you're saying, "Oh, you need to lock everything down, lock everything down." That's not true. I mean, maybe it is in certain scenarios, but with zero trust you're just selling more and making those recommendations when maybe they don't need it. So making sure that you maintain integrity when you're discussing risk and only doing what's necessary is extremely important. Next is back channeling. I know we talked about earlier in the presentation that with back channeling you should be telling them things. Don't be inconsistent; I think when I say back channeling, that's the problem. If you say something's a big deal, but then on your presentation you say it's not, that makes the client relationship lose trust, and they might not want to work with you in the future. And then finally, be realistic. Don't over- or undersell effort. If another consulting firm is saying that it's going to take six months, and you say that it's going to take two months, they're going to be like, "Why are these people saying it's going to take six months when you say it's going to take two months? Are you not doing your job, or are you doing something really fast, or are these people just dragging it out for more money?" Things like that. So making sure that you're accurately assessing things is really important, not only for you, but to manage your clients' expectations.

All right, so congratulations, we won the implementation. Let's deliver for our clients. All right, so independence and integrity. You are the security expert and they're coming to you. You have to protect their data. As security consultants, we may have access to things like insider trading information. I worked at a large beverage company that extremely protects their secret... what is that? There's their recipe in a vault. Yeah, their secret sauce, SpongeBob. So we worked at a large beverage company that protects their recipe in a vault, and I was digging through their sandbox when I was still an SAP consultant, and I found a bill of materials for a recipe for their thing, and my heart stopped, because I'd seen it in this vault down in Atlanta. I went and I told someone. I was like, "Hey, you guys have a bill of materials here, like, this is your recipe, and you really protect this." I said something because I didn't want anybody else to find this when I was just digging around in a sandbox. They're like, "No, no, it's sanitized, you're fine. You know that we sanitized the data when we brought it down from prod." I was like, "Oh, thank God." I don't think I could have resisted looking. But that's what I mean by maintaining integrity: if something seems wrong, or something seems like it's off, it's your job to do something about it.

So let's walk through some scenarios. These are ethics questions, kind of. This is your ethics exam in the context of security consulting. Your client asks you to change technical configurations that do not coincide with best practice. How do you approach it? Does anybody want to try to take a guess?

Yeah, slap them upside the head. Anybody? Yes, yes, that is a great one. But they still say no. Yes, yes, yes. Sorry, he said explain the risk; he said try to bring them towards best practice. Do you have another one? Yeah, yes, yes. Those are all great things, and those are all the steps that we were going to walk through. Good job, everyone. So first is why: they might have a good reason. It could be they need to let somebody in, something like that. Yeah, so first is to discuss the risk. You should be documenting as you go. Let's say they still decide that they don't want to do it: document, document, document. If something goes wrong, you might be responsible for that, so as a trusted advisor you want to make sure that that does not come back on you, and it was their decision. Opening a risk acceptance form is one of the examples that you could take, but making sure that everything is written down so that it doesn't fall back on you is extremely important.

All right, scenario two. An individual at your client says they're moving changes through proper change management channels. They say that they are, but you check the audit logs and find that they have been moving changes without approval. What do you do?
Jules, anything?
Yes, yes. Making sure that it doesn't come back on you is extremely important. She said get a copy of the audit logs, make sure they don't come back on you. Anybody else? Yes.
That's a great one. So he says go to the proper channels; he says talk to them and see if maybe the process is too complicated. Those are all great examples. So I think what I would do if I was in this situation is first discuss it with the individual. See exactly why; they might not know that they're doing it wrong, and educating them would be a great first step. If they still continue to do it, it's your job to raise it as a red flag, escalate, make sure that they are finding that you're taking them through the correct path. It's your job to be that advisor. So making sure that you tell them exactly what they're doing wrong, or making sure you're telling the client exactly what they're doing wrong, because if they know that you saw it, it might come back on you, and you definitely don't want that. All right, good job everyone. So, great, we continually sold work, and we all buy BMWs and we live happily ever after. So thank you all for being in my consulting firm.
So, discussing key takeaways: risk is not arbitrary, making sure you pick your favorite framework; level setting who you're talking to; making risk easy to consume for all parties, so making sure everybody knows exactly what you're talking about and they understand; maintaining integrity; and then finally, don't write "hip" on your resume. I didn't talk about this, but I think this one's really important to hit on, because I'm sure that this happens all the time. Huh? He says he throws them away, and that's coming from a security consulting CEO. All right, so anybody have any questions?
Yes.
So from a security consulting perspective, if you make a mistake, you're going to get fired. I mean, it's just like that; they're paying you to be there. Mistakes do happen, and I think that there's a certain threshold of trust and integrity that people can understand, but if you're consistently messing up, if you're consistently having problems, then your client can just simply choose not to work with you anymore. So I think those are some of the ramifications. When you work for a Big Four like I did before, sometimes that person would be kicked off the project and they could continue their project, because those are typically millions of dollars. So those are some of the ramifications that I've seen. Thanks for the question. Anybody else? Yes.
So I only heard the first part of the question. So what are the challenges that I've seen that don't align to best practice?
It's not the same with each client. So what are some of the challenges you face as a consultant, even with all your experience, that you're still trying to overcome? I think right now it's employment. A lot of our clients have... there's not enough people to support. I think I've been a consultant going on six years now, and there's not enough shoes to fill the roles that they have, and work does not get done on a fast enough timeline. When work is not getting done on a fast enough timeline, that pushes you back. So I think that's one of the big challenges.
Another one is with people. A lot of the time, like when I'm talking about Security Sal, I've been working with people who had been in their jobs for like 40 years, and they don't want to be told that what they're doing is wrong. So making sure that you're really developing a good working relationship with that person is very, very important, because then they might be able to make changes and adapt appropriately. Thank you for the question. All right. Oh, money. Money is a big problem too; nobody has money. Any other questions? All right, well, thank you for coming. I really don't use social media. I do have my LinkedIn here.
If you find me on Twitter, you can use OSINT to do that. And then I want to do a shout out to Women in Tech Pittsburgh as well. We do have a lot of opportunities. We're going to do a Kubernetes workshop in Q1 of next year, so you can contact me directly or just start following us on socials. And we'll be doing a new Hacking Barriers, which is a workshop for women of color entering the tech industry in Pittsburgh. So, all right, thank you everybody, I appreciate it.

[Applause]