Episode 42

Prioritizing Cyber Simulations with JC Vega

EPISODE SUMMARY

Do you know the difference between having a cyber incident response plan in place and being incident-response ready? Cyber simulations, gamification, and decisive action training should all be part of your plan. In this episode, Joseph Carson is joined by industry and Army veteran, JC Vega, to discuss the critical ABCs (Awareness, Behavior, Culture) of cybersecurity training and more.

Joseph Carson:
Hello, everyone. Welcome back to another episode of 401 Access Denied. I'm your host for today's episode. My name is Joseph Carson, chief security scientist and advisory CISO here at Thycotic. And it's a pleasure to be here with you. I'm really excited about today's episode. And it's been quite a while since I've had the opportunity to speak to JC, so I would like to introduce you to my awesome guest. So, JC, give us a little bit about yourself and what you do.

JC Vega:
Sure. Hey. Joseph, it's been way too long here. So, I'm JC Vega. I'm the CISO at Devo, and we're a cloud-native logging and security analytics company. And before that, I served with the US government for almost 30 years doing cybersecurity and doing a lot of the things that we're going to talk about here in real-world environments with real threats.

Joseph Carson:
Absolutely. It's fantastic to have you on the show, and I'm really excited because it has been way too long. That's what I love about the podcast because I get to talk to really good friends that I haven't spoken to in a long time, so it's always great to have you on. So, today's episode is all about the importance of cyber simulations and the importance of basically really bringing gamification into the business. It's so important. I always say that when I get involved in things like incident response, the problem is too many times in an incident response, it's sometimes the first time the organization's practicing their incident response plan. It's the first time they're even getting other parts of the business involved in it.

Joseph Carson:
And when we think about security, security's not just a security team response, it's not just an IT team response, it's a business response, and everyone must be involved. So, I mean, for you, you've done many simulations in the past and gamification, how important is it in the industry that we really need to make this a priority and that organizations really practice it, not just talk about it?

JC Vega:
It's a top priority, and some of us look at incidents, cyber incidents, as extinction events for organizations and extinction events for jobs, for certain individuals when they occur. And the important thing is we... Previously, we'd spend a lot on prevention and protection, and that has now shifted to being able to detect and respond and recover, have that resiliency within your organization when an attack occurs. That is a coordinated effort. That is an orchestrated event across the technology, but also across the business lines. If it was any other type of disaster, it wouldn't be the security guards protecting the organization, or wouldn't be the plumbers protecting the organization from flooding. It would be a whole of business response and the impact to the operation. For some reason, we've gotten the idea that cyber is only the technician's responsibility. It's a whole of business responsibility, especially when you look at even the most annual companies are dependent on technology now.

Joseph Carson:
Absolutely. I've had so many discussions because I've been talking about in some of my recent speaking sessions that I do, I've been talking about a specific incident response for a ransomware case. And the thing is that the organization, they had a plan, but the first time they were reacting to that plan was the time that the ransomware case was happening. And it meant that when they realized, one of the things they realized during that incident, was that their backup strategy was not protecting them against ransomware. That was the first time they realized, basically, because the backup was preventing them against things like hardware failures, data corruption. The ransomware attackers came in and they encrypted the production systems and they also encrypted the backup system because it was online using the same credentials.

Joseph Carson:
And this is something that organizations, it's so important that they do these simulations, they get into, for example, the HR team being involved in the simulations, the CEO, the executive team need to be involved because they need to know their roles and responsibility. They also need to make sure the legal team's involved because they might have to respond to things like law enforcement requests or data protection authorities and so forth.

Joseph Carson:
So, we have to understand, you're absolutely right, when we have an incident, it's a business response and, therefore, we can't basically rely on just the security team picking it up and saying, "They're going to protect the business." You're absolutely right that the organization needs to be ready. And I always talk about it's the difference between having an incident response plan, but actually being incident response ready. And if you practice, you do the techniques, you do lessons, you do the role playing, it will get more sinking into the memory, more into the repetitive tasks, and it happens much faster and you respond better. And therefore, ultimately, your incident response effectiveness becomes much more effective in being able to be resilient.

JC Vega:
You've heard me say something before that I take this from my military experience, is you train like you fight and you fight like you train. However you're training right now is how you're likely going to respond to an incident, and if you're not training, that's very indicative of your response. Now I'm going to say something here that's very controversial. Your plan is worthless. I'll say this to everyone out there. Your plan is worthless, but your planning is priceless. And that's to say that the act of planning, part of that is exercising, part of that is coming up with what could possibly go wrong.

JC Vega:
And remember, the threat, we'd say in the military, the enemy gets a vote in your actions that you're going to take. Because they're going to respond and they're going to insert the things that you may not be prepared for, but during your planning process, you can look at their most likely course of action, you can look at the most dangerous course of action for you. You can look at those red herrings, those ideas that, "There's no way they would do that," but if they did, what would you do? And you can take into account what would you do if your backups failed? And as you start to think these through, there's probably, I'm just guessing here, 10 different things that you thought about but you wrote down one in your plan, just one, but you still have that knowledge of those 10 things that you thought about. So, when the actual incident or event occurs, you still have that background, that experience. We did think about that.

JC Vega:
We did not include it, but we thought about it already. And now let's take all these different things that the team was thinking about, and now we have to react. The plan is a guide. If you stick to the plan and that plan does not lead to success, then at some point you have to say, "I have to deviate from this plan." But you better know the plan that you're deviating from. You don't want to do this on the cuff. So, how do you do that? That's where you practice, that's where you put the organization through different scenarios, and that's where that gamification starts, or where it could really add great value.

JC Vega:
We talk about gamification, what is it? We all do it already. Most of us are competitive in one way, shape, or form. We want a better car. We want to wear nicer clothes. We want to be faster than the person next to me, or I want to score higher. What do all of those things do? It's putting you at a benchmark against something. It could be internally. It could be your own personal best. But the idea of being able to measure progress, being able to see where you compare to yourself and to others, and being able to have a method to improve that, you know what you have to do to run faster, you know what you have to do to have a nicer car than your neighbor or a cleaner car than your brother or sister as you're growing up so that they get in trouble and you don't.

JC Vega:
The whole idea of gamification now is taking those attributes and putting them in a digital form and also making it come to life. And that's where you get into this idea of a decisive action training environment, creating environments where decisions have to be made, where there's engagement, where it's unpredictable, it's scalable. And the outcome isn't going to be the same every time because your behavior, your decisions that you make or don't make are part of the variables in this very complex and scalable and adaptable environment.

JC Vega:
And creating that, it seems right now that I'm giving you the, "Oh my gosh, this is an impossible task that we can do," but it's not. It starts at a very basic level on you, the individual. What is it that you know? Where do you stand today? And we can get into that some more, but the idea of using this plan for incident response and testing yourself on how well you perform, measuring that and giving reinforcement. And sometimes it's not even assuming the role that you are trained or paid to do because sometimes that person who has that role isn't going to be there to actually make the decision. Someone else has to. And that may be you. And so, how do you react when you're degraded like that? The threat will still be there.

Joseph Carson:
And cyber attacks, they don't happen 9:00 to 5:00. They will happen... Even I remember, when some of the major... the likes of NotPetya and WannaCry, when I was talking to peers and CISOs, some of them were on vacation calling for help. They were on family vacations with very limited phone connections and internet connections in the middle of major incidents. So, you're absolutely right, sometimes other people, you have to sometimes practice those role plays and changing roles and being in other people's positions because sometimes you might need to pick that up.

Joseph Carson:
So, a question, JC, for organizations who are really thinking about, let's say, gamifications and simulations, where's a good place to start? Where would you recommend they... Because many have been, in the last couple years, thinking about incident response and thinking about their detection and response and threat hunting, other types of activities. What's a good place to start for them? Do they need to have those discussions already with the board and the executive teams, other departments? What's the starting place for this?

JC Vega:
There's a lot of tools, there's a lot of organizations out there, and there's a lot of people who are willing to take your money to help you do this. And at some point, it does make sense to bring in external help to really professionalize and hone your skills, so I am not against that at all. In fact, we use outside services, I've used outside services, and we have used professionals for things like that. But I would say it starts with you and your organization, depending on where you're at. And first of all, identifying what are the most important incidents or events that you need to be aware of, and what we call these are your priority information that you need to have. Priority information reports. And one of them is your critical information report.

JC Vega:
And what I say to that is what is that? What are those handful of events that you would call your CEO on a Wednesday evening when you know he's walking his daughter down the aisle, or she's with her daughter when her daughter's giving birth, that you're going to call her at that time because she or he has to know right now that something happened? What are those events? And there aren't a lot. It's a category of events. It could be that you had a major breach and it's on the news right now and you want them to hear it from you first. It could be that there was a catastrophic failure of some sort in your environment. But talk about those and then share those with your senior leader and say, "Okay, in the event that this happens, what would you like us to do first? What are the first steps that you would like us to do?"

JC Vega:
One of those first steps is bring the team together. Okay? So, we talked about IT. It's a major data breach, so I'm going to call in the CISO, I'm going to call in the techs, I'm going to call in the security engineers, I'm going to call in... But who else should you call in? Call in your professional services teams, the ones who have direct contact with your customers. Call in your corporate communications because they're the ones who are going to vet everything that leaves your organization. Have a way to notify every employee of what's going on so they don't hear it first on the news. That would be your HR team. And so, notice, I said there was a breach or some type of technical issue, but the last few people that I said to notify, none of them are the technicians.

JC Vega:
This is about getting the right people in place to prepare to defend the company from an extinction event. Okay? Call in your lawyer. Your lawyer probably has the incident response team on retainer. And then there's very methodical steps that have to happen and things that you need to do, but if you don't practice this and they're not prepared to take that call, then it could be chaos just getting those people together and then bringing them all together at a certain time. And then set up a cadence on what you're going to do after that. Now I'm getting more into the details, but first, bring the team together is one of those first things. Okay? So, I just said, bring the team together. So, what can you do right now? Who's the team? Who's the team that I need to bring there? What do they bring to this? So, that's very initial steps, is find out who your team is in the event of a crisis.

Joseph Carson:
Yeah. Because it is crisis management. I mean, that's absolutely right.

JC Vega:
It very much is.

Joseph Carson:
It's not an incident response. It's a crisis management. Incident response is part of that crisis management mechanism. And it reminds me, everything at the time I think about this, and reason why it's important to do simulations and do the gamification, is it always reminds me back to an incident. I'm based in Estonia, and many years ago in Estonia, we, of course, we had the 2007 cyber war attack. Me being the survivor of cyber wars, always a great story to tell. But it's part of that.

Joseph Carson:
One of the things I always remember is being an incident responder and helping organizations recover from that scenario, is that at the time that was happening... So, DDoS attack, bringing services down. And I always remember, when I always think about the cases that made me learn something, and I think it's always important to share, is that sometimes your DR or incident response plan is more harmful if you haven't practiced it, if you haven't gone through that simulation. And a particular bank who did, basically, during the DDoS attack, they did have a DR plan. They did have an incident response plan, but it wasn't customized to the type of incident they were having. It was customized for hardware failure. It was customized for data corruption, but it wasn't customized for DDoS attack.

Joseph Carson:
So, their DR plan, basically, brought up their disaster, their backup systems into production. So, end up having an active, active scenario, and that meant that they had two production systems online. One was periodically being hit by a DDoS attack and the other one was not. Meaning that that systems, because it was periodically online, transactions were also happening through that system, as well as the system is brought up as the disaster recovery. So, they end up having two, basically, systems telling the truth, and it meant that as their DR plan, as the DDoS attack stopped and went away, they now had two systems that they had to keep maintaining for another year because they maintained those transactions and financial transactions.

Joseph Carson:
And that meant that their disaster recovery plan was more costly. Their response to the incident was more costly because it didn't customize, it didn't simulate, it didn't think about those scenarios, and it meant that, basically, from a financial perspective, this was something that they then decided that they needed to go through these simulations, they needed to ask those questions you're saying. What type of crisis are we going to be dealing with? What if this happens? What if this happens? And therefore, augment it and go through the simulations to see what things they should have been doing in those scenarios. And without doing the simulations, they don't have those questions.

JC Vega:
No, and that's important because one of the questions that you have to ask yourself is, "Where am I most vulnerable?" And we all know within ourselves, within our family, within our teams, within our organization, where we are accepting risk, whether we want to or not, but we know that we're accepting risk. So, if you know that you're accepting risk, you have to put some mitigation or something in place so that it isn't all the risk and you're just managing the residual risk. But the idea behind knowing where you're at risk, and if you see a threat that is attacking you there, it may change how you behave. Also, you want to know what kind of threats are out there, so what are you protecting against? So, part of this simulation or this gamification of cybersecurity...

JC Vega:
And keep in mind, so far, you and I have not even talked about that this being a technological event. This could be a tabletop. And I'm a fan of tabletops, but I consider tabletops a crawl phase of a crawl, walk, run mentality, where the best you can do right now is crawl. Once you learn to crawl, you can walk. Once you learn to walk, you can run with your planning. So, first, know yourself, know your enemy, and know what you need to defend and how you would likely defend that. Okay? So, now, put that in writing, share that with the organization. Now come up with a plan given that scenario, and now you have the beginning of your incident response plan, who would be involved in this. So, that's just a plan now. And probably just a handful of people know it. The one who knows it most is probably the incident response lead and he or she is going to be frustrated as all get out because no one else is reading it. Okay? That's a fact.

JC Vega:
So, how do you make it come to life? So, that's where the tabletop exercise comes, where now you put these scenarios in front of them and you... Everybody has the plan, everyone has a pencil with him, and then you start going through it and you start to say, "Okay, this is what happened. This is the external variable that occurred. What are we going to do?" And someone gives an answer, "Oh, well, the plan doesn't say that." Well, what's the right answer? You have the experts there. Well, the right answer is to do it in this order, not the order... Well, let's change that right now. Let's make that adjustment right now so then it's a living document.

JC Vega:
And what you do is you take parts and pieces of that plan... Because you don't want to do a whole run through because there's going to be updates and you want to do this continuously. It's a living document. And that goes back to the train like you fight, fight like you train. If you're always training as if there's going to be an incident, then you're updating. When the actual incident occurs, you're going to break out those plans, but you also have the resident knowledge in everybody to be able to contribute to this success of overcoming this event. I'll get into a little bit here what a decisive training action environment is. That's when you're immersed. That's when you're immersed in it.

JC Vega:
When I taught at West Point, that's where I... one of the founders of the Army Cyber Institute is one of the things I did before I retired from the government, is we had cadets, these are freshmen in college, every single cadet had to box as one of their requirements for graduation, had to learn boxing. And many think, "Well, it's because you're in the military because you fight and you do these different things." That's not the main goal. The main goal of boxing for cadets is that they're taught how to defend themselves in a fight. Okay? So, they know how to block, they also know how to throw a punch, and they're taught, "This is how you block. This is how you punch." And you get to spar with somebody, but you're learning muscle memory there and it's being reinforced.

JC Vega:
Okay, but what makes this a decisive training action environment? When you're actually there toe to toe with an opponent who is your weight class, that opponent is really trying to hit you. That opponent is really trying to score points. And for some people they've never been in a fight before ever, and now you have an opponent, a worthy opponent, who is trained as much as you trying to pummel you and you have to rely on your training. And what does that instill? That instills fear, as you're naturally scared, but even though you're scared, you're having an emotional experience, you have to channel that training that you have and you have to be able to react and fight through it and defend yourself and hopefully win. But the training there is that emotional experience of being scared and being able to rely on your training and experience. That translates into a cyber incident of when one happens, you will most likely experience some emotions that you haven't felt to that degree in a long time.

JC Vega:
When I have put people through training environments, cyber training environments, I ask them, "When was the last time you felt this way?" One of them says, "I felt this way when I was getting ready to jump out of a plane just two weeks ago when I was skydiving." I said, "It was that emotional?" He said, "It was." And it's amazing what that does, is that changes your composition, but you also remember, you remember the experience. So, when that happens again, our fight or flight comes back and says, "I know what I'm supposed to do. I'm going to run to this fight and I'm going to do my part." Because when you're in a high stress environment like that, predictability of behavior is very important with your team members. You want to know how they're going to behave. You want to know that if they did it wrong, you want to give them a reinforcement on what to do right. If they did it right, you want to praise that so that you can give that immediate reinforcement, because that's where you're going to change behavior, and that's where you're really learning.

JC Vega:
That's what's so great about online gaming is the feedback is immediate. You have a scorecard, you have a progress card. You have a progress bar. You have leaderboards. You're measuring how good you are and you're getting that response right away. We can do that in cyber. We have capture the flag events, we have other events that we do where we're taking this event, we're digitizing it, and now you have a new way of absorbing knowledge in a very experiential platform. So, taking this plan, exercising it with your team, and then doing a no notice, "Here's something just happened. Hey, this is just an exercise. You can tell the key people."

JC Vega:
When you do a phishing campaign, you're doing that, but what are you going to do with it? How are you going to get immediate response? What I do when we have our phishing campaigns and somebody writes to me and says, "Is this phishing?" I send them huge amounts of praise. We even give gift cards away to people for reporting something that... Not to everybody because there's some unpredictability that you want in there, but you want the behavior of, "Let me know," as opposed to, "Of course this is phishing. Duh. Why are you sending it to me? You should do the right thing." That's also reinforcement, but it's not positive.

Joseph Carson:
Yeah. It's a negative for point, is that what you're doing is that they will remember that the next time, and they won't respond because they get that... You don't want negative reinforcement because that basically deters people from doing the right thing.

JC Vega:
That's right. I would much prefer over-reporting than under-reporting. And so, the idea of creating that whole environment. Go ahead.

Joseph Carson:
No, absolutely. It does remind me, is that we want to make sure, as a pen tester and going through ethical hacks in the past, the one challenge that I find is that when you get into organizations, that employees are not afraid to report, they're not afraid to speak out, they're not afraid to ask for help. That's basically organizations where it's very, very difficult to stay hidden, for the attackers to be stealthy. And if it's getting positive reinforcement for people to do it, that turns the employees into a powerful defender in organizations. And that's what we want. If they're on the front line... and I hate the term of employees being the weakest link, I hate that term because it's that negative reinforcement. We want to turn them into powerful, basically, allies to the organization's defense, so that when they do see something suspicious, they're not afraid to ask questions, they're not afraid to ask their colleague, "Does this look right? Is this something I should click on? Should I report this?" And if we recognize that and reward that mechanism...

Joseph Carson:
It reminds me of a book, the ABCs, which is the awareness, behavior, and culture. And it's important. Awareness is one thing. It's a point in time measurement, but we have to change that. We have to get to where it's that immediate, it's continuous, and that's where you focus around the behavior side of things. But ultimately, you want to get it as part of the organization's culture where everyone's working together, everyone's not afraid to ask peers for advice or report things. To your point is that over-reporting allows you to at least have a baseline of where you can actually look for potential threats and filter those out. That's where attackers, attackers, when they're looking at organizations, when they see organizations where...

Joseph Carson:
I have a couple of methodologies, one is it's the amount of time it takes me to do something, how much resources it takes me to do something, how much it's going to cost me. But my fourth one is how stealthy can I remain? What's the potential of me being detected? And that's always the difficult one to measure. And if you get organizations where people talk, you're going to be detected early in that attack path. So, you're absolutely right.

Joseph Carson:
And another thing that reminds me that goes into the ABC side of things is I read a book earlier this year, which was Atomic Habits, and we want to get that where it becomes a habit, that you've done it so often... As you talk about in simulations in gaming, you get into a habit that all of a sudden it becomes almost assimilated. You sometimes don't even know you're doing it because you practice it so often, and that's where we want to get it into where it just becomes a natural process, it becomes a habit. So, that's important.

Joseph Carson:
And I also think that we're actually getting into where I've started seeing even hacking becoming almost like an eSport, where basically people are actually going to be watching people and learning from those skills. I think we're in the change in the industry where that immediate response you're talking about, that positive reinforcement and learning and the gamification is going to be what's really needed because I think it's important that we get into... Rather than being reactive, we've been very reactive to security threats, we're always fixing the threats of yesterday and not thinking about what's the future proofing. And future proofing does mean that we need people to be involved in that. We can't just have them as being, let's say, passengers in this. They have to be involved, and therefore, they also have them included. And that will get us to where we can get to the point where we can be more resilient against the future threats. We need to start future proofing security threats, rather than just always this being reactive approach.

JC Vega:
No, and that is so true. I'm going to highlight one point you started with there, and that is the people are the eyes and ears. You know what is right from your field of view. You know what is normal. You know when something is out of place. I, coming in to assess something, may not be able to see what you see, so it's important that you report those anomalies. And the idea of training the people... You mentioned where we're going today. I mean, if you look at our attention span now, it's very short. If you're scheduling me for an hour long meeting, it better be good and it better have different parts to it because you're going to lose me otherwise. So, your meetings now have to be adjusted in very small increments.

JC Vega:
I was part of a very large conference with the previous company and everybody... In fact, you and I presented at one of those conferences together. And the presentations, a lot of them were an hour long, and then we found when we went online, that the attention span was 18 minutes. 18 minutes. And so, the other 42 minutes, no one's paying attention that much, so you had to adjust from there. Look, when you're online now, say TikTok or whatever, they're just very, very short videos and you may watch them forever and not realize that you just wasted an hour of your day. But there's a value proposition there, and that is, is it worth it to me? Am I getting enough out of this to continue doing this? Because there's other things I could be doing with my time. So, that's where you have to make your training very impactful and short burst.

JC Vega:
And then you got to measure whether they're retaining that skill, they're retaining that experience. And then what you do with that is you reengage. This isn't a one and done. This is what you did last time. This is what you scored. This is where you did very well, and this is where you needed improvement. Notice I didn't say where you failed. This is where you needed improvement. Now, the second time around I'm going to measure you on those same things, plus I'm going to add additional tasks. I want to see if you're maintaining that success of the things you did well, and oftentimes that gets overlooked. We only focus on where you need improvement, and so there's so much effort that's put into that, that the things that you are really good at fall to the wayside. Now you need to improve on that. So, you have to acknowledge what someone did well, where they need improvement, and then you add to that. And then you compare them, "Here's your progress."

JC Vega:
And again, you have to have some unpredictability to that so that your performance will determine the outcome. And you can do that at the individual level, you can do that at the... Now, I'll say for a lot of the people who are probably listening here, you have two roles as an individual. You have your role as individual contributor and you have your role as a leader, and sometimes you're not the same persona. So, be sure to test yourself in both where you're just a member of another team that may be larger but you also have a leadership role where you have ... to account for.

JC Vega:
And then look at the role of the performance. One thing that I stress is that it's a team. Whenever I'm hiring somebody or taking over a team or joining a team, I tell them, "I don't want the MVP. I don't want the most valuable player. I don't want that award." I'm not concerned whether anyone on my team gets the MVP award for the whole company. I want the most valuable team award. I want the team success. Because if I get the team success and everybody succeeds, the organization succeeds, and that means sometimes you don't get to choose your team, but you do get to choose how you're going to train and prepare them. And the idea of taking that individual, again, you as an individual contributor, you as a team leader, your team, then you can break it out to your division, your directorate, and then the whole of organization and you start building on that.

JC Vega:
But there's certain things that we all need to know, and that goes to that individual contributor. They have eyes and ears. When I ask who's responsible for security in our group meetings, I expect everybody to raise their hand, from the person working the front desk admin, to the janitor, to the cleaning team, to the developers. Don't wait for someone else to check your code that it is secure. You should own that. They're checking to see that it's the standard or if it can be better. You should do what you can. Don't push that onto anybody else. And the idea of practicing that and getting everyone involved. Because, once again, if they have ownership in this, they have skin in the game, they will want to make it better. And you never know who might be that hero of the day, that hero of the battle, because people will step up, but you got to create that environment where that desired behavior is rewarded and you don't have people waiting for direction, you have people leaning forward.

JC Vega:
And that's a whole bigger discussion of what are the parameters? How do you prepare them for that? Because you don't want your janitor getting on a keyboard to fix something, but you want to say, "Hey, within your scope, you know what right looks like here. You're seeing somebody who's acting strangely or..." You often say when you go to a university, if you want to know what's going on, get a pulse on the students, go to the cafeteria. Talk to the cafeteria workers. Same goes with your organization. Talk to the people who are having encounters with everybody. And it's amazing what you could learn. And use that for the benefit of the company. Not against everyone. Again, you want it to be a very positive experience.

Joseph Carson:
Yeah. You just reminded me of... I did a project 11, 12 years ago which was about, it was a policy enforcement into an organization, we were doing awareness training and stuff like that. It always reminds me that we were failing. We considered we'd failed because we were enforcing security. We weren't embedding it in a, let's say, in a way that it was positive or empowering. We were forcing, "You must do it this way. This is the secure way. There's no other way." And ultimately, I remember, we were back to the drawing board, and it got to a point where kids were doing a project at the workplace and we said, "You mind if we ask the kids some questions? We want to just get their feedback into something we're working on."

Joseph Carson:
Because we just decided that we needed to take a different approach and this was just one opportunity. So, we asked the kids, and ultimately the result was that they said, "Well, what if you do your policy as like a cartoon, like a storyboard?" And we thought, "Oh, that's interesting. That's a different approach that we hadn't thought of before." So, we thought, "Okay, we'll take these little," as you mentioned, small attention spans of little... like four scenario drawing board and put it into like different use cases of plugin USBs or phishing campaigns and stuff like that.

Joseph Carson:
And then we got into how do you think we should communicate it to the organization? What's the best way? And they came back and they said two things was put these in the canteen, the cafeteria, and the second place was in the back of the bathroom doors. I always remember that. And they said, "You'll get two minutes of uninterrupted time per day where the employee is paying attention to your security policy." And I loved it because it meant... It was reinforcement. It was funny. It reduced things like translation costs and other things. And we could simply just rotate it every couple of months, put a new message on the door, in the cafeteria, on the elevators. It really brought me up into thinking about that we need to make things that are very focused, very short, and easily available. And ultimately, that just reinforcement gets into creating good habits.

Joseph Carson:
And the second part that came out of it, as well, was that we realized that the best people to communicate sometimes was the victims of previous cyber attacks. They become your best advocates because they know what the impact's like, so involving them. And I think this is where really organizations can really benefit from, is going out to other organizations... Because one of the things within the industry, what we really do is, unfortunately, is that when organizations become victims of cyber attacks, we point and we blame. It's because you didn't do good practices. You didn't do this. But what we should be doing is saying, "Hey, let's hear your story. What happened? Let's learn from those lessons."

Joseph Carson:
Because hearing their story and understanding about what things went well and what didn't go so well, why did they become a victim, where was the failures, we can learn from that. We don't want organizations hiding their incidents. We want them bringing them in the forefront early enough so that we can make a difference and we can include them in our own simulations so they can actually teach us about things that we could have done differently or we should learn from them. I think that's something that we should get in the industry, is really saying, rather than this finger pointing, when incidents do happen, I think we should basically come together and be more caring and work together, involve them in our incident response simulations, invite them in. Because the best people they can tell you when you might have an area for improvement is those who's been through it before, those who have seen it, those who have been in an incident response that didn't go so well. I think that's where the future simulations where we can really improve on.

JC Vega:
Yeah, that's a great point. Two points that I'll comment on here is the victim shaming, is we have to get away from that because... We've all heard it and it's already one of those things that you hear it... It's not whether you're going to get hacked, it's a matter when you're going to get hacked. It just goes on and on and on. But the idea of... We call them gray beards, gray beards, get those people who have been there, done that. Get their knowledge and use it in your organization.

JC Vega:
And I'll bring up a second point to your incident response that you made earlier. It's who do you bring in? Who do you bring in? Don't just bring in your team. I ask people when you had a crisis, who did you call? Let's see. If it was, let's say, a crisis at home, you probably called a family member, you probably called a neighbor, you probably called emergency medical assistance or law enforcement or somebody, and you quickly realized that the help came from outside your organization. So, bring them into your crisis response. How is law enforcement going to help you? What can they do? What can they not do? And if there's a gap, how do you fill that gap? What is your incident response team that you have on retainer going to do or not do? What other asset do you have that you could bring to bear?

JC Vega:
I participate in a lot of different communities for cyber professionals, and I'll tell you, as much as I do coaching and mentoring, I'm also the recipient of a lot of coaching and mentoring. So, when I need somebody, I have that relationship established well in advance so that I have an expectation of who I'm going to call as opposed to having a crisis and wondering, "Oh my gosh, I'm at my most vulnerable state of my organization right now. Am I going to trust this person?" I use this line here, is that you move or you respond at the speed of trust, and if you don't have that trust established in advance, it may become a hindrance.

JC Vega:
So, as you look at your incident response, who are some of the service providers that you are relying on? I participated in one exercise where not only did a major organization do their exercise, they brought in one of their partner companies that they had dependencies on into the exercise because they realized that if one is hit, it would impact both of them. And this organization was from the financial institution and they took a lot of risk in exposing their processes with this other company, but it showed the dedication and the confidence and trust that they had in one another. Because when the event occurs, there's going to be dependencies there that they're going to rely upon.

Joseph Carson:
Absolutely spot on. Yeah.

JC Vega:
That's so important.

Joseph Carson:
One of my sayings is that even for a security professional as myself, I know that I can control certain aspects of my security, but I'm only as secure as the society around me. And that's why it's really important that we all have to realize that as organizations, that we're only as secure as the society, as the partnerships and relationships that they have established. So, therefore, when you want an incident response plan, you can't do it alone. You must involve those. It's fundamental that you must involve that social sphere around you that you become dependent on. So, I'd like to summarize it up here. And JC, it's been fantastic having you on. I really enjoy this. I'd love to discuss and go on for more time. But any final thoughts? Any things you want to sell the audience, and maybe some good resources or recommendations that you've learned along the way?

JC Vega:
Sure. So, one thing is I like that one, "train like you fight, fight like you train." Because if you take that mantra, you're going to be as ready as you possibly can for the incident that may come up. And you heard me say it, you move or you respond at the speed of trust. Develop those relationships in advance, so identify who you have dependencies on and who has dependencies on you, not just inside your organization, but outside your organization. Reach out to law enforcement and your community. If it's the United States, reach out to InfraGard, which is a threat sharing organization run by the FBI, the Federal Bureau of Investigations, but there's a lot of other communities and organizations around the world that do this sharing. What that introduces you to is a network, a team of teams that you could rely upon because their network may hold the key to your success and the next incident.

Joseph Carson:
Absolutely. Very wise words for the audience. Definitely JC's an expert in this area. Definitely take his advice. I highly recommend. It could save you when the time comes and you're in the middle of an incident. So, JC, it's been awesome having you on this show. Fantastic. Very knowledgeable and very experienced. So, thank you for taking the time, and hopefully we can have you on the show on future episodes for other discussions and topics. It'd be great to have you back on. So, again, 401 Access Denied, subscribe. We come out every two weeks with new guests, new themes and topics to keep you in the know and updated and educated on the latest cyber security trends. So, thank you very much, Joe Carson, and joined here with JC. So, it's been a pleasure.