Decentralized Centralized Perimeter Security with Brian Honan

Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow and, subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a view on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

Brian Honan:

The best... If you're into Formula One racing, the best overtake maneuvers happen at corners where cars with the best brakes can drive faster, longer, and take the corners safer.

And that's what cybersecurity should be. We should be the brakes on the business. Not to slow it down, not to stop it, but to enable it to do what it needs to do, in a safe and secure way and navigate its way through.

So we shouldn't be saying no. We should be saying yes, but this is how we need to do it and these are the risks we need to do.

And that approach can get more buy-in.

Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host of the episode, Joe Carson, Chief Security Scientist, Advisory CISO at Delinea.

And this episode has been a long time coming. This one has been something that has been in my mind for a long, long time. And it's such a special moment, because I have got such an amazing guest on the show today. Someone who I've known now, I don't know if you realize, it's now 23 years.

Brian Honan:

Oh, wow. That long. Whoa.

Joseph Carson:

It's quite scary, when you think about it.

Brian Honan:

I've know you longer than my kids.

Joseph Carson:

Or my kids. And my wife.

So welcome, Brian, to the show. Just give the audience a bit of a background of who you are, how you got in the industry and what you do.

Brian Honan:

Yeah, so Joe, thanks for having me. It's great to be here.

So yeah, my name's Brian Honan. I'm CEO of BH Consulting. So we're an independent cybersecurity and data protection advisory company, based in Dublin, Ireland, but we have clients all over the world. And we offer a range of services, from virtual CISOs, virtual DPO, advisory services on anything to do with cybersecurity and with data protection and privacy.

And yeah, I've been in the industry for a while now. I've been working in IT since the '80s.

So my start in security, I was going to say cybersecurity, but it wasn't cybersecurity back then. It wasn't even information security. It wasn't even IT security. It was just security.

Joseph Carson:

It was a key to the room with a computer.

Brian Honan:

It was. Well, when I started, my job was looking after Wang mini systems in the company I worked with, which was a large life assurance company in Ireland called Irish Life. So they had Wang mini systems and an IBM mainframe. That was the computer environment back then. So basically, centralized computers with dumb terminals.

Joseph Carson:

Yep. Old McDonnell Douglas VT100s. Those connections.

Brian Honan:

The team I worked in was called Office Technologies. And it was true there, that the first PCs were introduced into Irish Life.

And so my career has evolved over the decades, as IT has evolved and as computers evolved.

And as we went into the '90s, we had downsizing or rightsizing, from an IT point of view. More data, more systems, were moved off the mainframes onto mini systems, onto PCs, onto LANs, et cetera.

And my role was making sure those systems worked and were secure.

So yeah, that's how I've been involved and just over the years, it's changed as we kept going.

Joseph Carson:

Absolutely. It's continuous learning. It's one thing you never stop learning and there's always something new. And there's new technology, new distribution. The foundation is always kind of similar, but how you apply it, tends to evolve slightly. It's the best practices.

Brian Honan:

How quite funny you should say that, Joe, because last Wednesday night, we actually had a reunion dinner with the team I worked with in Irish life. And the last time we were all together was 34 years ago.

Joseph Carson:

Whoa.

Brian Honan:

So it was a good night of reminiscing. And somebody asked me that question, how have things changed from a security point of view? And I actually laughed and I said, "It's very funny."

A lot of the basics, we had way, way back then. Access control. Privilege, access management. Backups. Perimeter protection and stuff. The fundamentals and the basics are still the same as we had back then.

But as you said, applying it now and how you apply is different.

And yeah, look, it's an industry that if you want to be continuously challenged, is a great place to be because, as you said, Joe, not only does the technology change by how businesses apply and use that technology change as well.

And even how society uses technology. Back when I started in the '80s and '90s, nobody had home computers. Nobody had smartphones. We had no tablets. There was no Internet there. We didn't have smart devices in our houses. We didn't have smart cars. None of that stuff.

So how technology is being used, like technology changes, but how it's being used and how it becomes ingrained in our personal and business lives changed as well. And the threat landscape changes.

Joseph Carson:

Absolutely. The motives and the attackers change their techniques all the time.

Brian Honan:

Exactly.

Joseph Carson:

And where they're coming from as well.

I remember seeing a funny meme just recently, where it was like how you unfollowed people in the '90s, was you got your house phone and you took it off. You just took it off the hook.

Brian Honan:

Yeah, exactly.

Joseph Carson:

That's how you got peace and quiet. That's how you disconnected from the Internet, was you got your phone, you just took it off, so that no one could call you.

But that absolutely, it's evolved quite a lot and even through my times, I've seen a lot of changes from even the '90s, where it was very centralized to decentralized, and then back to centralization again. And how people are applying it.

I think the big thing, though, what else changed, is that the change is how the impact can have, it's such more severe now than I remember. Your SLAs back in the '90s, could have been a couple of days. You could have had some things where the urgency was not so much there.

But now businesses have become so dependent on digital services, that even minutes can have severe impacts.

Brian Honan:

Yeah, I think it's interesting as well. You talk about, if you like the what's old is new and what's new is old and decentralized and centralized, but I actually think we've now gone to a decentralized, centralized model because people talk about oh yeah, we're back in the '80s, '90s with mainframes, and now we've got the clouds. So we've now gone back to centralized computing.

But not really because back in the '80s and '90s, when you had a centralized computing model, it was in your own data center, on your own systems.

Joseph Carson:

Correct. It was connected to your own power supply.

Brian Honan:

We've got one part of our business, critical part of our business with one cloud service provider and we've got another one with another cloud service provider and we another part with somebody else. And we also now have remote workers and people connecting from devices we don't know anything about. So yeah, you can talk about, maybe it's centralized but it's not really. It's probably more distributed than ever. Just a decentralized centralization.

I'm going to trademark that one. The decentralized centralized perimeter. There we go. We've got a new model.

Joseph Carson:

We got a new buzzword we can use.

Brian Honan:

Exactly. I was just going to say that.

Joseph Carson:

We're always missing marketing terms. And I think marketing, they're missing a few new key items. We've had that whole pendulum from blockchain to... Was it AI? And now we're missing something. Zero trust has kind of come and gone.

Brian Honan:

I was just going to say Joe, we can call it now because zero trust is dead. The new thing now is decentralized centralized perimeters.

Joseph Carson:

Oh, fantastic.

So one of the great things, when I get to chat with you, it brings back so many memories.

So the audience probably don't know, I did mention at the beginning, that we've known each other longer than our kids and my wife, that we go back 23 years.

I remember, I was just coming off the back of Y2K and patching the ambulance services systems.

And I remember standing in the emergency call room because the ambulance service was responsible for the call center, for distributing the calls to the fire, to police, and also ambulance and paramedics.

And I remember even standing in the control room, waiting for that, the midnight, the millennium clock and just waiting for a nightmare to happen, because at that point, you just feared. There was emergency calls coming in, I remember. It was interesting hearing the calls, but I was just standing there in fright, about what was potentially going to happen. And it just came and it went with nothing.

Brian Honan:

Yeah. Well, I think that's a good analogy for how a good cybersecurity program works. You only know cybersecurity is around when it fails. That's if you're doing a good job. And Y2K, as an IT industry, I think everybody had done a great job. There was so much work, went into prepping for that and getting ready for it and being prepared.

So a big event became a non-event. And it kind of like, "Well, what was a big deal about it?"

Joseph Carson:

It's because we did our job.

Brian Honan:

Yeah. Well, now with cybersecurity, same thing as well. We're saying this is a big business threat and people only sit up pay attention when it goes wrong.

Like here in Ireland last year, we had the HSE ransomware attack, which took down the whole health system for the country.

And then people go, "Oh, my God. Yeah, it's really serious."

And then this year, I was reading the World Economic Forum cyber crime report. And it had the top five risks per country. And in Ireland, cyber is not mentioned, even though 12 months ago, it was a problem.

Joseph Carson:

The priority changes so quickly.

Brian Honan:

It does, yeah.

Joseph Carson:

But just for me, absolutely, I still think I've still got my Y2K floppy disk somewhere because I spent so many times just going around, putting that in so many computers and just patching the systems.

Brian Honan:

Yeah.

Joseph Carson:

And you're absolutely right, is that sometimes you have to stop and think and thank the security team when it is quiet because that's when you can celebrate.

So quick question. So what do you see? I read the World Economic cyber outlook report. Cyber was up there as, again, a top risk. And I think even it was even to the point where they were looking at major catastrophe type of impact over the next two to three years.

What types of threats do you see is the things that businesses should be worried about today? What are the things that they should be prioritizing and defending against?

Brian Honan:

Yeah, so look, I wear several hats, I suppose. One, as I said, I'm CEO of BH Consulting and we have helped victims, of cyber crime and cyber attacks, recover their systems.

But I also founded and head up IRISS-CERT, Ireland's first computer emergency response team. And I'm an advisor to several other companies and stuff like that. But quite common across a lot of them, the main threats I see, right now, ransomware is the number one threat. And it's simply because it's the quickest and easiest way for cyber criminals to monetize their work. They can make money very quickly.

Joseph Carson:

The urgency is there.

Brian Honan:

Urgency. They're criminals. They want to make money and they want to make it quickly and they want to make it easy.

So hacking into a system, stealing credit card data, personal data, trying to monetize that and sell it on. Or hacking in and stealing intellectual property and trying to monetize that. That's still happening. Don't get me wrong. That is still happening. But that's a more long game and long time to return.

Ransomware it's in your face. Your systems are down. And from the criminal point of view, either you pay some money or you don't-

Joseph Carson:

Or you're rebuilding.

Brian Honan:

... Yeah.

Joseph Carson:

Or you hope that the backup is solid enough that you have something to recover.

Brian Honan:

Exactly. So the criminals are out there. They're looking to make money and they're looking at ways to... And they're even altering their model. So it's not just holding your data to ransom. It's also, if you don't pay this ransom, we won't give you the keys to decrypt your data.

But also here's another ransom, so we don't publish that on the Internet. And by the way-

Joseph Carson:

We're also ransoming your customers as well.

Brian Honan:

Yeah. And that's happening in some cases, where the criminals have gone to customers of those companies and said, "We've got your personal data. If you don't pay up, we're going to put it onto the Internet."

And I've heard of cases where criminals have gone through emails of companies and have identified unethical, or in some cases even illegal behavior, and threaten the companies to blackmail, in saying, "We'll release this to the regulator if you don't pay up."

So criminals want to make money and that's why ransomware is going to continue to be the biggest threat.

Now, I do have a bone to pick with our industry about ransomware.

Joseph Carson:

What would this be, if you didn't have a bone to pick?

Brian Honan:

Exactly. And I think one of the things ransomware is, in many ways, is a very big red flag to show how our industry has failed.

Ransomware, at its core, is just another piece of militia software. It's nothing fantastic. Yes, we joked around about the marketing people, but yet we have companies making new products to stop ransomware and you're going, "Well, shouldn't that be built into your security product already?"

So all these security products we've bought and how we manage our IT, what ransomware is actually highlighting is how badly as an industry we're failing to protect our data. Because, fundamentally, if you look at a lot of the ways to protect and prevent ransomware, it's all the stuff we joked about at the beginning. It's the basics.

Joseph Carson:

Yeah. The basics.

Brian Honan:

It's the things Privileged Access. It's access control.

Joseph Carson:

Good password choices.

Brian Honan:

Exactly. It's getting in there. So ransomware I see as being the number one.

The other one we're seeing is social engineering, but particularly in SEO, or invoice redirection fraud.

Joseph Carson:

Yes, business email compromise. And changing, modifying invoices. Changing the routing of those payments.

Brian Honan:

Where we're seeing a change now as well, is not just on email compromise, but using other messaging platforms, because we've joked, Joe, that you and I are older people in the industry. And there are other channels that people are using nowadays. It's social media, WhatsApp, other messaging systems.

And criminals are impersonating CEOs and senior people on those platforms and targeting people in the organization.

So we've seen fraudulent behavior from criminals who have created fake WhatsApp profiles of the company's CEO and sent that message then to staff via WhatsApp or whatever and getting them to buy...

Joseph Carson:

Gift cards.

Brian Honan:

Gift cards all to process an invoice quickly.

So that's where we see a lot of... So messaging platforms are going to be abused to facilitate fraud because let's not put a fancy name on this. It's fraud. It's not email compromise. It's fraud.

Joseph Carson:

It's fraud. Fraud, it's almost getting... I always like to try and distinguish, one of the things I learned from you, was always make sure you distinguish the technique from the motive. What is your underlying category?

And I also learned it as well, in Estonia, when I remember one of the cases, working in 2007, when Estonia had the cyber attack.

And the reason, what I always get into, is they always make sure you understand what category it falls under.

One of the banks, when they did basically their remediation to a DDoS attack, was that basically they brought up a secondary system. So DDoS attack, they brought up basically a secondary transactional system. And that was actually their worst mistake, because ultimately, the DDoS was not consistent. The production system was up and down, up and down, up and down. And the backup system was also taking the transactions.

They ended up having two systems where the source of truth of transactions went through. The DDoS attack lasted for a few days. But it meant that they had to now maintain two production systems for the rest of the financial year. And that was more costly than actually if they just waited out the DDoS attack itself.

So they actually created a bigger problem by not looking at what it was they're dealing with. They just looked at it, thinking, "Okay, we've got a service outage. The production system is unavailable. What's our to-do list say? It says bring up the backup system." Make it production. Turn it from was it inactive standby to an active?

And that ultimately, was the worst case. And even going back, that's what I always remember, is always make sure you fully understand that what is the motive here? What is the intention? Business email compromise is just one of the techniques they use in order to get financial fraud.

Brian Honan:

Yeah. I agree.

Joseph Carson:

It's one of the paths.

Brian Honan:

Exactly. Yeah.

And then I suppose the other threats I see, and businesses need to be worried about, is so many business have migrated to the cloud primarily, in response to the pandemic, COVID-19 pandemic, and to facilitate remote working, et cetera, is account hijacking.

So be that you've moved your email to a cloud email provider, or your CRM system, or whatever. We're seeing a lot of attacks trying to compromise, so either force attacks, or the next threat then, is targeting the people in your organization, is trying to fish credentials or getting to click on links or whatever else.

So to me, they'd be the top four ransomware fraud... I wasn't going to call it…

Joseph Carson:

What do you call it? Financial fraud.

Brian Honan:

Financial fraud. Cloud account hijacking and targeted individuals.

And all of those kind of overlap as well because there are controls you can put in place, that can reduce the risk, based on each one of those.

So it's going to keep us busy for quite a while.

Joseph Carson:

It definitely is.

And I mean I've even been having fun with ChatGPT as well, about helping it craft interesting messages for me.

So asking this way, can you help me create an email? And it actually will create it for you, that it will actually be perfect, that it looks authentic.

So even for me, it's just natural language understanding and automation. It's a simple way of creating without me having to do the work.

And it's great at doing that. I think seeing that also evolving, towards helping much more in the automation side.

Brian Honan:

Yeah, well, look in fairness as well, is you don't need ChatGPT to craft an email to convince somebody to click on a link or whatever. It's when you investigate some of these issues and you just see what the email was that came in, it can be very basic.

Joseph Carson:

Yeah. And even from my... Because I myself get targeted quite a lot from the phishing scams and it's also looking, and I'm pretty sure you also probably get a lot of them as well. It is getting quite difficult to distinguish. Some of them are well crafted.

Brian Honan:

Oh, yeah.

Joseph Carson:

And also have really good ways of bypassing a lot of the filters so it does get to the person, ultimately.

Brian Honan:

Yeah.

Joseph Carson:

So that's also an area that we have to really look at. So one of the things.

Brian Honan:

Just to kind of nicely loose track into my rant earlier on as well, it gets the person and then somebody clicks on a link or an attachment, and it brings down the whole environment. And everybody goes, "Oh, my God. That user clicked on a link. It was their fault."

No, it's not. You didn't have the right controls in place. You didn't have the right protections in place. Your whole company shouldn't grind to a halt just because somebody does what an email is designed to do. Email were designed to have attachments, to have links in them.

Joseph Carson:

The Internet was created to click on things.

Brian Honan:

They click on attachments.

Joseph Carson:

It was created to click on things.

Brian Honan:

Yeah.

Joseph Carson:

The whole purpose as a browser, was to click on, was to make life easy.

So absolutely. That's one of the things I hate, is blaming it on users. And that's for me, I think, one of the things we have to, as an industry, get away from and start looking about. We're really there to help them. We're there to navigate them in the right way. And clicking on a link should not have a path to taking the business down.

Brian Honan:

Yeah. Even if you think of the phrases we use in IT, we call people users. As far as I'm aware, there are only two industries that call their customers "users," IT and drug dealers.

Joseph Carson:

It's the similarities, they're so aligned.

Brian Honan:

It is. And then we wonder why people don't like us when we go and try and fix things.

Joseph Carson:

That's why we created an IT. We created a whole industry, which is the help desk team, to be the immediate filter between IT and the people in the organization.

So one of the things I wanted to ask you on today's episode as well, was that you do a lot around compliance and standards and stuff. How important is that for businesses? How important is it for organizations? Is compliance the goal? Or is it really to find themselves in some type of where do they sit? Or where's their risks exposed to? What's the path? How do organizations do it right? What's the right path?

Brian Honan:

Well, I think, Joe, we could tie up a few episodes just talking about compliance. And I know there's a lot of various views out there.

And look, my point is you can be compliant. It doesn't mean you're going to be secure. You could also be secure, it doesn't mean you're compliant.

I think you've identified the key thing there, is that risk is the key thing to running a good security program, that takes compliance into account as well.

And compliance is going to become a much bigger thing. When people think about compliance from a cybersecurity point of view, we think PCI GDPR.

Well, if you're going to be operating in the EU or doing any business in the EU, there are a lot more regulations coming down that are going to make your life much more difficult.

You've the Digital Services Act. You've the Cybersecurity Act. The cybersecurity strategy. You've DORA. You've got various other regulations coming through, which are going to impact not just the end users of technology, but also the suppliers of technology.

So regulation is coming in to try and raise the bar that companies should meet, to protect information.

And people complained about PCI. "Oh, my God," when it came out. First of all, "Oh, my God, it's really tough to get to PCI."

And I'm going, "No, PCI is what you should have in place anyway."

Many regulatory frameworks are just saying, "Look, good security. This is what you need to have in place."

But from a business point of view, I think, firstly, you need to look at your whole cybersecurity program as a frame as to how are we managing risk to the business? How are we managing risk the organization?

So obviously a lot of that risk is going to be technical risk. We talked about ransomware and stuff like that.

But then there's also human risk. So financial fraud via email, or via WhatsApp messages, or via-

Joseph Carson:

Even voice today.

Brian Honan:

Or voice or video calls or AI or whatever.

It's targeting the human. But there are still processes that happen outside of IT, like issuing a payment and authorizing a payment and et cetera. There should be checks and balances there, that don't necessarily rely on cybersecurity controls.

And the same then, with your compliance, what regulations apply to your business? And how do you match that that into your security framework? And communicate that to the board and communicate that to senior management, so they understand, "Oh, okay so we're doing this to manage this risk." As opposed to sort of saying, "Oh, look. We get 1 million attacks on our firewall per day, so we need to buy another firewall." They just go, "What?"

Where if you can talk in business risk on business terms.

Joseph Carson:

Yeah. You got me thinking about a very important thing and it was always something that I always did, as a practice myself. And I think in IT and digital and security, that we probably have to do better at it.

I think one of the things that I find is that one of what distinguishes from the criminals that go in and does this, what they do really well is they don't just understand the technology really well. They understand your business really well.

And I think that's where probably the gap is, is that we, in the IT, tend to focus more on the technology side. And the attackers, what they do is they go in.

You just look back and the... I'm trying to remember the guy that was either Lithuanian or Latvian, that basically did the financial fraud for Meta, Google. And basically was just changing the invoices and sending invoices and just understood the financial payments really well in those organizations, to take advantage of it.

And I think that's what criminals are doing really well, is they start to understand the business processes really well, and find weaknesses in them and take advantage of that.

And I think that's what we should be doing more, is trying to understand about how do the processes work in the organization, not just from the technology, but ultimately the end-to-end service and find out where the risks are in that, whether it being people or whether it be... Where's the checks and balances to make sure that we minimize the risk were possible?

Brian Honan:

Yeah. And sometimes people might say, "You're getting outside your box. You should be stuck over there with IT and cybersecurity. Don't be coming to us about financial controls and stuff."

But I think this is where we need, as we evolve in cybersecurity, to become a more critical and critical as the business, it's helping manage business risk and we need to get allies out there.

So instead of going in and sort of saying, "No, you can't do this because of security," well, then it is as you said, Joe, it's talking to that person who's running that project and saying, "What are you trying to achieve? What is the business reason behind this?"

I often use the story and the analogy about saying that security is like brakes in the car. And when I ask people, what do brakes in the car do? They all say, "Well, yeah that makes sense, brakes in the car and security cause it slows things down or it stops things."

And now I go, "No, brakes on a car make you go faster."

And they look at me and go, "What? Brakes on your your car make you go faster?"

And I say, "Yeah, think about it. If you've no brakes on your car, how fast could you drive?"

If you're into Formula One racing, the best overtake maneuvers happen at corners where cars with the best bricks can drive faster, longer, and take the corner safer.

And that's what cybersecurity should be. We should be the brakes on the business, not to slow it down, not to stop it, but to enable it to do what it needs to do in a safe and secure way and navigate its way through.

So we shouldn't be saying, "No." We should be saying "Yes, but this is how we need to do it and these are the risks we need to do." And that approach can get more buy-in.

And even when I'm talking at some seminars, I often ask the CISOs in the audience, or IT security people in the audience, how many of you have read your company's annual report? Are many of you aware of what the business plan is for the business or what its business goals are?

And sadly, very few hands go up in the audience, but if you're to ask that same question, and I have done because I've talked to audiences that have been in financial people or whatever, because they're looking to become more aware about cybersecurity and I've asked them, "Well, how many of you have read the annual report?" And the majority of their hands go up.

So if we want to champion cybersecurity and we want cybersecurity to be taken seriously within the business, then we have to take business seriously as well.

Joseph Carson:

Ask the right questions and we're involved.

That's one of the things that I've done, is whatever industry I'm working in, I try to put myself in the person's position to understand about what it's like to be in their shoes, what it's like to be in the day-to-day activities.

So one, is it helps me understand about the environment they work in. The other thing is also how they get measured for success because people don't get measured for security, they get measured in how well they do their job.

And my goal is always about how I can make sure that what I'm doing helps them be successful.

And that's ultimately, I think, that's the translation. A role was missing.

And I think that's an important point, is to make sure that we, as an industry, also really understand what are the ultimate business goals and try to align ourselves to that. And try to ask the right questions. And also measure security in such a way that actually shows the value to those business goals as well.

Brian Honan:

Absolutely. And we need to design controls that are not blockers to people.

I've dealt with a security instance where there's been a data leak because somebody was working remotely, or a salesperson out on the road decided, in order to log in to get email, they have to log into the VPN and they have to have a token to plug into their computer, they have to have a password to log into their laptop, a password to log into the VPN. And then oh, now you have to have another password to log into your email. And they just go, "I'll just set forwarding rules on my email, to my Gmail account, and pick it up from there, my other online account."

Joseph Carson:

Or they make all the passwords the same.

Brian Honan:

Or make all the passwords the same, yeah.

It's not that people want to do their jobs in security. They just want to do their jobs.

So we need to make sure we're putting things in place that are transparent and the user experience is pleasant.

Joseph Carson:

One thing you just mentioned, really important measurement, and one of the things you mentioned, you talked about earlier, about how many attacks to the firewall are blocked.

But one of the things I remember, talking to a few CISOs, and they started talking about some of their new metrics that they're looking at, and it's user experience. It's about how well is the user enjoying security? What is their net promoter score for security?

And it's almost ironic. But that's a great measurement because the more people that enjoy, use it, because I think, to your point about having all of those steps, just create friction.

And ultimately, the idea is removing friction. Whenever we put something new in place, it should always be looking at how do we make it better than what they had before?

And we find security is always hard, that it does create friction, but we always have to think about how we make it better. How can we make it better for that person? So that this experience is actually better for them.

And therefore that they don't see security as a blocker. They see it as something that becomes almost just in the background, that doesn't cause them to not hit their goals and metrics and not get their bonus or not get what their performance outlook is for the year.

So to your point, is that security needs to be quiet.0

Brian Honan:

It does. You don’t notice it. You shouldn't notice security. It's like driving your car. You don't notice the crumple zones or the airbags or anything else until you absolutely need it.

And you don't need to be an engineer to make sure those things work in your car either.

Joseph Carson:

Absolutely. It just needs to be there when the bad things happen.

Brian Honan:

Exactly.

Joseph Carson:

And it makes the biggest difference.

So for organizations and stuff that's going down this path, what would be the top thing that we'd recommend for them to do? What would be that one thing? How to get started? One of the big things they have a lot of problems with, is things like getting resources today. Who are the right people? Should they try doing this alone? Should they get help? What would you recommend an organization? What would be the top thing?

Brian Honan:

That's a very big question, Joe. I don't think there's a simple answer to it.

I think it depends on the industry you're in. It depends on the resources you have. It depends on which country you're in as well.

There are some countries that have good government-led initiatives. Others don't and fallen behind.

I've just realized I've just given you the typical consultant answer by saying, "It depends."

Joseph Carson:

It depends.

Brian Honan:

I would strongly recommend anybody who's listening to this now, whether they're in Europe or elsewhere, that there's a lot of great resources available on the European Agency for Cybersecurity, ENISA. So that's ENISA.eu.

They have a whole lot of information there, on not just what you need to do from a technical point of view to manage security, but also from risk and the different regulations and stuff that are coming through. How to manage risk. How to manage the cloud. How to do good instant response.

I'm involved in some of the working groups with ENISA. And one of the latest publications that came out last year was a complete guide to small businesses on how to manage cybersecurity in the business. And they have a 12-step guide for business to follow.

So even if you're a large organization and if you've got no experience in cybersecurity, that will be a good start because it gives you, again, we talked about a good understanding of the basics.

Joseph Carson:

I think that's really important, what you're saying. And we'll definitely make sure. I'll look to make sure we get that included in the show notes, the link to those because sometimes people just don't know where to find them. And if you search, it's not always going to be the first thing that comes up in your Google searches. And if it's not on page one, it gets lost.

Brian Honan:

It is. And there's so many stuff out there, but I would recommend completely ENISA, because, A, it's an independent body. It's EU-funded, so it's not sponsored by any vendors or anything like that.

For us, in Europe, it's quite good because not only are the publications in English, but they're also in all the member state languages.

So Estonian, it's available in Estonian. It's available in French. Germany. So all these guides are available in the different languages.

And we talked about the human risk. They've released now Awareness-Raising-in-a-Box, which is a toolbox that you can use, to kick off your security awareness program and it's free.

Joseph Carson:

Important. The free part.

Brian Honan:

Yeah, great price point. It's free. I can't give you a better discount than that, Joe.

Joseph Carson:

So I think that's fantastic and I think that's a great place to leave the audience on, is resources, how to get it.

Again, it's just finding those and then you can apply it yourself. And find out then, what's the best practice for the business and then go through that understanding about, as we mentioned, understanding what your business goals are, what the risks are, and then lots of resources, to help you make sure you kind of apply it and depending on what the business goals are. So it's fantastic.

Brian, this has been amazing, chatting with you. And it's been too long since we last been had a drink in person.

Brian Honan:

Yeah. I think the last time was the summer last year. Wasn't it?

Joseph Carson:

It was summer last year, yes. It was the first conference.

Brian Honan:

That's right. Yeah.

Joseph Carson:

That was fantastic.

One of the things I enjoy definitely about the in-person is just surrounding yourself with such amazing people, including yourself.

And usually, when I'm talking to a lot of industry, you always get the fear side of things.

But when I talk to you, it makes me laugh and it makes me enjoy what we're doing because sometimes we almost have to look back and think that, at the same time, it is strange place to work in and you do see a lot of bad things, but sometimes you just have to sit back and just enjoy it and have those moments of laughter because what else is life?

Brian Honan:

Life is too short to be taken seriously.

Joseph Carson:

Absolutely. And so fantastic. I mean, 23 years. Let's hope we have another 23 left.

Brian Honan:

Hopefully.

Joseph Carson:

So Brian, it's been awesome having you on the show. And so really, hopefully, that at some point in time we get to catch up this year for a good Guinness and a good drink.

And for the audience, it's been fantastic. Definitely take some of Brian's advice and the recommendations. And hopefully it's been very valuable for you.

So any final thoughts of wisdom, Brian? Because I know you. Any good jokes or anything?

Brian Honan:

Oh, God. No. My kids will tell me, I don't have any good jokes at all.

But no, I think just as you said there, Joe, is steer away from the fear and the foot because that's not what security is about. Security is not about scaring things. Security is about enabling people and enabling businesses and enabling society to function properly.

Joseph Carson:

That's very important. Don't focus on the scary things. Let's focus on what we can make a difference to the world.

Brian Honan:

Exactly.

Joseph Carson:

That's what it comes to.

Fantastic, Brian. It's been awesome. And again, I look forward to seeing you.

For the audience, again, this is the 401 Access Denied podcast. We've had awesome Brian Honan on the show. And definitely go follow him on social media. You'll always definitely get lots of laughter and lots of wise advice as well.

So tune in every two weeks and stay safe, take care, and see you again soon. Thank you.