
Episode Summary
Implementing an effective security program has become a necessity over the past decade. And without a doubt, all businesses need to level up their security game to mitigate risks and protect their information.
But small- and mid-market companies are somehow left behind when it comes to security guidance and realistic capabilities.
In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis introduces Brian Haugli, the Managing Partner at SideChannel. They talk about the increasing demand for cybersecurity for all organizations, why the black-and-white view won't get us far in security, and the future of technology.
## Guest-at-a-Glance
💡 Name: Brian Haugli
💡 What he does: He's the Managing Partner at SideChannel.
💡 Company: SideChannel
💡 Noteworthy: Brian is the co-author of "Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework."
💡 Where to find Brian: LinkedIn
## Key Insights
⚡ There's an increasing need for security programs in the middle market. We often forget about small businesses and mid-market companies when discussing cybersecurity, risk management, and privacy. But Brian believes that all organizations deserve to have adequate security programs and that these programs are equally as important as other business segments. He explains, "There are a lot of companies — hundreds of thousands of companies — outside the Fortune 2000, and most, if not all of them, require some diligence on what their security program looks like. And the question is, 'Who's going to lead that? Who can lead that? And can they afford it?' The market is actually very hot when it comes to this space. We've grown tremendously over the last two-plus years, and it's an area that people are genuinely looking at. It's not just because of what's in the news but also because people are realizing, 'Hey, we should be doing our own diligence and security practices the same way we put wrappers and guidelines and posts around financials and sales and marketing.'"
⚡ Even when you move to the cloud, you still have responsibilities as the owner. Contrary to what many organizations think, you still have responsibilities even after you move to the cloud. Brian says this is one of the most common misconceptions in the field. "People are just thinking, 'Oh, all of this is done by the cloud or the provider or the SaaS platform.' And that's just not true. It seems to happen across just about every sector we touch. And again, especially with the middle market, which is traditionally both underserved and doesn’t have the expertise — it's an area where they're a bit naive about who's responsible for what."
⚡ We need to forget about the black-and-white mindset because it's not helping anyone. If you want to make progress in your organization regarding security, you need to let go of the "gotcha" mentality, as Brian calls it. "Black-and-white" thinking won't get you far. "Honestly, as security practitioners and as an industry, we really need to not just bury, but we need to completely kill this 'gotcha' mentality that stems out of old-school audit thinking or GRC analyst policy wonks or whoever's managing a system where their entire thing is, 'Well, I need these things managed. And if it's not exactly as this says, you don't get credit.' We need to move to risk management, where there is gray. There is the ability to accept risk as long as it's appropriate, but this pure black-and-white view and this 'gotcha' mentality that exists within security professionals — we just need to get rid of that. It's not helping anyone at all."
## Episode Highlights
You need to test what you're training on in security training.
"I've always truly believed that you have to test what you're training on; it's like school. You study material, you then take a test. Are people actually understanding the material? Great. Move on to the next thing. We need to do that with security training as well. Maybe phishing tests are not part of that, but something else, maybe it's surveys. Maybe it's just more granular testing, not ‘gotchas.’ So, I don't know if we need to bury the whole thing, but we need to bury the aspects of this that don't seem to be really working but still seem to be getting much more play."
Learn what is going on within policy.
"That was the biggest change for me going from a real technical guy to somebody who could actually shape an information security program as a whole. So, the advice really is that even if you're a SOC analyst, even if you are a pen tester or you're in a hunt team or whatever, learn what is going on within policy because it'll help you a lot more than [others]. Conversely, if you've always been an auditor or a policy person, really try to understand what the actual technical components of those policies mean to the folks who are reading them, using them, and have to abide by them."
Ease of use is the future of technology.
"These seem like simple things, but you know how people interact with apps and everything. That is how people are operating and interacting with technology. We need to move those types of technologies to look and feel like that because that's what people are comfortable with, and the more people are comfortable with it, the less they're questioning the technicalities. So it's just ease of use."