[00:41.700 --> 00:42.340] My [00:55.520 --> 01:02.700] name is Seth Ott, Director of Security for Potawatomi Ventures, here in southeast Wisconsin. [01:03.060 --> 01:08.740] I know a lot of you probably hear that Potawatomi name and think, cool, can you get me in at the casino? [01:09.000 --> 01:09.480] Nah. [01:09.480 --> 01:11.960] Different company, I'm afraid, Potawatomi Ventures. [01:11.960 --> 01:15.520] So we're an investment company. [01:15.520 --> 01:20.020] We've got a whole bunch of different businesses underneath us. [01:20.240 --> 01:26.240] IT security is a shared service, and so we provide the security for all of those companies. [01:26.240 --> 01:28.900] Think a real small Berkshire Hathaway. [01:29.280 --> 01:33.900] So what I'm going to talk about today is building an IT security department. [01:34.720 --> 01:39.940] Over the last several years, I've been doing just that. [01:39.940 --> 01:42.500] So I'm currently, as I said, at Potawatomi Ventures. [01:42.620 --> 01:47.320] When I got there about three years ago, there was no such thing as a security team. [01:47.600 --> 01:49.820] And so I started building it. [01:50.400 --> 01:52.340] Before that, I was at Briggs & Stratton. [01:52.340 --> 01:56.580] They were going through a major shakeup, and they were rebuilding their security team. [01:56.580 --> 01:57.960] So I was helping them with that. [01:57.960 --> 02:01.380] Before that, Master Lock, same sort of situation. [02:01.380 --> 02:02.660] Major shakeup. [02:03.000 --> 02:05.880] I was brought in to help rebuild their security team. [02:05.980 --> 02:11.000] Before that, I was at a company called SkyGen USA, also here in southeast Wisconsin. [02:11.120 --> 02:13.200] They were building their security team from scratch. [02:13.200 --> 02:15.720] I was a junior member of that as well. 
[02:16.200 --> 02:22.720] So over the last about nine years, I've been at various companies building the security team, and I've learned a thing or two. [02:22.720 --> 02:25.800] And so I thought, hey, I can give a talk on that. [02:27.980 --> 02:31.600] So with that in mind, let's set the stage. [02:31.600 --> 02:37.340] So let's pretend you have just been hired, small to medium-sized business. [02:37.340 --> 02:42.280] You are the first person for IT security at that company. [02:42.320 --> 02:43.300] Congratulations. [02:44.160 --> 02:45.240] Now what? [02:45.920 --> 02:46.800] All right. [02:47.460 --> 03:00.800] Now, if you're like most security professionals that have spent a lot of time doing individual contributor work, you might walk in and say, hey, what antivirus are we using? [03:01.000 --> 03:01.540] That sucks. [03:01.540 --> 03:02.120] Get it out of here. [03:02.120 --> 03:03.140] You want this one. [03:03.360 --> 03:03.780] Right? [03:04.100 --> 03:08.880] Or maybe you'll take a look at the email security gateway and say, well, that's a terrible one. [03:08.880 --> 03:09.920] Why are we using that? [03:09.920 --> 03:10.960] Let's get a new one. [03:10.960 --> 03:11.240] Right? [03:11.240 --> 03:12.540] We'll focus on technology. [03:12.540 --> 03:13.740] We're technology people. [03:13.740 --> 03:14.880] It's what we like. [03:14.880 --> 03:15.820] It's what we do. [03:16.280 --> 03:19.380] I'm going to suggest there might be a different way. [03:20.640 --> 03:26.160] Instead of focusing first on the technology, I'd encourage you to ask a few questions. [03:26.160 --> 03:30.580] Actually, I'd encourage you to ask a lot of questions about yourself. [03:30.800 --> 03:31.340] Who are you? [03:31.340 --> 03:32.400] Where do you come from? [03:32.400 --> 03:34.260] What have you done before you did this? [03:34.400 --> 03:34.940] Right? [03:34.940 --> 03:36.180] What's your work history? [03:36.540 --> 03:37.160] Right? 
[03:37.400 --> 03:39.220] Have you done this before? [03:39.280 --> 03:40.520] Maybe, maybe not. [03:41.620 --> 03:41.940] Right? [03:42.240 --> 03:44.000] Think about these sorts of things. [03:44.000 --> 03:47.600] And then I would say, ask about the business. [03:48.220 --> 03:49.640] What does the business do? [03:49.640 --> 03:51.100] Is it a public sector? [03:51.100 --> 03:52.280] Private sector? [03:52.500 --> 03:53.020] Right? [03:53.020 --> 03:53.640] Manufacturing? [03:53.640 --> 03:54.420] Healthcare? [03:55.500 --> 04:02.280] All of these sorts of things will change your perception of what it is you need to do. [04:02.700 --> 04:07.360] And as you're asking these questions, write it down. [04:07.980 --> 04:10.800] You'll hear me say that several times in this presentation. [04:10.840 --> 04:11.980] Write it down. [04:11.980 --> 04:17.200] Because as you're asking these questions, you're learning about the business, you're going to start creating a list. [04:17.200 --> 04:21.460] And that list is going to tell you what it is you need to do. [04:21.760 --> 04:23.560] You're going to look at compliance. [04:23.560 --> 04:25.440] You're going to look at technology. [04:25.440 --> 04:26.760] You're going to look at people. [04:28.680 --> 04:29.880] Write it down. [04:30.300 --> 04:37.160] Because once you've written it down, then you need to start figuring out, where do I go? [04:37.320 --> 04:38.700] Where do I start? [04:38.700 --> 04:49.100] And this is where a lot of individuals kind of get that decision paralysis, and they start to think, man, I've got all of these different things that I need to get done. [04:49.560 --> 04:50.900] How am I going to do it? [04:51.000 --> 04:52.400] Where do I begin? [04:52.400 --> 05:01.680] And you run into this wall, and we end up with a situation where you get almost nothing done in the first year. [05:03.040 --> 05:04.500] So write it down. [05:04.500 --> 05:05.660] Make a list. 
[05:05.660 --> 05:07.640] And then you have to start to prioritize. [05:08.580 --> 05:15.880] And I would offer, before you start looking at technology, again, look at compliance. [05:16.120 --> 05:16.660] Right? [05:17.860 --> 05:23.060] Public sector, you're looking at Sarbanes-Oxley, healthcare, HIPAA, HITRUST, a few others. [05:23.760 --> 05:30.720] But as you're looking at compliance, remember that compliance, being compliant, is not being secure. [05:30.720 --> 05:35.380] But also, on the reverse of that, being secure is not being compliant. [05:35.840 --> 05:49.020] We were running into this recently, where I got in right away and didn't fully understand all of the compliance requirements on all of the various different businesses, and I started writing policy. [05:49.560 --> 05:51.600] I wrote great secure policy. [05:51.600 --> 05:55.620] It was very focused on security, but it wasn't focused on compliance. [05:55.760 --> 06:06.220] So now, as I got to understand the compliance of the business, now I have to go back and rewrite those policies, and put those compliance points in there. [06:07.440 --> 06:21.820] Another point about compliance, these compliance frameworks, as you figure out which one it is, I think a lot of us have learned that they're very good at telling us what to do, but they're terrible at telling us how to do it. [06:22.940 --> 06:26.700] Let's take a look at NIST 800-171, for example. [06:27.800 --> 06:30.400] Limit unsuccessful logon attempts. [06:31.120 --> 06:32.180] That's it. [06:32.620 --> 06:33.780] How many? [06:33.780 --> 06:34.920] How often? [06:35.100 --> 06:35.580] Right? [06:35.580 --> 06:37.400] It doesn't tell you, it just says limit. [06:37.780 --> 06:43.660] You can say, hey, one unsuccessful, and you're done, and you're compliant. [06:43.660 --> 06:46.000] You can do 20, you're still compliant. [06:47.540 --> 06:50.760] Or prevent reuse of identifiers for a defined period. [06:51.080 --> 06:52.300] How long? 
[06:53.560 --> 06:54.700] Right? [06:55.420 --> 06:56.480] Six minutes. [06:56.480 --> 06:59.920] You're good, you're compliant. [07:02.080 --> 07:13.300] So as you're doing these, fortunately there are some where you can get supplemental guidance, but be careful with these frameworks and leaning on them in trying to be secure. [07:16.050 --> 07:22.010] So once you understand your business and the needs of the business, where do you start? [07:22.010 --> 07:24.850] I would suggest policy, not technology. [07:24.850 --> 07:26.430] Policy before technology. [07:26.430 --> 07:27.230] Why? [07:27.230 --> 07:35.470] Well, you see right there I have written, this establishes the ground rules and gives you something to enforce against, right? [07:35.870 --> 07:41.990] You start creating tests for your users, phishing tests. [07:42.150 --> 07:44.310] You have a user that just fails repeatedly. [07:44.930 --> 07:45.710] What do you do? [07:45.710 --> 07:49.870] Well, you want to fire them, or retrain them, because they just don't get it. [07:49.870 --> 07:54.930] Well, if you don't have a policy to enforce, how are you going to fire them, right? [07:54.930 --> 07:57.310] You have to have something to fall back on. [07:57.590 --> 08:06.230] And as you're writing these policies, I really encourage you to work with leadership, work with HR, HR especially, right? [08:06.230 --> 08:10.130] They are going to be your number one source for enforcement. [08:12.090 --> 08:17.070] So when you get into the policies, personally I like to use a three-tier hierarchy. [08:17.210 --> 08:18.710] I started top policy. [08:18.710 --> 08:19.970] This is very general. [08:19.970 --> 08:23.610] This is how do I feel about a particular subject, right? [08:23.610 --> 08:28.070] What does the business feel about a particular subject? [08:28.270 --> 08:29.590] It's very general. [08:29.790 --> 08:33.030] Then I move into the procedure for that same policy. 
[08:33.030 --> 08:35.750] The procedure, we start to get more specific. [08:36.750 --> 08:42.410] As you get more specific, you might start mentioning technology types, but I would avoid using vendors here, right? [08:42.430 --> 08:48.970] Anytime you use a vendor in a policy in any sort of document, every time you change that vendor, you have to go back and rewrite the document, right? [08:49.090 --> 08:51.270] So then we get to playbooks. [08:51.270 --> 08:54.730] Playbooks are where I finally start to use vendors, right? [08:55.170 --> 08:56.830] Playbooks are very specific. [08:56.830 --> 08:59.810] We take a look at incident response policy, for example. [09:00.510 --> 09:05.750] Maybe we have playbooks for ransomware or specific virus types, right? [09:07.630 --> 09:14.490] So once you figure out kind of a hierarchy, then I would recommend starting with these policies. [09:14.710 --> 09:16.690] Start with your IT security policy. [09:16.690 --> 09:17.810] This is your north star. [09:17.810 --> 09:19.030] This is your guiding framework. [09:19.030 --> 09:25.570] This starts you off with everything else that you're going to be doing for your IT security program, right? [09:25.910 --> 09:31.170] After that, incident response policy, included in there is a procedure and playbooks. [09:33.270 --> 09:45.550] I can't tell you the number of businesses that I've talked to over the years where they never touched their incident response policy until they had an incident, and that's the worst time to touch any policy is when you need it, right? [09:45.550 --> 09:52.470] So within the first couple months of getting in the door, building that security program, build those policies. [09:52.470 --> 09:53.950] Build the IR policy. [09:54.130 --> 09:55.330] And here's the other thing. [09:55.370 --> 09:56.890] That's going to get you talking to the business. [09:56.890 --> 10:00.330] It's going to get you talking to HR, leadership, C-suite, right? 
[10:00.330 --> 10:04.070] Because you're going to need them when that incident comes around. [10:04.450 --> 10:06.970] You might as well talk to them now, right? [10:07.070 --> 10:08.790] Make sure they know your name. [10:08.930 --> 10:10.490] You know theirs, right? [10:11.230 --> 10:14.470] And then from there, vulnerability management, employee training. [10:14.470 --> 10:18.590] Maybe not necessarily in that order, depends on the needs of your business, right? [10:18.590 --> 10:22.230] Think about the business that you're trying to secure. [10:22.470 --> 10:27.490] Think about the employees, what's their security awareness, right? [10:27.870 --> 10:35.230] And again, the employee training and awareness, this is probably where you're going to get that enforcement mechanism as well. [10:38.180 --> 10:42.320] Once you've got your policy nailed down, then we can start talking about people. [10:42.740 --> 10:45.040] Still not at technology, right? [10:45.040 --> 10:46.900] You want to go to technology? [10:46.900 --> 10:47.740] We'll get there. [10:48.200 --> 10:49.440] We got to do people, right? [10:49.440 --> 10:54.740] If we take a look at the people in our organization, they are our weakest link. [10:55.000 --> 11:01.600] If you ask the WEF, as much as 95% of breaches have some sort of human factor at their beginning. [11:02.800 --> 11:07.680] Verizon, DBIR, if you haven't read it, read it every year. [11:07.880 --> 11:09.940] There is great information in there. [11:10.780 --> 11:18.980] Anywhere from 72 to 76% of breaches investigated by Verizon start with some sort of human factor. [11:19.920 --> 11:22.740] People are our biggest attack surface. [11:23.000 --> 11:26.760] So get your training in place, get your testing in place, right? [11:26.760 --> 11:34.900] This will be far more effective in protecting your business than any technology you take a look at. [11:34.900 --> 11:39.760] Smart employees are the key to a secure business. 
[11:41.580 --> 11:44.180] Be ready to show your work, right? [11:44.180 --> 11:50.740] And we talked about that list of things at the beginning of what you need to do at the business. [11:50.920 --> 11:55.380] In this case, from a testing perspective, be ready to show your work, right? [11:55.380 --> 12:04.820] Have those baselines of phishing tests for your employees and show progress, show it to the board, show it to leadership, right? [12:04.820 --> 12:12.720] This is how you make sure that the business understands the value of your security practice. [12:15.580 --> 12:17.580] All right, we can talk about technology now. [12:18.380 --> 12:21.160] So now we're talking about technology. [12:21.160 --> 12:23.620] We've got the people in place, we've got policy in place. [12:24.760 --> 12:31.940] Now we've got to think about priorities from, again, a business perspective and your perspective, right? [12:33.700 --> 12:35.900] Single vendor, best in breed. [12:35.900 --> 12:41.980] If you're at a manufacturing company, small to mid-sized manufacturing company, probably don't have the budget for best in breed. [12:42.140 --> 12:42.940] Maybe you do. [12:42.960 --> 12:44.600] Maybe it's in aerospace manufacturing. [12:44.720 --> 12:45.500] I don't know. [12:46.320 --> 12:49.680] That's all the questions you have to ask yourself is what can we do here? [12:49.780 --> 12:51.000] What do we have? [12:51.000 --> 12:52.140] What assets? [12:52.140 --> 12:53.040] What gaps? [12:55.560 --> 12:56.480] Should you build? [12:56.480 --> 12:58.220] Should you buy, right? [12:58.580 --> 13:01.080] MSSP, managed security service provider. [13:01.240 --> 13:02.560] Or should you build a team? [13:03.480 --> 13:07.140] Me personally, you know, I talked about preferences at the beginning there. [13:07.240 --> 13:08.480] I'd rather build. [13:08.560 --> 13:10.200] I want that control. [13:10.360 --> 13:13.060] I think most security professionals want that control. 
[13:13.480 --> 13:17.480] MSSPs are dirty words in a lot of security offices that I've worked in. [13:19.220 --> 13:21.340] But what does the company want? [13:21.360 --> 13:22.540] What does leadership want? [13:22.540 --> 13:23.900] You may not have a choice. [13:27.330 --> 13:29.710] Don't be afraid to challenge historical norms. [13:29.710 --> 13:40.310] I walked into an environment several years back, and they had Cisco antivirus on all the endpoints. [13:40.750 --> 13:43.970] Old school Microsoft EDR. [13:44.110 --> 13:45.190] It wasn't even EDR. [13:45.190 --> 13:47.810] Microsoft Defender on the servers. [13:48.710 --> 13:50.050] Personal preference. [13:50.050 --> 13:57.190] That was before Microsoft really shoved a ton of money into AV, and they just weren't good yet. [13:57.450 --> 13:59.070] Additionally, personal preference. [13:59.070 --> 14:03.510] I didn't want to be in two interfaces if I had an AV alert. [14:03.570 --> 14:07.730] I wanted to be able to correlate in one interface what's going on in my environment. [14:07.770 --> 14:11.370] So I said, let's get AV on everything, the same AV. [14:11.890 --> 14:20.690] And within hours, one of the servers had been flagged as having a Bitcoin miner on it. [14:21.170 --> 14:21.970] Cool. [14:21.970 --> 14:22.990] Big win. [14:23.250 --> 14:24.010] So what do I do? [14:24.010 --> 14:25.050] I go to sell it. [14:25.050 --> 14:26.570] I tell the other IT individual. [14:26.570 --> 14:27.730] I tell leadership. [14:27.730 --> 14:34.510] As I'm talking to the other IT, one of the server techs is like, wow, you found what? [14:34.910 --> 14:39.130] Apparently, they had been having issues with performance on that server for months. [14:39.290 --> 14:40.530] Nobody could figure it out. [14:41.510 --> 14:42.750] Quick win, right? [14:42.750 --> 14:43.590] Simple. [14:43.670 --> 14:44.330] Simple. 
[14:46.030 --> 14:52.250] And of course, no talk at CypherCon would be complete without some sort of mention of artificial intelligence, right? [14:52.250 --> 15:04.330] So some of the more astute viewers probably noticed that there's something not quite right with most of the images in this presentation so far. [15:04.330 --> 15:06.610] That's because they were all made with artificial intelligence. [15:07.690 --> 15:09.630] I'm not saying artificial intelligence is bad. [15:09.630 --> 15:10.810] Quite the opposite. [15:10.850 --> 15:14.450] I'm just saying you have to be careful with how you use it, right? [15:14.450 --> 15:16.630] Images are weird. [15:16.630 --> 15:24.930] Some people might have heard this issue with trying to get AI to generate a completely full glass of wine overflowing. [15:24.930 --> 15:26.130] Just couldn't do it. [15:26.430 --> 15:28.330] It had no reference on the Internet. [15:28.330 --> 15:29.890] It couldn't do it. [15:29.910 --> 15:33.850] Half full, three-quarter full, overflowing, nothing, right? [15:33.850 --> 15:36.010] So be careful with images. [15:36.650 --> 15:40.170] Text, on the other hand, AI is great. [15:40.630 --> 15:44.590] We just had an active security event happening. [15:44.590 --> 15:48.570] Our users were being attacked via SMS phishing not that long ago. [15:48.970 --> 15:50.570] I didn't have a canned e-mail. [15:50.570 --> 15:51.270] Shame on me. [15:51.270 --> 15:53.470] But AI is a rescue. [15:54.090 --> 16:02.130] Generate for me an e-mail to my team that says there's an active SMS phishing attack and tips to keep them safe. [16:02.290 --> 16:08.430] Within seconds, I had a canned e-mail that I could edit quickly, send off to the business. [16:08.430 --> 16:11.830] CEO e-mailed me back afterwards saying thank you, right? [16:11.830 --> 16:14.250] AI is awesome if you use it right. [16:20.120 --> 16:23.740] Another use of AI, go back to the policies a little bit here. 
[16:24.380 --> 16:32.000] You think back not that long ago, if you walked into an environment and said, hey, I need a new security policy, what do we do? [16:32.800 --> 16:38.660] Hop on the Internet, pick your browser of choice, pick your search engine of choice, start punching in. [16:38.660 --> 16:41.020] Hey, give me an incident response policy. [16:41.020 --> 16:50.620] Scour the Internet and find a bunch of templates, download them, start reading through them, start synthesizing and putting it together for a template for your business. [16:50.780 --> 16:53.440] AI can do all of that upfront work for you now. [16:53.540 --> 16:54.740] I do it regularly. [16:54.840 --> 16:58.040] I need a new policy for work from home, BYOD. [16:58.440 --> 17:02.280] Hey, Copilot, hey, ChatGPT, I need a policy. [17:02.680 --> 17:03.640] And it will give you a template. [17:03.640 --> 17:08.120] It does all that scouring for you and then you can customize it for your business. [17:15.830 --> 17:17.290] Build the right team. [17:19.230 --> 17:32.610] As you're thinking about that gaps and assets as you had at the beginning there, eventually you're going to have to start building a team to support that. [17:32.610 --> 17:35.270] And, again, business may dictate this. [17:35.270 --> 17:36.190] Do you have the budget? [17:36.190 --> 17:38.070] Do they have the foresight? [17:39.770 --> 17:43.250] Before you start thinking about that team, think about yourself. [17:43.250 --> 17:43.950] Who are you? [17:43.950 --> 17:44.670] What are your strengths? [17:44.670 --> 17:45.630] What are your weaknesses? [17:46.370 --> 17:47.250] Are you a talker? [17:47.250 --> 17:48.130] Are you a doer? [17:48.190 --> 17:50.510] Do you want to be a hands-on keyboard person? [17:50.670 --> 17:58.790] Or do you want to be that leader that's going to be guiding the direction and the future of that department? 
[18:01.820 --> 18:08.280] And once you figure out what your strengths and weaknesses are, then you can start thinking about who do you need to support you. [18:08.880 --> 18:17.940] Who is that magic set of people that's going to make you as successful as possible? [18:19.660 --> 18:21.440] Man, I love this image. [18:23.080 --> 18:24.720] There's some good ones. [18:26.260 --> 18:28.080] And, again, write it down. [18:28.300 --> 18:30.680] Write it down. [18:32.980 --> 18:36.980] Keep track of the things that you've done. [18:36.980 --> 18:44.940] Because I guarantee you, it comes to that annual review, and you're thinking, over the last 12 months, what did I accomplish? [18:46.080 --> 18:49.940] You might think of the last month, maybe two, if you're lucky, three. [18:50.240 --> 18:53.700] If you didn't write it down, good luck remembering what you did 12 months ago. [18:54.080 --> 18:55.280] So write it down. [18:58.500 --> 19:00.780] Also, metrics and benchmarking. [19:00.780 --> 19:02.920] This is critical. [19:02.920 --> 19:07.140] Again, thinking about the business, thinking about what they need. [19:07.500 --> 19:08.840] Think about success. [19:09.160 --> 19:12.480] Success for you, success for the business, success for the department. [19:14.340 --> 19:17.220] And as you're doing this, think also about your audience. [19:17.540 --> 19:19.900] What do you need to know that you're being successful? [19:19.900 --> 19:23.940] What do you need to know that your team is doing well? [19:25.220 --> 19:28.260] But also think about what does the business need to know? [19:28.260 --> 19:34.200] What do they need to know to say, yes, that is an awesome security team. [19:34.200 --> 19:40.540] They are keeping us safe and making it so that we can do business better. [19:42.160 --> 19:48.260] Because doing business better is what they want to do, and we have to be a part of that. [19:48.260 --> 19:52.400] We can't stand in the way of business for security. 
[19:52.400 --> 19:57.980] We have to figure out how to do business securely. [20:02.580 --> 20:09.980] And as you're talking to the business, as you're talking to leadership, this metrics, this benchmarking, this is critical. [20:10.160 --> 20:15.040] This is where you sell your program, everything that you've done, everything that you want to do. [20:15.040 --> 20:20.000] If you want to make sure that those purse strings stay open, this is where you do it. [20:28.150 --> 20:29.450] That's all I got. [20:29.450 --> 20:33.390] So, again, write it down. [20:34.030 --> 20:35.310] Keep track of it. [20:35.430 --> 20:37.090] Know what the business wants. [20:38.030 --> 20:41.810] And at the end of the day, you might have some success. [20:42.090 --> 20:42.710] Appreciate it. [20:42.710 --> 20:43.490] Questions? [20:55.870 --> 20:57.910] Managing expectations from leaders. [20:57.910 --> 20:58.930] Great question. [21:00.050 --> 21:07.010] So, a lot of times it's about getting ahead of that, right? [21:07.010 --> 21:08.990] You need to define it for them. [21:08.990 --> 21:13.070] Because if they're defining the expectations, you're going to get surprised. [21:13.270 --> 21:19.730] But if you're defining the expectations and telling them what success looks like, right? [21:20.090 --> 21:21.810] It's not a surprise then. [21:23.070 --> 21:26.990] You just got to control the narrative before it gets out of hand. [21:28.150 --> 21:29.470] Anyone else? [21:42.090 --> 21:48.270] The question is, how do you decide outsourcing versus using an internal staff? [21:48.270 --> 21:54.870] So, it all depends on what resources do I have available. [21:54.870 --> 21:58.910] Take stock of the skill sets of your staff. [21:58.910 --> 22:00.130] Ask them questions. [22:00.410 --> 22:02.990] Maybe they want to learn that skill set, right? [22:02.990 --> 22:05.810] Provide them opportunities to develop and grow. [22:06.310 --> 22:08.390] And if there's interest, great. 
[22:08.770 --> 22:13.330] But if you just don't have the skill set internally, then, yeah, you might have to take a look outside. [22:13.330 --> 22:19.110] But again, from a security perspective, most security professionals really want to grow that stuff in-house. [22:19.110 --> 22:21.010] They want to keep it close to the chest. [22:21.410 --> 22:26.550] And it's just nothing but frustration any time you have to deal with that external team. [22:27.590 --> 22:28.430] Thank you. [22:28.670 --> 22:29.430] Yes? [22:54.990 --> 23:04.290] Yeah, so the question is around how do you balance best-in-breed versus a single vendor? [23:04.290 --> 23:12.210] So, for me personally, I really like to get as close to that single pane of glass as I can. [23:12.210 --> 23:18.470] Because if I'm bouncing all over, checking logs over here, logs over there, that's time wasted, right? [23:18.470 --> 23:26.470] If I'm fighting an active attacker, the faster I can get to the root of the issue and figure out how they got in, the more effective I'm going to be. [23:26.470 --> 23:29.430] Mean time to respond, mean time to detect, right? [23:29.790 --> 23:35.290] MITRE ATT&CK chain, all those fun models that we use to figure that out. [23:35.870 --> 23:39.190] So the closer I can get to that single pane of glass, that's really what I'm looking for. [23:39.190 --> 23:45.290] And if I can get there with a single vendor, I may investigate that. [23:45.290 --> 23:53.330] If I can get there with close to best-in-breed, but still talk to each other, I'll go that route, too. [23:53.330 --> 23:59.450] To me, it's more about how do my different tools talk to each other? [23:59.490 --> 24:04.130] And if I need some sort of orchestration over the top of that, I'll go that route. [24:04.130 --> 24:08.890] But native communication between them is the core to that for me. [24:09.570 --> 24:10.710] Anyone else? [24:10.710 --> 24:11.370] Yes. [24:14.310 --> 24:15.670] Convince them otherwise. 
[24:16.210 --> 24:17.850] Or pivot, right? [24:17.850 --> 24:19.010] There's always a backup plan. [24:19.010 --> 24:20.530] Always have a backup plan. [24:20.530 --> 24:27.450] You have 1-3-5, I'm going this way, and I'm going to do my darndest to convince leadership that this is the correct way. [24:28.790 --> 24:38.730] And if they say no, well, then I'll just kind of come around this way, and I'll still get there, at least from a process perspective or a goal perspective. [24:38.730 --> 24:43.130] It may look different than I initially thought, but I'll still get there. [24:44.150 --> 24:45.310] Anyone else? [24:54.710 --> 24:57.910] That's tough, because I'm actually fighting that right now. [24:59.910 --> 25:02.690] You have to ask a lot of questions, honestly. [25:03.510 --> 25:20.630] Because you need to get to the core of why they're pushing that direction, and if you can do that, you should be able to find a hook to say, yeah, I see what you're trying to do here, but if we go this way, right, we're going to get there, and we're going to do it my way, [25:20.630 --> 25:27.270] and we're going to do it the right way, and not what this vendor over here has been putting a bug in your ear about, right? [25:29.370 --> 25:29.970] Awesome. [25:29.970 --> 25:30.650] Great questions. [25:30.650 --> 25:31.450] Anyone else? [25:33.570 --> 25:34.590] Well, thank you for coming. [25:34.590 --> 25:35.570] I really appreciate it. [25:35.570 --> 25:36.710] Appreciate your time. [25:37.810 --> 25:39.190] Enjoy the rest of CypherCon.