Lessons from the CrowdStrike outage

QPC Security - Breakfast Bytes

MP3•Pagina principale dell'episodio

32:08

Did you know there’s an actual science to uncovering your hidden genius? It’s not about filling out a “dream job” worksheet—it’s about understanding how your brain is wired, identifying your natural aptitudes, and using them to thrive. This isn’t just a self-discovery exercise. It’s a game-changer for your career, your relationships, and how you show up in the world. Betsy Wills and Alex Ellison are redefining how we approach career discovery, proving that finding the right path isn’t just about landing a job—it’s about creating a life that aligns with who you actually are. ✅ Betsy Wills – Cofounder of YouScience, a groundbreaking psychometric assessment platform reshaping how we understand our talents. She’s also the Director of Marketing & Branding at Diversified Trust and a frequent lecturer at Vanderbilt University and NYU’s Stern School of Business. ✅ Alex Ellison – Founder of Throughline Guidance, a global college and career counseling practice. She’s a sought-after writer, speaker, and expert in college readiness and career development. ✅ Together, they co-authored Your Hidden Genius: The Science-Backed Strategy to Uncovering and Harnessing Your Innate Talents. Discovering your hidden genius isn’t just about career success—it’s about tapping into what makes you, you . Connect with Betsy & Alex: Website (Free Downloads): www.yourhiddengenius.com Book: https://www.harpercollins.com/products/your-hidden-genius-elizabeth-m-willsalexandra-ellison Related Podcast Episodes: How To Be You, But Better with Olga Khazan | 288 Finding Purpose Through Human Design with Emma Dunwoody | 228 195 / Finding (And Using) Your Voice with Amy Green Smith Share the Love: If you found this episode insightful, please share it with a friend, tag us on social media, and leave a review on your favorite podcast platform! 🔗 Subscribe & Review: Apple Podcasts | Spotify | Amazon Music…

circa un anno fa 29:18

As we delve into the conversation, Jeff and I explore the core issues surrounding CrowdStrike, including its lack of trustworthiness as a counterparty and the legal implications of delayed security updates. We discuss the broader impacts of the incident, such as the staggering $5.8 billion in losses faced by companies worldwide, and discuss how technology decisions could have eliminated the impact.

Through engaging storytelling, Jeff and I break down the complexities of cybersecurity, offering practical solutions and strategies for organizations to consider. From the importance of testing updates to the choice of operating systems for critical infrastructure, this episode is packed with valuable takeaways for IT professionals and business leaders alike.

Join us as we navigate the nuances of the CrowdStrike controversy, highlight the lessons learned, and provide actionable advice to help you safeguard your organization against similar pitfalls. Whether you're a seasoned cybersecurity veteran or just starting your journey, this episode of Breakfast Bytes is a must-listen.

95 episodi

#Tech #qpcsecurity #MBA #Business News #Business #News

QPC Security - Breakfast Bytes

Lessons from the CrowdStrike outage

QPC Security - Breakfast Bytes

published circa un anno fa

MP3•Pagina principale dell'episodio

95 episodi

#Tech #qpcsecurity #MBA #Business News #Business #News

Tutti gli episodi

QPC Security - Breakfast Bytes

1
Mastering Operational Maturity: The Secret to AI Success 27:31

6 weeks fa27:31

27:31

Welcome to another episode of Breakfast Bytes with Felicia King. In this gripping sequel, Felicia delves deeper into the concept of operational maturity and its vital role in driving organizational profitability and AI readiness. If you've ever wondered why achieving consistency in management across departments can be challenging, this episode sheds light on the ubiquitous struggles faced by organizations regardless of size or industry. Drawing from her extensive 30-year career, Felicia shares eye-opening, real-world anecdotes that reveal the tangible barriers to operational maturity. Imagine a world where processes run smoothly, unaffected by the presence or absence of key personnel. A world where toxic workplace drama is curtailed by structured training, setting boundaries for employees, and instilling a culture of accountability. Through fascinating real-life examples and practical solutions, Felicia paints a vivid picture of how a lack of training and consistency can cause unwarranted drama and productivity loss, and how a mature operational framework can prevent such chaos. Managers play a crucial role, and Felicia discusses how they're uniquely positioned to counteract drama, empower their teams, and facilitate training that aligns with company standards and processes. As AI adoption becomes increasingly crucial, Felicia emphasizes that a solid foundation of operational maturity is not merely beneficial but essential. This episode not only highlights the risks of neglecting these elements but also inspires action by showcasing how adopting and enforcing standards can transform organizational culture, improve profitability, and ensure readiness for the technological advancements AI brings. Felicia King emphasized the importance of operational maturity in driving profitability and readiness for AI adoption, highlighting the risks of not achieving it and the need for a shared responsibility model. She discussed various issues such as misconfigured phone systems, lack of accountability, and the negative impact of a sales-centric culture on employee retention. Felicia also stressed the importance of proper training, decoupling roles from individuals, and moving away from loyalty to individuals towards a more role-based approach to improve process documentation and prevent businesses from becoming overly reliant on one person. Operational Maturity and AI Readiness Felicia King discussed the importance of operational maturity in driving profitability and readiness for AI adoption. She emphasized the risks of not achieving operational maturity, citing her 30 years of experience working with various organizations. Felicia also highlighted that most organizations face similar challenges and need to undertake the same actions to improve operational maturity. She then hinted at providing solutions to these problems in future discussions. Operational Maturity and Its Consequences Felicia discussed the importance of operational maturity in organizations, emphasizing the need for consistency, standards, and policies. She used real-world examples to illustrate the consequences of a lack of operational maturity, such as wasted payroll and toxic drama. Felicia stressed the importance of training and accountability in preventing such issues. She also highlighted the role of managers in proactively managing toxic drama and ensuring they have a solid command of the technical systems used in their departments. Felicia concluded by emphasizing the need for a shared responsibility model and the importance of using the resources provided by the company, such as the knowledge base. Misconfigured Extension Causes Toxic Drama Felicia discussed an issue with an employee who misconfigured their phone system extension, causing problems. The employee was not held accountable for their behavior, and instead wrote a manual to guide others on how to avoid the same mistake. Felicia highlighted the toxic drama that can arise when employees are not held accountable for their actions, and the potential for further issues if the problem is not addressed. Accountability and Adhering to Company Policies Felicia discussed a problematic situation involving an employee who caused weeks of disruption by forwarding business calls to an external individual's personal cell phone. This led to potential legal issues and a complaint against the company. Felicia emphasized the importance of accountability and adherence to company policies and processes. She also highlighted the issue of blaming IT departments for poor performance, which she described as a cancer that can negatively impact an organization's profitability. She suggested that managers should take responsibility for knowing what is right and wrong, and not be bamboozled by employees' claims of IT-related issues. Improving Accountability and Productivity Training Felicia discussed the importance of proper training and accountability in the workplace. She highlighted the issue of employees not utilizing company-provided technology effectively, leading to inefficiencies and a lack of business continuity. Felicia suggested that managers should create development plans for employees, utilizing company training resources, to improve accountability and productivity. She also pointed out the negative impact of a sales-centric culture on employee retention and the overall payroll. Decoupling Roles, Ensuring Business Continuity Felicia discussed the importance of decoupling roles from individuals in organizations to ensure continuity and efficiency. She argued that job rotation and quality control measures can improve process documentation and prevent businesses from becoming overly reliant on one person. Felicia also emphasized the need for organizations to move away from loyalty to individuals and towards a more role-based approach. She suggested that smaller businesses are better positioned to achieve operational maturity due to their ability to make decisions and set policies without needing a committee-based approach.…

QPC Security - Breakfast Bytes

1
Driving Cultural Change Toward Profitability and Operational Maturity 27:32

6 weeks fa27:32

27:32

In this enlightening episode of Breakfast Bytes, Felicia King draws upon her three decades of business experience to guide us through the crucial steps organizations must take to flourish amidst today's challenges. With a focus on operational maturity, Felicia unravels the strategies businesses need to implement to harness the power of AI without compromising data security. Explore the pitfalls of inadequate governance in the age of rapidly advancing technologies and discover why the absence of a robust data policy could be detrimental. Felicia also delves into the cultural shifts required within organizations to ensure not only survival but also increased profitability. As businesses navigate generational labor market shifts and the complexities of AI integration, this episode serves as a narrative roadmap. Listen in to learn how to foster a culture that supports both employee growth and organizational resilience. Summary Addressing Labor Challenges With AI Felicia King discussed the challenges faced by businesses in finding reliable, capable, and dependable employees. She highlighted the increasing use of robotics and AI as a response to these challenges, and the need for organizations to decouple their business processes from individuals. Felicia emphasized the importance of operational maturity for organizations to effectively utilize AI, and the lack of executive management wanting to put constraints around AI. She also noted that sales executives often drive the agenda in organizations, which can lead to a lack of focus on protecting company assets and customer data. Unregulated AI Usage Risks and Solutions Felicia discussed the dangers of unregulated AI usage in an organization. She emphasized the importance of having company policies and employee training to ensure proper use of AI technology. She stressed the risks of losing company data and increasing legal liabilities when AI is not controlled and its boundaries are not set. Felicia also highlighted the need for security measures like data loss prevention and digital rights management in AI usage. She noted the difficulty and time-consuming nature of implementing such measures, and the need for a paradigm shift in an organization's approach to technology. Data Retention Policies Drive Operational Maturity Felicia discussed the importance of data retention policies, data classification, and data sensitivity labels in driving operational maturity and cultural change within a company. She emphasized that these measures are crucial for an organization's readiness for AI and can lead to increased profitability. Felicia also highlighted the challenges faced by Generation Z workers due to their habits, which can negatively impact their employability. She noted that some employers have found it more cost-effective to deal with the gap of not having an employee than to manage the negative impact of an unprofitable employee. Operational Maturity in AI Adoption Felicia discussed the importance of operational maturity in organizations, emphasizing that it is crucial for adopting AI without risking data and customer safety. She highlighted the need for policies, standards, processes, and key performance indicators (KPIs) to drive cultural change and achieve higher profitability. Felicia also warned against solely focusing on metrics like time to close a ticket, as it could lead to ignoring potential issues. She suggested that operational maturity is necessary to prevent employees from becoming the biggest risk factor. Felicia concluded by stating that she would provide more tangible steps to achieve operational maturity in a future discussion. Addressing Common Business Challenges Felicia discussed her extensive experience in consulting for over 450 businesses, highlighting common problems such as underutilized resources, inconsistent outcomes, and compliance issues. She emphasized the importance of maintaining consistent outcomes, adhering to compliance requirements, and avoiding policy violations. Felicia also stressed the need for businesses to make tough decisions, such as firing underperforming employees, to ensure operational maturity and avoid adverse impacts on the organization. Understanding Monthly Expenses and Profitability Felicia discussed the importance of understanding the monthly expenses per knowledge worker employee, excluding salary, which can range from $300 to $400 monthly. She emphasized that businesses should aim to cover total per-employee expenses three to four times over to ensure profitability. Felicia also highlighted the shared responsibility model for profitability, stressing the need for both the organization and employees to improve their operational maturity and skills. She concluded by noting that this approach is not only beneficial for profit-making companies but also for nonprofits seeking to provide wage increases while staying within budget.…

QPC Security - Breakfast Bytes

1
Mastering the AI Landscape: A Guide for Businesses 27:55

10 weeks fa27:55

27:55

In this episode of Breakfast Bytes, Felicia King delves into the intertwining worlds of AI and technology adoption for businesses. She sheds light on how small and midsize businesses can leverage AI safely and the pivotal role of adopting the right technology. Drawing from three decades of experience, Felicia explores real-world scenarios, such as a 100-person law firm facing a potential $9 million data risk, highlighting the necessity of robust data governance and security measures. Listeners will gain insight into the vital decisions that executive management teams must make to remain competitive. Felicia discusses the importance of informed risk management decisions, advocating for comprehensive training, data governance, and enforcement to empower employees and safeguard company and customer data. Throughout the episode, Felicia emphasizes the need for businesses to engage with the right advisors, particularly in the realm of AI strategy, and not just rely on IT departments. By sharing real-world examples, she illustrates the significant risks and costs associated with inadequate guidance, and offers solutions for businesses to thrive in an ever-evolving technological landscape.…

QPC Security - Breakfast Bytes

1
Survive and Thrive in 2025: Empowering Your Team with Continuous Learning 28:55

15 weeks fa28:55

28:55

In this episode of Breakfast Bytes, join Felicia King as she sits down with Chris Gross, the Director of Product at Breach Secure Now, to explore the revolutionary impact of continuous education in cybersecurity and productivity. Discover how Breach Secure Now's unique approach to training empowers managers and employees alike to enhance organizational culture, productivity, and security awareness. Learn why weekly micro-trainings are more effective than traditional annual methods, transforming end-users into informed, accountable team members. Chris shares the insights into the seamless integration of AI and security training with platforms like Microsoft Teams, and how this strategy keeps vital information at the forefront, ultimately cultivating a proactive workplace environment. Tune in to understand the significant role of employee empowerment in reducing risk, improving efficiency, and creating happier workplaces, while breaking down the traditional barriers of IT-led transformation. Finally, uncover how simple, actionable tools like the Security Risk Assessment can guide your organization in achieving operational maturity by 2025. Related shows: https://qpcsecurity.podbean.com/e/operational-maturity-practical-example/ https://qpcsecurity.podbean.com/e/why-you-need-a-cto-avoiding-costly-mistakes-in-document-management/ Improving Operational Maturity for 2025 Felicia and Chris discussed the importance of improving operational maturity for businesses to survive and thrive in 2025. Felicia emphasized the need for training, an AI strategy, and policies to prepare for competition and potential threats. She also highlighted the importance of implementing technical controls to protect company assets and the need for a cultural shift and policy management. Felicia suggested that a comprehensive tool like Breach Secure Now could be beneficial in this process. Chris agreed with Felicia's points, and they both agreed that a business needs to function as a whole, with all components working simultaneously, to be successful. Implementing Effective Cybersecurity Measures Felicia and Chris discussed the importance of implementing effective cybersecurity measures in organizations. They emphasized the need for a cultural shift within companies to prioritize cybersecurity, which requires the support of executive management teams. They also highlighted the role of AI tools like Copilot in enhancing cybersecurity, but noted that these tools are only effective if used in conjunction with proper data classification, retention, and management practices. They concluded that partnering with the right MSP and using the right tool set are crucial for successful implementation. Implementing Effective Strategies for 2025 Felicia and Chris discussed the importance of implementing effective strategies for businesses in 2025. Felicia highlighted the need for policies, operational maturity improvement, AI readiness, and security risk assessment. Continuous Education and Accountability Chris and Felicia discussed the importance of continuous education and accountability in the technology world. They agreed that traditional once-a-year cyber training is ineffective and that regular updates are necessary. Felicia highlighted the effectiveness of Breach Secure Now (BSN) in improving overall organizational awareness and driving accountability. She also emphasized the importance of empowering managers to manage their teams effectively. Chris and Felicia discussed the integration of BSN with Microsoft Teams and the introduction of AI training in shorter segments called Nanos. They agreed that educating employees on how to use technologies effectively, proficiently, and securely is crucial for business success. Cyber Security Focus and Training Tools Felicia commended the team for the accuracy of their material, noting a high success rate. She also expressed her appreciation for the platform's newsletters and a cyber security assessment tool, which she has incorporated into her job candidate assessment process. Chris emphasized the importance of demonstrating a cyber security focus culture and providing education to new employees. Felicia further highlighted the effectiveness of the platform's training tools in promoting cultural change, particularly the integration with Teams and the optional nano trainings. Improving Cyber Posture and Employee Training Felicia discussed the importance of improving the overall cyber posture of employees by presenting solutions directly to them, rather than treating it as an IT problem. She highlighted the use of Keeper Security's Breach Watch component, which alerts users to potential security issues. Chris agreed, emphasizing the need for employees to change their passwords immediately after a data breach and to undergo additional training to protect against sophisticated scams. He stressed the importance of continuous education and staying updated on the latest scams to mitigate risks. End User Empowerment and Upskilling Felicia and Chris discussed the importance of end user empowerment in their organization. They emphasized the need for tools that implement the right process, rather than relying on traditional methods that involve sending reports to the IT department and chasing managers for time from end users. They highlighted the effectiveness of their current system, which provides unique and actionable data to each individual end user, leading to better accountability and reduced friction. They also discussed the importance of upskilling employees to improve job performance and retention, and the potential for a positive culture within the organization. Felicia shared a personal anecdote about a struggling office that was not utilizing the available training resources, highlighting the cost-effectiveness of investing in employee training. Training, Accountability, and Workplace Culture Chris and Felicia discussed the importance of training and accountability in the workplace. They agreed that short, regular training sessions of 5 to 10 minutes a week are more effective than longer, less frequent ones. They emphasized the need for a cultural attitude towards training and the expectation that employees will use tools and follow policies competently. They also highlighted the benefits of rewarding employees who go above and beyond in their training. Felicia added that promoting a 15-minute daily training routine can help reduce disciplinary issues and improve payroll efficiency. They concluded that training should be bite-sized, fun, and not overwhelming, with a scoring system to track progress. Employee Training and Cybersecurity Assessment Felicia and Chris discuss the importance of employee training and proper tools for managers to assess productivity. Felicia emphasizes the value of the Security Risk Assessment product, which helps organizations identify deficiencies and track progress towards improving cybersecurity. Chris adds that the product provides a clear path and templates to address recommendations gradually, rather than overwhelming organizations with too many changes at once. They agree that the risk assessment is beneficial for both HIPAA-regulated and non-HIPAA entities, as it facilitates a comprehensive understanding of an organization's security posture.…

QPC Security - Breakfast Bytes

1
Survive and Thrive in 2025 27:16

18 weeks fa27:16

27:16

In this inspiring episode of Breakfast Bytes, Felicia King delves into the pressing strategies businesses need to adopt to thrive in the year 2025. With intriguing insights, Felicia articulates why companies must stay competitive and adapt to the ever-changing landscape—focusing on the integral role of a Chief Technology Officer and the imperative cultural shift towards continuous staff training. Felicia sheds light on the complexity of finding competent talent, the importance of establishing and enforcing effective policies, and the necessity of blending technology with human oversight. She compellingly emphasizes that regardless of workforce demographics, training needs to become a staple and an evaluated performance metric. The episode is rich with anecdotes and expert advice, warning against the risks of ignoring technological and cultural progression, even as it highlights the detrimental impact of inadequate policy management and technical incompetency in various sectors. Felicia’s narrative provides actionable insights into aligning your organizational structure for maximum efficiency and effectiveness in the looming future. Quick recap Felicia King emphasized the importance of having a Chief Technology Officer (CTO) and a cultural shift towards ongoing training for staff to ensure compliance and productivity in businesses. She also stressed the need for effective utilization of technology, data classification, and vendor risk assessments, and warned against the lack of technical aptitude and security capabilities in marketing agencies. Lastly, she highlighted the importance of executive management teams taking an active role in managing risks and issues within their organizations, and the need for strategic adoption of technology and operational maturity. Next steps • Executive management team to establish a partnership with a qualified CTO/CISO for strategic technology guidance and risk management. • HR/Leadership to implement a mandatory ongoing training program for all staff, with accountability measures tied to performance evaluations. • IT team to develop and maintain a risk register and project backlog, with monthly budget allocation for addressing identified issues. Summary Surviving 2025: CTOs, Training, and Payroll In the meeting, Felicia King discussed the key factors for businesses to survive in 2025. She emphasized the importance of having a Chief Technology Officer (CTO) to provide leadership and guidance on technology and policy matters. Felicia also stressed the need for a cultural shift towards ongoing training for staff, regardless of age, to ensure compliance with company policies and improve productivity. She warned against the misconception that a younger workforce automatically solves these issues. Felicia concluded by urging businesses to view their payroll as their primary inventory and to efficiently utilize it to avoid wasting resources. Lack of Training and Policy Enforcement Felicia shared a scenario where despite providing extensive training, staff members failed to use a technological system effectively due to a lack of enforced policy and cultural shift. She emphasized that if a manager had advocated for a policy and cultural shift, the staff could have taken just 15 minutes a few times a week to move the needle on their problem. However, because the manager did not prioritize training, the staff did not read the instructions and missed out on efficient use of the system. Felicia concluded that if everything else is secondary to sales, as the manager had told the staff, then training is not considered important. Respecting Employers and AI Implementation Felicia emphasized the importance of respecting employers, coworkers, and company policies for efficient technology utilization. She highlighted the need for understanding best practices and avoiding unnecessary tech support requests. Felicia also stressed the importance of data classification, retention, and policy management systems for AI usage and adoption. She underscored the necessity of a combination of policies, training, technical controls, and accountability to ensure successful implementation and utilization of AI in 2025. Marketing Agencies' Technical Limitations Felicia expressed her belief that marketing agencies struggle to execute effective marketing services due to a lack of technical aptitude and security capabilities. She attributed this to the agencies' refusal to hire qualified CTOs or CSOs, and their lack of technical training. As a result, they lose business due to ineffective marketing strategies and poor security practices. Vendor Risk Assessments for All Felicia discussed the importance of vendor risk assessments, highlighting that they are not only relevant to tech companies but also to law firms, accounting firms, medical offices, and investment brokerages. She mentioned that her company, QPC Security, offers vendor risk assessments and counterparty risk assessments, with a baseline cost of $300. Felicia emphasized that failing a basic vendor risk assessment can indicate serious issues within an organization's IT infrastructure. Addressing Competence in Organizations Felicia expressed her concerns about the lack of competence in various organizations, regardless of their size. She cited examples of IT service providers and larger companies where the collective intelligence of the employees was insufficient to identify and address public-facing security risks. Felicia emphasized the importance of having competent professionals in IT roles and the need for executive management teams to surround themselves with objective, knowledgeable advisors rather than yes-men. She concluded by urging the need for deep paradigm shifts in 2025 to remain competitive. Maintaining Risk Register and Project Backlog Felicia discussed the importance of maintaining a risk register and project backlog, and the need for organizational commitment to allocate time and budget for these tasks. She emphasized the necessity of regular meetings with the designated CTO and CISO, ideally quarterly or monthly, to discuss planning and initiatives. Annual meeting frequency is insufficient. Felicia also suggested a SWAG number approach for budget allocation, with the goal of completing a certain amount of work each month to address issues on the project backlog and risk register. She stressed the importance of teamwork and collaboration in managing these tasks. Executive Management's Active Risk Role Felicia emphasized the importance of executive management teams taking an active role in managing risks and issues within their organizations. She warned against the practice of delegating and abdicating responsibilities, which often leads to poor decision-making and unresolved problems. Felicia shared an example of a client who finally resolved a long-standing issue after the CEO took the time to have a crucial discussion. She stressed that the executive management team should be willing to have meetings and be informed about risks, even if they don't become experts in the subject matter. Strategic Risk Management and Technology Felicia discussed the importance of managing risk and adopting technology strategically. She emphasized the need for a policy and standard around printer technologies, as well as the adoption of wireless technologies, to avoid interference and reliability challenges. She stressed the importance of operational maturity and the need for a partnership with a CTO to achieve this. Felicia also warned that failure to make cultural shifts, adopt AI correctly, and implement technical controls could lead to a loss of competitiveness and potentially even business closure by the end of 2025.…

QPC Security - Breakfast Bytes

1
The Hidden Risks of Data Centers: A Deep Dive with Dr. Eric Woodell 1:23:33

23 weeks fa1:23:33

1:23:33

In this episode of Breakfast Bytes, host Felicia King sits down with Dr. Eric Woodell, founder of Ameris and a leading expert in data center infrastructure and operations compliance. Dive into the world of data centers as Dr. Woodell reveals the shocking truths behind their operations and the risks that could be lurking behind the scenes. Dr. Woodell shares his journey from nuclear submarines to becoming a key player in the data center industry, highlighting his relentless pursuit of truth and transparency. Discover why he believes that the current standards for compliance, such as SOC 2, may be nothing more than a façade, and how his groundbreaking audit program can change the game. Explore the complexities of counterparty risk management and the importance of having real control over your data infrastructure. Learn about the potential pitfalls of relying on colocation facilities and public cloud services, and why owning your infrastructure might be the most cost-effective and secure option. Join Felicia and Dr. Woodell as they challenge conventional wisdom, offering a fresh perspective on data center management and the critical need for accountability. Whether you're an IT professional, a business decision-maker, or just curious about the hidden workings of the digital world, this episode promises to engage and enlighten. Quick recap Dr. Eric Woodell and Felicia discussed the issues with the co-location industry, the importance of strong leadership in business, and the complexities and costs associated with maintaining multiple sites for redundancy. They also emphasized the need for proper documentation and certification in critical infrastructure and cybersecurity, and the importance of evaluating risks in business decisions. Lastly, they proposed the need for a significant industry alert regarding the unreliability of certain security standards and the development of a new standard in risk management. Addressing Industry Issues and Certification Process Dr. Woodell discussed the issues with the co-location industry, particularly the lack of proper maintenance and potential for fraud. He mentioned developing an audit program to track these issues but noted that the problem persisted. Eric criticized the SOC2 certification process, suggesting it was designed to generate fees and lacked legitimacy. He highlighted the inadequacy of the current certification process for cyber security, emphasizing the need for pressure to rectify these issues. Eric and Felicia also discussed the lack of a quality control process in their current system, with Eric sharing an example of a compliance issue at Equinix. The conversation ended with Eric expressing concerns about the legitimacy of a situation where a company lost their maintenance records due to a dispute with a labor provider. Addressing Counterparty Risk in Vendor Evaluation Felicia and Eric discuss the importance of addressing counterparty risk when evaluating vendors, particularly related to data extraction and contract terms. They criticize companies for writing contracts without clearly defining roles and responsibilities, leading to a lack of consequences for service disruptions. Felicia argues for the cost-effectiveness of owning and maintaining servers on-premise over using public cloud services. Eric agrees, acknowledging the potential for lower costs and better control with in-house IT management. They also discuss the challenges small to medium businesses face due to overreliance on public cloud services and the risks of data exposure from negligent co-location companies. Leadership, Waste, and Oversight in Business Eric and Felicia discussed the importance of strong leadership in business, using Apple as an example of a company that has thrived due to its leadership. They also shared their personal experiences of uncovering waste in organizations and the challenges of addressing it. The conversation then shifted to the issue of conflicts of interest and lack of oversight in the cyber security industry, with Equinix being cited as an example of stock manipulation and fraud. They also discussed the concept of 'unjust enrichment' and the lack of control and standards in the industry. The conversation ended with Eric sharing his positive experience with Vanguard, a company that was meticulous about compliance. Managing Multiple Sites and Vendor Complexity Eric discussed the complexities and costs associated with maintaining multiple sites for redundancy. He highlighted the exponential increase in complexity and costs as more sites are added, and the potential for introducing new problems. Eric also mentioned the frustration and indirect costs associated with dealing with multiple vendors. Felicia agreed, emphasizing the complexity of managing multiple vendors and the soft, indirect costs involved. They both agreed that having a small core set of sites, properly maintained, could be a more viable option. Eric pointed out the alarming rate of data center outages, likening it to the airline industry, and questioned why IT executives continue to pay for such unreliable services. Competent Assistance and Counterparty Risk Assessment Felicia and Eric discussed the importance of competent assistance in decision-making for clients in the industry, emphasizing the need for a CTO for contract review. They highlighted the issue of CEOs and CFOs seeking advice from friends rather than professionals, which can lead to legal issues and confirmation bias. The importance of independent audits and assessments in mission-critical facilities was also stressed, with Eric suggesting he could provide a solution for the lack of a standard for evaluating critical facility security. Felicia concluded the discussion by asking for Eric's recommendations for business decision-makers who want to better understand counterparty risk and make more informed decisions. Industry Alert and New Risk Management Standard Eric and Felicia discussed the need for a significant industry alert regarding the unreliability of certain security standards, particularly for critical facilities and cybersecurity. They highlighted the increasing scrutiny from insurance providers on third-party information security risk management and the importance of a high-quality CTO and CISO or a dedicated compliance manager. They also discussed the need for a new standard in risk management, particularly in the context of vendor and counterparty relationships, and agreed that the current approach was insufficient.…

QPC Security - Breakfast Bytes

1
Why You Need a CTO: Avoiding Costly Mistakes in Document Management 27:43

23 weeks fa27:43

27:43

In this riveting episode of Breakfast Bytes, host Felicia King delves into the often overlooked but crucial aspect of business technology: document management platforms. With a sharp focus on how organizations of all sizes can benefit from these systems, Felicia underscores the importance of operational maturity and strategic decision-making. Through compelling narratives and real-world examples, she illustrates the perils of inadequate technology leadership. From misguided IT directors to costly missteps, Felicia shares stories from her 30-year career, shedding light on the vital role a Chief Technology Officer (CTO) plays in safeguarding a company's resources and ensuring seamless technology integration. Listeners are invited to explore the intricacies of technology planning, from policy formulation to platform selection, and the far-reaching consequences of neglecting expert guidance. This episode is a must-listen for business leaders eager to avoid lighting money on fire and to achieve sustainable growth through informed technology investments. Quick recap Felicia King discussed the importance of document management platforms and the need for a technology executive in organizations of all sizes. She emphasized the significance of strategic architecture choices, operational maturity, and inclusive decision-making in implementing these platforms. Felicia also highlighted the challenges of managing contracts with consulting firms and stressed the importance of having a clear engineering and implementation plan before purchasing any technology. Next steps • Business leaders to consult with a qualified CTO before making strategic technology decisions, especially for document management platforms. • Organizations to develop written requirements, document business processes, and create an engineering/implementation plan before purchasing new technology systems. • Companies to review and potentially modify contracts with technology vendors to ensure compliance with organizational policies and support protocols. Summary Document Management and Operational Maturity In the meeting, Felicia King discussed the importance of document management platforms for organizations with more than one employee. She emphasized the need for operational maturity and the use of systems to scale a business. Felicia also highlighted the necessity of a technology executive, even for small organizations, to navigate complex issues. She stressed the importance of understanding these matters, as they are too complicated to be handled by IT support alone. Importance of Technology Executives in Orgs Felicia discussed the importance of having a technology executive in organizations, emphasizing that an IT director often lacks the necessary skills and capabilities. She shared a past example where an IT director made a costly mistake due to lack of oversight, leading to significant financial losses and compliance issues. Felicia advised business decision-makers to use their technology executive in an advisory capacity to avoid such problems, particularly when making large purchases or embarking on significant projects. Avoiding Costly Technical System Mistakes Felicia discussed a long-standing relationship with a client that migrated to a new system, resulting in numerous issues. She reviewed the service contracts and master services agreements, discovering that the client was sold a system that was technically impossible to achieve an effective outcome with. The system violated its own requirements, leading to constant issues and financial losses for the client. Felicia emphasized the importance of using a chief technology officer to avoid such costly mistakes. Strategic Architecture Choices in Document Management Felicia discussed the importance of strategic architecture choices in document management platforms, emphasizing the need for operational maturity, understanding of business processes, and inclusive decision-making. She highlighted the cost implications of using platforms like Atlassian, Sharepoint, and iManage, and the need for a written set of requirements for any project. Felicia also pointed out the challenges of outsourcing document management platform implementations and the need for a highly qualified CTO for consultation. She suggested that Microsoft 365, with its advanced premium licensing and purview, could be a viable alternative to other platforms. Managing Contracts With Consulting Firms Felicia discussed the challenges of managing contracts with consulting firms and the importance of having a CTO to navigate these complexities. She highlighted the need for clear communication and contractual agreements to ensure project success, as she has often encountered issues with support protocols and project kickoffs. Felicia emphasized the importance of having a CTO who understands business, legal, and economic aspects to ensure smooth project implementation, completion, and ongoing support. Clear Engineering Plan for Tech Purchases Felicia emphasized the importance of having a clear engineering and implementation plan before purchasing any technology, likening it to buying a server without understanding its capabilities. She stressed the need for a Chief Technology Officer (CTO) to review proposals and ensure they meet the business's requirements, as well as to avoid potential breaches of contract with other vendors. Felicia also highlighted the value of having a CTO with the right skills, rather than relying on IT personnel, to make informed decisions.…

QPC Security - Breakfast Bytes

1
Navigating the Cloud: Unveiling the Hidden Costs and Risks 27:34

27 weeks fa27:34

27:34

In this compelling episode of Breakfast Bytes, host Felicia King delves into the complex world of cloud computing, exploring the intricacies of public cloud, private cloud, self-hosting, and premise servers. With insights from a newly recognized expert in the field, this episode promises to challenge conventional wisdom and offer fresh perspectives on hosting decisions. Felicia unravels the hidden costs and maintenance challenges of managing workloads, whether in the cloud or on-premise. She highlights the significant financial implications and the importance of competent management, urging listeners to reconsider the assumptions surrounding the efficiency and cost-effectiveness of cloud solutions. The episode takes a surprising turn with revelations from Dr. Eric Woodell, whose groundbreaking work questions the reliability of current data center practices. Felicia discusses how Dr. Woodell's findings, backed by Lloyd’s of London, cast doubt on the presumed dependability of cloud-hosted environments, drawing a startling analogy to the aviation industry’s safety standards. As the narrative unfolds, Felicia emphasizes the critical need for effective vendor risk management and the pitfalls of relying on inadequate compliance certifications like SOC 2. She challenges listeners to rethink their approach to third-party risk management and the true value of certifications in ensuring data security and operational integrity. Join Felicia King in this thought-provoking episode that not only informs but also inspires a reassessment of the assumptions driving today's cloud computing decisions. It's an essential listen for anyone navigating the evolving landscape of IT infrastructure and risk management. Quick recap Felicia discussed the importance of competent management and cost considerations in cloud hosting, and introduced Dr. Eric Woodell, an expert in physical data center and infrastructure industry. She also highlighted the high failure rate in the data center industry, the challenges of outsourcing workloads, and the limitations and misuse of the SOC 2 certification in the data center space. Lastly, she criticized the inefficiencies in vendor risk management processes and recommended a shift in focus towards real integrity processes. Next steps • IT teams to reassess their reliance on SOC 2 certifications for vendor and data center evaluations. • Business leaders to review and update their Written Information Security Plans (WISPs) to ensure alignment with actual practices and legal defensibility. • Organizations to develop more robust vendor risk management and counterparty risk assessment processes, considering factors beyond standard certifications. Summary Discussing Cloud Hosting and Legacy Workloads Felicia discussed the topic of public cloud, private cloud, self-hosting, and premise servers, emphasizing the importance of competent management and the need to consider the cost of capital expenditure when comparing on-premise servers with cloud hosting. She highlighted the historical maintenance costs of legacy workloads, such as servers on-premise and in the cloud, and the potential cost-effectiveness of hosting physical servers in someone else's data center. Felicia also mentioned a newly recognized expert in this technology who is involved with a company that certifies cloud hosting providers for insurance by Lloyds of London. Limitations of SOC 2 Audits and Expert Insights Felicia discussed the limitations of SOC 2 audits, which are conducted by accountants (CPAs) who may not have the necessary expertise to assess data center operations. She introduced Dr. Eric Woodell, an expert in physical data center and infrastructure industry with extensive experience in auditing major organizations' assets in public clouds and colos. Dr. Woodell expressed his opinion that CPAs are not qualified to audit data centers and their operations, as they lack the ability to build and maintain them from scratch. He also shared his findings from years of audits, indicating that third-party vendors often fail to fulfill their maintenance obligations. Data Center Industry Failure Rate Comparison Felicia discussed the high failure rate in the data center industry, comparing it to the aviation industry. She used a metaphorical analysis from a speaker, who claimed that if the aviation industry had the same level of failures as the data center industry, there would be approximately 530 plane crashes per day. Felicia emphasized the significance of this comparison, noting that if people knew about these statistics, they might not use airplanes. She also mentioned that Lloyds of London, an insurance company, uses the speaker's certification program to assess data center risk. Felicia concluded that she believes in the speaker's numbers and calculations, and that the data center industry's failure rate is a cause for concern. Outsourcing Workloads Challenges and Vendor Risk Management Felicia discussed the challenges of outsourcing workloads, particularly in terms of reliability and support. She emphasized the importance of vendor risk management, counterparty risk management, and the underlying assumption of competency. Felicia also highlighted the need for workloads to be hosted where they can be supported by competent individuals. She mentioned the work of Dr. Eric Waddell, which has raised questions about the reliability of cloud-hosted services. Felicia also noted the shift in focus towards vendor risk management and third-party information security risk management, particularly in the insurance industry. SOC 2 Certification Limitations and Misuse Felicia discussed the limitations and misuse of the SOC 2 certification in the data center space. She highlighted that SOC 2 certifications are often conducted by CPAs rather than infrastructure architects, and thus may not be a reliable indicator of competency. She also pointed out that the certification is often used as a check-box exercise by business decision makers, rather than a genuine evaluation of a company's infrastructure. Felicia also touched on the HIPAA space, noting that the use of Business Associate Agreements (BAAs) is not always appropriate and can lead to unnecessary costs and risks. She emphasized the importance of third-party information security and risk management, and suggested caution when dealing with SOC 2 certifications and BAAs. Addressing Vendor Risk Management Inefficiencies Felicia discussed the inefficiencies in vendor risk management processes, particularly in relation to compliance certifications and the Written Information Security Plan (WISP) for tax preparers, accountants, and car dealerships. She argued that these processes often lack legal defensibility and do not align with reality, instead being mere theatre. Felicia also mentioned a class action lawsuit against a breached company, suggesting that the focus should shift to real integrity processes around vendor risk management. She recommended watching Joe Brunsman's YouTube channel for more insights on this topic.…

QPC Security - Breakfast Bytes

1
Exploring Network Security and AI Threats with Crystal Redmann 28:49

33 weeks fa28:49

28:49

In this riveting episode of Breakfast Bytes, host Felicia sits down with Crystal Redmann, the inquisitive Operations Director from Redmann Farms, to dive into the intricacies of network security. Crystal brings forth compelling questions about network segmentation, shedding light on how this fundamental security measure can protect even the smallest of organizations. As the conversation unfolds, Felicia and Crystal explore the evolving landscape of cybersecurity threats, particularly focusing on the alarming use of AI by cyber criminals. Through vivid analogies and real-life examples, Felicia illustrates the critical need for advanced security measures and the role of zero trust in safeguarding digital assets. This episode promises to not only educate but also captivate listeners with its deep dive into the world of cybersecurity, making complex topics accessible and engaging for all. Tune in to discover practical insights and proactive strategies to protect your digital world. Quick recap Felicia and Crystal discussed the importance of network segmentation and micro segmentation for enhancing security, and the challenges of balancing security and functionality in an organization. They also explored the potential risks of deep faking in financial transactions, the evolving threat landscape, and the need for vigilance in device maintenance. Lastly, they emphasized the concept of zero trust in computer security, the significance of personal data protection, and the need for enterprise-grade security for home use. Understanding Network Segmentation and Security Crystal expressed her need to understand more about network segmentation and its benefits, particularly in terms of security. Felicia explained the concept of network segmentation, emphasizing its foundational role in network layer security. She elaborated on the concept of micro segmentation, which involves treating different assets differently based on their needs and requirements. Felicia highlighted that this approach can bring enterprise-grade security to even the smallest organizations, making it economically feasible and sustainable. Security Profiling for Device Segments Felicia discussed the importance of creating a security profile for different segments of devices, such as printers, to prevent unauthorized access, data leakage, and the spread of malware. She emphasized the need to restrict communication between devices to enhance security. However, she pointed out the challenges in implementing this approach across various devices, including TVs, printers, and corporate laptops, on the same subnet, stating that it would be practically and economically impossible. Crystal agreed with Felicia's assessment. Balancing Security and Functionality in AI Felicia discussed the importance of balancing security and functionality in an organization, using the example of the unregulated use of AI leading to potential risks. She emphasized the need for a governance system and leadership that prioritize risk management. Felicia also highlighted the potential of AI being used by cybercriminals, mentioning its use in creating deepfakes and its ability to collect and analyze vast amounts of data. She suggested using services like Abine's Delete Me to reduce the number of lists an individual is on and advised against publicly listing employees on company websites. Deep Faking Risks in Financial Transactions Felicia discussed the potential risks of deep faking in the context of financial transactions. She highlighted an instance where seven people at a company were deep faked, with one legitimate participant, who was the only one to realize the fraud. Crystal expressed her concern after learning about this case. Felicia further explained that AI could potentially execute a video conference call deep fake to manipulate financial decisions, emphasizing the importance of having proper protocols in place. AI Training and Evolving Threat Landscape Felicia emphasized the importance and effectiveness of the AI training they offer, highlighting its practicality and relevance. She also discussed the evolving threat landscape, particularly the increasing sophistication of malware and the emergence of ransomware kits that allow even novice users to generate their own variants. Felicia pointed out the limitations of signature-based detection in the face of such evolving threats and advocated for a zero trust approach. She also expressed skepticism about the effectiveness of paying ransomware demands, suggesting it to be a naive approach. Computer Maintenance and Device Integrity Concerns Felicia explained the challenges and potential threats in computer and device maintenance, emphasizing the need for vigilance and dynamic live updating databases. She highlighted the risks associated with malware and the need to question the integrity of peripherals like USB devices, keyboards, and monitors. Felicia also discussed the importance of procurement policies that prevent the use of unverified or potentially compromised devices. Crystal expressed concern about the threats posed by USB phone chargers, leading Felicia to suggest the use of wireless chargers as a safer alternative. Zero Trust Concept in Computer Security Felicia explained the concept of zero trust in computer security, emphasizing the importance of assuming all unknown or unclassified computer behavior is malicious until it's been inspected. She detailed how this approach, coupled with machine learning and AI, has led to no breaches among clients under their full management. Felicia also clarified the term's significance, stating that 'antivirus' only represents a small portion of the necessary protection capabilities for an individual computer. Crystal, on the other hand, questioned the effectiveness of antivirus software and its impact on machine learning. Personal Data Protection and Enterprise-Grade Security Crystal and Felicia discussed the importance of personal data protection and the need for enterprise-grade security for home use. Felicia emphasized the risks of using unverified or low-quality devices and highlighted the significance of brand reputation in ensuring security. Crystal acknowledged her previous naivety about these threats and expressed her commitment to further inquire about these issues. Both agreed to continue this discussion in future meetings.…

QPC Security - Breakfast Bytes

1
The Real Skinny on Penetration Testing: Debunking the Myths 19:03

34 weeks fa19:03

19:03

Welcome to Breakfast Bytes with Felicia King. Today, we delve deep into the often-misunderstood realm of penetration testing. As business owners grapple with the necessity and costs associated with these tests, Felicia demystifies the process, drawing from her three decades of cybersecurity expertise. In this episode, discover why traditional penetration testing might just be a costly theater act and learn the importance of continuous vulnerability assessments. Felicia shares compelling anecdotes and practical advice on how to genuinely safeguard your business without burning through your budget. Join us as we explore the intricate dance between IT teams, automated tools, and the critical decisions that can make or break your company's security posture. This is not just another tech talk; it’s a narrative that could redefine how you view cybersecurity investments. Quick recap Felicia emphasized the importance of understanding the objectives of the test, and cautioned against overpaying for tests that may not be necessary or effectively scoped. Next steps • IT team to implement continuous vulnerability assessment and penetration testing platforms for regular, automated security checks. • CTO/CSO to assess and oversee the implementation of security tools like Tenable One and Senteon for secure configuration management. • Executive management team to allocate budget and provide support for IT department/MSP to implement necessary security changes and tools. Summary Test Scope and IT Consultancy Management Felicia also advised that the test should be scoped correctly and conducted by the IT consultancy that manages the company's networks, servers, and applications. She cautioned against overpaying for tests that may not be necessary or effectively scoped. External Testing Approach and Cots Definition She argued that the approach of bringing in an external third party to conduct a test without proper consultation and scope can lead to incorrect results. She emphasized that this approach would be more effective in identifying and addressing vulnerabilities, and would provide demonstrable results. Felicia also clarified the term 'COTS' as defined by the National Institute of Standards and Technology in the context of information security technology. Enhancing IT Configuration for Business Acquisition She argues that this approach provides more meaningful and actionable information, enabling IT configuration personnel to effectively address identified gaps. Felicia also highlights the importance of using recognized and professional tools like Tenable One and Senteon for secure configuration management. She emphasizes that this approach offers a better return on security investment and is more beneficial for businesses seeking to be acquired. IT Testing and Business Decision Makers' Guidance She suggests that business decision makers should provide clear direction and funding for IT before such tests are conducted.…

QPC Security - Breakfast Bytes

1
Lessons from the CrowdStrike outage 29:18

36 weeks fa29:18

29:18

Good morning and welcome to another episode of Breakfast Bytes. I'm your host, Felicia King, and today, I'm joined by my colleague, Jeff Birner, hailing from Florida. Our riveting discussion centers around the recent CrowdStrike incident that has sent shockwaves through the cybersecurity community and beyond. This episode promises to offer insights and perspectives you won't find in the typical news coverage. As we delve into the conversation, Jeff and I explore the core issues surrounding CrowdStrike, including its lack of trustworthiness as a counterparty and the legal implications of delayed security updates. We discuss the broader impacts of the incident, such as the staggering $5.8 billion in losses faced by companies worldwide, and discuss how technology decisions could have eliminated the impact. Through engaging storytelling, Jeff and I break down the complexities of cybersecurity, offering practical solutions and strategies for organizations to consider. From the importance of testing updates to the choice of operating systems for critical infrastructure, this episode is packed with valuable takeaways for IT professionals and business leaders alike. Join us as we navigate the nuances of the CrowdStrike controversy, highlight the lessons learned, and provide actionable advice to help you safeguard your organization against similar pitfalls. Whether you're a seasoned cybersecurity veteran or just starting your journey, this episode of Breakfast Bytes is a must-listen.…

QPC Security - Breakfast Bytes

1
Navigating the AI Frontier: Caution, Control, and Opportunity 28:29

40 weeks fa28:29

28:29

Good morning, you're listening to Breakfast Bytes, and I'm Felicia King. Today's episode takes a deep dive into the world of artificial intelligence, offering a perspective that challenges the mainstream narrative. Instead of jumping on the AI bandwagon, we'll explore the importance of cautious engagement and risk management when dealing with this powerful technology. We'll delve into the profound implications of AI, discussing the potential risks and the measures you can take to mitigate them. From the economic challenges of running closed AI systems to the dangers of data leaks and professional pitfalls, this episode covers it all. Hear about real-world examples, such as the attorney sanctioned for relying on faulty AI-generated content, and learn how to navigate these treacherous waters. Discover how AI is reshaping industries and the critical need for policies and training to ensure safe and effective use. We'll discuss the importance of governance, accountability, and transparency in adopting AI, and how regular, ongoing training can make a significant difference in risk management and productivity. Join us as we uncover the darker side of AI, from its role in technocratic control to the enhanced capabilities it provides to bad actors. Learn how to protect yourself and your business in this rapidly evolving landscape. Whether you're a small business owner or part of a large corporation, this episode is packed with insights and strategies to help you make informed decisions about AI. Tune in to Breakfast Bytes for a thought-provoking discussion that will leave you better prepared to navigate the AI frontier with caution and confidence. Quick recap Felicia discussed the potential benefits and risks of artificial intelligence (AI), emphasizing the need for caution and thoughtful risk management in its use. She highlighted the importance of operational maturity and the role of technology executives in developing customized policies for clients. Felicia also underscored the significance of maintaining relationships with service providers, having consistent policies and strategies, and regular training to effectively manage risks and improve productivity. Next steps • Business owners to develop and implement an AI policy for their organization, including staff training on AI risk management. • Organizations to consult with technology executives (CTO/CISO) to create appropriate AI usage guidelines and risk mitigation strategies. • Companies to implement regular (preferably weekly) cybersecurity and technology training programs for all staff to reduce risks and improve productivity. Summary AI Risks and Potential Applications Discussed Felicia discussed artificial intelligence (AI) in her radio show, "Breakfast Bytes." She emphasized the need for caution and thoughtful risk management when using AI, highlighting its potential implications and the importance of understanding its deep impacts. Felicia pointed out that AI could be beneficial in areas like marketing content and sales promotions, but warned against using it for financial, medical, or legal matters due to the potential risks. She also advised against using AI chatbots, citing the lack of security and the risk of data leakage. Felicia's Operational Maturity and AI Advice Felicia argued that over 80% of businesses, regardless of size, lacked operational maturity and were not utilizing AI appropriately. She claimed that smaller companies could more easily achieve operational maturity and consistency in policy, while larger companies struggled with governance, accountability, and transparency. Felicia also highlighted the potential cost of not seeking advice, relating numerous examples of organizations that had incurred significant expenses due to their lack of consultation with technology executives. She further indicated that operational maturity not only reduced costs but also increased profits, efficiency, and reduced waste. AI Policy and Risk Management Strategies Felicia discussed the importance of providing clients with an AI policy and risk management courses to mitigate potential risks. She emphasized that these tools, which are part of their Vcto and Vc services, are designed to help clients proactively manage risks. Felicia further pointed out that having a technology executive, such as a CTO or CISO, is crucial in developing policies that are customized to the client's specific needs, as opposed to relying on a generic template. She criticized the use of templates and reliance on attorneys to develop policies, stating that this approach is ineffective and can lead to non-compliant and misleading policies. Managing Relationships With Service Providers Felicia discussed the importance of managing relationships with service providers such as lawyers, tax advisors, and recruiters. She highlighted the benefits of having ongoing relationships with these providers, allowing for budget planning and better service. Felicia also raised concerns about the misuse of AI, particularly in the staffing industry, emphasizing the need to carefully consider the nature of the relationships with customers and the confidentiality of information. She suggested that if information is non-confidential, it is acceptable to use AI, but organizations should always approach AI usage with a risk management approach. Consistency, Accountability, and Transparency in AI Governance Felicia discussed the importance of having consistent policies and strategies across an organization to prevent conflicts and unproductive activities. She emphasized the need for organizations to consult with their technology executives to devise such policies and to provide training to their staff. Felicia pointed out that a lack of governance, accountability, and transparency could lead to challenges, particularly with AI, which could be exploited by bad actors. She highlighted the importance of driving accountability within the organization and utilizing technology effectively. Regular Training for Risk Management and Productivity Improvement Felicia emphasized the importance of regular, ongoing training for individuals and organizations to effectively manage risks and improve productivity. She suggested that training should cover both company policy recommended strategies and how to use technology, such as Outlook and OneDrive. Felicia also highlighted the increasing threat of scams due to lowered technological barriers, advocating for proactive measures to combat this. She warned against over-reliance on AI, which could lead to digital control and profiling of individuals, and encouraged further research on this topic. Lastly, she offered her assistance in developing a sophisticated, highly effective risk-reducing program for businesses.…

QPC Security - Breakfast Bytes

1
Understand implications of IT procurement using cabinets as an example 29:22

45 weeks fa29:22

29:22

Felicia stressed the importance of informed decision-making in technology services and products, and the need for involving skilled professionals in decision-making processes. She also discussed the longevity of structural furniture, the challenges in network switch installation, and the need for a formal procurement process in the IT department. Furthermore, she highlighted the issues with current wall-mount cabinets and open racks, the business impact of operations beyond regular hours, the need for proper equipment maintenance, and the importance of having an on-site technical point of contact at every facility. Action items • Felicia recommends ensuring the IT department follows a defined procurement process with oversight from a technology executive. • Felicia recommends establishing written requirements and standards for IT infrastructure like racks and cabinets. • Felicia recommends implementing a policy for designating on-site technical contacts to handle basic equipment issues. Summary Informed Decision Making in IT Services Felicia emphasized the importance of informed decision making in technology services and products, which is beneficial for all IT stakeholders. She pointed out the persistent negative financial impact caused by ill-informed decisions, often made by business leaders delegating to inexperienced internal IT departments. Felicia advocated for the involvement of skilled professionals, such as CTOs or senior architects, in decision-making processes to mitigate these adverse effects. She also cautioned against the common practice of selecting the cheapest bid as a decision-making criterion, highlighting it as a recipe for failure. Structural Furniture Longevity and Design Felicia discussed the longevity and durability of structural furniture, particularly cabinets and racks. She emphasized that these pieces, often made of steel, aluminum, glass, and possibly plastic, can last for decades if not physically damaged. Felicia argued that considering a 20-year life cycle for such hardware is a more realistic approach than starting from an acquisition cost requirement. She also highlighted the advantages of a four-post full floor standing cabinet over a two-post rack, especially for secure and critical infrastructure. Finally, she noted the importance of wheels in cabinets from a maintenance perspective and referred to cabinet design as an art form. Felicia's Network Switch Installation and Maintenance Insights Felicia shared her extensive experience and insights on the challenges and considerations in network switch installation and maintenance. She emphasized the preference for a 4-post configuration due to the weight and depth of modern switches, and the issues that may arise with alternative setups. Felicia also highlighted the importance of understanding the ramifications of equipment placement, sharing a troubling example of a poorly executed setup. She suggested ways to prevent such issues from occurring in the future. Improper Procurement Process in IT Felicia discussed the lack of a formal procurement process in the IT department, which leads to inefficient and often unnecessary purchases. She explained that the department, composed of individuals not highly proficient in business value justification or total cost of ownership articulation, often sourced items themselves using credit cards, without proper checks and balances. Felicia emphasized the need for a written requirements list to facilitate better decision-making and prevent the focus on apparent acquisition cost. She indicated that she would provide two examples to illustrate these points. Addressing Inadequate Infrastructure and Procurement Felicia discussed the recurring issues with the current wall-mount cabinets and open racks in the infrastructure, which were not deep enough to accommodate modern switches. She emphasized that this problem wasn't new and had been ongoing for at least a decade. Felicia pointed out that previous investments in these inadequate setups were essentially wasted, not just in terms of money but also project time and potential business unit outages. She underscored the need for an appropriate procurement process and oversight to avoid such issues in the future. Managing Operations Outside Regular Hours Felicia discussed the business impact of operations extending beyond regular business hours. She highlighted that this not only affects payroll and product but also has implications for business continuity outside of IT. Felicia emphasized that IT personnel, such as PC technicians and IT managers, often only consider their own needs, which differs from the perspective of a technology executive. She stressed the importance of a different mindset, drawing from her experience as a chief operating officer and service manager, to effectively manage a large number of remote offices. Client's Server Outage Due to Unauthorized Access Felicia shared a story about a client who opted not to spend $350 on an idrac enterprise card, a decision that led to a server issue causing an outage. She emphasized the importance of proper equipment maintenance and restricting unauthorized access to technology cabinets. Felicia pointed out that allowing staff without proper training or maintenance responsibilities to have access to such spaces can lead to unintentional damage, as seen in the case of the client where a staff member put a box on a server keyboard, causing an outage. She underscored the significance of having a mature policy in place regarding remote support and access to technology cabinets. On-Site Technical Point of Contact Importance Felicia stressed the necessity of having an on-site technical point of contact at every facility to handle minor technical issues. She used the example of rebooting cable modems, which she stated often require physical intervention and should not disrupt other equipment. Felicia also emphasized the importance of setting up the facilities in a way that allows easy access for the on-site technical point of contact to perform these tasks without causing further problems. She underscored that this is a common requirement and should be considered in the facility's setup. Technology Executive's Role in Procurement Felicia emphasized the importance of having a technology executive oversee procurement policies and standards in IT departments to ensure good outcomes. She highlighted that the IT department alone should not be making procurement decisions, as they often lack an understanding of the total cost of ownership. Felicia also rejected the idea that a dollar amount should be the sole determinant of procurement decisions, citing the potential for malware to compromise the system. She advocated for a designated technology executive to establish policies and standards, warning that failing to do so could lead to adverse financial outcomes for the organization. For more information, review this resource about racks and cabinets. https://www.qpcsecurity.com/2024/04/26/why-buy-racks-and-cabinets-from-qpc-security/ Peruse the value of vCISO services. https://www.qpcsecurity.com/vciso-services/…

QPC Security - Breakfast Bytes

1
What is zero trust cybersecurity? 28:52

48 weeks fa28:52

28:52

Welcome to an insightful episode of Breakfast Bytes, featuring an in-depth discussion about Zero-Trust Cybersecurity, a vital approach to modern cybersecurity practices. Understand why this network layer protection strategy is essential to guard your business and residential networks against harmful threats. From a reflective analysis of the cybersecurity landscape four years ago, Felicia highlights the repercussions of a weak cybersecurity posture, emphasizing the necessity of a resilient and efficient cybersecurity stack. She elaborates on the integration of various concepts like endpoint protection product (EPP), endpoint detection and response (EDR), and managed detection and response (MDR) into a single efficient agent, stressing the significance of regular patch management and advanced reporting. Dive deeper into specific cybersecurity products that embrace the robust Zero-Trust model, like Panda Adaptive Defense 360 and ThreatLocker, and understand how they can suitably fit into varying scales of businesses and homes. Felicia additionally debunks a common misconception about technology by default ensuring security and clarifies the crucial need for actively adopting an apt security profile catering to specific contexts. In this episode, we also discuss the importance of equitable administrative access, insist on local data collection and prevention of unauthorized data file collection, and delve into the need for stringent network security in the face of growing security breaches and ransomware attacks. Understand the comparison between different products, their cost differences, and the underlying need to harmonize cybersecurity mechanisms with operational structures, concluding with an open invitation for consultations on effective and budget-friendly cybersecurity solutions.…

QPC Security - Breakfast Bytes

1
Incident response and mitigating supply chain attacks 28:44

48 weeks fa28:44

28:44

In this episode of Breakfast Bytes with Felicia King, we navigate the complex but crucial realm of cyber security. We explore the emerging menace of supply chain attacks and underscore the vital need for proactive incident response planning. Felicia reveals the staggering average cost of a cyber-attack, per employee and endpoint, and explains why smaller businesses might suffer even greater losses. King sheds light on the often unnoticed aspect of incident response planning: the critical period between discovering a potential compromise and confirming a successful attack. She also scrutinizes the implications and expenses of in-house response strategies for sizable businesses and outlines how smaller establishments could face heftier costs. Offering valuable advice, Felicia provides business-centric recommendations on methods of dealing with a reported incident. She addresses important issues such as identifying data breaches and managing downtime during a crisis, stressing the importance of having a contingency plan for extended recovery periods. Moving on to supply chain risks, King critiques the increasing trend of outsourcing in the IT sector. She cautions against granting upstream providers unrestricted access to systems, noting counterparty risk as an area demanding heightened vigilance. Deeper discussions on access control, audit logs, automated compliance reporting, and other factors in selecting an efficient identity and access management system also unfold. King further navigates the topic of APIs - the lifeblood of numerous industrial integrations - offering crucial insights into associated risks. She concludes with a call for a mindset shift required to tackle supply chain attacks effectively. In contemporary threat landscapes, relying solely on the cybersecurity kill chain is a losing battle. This episode underscores the need for encompassing multiple defensive strategies for cybersecurity, such as multi-factor authentication, and conditional access for all accounts. Real-time analytics, endpoint protection strategies, and a zero-trust posture are championed as critical for preventing malicious activities and providing swift threat responses. We delve into the pros and cons of network layer security, a powerful yet complex technique requiring specific expertise. When appropriately utilized, it presents a scalable solution managing traffic filtering and robust protection from supply chain attacks. The episode concludes with the importance of having a solid incident response plan as a vital proactivity measure in cybersecurity.…

QPC Security - Breakfast Bytes

1
K12 Technology and Cybersecurity Challenges and Solutions 29:12

48 weeks fa29:12

29:12

In today's episode of Breakfast Bytes, hosted by Felicia King, we delve into the pressing issue of cybersecurity in K-12 education with special guest, Chris Rule, a Technology Director with 25 years of experience. We discuss the urgent need for tangible action in this area and explore operational maturity practices like third-party information security risk management, vendor risk management, vulnerability management, and password management. A focus of the episode is the need to translate cybersecurity concerns into strategic actions at the executive level. We also discuss the impact of cyber insurance programs and the severe disconnect between cybersecurity compliance requirements and their implementation at the school level. We dive into the critical necessity of creating operational structures that prioritize cybersecurity, incorporating crucial regulatory compliances such as CIPA, FERPA, and COPA. A poignant part of our discourse is managing the 'human element' of cybersecurity as cyber-attacks are increasingly centered on social engineering. This necessitates not just a technical solution, but a cultural shift in organizations, making cybersecurity training a mandatory part of human resource management. This episode also touches on the challenges of implementing IT security measures in small school districts. It emphasizes the importance of an institutionalized onboarding program that includes both technology aspects and basic legal knowledge. We highlight the need for better collaboration between board professional organizations and security companies, and discuss parental demands and voluntary programs that schools can utilize to assure their commitment to student data protection. In conclusion, we explore the practice of hiring fractional CISOs and CTOs to help IT directors manage their various responsibilities within limited resources. Tune in to this comprehensive episode to learn more about the challenges of and solutions for implementing cybersecurity in K-12 education.…

QPC Security - Breakfast Bytes

1
Practical example of how operational maturity improves productivity while reducing risk 28:20

49 weeks fa28:20

28:20

In this episode of Breakfast Bytes, vCISO Felicia King of QPC Security uses an example of dark web data and how it can be leveraged. She describes how operational maturity in an organization can make that organization more competitive, lower risk, improve collaboration, improve culture and employee retention, while reducing risk. She explores why actioning relevant, specific data is more critical than simply having it available. Learn how the combination of constant training and right data can effectively reduce risks and add value in a business of any size. These methods are practical for large and small organizations. QPC has deployed these tools and methods for orgs as small as one user! This episode takes you through the potential uses of dark web data and platforms like Telegram, leading to better risk mitigation strategies. Felicia, with her hands-on approach, shares the best practices adopted for her own clientele. She emphasizes empowering end users by presenting them the relevant information at the opportune moment. By fostering a culture promoting consistent training, businesses can enhance operational efficiency and employee satisfaction while reducing conflict. The episode also stresses upon a culture of shared responsibility to make risk management more cohesive and less confrontational. The responsibilities lie not only with the CEO, but also under the active purview of CTO, CIO or CISO in an organization. With the advent of affordable cybersecurity training platforms capable of dark web monitoring, organizations can now lower risks attributed to their data. But what makes the real difference is how these platforms are utilized. The episode extensively discusses the gap between compliance and security, drawing focus towards the need for proactive, contextual security measures. Discover the significance of a cultural shift, with due attention to training, policy enforcement and personal responsibility in maintaining top-notch information security. A well-informed staff equipped to deal with real-time issues, not only boosts productivity but also helps in managing IT costs. Tune in to this episode and delve into the world of dark web data, risk management, and securing a technology-driven business environment today. Check out our supporting article on getting value from dark web data. https://www.qpcsecurity.com/2024/04/25/dark-web-value/…

QPC Security - Breakfast Bytes

1
Unlocking Strategic IT Investments and Information Security 1:16:18

1 year fa1:16:18

1:16:18

"Unlocking Strategic IT Investments and Information Security: Expert Insights with Gina King" dives into the critical aspects of IT investments and infrastructure. Felicia King, host of 'Breakfast Bytes', engages in a captivating conversation with Gina King, a leading Chief Information Security Officer. The extensive dialogue sheds light on necessary expenditures on Information Systems and Technology, managing and optimizing security investments, and realigning perceptions of IT as a valuable strategic asset. Through their enriching discussion, Felicia and Gina tackle widespread issues of underinvestment in IT, encouraging businesses to understand and optimize their IT expenditures. Pointing to the risks of non-compliance and inadequate IT security measures, they illustrate how a thorough approach to IT spend analysis can tremendously impact a company's financial bottom line, customer satisfaction, and overall client experience. The episode highlights the importance of a proactive and continuous IT security investment to nurture an effective information security risk management program. Felicia and Gina underscore the significance of considering cybersecurity as an aspect of overall business risk, rather than an isolated problem. They also emphasize the value of tech-savvy leadership and security education in fostering a vigilant workforce and strengthening an organization's security posture. Switching gears to effective risk management amidst the digital landscape, the episode ends on a call for creating clear policies, continuous vigilance, and an understanding of organizational identity to safeguard online infrastructures. This engaging discussion is a must-listen for anyone involved in IT procurement, investments, security, and overall business operation.…

QPC Security - Breakfast Bytes

1
Domain/DNS hosting, account ownership, security issues and TCO 58:52

1 year fa58:52

58:52

Join us in this insightful episode of Breakfast Bytes with Felicia King, along with our guest Kyle Wentworth of the Wentworth Group. We delve into a balanced exploration of business needs vs IT security needs, demonstrating the magnitude of this issue with a case study of a massive spam operation hijacking over 8000 trusted brand domains. https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html In this detailed conversation, our experts elucidate steps towards prevention and emphasize the significance of effective domain ownership and control. Kyle highlights the central role of Technology Management departments in mitigating IT risks and stresses the importance of a comprehensive understanding of orderly processes for DNS management, timely publishing of DNS records, and the related cost implications. This episode underscores the need for operational maturity in businesses, and how maintaining domain infrastructures and adhering to robust protocols can protect your business from digital threats. Listen to gain invaluable insights into how businesses of all sizes can level up their understanding of the intersections of business and IT security systems. The episode also draws attention to the potential vulnerabilities of newly registered domain names and the common pitfalls relating to outsourcing these functions. We underscore the necessity to take caution or face serious losses and discuss the ramifications of transferring control of key business aspects to external vendors. With a candid look at the dangers of ill-considered network security and the hazards of transferring all risks to an external IT service provider, we make a strong case for integral security measures. Listen in to gain an understanding of the importance of viewing technology as a business partner rather than an expense and to learn how focusing on strengthening your network security can pave the way for business success.…

QPC Security - Breakfast Bytes

1
Cyber Insurance versus Cyber Warranty 1:25:57

1 year fa1:25:57

1:25:57

In today's episode of Breakfast Bytes, we are delighted to have Joe Brunsman from Brunsman Advisory Group as our special guest. Known for his extensive knowledge on the intersecting worlds of insurance and cybersecurity, Joe offers beneficial insights on the evolving sphere of insurance exclusions and how businesses can navigate these changes amidst the increasing threats of cyber warfare. Tune in as we explore the importance of adopting risk mitigation strategies with tangible security investment returns rather than relying solely on insurance coverage. Join our profound discussion on the role of senior management in establishing a secure digital environment, starting from understanding IT risks and challenges, creating actionable plans, and sticking to a consistent policy. We also delve deeper into topics like legacy technical debt, the role of a Chief Information Security Officer (CISO), gaps in current insurance policies, and breaches of customer contracts owing to the lack of managerial insight in the IT sector. In this knowledge-packed episode of Breakfast Bytes, we help you understand the intricate relationship between insurance and cybersecurity, and how enhancing comprehension in these two areas can secure your business in this fast-paced digital age. Listen as we unwrap various complexities surrounding cyber insurance and the emergence of warranties as an alternative, exploring their potential pitfalls and inconsistencies. From diving deep into the history of insurance to shedding light on the impending exclusions in the upcoming insurance policies, we've got it all covered. Moreover, we highlight the need for skepticism and caution while dealing with Cyber Insurance, emphasizing comprehension over rushing headlong into the risky space of cyber warranties. Also, discover the correlation between proactive security measures and reduced insurance coverage needs, and understand why more insurance doesn't guarantee better safety. Lastly, our guest Joe Brunsman sheds light on the seldom-discussed aspect of cyber insurance and data security. Learn how states are regulating insurance companies for holding sensitive data and the shockingly minimal regulations surrounding warranty companies. Get enlightened about the real-world realities of cybersecurity and how, despite utilizing SaaS platforms, corporations are not as secured as they think. This episode guarantees both enlightenment and critical thinking around cyber insurance and data security. Tune in to gain a wealth of knowledge on this important but often unexplored domain!…

QPC Security - Breakfast Bytes

1
Demystifying IT Services and the Shared Responsibility Paradigm 33:45

1 year fa33:45

33:45

Welcome to another eye-opening episode of Breakfast Bytes hosted by Felicia King. In this episode, we dissect prevalent misconceptions in the IT industry particularly regarding services like NOC, SOC, XDR, and SOAR. Explore the conundrum between cybersecurity checkbox exercises and the pivotal need for legitimate risk reduction efforts. Moreover, discover potential pitfalls of co-managed IT and strategies to sidestep them. We delve extensively into co-managed IT services, illustrating their significance, pitfalls, financial risks associated with improper executions, and real-life challenges and liabilities. Emphasis is also laid on the involvement of the clients and their responsibilities in relevant scenarios. Our host Felicia does not just spotlight the issues in the IT sector but equally provides insightful solutions and pragmatic advice. Crucial facets like service evaluation, defined requirements, discrepancies between 'theater' and real risk mitigation are discussed at length. This episode includes a discussion about shared responsibility, a cornerstone to successful IT operations. Unravel the importance of clients understanding policies, embracing HR enforcement, and being proactive in managing potential IT and security risks. We further cover the vital part they play when ensuring efficient IT systems and cybersecurity. We question the practice of delegating SOC to third parties due to its contribution to fragmented security operations and poor risk management. Instead, we advocate for a converged NOC and SOC model. Explore how greater comprehension and collaboration paired with user training, self-reliance, and policy adherence can prevent catastrophes like litigation. Beyond outlining potential risks and solutions, this episode offers practical advice for managing complex escalations and ensuring secure configurations, all through the converged NOC and SOC model.…

QPC Security - Breakfast Bytes

1
How establishing requirements properly results in best outcomes 29:51

1 year fa29:51

29:51

Felicia is joined by fellow CISO Dawn Montemayor, partner at PureCyber, which is a security minded business consulting firm. Learn from two CISOs about how vital it is to use operationally mature processes in requirements definitions in order to achieve effective outcomes while avoiding toxic behavior in complex entities. the importance of vulnerability assessment and management requirements in contracts It is imperative for resource owners to be designated and held accountable to outcomes. Exit strategies must be established as part of the procurement process Lack of right to audit clauses in cloud services contracts How the lack of an effective paradigm leads to destructive decision-making IT must not be seen as the dumping ground or janitor. Instead the business must be charged back for the real proportional costs for the cost of service. True TCO calculations must be made as part of the procurement requirements definition. Systems integration and interaction maps are incredibly valuable IT must be seen as a business partner and involved in decision-making. Just because IT wants to say yes to help the business does not mean the business gets to disrespect IT standards. Talking to the CISO can lead to utilization of an already vetted, approved platform making the pace of business faster. Why procurement justification statements are imperative Why it is necessary to track TCO and actual costs for product and services associated with a business function Why it is essential to use operationally mature processes in a paradigm focused on governance, accountability, and transparency Why the CISO and CTO should sign off on procurement of anything for which there is not already an approved policy standard on. Why your CISO needs to review the contracts for a service or product before an officer of the company signs the contract Why business leaders must consider how their revenue is event driven Why the shared responsibility model is imperative. Resource owners must be defined and made accountable.…

QPC Security - Breakfast Bytes

1
Operational Maturity is required to have Information Security Risk Management 2:01:30

1 year fa2:01:30

2:01:30

Felicia is joined by Laura Conrad, a Security Architect with 30 years of experience in enterprise environments. Laura currently reports directly to a CISO, and has been an integral part of the information security program at two large enterprises. Felicia has consulted with 26 large enterprises and numerous SMB organizations in the last 30 years. She finds that the same problems occur in every organization that lacks operational maturity. Are you a person working in information security frustrated by the lack of progress of a security program in an organization because of the org's lack of operational maturity? Do you struggle in dealing with toxic, unproductive people? What approach could address these problems and more? Learn from two experts how they have seen companies engage in self-destructive and resource wasting approaches simply due to the lack of drive by executive leadership to install a structure for governance, accountability, and transparency in the organization. Org structure required for CISOs to be effective This article and its impact are briefly covered as they are related to this topic. https://www.darkreading.com/cybersecurity-operations/cisos-struggle-csuite-status-expectations-skyrocket It is quite a good article, but it implies that if the CISO reports directly to the CEO, the problems in an organization will be reduced. While that is partially true, that by itself will absolutely not fix the problems. Felicia and Laura deep dive the decision-making failures that occur throughout an organization and what drives them. Also discussed are methods to truly and structurally correct the problems across an entire company. 95% of information security risk management issues are HR management issues Executive management want to run the company, not manage people. This leads to toxicity and unproductivity being tolerated when personnel issues are not fully investigated and actioned. The desire to make an emotional problem go away cannot override the need to get to the core of the issue and put a system in place to prevent it from happening again. This is not about firing people. This is about instilling a culture where the facts matter, personnel issues will be investigated, and structural systems will provide the governance to drive productive staff behavior. Org executives are unaware of the real costs of inputs It seems to be a pervasive problem across most organizations that there is no financial management structure which facilitates the tracking of expenses as inputs to a service or product delivery to customers. Without this real understanding, leaders persistently price products and services incorrectly. This leads to one business division or a product line losing money and needing to be subsidized by another. Executives rarely understand that by tolerating operational immaturity in their organization, they are actually failing in their duty to stakeholders to effectively manage the assets of an organization to maximize value. Drive change and org-wide staff effort alignment with dashboards that drive transparency and healthy internal competition Felicia and Laura discuss in detail the how and why of dynamically updating dashboards which help CTO, CIO, CISO manage upward to the CEO and board, while driving downward alignment to objectives. Governance, Accountability, Transparency in IT Security Felicia and Laura discussed the importance of governance, accountability, and transparency in IT security and business processes. They emphasized that these principles could help prevent problems caused by a lack of collaboration and understanding between IT and business units. Felicia cited instances where poor prior planning led to unnecessary expenses and internal toxicity, which she believes could be avoided with a more mature approach to operations. Laura added that these principles could also lead to cost savings and risk reduction. Harden the procurement policies Felicia and Laura provide many examples of problems that could have or were avoided by having an enforced procurement policy which resulted in all technology purchases being signed off on by the CISO or security architect and often the enterprise architect. It is infinitely easier to rectify issues before an implementation and before signing a contract than to do so after a purchasing decision has already been made.…

QPC Security - Breakfast Bytes

1
Managing the impact of changing IT service providers 29:43

1 year fa29:43

29:43

Felicia shares insights on the pitfalls of changing IT service providers or MSPs for both clients and the IT service providers themselves. This content is based upon a number of questions that other MSPs have posed to Felicia asking for advice as well as numerous first hand experiences on the subject. This podcast is primarily for IT service providers or MSPs, but business decisions makers who are considering making a change would also benefit from the content.…

QPC Security - Breakfast Bytes

1
CMMC and latest DoD memo implications and far reaching effects related to FedRAMP 29:25

1 year fa29:25

29:25

Special guest Tobias Musser of MNS Group generously shares with the Breakfast Bytes audience his wisdom and insight into what is a challenging and nuanced regulatory landscape that has far reaching business implications. https://mnsgroup.com/ A vigorous discussion of the implications of the latest DoD memo about DFARS 7012 FedRAMP or FedRAMP moderate. FedRAMP Compliance Challenges and Hybrid Approach Tobias and Felicia discussed the implications of a DOD memo mandating FedRAMP compliance for all products used by a DOD contractor or subcontractor. They explored the potential challenges, especially for small businesses, and the difficulties in achieving equivalence. They considered the idea of using on-premise solutions as an alternative, but noted the need for specific documentation and careful implementation. Tobias and Felicia also deliberated on the potential benefits of this approach, including the severability benefit of on-premise solutions. They discussed the challenges of finding cost-effective, user-friendly FedRAMP tools, noting their high cost and complexity. They also touched upon the implications of a recent memo that increased the requirements for FedRamp compliance and the potential security issues associated with it. Tobias emphasized the need for increased security to protect soldiers and the country. They concluded that a hybrid approach was necessary, but the current tools were not up to the task.…

QPC Security - Breakfast Bytes

1
Why the ship has sailed on BYOD 29:38

1 year fa29:38

29:38

Tom Dean of Consulting Adventures joins Felicia for part three of the analysis on mobile devices and the problems with them. OKTA breach, IT admin’s password getting stored in gmail password synced manager Two-way problems. Personal on business and business on personal Lack of clarity around device wipe, device use policies, apps running on devices Compliance is easier when business owns the asset and delineation of ownership of asset and data is clear. If the configurations are not managed, the cost profile to the company is a lot higher. Credentials and MFA spill over in both directions Data compliance issues DLP and encryption issues Lack of ability to define device security settings like PINs How are you doing effective device configuration backups? How do you prevent malicious apps from being installed on the devices? How do you have leveraged support capabilities from the mobile devices? Asset inventory is mandatory Compliance costs can be drastically reduced by having company owned assets that only get approved applications. This is another reason why end users CANNOT have admin access. No VPN access until someone has been part of the company for 30 days. Onboarding and offboarding is crucial to information security Information security is not a technical controls issue, it is a HR management issue. Verizon fell for fake “search warrant,” gave victim’s phone data to stalker https://arstechnica.com/tech-policy/2023/12/verizon-fell-for-fake-search-warrant-gave-victims-phone-data-to-stalker/ As if all that wasn't bad enough, if an employee of a company has issues in their personal life, it will spill over to business and especially in the context of allowed personal use of company assets.…

QPC Security - Breakfast Bytes

1
Threats to mobile devices and how to manage them, part 2 29:47

1 year fa29:47

29:47

Part 2 of a series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats. Cohost: Tom Dean – Consulting Ventures Tom has decades in capital goods manufacturing industry (fortune 500 scale) Years of experience in marketing, sales & interfacing with independent dealers/distributors (small/medium scale) Current focus is strategy & risk management consulting Lifelong learner and an interest in technology. Strategy + risk management ---> mobile devices Topics: Apple find my network; useful feature, but privacy considerations SSO risks where there are too many items that can be compromised if there is a single compromise of a single system Out of band SMS Problems with Twilio and 10DLC for VOIP SMS Know your customer regulations, implications with SMS validation for ownership establishment Synology came up with their own Synology MFA app and the problems with that Do not call registry updates; Good news!…

QPC Security - Breakfast Bytes

1
Physical threats to mobile phones, SIM hijacking, out of band SMS, and Yubikeys 29:34

1 year fa29:34

29:34

Part 1 of a two-part series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats. Cohost: Tom Dean – Consulting Ventures Tom has decades in capital goods manufacturing industry (fortune 500 scale) Years of experience in marketing, sales & interfacing with independent dealers/distributors (small/medium scale) Current focus is strategy & risk management consulting Lifelong learner and an interest in technology. Strategy + risk management ---> mobile devices Personal travel: Laptops have transformed to mobile devices (phones and tablets) Risk was more contained with laptops, but the impact is much higher with mobile phones. A lot of nuances around "was the password revealed?" Biometrics are convenient but quite dangerous Biometrics are a proxy for a numeric passcode on a mobile device. Physical compromise is a 5-alarm fire situation. Physical loss when it is not compromised is not that big of an issue as long as authenticators are backed up. Must have erase after 10 bad password attempts. Turn off notifications on screen lock. Do not have notifications turned on to display on the lock screen. Avoid banking apps. The first things that the baddies go after are Venmo, Apple Pay, Cash apps. Out of band SMS for MFA SIM swapping risk, or eSIM embedded in the phone Put a PIN on your physical SIM. MySudo – Can clone that instance to other phones. Password manager on phone Disaster if this is based upon your biometric. You can use a different or secondary PIN. You can use Yubikey. Password manager helps you recover. Segmentation strategies They can see all the emails on your phone and change passwords or password reset is typically done via email Screentime on Apple can be helpful, but there are weaknesses there. The only way to really secure the device is to use a MDM. You still need to be concerned about MFA and account takeovers. Need to have an out of band mechanism to receive alerts and ability to remove kill the device. Microsoft Authenticator and Google Authenticator do not have a separate PIN. Authy is free. It has its own separate PIN. Yubikey is great but assumes that you can manage controlling the physical access to that. Do not store on your key chain. Diversification strategy with inventory. MDM Kill apps Apple configurator – small scale Apple Business Manager Jamf – requires Apple Business account for security Inexpensive “Jamf Now” for small businesses. Minimum is one device. The first 3 are free. Still affordable beyond that. Don’t let anyone change the account on this device. You have to figure out a lot on your own and block URLs that you don’t want accessed. Apple devices need to be in supervised mode, so it matters how you buy them. Intune Risk examples loss of device (resiliency e.g. MFA) theft of device involving passcode surrender (loss mitigation) SIM swap (cellular store employees) SIM card theft (removal of SIM card from phone) Risk reduction / resiliency OS decision (iOS vs. android) Note that one is not better than the other Risk reduction is all about an individual's ability to manage the risks based upon platform selection MDM (remote data wipe): small-scale co (Apple Configurator or JamfNow) vs. corporate MDM MFA backup/diversification (SMS via cell or VOIP providers vs. TOTP vs. passkey/yubikey etc.) App selection (OS-based or Independent) App protection (‘independent’ PIN protection vs. face/touch ID) ‘Attack Surface’ – minimization of exposure (e.g. banking apps, cash apps, findmyfriends etc.) Resources https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claim https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/amp/…

QPC Security - Breakfast Bytes

1
How to analyze workloads and decide how they should be hosted 29:28

2 years fa29:28

29:28

The process of determining how workloads should be hosted is very complex and not a decision that should be abdicated to the IT service provider. Business decision-makers must be involved in those decisions as only they are able to define the key criteria that all other factors are dependent upon.

QPC Security - Breakfast Bytes

1
How a lack of understanding of business processes relates to adverse financial impact 29:37

2 years fa29:37