AppDefects
Community Champion

CISO Therapy Session

Has your CISO attended a cybersecurity therapy session? It's the latest trend in proactively managing the health of the security group. What are the risks they fear the most? Listen now to the stories that they tell sitting around the campfire shining flashlights under their chins.

 

  1. Bad Database Engineering - The nightmare goes something like this. You receive a call in the early hours of the morning that your firewall detects a server in your environment sending bursts of traffic to an unlisted IP in a foreign country.
  2. Third-Party Breaches - Supply chain attacks are among the scariest because they make you feel powerless.
  3. Whatever is Going on in Your Email - Out of all the systems in your company, email is among the scariest due to the near constant barrage of gut-punches it can throw your cybersecurity practitioners.

Many thanks to Kevin Ford for bringing this topic into the open in this blog post.

6 Replies
Steve-Wilme
Advocate II

You can probably add first-party breaches and regulatory investigations to that list.

They are often the end of a CISO's tenure, as there's a tendency to throw the CISO under the bus.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
rslade
Influencer II

> AppDefects (Contributor III) posted a new topic in Industry News on 07-25-2019

> Has your CISO attended a cybersecurity therapy session?

Sounds like an interesting idea, although, from the blog post itself, I think it's
more of a sales seminar come-on.

> What are the risks they
> fear the most? Listen now to the stories that that they tell sitting around the
> campfire shining flashlights under their chins.

And *that* sounds more like "CISO camp."

But I bet that, out of this group, we could probably come up with actual CISO
therapy.

First, though, I've *got* to have a little fun with the idea:

CISO Therapy session:
CISO: I'm terrified that hackers are going to break into my systems!
Therapist: OK, let's talk about that fear. Have you ever actually *seen* any of
these "hackers"?

CISO Group Therapy session:
Therapist: OK, group. Arthur, in describing his fear of ransomware and the loss of
all company data, has curled into a ball and is gibbering on the floor. Roger, how
do *you* feel about what Arthur said?

Therapist: OK, group, we're going to do some role playing about social
engineering. Alice, I want you to be the hacker, and offer Bob a candy bar to get
his password.
Alice: Bob, I'll give you a candy bar if you tell me your password.
Bob: 123456.
Therapist: OK, group, I think we need to work on some basics here ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The ability to speak eloquently is not to be confused with having
something to say. - Michael P. Hart
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

OK, how come there are two different copies of this same topic?  Creating two different threads?


rslade
Influencer II

The Forumites loved this, and one of them noted:

> Therapist: Now that we have exposed the issue, we need to recover. First we need
> to admit we are powerless over our hacker and our network is unmanageable.

So, I continued with:

2. We came to believe that a Power greater than ourselves could restore us to sanity.

3. We made a decision to turn our passwords and our networks over to the care of ISC2 as we understood it.

4. Made a searching and fearless port inventory of our networks.

5. Admitted to Bruce Schneier, to ourselves, and to another mere mortal the exact nature of our wrongs.

6. Were entirely ready to have Bruce Schneier remove all these defects of controls.

7. Humbly asked Him to remove our vulnerabilities.

8. Made a list of all users we had harmed, and became willing to make lame apologies to them all.

9. Made direct patches to such people whenever possible, except when to do so would exploit them or others.

10. Continued to take system inventory and when we found unpatched apps promptly admitted it.

11. Sought through study guides and simplistic practice questions to improve our conscious contact with ISC2, as we understand it, praying only for knowledge of our AMFs and the CPEs to carry that out.

12. Having had a technical and managerial awakening as the result of these Steps, we tried to carry this message to CISOs, and to practice these principles in all our systems.


Steve-Wilme
Advocate II

It's for the ex-Naval personnel.

You've got to tell them, then tell them you've told them.

Unlike the Army, where you have to tell them what you're going to tell them, tell them and then tell them what you've just told them.

Unlike the Air Force, where you just tell them ....

It's an old joke 🙂

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
SamanthaO_isc2
ISC2 Former Staff

Just a quick FYI - I merged the two posts together, so there is just one now. This usually happens as the result of a connection issue where the Post button was hit twice and it creates two posts.

Samantha O'Connor
(ISC)² Online Community Manager