How to Secure Your Organization During Employee Turnover

Transcript

Opening

Welcome everybody to What's the Problem, the show that explores problems that buyers, practitioners, operators, and managers in the security space are facing in today's world.

Today, we are fortunate to have security veteran Jack Borchgrevink with us from Houston, Texas.

Conversation

Mike Krass: Jack, say hello to the listeners.

Jack Borchgrevink: Hello, everyone. I’m glad to join you today, Mike.

Mike Krass: Hey, Jack, we are glad to have you on the show. Let's dive right into that first question. Why are you qualified to talk about security?

Jack Borchgrevink: I've been in the industry a long time from the vendor perspective going back even before Nortel in the networking and security space. I did some startups there and then through Juniper and Cisco and now into my current role with VMware. I've been helping folks buy and implement complex network solutions and how to begin to secure the environment and the ecosystem to start to protect themselves from the bad guys.

Mike Krass: I heard some traditional legacy names there that I haven't heard for a while. As someone with your experience, I'm sure that there are a lot of eyebrow-raising security concerns or problems that you see in our industry. Let's talk about one of them. Could you name one problem you'd like to explore with our listeners today?

Jack Borchgrevink: I think some of your other guests have stated, when you get around the state and local government and education space as well as the SMB space, the real issue that these folks have is they bring folks in that are pretty talented, and as they get their experience and certifications, they move on and move out to higher-paying roles and maybe more complex roles with larger organizations. So it's just constant movement through these talented organizations, and it's hard to hold them and begin to build that cohesive security strategy required to protect. So in light of that, how do you begin to maybe shape and change what these organizations should be looking at in terms of how and what they buy, and more importantly, how do they plan. I think those are real quick key issues.

Mike Krass: A quick clarifying question talked about state and local government. In your experience, do you tend to see more or less turnover based on the size of the public organization, as a municipality versus an entire state organization?

Jack Borchgrevink: That's a great question, and I think it depends. Normally, you'll see that the smaller the organization, the more constrained they are to pay. The turnover seems to be higher there as you get to. In large organizations, say the state of Texas, there is more opportunity to, say, move around and move up. You may find folks staying a little longer, but it's still the same issue. The public sector typically can’t pay as well as, say, a very large Fortune 50 or Fortune 100 or even a security vendor.

Mike Krass: So, they're moving around. I hear some alarm bells about what that means for security within your organization. Is there anything you want to expand on there for us?

Jack Borchgrevink: A couple of things. If you think about it, in many instances, these folks are coming in, and maybe something is a bright, sharp person that's got the role, and they start to build this posture. They begin to develop the processes and procedures so that you can protect your organization, but they don't document. There are no playbooks, and there's nothing written down.

So they leave, and it's like, now what? It's a start over, but, in the meantime, there's this anxious period where if something did happen and nothing's documented to be able to deal with the issue at hand and the intrusion at hand. How do you deal with that? Part of what we see a lot of is playbooks aren't written. So someone leaves, and now you get hacked. You've got an intrusion, an event going on, and now you're panicking interest trying to react versus calmly stepping back and saying, “Hey, we've rehearsed this, we've practiced this. Let's go to our playbooks, walk it through, and calmly mitigate this risk, intrusion, and malware that's just hit us.” So that's what I'm seeing.

If people aren't putting into practice what they need to play down the road, it's no different than any great sports team. If they don't practice and go out there and play, it shows on the court that they lose to the well-practiced team versus just doing what they're supposed to do, and everyone has their part. So I think if I couldn’t emphasize to those who are listening to us, start working on that, get those plans in place, practice them run events, run tabletop exercises, and make sure that everything is kept up to date. So if someone leaves sick and on vacation and you get breached, you're ready to go what to do to begin to put everything in place and stop what's going on.

Mike Krass: I'm thinking of a quote by a gentleman named Jack Dailey, and he says, “Life happens,” and he's referring to life happening within a corporate environment or just a workplace. Life happens to people that they're out for a day, month, a year, and it just happens. It's the same concept of if you got hit by a bus tomorrow, who would be able to come in and do X, Y, and Z that you're currently responsible for and accountable for. Is there a certain within these organizations on the public sector side? Are there certain roles that you think are better suited to create those playbooks, whether it's a title or a position, it might not be who's currently creating them or not creating them, but is that kind of role that you think is like, this is the person who is really just this is the right seat for him or her?

Jack Borchgrevink: If you step back and say who will manage the process and more or less. It mandates a strong word but certainly says, “Hey, we have to do this. It should become out of the office of the C.” So if there is a C, if not, the CTO should certainly be handling it. This is just a general procedure to say this is the best practice that we have this stuff documented and just start to bring folks into play and set the team down and say what are we doing today. If we were breached right now, what would we do? And that really should be your start point to understand everyone's role and various functions inside of the organization in the event of a breach? How do you handle it? How does everyone act and then react and work as a team? So everyone's doing their role. Sports analogy, but you're staying in your lane. And at the end of the event, it's done promptly or as promptly as possible. And you go, yeah, we've worked as a team on this and provided our best effort and mitigated this malware and intrusion as rapidly as possible.

Mike Krass: The other thing that comes to mind is redundancy. Even if we have a plan, what happens if Junifer is supposed to do numbers one, two, and three, and she's out sick? What kinds of redundant systems, whether people-oriented or technical, to just think about that in the plan? When the worst thing happens, you've got a couple of different fallbacks. Engineers love redundancy for a good reason. Things sometimes break, and your primary sometimes isn't available, so you've got to have a redundant system.

Jack Borchgrevink: As engineers go, they plan to fall back and then back. From people's perspective, if I have role A and I'm not there, who will do what I'm supposed to do and if a person is not there, who covers that person. So I agree with you. Laying down on the backup is hugely critical. No different than if I have my databases inside my application and workloads, are they protected from the initial workload? But more importantly, Where's that backup? Is it in a safe place? Is it secure? Do I maybe feel like this is so important, and I should have two backups or lots of incremental in the event of ransomware? I can just take it down and rebuild my environment quite rapidly. Those are the things that need to be well thought out. So that data is parked in secure locations.

So if the primary is compromised, we've got a couple of backups. If you can just afford one, then just make sure you have that one, and you have lots of incremental stacked on it so that you can catch it where you need to and begin to restore and get back to work quickly.

Mike Krass: Before we transition to our fun question on the way out of the episode, how do you think about these tabletop exercises and building plans with redundancy and backups to the backup? How do different security vendors play a role in that? You work for VMware right now. So if you had a customer come to you and say, what would they be saying to you if we want you to participate in this tabletop exercise, or would you be coming to them? Is that happening at all between vendor and buyer?

Jack Borchgrevink: Yes, it is. There's a combination of proactive approaches to saying, “ Hey, here's what we see elsewhere, other organizations, groups, or county agencies that are best practices. Here's what we think. Here are the things we think you all should be enabling and working on.” And there are services that we can provide to help them get there.

There are a lot of great integrators, as we call them partners, that are out there that have their team of experts that can say, hey, not only do you have stuff from VMware, but you have stuff from all these other vendors, let us come in and help you build that cohesive tabletop exercise. Some folks can help them get there and provide that expertise and intelligence. So not only is it done, but it's continual because it shouldn't just be a snapshot in time. It should be an ever-evolving playbook that's always getting better to close down with. If you think about football and if you want to mark it with a hit or went to the game with a head coach who hadn't changed his playbook since 1975, you're likely not going to be super successful. A coach like Nick Saban evolves the plays every year, every game, every quarter, and the game plan. Those folks know how to make the changes, keep it moving and win. And it's really about winning against the bad guys.

Mike Krass: I'm glad you brought up the partners. I believe it's still called BSPP or used to be called BSPP. VMware is a very active partner program, a lot of support for folks standing up VMware, any sort of virtualization products sold by VMware, and I imagine that they were a hot commodity. Even though there's a bunch of folks in that partner portal it was, I think they were all pretty dang busy.

Jack Borchgrevink: That is a very true statement.

Mike Krass: Let's get to the fun stuff here. Jack, take us back a couple of decades and tell us about a terrible haircut that you had.

Jack Borchgrevink: I was thinking about this, and I'll have to take you back a couple of decades as we all remember the fun of the boy bands and everyone they came out and had that look with the spike tear. The blonde that dead unnatural blonde tips on the top and four pounds of gel. So your hair was almost straight up and wouldn't move in typhoid in a typhoon wind. Did we think we all looked cool? And you look back on and go. Yeah, maybe not so much, but it was cool at the time, but I am one of those haircuts that just didn't hold up over time.

Mike Krass: Jack, I appreciate you being vulnerable there. I can see that haircut, and I feel that haircut on the gentleman by the name of Guy Fieri, and he's still rocking that dude, started the 90s and never got another haircut. It's an evergreen haircut for that guy.

Jack Borchgrevink: No doubt. That's a good point.

Mike Krass: Thank you, Jack, for joining us. And thank you to the listeners for making it to the end of this show called What's the problem, the show that explores problems that buyers, practitioners, and business folks in the security space are facing in today's world. We'll be excited to have you on the next show. Jack, thank you again for your time.

Jack Borchgrevink: Thank you for having me. I truly appreciate it.