Hello everybody, and welcome to What's the problem, the podcast that explores problems and other issues that folks in the world of cybersecurity face today.
Today, we are fortunate to have Warner Moore joining us.
Mike Krass: Warner, wave hello to the listeners.
Warner Moore: Hello, everyone. I’m glad to be here. Thanks for having me, Mike.
Mike Krass: Absolutely. Let's get right into it, Warner. Why are you qualified to talk about cybersecurity?
Warner Moore: I started my career in the early days of the internet. And sometimes I say I helped build the internet. But that's a little more tongue in cheek. I was involved in the early days. And back then, one of the cool nerdy things to do with technology was playing with security. A lot of early security tools came out of open source. I worked for a payment company, and we created the payment space. And that was back when PayPal was a payment method and not all the things they are now.
Being in the payment space, we had to meet all these security requirements for the card companies and our acquiring banks, and that was before the Payment Card Industry Data Security Standard. I started out trying to build this security program to meet Visa, MasterCard, and American Express requirements. And not so long into the project, PCI came out, and it created one standard.
We built a big project around security for one standard, not two or three competing ones. So that was my first security program back in the golden days. I've helped build multiple tech-centric companies across industries, build their security and privacy programs, companies like chemotherapy, pull penguin, and CoverMyMeds. Later, I founded my firm, Gamma Force, where we help companies with technology and cybersecurity strategy. I've built seven security and/or privacy programs. I quit counting around that time. It's close enough. I know a thing or two about security, but many smart folks are doing smart things.
Mike Krass: Awesome. You talked about building security programs at Gamma Force and being in the payment space. My ears lit up when I heard about PCI compliance. I know exactly where you were at that time as the standards were coming out. Let's talk about a problem you see in building security programs, if there might be more than one. There's probably a lot more than one. Let's get into it with the listeners and talk about the problem when you're building a cybersecurity program.
Warner Moore: Focusing on strategy first is something I see that's a challenge. If we look at our security organizations in many industries and companies, we might have all these people dedicated to security, and they're super tactical. We build all these tools and capabilities. We subject our vendors, service providers, and business partners to all these requirements in our vendor management programs. We'll have these external compliance requirements driving our businesses and end up with these long lists of tactical things. We're just doing them, and we need to step back. Consider why we're doing these things. How are we managing risk? Is it driving value in our business? Does it even make sense for the products we're offering our customers in the marketplace?
IT security is a big deal. It's getting riskier and riskier across industries. It's something we should invest in and manage from the perspective of strategy, actively managing risk, not just working on arbitrary lists of things without putting any context to them.
Mike Krass: I talked about building a cybersecurity program and starting with strategy for the listeners. Are there certain pillars or tenets or buckets? I already heard you draw a dividing line between internal and external security, policy, and controls. Are there certain pillars or tenets that you look at in terms of the order of operations?
Warner Moore: I always think of the data involved and the risk to that data, and often because that's what's going to drive a lot of compliance requirements. If it's a business-to-business company and if I'm hiring a business, I'm going to think first about the data I'm sharing, the access I'm giving to the vendor. If we think first about the data and things we're doing, and then next, who wants that? What assets do we have? Are they of value? Who would want to try and take those assets? Or do we not have assets? It comes down to my version of the risk formula, or just several versions of the risk formula, slightly different words but similar contexts. It always comes down to having an asset, something of value. That could be money, people, or intellectual property, something of value with a vulnerability and a threat.
You don't have a risk if you don't have all those three things. Because if you have a vulnerability and a threat for something you don't care about, something that has no value, there's no risk. If you have an asset that doesn't have a vulnerability, that threat is okay, and no one can get to it. We can go about that risk formula, an asset with the threat and vulnerability, from multiple perspectives.
A lot of us like to use words such as risk and not have any real context for what we mean. It's just a word we say. In the case of data, it's not always an asset. It's often an asset, but it isn't always an asset. If that data isn't an asset, you might not ever have a risk to it. Stepping back, thinking about the data, the services being offered, and framing it in the context of risk. What's the business? I do things to manage security that drive value in the business, help increase market share, and provide more value to the customer. So in many tech products, that would include building security features because those are things our market, our customers, would appreciate. So many different angles to take, but those things are always what I think of first: data, risk, and how we can create business value in the workforce.
Mike Krass: I'm building a cybersecurity program and starting with strategy. I will put my key executive hat on, a super generic term. How long does this normally take? Is this a six-month journey with your group at Gamma Force? Are we doing this for 12 months? Or 18 months? Or two years? Or five years? What does that journey look like in terms of time?
Warner Moore: It's an interesting question. Like I said before, one of our challenges is tactics. I just met with the firm for one of my clients before we started this conversation, and I'm going through this risk assessment the firm performed, and they're about to do another for us. And I'm looking through it, and it has this list of stuff with poor context. It checks the annual box for the risk assessment, which is why the client hired them.
Many firms just kick out reports and do these one-off engagements. I encourage clients to think of us as an extension of their team. My team often comes to the table to help in different areas; we're very bespoke. It's as if you were to hire a CSO, but you get the benefit of having an instant security department where you didn't have one before, where we can help you work through those things like what's driving the strategy of your security program, how to align it to your key performance indicators and your annual business objectives, and all different things in between.
Most of our clients we work with for multiple years. Twelve months is often where we start. We have several clients we've worked with for years, and the reason why is we help them figure out what they need at the times that they need it. So as their needs evolve, we can help solve them in different ways. We don't have an ego in the Mac. We're not trying to sell them a bunch of stuff arbitrarily. We can adjust and help them solve the problems in whatever way provides the most value for them.
Mike Krass: If somebody comes to you, or I'm speaking more broadly, what's your advice? If you're growing with an engagement, and you can't help them be there, you don't have the technical proficiency, or you don't have the staff, what's your advice there?
Warner Moore: It comes up a lot where clients want a managed security services provider or security operations center. It's tactical folks watching alerts and maybe acting on them or escalating them. We do not do that. There are no plans to do that. We're not an MSSP. If that is what a client needs, we can help them find the right firm. We often do things for our clients. In some cases, that might be building those capabilities internally, hiring the right people to build that capability.
In some cases, with younger companies, we have more modern technology solutions that work well with cloud-native companies. We can reduce early administrative overhead by building some of those capabilities. It can help get higher maturity capabilities without throwing a lot of headcount or a big services provider at it. We don't do MSSP, and there are other things we don't do. And if there's a lot of folks out there, we can help find them or work with other folks where it makes sense.
Mike Krass: Understood. The last question about building starts with strategy, building these security programs, and you opened the door on this one earlier. Are certain stages of a business's maturation key mile markers regarding their security strategy? The first moment, a good example is when they realize they need somebody like Gamma Force to come in and help them, or their mileage markers, which you've recognized over the years. And you say that when these types of things start happening with that organization, their security has to mature with the business.
Warner Moore: That's an insightful question. It varies a little bit, depending on the industry and type of business. If you're having conversations about security, if your clients are coming to you asking for it, if you start to have those conversations and don't have the professional background in security to frame them in the context of your business, sooner is always better.
One of the luxuries of our work is that we often build security programs for the first time. We have a lot of cloud-native clients, some of our HIPAA clients, or healthcare IT companies. We started working with them from day one when security and privacy came up, and we helped build the right things at the right time. They didn't do everything and go down a list. And an example of that is if you're a healthcare company, you will be thinking about HIPAA early on. But if you can build your product or business to way or handle protected health information in certain ways, it can reduce some of the things you need to do. You can build capabilities at the right size and time that mature with the company. And the client I'm thinking of is one of my favorite clients because they've done a great job. It's really easy. We see the counter just as often, where a company in that same situation ends up saying, "Yes, we're going to be HIPAA," or "Yes, we're going to be SOC 2." And they reach out to firms saying we need to be HIPAA and SOC 2, and then these firms do it to them. And it's just like, okay, you want to do this, and they do it. Then they add all this administrative overhead early on that's very difficult to unwind.
I have a client who did HITRUST, who never should have. They have a very mature security program but are still a young company with limited resources. And it reduces their ability to operate in their industry competitively. And they've gone so far down that path. It's very difficult, if not impossible, to say I'm going to stop doing HITRUST suddenly because they have a ton of customers they're contracted with, committed to doing that. Had they had the right conversation with the right people earlier, they could have been the other example, where they implement the right things at the right time and don't end up adding all this administrative overhead, an operating expense that doesn't add value to the business.
Mike Krass: Yeah, it's like they drove the pilings of their building 1000 feet into the earth. They probably would have been ahead of the game if they'd driven them down 100 feet and stopped. And now they're never getting them out. The building sits on top of it, and that foundation, they're never going to unwind it. It's almost impossible to.
Warner Moore: We're not going to be the tallest building in the world. We're not the Burj Khalifa here.
Mike Krass: Yeah. Cool. Warner, I appreciate you educating some of our listeners earlier in this episode. Let's get to this final question here. Tell the listeners about a terrible haircut you've had at one point.
Warner Moore: I've had long hair most of my life since about 12, and the haircut I usually have is an annual haircut, where I'll donate my hair. Thanks to the pandemic, it's a haircut every couple of years; I chop a bunch off and donate it. Wigs can be made for cancer patients. In my early 20s, I got this wild hair that I wanted to do something different. I spent a few years trying to find a mid-length cut that I liked. And well, my last attempt at a mid-length cut was during my wedding, and every time I see my wedding pictures, I cringe. It's probably my least favorite haircut.
Mike Krass: I've ever seen your most documented haircut most photographed there, but I'm sure
Warner Moore: Yeah, it's true. Well, in retrospect.
Mike Krass: We appreciate you joining the podcast and dropping some knowledge on our listeners. Commonly, the listeners reach out afterward, saying, "I'd like to talk to this guest." How do folks get a hold of Warner? What's the best way to reach out to a professional?
Warner Moore: I'll say two ways, one on LinkedIn, and feel free to reach out to Warner Moore on LinkedIn. Be sure to say why you're reaching out, not just a generic message, and I'll respond or send an email to firstname.lastname@example.org. I am always happy to chat about the tallest buildings in the world or how to build a strategic security program.
Mike Krass: I love it. Listeners, you heard it first: Warner Moore, that's two O's, M-O-O-R-E is the last name, or email@example.com, easy to get ahold of him. And to our listeners, thank you for listening to another episode of What's the Problem, the show that explores problems and issues that folks in the world of cybersecurity face today.
Warner Moore is the Founder of GammaForce.io and is involved in a number of CISO advisory relationships. Besides that, he’s a startup builder, advisor, and mentor. Not to be forgotten, Moore is an avid backcountry skier.