Cybersecurity with Thomas Johnson pt. 2

Businesses worldwide are grappling with the need for robust cloud security. The COVID-19 pandemic has accelerated the transition to cloud computing services, leading to aninflux of cybersecurity threats. Today, businesses must navigate the complexities of vendor management concerning their cloud security obligations. Data from Risk Based Security suggests that data breaches exposed 36 billion records in the first half of 2020 alone. An Exabeam survey of 500 IT professionals indicates that many cybersecurity specialists cannot carry out their duties adequately. Partnering with a services provider that can handle cloud security needs is more critical than ever.

The Hitchhikers Guide to IT explores this core question with host Michelle Dawn Mooney and her returning guest, Thomas Johnson, the National Cybersecurity Leader at BDO Digital. The pair continue their dialogue on this pressing issue. They began discussing cloud security in a previous episode and delved further into the topic in this second discussion. Highlights from Mooney and Johnson’s second conversation include:

– Emphasizing the need to clarify roles and responsibilities with vendors, including defining incident management protocols

– Highlighting the essential elements of business continuity, resiliency planning, and availability in incident management

– The need for a robust, usable disaster recovery and business continuity plan and the role of incident response within this framework

Welcome to another episode of Hitchhiker’s Guide to IT podcast, brought to you by Device42. On this show, we explore the ins and outs of modern IT management and the infinite expanse of its universe. Whether you’re an expert in the data center or cloud, or just somewhat interested in the latest trends in IT technology, the Hitchhiker’s Guide to IT is your go-to source for all things IT. So, buckle up and get ready to explore the ever-changing landscape of modern IT management.

Hello and welcome to the Hitchhiker’s Guide to IT podcast series, brought to you by Device42. I’m excited to continue a conversation that we started in our last podcast episode about cloud security. And I am thrilled to bring on today’s guest once again, Thomas T.J. Johnson, who is the national leader of cybersecurity for BDO Digital. Thank you so much for being with me again, T.J.

You bet. I’m glad to be here and looking forward to the continuation of our conversation.

Yeah. So, last time we talked, you mentioned that businesses have a responsibility when it comes to managing incidents and by engaging a cloud services provider, this can create some complications. So this almost sounds like a continuation of our topic on vendor management. So talk to me about that.

Well, yeah, I guess it is a continuation of our topic on vendor management. The incident component of vendor management is one of those things that sometimes gets lost or convoluted when we start engaging with a vendor and it can create complications. When you outsource something, there is maybe this misnomer or misperception that we’re just basically going to forklift this effort over to the customer or over to the vendor. And that couldn’t be farther from the truth. I mean, there are still responsibilities that all organizations have when they’re outsourcing something and incident management is certainly one of those things. I see it overlooked often. I think there is misperceptions on what the vendor’s responsibilities are, what the assumptions are that they’re going to do, that they’re going to contact you, you’re going to contact them, and various misalignments. I think we talked about this last time also, but it just kind of harkens back to the principle of trying to figure out what the roles and responsibilities are between you and your vendor looking at the contract, seeing what the SLAs are, what it includes, what it doesn’t include. And even there might be some language in your vendor’s SOC to report under disaster recovery that might give you a clue as to what you should do or what you can do from an incident management standpoint.

One of the things I wanted to bring up is when we’re talking about incident management, it doesn’t only refer to security incidents. There are a lot of things that encompass business continuity, resiliency planning, and availability. If you think about the CIA triad, which is the holy grail of cybersecurity, which we’ve got the confidentiality, the integrity, and the availability, a lot of folks forget about the availability part. And I think that’s one of the pieces that we need to make sure that we have in place.

I find it interesting that with incident management, it also includes business continuity. So can you elaborate on that?

Well, as I just mentioned, you know, we’ve got this confidentiality and integrity and availability component of information security, the three tenets of InfoSec. And we’re always really concerned about the confidentiality part. And what are we going to do if a vendor has some kind of incident around confidentiality? But we also need to make sure that we consider the availability part. We can have an incident that relates to outages, vendor performance issues, they’re not able to do certain things. And quite frankly, many companies just don’t think about that or haven’t prepared properly for a vendor outage.

One of my favorite questions to ask is, do you know what you have to do if your vendor goes into disaster recovery mode? Do you have to do anything? You know, I think there’s a misunderstanding that, you know, if a vendor has an outage or something’s unavailable, that’s my vendor’s problem. Well, in reality, it is your problem too. I know you’re outsourcing something to a vendor, but if they have an outage, you need to make sure that you’re prepared for that.

You know, even, you know, I like to look at an example of Exchange Online for, you know, like Office 365, M365. You know, folks are starting to look at like out of band backup plans to cover for disastrous outages. I know, you know, the behemoth of Microsoft, the fact that they would have an outage is probably slim to none, but, you know, we have to make sure that we prepare for that. And that’s one of the things that I bring up. I teach a class at a college here in Chicago, and, you know, as part of the business resiliency planning, you know, we want to make sure that availability is always considered there.

And back in the day, it was, that was really more of what we concerned ourselves with from an availability standpoint when we have an incident. You know, incidents like cyber incidents are today, weren’t as prevalent or maybe even disastrous. They were more like nuisance based. So now the tides have turned and we’re starting to talk more about the cyber stuff. But, you know, we need to make sure we consider the availability part of it too.

To your point with regard to vendors, and you talk about how if they’re having issues, it isn’t your issue, but it kind of is. So how do businesses know what their vendor will be doing and then what responsibilities the business still has? Well, that’s a good question. And we talked about this a little bit last time, but it’s just a recurring theme, understanding what your cloud providers SLA and responsibilities are.

You know, this could be captured in a couple of different places. Like, like I mentioned, maybe an SLA document, maybe if it’s a vendor that might not have as much of a mature offering, you can probably maybe find something like that in a contract or maybe, you know, other documentation. You need to know what your responsibilities are.

I think one of the things that we need to make sure is that we have good processes and procedures from an incident response plan. And then, you know, I talked a little bit about, you know, business continuity and disaster recovery. I feel that incident response, disaster recovery, and business continuity are like the trifecta of resiliency planning for businesses, and they should all really work together. So you need to make sure that you have a good and usable disaster and business continuity plan with incident management wrapped around all of that.

And you know, we often think about disaster recovery as something like if something goes down, we’re going to be able to recover. But in this day and age of, you know, ransomware attacks and the threat actors doing things that can bring us down, disaster recovery and business continuity certainly plays a part in the incident management ecosystem when we have attacks.

So one of the, you know, actually a couple of questions that I would ask is, you know, do you have a good and usable disaster recovery and business continuity plan? Like I say, I emphasize usable, right? I’ve often seen that organizations try to put together a disaster recovery plan that, you know, it’s just kind of basic and generic and I, you know, don’t get caught in that, that, that sand trap of building a disaster recovery plan that’s based on like old equipment.

I was doing some work for a bank once upon a time that had a disaster recovery site, for example, and they had used some of their old equipment that they upgraded and they put it in their disaster recovery site. I said, well, you know, let’s do like a full failover. And they said, well, we can’t really do that because, you know, it just doesn’t have the power to be able to run, you know, our whole new system now. I was like, well, what are we doing with all of this equipment at this disaster recovery site if it can’t, you know, perform as our disaster recovery site? So think about that when you’re looking to retire old equipment and shove it over into the disaster recovery site. You know, if you can’t run in a DR mode at that site, that’s going to be a huge challenge.

Well, and it really comes down to being proactive, not only having everything in place but having things in place that are usable because, as you said, it’s really a moot point if you have all the bells and whistles, but they can’t actually be utilized. A lot of great information covered today. Any final thoughts as we wrap up here?

Certainly. I think it’s going to be important for you to make sure that you have incident response plans that cover your vendors. You know, do you have provisions in place that include your critical vendors? Last time we talked about making sure that you have a critical vendor list, for example. Do you know who your critical vendors are, what they have, what kind of data they have, and why you rely on them? Because you know, they might have critical data of yours, but some vendors might not necessarily have critical data of yours, but you rely on them from the availability standpoint. I’m thinking ISPs, for example.

Another thing is I always like to see if organizations are able to participate in their vendors’ DR testing, you know, do you know what you have to do if they have an outage or a disaster? There might be some things that you have to do as a consumer of services in order to participate, you know, especially in the testing mode. I love participating in the vendors’ tabletop exercises or testing if you can.

And you know, this also goes from an incident response from a cybersecurity standpoint. You know, if you do some tabletop testing, which I love doing, and that tabletop testing usually really surfaces a lot of good information, and it gets people engaged, and you can really see right away if you ask two quick questions of everybody in the room.

If you had a situation, which was predefined, happen to you, two questions are, what are you going to do, and who are you going to call? And it’s kind of interesting to see how that chain progresses, and all of the people that actually get left out that should be looped into that process. So just simple tabletop testing and walkthrough is super invaluable.

And like I mentioned, you know, don’t play the shell game with disaster recovery. Old equipment in the disaster recovery location is no good. And then, you know, like I mentioned, hold regular tabletop exercises. I can’t emphasize that enough. And then, you know, ultimately, engage with your vendor and understand what you need to do if they have to go into recovery mode.

Great information. I can only think a lot of people listening may have some more questions, or they might want more information. Can you direct them anywhere if they do?

Sure. You know, I think if you need more information on what your vendor is doing, you know, make sure that you contact them. You know, understand what your responsibilities are. I mentioned, you know, looking for information in your SOC 2, looking for information in your contract. If you have a formal SLA with the cloud vendor, make sure you understand what that looks like. And there are usually things that you, as a consumer of services, as an organization, have to do in order to properly participate with them as a vendor as a whole. Some of these things are certainly called out in the SOC 2 report under complementary user controls. So you should definitely look at that when you get that report for your vendor.

Perfect. Thomas, TJ Johnson, National Leader of Cybersecurity for BDO Digital. Really appreciate your time and a two-parter here because too much information for just one podcast. So really want to thank you for being with me again today. And I know a lot of people are learning and taking notes out there, and you gave them some great information. So appreciate your time today.

You bet. Looking forward to the next one.

Yeah, so am I. So I want to thank all of you also for tuning into the Hitchhiker’s Guide to IT podcast series brought to you by Device 42. And of course, if you’d like more information on Device 42, you can visit their website, device42.com. I’m your host, Michelle Dawn Mooney. We hope to see you on the next podcast.