Beyond the Firewall. Powered by HUB Tech
Beyond the Firewall is a podcast designed to help business and IT leaders understand how technology shapes performance, resilience, and long-term growth. Each episode delivers expert perspectives and actionable insights to help organizations stay ahead in a rapidly evolving digital landscape.
You’ll hear deep dives into today’s most pressing technology topics, including artificial intelligence, cybersecurity, IT modernization, and cloud transformation. Conversations center on real-world challenges and practical strategies leaders can apply to strengthen their operations, safeguard their environments, and prepare for the future of IT.
Powered by HUB Tech, the podcast is hosted by Chris Daggett, Director of Managed Services and Security at HUB Tech, and Adam Shaffer, an IT and eCommerce leader. Together, they sit down with CIOs, CISOs, CTOs, IT practitioners, public-sector leaders, and other technology innovators who bring forward the ideas, lessons, and perspectives shaping the modern IT landscape.
For more information about HUB Tech IT Solutions and Services, please visit https://hubtech.com/
Closing the Cybersecurity Execution Gap: Why Strategy Fails Without Process
Cybersecurity plans look great on paper until daily operations get in the way. The real reason breaches happen isn’t a lack of tools or knowledge. It’s breakdowns in execution.
In this episode, we sit down with Steve Brining, CISSP and Cybersecurity Evangelist at Acronis, and Chris Daggett, technology leader at HUB Tech, to expose the hidden gap between cyber strategy and real-world operations. They explain how “process debt,” misconfigurations, stale access, and delayed patches quietly create open doors for attackers, even in organizations with mature security programs.
Rather than chasing the latest threat headlines, this conversation focuses on what actually works: clear ownership, disciplined workflows, protected time for security hygiene, and leadership that drives accountability. Steve and Chris break down practical priorities for SMBs enforcing MFA, patching internet-facing systems, testing backups, and turning policies into repeatable habits.
You’ll also hear tactical advice on incident response culture, realistic security drills, measuring what matters, and taming shadow IT with defined ownership. If you’ve ever wondered why dashboards don’t equal resilience, this episode delivers a no-nonsense playbook for making cybersecurity operational, not theoretical.
---
For more information about all-in-one cyber protection, please visit Acronis at www.acronis.com
---
The Beyond the Firewall podcast features discussions with technology leaders and practitioners who provide valuable insights into today’s IT and business challenges.
Follow the podcast to stay updated on new episodes, and watch full episodes and video highlights on YouTube.
To learn more about HUB Tech and the services that support IT modernization, visit the HUB Tech website at https://hubtech.com/.
What's really driving the future of IT? How are leaders staying secure, efficient, and ahead of change? Welcome to the Beyond the Firewall Podcast. Powered by HUB Tech, where we go past the headlines to talk with technology leaders, industry experts, and IT practitioners shaping how we work, live, and lead. Let's get into today's episode.
Adam Shaffer - Host:Welcome to Beyond the Firewall, Powered by HUB Tech, the podcast where we talk about the real technology challenges leaders face every day. I'm Adam Shaffer, and today's episode is about a hard truth in cybersecurity. Most breaches don't happen because teams don't know what to do. They happen because execution breaks down. Organizations buy the right tools, they write the policies, they check the compliance boxes, and yet they're still vulnerable. Today we're talking about the gap between security strategy and real-world operations. And I'm joined by two people who live this every day. First, Chris Daggett, technology leader, practitioner, and someone who works directly with organizations implementing real-world IT and security programs. And our featured guest is Steve Brining, CISSP, certified cybersecurity executive with over 20 years of experience building and leading security initiatives. Steve brings deep operational experience plus a unique leadership perspective as a commanding officer in the Arizona National Guard. Chris, Steve, welcome to the Beyond the Firewall podcast. Thanks for joining me today. Thank you, Adam.
Steve Brining:Appreciate having us. Thank you.
Adam Shaffer - Host:So oh, I'm very excited about having you guys on the show. So you know, just to kick it off, I mean I I I tried to do my little bit of an intro to introduce you, but but Steve, I mean everybody knows Chris at this point, but uh you know, Steve, did I miss anything cool and interesting about you that I didn't uh brag about?
Steve Brining:Um uh I guess I'm also a part of FBI InfraGard as well. And uh it's it's it's closer to 30 years now, but it makes me sound younger, so I appreciate that, Adam.
Adam Shaffer - Host:I don't know where I got the 20 from. Okay, no, I forgot how old you really were. We round up or round down by the decade. What what's the FBI um um role? What is that?
Steve Brining:Uh uh just a member of uh FBI's InfraGard. Um so uh threat intelligence feeds, things like that. Um seeing things a little bit more uh even outside of cybersecurity.
Adam Shaffer - Host:Um, you know, get alerts and so that's awesome. That'll add some value to the conversation. So let's get started and talk just like kind of big picture for a second. And and Steve, you know, let's start with you. And when you look at modern breaches, what's the most common root cause you see today?
Steve Brining:With modern breaches. Uh I would say execution failure, not necessarily the technology gaps. Um, you know, companies are always building um very sophisticated tools, but they they sometimes fail at fundamentals like you know, timely patching, doing access reviews, uh, even configuration hygiene. Uh to me, breaches it seems like they rarely exploit zero days in per se. They leverage misconfigurations, stolen credentials, unpatched systems that sometimes are actually left unpatched for months. So to me, I would call that process debt, right? Um, security activities treated as projects rather than a disciplined operation. So when when a team lacks um clear ownership, having some measurable cadence, if you will, and even leadership accountability for the execution, even the strong tools actually become ineffective, right? So it's not about buying more, it's about consistently doing what you're committed to. Um I did I did say something about um I said breaches rarely exploit zero days. Uh what I mean is uh zero days dominate the headlines uh since associated with like nation states, and they feel like they're very unstoppable. But really, I'm I'm seeing a lot of opportunistic hackers, you know, the ones behind say 90 plus percent of the ransomware out there, they take that path of least resistance, like phishing an employee or exploiting some old CVE that's not patched. So companies get obsessed on on all these advanced threats while say leaving say RDP exposed to the internet or skipping some quarterly access reviews, right? But for small to medium businesses, attackers are not crafting um novel exploits. They run like automated scanners, look for yesterday's vulnerabilities. It's not to dismiss the zero-day risk, it's just to prioritize correctly. If that makes sense.
Adam Shaffer - Host:Yeah, no, that does. That does. I mean, and and and that's what I figured. But Chris, from an IT operations perspective, do you see the same patterns?
Chris Daggett:Oh, absolutely. All the time. You know, even tiny missed tasks can compound the big, you know, the issue at hand. You know, you one skipped patch, uh, one firewall rule that nobody ever revisits, uh, a monitoring tool that hasn't sent data in weeks. These are all technical failures. Um these aren't technical failures, rather, they're operational failures.
Adam Shaffer - Host:So are you guys both saying that cybersecurity, you buy all these tools, you probably have the right stuff, but it's more of a leadership problem, not a technical problem. Is that is that what you're saying here? Process problem.
Chris Daggett:I would say yes. You know, you can buy all the tools you you can find. Um, however, you know, it comes down to ownership. Uh, that's a big piece of it, and being able to operationalize things and integrating it and you know, integrating the tools uh into the culture. You know, it's cybersecurity um is not a checkbox kind of item, it's a culture thing. And it starts with leadership.
Steve Brining:Yeah, I would definitely say overwhelmingly it's leadership. I mean, technology is the table stakes, right? But the differentiator to me is whether leaders will create um conditions for execution, right? Like uh Chris said, clear ownership. Um, but you got to give people protected time for their hygiene tasks, right? Um, look, technical teams know what to do, right? They know how to patch, they know how to segment, they know how to monitor. They fail when leadership um treats security as some kind of like interrupt-driven work rather than some core operation. Uh, but the leaders set the tone, as Chris said, right? If quarterly access reviews are perpetually delayed, right, for more urgent projects, right? You kind of signal security is kind of optional, but culture flows from the top, as Chris was talking about. Culture.
Adam Shaffer - Host:Yeah, no, I love blaming the boss. It's my favorite. So uh we all know what we're doing if it's damn bosses. So, so, you know, um so so who should really, and and I guess I could put it out to both you guys, but whoever wants to use it, who should really own cybersecurity execution?
Chris Daggett:So, you know, the the way it plays out, Adam, is leadership, you know, they own the risk. The security team would own the strategy, IT would own the execution and the follow-through of the strategy.
Steve Brining:Yeah, I I was gonna say, Adam, really quick, like uh, you know, there's accountability and responsibility, right? Accountability can't be delegated, right? So the business leaders, accountability for the asset, you know, not just it, right? CISOs can own framework and guidance, right? Business unit heads may uh own within their domains, like CFOs own the financial system security, right? CMO, customer data, right? So um that's that's kind of how I see it. IT enables, but the business executes, right, in that situation.
Adam Shaffer - Host:So so so you're saying shared uh responsibility or or not shared responsibility?
Steve Brining:Uh for me, shared ownership fails when it's not structured with clear handoffs and escalation paths, right? You have to think of it like a um think of like uh in the Olympics, right? Like a relay race. If you got four runners that are jointly responsible for the baton, but no one knows exactly when to grab it, right? The baton's gonna hit the ground. Right? It's an analogy. I don't know how well that's gonna work. Um, but in securities, let's just say these things happen, right? Now let me give you an example. Like uh the SOC and the infrastructure team, right, will share ownership of vulnerability remediation, right? SOC identifies the flaws, infrastructure patches, but without any kind of defined service level agreements for the handoff, for example, um SOC will escalate critical vulnerabilities within four hours, uh infrastructure acknowledges it within one hour. The item sits, I will say, like in some email purgatory, right? So psychologically, shared ownership to me triggers very um a diffusion of uh responsibility. Um again, if if it's when say three leaders are accountable, each assumes the others are handling it. No one wants to step on each other's toes, right? So silence prevails until a breach occurs. Yeah.
Adam Shaffer - Host:So so no, that's that's that's a good that's a good point. So um I like the relay race. Um the baton pass, good analogy. It works. I'm gonna I'm gonna copy that. Um so you mentioned Steve before SMBs, and and so I I you know talk to and work with a lot of SMBs, and they think, oh, I just need to put this thing on my system and and I'm covered. Nobody cares about us. We're too small, nobody's trying to break in. I mean, so what you know, where do SMBs usually fall short? I mean, I'm I'm I I see that, but I don't know if that's the norm.
Steve Brining:Uh prioritization analysis. Um, you know, they try to mimic some enterprise program with like a tenth of the resources, right? So instead of focusing on, say, the 20% of controls that prevent 80% of the breaches, like uh, I don't know, patch, we talked about patching, backup, MFA, they chase compliance checklists or shiny tools, right? So where SMBs succeed is when they, for lack of a better term, I know military, ruthlessly prioritize, right? What will cripple us tomorrow? Say the answer is ransomware, right? So they enforce MFA everywhere, right? They test resource back, um, say weekly. Um, they can patch internet-faced systems, say within 14 hours, right? So just be simple, measurable. That's non-negotiable. So prioritization analysis.
Adam Shaffer - Host:And and and just, you know, Chris, where do you see these SMBs? And the SMB just I it's small, medium-sized businesses, but I'm I'm actually thinking small business when I talk about it. And and so where do you see the shortcuts that they're taking? Are are you know, because I I can't imagine they're incredibly thorough. Yeah, I mean belittle them.
Chris Daggett:Essentially what happens, Adam, I mean, based on my experience with with the SMB market, is you know, the SMBs fail to uh document things, um, you know, have tried and true processes, follow compliance frameworks. You know, those are you know, typically they're understaffed and they just don't have the resources to put a good governance program in place and have that operational um you know process be rock solid. Um so that you know the end-to-end process breaks, you know, at the end of the day. It's you know, as Steve had alluded to, it's the handoffs, right? And when you're a one or two-person IT shop, you know, you're wearing lots of hats, you can only cover so many bases. Um, and security, unfortunately, tends to become an afterthought in many environments because they're too busy chasing, you know, the little minutiae problems around. Um, so where does that leave time in the day to iron out you know the end-to-end process, ensure that you know you have compliance checks in place, that the documentation is where it needs to be, you know, are they adhering to a WISP? You know, those types of things. So, you know, Steve had alluded to, you know, IT is a lot bigger than you know, security. And, you know, that there's so many little pockets of IT these days that people need to be aware of, um, you know, in an effort to protect their own environment. You know, everybody is a target, you know, especially with AI. You know, these these hackers can really cast a wide net, and you know, they can take you down really quick. You know, it's it's the low-lying fruit that they're looking for. They just want to disrupt.
Adam Shaffer - Host:I'm sure everybody knows, but just humor me. Just like tell tell me what a WISP is.
Chris Daggett:A WISP is a it's a document, it's a written information security program, and it outlines how you run your security program from end to end. So typically there are you know underlying policies and procedures um that tie into the master document, but this lays out you know how you handle vulnerability management, how you handle incident response, you know, so on and so forth. So it's it's the foundation of any security program.
Adam Shaffer - Host:Thank you. Sorry, I didn't uh yeah, my guess is everybody knows that. Just wanted to make sure. And and so, you know, so now let's let's just stay with that small team for a second. So you got the small team, one or two people, they come to work every day. What should be their main focus every day? Like, is there a priority? They can't do everything.
Chris Daggett:You know, it's they have to worry about the reactive stuff first. You know, is there a is there a fire internally that I need to address? Because that's a a business stoppage issue, you know what I mean, depending on the severity of the problem. But there are daily checks um, you know, throughout the day. Um, you know, from a security perspective, you know, you're checking patches, patch levels, you're checking uh versions of agents, you're checking, you know, you're obviously checking your ticket queues and reports. Um, there's just so much data to look at. Um, you know, and especially if you have it set up correctly, you know, you you have a lot of different places you need to look to gather that data because it's not it's typically not in one single report. So, you know, there's this there's a lot to tackle.
Adam Shaffer - Host:Yeah. They can always outsource and get a managed service provider. That wouldn't be such a bad idea. Yeah, but I don't want to be a very that can be a very cost-effective measure for sure. But I don't want to be too pushy there. And then, you know, so Steve, what what do you see as the biggest execution mistake that these uh growing companies are making?
Steve Brining:Um I would say treating security as a scaling problem when it's actually a discipline problem, right? So say a company grows from say 50 to 500 employees. Um, I guess leaders assume that you know they can engineer their way out of risk. You know, hey, let's buy more tools, right? Let's hire a CISO, let's implement some frameworks, but they still neglect to like say institutionalize their operational habits and actually prevent breaches, right? So when something worked informally with 20 people, honestly, it collapses at 200. You know, at a startup, you know, um the founder might personally review every access request, but at 200 employees, that's impossible, right? But but but too many companies never replace that informal discipline with a scalable process. Instead, they'll and they'll take some IGA tool or some um identity governance and administration tool, and they'll say, Yay, we have victory while their access reviews still slip through the cracks, right? Because no one owns that workflow, right? No deadlines exist, right? Um, and leadership never measures completion, right? The tool's there, but the execution isn't.
Adam Shaffer - Host:Yeah, um that that's great. And Chris, going back to the WISP or the written documentation, you know, I I know a lot of companies that have tools that people document everything, but yet somehow the written policies fail. I mean, in daily operations. You know, tell me if I have it wrong. Do you see that?
Chris Daggett:And why is that it's always the last thing. You know, every every time I meet with a customer, you know, I ask them about their documentation and they say they don't have time for it. You know, they're they're too busy working. That's that's the canned response that I normally will get. You know, these companies need to really change their thought process on how they handle um you know security. They need to make sure that everybody that's involved in the end-to-end process, the handoffs, you know, so on and so forth, turn into muscle memory. You know, that's really when you you have a nice streamlined, you know, process. You know, when when people don't have to think about things, they're cool about it, they don't panic, you know, they just go on with their day and everything is seamless, that's when you'll have the most success.
Steve Brining:Yeah, I was gonna say, let me just, you know, one one thing to tie into that. I would just say, you know, because you're saying policies, right? Fail and daily operations. My my old adage was policies describe ideals, workflows determine behavior.
Chris Daggett:Right. No, I would agree with that.
Adam Shaffer - Host:So so what's the difference of between the policy and the the workflow? Is that like you know, that's the tactics that you're taking?
Steve Brining:Well, a policy, a policy may say review access quarterly, right? But if there's no calendar um invite exists, right? No tools, you know, no tool that exactly. You know, yeah, as well. Exactly. So you got to translate policy into workflow, all right, and automate that access report, assign the owners and set the deadlines and things like that.
Adam Shaffer - Host:And and um you mentioned culture before, and I imagine culture comes from the top, but but Steve, talk a little bit more about why culture is important, like you know, why is that sometimes the secret sauce?
Steve Brining:You know, it's interesting. When I went to um when I went to Warrant Officer School, they said, you know, do the right things when no one else is watching, right? So culture to me, it's like if you think it's like it's like the operating system that determines whether your controls actually execute when no one's watching, right? So um I would say that security culture, um it's three, I'm thinking three tangible ways. First, you got the psychological safety to speak up, right? In strong cultures, you know, some junior analysts might escalate some oddities without fear of embarrassment, right? Weak ones, people stay silent because false alarms are, you know, they get punished, right? And breaches really surprise resilient organizations, right? They surface, right? I would say shared burden versus siloed ownership, right? When security is the CISO's job, right? Um you have to look at it like uh uh you know what I'm just changing gears. I would say leadership modeling, culture flows downhill. Uh I had an old CEO say culture eats strategy for breakfast. Um, that just randomly came here. But culture does flow downhill, right? If executives bypass MFA, right, because it slows me down. Well, you've just taught the organization that security is optional uh for important people, right? But if the CEO publicly shares how MFA blocks, say a compromised password last month, that would signal to the company that security matters more than convenience, even at the top. Um, so and it's not really posters or annual training, right? It's got to be a consistent reinforcement of behaviors uh within a company as well. Um, weak cultures, they treat security as a constraint. Strong cultures, they treat it as really a competitive advantage to them.
Adam Shaffer - Host:I love the uh do the right thing when nobody's looking. I teach my kids that all the time. I mean, I think that's brilliant. I didn't have to go to the military for that though, but I mean I think it's uh it's it's it's it's uh it is true. I think that's uh learned I learned through a lot of push-ups. You know, I I just uh I read a book. So anyway, so uh but but that is a um a really good way of looking at it. And and so now kind of uh you know jumping around a little bit to kind of going staying, kind of going to leadership, but more about you, Steve. Like do you feel like the military leadership helped you become a great cybersecurity evangelist, management manager, uh all the different things you've done in security?
Steve Brining:Uh yeah, I mean they look, leadership is leadership. One of the things that the military is really strong in is training. And, you know, you're gonna have it just like in any organization, you have good leaders, you have bad leaders, but you'll learn from both, right? And over 20 years uh in the military, uh, you know, I've had some really great leaders and I've had so not as great leaders. And I've learned from both of those. And sometimes you say, thanks for teaching me not what to do. Uh, but also I've had people on the side as mentors, and that was really important to me from the military perspective. So I think it's it's really helped me like you gotta sometimes just stick your neck out there. And we always say, you know, pick the battles in order to win the war, right? And it's kind of the same thing, and you have to learn that with the ebbs and flows with your mentorship. So it's definitely helped me.
Adam Shaffer - Host:I thought you could just say something like uh it taught me this discipline or something like that, but uh, it's interesting that you talked about uh having good mentors.
Steve Brining:You know, the thing is, is uh there's there's two principles, right? And you know, there's commander's intent, right? And then discipline rehearsal, right? In the military, you determine the outcome. Well, we're gonna secure this terrain, right? Not every step, right? Empowered teams. Get to adapt. So in cyber, it means leaders will define the risk tolerance, right? We're going to have no unpatched internet-facing systems. But to let the teams choose the methods. The other to me for the military was um rehearsal execution until it's muscle memory, right? Tabletops aren't about perfect plans, they're about building some calm, coordinated response under stress, right? Crisis reveals training. It doesn't create it.
Adam Shaffer - Host:Yeah, I know. That's a good point. So, Chris, let's let's just say there's a cyber incident. How would an IT leader prepare their teams for the pressure when there is an incident? Is there pressure? I I would assume there is.
Chris Daggett:Oh, there absolutely is. Um, you know, as Steve had alluded to, you know, it's all about you know the tabletop exercises, getting people comfortable with um, you know, what's happening. There are going to be things that you're gonna come across that you've never seen before, but you have to keep a cool head.
Adam Shaffer - Host:Um you know, which you see people panic.
Chris Daggett:Oh, yeah. Yep. Yeah, people freeze up, um, you know, and then sometimes people just their anxiety builds up so much that they become, you know, kind of frozen. Um, but this is why it's very, very important, you know, to just continue to go through training until it becomes that muscle memory. And then it really takes that chaos out of that exercise. Because these cyber breaches, the the response, you know, incident response is a very common thing. And it's probably the number one thing that any company needs to focus on today. Um, you know, it's they will experience it and it will be consistent.
Adam Shaffer - Host:So so Steve, do you see people freaking out and and and losing it during an incident?
Steve Brining:I can write a book on this one, Adam. Um yeah, do you think that's true? Yeah, so I would say that the how a leader communicates during incident, right? I would say, you know, and I use the terms, the the term I use is um preserve cognitive capacity for responders, right? Panic is contagious. Um, calm is catalytic to me, right? So every message that you send either is gonna free up the mental bandwidth for the team to solve the problem or consume it with anxiety uh or ambiguity, or I'll call, well, in my case, political noise, right? So to me, I would make sure you over-communicate the cadence, not speculation. Um, that's the first thing. You gotta also shield the responders from the noise. You gotta be that good filter, right? Your job isn't to be the smartest person in the room as the leader, it's to be that filter. I always say that as commanding officers, we're we're the consummate filters, right? But if we translate that to corporate America, when the board says ask for hourly updates, you got to translate that pressure into maybe more some structured briefings, not constant pings to the incident commander, right? Um, a third would be um measured urgency, right? Tone matters more than words. If you're frantic in your updates, that's catastrophic, right? That that can trigger that flight or fight response to people. Um, we have a serious situation here. We've activated the plan, we've contained the initial scope. Next priority is determining the data exposure. I have confidence in this team. That it that's not sugarcoating. Um, I'm trying to do it with pressure without capabilities, right? It's hard, but you know, we're trained for hard. But I would say post-incident communication separates really good leaders from average ones. And I've learned this one. You don't wait for some forensic report to acknowledge impact, right? Share what you know, what you don't, and what you're doing to the affected parties, right? Transparency isn't admission of failures, just in my case, proof of control in this situation.
Adam Shaffer - Host:Who are you sharing with, though? Like when you say that, because I I often think, do they just keep it in their little team or do they let everyone in the company know what's going on?
Steve Brining:Well, it depends on what the workflow is in your incident response plan, right? Depending on timing, it could be the the PR team does it. It may be the CEO that actually does the messaging. And if the CEO is going to do the messaging, maybe the PR team needs to do it, right? If you translate that, you know, in military language or public affairs gets involved if the message has to go outside, right? But there's workflows, right? And that's why having those exercises about what is the proper workflow and who owns ownership of the communications is very important when it comes to um how you communicate, right? It could be communications, it could be legal, it could be um stakeholder updates. What I'm trying to say is everyone in that chain though, the tone really matters and being calm. Don't panic, any of them. And I think and get the messaging out to the right people at the right time.
unknown:Yeah.
Adam Shaffer - Host:Chris, I'm sorry.
Chris Daggett:Yeah, I think to add to that, you know, there are, you know, there are there are always lessons learned uh after any given incident. You know, you can always look to sharpen the pencil. And, you know, you need to modify incident response plans and disaster recovery plans accordingly, you know, based on findings and where your gaps are. So, you know, there's this one piece where it's the you know, the rock solid execution, and you might think you have all these bases covered, but you may uncover some things that you just haven't even thought of. And you know, you really need to kind of modify your process um and your documentation appropriately to make it a little more seamless.
Adam Shaffer - Host:Great. I mean, so calm leadership wins the wins the race, right? That's that's the game. I would never be able to do this job. I'd be freaking out, I'd be screaming. Uh so don't uh I'm not the cybersecurity leader. Sorry about that, guys.
Chris Daggett:You get a little desensitized to the uh anxiety Adam after time.
Adam Shaffer - Host:No, that's great. And um, you know, I you know, I guess it's it's like what habits should IT leaders build into their teams? I mean, is the habit um to stay calm, is the habit to follow the processes and the workflows? What is the habits? She talked about build a habit.
Chris Daggett:Well, everybody has a role. They need to understand their role, their responsibility. Um, you know, if you think about a RACI model, right? Um, you know, you have parties that are responsible, accountable, you know, ones that are informed, things like that. That all comes into play with these incident response plans. You know, they're a you know, leadership needs typically needs to be informed. You have the feet on the street kind of doing their thing. Um, you know, everybody has a role to play. And it's just a matter of getting comfortable with the overall exercise and understanding what your role is in the big picture.
Adam Shaffer - Host:And how uh Steve, how often should you be testing? Like testing your operational plan?
Steve Brining:Um, well, I would say first you test differently based on criticality, right? Not on some single calendar schedule, right? You you want to have some tiered rhythm that matches business impact with uh what I'll call rehearsal intensity, right? So if it's mission critical workflows, um ransomware response, uh CEO account compromise, or some you got to isolate some cloud tenant, right? Maybe testing quarterly with realistic constraints, right? Not full table, full day tabletops, 45-minute pressure drills, right? Um it's it's 4:30 in the afternoon on Friday. SOC just uh confirmed the ransomware on three finance servers. You got 10 minutes to brief me on containment steps, right? And and who you've already notified. The goal, what I'm trying to say is the goal isn't perfect answers, right? It's revealing where handoffs stall, where and and who hesitates on pre-authorized decisions and whether uh communication channels work under stress. Um, but also I would say for how often, for more core hygiene processes like backup restores, access reviews, patching cadence. Me personally, I would look at it like testing that monthly through actual execution, not some simulation. Restore one production system from backup during business hours and measure that time to recovery. Pull a random sample of privileged accounts and verify re-certification, uh recertification happen. They're not really tests to me, they're operation validations, if you will, that get baked into those workflows. Uh, if you wouldn't do it monthly, you you're not really going to consider it critical. But if it's low frequency, right, but high impact, like say, in my case, uh, nation-state intrusions, uh board-level breach disclosure, you might want to go into some annual deep dive simulation with the executives present in that situation.
Adam Shaffer - Host:Is it like a surprise? Like you just don't tell them, and then all of a sudden you just say it's like on the submarine, okay, boom, boom, we're being attacked.
Steve Brining:Well, resilient organizations already expect this stuff, right? So it's a culture thing we went back to. I guess my rule of thumb on that would be if a plan hasn't been stress tested in the last 90 days, assume it won't work out when it's needed. Because muscle memory does degrade fast. I mean, you know, you work out and you're sick for two weeks, it's amazing how hard it is to get back in shape, right? But testing isn't about performing, right? It's about exposing the gaps before your attackers do. Um, because let's face it, during a during a during a real incident, you won't rise to your aspirations, right? You're gonna default to your training. So you got to make sure that the training happened recently under pressure, um, and then having uh consequences for improvement.
Adam Shaffer - Host:Cool. So so with that, you know, we talked about a bunch of stuff. What are we not talking about that we haven't touched on? Because I, you know, I I want to make sure that you guys have a chance to um, you know, kind of give us your final thoughts on cybersecurity in in general. You know, so what what are we not talking about that we should let people know about? Chris?
Chris Daggett:I think I think you know, ownership of tools is very, very important. You know, companies tend to have a lot of shadow IT happening, and what that means is you have uh folks from different business lines, not necessarily IT, they're buying tools off the shelf. And you know, IT needs to understand how to make sure that those tools are being you know used securely. But you know, the there's an ownership piece of it as well. You know, if you can have a robust tool stack, but if nobody has ownership of each tool and nobody is uh ensuring that the tools are rolled out securely, they're patched, or you know, the processes are in place, the handoffs are there, you know, so on and so forth, you know, then you know you're gonna have a lot of gaps in your environment.
Adam Shaffer - Host:That's no good. And and Steve, what what's your you know, kind of final advice of maybe stuff we're not touching, we're not talking about enough?
Steve Brining:Um measure I I if I had to finalize it, like measure your execution velocity, not the tool counts, right? Yeah, you gotta have ownership in the tool counts as Chris alluded, definitely, or the tools. But what I mean by say track cycle times, right? Days to patch critical systems, hours to acknowledge an escalated alert, right? Percentage of access reviews completed on schedule. Review these metrics weekly, right? Alongside revenue and uptime, right? Um, but stop buying your way into security, right? Start leading your way there, right? Measure execution, not the number of tools you have per se, right? Protect that time for the hygiene work, right? And then the comp the teams that are actually doing the fundamentals and doing them well, celebrate that, right? Um, because breaches aren't caused by missing tools, if you will, although tools are needed in the stack. To me, they're caused by missing discipline. People already know what to do, but you got to lead by execution with that.
Adam Shaffer - Host:Yeah, that's interesting. I always want I always want all the toys, I always want all the tools. But but Chris, you were saying I'm sorry.
Chris Daggett:And and you know, to add to Steve, you know, the the leadership, it it starts at the top. You know, it's uh again, it all leads back to culture and execution.
Adam Shaffer - Host:So what I learned that um I should definitely not be a cybersecurity leader. I want to buy too many tools, and I don't have a written process, but um, this is all incredibly important. I learned a lot from myself of what not to be when I grow up. Uh, but so so thank thank you very much for joining us today. I I also wanted to thank the uh folks at Acronis uh they're sponsoring this podcast and uh kind of a shout out to them. They've been they're a great partner and a great company to work with, so thank you, Acronis. Uh that's all the kind of promo I'll do. And with that, I'm gonna say thank you very much for joining us today, and we'll be back in touch soon.
Chris Daggett:Thanks for having me. Thanks for having me. Thanks, everybody.
Announcement:People can go crazy trying to stop a cyber panic. Acronis takes a headache out of IT security. Thanks for tuning in to the Beyond the Firewall podcast powered by HUB Tech. If you found this conversation useful, follow or subscribe wherever you listen to stay updated on new episodes. For more information about HUB Tech's IT solutions and services, please visit hubtech.com.