Sonja Hammond, Vice President & CISO at National Veterinary Associates, brings her love of animals and more importantly her love for security basics down to the Ranch this week. The buzz around new cyber technology and security protocols can easily warp our perspective on what’s most important for CISOs. Sonja spends some time in this episode explaining why cybersecurity organizations instead need to focus on simple tech and strong security processes and training protocols.
[00:00] Breaking down basics of people, process, and technology
[06:59] Where tech stack is failing us and how to keep the vendor community on hold
[10:31] Building a good GRC team with a focus on NIST CSF
[14:13] Training the right way for GRC and cyber professionals
[19:30] Understanding the end user and setting your cyber team up for success
Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonious comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
What does that mean to you, in cyber specifically, getting back to the basics?
Getting back to the basics is a common theme no matter your industry, but Sonja’s focus on it feels especially surprising when so much of the security world isn’t simple at all. Sonja explains throughout the episode that NVA strives for simple yet effective, not for something shocking or eye-catching. Especially considering Sonja’s work contains sensitive client data, she emphasizes that a basics-centric approach keeps the animals in NVA’s care and the people who love these animals safe. Although it may not be flashy, Sonja is proud of the well-oiled machine of her team and the security of their data.
“You have to get rid of your tech debt and bring your environment to current. You want modern, supportable technology. That's really key in order to keep everything secure.”
What's the opposite of your "get back to the basics" vision there?
Cybersecurity technology is often far from simple, but adding unnecessary bells and whistles only succeeds in further complicating things. Sonja’s back to the basics mindset encourages tools that cut out the unnecessary and strive for a streamlined approach. Sonja sees the appeal of a fun product to add to any protocols, but warns that fun rarely means secure. When there’s too much focus on the new and the shiny, that often means that focus is turned away from what’s most important: keeping data safe and preventing vulnerabilities from being exploited.
“There are groups that are implementing some security tools that are shiny, new, and lots of fun, but they still have those basic security holes, so they get compromised.”
What are we doing right when it comes to the people in our organizations, and what aren’t we doing right?
Sonja is happy to separate NVA from the pack by explaining their focus on involving cybersecurity practitioners in the everyday operations of their organization. Many companies keep these roles separate, letting tech and cyber professionals remain in their own roles without context of what their end user might be experiencing on their end. Instead, NVA strives to put cybersecurity employees in the shoes of their end users and day-to-day employees, giving them further context around the people they impact and the roles they influence, as well as providing them further insight into potential security risks that might be slipping through the cracks of daily operations.
“Get the cybersecurity people exposed to what really happens in the day-to-day, because if they can walk in the end users’ shoes, then they can understand where there are security implications.”
For the people that are checking in the patients and taking them back, how much do they learn about security?
It’s one thing to train security professionals in the day-to-day of an organization, and another to train other employees about the world of cybersecurity. To combat the often frustrating process of checking security compliance boxes, Sonja tries to change up training tactics with employees by sending playful videos and short informational emails. Keeping things short highly raises your chances of the content actually being read, Sonja explains, and it also limits the monotonous moments in the training process for employees who have very little experience in cyber protocols.
“We try to make it not quite so obvious that [our employees] are always getting training. We certainly do the traditional online CBT type stuff, to check the compliance boxes, but then we try to do some other things, like funny videos…Just simple things to remind them.”