July 27, 2022
by Cyber Ranch
Sonja Hammond, Vice President & CISO at National Veterinary Associates, brings her love of animals and more importantly her love for security basics down to the Ranch this week. The buzz around new cyber technology and security protocols can easily warp our perspective on what’s most important for CISOs. Sonja spends some time in this episode explaining why cybersecurity organizations instead need to focus on simple tech and strong security processes and training protocols.
[00:00] Breaking down basics of people, process, and technology
[06:59] Where tech stack is failing us and how to keep the vendor community on hold
[10:31] Building a good GRC team with a focus on NIST CSF
[14:13] Training the right way for GRC and cyber professionals
[19:30] Understanding the end user and setting your cyber team up for success
Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonious comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
What does that mean to you, in cyber specifically, getting back to the basics?
Getting back to the basics is a common theme no matter your industry, but Sonja’s focus on it feels especially surprising when so much of the security world isn’t simple at all. Sonja explains throughout the episode that NVA strives for simple yet effective, not for something shocking or eye-catching. Especially considering Sonja’s work contains sensitive client data, she emphasizes that a basics-centric approach keeps the animals in NVA’s care and the people who love these animals safe. Although it may not be flashy, Sonja is proud of the well-oiled machine of her team and the security of their data.
“You have to get rid of your tech debt and bring your environment to current. You want modern, supportable technology. That's really key in order to keep everything secure.”
What's the opposite of your "get back to the basics" vision there?
Cybersecurity technology is often far from simple, but adding unnecessary bells and whistles only succeeds in further complicating things. Sonja’s back to the basics mindset encourages tools that cut out the unnecessary and strive for a streamlined approach. Sonja sees the appeal of a fun product to add to any protocols, but warns that fun rarely means secure. When there’s too much focus on the new and the shiny, that often means that focus is turned away from what’s most important: keeping data safe and preventing vulnerabilities from being exploited.
“There are groups that are implementing some security tools that are shiny, new, and lots of fun, but they still have those basic security holes, so they get compromised.”
What are we doing right when it comes to the people in our organizations, and what aren’t we doing right?
Sonja is happy to separate NVA from the pack by explaining their focus on involving cybersecurity practitioners in the everyday operations of their organization. Many companies keep these roles separate, letting tech and cyber professionals remain in their own roles without context of what their end user might be experiencing on their end. Instead, NVA strives to put cybersecurity employees in the shoes of their end users and day-to-day employees, giving them further context around the people they impact and the roles they influence, as well as providing them further insight into potential security risks that might be slipping through the cracks of daily operations.
“Get the cybersecurity people exposed to what really happens in the day-to-day, because if they can walk in the end users’ shoes, then they can understand where there are security implications.”
For the people that are checking in the patients and taking them back, how much do they learn about security?
It’s one thing to train security professionals in the day-to-day of an organization, and another to train other employees about the world of cybersecurity. To combat the often frustrating process of checking security compliance boxes, Sonja tries to change up training tactics with employees by sending playful videos and short informational emails. Keeping things short highly raises your chances of the content actually being read, Sonja explains, and it also limits the monotonous moments in the training process for employees who have very little experience in cyber protocols.
“We try to make it not quite so obvious that [our employees] are always getting training. We certainly do the traditional online CBT type stuff, to check the compliance boxes, but then we try to do some other things, like funny videos…Just simple things to remind them.”
Learn more about Sonja Hammond on LinkedIn
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Allan takes the show on the road again, this time at his all-time favorite conference: CISO XC! He asks a unique question of each guest, who represent a great deal of breadth in our industry: Dave Belanger, CISO at Bestow Insurance - What is the most...
Howdy, y'all! Allan is taking this week off to spend time with family and to give thanks for all the wonderful things in his life - including y'all! For those who don't track it, there is no Cyber Ranch Podcast four times a year: American Thanksgiv...
Warning, there might be some naughty language in this one! The challenge was issued!!!! Allan teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who won??? "Won"? Th...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest today is Evan Wolff, partner at Crowell & Moring, and Allan's favorite cyber attorney. Evan has led and managed 100s of investigations including cybersecurity, data breach, insider...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! That’s Tim Rohrbaugh, Founder/Principal at DefaultDenySec, former CISO for JetBlue Airways, advisor, investor: yup! Another Cyber Ranch guest with an awesome history! Tim and Allan were chattin...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! We're joined today by Jacqueline (AKA “Jack”) Powell, CISO at Allianz Life and former Deputy CISO at Hanes. She has also consulted, and has worked at Chevron, General Dynamics, and SACI. Jack h...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! That’s Kymberlee Price, strategic security consultant, Black Hat content review board member, former Sr. Director of Product Security at New Relic, former Principal Security Manager at Microsoft ...
Chris Tillett is a well-known figure in our industry. He is in product management and R&D at Palo Alto Networks. He is also a great guy, funny, and can wield the snark quite well. He is the perfect foil for Allan Alford as the two of them take...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Joining Allan this week is Ron Nissim, CEO @ Entitle. Yes, this is one of our rare shows with a vendor as a guest. Why? Because in this case, the vendor was more highly informed than any of Al...
Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University. He also serves as the faculty lead for the cyber policy specializatio...