July 27, 2022
by Cyber Ranch
Sonja Hammond, Vice President & CISO at National Veterinary Associates, brings her love of animals and more importantly her love for security basics down to the Ranch this week. The buzz around new cyber technology and security protocols can easily warp our perspective on what’s most important for CISOs. Sonja spends some time in this episode explaining why cybersecurity organizations instead need to focus on simple tech and strong security processes and training protocols.
[00:00] Breaking down basics of people, process, and technology
[06:59] Where tech stack is failing us and how to keep the vendor community on hold
[10:31] Building a good GRC team with a focus on NIST CSF
[14:13] Training the right way for GRC and cyber professionals
[19:30] Understanding the end user and setting your cyber team up for success
Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonious comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
What does that mean to you, in cyber specifically, getting back to the basics?
Getting back to the basics is a common theme no matter your industry, but Sonja’s focus on it feels especially surprising when so much of the security world isn’t simple at all. Sonja explains throughout the episode that NVA strives for simple yet effective, not for something shocking or eye-catching. Especially considering Sonja’s work contains sensitive client data, she emphasizes that a basics-centric approach keeps the animals in NVA’s care and the people who love these animals safe. Although it may not be flashy, Sonja is proud of the well-oiled machine of her team and the security of their data.
“You have to get rid of your tech debt and bring your environment to current. You want modern, supportable technology. That's really key in order to keep everything secure.”
What's the opposite of your "get back to the basics" vision there?
Cybersecurity technology is often far from simple, but adding unnecessary bells and whistles only succeeds in further complicating things. Sonja’s back to the basics mindset encourages tools that cut out the unnecessary and strive for a streamlined approach. Sonja sees the appeal of a fun product to add to any protocols, but warns that fun rarely means secure. When there’s too much focus on the new and the shiny, that often means that focus is turned away from what’s most important: keeping data safe and preventing vulnerabilities from being exploited.
“There are groups that are implementing some security tools that are shiny, new, and lots of fun, but they still have those basic security holes, so they get compromised.”
What are we doing right when it comes to the people in our organizations, and what aren’t we doing right?
Sonja is happy to separate NVA from the pack by explaining their focus on involving cybersecurity practitioners in the everyday operations of their organization. Many companies keep these roles separate, letting tech and cyber professionals remain in their own roles without context of what their end user might be experiencing on their end. Instead, NVA strives to put cybersecurity employees in the shoes of their end users and day-to-day employees, giving them further context around the people they impact and the roles they influence, as well as providing them further insight into potential security risks that might be slipping through the cracks of daily operations.
“Get the cybersecurity people exposed to what really happens in the day-to-day, because if they can walk in the end users’ shoes, then they can understand where there are security implications.”
For the people that are checking in the patients and taking them back, how much do they learn about security?
It’s one thing to train security professionals in the day-to-day of an organization, and another to train other employees about the world of cybersecurity. To combat the often frustrating process of checking security compliance boxes, Sonja tries to change up training tactics with employees by sending playful videos and short informational emails. Keeping things short highly raises your chances of the content actually being read, Sonja explains, and it also limits the monotonous moments in the training process for employees who have very little experience in cyber protocols.
“We try to make it not quite so obvious that [our employees] are always getting training. We certainly do the traditional online CBT type stuff, to check the compliance boxes, but then we try to do some other things, like funny videos…Just simple things to remind them.”
Learn more about Sonja Hammond on LinkedIn
Check out National Veterinary Associates on LinkedIn and the NVA website
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Becoming a CISO means changing a lot of perspectives. Individual contributors need to learn this, and the CISO is the best one to teach them. "They're never going to get it!" is a mantra used by both sides of that dialogue, and that is not a soluti...
This episode is a story about an entire vendor encounter gone horribly wrong. Allan is joined by Paul Moreno, VP of InfoSec at Catawii, formerly SVP of Cybersecurity at Adyen, investor and advisor. Paul found a cybersecurity vendor. Paul found goo...
Join Allan and Dr. Mike Brass (whose degree is in archaeology!) as they jointly explore the technical side of the house vs. the GRC side of the house, noting that GRC can be a great path to CISO. Hear Mike's journey from IT technician to GRC to CISO....
We have this idea that we can be perfect. And we know that idea is unsound. So we settle for imperfection. But are we doing that purposefully? Do we have a conscious plan for embracing imperfection? How can we, as cyber professionals, embrace ou...
In this episode, Allan is joined by Omkhar Arasaratnam, a force in the industry and an expert in the intersection of software and security (you may remember Omkhar from an earlier show about supply chain security). They challenge each other to a game...
Join Allan, Shaun Marion (CISO of McDonald's) and ChatGPT itself for a lively conversation about the implications of this new tool, AI in general, and nuances about ChatGPT's usage. Even after controls were put into place to prevent ChatGPT from help...
How important are communications after your company has been breached? They can make or break customer perception, and the perception of the world. Bad communications are perceived as bad intent. Joining Allan this week is Heather Noggle, owner of ...
Do you want to be a CISO one day? Are you a CISO today who wants to strengthen your ties into the rest of the business? The Business Information Security Officer (BISO) role is one you should explore. The role can vary quite a bit, as you will hear...
Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations. Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory b...
This week Allan is joined by Nipun Gupta, and industry veteran who has been a consultant, practitioner, vendor, advisor and investor. The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as w...