NIST CyberSecurity Metrics for the Board


Episode Description

What We Discuss with Taylor Hersom:

  • Why do CyberSecurity Professionals need to think about talking Cyber Security to the board?
  • What kind of cybersecurity metrics works best for Board?
  • Is Fear, Uncertainty, Doubt (FUD) the right way to approach presenting cybersecurity to the board?
  • FAIR methodology to put a $ value against each risk – is risk and governance a great space to start for those who want to get into cybersecurity but are not too technical?
  • Is being knowledgeable in datacenter governance beneficial in the world of cloud?
  • Can companies get NIST Certified or is it only NIST Compliance?
  • NIST vs ISO vs CMMC and Department of Defence affecting the industry?
  • And much more…

Ashish Rajan: [00:00:00] Hey, everyone who’s joining in, just making sure I’m going live, because I had a bit of an issue with Twitch earlier. Five minutes later, I have Taylor. Hey Taylor.

Taylor Hersom: [00:00:10] Hey, what’s going on? My man,

Ashish Rajan: [00:00:13] how are you? How are you going? The, well, first of all, coffee check.

Taylor Hersom: [00:00:21] This isn’t coffee, but let’s just act like it is.

Ashish Rajan: [00:00:24] Alright. I was going to say, what kind of coffee? Sorry. What kind of beverage? Beer?

Taylor Hersom: [00:00:30] You know, today I’m trying a weird one. It’s a mango habanero cider out of a brewery here in Texas. So, definitely out of my comfort zone, but it’s actually really good.

Ashish Rajan: [00:00:42] Oh, can’t wait to try it, man. It sounds like... Wait, does it have mango flavors?

Is that with mango?

Taylor Hersom: [00:00:49] I think it’s actual mango for the cider. I guess you can ferment mango. I don’t even know. I wish they put the ingredients on there, but it [00:01:00] says with fresh mangoes. I don’t know. I don’t know how they got mangoes to turn into alcohol, but,

Ashish Rajan: [00:01:07] no. Well, that, that is definitely interesting in terms of like how you can, well, I guess you can make anything out of anything these days, so it’s just like, yeah, that’s true.

It’s like the number of options that we have in our supermarkets are just hilarious. but I wanted to start off by saying thanks so much for taking the time out and thank you for digging the beverage as well, including, cause I’d love to hear what people are drinking and all those things. Why?

Because people have different, they’re all in different time zones, so it’s always good to have, I guess the beverage right for the occasion. Like it’s like 8:00 AM over here, so definitely makes sense for me to go for a coffee. but it doesn’t make sense for you to go for a coffee unless you don’t want to sleep for the whole night.

Yeah, exactly.

Taylor Hersom: [00:01:50] It is 5:00 PM here, so I promise I’m not cracking a beer at 9:00 AM my time.

Ashish Rajan: [00:01:54] That’s right. He’s still ready. He’s still very LinkedIn professional with just that. It’s beer o’clock. [00:02:00] That’s pretty, that’s the only difference. That’s the only difference over here. I think. We kind of mentioned this for people who are joining in, the topic for today is cybersecurity for the board, and actually while maybe might make sense for people who are watching as well, if I just rename, that I don’t know how it will appear.

So cybersecurity for the board, and I think the reason I, well, I’m not going to spoil the introduction, man. For people who don’t know you, Taylor, how would you describe yourself?

Taylor Hersom: [00:02:35] Great question. Yeah. Hey everybody. Thanks so much for taking the time. So, Taylor Hersom, I’m the Chief Security Officer for a company here in Austin, Texas called Cyber Compass.

I’m also the VP of business development for that company. And then I run a firm as well, called Eden Data. And then finally, I’m a board advisor for a few different startups in the cybersecurity space. [00:03:00] So my forte is in cybersecurity. I’ve had the great privilege of being in cybersecurity for a number of years, started my career at Deloitte and expanded out into the chief security officer role.

And now I do mostly virtual chief security officer, which is kind of a new, I guess, field of private contracting. And so, yeah. Thanks again, man. This is, I mean, you know, I always have a great pleasure in talking with you, but now I’m cool enough to be on LinkedIn Lives. I don’t have it myself, of course,

Ashish Rajan: [00:03:32] but apparently the wait, I think mine took about four months, I think

Taylor Hersom: [00:03:37] before it came in.

Ashish Rajan: [00:03:39] Yeah, so it took a while. Yeah. But I think it’s really good for me to have you, for two reasons. Of late, one of the questions that I’ve been getting is about how do I address the whole board conversation with cybersecurity. But the other connotation that I’ve been getting is about risk and governance as [00:04:00] well, which I know you’re pretty awesome at as well.

So we’ll definitely dig into that. the virtual Coffee, and I think it’s. You and I have spoken about this and I don’t know if anyone else over here knows. This one is millennial CSO.

Taylor Hersom: [00:04:14] Yeah, so I’m a millennial. CSO is like the brand that I’ve started on on my end. I use that as kind of my, my brand image of for blogging and doing my guest speaking.

I’ve had the pleasure of being able to speak at events and do podcasts and things like that, and I, I kind of wanted to tag it. to a certain brand that you and I have had many conversations about branding. But, one of the big things is that everyone always comes up to me and they say, I have a baby face.

And when I tell them I’m a CSO, then they usually give me a hard time. And so then I just started embracing it by saying that I’m the millennial CSO, but more importantly around that brand, I’m trying to showcase that the next generation of leaders in the, in the organization are like the generation X, Y, and Z.

And [00:05:00] we, we think radically different than, than the traditional ways of, thinking. And so, especially with something like cybersecurity where it’s like chief security officers, a relatively new role in the grand scheme of things. And so, I try to embrace the brand around, bringing those radically different thoughts to the cybersecurity space specifically.

Ashish Rajan: [00:05:20] That is amazing. I think, yeah, there is more to come from Millennial CISO, though, as we go through the journey.

Taylor Hersom: [00:05:30] Nope. We lost, yeah.

Ashish Rajan: [00:05:39] My bad, my bad. I

Taylor Hersom: [00:05:42] was like,

Ashish Rajan: [00:05:46] you will live on your own. That was, that was pretty much, that was supposed to be a millennial sizes show. I just turned out to be like, I’m going to make a quick exit away,

Taylor Hersom: [00:05:55] man. I didn’t even make a plug. I had four seconds of alone time, then

Ashish Rajan: [00:06:01] dropped the ball. Yeah. Well, you know, the funny thing is, in all of this conversation I’ve kind of really found that as a CISO, one of the hardest conversations, for anyone who’s not technical, or probably could be technical as well.

Talking to a board is a very different experience. Right? And I’m, I wanted us to demonstrate right then for people who are coming in, and for people who are watching on Twitch and, LinkedIn, if you have any questions, just drop it in there and pop it in the comment and we’ll try and answer them as we go through this.

So I’m going to start off with the obvious one. where do you see, and I think, yeah, why do you feel cyber security is important? at a board level?

Taylor Hersom: [00:06:48] Yeah. Great question. So cyber security in general has become a problem for, I would argue, every single company out there because every company is, in some essence, a data company.

[00:07:00] And so, we now have to make decisions around protecting that data. And those decisions have implications on the entire organization, from brand to revenue to third party relationships, to just overall legal issues as well. And so when you talk about all these different factors, then it makes it obvious that the board has to have some say in these things.

And so, the, the board of directors very much has, sway over the entire strategic vision of the company. And when cybersecurity, infringes upon that, then, then they obviously have to be a part of it.

Ashish Rajan: [00:07:36] Sweet. I just realized, sorry, I’m going to quickly move the curtain because I wanted the window natural light.

Now I’m just like, yeah, I’m going to get, wait, give me one second. Sorry. Yeah, you’re good. Okay.

See fun part of doing live, right. You can just do a thing, but I feel like that’s kind of the best part about live [00:08:00] as well. You can, yeah. Make it, you can make it what you want it to be as well. So I want to get into the other other question, which is, okay, so if they understand the importance, okay, but does every company need to think about this?

Like not every company has a board as well, right? But how does it go with that?

Taylor Hersom: [00:08:21] No, that’s it. That’s a great clarifying question in that, not every question or not every company has a board, but those companies that don’t have board of directors, typically the leadership team, kind of displaces that or they, they take on that role.

and so you kind of have to have the same mentality when you’re pitching security to the board, or to just the leadership team in general. Yeah, and one of the big things with that that I’d like to point out is that typically board members and executive management at any company, they’re not cybersecurity professionals themselves.

They didn’t come from any sort of IT background. They came from a strategic role. So everything from CEO [00:09:00] to CFO, or maybe they’re serial board members, maybe they’re investors, maybe there’s, there’s usually... the role of the board of directors or leadership team is very strategic and not very technical.

so I think that that’s something important to note.

Ashish Rajan: [00:09:16] Yeah. And taking a leaf from that, then what’s the first thing people should be looking at or thinking about when they’re considering, how do I present this to the board so it makes sense and doesn’t come across too technical? And I’ve got a great example for how people describe it, but I would love to hear, what are the baby steps people can take, or how should they think about presenting cybersecurity to the board?

Taylor Hersom: [00:09:47] Yeah. I think the first tip on that would be talking in their language. So one of the biggest things I learned this trial by fire, I had to present to a variety of board members when I was at Deloitte. And then beyond, when [00:10:00] I started doing the virtual CSO route, and I, I realized that as much as I love to talk about the technical components of cyber security, and I felt that it was important, they don’t care.

They, they have no idea what the heck you’re talking about. And they, they zone out. And it’s so much harder to get your budget or to get your objective across, or to get any sort of buy in. if you’re talking like that. So the first thing is talking in their language and it, and it ties to what I just said about what types of members sit on the board or your leadership team.

These are very strategic, successful business leaders, that. Understand business from an operational standpoint, from a strategic standpoint, from a revenue standpoint. And so those are the kinds of things that you need to be talking about. So, for example, talking about cyber security as it impacts the bottom line, talking about cybersecurity and how it can protect the company’s brand in order to avoid,

implications, that are, that are far reaching in terms of, brand damage and, and overall brand awareness. Kind of [00:11:00] explaining to the board that, Hey, I know you think cybersecurity is something technical and that it’s just a cost center, but in fact, by us doing these things, it’s actually building a brand around that.

We take security seriously and it’s PR. It’s protecting us from, basically, I guess, guaranteed security implications down the road. We talk about, it’s not a matter of if, but when. And so now we kind of live in a day and age where you just have to expect that you’re going to get breached at some point.

It’s how you mitigate the risk around that, how you mitigate the fallout from that. So explaining that to the board in a way that they understand that, that Hey, by investing in cybersecurity today, you’re saving us money and protecting us tomorrow. and, and kind of, because for the most part, the board of directors kind of understands if I put money towards something, I’m going to get immediate value back.

Whereas security, they don’t see that value immediately. And so that’s a very subtle difference, but it’s something important that you have to understand [00:12:00] that you kind of have to explain to them. when they’re, when they’re thinking about investment and returns in a certain way, you have to explain how security falls in that.

Ashish Rajan: [00:12:10] Oh, that’s a really interesting point about tying it back to value, and usually security is considered as a cost function. And I guess to your point about highlighting, it’s not if, it’s when, or it’s not right now, but it’s really that it could happen any moment, that you’re preparing for, and sometimes it’s probably.

At an average, she’s not that popular, but a lot of people, it’s driven by a scare tactic as well, where it’s like, Oh, be like this. This is, like this ransomware going around and it’s going to affect us and blah, blah, blah. Is that the usual approach? like what, what’s your approach for this kind of like, what’s your thought around this?

I guess using a threat versus like, cause you know, how tying something to your point [00:13:00] about. Cyber security for the board. They don’t know what you guys do. Like they were just like, Oh yeah. It’s like the, they do monitoring. They do, I guess they have a firewall, I guess. What else do they need to have an antivirus or what else?

What else do you guys need? This is my, I think, and it sounds very, very oversimplified for people who are from a security background listening to this. Like, no, we have way more than antivirus. We may all have way more than one security tool, but tying that back, dude, I can watch the, what’s that UV?

I guess what’s the easy way to address this without using a fear mechanism, I guess. Is there an easy way to do this without saying, Oh, you’re going to get ransomware or anything else?

Taylor Hersom: [00:13:43] Yeah. So basically, how can you go in and showcase value without using the FUD factor? The fear or doubt, right.

Yeah. Okay. What does that word

Ashish Rajan: [00:13:55] I

Taylor Hersom: [00:13:55] know, I know you, but you’re spot on. I mean, it is tricky because [00:14:00] unfortunately you feel like sometimes you need to just almost strangle someone to get them to understand how important security is. And if they don’t have that context, us security professionals are typically very passionate about what we do.

And we see the day to day just absolute mess of, of, security and, or lack thereof. And so it’s very. It’s very frustrating to try to explain that to folks without, them seeing the value. And so sometimes we feel like we have to use fear, uncertainty, doubt, and tell them, start listing off statistics about ransomware and about phishing attempts and all that.

But I try to come into it. First and foremost with the positive of kind of showcasing how security can add value to the organization. I mean, I think you would agree that these days, if you are a, any sort of technology company and you are showcasing your security efforts, people appreciate that and tend to flock towards you.

rather than away. Like, I never choose a vendor now that does [00:15:00] not have the ability to showcase their entire IT security program to me, either in a controls listing or a SOC 2 certification, ISO certification, something to show me that they’re investing in security. I’m sure you’re the same way.

And so, being able to showcase that, Hey, by us investing in security, we can actually brag about it. We can use it as a brand builder. It has the potential to increase our revenue. It has the potential to increase our customer awareness, things like that. I also think that making sure that they understand what we just talked about, that by investing today, we’re staying away from the risk of a huge investment down the line.

It kind of ties into, I’m a big fan of the FAIR methodology. I don’t remember what FAIR stands for actually

Ashish Rajan: [00:15:53] Google it.

Taylor Hersom: [00:15:54] Yeah, exactly. But the FAIR methodology goes away from qualitative, which is like doing [00:16:00] impact and probability scores to gauge a risk, and it goes to quantitative. So you’re actually using percentages and number amounts to kind of gauge a range of what your risks are.

So you’ll, you’ll go in and you’ll say, okay. That if I don’t invest in better password policy today, then there is a 20 to 30% chance that in the next year, one of our users accounts will be compromised. And the impact of that is anywhere from $500 to a hundred thousand dollars. And so now you have a range and you know, for every risk that you’ve identified, you know where to put your money.

And so with those numbers, you can go to your board and say, look, we did a risk assessment based on the FAIR methodology, for example, and these are the risks and these are the implications if we don’t address them. You’re now giving them a dollar amount and they’re going to be like, what the hell?

This is going to cost me a hundred thousand dollars if, if this [00:17:00] happens. Like that’s a very different, discussion at

Ashish Rajan: [00:17:03] that point. A hundred percent. And I’m gonna put the FAIR methodology in the show notes when this gets put to the podcast, but it’s an interesting methodology where it lets you

put a value against the risk, like a dollar value against risk.

Taylor Hersom: [00:17:18] Exactly. Yeah.

Ashish Rajan: [00:17:20] Wow. That’s, that’s, that’s big because usually putting a dollar value against something, which is just a cost function. It’s probably hard because you’re not directly contributing into the product. I guess you are, but in a way, it’s not obvious.

It’s so transparent. Yeah. No one sees it. It’s kind of like, sometimes the analogy that I use is, imagine your product is the Mona Lisa and you’re the glass in front of the Mona Lisa painting. And you’re like, why do I need the glass? I want everyone to see it. But then if anyone touches it, it damages it.

And it’s like, I think it’s one of those ones, right? I think it’s always there, but it’s so transparent that people [00:18:00] almost, unless you try and do something, you don’t realize, Oh, actually I do have security. But anyway, that’s my analogy of it. But I do definitely want to recommend people to use FAIR.

and I think, is that an easy way to kind of pick that up or do you have to be like a, I guess an expert and something to pick it up? I’m just thinking more people who’ve may be phased security professionals, but they have a board and they want to address, I guess improve cyber security and talk about how they can add value.

So can anyone pick this up.

Taylor Hersom: [00:18:32] Yeah. So they sell a book on Amazon, at least here in the States, I would imagine for the most part globally, they sell the FAIR methodology book that they released. And then the website, I think it’s FAIR, but we’ll put it in the show notes. You can get on there and they have a ton of free resources.

and you can read all about kind of what the methodology is, but at the end of the day, you can do as little or as much as you want with it. It’s not like you have to throw. [00:19:00] you have to go get every certification out there and change everything that you’ve ever done. And it’s basically just changing your mindset to get away from guessing impact and probability on a one to 10 scale, like we all do, to going towards a more, quantitative of trying to give a range of dollar amounts and percentage amounts.

There’s a whole psychology behind it, in that humans are a lot better at guessing ranges than we are at guessing exact numbers. So if you and I were to gauge a risk right now, like on access management, we’d probably give it different scores for impact and probability, but if you throw the FAIR methodology at it, then we’re each choosing a range and then we’re doing a mathematical calculation.

Doing kind of a simulation, a Monte Carlo simulation, to run the numbers again and again to kind of give you an average. And so then you’re a lot closer to what the potential impact and probability are from a dollar amount.

Ashish Rajan: [00:19:59] Sweet [00:20:00] and that, that’s pretty awesome. I love the methodology where we can put some dollar in mind cause I think your point board understands the dollar value because then from them, from their perspective, it’s a strategic decision.

It’s not a, I want to install this firewall so I get protection from blah. It’s more like, what is this firewall going to protect me in terms of costs that I may, I guess have to face if something was to go wrong. Are there any, I guess, is there any anti message, let’s go with that. Like, you know how there’s patterns and anti-patterns?

Is there like a method that should not be used with the board when talking about cybersecurity? I guess everything else apart from FAIR, I guess.

Taylor Hersom: [00:20:43] Yeah, I would say first and foremost, don’t go in preaching about the FAIR methodology itself. Don’t confuse the heck out of them. I probably already went too far down the rabbit hole just on this chat.

Even at a high level, obviously you only have a limited time to pitch to them, but yes, [00:21:00] staying away from technical. I try to stay away from fear, uncertainty, and doubt. I can’t say that you can always do that. I think that if you’re, let’s say, a healthcare company, for example, right now they’re getting pummeled because of COVID, for phishing attempts and a variety of malware attacks.

And so it’s good to kind of assign, a statistic to things like that when it really does have high implications on your company. but I would say above all else, just don’t do technical. Don’t sit there and try to rattle on to, they already know. I guess to put it a different way, they already know your competency or you wouldn’t be there in the first place.

And so you’re not trying to prove to them that, you know, cybersecurity, of course, you know, cyber security. and so now it’s, it’s really, it’s, it’s charisma at this point. It’s, it’s winning over the board because you’re trying to get a lot of money from them, and showcase the value behind what you’re implementing or requesting implement

Ashish Rajan: [00:21:58] very well put together that that’s a, [00:22:00] that’s a great answer as well.

And since you touched on COVID, it’s pitching online. I get, cause no one’s really meeting in person, or at least in some countries. By the way, it may be changing soon, which will be really interesting to see how we go back to the office. But for people who are doing this in COVID times, online, and I guess in person for me, I do different things in terms of you can see how the person is reacting.

you can. Engage the conversation better, but do you find like have you had to do any online yet? I have the board.

Taylor Hersom: [00:22:38] I have, I actually had two before COVID. So just being a virtual CSO, most of the time I’m remote for my clients, and I’ve had a couple instances where I had to pitch remotely.

But then I have had one instance for COVID specifically. It’s definitely not the ideal scenario. I do [00:23:00] agree with you that being in person is always going to be more effective, but the way you can circumvent the, I guess, lack of value you’re getting or lack of effectiveness you’re getting from virtual is establishing relationships with the board ahead of time.

So this is one thing that people forget all the time. I get asked all the time, how, how often do you think we should pitch to the board? How often should we meet about cybersecurity? The official answer is quarterly, but you should not wait quarterly to interact with the board of directors. You find, first of all, you should at the very least, invest in a relationships that you can have a quote unquote champion, someone that can back you up and that will always have your back at the board meetings.

but second, when you, you should work to establish. some form of relationship with everyone. And so if you kind of have a good rapport with these board members, then your virtual meetings right now, are, are a lot more effective and you don’t have as much pressure on it because you already know that people are going to be there to, to support you.

Yep. And [00:24:00] that seems like a cheesy answer, but I swear it’s true.

Ashish Rajan: [00:24:03] No, I was going to add to it, actually. I was going to say that, when in the beginning of cybersecurity, a lot of conversation that you may have as a team with your boss is all around, quite technical, technical things. It could be about.

Cloud security. It could be about a third CCPA before about in one of our previous episodes with were the first or something very specific from a legal perspective or a compliance perspective. But the higher up you go, and this is for people who may be listening in and probably are not, are at that level.

They’re like, Oh, I don’t need to talk to the board right now. I don’t even know. I don’t care. But as you kind of find yourself. Climbing that career ladder. At a certain point, you would find yourself either having stakeholders, which are board members or stakeholders, which are, important decision makers, executives, CEOs.

So it doesn’t have to be a board member. It could be a CEO who could be [00:25:00] from a nontechnical background. and, but the description of how you describe your service and the value you’re bringing in would not change. It would still be the same. It just, instead of addressing the board, you’re addressing the CEO now who probably who, and in our case, the CEO reports to the board, sort of irrespective.

I feel like at that level it becomes more of a human psychology thing rather than how amazing my tool is. Would you agree?

Taylor Hersom: [00:25:28] Absolutely. Oh yeah. It’s at that point, it’s 80% of just your ability to build a relationship and for pres presenting and, and winning over the crowd. if it doesn’t tie so much back to the technical components, at that point.


Ashish Rajan: [00:25:45] I think about, with the COVID thing, which has made me realize a lot of the risk and governance pieces are updating. But it will be really interesting to see how they get affected by, you know, COVID, because [00:26:00] people cannot do site visits anymore, or they’re like, Oh, well, everything’s remote now.

Do you do, and because you’re on that stream as well, do you see that affecting in, I guess the way. People are looking at risk and governance as well.

Taylor Hersom: [00:26:16] I think so. I think right now we’re kind of in a staggered mode. We kind of put the cart before the horse in the sense that everybody had to scramble.

First of all, side note, I was blown away with how many companies were not able to just work remotely. I, I guess I was completely ignorant to the fact that I’ve been able to work remotely. Every company I’ve worked with, or for, I’ve been remote. And so now you have all these companies that were just scrambling and it’s.

Not, it’s obviously there, there are many companies and it makes sense that they wouldn’t have a remote workforce, but there are some companies where it’s like they, I don’t know why they fought remote for so long, so it was mind boggling. But what, what we did is unfortunately scrambled to make sure that we could go remote, [00:27:00] across the world.

And so now I think people are going to have to retroactively come back and say, well. We clearly didn’t have the capabilities to go remote and therefore we probably didn’t have the appropriate security to go remote. And so now we’ve got to think about security. I, I don’t know what’s going to happen with like the, the board, I think at board meetings are going to have to go virtual for the most part.

which is going to be such a weird dynamic, but I think. with the remote workforce and the fact that we got hit with so many, ransomware attacks and just an uptick of cyber attacks across the world, I think that people are finally going to start taking security a lot more seriously. But if anything, I would say that there’s going to be a lot more regulation coming.

post-COVID, because of all of this fallout that we have from cyber attacks and the implications on businesses’ revenue and beyond.


Ashish Rajan: [00:27:59] there’s a reason [00:28:00] why I ask this question because I have one of my, I guess, connections on LinkedIn asked me this question recently. So I’m keen to know your thoughts on this as well.

his question was along the lines of, and I’m not going to name the person at the moment, but, cause I’m still waiting for him to respond back saying if it is, if it’s okay for me to use the questions, I’m not going to name him exactly. But, yeah, that’s right. So I’m going to generify the question as much as possible.

The question was more around people who are coming from, say, governance in a data center space, and because this is the Cloud Security Podcast, it’s worthwhile considering cloud security and risk governance, obviously.

We had a whole episode on it, and people can go back and listen to it. But in terms of COVID and how it has affected risk and governance, [00:29:00] what it has also meant, I guess, is a lot of people have lost their jobs and they’re trying to requalify, coming into the whole governance space as well, because that’s one field where you don’t need to be a hacker to begin with.

You need to understand the legal aspects. You need to understand, I guess, the controls aspect. But do you find that people coming from a data center space, where they might have worked in a data center for some time, is it easy for them to, like, what do you suggest, or how do they qualify for a risk and governance role in a corporate world?

Because you’ve done this remote virtual CISO thing for a very long time now. And for other people who are trying to get into the space in terms of risk and governance, which is very important, and it helps to get into the board conversation, I think. I don’t think hackers get to talk to the board, they just like hacking away.

So I feel [00:30:00] like it’s a much harder job to be in front of other people and trying to convince them to understand the risk and make them understand why it’s important. So, for anyone who’s listening who may be trying to requalify and get into the space of, say, risk and governance, considering it’s COVID now, and I know no one was prepared for COVID.

So maybe the answer may have been different before COVID. What do you suggest, or what’s your advice to people who are listening in and are probably reconsidering that they should requalify and get into the risk and governance space? What’s your advice for them on how to start? Yeah.

Taylor Hersom: [00:30:41] I love that question.

I think, first of all, just note and be aware that you have a leg up, that you were, I guess, down in the weeds, for lack of a better term, and therefore had a deep technical knowledge that a lot, like, I personally am not even that technical, we’ve talked about this, Ashish, but I mean, I started in [00:31:00] risk and governance and so I’ve had to learn technical, and while I appreciate that route,

it’s very easy to go backwards, starting technical and then moving to more strategic. The, the first thing I would suggest is quite simple: picking up the NIST cybersecurity framework, the CIS 20 framework, figuring out, obviously, you know, the technical components of what technologies need to be implemented in order to address the risk, which is tied to a specific control in each of these frameworks.

But more importantly, just figuring out how to go backwards, how to figure out what technologies tie to what risks, and why that’s important. Figuring out why that’s a risk, what it’s causing from a macro level. I guess a better way to describe it is that these technical folks that you’re talking about are micro.

They’re, they’re very much in the weeds of technology, but for risk and governance, it’s more than that. It’s that whole triangle of people, processes and technology. So you [00:32:00] understand the technology deeply. I would now tie your knowledge to understanding what the associated processes and people are.

And more importantly, the processes. I think with people, it’s just ownership of the control and the risk, which I think a data center professional would understand already. So that was kind of a long-winded answer, but I think that you’re not so far off the mark. I think the only other thing I would say is that you need to understand, too, that you can’t now deliver your resume as a data center professional with all that technical knowledge that we just talked about.

This is kind of like pitching to the board. You don’t want to go technical. You want to let them know that you understand the strategic implications of risk. You understand security from an entire governance perspective. And so you need to reflect that in your resume, for sure.

Ashish Rajan: [00:32:54] Awesome and apologies for my dog in the backyard.

I don’t know if we can hear him calling.

Taylor Hersom: [00:32:59] No worries.

[00:33:00] Ashish Rajan: [00:33:00] It’s like he doesn’t like grout, like so hungry right now. Like more like, I think he does. He doesn’t realize his streaming label on LinkedIn, on Twitch right

Taylor Hersom: [00:33:13] now.

Ashish Rajan: [00:33:15] He doesn’t even realize that. It’s really good that you bought at the board connotation as well.

Because one of the other things that people talk about to board, it’s not just about cybersecurity and how much money do we spend on security, but also when you want to increase the size of your team, you need money for that. And that’s another conversation to have with your board. And how do you justify that?

And to your point, for people who are planning to get a new job right now, they probably are trying to qualify themselves in different, I guess, different phases of security or cybersecurity. Is there a, I guess, is there a... I was going to ask you if there’s like a code back then that you see [00:34:00] for, should people focus on, say, ISO compliance or NIST compliance?

Is there more, is it almost like a graph where it’s more NIST compliance? So why don’t we start with this, because I’m sure there’s time pressure on people as well. People do want to study for the shortest time and get bang for the buck, get a job, and then learn on the job. And by the way, there’s nothing wrong with learning on the job.

I think everyone learns on the job. No one’s like, I know everything in a job, so it’s completely fine. Is there like a thing that people can pick up, and is there like a professional qualification people can go for in risk and governance?

Taylor Hersom: [00:34:38] Ooh, yeah, that’s a loaded question. So first of all, I wish that there was some kind of graph and outlined what.

companies care about. Like, in terms, I’ve seen it all. I get asked about every possible regulation out there. I would say NIST leads the pack, but unfortunately for the security professionals on the [00:35:00] stream, you understand that NIST actually has a few different frameworks. They just released the privacy framework.

So now I can think of four frameworks that I hear about on any given basis. So people throw that acronym out all the time. Oh, we’re NIST compliant. It’s like, that doesn’t make much sense. Like, you gotta be a little bit more specific than that, because that whittles it down to 1200 different controls.

So I wish that resource existed. I will say, from my professional opinion, most people know what NIST is, but I would say to get a little bit deeper, NIST CSF, or cybersecurity framework, is very popular. And then NIST 171, because that is the framework that is the building blocks for all government entities.

Now, I’m, you know, I’m sure people have heard of the new CMMC, so cybersecurity maturity model certification. It’s like the US government’s new way of gauging the security risk posture for every contractor [00:36:00] that does business with the government. But even that was built on NIST 171.

Ashish Rajan: [00:36:05] right.

Taylor Hersom: [00:36:06] Yeah, so people don’t realize that they keep giving them acronyms.

But the good thing is, back to your original question, is that I would encourage them to probably pick up NIST CSF and NIST 171 because the reality is that most of these regulations that are coming out and most of these other frameworks, they’re just copying it, mostly. And if they aren’t copying the verbiage, you can find what we call in the industry a crosswalk.

So you just go on to Google and type NIST CSF to ISO 27001 crosswalk, and then you can find every control for ISO that ties to a control in NIST. And so I would say, invest in this, learn this verbiage, and then that will get you a lot further along, because you could technically say now that [00:37:00] you have experience with these other frameworks as well, since there’s that cross-pollination.

Ashish Rajan: [00:37:04] That’s really interesting because what, as a, as a skillset that what you’re doing is you’re under, because this is public and if some, the U S government has said as well, you can go and look at it, read through, I think they have like over 300 controls or something. and they can use that for, I guess

Taylor Hersom: [00:37:24] your point,

Ashish Rajan: [00:37:25] once they go through it and they understand it, they can use that in the interview to say, Oh, I can help you get the next compliance.

Or is it more. The videos on this certification, is that, or is it just,

Taylor Hersom: [00:37:37] I’m sorry, I brushed over that part. And so unfortunately, the downside is that there is not a NIST certification. This is just kind of a third party accredited. I guess, I guess, I think I’m, I think they’re actually funded by the government, but they’re not a direct government entity.

They’re technically third party, but they’re not, they’re just best practices. So certifications [00:38:00] like that, that’s one of the most confusing elements in the security world, is that depending on the advertisement you see, some people will convince you that you can be NIST certified, or I just saw last week HIPAA certification, which is not a thing.

That’s not a thing at all. It’s hard to, you kind of have to talk to fellow security professionals to figure out what is certification, what is certificate worthy and what is not. But like, the big one in the industry is ISO 27001. And so, in terms of there, there’s obviously the SOC audits and certifications associated with those.

Those are probably the most popular certifications. Yeah. I would say that one that’s not well known, but people should look into, is GDPR, is Privacy Shield. So, GDPR itself is a regulation. I’m going to bore so many people, I’m throwing out so many acronyms at this point. That’s what this industry is about and it’s ridiculous.

Ashish Rajan: [00:38:57] Well then you’re talking to the board. [00:39:00] Yeah,

Taylor Hersom: [00:39:00] exactly. I know I need to stop with the, where the acronyms, but GDPR is, is probably the world’s first data privacy, right? True data privacy regulation. So, the people think that there’s certifications with that and there’s not, it’s just a regulation, but there is.

a body called the Privacy Shield group, and it’s just Privacy Shield. And you can actually self-certify yourself, saying that I have all of these controls and processes rolled out, and they’ll put your name on their website and you get a whole sticker thing that you can put on your website.

So that’s another certification that I encourage people to kind of understand, cause it’s pretty short. Yeah.

Ashish Rajan: [00:39:45] Without Sonya, without sounding dodgy. I was gonna say, so anyone who’s trying to get into this, risk and governance space, because NIST itself doesn’t have a certification, it’s probably a great example for someone [00:40:00] to understand this controls help companies get NIST compliant.

Not certified, compliant, which means that you have assessed the company controls against the controls in NIST, and you feel you’ve answered all the questions and you basically said, Oh, I’m NIST compliant. Which is a good thing for the board to kind of point out on their website or anywhere else that they are compliant.

So to a point, they’re putting security first and not trying to fool the rest of the industry by saying, Oh, we’re NIST certified or HIPAA certified.

Taylor Hersom: [00:40:33] Yeah. Yeah, exactly. Well, and the way I explain it is compliance, is like getting a a 60 on your test score. Like technically or I don’t know how they score it in Australia, but that was a pass for, for here in the States.

Yeah. But your parents are still gonna be pissed. Like, it’s not all the way. So going all the way with NIST is going above and beyond just the minimum requirements to have an appropriate security program across your [00:41:00] organization. It’s kind of the gold standard. Sweet.

Ashish Rajan: [00:41:03] So this is awesome. I think so we’ve kind of spoken about different aspects with walkabout, I guess.

how to talk about cybersecurity to the board. We also spoke about, if someone’s trying to get into cybersecurity right now, probably easier fields to get into to start off, especially if you already have a technical background or you have that mindset but you’re more of a strategic thinker, then you can go into the risk and governance space.

You don’t have to go and sit in hacking. We also spoke about, I guess, how COVID does change risk and governance from a board perspective. I actually, I love the part about the human psychology thing as well, where we were trying to address the human psychology side of things. I’m going to switch over to the fun questions.

I know we have done this before, but I’m just wondering, with the COVID times, if your answers have changed, like, how are you keeping yourself busy during COVID? So, you know, [00:42:00] our digital podcast question used to be, what do you do when you’re not working in tech?

But now it’s more like, what did you do before COVID, and what are you doing now? And

Taylor Hersom: [00:42:13] yeah, a great question. I think all of us are probably going a little insane and running out of TV shows to watch me. I, thankfully I live close to a Lake here in Austin, Texas. And so, I’m out on the Lake quite a bit.

I also have three dogs, so my fiance and I take the dogs out on the lake a lot. And we recently taught two of our dogs to jump on the paddleboards with us and we went around the lake. And that’s always fun. So yeah, we’ve been doing that a lot. So a lot of walks, a lot of going on the lake.

And then of course, you and I have talked about this before, but it’s actually a great opportunity for folks that are either just trying to hone their skills or trying to get into a new industry. Now’s the time to do certifications. Now’s the time to study up. [00:43:00] And so I’ve been taking a lot of time to

read and kind of catch up on things. And even just like leisurely reading. I feel like we get so darn busy that now, for the first time, you have a little bit of reprieve. We’re not having to commute anywhere. And so I’ve been catching up on that.

Ashish Rajan: [00:43:15] so much, so much time in hand. Like I think I’ve been been a lot of doing a lot of cooking, a made a Buffalo wings.

I always wanted to make Buffalo wings, but I never thought I had the time for it. But somehow COVID-19 has made me feel there’s plenty of time. So my wife and I ended up doing, we made Jamaican jerk chicken a couple of weeks ago, Buffalo wings. I’m like, wait, what are these recipes? They looked pretty straightforward.

Now, but it’s almost, to your point, before COVID it has almost felt like, Oh, I don’t have enough time. I don’t think I have time for it. But now it seems like I’ve got plenty of time. I’m not going anywhere. I’m just going to be stuck at home anyway. I’m trying to go buy the essentials and just make myself something.

have you, have you jumped on the, [00:44:00] sourdough bandwagon yet?

Taylor Hersom: [00:44:03] have you seen the statistics behind like how many people in the world are baking sourdough bread and how much money is being passed around for these companies that just sell like, I don’t know, sourdough starter and basic utensils?

Ashish Rajan: [00:44:16] It’s insane.

By the way, the new trend is pancake cereal. Have you seen that?

Taylor Hersom: [00:44:22] pancake? What.

Ashish Rajan: [00:44:23] Pancakes, cereals, you know your morning cereals. So instead of using like a Kellogg’s or one of those corn flakes cereals, they, you make these miniature pancakes. And like you should, you should Google it. Just do it. I think it’s called hashtag pancakes cereal.

Taylor Hersom: [00:44:41] And

Ashish Rajan: [00:44:43] I’ll send you a link for it as well. And then it’s like, it’s super bizarre. And it could also be because of, I’ve recently, sorry cause my wife and I got so bored cause we feel like we’re too old to go to a club. But we love dancing. So we just started doing tick-tock videos now. And it’s [00:45:00] because you mean you want to dance, but the music and cloud clubs sounds too loud or not that I can go to the club anymore in doing cold times.

Anyways, so we started doing this thing where we’re doing TikTok videos, and there’s a thing which is really popping on TikTok, which is pancake cereal, which is like super miniature pancakes. And I’m like, what? And why are you adding so much milk? So people are eating pancakes as if it’s like a cereal, but like, it’s like miniature ones.

Yeah. And I’m like, I just do not get why you would make pancake and milk mixed together. It

Taylor Hersom: [00:45:35] just doesn’t seem right to me. That’s like,

Ashish Rajan: [00:45:37] no, it doesn’t.

Taylor Hersom: [00:45:38] The whole tide pod thing, man, that’s kind of weird. That doesn’t sound

Ashish Rajan: [00:45:43] right. And to make it even more weird that people have started making rainbow colored miniature pancakes so that they can match it to the, you know how there are different flavored conflicts like chocolate and all that.

And I’m like, why not just eat actual corn flakes? Why go ahead and make it? Yeah. Why

Taylor Hersom: [00:45:59] would I do [00:46:00] things that hasn’t been wiped out in the grocery store? So you can still get your hands on the normalcy,

Ashish Rajan: [00:46:04] but none of it’s too easy. Right. I can just buy and go and buy the, buy it from the store. I’m just going to make it complicated because I’ve got so much time that I’m used to just kinda make my own cereal.

Like, I’m just like, so sourdough-wise, I was going to jump on that bandwagon, but then I realized that, Oh, I don’t know if I can continue that. Plus I like the sourdough from my local bakery so much, I’d be like, Oh, I’m not going to try and compete with them. Yeah, so it kind of works out really well, but it could.

My wife and I definitely did consider making like an olive bread sourdough, like that would be awesome. But anyway, that’s one of those ones that you’re like, Hmm, I can give it a shot. Plus I’ve started doing the colored beard now, finally. Is the

Taylor Hersom: [00:46:44] thing. I think you need to tell the audience how the hell you’re still getting haircuts and COBIT because I’m over here starting to get bored.

Just ridiculous.

Ashish Rajan: [00:46:54] For anyone in Australia, barbershops actually open. They are. They are. And [00:47:00] I think they, what? They’ve started doing a may 11 foot tomorrow for me. And I guess they are for you. they have started easing down, log done.

Taylor Hersom: [00:47:10] restrictions. Yep. Okay. Nice.

Ashish Rajan: [00:47:13] So a lot of shops are opening up.

Taylor Hersom: [00:47:15] Nice.

Okay. They’re staggering it over here. So,

Ashish Rajan: [00:47:19] I think it was in Texas. They said mosques are compulsory,

Taylor Hersom: [00:47:23] right? Yeah. They’re, they’re, they’re mandatory still. Here. And so now it’s supposedly up to the business, but Austin, like overruled Texas and it’s been a mess. So yeah, haircuts is, so salons are still not able to open in Austin.

They’re open everywhere else in the state.

Ashish Rajan: [00:47:44] But I think I did want to say though, even though barber shops that are open, they’re not, they’re not trimming anything for, for beard or. They’re not doing anything with the beard. I don’t know how it’s looking for salon for the ladies, but for the guys that are only doing haircuts and not [00:48:00] doing a beard trims or nothing to do with the beard, cause apparently the beard holes or the saliva.

So they don’t want to get it, and I’m like, Oh, I had no idea that was a thing. So, which is why, it’s a fashion thing now. And clearly I’m into fashion, so I had to do this and have a colored beard. And also because you don’t have to go into the office, so you don’t have to be clean shaven.

So, and people on the other end, they’re completely fine, cause barbershops aren’t doing beards as well. So I’m hoping they’d start doing it soon, but at least I get a couple of months of growing the beard and seeing how that looks. Although I’m a bit concerned, cause I’ve got a few white patches on my beard.

I’m like, damn it, I’m getting old. So I don’t know about that part, though, but I think hopefully I can get over my white patches, or even try to put some like a dye on it, but [00:49:00] we’ll see how far we go. I don’t want to go down that path. Sounds pretty wrong to be, I guess, considerably young yet,

not like a teenager, but still young enough and having a white beard, I guess. Although my dad’s loving his. This was really awesome, man. I think I did want to ask one more fun question, cause it’s still a fun section. So if paddleboarding and spending time on the lake and reading, is there any book that you’re reading right now that you recommend to people, fiction or nonfiction?

What kind of books do you read?

Taylor Hersom: [00:49:35] You know, I, I’ve kind of given up on reading fiction because I feel like I don’t have enough time to set aside to read. Like I respect everybody that sets a time out. Sometimes I’ll read like two hours a day and sometimes I’ll, I’ll not read at all. I’m very inconsistent with that.

And so right now, one of the best books that I’m reading is The 48 Laws of Power by Robert Greene. [00:50:00] Oh, right. It’s basically like the 48 principles of how humans act and how you should act to kind of, uh, to not, I hate the word manipulate, but optimize your interactions with other humans.

So I like that one a lot. I just put a post on LinkedIn for a book that just changed my life called Love Is the Killer App. It’s kind of an older book, but people should definitely pick it up. It’s just about kind of changing your mentality about helping others and kind of contributing your network and your knowledge to others without expecting anything in return, and seeing how the benefit comes.

So I’ve been testing that theory for like a couple months now, since I started my own company. And it’s insane how opportunities will come back to you, just simply giving free advice or giving free, uh, giving free resources, or whatever the case may be. So

Ashish Rajan: [00:50:53] say they go hot, hot tip for anyone trying to get into cyber security, just start with by giving free information out there, things [00:51:00] being free, like LinkedIn live videos, thanks to,

Taylor Hersom: [00:51:04] yeah.

So here’s my plug.

Ashish Rajan: [00:51:08] I’ll say, if anyone wants to reach out to you to talk about, talk more about the cybersecurity for board kind of condensation or risk and governance. what are your social that they can reach you on very more active.

Taylor Hersom: [00:51:21] I’m the most active on LinkedIn. So Taylor, her some on LinkedIn.

My Twitter following is pretty embarrassing. I never use Twitter. And Instagram, I guess, would be my second most active. So, definitely LinkedIn. I like LinkedIn the most and engage quite a bit on there with professionals. I would love to just throw out the statement that I’m here to help any security professional, from veteran to novice to trying to get into security.

I’m always happy to help and kind of contribute to the greater good of cybersecurity. We definitely need more cybersecurity professionals that understand risk and governance. I [00:52:00] know hacking was made super sexy by shows like Mr. Robot, or what, was it Mr. Robot

Ashish Rajan: [00:52:07] robot. Mr. Robot.

Taylor Hersom: [00:52:08] Mr. Robot.

Ashish Rajan: [00:52:10] Bill Smith movie. That’s

Taylor Hersom: [00:52:12] what it was. You’re right. And it had nothing to do with hacking, so

Ashish Rajan: [00:52:16] that’s the other side of security, I guess. But you were talking about AI can

Taylor Hersom: [00:52:21] make a decision. The risk and governance. Yeah, taken over by robots.

Ashish Rajan: [00:52:26] That’s right.

Taylor Hersom: [00:52:26] No, but happy to, happy to connect with everyone.

Please connect with me on LinkedIn. So yeah, again, man, thank you so much. I always

Ashish Rajan: [00:52:35] thank you for coming. Thanks for taking the time out and I do appreciate you brought your beer and I got my coffee so I do appreciate that as well.

Taylor Hersom: [00:52:41] Just finished it. Good timing.

Ashish Rajan: [00:52:43] Perfect timing cause it just, just hit Denmark as well.

Thanks so much for your time, man. You enjoy the rest of your day. And for people who are following, I guess you can just go on the website and I’ll probably put the podcast link in the show notes. So, talk to you guys soon, but thanks so much for your time again, Taylor. Really appreciate you doing this, man.

[00:53:00] Taylor Hersom: [00:52:59] Thank you everyone. Have a great day. Bye.
