7 Questions with REN-ISAC's Anthony Newman

• 10/23/23

Take that phishing example. You know this because you probably receive hundreds of e-mails a day. If you get an e-mail that says it's from Anthony Newman, and it looks and feels fine, but it's asking for something that I shouldn't be asking for — you're going to catch that. That's not based off of a technology; that's based off of cyber awareness, that's based off of your knowledge of cybersecurity and your knowledge of best practices. And that's what many forget: Even the most well-crafted e-mail will be picked up because at some point the attacker will have to ask you to do something. There's going to be levels of protection and layered defense — you're going to have some link protection and you're going to have maybe some boundary protection — but ultimately what it will come down to is when the attacker asks for something, does the recipient know they shouldn't do it? Maybe they clicked on the link, but now it's asking for a username and password. Why would this person send me to a site that requires me to log in? That's where, thankfully, we have humans to make that judgment.

But that assumes the person they're asking has some cybersecurity knowledge. That's where a lot of institutions are weak. In your total budget of "protect things," now you're saying, hey, in addition to this, we either have to staff a position that does cyber awareness training, or we have to go buy an off-the-shelf solution that does cyber awareness, which also isn't inexpensive. And the only way you typically get those approved is by having the executive leadership that understands cyber.

CT: Speaking of having to spend more money on cyber awareness, what else do you think institutions should be thinking about as they evolve their security strategies?

Newman: It goes back to the budget. Leaders need to stop focusing on things that don't matter. There are lots of controls you could look at, but the CIS Top 18 is a great one. Making sure you're doing all 18 controls really well will get you 99% of the way down the road. And then from there, it's a lot of checks and balances. Have someone from the outside conduct a third-party assessment. If you can't afford that, you could probably afford doing internal tabletop exercises. It's always best to have outside parties assist with that because they will ask questions you don't think about. But whether it's internal or through a third party, build an audit function on the cyber side to say, "Hey, you said you did 18 controls, but our assessment shows that this area actually isn't done, and we talked to internal staff and they confirmed our findings." If you do all of those things, you will be really successful — no matter how fast the pace of change is. CIS Controls have been around for years and years and years, and there have been adjustments, but they're not night-and-day different from what they were 20 years ago. They're still very similar. If you focus on those, that's going to help you no matter what you encounter. There's a reason that government uses a lot of similar controls in the Department of Defense space — it's because they work. When we say they don't work, it's typically because we miss something, or we didn't fund it properly, or something like that.

CT: REN-ISAC has tons of resources available, both to the public and for members. Where's the best place to start, to engage with the organization?

Newman: One of the things we're looking at doing is ramping up our social footprint. That's something I came in with a vision to do. And so you'll probably be seeing me and others on various platforms like LinkedIn, where we can provide free content for people to consume.

Ren-isac.net is a great place where you can read about news, events, our service offerings, our governance model, and how we operate. There's also a Contact Us page on there, and you can always e-mail us at [email protected]. Find me on LinkedIn, send me a message, and I'm happy to answer any questions.