Gaining the Technology Leadership Edge, Episode #61

The One Cybersecurity Mistake That Could Cost You Millions

Show Notes

About the Guest(s):

Brent Neal is a seasoned cybersecurity professional with nearly 25 years in the industry. He has served as CEO and CIO, and is currently vCISO and principal advisor for Vanguard Technology Group. With extensive experience helping companies stay compliant and secure, he specializes in strategic planning, building security and privacy programs, guiding organizations through audits, and aligning with various compliance regulations. He also serves as a fractional CISO, providing strategic leadership in cybersecurity.

Episode Summary:

In this riveting episode of “Gaining the Technology Leadership Edge,” hosts Brent and Mike engage in an enlightening conversation on the intricacies of cybersecurity and how businesses can navigate the evolving threat landscape. The dialogue begins with Brent sharing his background and the nature of his work at Vanguard Technology Group, emphasizing the importance of cybersecurity in business compliance and strategy.

Moving deeper into the conversation, Brent and Mike discuss the evolution of the cybersecurity landscape, the necessity of modern security technologies, and Brent’s unique approach to data security assessments. This exchange sheds light on the ever-changing world of data protection, the significance of aligning security measures with business goals, and the need for continuous improvement in security protocols.

Key Takeaways:

  • Strategic Prioritization: Brent emphasizes the importance of prioritizing data security by assessing risks and establishing actionable strategies to protect business platforms and sensitive data.
  • Security Culture: The episode highlights the need for a security-first culture and the importance of aligning security measures with business objectives while avoiding a compliance-only mindset.
  • Behavioral Strategies: Modern endpoint detection and response are discussed, showcasing the advantages of behavioral strategies over traditional security measures to prevent cyber attacks.
  • Proactive Planning: Brent underscores the significance of threat modeling and vulnerability management in creating robust incident response plans and avoiding common security pitfalls.
  • Ethical Responsibility: The dialogue touches upon the ethical duty and responsibility businesses have in protecting user data and implementing sustainable cybersecurity practices beyond compliance checkboxes.

Notable Quotes:

  • “I perform a data security gap assessment. And essentially I map out where the greatest weaknesses are, where you’re the most immature.”
  • “We have to support the business and making money. It can’t be a no first [approach]. We need to discuss … what things we can put in place to overcome the obstacle.”
  • “Security was really a part of IT. And in fact, it was almost more of security was your managed switch and a firewall.”
  • “You start building the relationships. You start working with product managers early on … so they count on you to provide advice.”
  • “In the day, we’re all there to make the business money. It becomes a balance of the business with the risk and with the things that we need to do that’s appropriate for who we are and where we are and what industry we’re in.”

Watch Episode #61 on YouTube


Episode Details

In an era where data breaches and cybersecurity incidents are increasingly prevalent, understanding the nuanced and evolving nature of cybersecurity is crucial for protecting businesses. The recent conversation with Brent Neal, vCISO and principal advisor for Vanguard Technology Group, sheds light on strategic approaches to cybersecurity and compliance in the information technology space. The insights provided highlight critical aspects of risk assessment, aligning security strategies with business goals, and ensuring that cybersecurity measures are not merely compliance checkboxes but are tightly integrated with the corporate culture.

Key Takeaways

  • Strategic Risk Prioritization: Bespoke methodologies assess risks, with a focus on protecting data and platforms critical to business revenue, leading to more effective cybersecurity strategies.
  • Cultural Shift and Alignment: A move away from a ‘checkmark’ compliance approach to one that ingrains security-first thinking in company culture is essential for effective cybersecurity.
  • Incident Response and Preparedness: Real-world examples like the MGM ransomware hack illustrate the importance of stringent authorization processes and ongoing threat modeling to prevent breaches.

Strategic Risk Prioritization in Cybersecurity

Cybersecurity is no longer just about having a firewall or antivirus software; it now encompasses various domains that require strategic planning and a nuanced approach to risk prioritization. According to Brent Neal, companies must start by identifying the platforms that generate revenue and the data that fall under regulatory compliance. His approach involves a “data security posture gap assessment,” which evaluates fifteen domains related to data security to identify where a company’s greatest weaknesses or immaturity lie.

“I essentially look at 15 of those that deal with data security, and essentially I map out where the greatest weaknesses are or where you’re the most immature.”

Aligning Cybersecurity and Business Goals

One crucial aspect of this strategic approach is aligning security measures with business objectives. This means not only complying with regulations but also integrating security into product development, IT infrastructure, and business practices as a whole. The ultimate objective is to ensure that security strategies support and do not hinder business operations.

“That’s where you prioritize, you know, a couple of different areas. That’s that platform that makes you money and then the data.”

Cultural Shift Towards Security-First Thinking

A significant theme echoed throughout the transcript is the need for companies to shift from a compliance-focused attitude to one that places security at the forefront of business culture. This is particularly salient in departments like IT support, HR, and finance where social engineering poses a great risk. Brent Neal suggests more than just policy enforcement; practical training tailored to specific departmental processes is required.

“It’s really… implementing the right, you know, procedures and processes that really overcome those obstacles.”

Building Security Awareness

The right combination of policies, training, and culture change can dramatically reduce the risk of breaches. The MGM ransomware hack serves as a case study for the need for stringent verification protocols for sensitive operations. By consistently communicating the importance of security across the board and implementing targeted training, organizations can better protect themselves.

“Security awareness training, everybody’s doing it right… But they haven’t gone the extra mile.”

Incident Preparedness and Real-time Threat Modeling

The discussion also sheds light on the preparation required to respond effectively to security incidents. This preparation is not just about having plans in place but also involves an active understanding of potential threats — a concept known as threat modeling.

“You have to start asking the questions and posing questions that are sometimes difficult or sometimes people don’t want to hear.”

Constructive and Realistic Planning

An effective incident response plan takes into account the unique threats a company faces and includes an in-depth analysis of the company’s technology and data flows. By understanding where data travels and which systems are at play, companies can create specific incident response runbooks for various types of events, enabling a swifter and more accurate reaction when incidents occur.

Final Thoughts

Brent Neal’s perspective on cybersecurity emphasizes the importance of adopting a strategic, culturally aligned, and proactive stance. In today’s complex threat landscape, it is not enough to adhere to regulations superficially. Companies must integrate security into the very fabric of their operations and culture, focusing on the protection of vital platforms and data. Furthermore, thorough preparation and realistic threat modeling must drive incident response strategies, ensuring that when attempts to breach a company’s defenses do arise, they can be countered with precision and clarity. Cybersecurity is not a static field; it’s a continuously evolving challenge that demands strategic planning, cultural alignment, and rigorous preparedness to navigate effectively.

Contact Information for Brent Neal

LinkedIn: https://www.linkedin.com/in/brent-neal/

Website: https://vanguardtechnologygroup.com/

Timestamp Summary
0:00 Prioritizing Cybersecurity Risks in Technology Leadership
1:52 From IT Expert to Fractional CISO: A Cybersecurity Journey
3:14 The Rigorous QA Process in Finance Tech
3:59 The Evolution of Cybersecurity Landscapes
5:23 Revolutionizing Cybersecurity With Behavioral Detection
7:33 The Persistent Threat of Online Scams and Phishing
8:49 Prioritizing Cybersecurity Risks in SaaS Company Strategies
12:36 Aligning Security With Business and Compliance Goals
16:09 Overcoming Tech Team Obstacles and Embracing Work Challenges
17:17 Cultivating a Security-First Company Culture Beyond Compliance
19:18 Preventing Ransomware: A Case Study on MGM’s Hack
19:50 Enhancing Security Through Targeted Training and Verification Processes
23:29 Mitigating Social Engineering and Data Security Threats
24:33 The Shift From Checks to Electronic Transfers in Business
25:26 Lessons in Cybersecurity and Corporate Responsibility
26:52 Strategizing Incident Response Through Threat Modeling and Data Flow Analysis
29:37 Misguided Solutions in Data Security
30:51 The Importance of Robust Security in Source Control Management
32:24 Engaging With Security Expert Brent Neal Online