Cybersecurity Lingo Explained: vCISO, PII, and More
Marie Joseph: Those threat actors and hackers are making us have to change the way we do security on a daily basis because they're maturing, so we have to mature too. So that often means that we have to change the way that we're securing our company. So that's why it's always continuous, it's never going to stop. There's always going to be that bad guy out there that makes us have to really continue compliance on that aspect.
Jara Rowe: Gather around as we Spill the Tea on Cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Hello, and thanks for tuning in to another episode of The Tea on Cybersecurity. Cybersecurity is full of terms and acronyms that most people don't know or understand, and it can honestly feel like you're listening to a foreign language. So on this episode, we're going to break down even more terms, and I have my go-to cybersecurity expert to help us gain a better understanding, Marie Joseph. Hey, Marie, please introduce yourself for our listeners.
Marie Joseph: Yeah, I'm Marie Joseph. I'm a senior security advisor at Trava Security. I help a lot of our customers with compliance specifically, so that will include security certifications and privacy, focusing on those. And then, yeah, anything security related too. I also help with some risk assessments and security-specific things, because security and compliance are different, but I mean we've talked about that before in other episodes.
Jara Rowe: Yeah, truly my go-to expert. You have the best way of breaking this stuff down so I can understand it.
Marie Joseph: Exactly. I try.
Jara Rowe: I appreciate it. All right, so let's go ahead and get into it. So to keep us organized, I have the episode broken down into sections, and so the very first thing we're going to cover are all those crazy cybersecurity acronyms. So first up Marie, we have vCISO. What is that?
Marie Joseph: So vCISO stands for Virtual Chief Information Security Officer. So at most companies, especially larger ones, you'll hear it probably without the V. That's kind of like your C-suite level. And those people are really running your data security program at a super high level. And if I'm being honest, they're usually a very expensive salary, so having the virtual ones gives a lot of businesses the opportunity to not have that salary in-house, and just have the hours when they need it. So having the virtual consulting in that sense is where small businesses really get a lot of benefit, because it's at a cheaper level, they get the help they need at the hours they need, because they don't usually need someone that's a full-time staff because their infrastructure is not at that larger level.
Jara Rowe: Right, that totally makes sense. And just so everyone understands, the V in this acronym is actually a little V and everything else is capitalized, and we do have an entire episode dedicated to this that will help us understand a little more of how SMBs can benefit, but Marie did a great job at explaining it already. So, next up, PII.
Marie Joseph: So this one usually gets into data, more privacy. PII stands for Personally Identifiable Information, and it's anything that can directly or indirectly identify someone. Best examples of this would be first name, last name, social security number, place of birth. Biometric records is also one, which I think is one people don't think about, and your geographical location. It can also sometimes be email addresses and phone numbers, but it's kind of like looking at it as if it's a combination usually of a couple of those. And if you combine them, would you really be able to identify that person? And that's when it becomes PII, basically. Some of those standing alone could really identify someone too, and their information you wouldn't want some threat actor getting ahold of in any capacity, or anyone besides yourself. So that's kind of what that is.
Jara Rowe: Yeah. All right. So next up, BCP, and how it's different from just an incident response plan, which I'm giving some of it away already.
Marie Joseph: Yeah, all the acronyms. So BCP is Business Continuity Plan. You most likely, if you've heard of this at all, have heard it in combination with other acronyms too. So sometimes you hear BCDR, which is Business Continuity and Disaster Recovery, because they often go hand in hand. So a short and sweet way to look at it is a BCP looks at the bigger picture of keeping operations running in a business, while an incident response plan focuses on managing specific security threats and minimizing damage from them. So I always think BCP is more higher level, and operational focus gives kind of your business leaders what they need to do in some capacity, who they need to contact, while the incident response plan becomes more specific. And sometimes people will put specific incidents that have occurred or common occurrence ones and how to act on those, so it kind of gets more technical in that sense. Different teams kind of look at them, but the BCP, I would say every team looks at it, because it kind of involves everyone, especially at the higher level at your company.
Jara Rowe: All right, yeah, that's helpful. So, SIEM, what is that and what role does it play in cybersecurity?
Marie Joseph: This one always, if I'm being honest, this is an acronym that sometimes even I stumble on because it's kind of long. So it also gets called SIEM every once in a while too. You'll hear that as how it's said. So it's Security Information and Event Management. Basically, this is a central hub for security monitoring and alerting, and it can pull in from other tools you might have or it can be its own solution, depending on the company that you get the SIEM from or buy from. And it collects, analyzes, and correlates that security data across your whole organization. It's giving that real-time alerting and real-time response that your company needs. A lot of people use these to enhance their security program or for compliance specifically.
Jara Rowe: All right. So next step is kind of a weird acronym, but DevSecOps. What is that?
Marie Joseph: It is a weird one because typically you hear them all separately. You hear Dev, Sec, and Ops separately because it's development, security, and operations. So what I like to think about it is a lot of us work in positions where we wear a lot of hats, so this person's just wearing three hats. So that's what it really stands for. And I would say you often hear DevOps because people don't really focus on security. No offense to them. It's not a priority in some companies at the time or they have someone else running the security aspect, so that position just kind of correlates and can be the middle person for all three of those operations. And, yeah, I think they sometimes leave it off because a lot of development doesn't lead with security in mind, so adding the Sec part really makes sure that they're building their software with that security aspect in mind.
Jara Rowe: Okay. So DevSecOps is a position at a company?
Marie Joseph: Correct.
Jara Rowe: Got it. All right. So the last one that I have in our acronym section is BCRA, which I know is more of a Trava term, but this could be for a potential new customer or anything like that. What is a BCRA?
Marie Joseph: Yes. So BCRA stands for Baseline Cyber Risk Assessment. You probably typically hear it, if you've done anything within your business, just regularly called a risk assessment. These are something that need to be done annually. We call it baseline because usually your first one with us is going to be your baseline of your security maturity program. So that's what those risk assessments are doing, is it's analyzing your security posture or lack thereof. And then as you go on and do them annually, you should be increasing your maturity posture, and that's what those are really defining, and it's proving to your prospects, your customers, your auditors too, because usually you have to do it for most audits, it's proving to them that you are working on your security program when you do enhance that score every year, and it usually gives you a goal, like, "These are our weaknesses, we should focus on those."
Jara Rowe: Yeah, that's super helpful. Okay. So next up, new section. We're going versus. A lot of these I think are common terms that people hear, but sometimes it could potentially be interchangeable even though they may be a little different. So first up, a threat actor versus a hacker. What's the difference? And then why do these terms even matter?
Marie Joseph: So, hackers, usually how you see it is they're usually a more technical person, so they are someone that could break into your system whether they're hired to or not. So they have the ability to be a bad guy or a good guy, because some people do hire ethical hackers, where they purposely purchase someone's ability to break into their system, which is good to find the holes and the gaps in it. Threat actors could more so be an individual or a group with malicious intent. So it's not necessarily like they're going to compromise your system, but could possibly do it, but they usually aren't as technical as a hacker would be. In some cases, a threat actor could accidentally get into your system and not have had that malicious intent, or they don't have the technical skills and just got there, or they don't get into it at all but attempted to. That's how they correlate and are different. I did read somewhere where it explained it as not all hackers are threat actors, but all threat actors could potentially be hackers depending on their skill level, which I thought was interesting, and that's kind of a nice way to explain it.
Jara Rowe: Yeah. So I honestly thought that they were the same thing. I was one of those people that thought it was interchangeable, so I'm glad I asked this and you broke it down for me.
Marie Joseph: I used to think that too. And then in grad school I had a professor that was like, " You need to stop using the word hackers. Use threat actors when you're talking about anyone, basically. Stop using hackers basically as a whole."
Jara Rowe: All right, noted. Okay. So next up, again, something else that I might think is a little interchangeable. Firewall versus antivirus. How are they different? And then what do small businesses need these for?
Marie Joseph: Any business needs both of them, basically. A firewall is there and it kind of is literally like a wall, like a defense wall. So it monitors, it controls network traffic, and usually prevents unauthorized access and acts as a barrier. While an antivirus, it's usually some program installed on your laptop or on a device, and it's usually scanning for any sort of malicious software like viruses or worms or any other sort of things, and it's actively detecting activity on your system to make sure there's no bad guys in it or someone trying to get in. So essentially the firewall guards the network, and then the antivirus protects your individual device from internal threats.
Jara Rowe: Okay. Again, I did not know that. Very, very helpful. Okay, the last set of terms in this section, a risk appetite versus a risk tolerance. What's this?
Marie Joseph: If I'm being fully transparent, this one can be complicated to me too sometimes. These show up often when people fill out risk registers. So that's when you review your business and security risks on an annual basis, quarterly basis, whatever cadence at your company. So a risk appetite is usually broader and more strategic, and the risk tolerance is more specific, and they're both related to risk management in some way. So the risk appetite refers to the overall level of risk an organization is willing to accept to achieve its objectives, so it's what they can accept, while the risk tolerance defines the acceptable deviations from that risk appetite, and that's where it gets kind of more specific. So it's essentially setting some sort of specific boundary for how much risk you can take in. I would say most people don't put these on their risk registers, but usually as they mature and become a mature program, then they start getting more specific with these, using appetite and tolerance.
Jara Rowe: Okay. You mentioned a risk register.
Marie Joseph: Yes.
Jara Rowe: What is that?
Marie Joseph: Yeah. So a risk register usually includes business risks, security risks, and those are things where you individually usually do some sort of assessment, and it's things that could impact your business in a negative way. So it's things you want to look at on a frequent basis. One of the big ones would be fraud. A lot of people would list that, or internal threats, including your people, like your people are often a risk, so they have the capability. I mean, humans are usually one of the bigger factors there. And natural disasters could be one too. That's a risk that can impact some people depending on where they live. Those are kind of just examples. So it's kind of identifying like, "Hey, this could happen. We have it documented that it could happen, and here are the steps. This is how much of the risk we can accept from that." And that's where the appetite and tolerance come in.
Jara Rowe: Okay. Next section. So we're getting into security basics. First up, what is patch management?
Marie Joseph: I think of it like a patch is like a band-aid, basically, as if I could give you a theory on it. Usually companies will have some sort of tool monitoring your systems, so monitoring your laptop specifically, and it's looking for continuous updates on software in your operating systems, on your laptop basically. And then they will push out patches or band-aids when they notice something is outdated and needs to be fixed, because usually when those updates come about, usually it has some sort of security aspect in mind. So companies will push those out to cover vulnerabilities, bugs, performance issues. So the patch management is kind of working on healing your device in some capacity.
Jara Rowe: All right. Like a band-aid. Noted. Okay. And then this next term is something that I hear a lot. I'm always like, "What is this? I understand, but I don't understand." Okay, so attack surface, what does it mean for a business, and then how can a small business manage it?
Marie Joseph: I know it kind of sounds fancy and scary at the same time in a way. It's harder to visualize when you're looking from a cybersecurity aspect, because you can't physically see most of the attack surface when you're talking about software. So the way to look at it is, if say you were living in a building, your whole attack surface is going to be the outside of that building, and honestly under and below, so it's the entire surface of that. So the attack surface from the software standpoint, and where people come from in cybersecurity, includes everything that you can see, your endpoints, your laptops, and your servers, and could still be your physical office building too. But then when it comes to the software, it also would include that cloud network that's included, and anything that your data and your customer data touches kind of becomes your attack surface. So the bigger you grow and expand, all of that becomes your attack surface and stuff you need to work on protecting with some sort of security mechanisms. So think of it as a battleground.
Jara Rowe: Yeah. Okay. Exactly. All right. Man, attack surface is like a battleground. Is that what you just summed it up as?
Marie Joseph: Yeah, it's like everything you could attack. I always think of it as a castle and the wall around the castle basically, and all of that is where your enemy could hit.
Jara Rowe: All right, man. Okay. We don't want that to happen.
Marie Joseph: No.
Jara Rowe: All right. So next section, which I honestly feel like is Marie's bread and butter a little bit. So we're getting into compliance and strategy. So what is continuous compliance?
Marie Joseph: Continuous compliance means that you're continuing to upkeep your security program. The best way is you do become certified in SOC 2 or ISO, for example. You have to continuously monitor all those controls you put in place. I think some people take the aspect of like, "We got the certification, we hit the finish line, we're done." But no, it does not stop there. You've now developed a whole program that people are counting on you to keep up. So once that part hits, you have to make sure all of your controls are continuously running effectively for the next year and beyond. More so, the continuous happens too because security and technology is changing every day. Those threat actors and hackers are making us have to change the way we do security on a daily basis because they're maturing, so we have to mature too. So that often means that we have to change the way that we're securing our company. So that's why it's always continuous. It's never going to stop. There's always going to be that bad guy out there that makes us have to really continue that continuous compliance on that aspect.
Jara Rowe: All right, that's important. So data retention policies, what are they? And then why does it even matter for compliance?
Marie Joseph: Those data retention policies kind of set guidelines for the organization to follow and manage how long they can keep data. So keeping the data, storing it, and eventually deleting it. The deleting it is where most people question that. So it's ensuring compliance with legal regulations and best practices, so it defines that retention period, which data is crucial, and then if they have any sort of legal obligations that they need to be meeting, because different countries or different companies ask you to delete their data at specific points or at end of contract, while efficiently managing the storage of the data you consume. In a simpler way, in an everyday way, it's like a policy of when to clean out your closet, basically. You have to look at it like you know you're never going to wear those clothes. You've had the same clothes for five years. We might as well ditch them. I haven't touched them. And that's kind of like you take the data, I haven't touched that data in five years, it's not applicable anymore, like just get rid of it. And essentially, because if you were to keep all of that, you would have to probably buy a bigger place with a bigger closet or pay for more storage. The same thing comes for data, where the more data you keep and store, you're going to have to buy more storage, whether it's a physical server or in the cloud, you have to buy more cloud storage. So that's why people also keep retention policies, because otherwise they would keep having to buy all the cloud storage.
Jara Rowe: Man, I actually have some things in my closet from five years ago that I need to throw away. I can't buy a bigger house, so we've got to get rid of it.
Marie Joseph: Exactly.
Jara Rowe: All right. So what is a cybersecurity maturity model?
Marie Joseph: A lot of risk assessments use these, by the way, but a cybersecurity maturity model is usually some sort of framework that evaluates the organization's cybersecurity posture, and it will outline different levels of security maturity and readiness, and usually is a way to also identify any gaps in your program. So it can range from awareness to being a great control that you have in place, because it usually will go by controls within the framework, then it will focus on ways you can improve. The levels that get used in a lot of the more mature cybersecurity maturity models are initial, managed, defined, controlled, and optimized. So usually I think of that as level one, two, three, four, and five, basically. You want to hit the defined one, that's like the middle. Usually, that means you have everything well documented and controls well in place. So you're like, you're there, you're at the happy medium, basically, and then you can try to go above and beyond.
Jara Rowe: All right. Man, that was super, super helpful. So we know that the cybersecurity is full of acronyms and terms. Hopefully, by the end of this you don't feel like it's as much of a foreign language. Marie, I really appreciate the time that you've taken to answer these questions for me. Is there anything else you would like to point out before we wrap this episode?
Marie Joseph: Yeah, I think the final thing would just be the cybersecurity and tech world as a whole have a lot of acronyms. I think those sometimes can often be changing too, and I think a lot of people also have different meanings for some of them, so I'd always recommend clarifying with people being like, " Is this truly what you meant by using this acronym?" Just to have that clarification just because some people like to make them up because there's a lot of them out there, so making sure it's a common one and that we're all talking about the same thing.
Jara Rowe: Yes, absolutely. Do not be afraid to speak up during a meeting. You want to make sure that you're understanding what is being discussed. Anyway, that's another episode of The Tea on Cybersecurity. Thank you. Now that we spilled the tea on those cybersecurity terms, it's time to go over the receipts. Marie really covered a lot of information for us during that episode. So let's go over the main things that I took away. Receipt number one is what is a vCISO? And Marie framed that as a security expert that is really at the C-level, and that helps a company develop their cybersecurity strategy plus more. And it's easier for a smaller business to obtain a vCISO versus a CISO, which is a full-time position, as a vCISO is more of a contractor and it's hourly, making it affordable for those smaller businesses. The next receipt that I have is another acronym, which is PII, which is Personally Identifiable Information, which literally is information that can identify a person. So this is anything like a social security number, an address, or even an email. Receipt number three, what is the difference between a threat actor versus a hacker? I honestly thought these terms were interchangeable, but Marie helped me understand that they are in fact different. A hacker is a little more technical and can be good or bad, because some companies can hire an ethical hacker, who has permission to come in and figure out where those weak spots are, where a bad hacker can get into a company. And a threat actor can gain access, sometimes it could be by accident or anything like that, but a lot of the times they do have malicious intent behind that. Another receipt that I have is patch management, and Marie framed that as being like a Band-Aid for software. So if something needed to be updated or anything like that, patch management is able to patch, fix the problem so that hackers can't access it.
And the final receipt that I have for this episode is cybersecurity maturity model, and this helps look at a company's posture and the maturity of their cybersecurity. It can help identify gaps to make sure that the company is in good standing and that it is in fact protecting its data. Wow. We really covered a lot of information during that episode of The Tea on Cybersecurity. I hope you, listener, took away as much as I did. Stay tuned for a future episode of The Tea on Cybersecurity. Thank you. And that's The Tea on Cybersecurity. If you liked what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
Cybersecurity lingo can be overwhelming, but once you get the hang of the essentials, staying secure becomes much easier.
In this episode, host Jara Rowe sits down with Marie Joseph, Senior Security Advisor at Trava, to break down key terms like vCISO, PII, and cybersecurity maturity models. They also differentiate between terms like hacker vs. threat actor and firewall vs. antivirus by highlighting the nuances that matter most. Plus, Marie reveals why continuous compliance is crucial, and how concepts like attack surface and risk tolerance fit into the bigger picture of your security strategy.
Key takeaways:
- Essential cybersecurity terms and definitions: vCISO, PII, and more
- The importance of understanding and managing your attack surface
- Why cybersecurity compliance can’t be a one-time effort
Episode highlights:
(00:00) Today’s topic: Understanding cybersecurity terms
(01:47) What is a vCISO, and why it benefits small businesses
(02:54) Definition of PII, BCP, SIEM, DevSecOps, and BCRA
(08:40) Hackers vs. threat actors explained
(10:28) Why businesses need an antivirus and a firewall
(13:37) Patch management and cybersecurity attack surfaces
(16:04) Continuous cybersecurity compliance
(21:27) Recapping cybersecurity essentials
Connect with the host:
Jara Rowe’s LinkedIn - @jararowe
Connect with the guest:
Marie Joseph’s LinkedIn - @marie-joseph-a81394143
Connect with Trava:
Website - www.travasecurity.com
Blog - www.travasecurity.com/learn-with-trava/blog
LinkedIn - @travasecurity
YouTube - @travasecurity