Cyber Trust and Transparency with John Boomershine, BlackInk IT

This is a podcast episode titled, Cyber Trust and Transparency with John Boomershine, BlackInk IT. The summary for this episode is:

"Trust is foundational to both the relationship, interpersonal relationship, B2B relationship. Then also we're having to convey that trust to our customers," - John Boomershine

John Boomershine, also known as Boomer, sits down with host Jara Rowe in this episode of The Tea on Cybersecurity to talk about trust and transparency in cybersecurity. As the Vice President of Security and Compliance at BlackInk IT, Boomer brings nearly 40 years of experience in the IT realm, and a wealth of knowledge particularly focused on cybersecurity and compliance.

Boomer and Jara discuss why trust and transparency are absolute bedrocks in the world of cybersecurity. Boomer elaborates on the importance of effective communication, revealing how businesses can use privacy policies and FAQ sections to build consumer confidence. He takes us through the game-changing NIST and CIS frameworks and why adopting these can fortify your cybersecurity strategy. Additionally, he stresses the importance of having a solid incident response plan when things go south and emphasizes that cybersecurity is a team effort—everyone has a role to play, from implementing MFA to raising your hand when in doubt.

In this episode, you'll learn:

  • Trust is foundational for cybersecurity in any organization and the cornerstone of a great client relationship
  • Why you need to have a superhero plan for cyber incidents to tackle any problem that may come up quickly and efficiently.
  • To boost your customer confidence and safety, you need to adopt a cybersecurity framework to act as your compass, guiding you on what's essential to protect your business and your data.

Things to listen for:

[00:00 - 00:55] Introduction to The Tea on Cybersecurity
[01:53 - 03:16] Trust is foundational in cybersecurity and business
[03:16 - 05:34] Effectively communicating data handling with your customers
[05:35 - 08:41] CIS controls framework: 18 sections, 153 safeguards
[08:42 - 11:10] Data collection transparency and where companies should focus
[11:15 - 12:46] Some of the biggest challenges businesses face in maintaining transparency and trust
[12:46 - 14:12] Combating cyber threats with teamwork and commitment
[14:14 - 16:03] Final thoughts from Boomer
[16:17 - 19:55] Jara's Receipts

Resources:

  • How SOC2 helps you build trust with clients: https://travasecurity.com/learn-with-trava/articles/soc2-compliance-checklist
  • 7 Tips for Talking to Your Customers After Getting Hacked: https://travasecurity.com/learn-with-trava/resources/tips-for-talking-to-customers-after-getting-hacked

Connect with the Guest:

John Boomershine's LinkedIn: https://www.linkedin.com/in/askboomer/

Connect with the host:

Jara Rowe's LinkedIn: https://www.linkedin.com/in/jararowe/

Connect with Trava:

Website www.travasecurity.com
Blog www.travasecurity.com/blog
LinkedIn @travasecurity (https://www.linkedin.com/company/travasecurity/)
YouTube @travasecurity (https://www.youtube.com/@travasecurity)

Jara Rowe: Gather around, as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is the Tea on Cybersecurity, a podcast from Trava. Thanks for tuning in to another episode of the Tea on Cybersecurity. Trust and transparency. Those are two fundamental principles of cybersecurity. On this episode, we explore why they're indispensable in today's digital world and their direct impact on our security. But as we know, I'm not the expert, but I definitely have one with me. Let's dive into practical insights and tips from Boomer, the vice president of security and compliance at BlackInk IT. Hi, Boomer.

John "Boomer" Boomershine: Hello. Just another day in cybersecurity.

Jara Rowe: If you could go ahead and introduce yourself to our listeners, that'd be fantastic.

John "Boomer" Boomershine: My name is John Boomershine, AKA Boomer, it's a built-in nickname. I've been in the IT space for, I'm embarrassed to say, almost 40 years. In cybersecurity and compliance, the last handful of years. I work for an organization based in Indianapolis, where I like to say the sun doesn't set on the networks we manage and secure. We work with organizations as small as two folks and as large as multinational organizations with billions upon billions of assets. I think what that has afforded me, over recent months and years in my career, is an opportunity to see different businesses and how they handle both security and compliance. It helps to give me a sense of why trust and transparency are such cornerstones of really securing a business and staying compliant.

Jara Rowe: Can you briefly explain why trust is such a critical component in cybersecurity? And especially for businesses.

John "Boomer" Boomershine: I think it's foundational to everything we do in cybersecurity. Understanding that, whether it's the system, the data, the organization, the platform that we have trust is a foundation to begin. Whether it's a transaction or multifactor authentication, the ability to identify and validate who we are, to maybe even secure communication where we know that both parties are encrypting the data. Or then, understanding that when I share data with a third party, that they're going to protect it as much as I protect it in order to protect my customers and organizations. Trust is foundational to both the relationship, interpersonal relationship, B2B relationship. Then also, we're having to convey that trust to our customers. How do they know, as a business, that we're looking out for them? Too often now, folks think businesses are just out for profits. There's examples in the media of that. But I think there are also a lot of businesses that are concerned and focused on being a trustworthy agent in protecting the data and systems that so many rely on.

Jara Rowe: How can a business effectively communicate their practices when it comes to data handling and privacy for the customer?

John "Boomer" Boomershine: A lot of things come down to first and foremost, how do you demonstrate some level of accountability? I think in a lot of cases, you do that through frequently asked questions, or putting out on your website how you're protecting privacy, or data access, or security. Including that and building that confidence in your security practice, right through dissemination and communication about them, I think begins to mitigate concerns. That okay, yeah, they're thinking about the right things. This notion of privacy is bubbling up more and more. There's three primary tenets that I deal in. One's security, one's compliance, and one's privacy. At the core, what we're trying to do is ensure the data that is shared remains private through different aspects of secure and compliant operations. Helping individuals or organizations understand where those controls are, if I think about it from a business perspective, an organization should adopt some type of security framework. Whether it's the NIST cybersecurity framework, or whether it's the CIS Version 8. I'm a big fan of CIS Version 8 because it's been around for so long. But what's also very nice about it is it's prescriptive. It helps guide an organization on how to protect and establish basic levels to advanced levels of cyber hygiene. But also, as a consumer, knowing that there are these frameworks out there that organizations are trying to adopt to protect data. Again, it's that education. Then, the last thing is, and we all do it as consumers, we blow through end user licensing agreements. I watched my kids, when they were a little bit younger, wanting to download games to their phones. Because we've all been there, as parents. But yet, if you begin to look at that, why does a game need access to a microphone or a camera? And understanding that, and I think that's where you have to be open and understand, "I have a responsibility as a consumer to read that agreement."
As a developer, I need to put everything out there so that we can all come together and protect each other.

Jara Rowe: On the Tea on Cybersecurity, we talk a lot about frameworks and things like that. But we've not really gone into the CIS Version 8. Can you give a high level explanation of what that framework is?

John "Boomer" Boomershine: The CIS Controls originate from a company by the name of the Center for Internet Security. There are 18 different controls that incorporate 153 different safeguards. There are different levels of implementation. As you think about this, there's 18 different sections. The first one, I'll use Boomer speak, it's what do you have? What technology, what hardware are you using? If I'm trying to use the CIS framework and I'm trying to get what we call Implementation Group 1 or basic cyber hygiene, I know that I have to be able to inventory the assets that make up my enterprise. Well, okay, that's pretty easy. We're all sitting here with laptops that our companies usually give us, or maybe they give you access to a virtual desktop and you're able to use your own device. But, wait a minute. I have this personally owned cellphone that I'm using to get to email and to my Microsoft Teams, or maybe my Google Drive for my company. What's the relationship of the company to that cellphone of mine? If my company's allowing me to get data, then I may need to allow them to control a small aspect of that phone in order to protect that data. Well, in the first control, we're trying to understand, are cellphones part of the enterprise asset? That's one component and the first component of the controls. Now they're put in order, from one through 18, and the one at 17 is always one that I'm interested in, the incident response management. Understanding who's going to do what in the event of an incident. I live in the time and place that I believe it's not a matter of if something's going to occur, but when. As an Eagle Scout, I always want to be prepared. An incident response plan, having that in place, having sat down with my team to understand the who, what, when, where and why, that's all part of this framework. In IG 1, understanding who's going to be on the team and having the plan, that's why I like CIS a lot. They've put a lot of thought into it.
NIST has recently come out with their Cybersecurity Framework 2. It's integrated with other NIST standards. Regardless, and again back to this theme of trust, transparency, and the notion that it takes a team, bring a framework into that relationship. Adopt some type of cyber framework to assist your team. While it doesn't come out in CIS and say, "Trust or transparency," it's giving you the foundation to provide evidence of it. That's why I'm such a believer in the different frameworks.

Jara Rowe: Thinking back to data collection and usage again. What information should companies be transparent about, regarding those aspects?

John "Boomer" Boomershine: I think that's a tough one because in this day and age, there's this belief that there really is no privacy. Or at least, sometimes that's what runs through my head. When I get into websites, I always wonder, "What are they actually tracking?" In a lot of cases, you can go find that information but it's not the first thing on my list. I think in order to be transparent, you need to make sure your privacy policy is out there and that you also have ready access for the consumer, or even internally in a business, members of your team, to understand what they are tracking, what data they are pulling and seeing from a browser. What's very interesting to me is that I go to a grocery store every week, and I come home, and about three weeks later I start to get these coupons that very much look like what I bought a few weeks back. That tells me that by typing in or swiping that card, that frequent shopper card, they're tracking a lot of data. Yeah, I signed up for the card because I wanted the savings but yet, okay, they've got all this data and they're giving me coupons, great. But who else is getting that data? What I know from working with different grocers, that data is paramount to how they allocate shelf space. They are supposedly de-identifying the data and sharing it with other manufacturers so that they can build these big analytics models on, "Okay, here's this 60-year-old guy that shows up at a store. Gosh, he must like to cook because he buys these things." What are they able to discern about me? I think if we're going to be a team, whether that's business-to-business or business-to-consumer, we have to be clear and transparent about the data we are collecting. If business is not transparent, regulatory agencies are going to step in and force you there. We're already seeing that with the different privacy acts in the different states and what have you, because businesses aren't being that transparent.
But I don't see anything... I guess, as a consumer I'm more apt to trust someone who's upfront and telling me about it, and making it easy for me to do my own research about should I trust you.

Jara Rowe: We've given some tips on how to get everything in order. But what are some of the biggest challenges businesses face in maintaining transparency and trust when it comes to their cybersecurity practices?

John "Boomer" Boomershine: I think the biggest challenge is we live in a litigious society. Everybody is trying to blame everybody for what's going on rather than saying, "Okay, events happened. How can we come together?" I've been a party to way, way too many phishing incidents that lead to business email compromise, and that leads to all sorts of activities. Whether it's banking transactions that are fraudulent, or it involved giving access to systems. Again, it's not that I sit home and watch TV, but there was a special recently on how people socially engineered access to some gambling establishments out in Las Vegas, and how they shut down those systems. I think this notion of coming together, being able to work as a team to defeat this scourge that we call cyber incidents and cyber threat actors, is paramount to this. I think the only way you do it is as a team and that you come to the table first with the commitment to solve the problem. Again, if you're in an incident, how do we contain it? How do we mitigate it? How do we know it's gone? Then what have we learned collectively as a partnership, what happened? Cyber criminals only have to be right once. Cybersecurity folks, my staff, you as a consumer, have to be right every time.

Jara Rowe: Yeah. We've talked about it on a recent episode, about how sometimes, especially as employees, we don't think that taking all of the cybersecurity precautions is that important for us. But it really is a team effort. The only way we're all going to be as safe as possible is if we all band together.

John "Boomer" Boomershine: There's this saying, "If you see something, do something. Click something, say something." So often, business is worried about being sued and an individual is worried about being embarrassed that they did something. Everybody falls victim. I shouldn't say that. Everybody can fall victim to these. Again, having that communication, making it easy to educate folks. I'm amazed at how many invitations I'm getting now to different cybersecurity awareness programs. Whether it's from my bank, whether it's from my investment company, whether it's from my insurance company. I recently got one from my insurance company and I thought, "Wow, isn't that great?" That folks are trying to get together and educate everybody. Through that education, they're trying to show you ways to communicate and to raise your awareness that we'll never call and ask you this information. But how often do we get the calls? I'm hopeful that we will all come together. We will do so in a means where we're in it together and share the information to battle back.

Jara Rowe: All right, Boomer, it's been fantastic. But before I let you go, do you have any final thoughts on the importance of trust and transparency? Or just anything cybersecurity or compliance in general that you would like to leave our listeners with?

John "Boomer" Boomershine: We think about what we can do individually to protect ourselves or to work in an organization to protect the organization, the data or its consumers. The first thing you have to understand is you've got a role and that role is to raise your hand. Because if I'm going to be transparent, I need to be able to ask questions in a way that, "Hey, I have concerns. Mr. IT, are you backing up the data and can I get my systems back? Hey, why aren't we turning multifactor on in this system?" Or, "Gosh, we're looking at a new software vendor. Maybe we ought to look at their privacy statement or have them provide evidence of what security controls and measures they have in place to protect the data that we share with them." That's a couple ideas from the business side. From the consumer side, it's very similar. Hey, if I'm going to be working with a bank, or an insurance company, or an attorney, are they asking the right questions, or protecting data, or giving me the mechanisms to work with them that are secure? Can I very quickly go out and see, hey, what's their privacy policy or what security controls are in place? These are all things that, regardless of business or individual, I think we all need to do in order to ensure there's transparent awareness building to trust. That folks are going to take care and look out for me, and my data, and my systems in a way to keep us all safe.

Jara Rowe: Fantastic. Well, thanks for taking time out of your day to chat with me. It's been super helpful.

John "Boomer" Boomershine: I appreciate your time as well.

Jara Rowe: Now that we've spilled the tea on trust and transparency, it's time to go over the receipts. One thing that Boomer told me is that trust is just foundational for cybersecurity in general. Especially when we think about it from a business aspect, we want our customers to be able to trust that we're doing the right thing with their information. Even if we needed to work with a third-party vendor, we want them to have the same amount of trust in our customers' data that we do. We want to make sure that everyone is on the same page and is going to do the appropriate things with the information that is collected. Then, be transparent with the customer about what that looks like. Another receipt that I have is how Boomer was talking about what to do if an incident were to actually happen. He stressed the importance of pulling people into the conversation, into the fold. From the beginning, let them know something happened. Let them know that the event has been contained, and then the steps that are being taken in order for the issue to be resolved. But also, how you plan on communicating with them that these are steps that I'm taking. Are you mailing them? Are you emailing them? Should they be looking on your website or social media? Just being transparent about where those communications are coming from. Then it's also important to keep us all updated, the entire way until the issue is fully resolved. Another takeaway I have from Boomer is about how businesses should communicate their practices when it comes to cybersecurity and privacy, and the best way to be transparent with this. Boomer talked about the importance of having an FAQ on your website, or even privacy statements. I've learned from hosting the Tea on Cybersecurity that I should probably be looking at privacy statements on people's websites a lot, just to see what they're going to be doing with, say, my email for instance, in case I were to sign up for a webinar.
It really all comes down to education, and being open and transparent, there's that keyword again, with everyone about what the info looks like, what the data looks like, how it's going to be used and kept safe. To my business leaders, Boomer believes that one of the easiest ways to show your customers that you can be trusted is by adopting a framework. We have talked about different compliance frameworks on the Tea on Cybersecurity. Boomer specifically talked about NIST, it's just basic, "I have all of these things in order," as well as CIS. He gave a great explanation of what CIS is. Again, it's just those basic things you should have in order when you're taking people's information. The final receipt that I have from this episode is that we all must protect ourselves. We all have a role when it comes to cybersecurity and keeping our personal data safe, our company data safe, and it's important to have open conversations. Boomer also stressed, if you have a question, raise your hand. Don't be afraid to talk to the IT person at your company. But it's also, as consumers and users, it's important to take some of these extra precautions, like MFA. That's something we've talked about in probably every episode. Again, cybersecurity comes down to all of us. It's important that we all do our part. I hope you learned as much from this episode as I did. I'll see you in the next episode of the Tea on Cybersecurity. That's the Tea on Cybersecurity. If you liked what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
