#240
August 25, 2025

EP240 Cyber Resiliency for the Rest of Us: Making it Happen on a Real-World Budget

Guest: Errol Weiss

Topics: Cloud Posture and Hygiene; Cloud Security Practices

Duration: 29:29


Topics covered:

  • Why is adding digital resilience crucial for enterprises? How do you get leaders to shift from “just cybersecurity” to “digital resilience”?
  • How can you be as resilient as possible with the resources you have? How can you be the most resilient with the least amount of money?
  • How to make yourself a smaller target?
  • Smaller-target measures fit into what some call “basics,” but “basic” hygiene is actually very hard for many. What are your top three hygiene tips for making it happen that actually work?
  • We are talking about under-resourced orgs, but some are much more under-resourced than others. What is your advice for those with an extreme shortage of security resources?
  • Assessing vendor security: what is most important to consider in 2025? How do you avoid being hacked via your vendor?


Transcript

The hosts, Timothy Peacock and Anton Chuvakin, introduced the core theme: building digital resilience on a budget. Chuvakin highlighted that while "resilience" has become a buzzword, many discussions are high-minded and assume unlimited resources, leaving smaller organizations behind. The hosts emphasized a practical, "low-budget" approach, citing a real-world example of an IT/security leader who also mows the hospital's lawn.

Errol Weiss opened the discussion by framing the push for resilience as a response to recent, high-profile "marketing events," such as the CrowdStrike outage a year prior. He noted that such incidents underscore the fact that security isn't just about protecting the enterprise but also about preparing for system unavailability. He defined resilience as having a mindset of fast detection and even faster recovery.

The Role of ISACs

The conversation then delved into the role of Information Sharing and Analysis Centers (ISACs). Weiss described ISACs as a "virtual neighborhood watch program" for critical infrastructure sectors. He used the CrowdStrike event to illustrate their value, explaining how members across different time zones could share observations and quickly converge on the root cause—a problematic software update. He revealed that ISACs were established by the U.S. federal government after a study found that the private sector owned 85% of critical infrastructure. He concluded this section by strongly recommending that all organizations, especially those that are resource constrained, find and join their respective ISAC, stating that the value gained often far outweighs any contribution.

Shifting to a Resilience Mindset

A key part of the conversation was about how to help leaders adopt a resilience-focused mindset instead of just a traditional cybersecurity one. Weiss advised that this shift is not about new tasks but about a fundamental change in thinking. He stressed the importance of practicing for failure through tabletop exercises, simulating a complete system failure, and regularly testing backups. This practice, he argued, is critical for learning and improving.

Resilience on a Budget

The discussion then moved to the core challenge: building resilience with minimal resources. Weiss provided several actionable, low-cost strategies:

Leverage Free Resources: He recommended using free and open resources such as CISA’s Known Exploited Vulnerabilities (KEV) Catalog and CISA’s free external vulnerability scanning service (its Cyber Hygiene scanning).

Utilize Sector-Specific Guidelines: He pointed to resources from the Health Sector Coordinating Council, including cybersecurity practices, incident response guides, and checklists.

Implement the Cybersecurity Performance Goals (CPGs): Weiss is a strong advocate of the CPGs, which define basic hygiene, staff training, and incident response planning.

Embrace Information Sharing: He highlighted the immense value of ISACs, which he described as offering a "huge value for money" and serving as an extension of a small team.

Leverage Cloud Services: Both Weiss and Peacock emphasized that cloud services provide an implicit way for small organizations to "hire" highly skilled security and reliability teams (like Google's SREs) that they could never afford on their own.

Making Yourself a Smaller Target

The conversation shifted to the topic of making an organization a smaller target. Weiss focused on three key cybersecurity hygiene basics that are particularly effective against ransomware, a primary threat to the healthcare sector:

Patching: Staying up to date on software updates.

Backups: Regularly performing and, crucially, testing backups.

Multifactor Authentication (MFA): Implementing MFA universally to prevent account takeovers.
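What "testing backups" means in practice, as an added example (not from the podcast or from any tool Weiss mentions): a restore drill that rebuilds the data in a scratch directory from the archive and compares every file's SHA-256 against a manifest recorded at backup time, then repeats the check against data that changed after the backup ran to show what a stale backup looks like. The sample tree, the tar-based backup job and the stale-backup scenario are constructed for the demonstration; a real drill restores from the actual backup system onto an isolated host.

```python
"""Restore-and-verify drill for a file backup (added example)."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def back_up(root: Path) -> bytes:
    """Produce a gzip'd tar of root (stand-in for a real backup job)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname=".")
    return buf.getvalue()


def restore_test(archive: bytes, expected: dict[str, str]) -> dict:
    """Restore into a scratch dir and diff the result against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            try:
                # The "data" filter (Python 3.12+, backported to 3.8.17 /
                # 3.9.17 / 3.10.12 / 3.11.4) refuses path traversal, absolute
                # names and dangerous links inside the archive.
                tar.extractall(dest, filter="data")
            except TypeError:
                tar.extractall(dest)  # older Python: no filter argument
        restored = make_manifest(dest)
    missing = sorted(set(expected) - set(restored))
    mismatched = sorted(k for k in expected
                        if k in restored and restored[k] != expected[k])
    return {"ok": not missing and not mismatched,
            "checked": len(expected), "missing": missing,
            "mismatched": mismatched}


def run_drill() -> tuple[dict, dict]:
    """Constructed scenario: a good restore, then a stale-backup restore."""
    with tempfile.TemporaryDirectory() as src:
        root = Path(src)
        (root / "records").mkdir()
        (root / "records" / "patients.csv").write_text("id,name\n1,constructed\n")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")

        manifest = make_manifest(root)  # recorded at backup time
        archive = back_up(root)
        good = restore_test(archive, manifest)

        # Data changed after the backup ran but the archive did not. Checking
        # against the *current* manifest surfaces the gap before an incident does.
        (root / "records" / "billing.csv").write_text("id,amount\n1,0\n")
        (root / "config.ini").write_text("[db]\nhost=db-01\n")
        stale = restore_test(archive, make_manifest(root))
    return good, stale


if __name__ == "__main__":
    good, stale = run_drill()
    print("fresh backup :", good)
    print("stale backup :", stale)
```

The second result is the one a drill exists to find: one file missing from the archive and one whose restored content no longer matches production, which is exactly what a ransomware recovery would discover too late if nobody ran the restore beforehand.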

Chuvakin raised the common challenge of organizations having a 30-day (or longer) window for patching critical vulnerabilities. In response, Weiss suggested two practical countermeasures:

Detection and Monitoring: Implement monitoring to detect if an attacker is exploiting a known vulnerability while awaiting a patch.

Prioritization: Use CISA’s Known Exploited Vulnerabilities (KEV) Catalog to prioritize patching based on what is actively being exploited in the wild.
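One way to operationalize the KEV-based prioritization Weiss describes, as an added example that is not from the podcast or from CISA: the block reads scanner findings and ranks them against a KEV-shaped catalog, putting known-exploited CVEs (ransomware-linked ones first) ahead of anything the scanner merely scored as critical. The CISA feed is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json with the field names used here; the catalog entries, hostnames and scanner rows in the block are constructed placeholders (the CVE IDs are not real CVEs) so it runs offline.

```python
"""Rank scanner findings against the CISA KEV catalog (added example)."""
import json
from datetime import date

# Constructed KEV-shaped sample. The real feed has the same top-level
# "vulnerabilities" array and field names; these entries are placeholders,
# not real catalog records, and the CVE IDs are not real CVEs.
KEV_SAMPLE = json.dumps({
    "title": "constructed sample, not the CISA feed",
    "vulnerabilities": [
        {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor",
         "product": "VPN Gateway", "dateAdded": "2025-07-01",
         "dueDate": "2025-07-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-00002", "vendorProject": "ExampleVendor",
         "product": "File Server", "dateAdded": "2025-08-10",
         "dueDate": "2025-08-31", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: one row per (host, CVE) with the CVSS base
# score the scanner reported. The two non-KEV rows deliberately out-score
# the KEV rows: sorting by CVSS alone would patch them first.
SCAN_FINDINGS = [
    {"host": "edge-vpn-01", "cve": "CVE-2025-00001", "cvss": 7.5},
    {"host": "fs-01", "cve": "CVE-2025-00002", "cvss": 8.8},
    {"host": "web-03", "cve": "CVE-2025-00003", "cvss": 9.8},
    {"host": "db-02", "cve": "CVE-2025-00004", "cvss": 5.3},
]


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index the catalog by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def classify(finding: dict, kev: dict[str, dict], today: date) -> dict:
    """Attach a priority tier to one finding.

    Tier 1: in KEV and flagged as used in ransomware campaigns.
    Tier 2: in KEV.
    Tier 3: not in KEV (CVSS decides the order inside this tier).
    """
    entry = kev.get(finding["cve"])
    if entry is None:
        return {**finding, "tier": 3, "label": "not in KEV",
                "due": None, "overdue": False}
    due = date.fromisoformat(entry["dueDate"])
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    return {**finding,
            "tier": 1 if ransomware else 2,
            "label": "KEV + ransomware" if ransomware else "KEV",
            "due": due.isoformat(),
            # The due date binds US federal agencies; for everyone else it is
            # still a useful "you are behind the public clock" signal.
            "overdue": due < today}


def prioritize(findings: list[dict], kev: dict[str, dict],
               today: date) -> list[dict]:
    """Order findings: KEV tier, then earliest due date, then CVSS."""
    rows = [classify(f, kev, today) for f in findings]
    rows.sort(key=lambda r: (r["tier"], r["due"] or "9999-12-31", -r["cvss"]))
    return rows


def run_sample() -> list[dict]:
    """Run the constructed data with a fixed date so the result is stable."""
    return prioritize(SCAN_FINDINGS, load_kev(KEV_SAMPLE), date(2025, 8, 25))


if __name__ == "__main__":
    for r in run_sample():
        flag = "  OVERDUE" if r["overdue"] else ""
        print(f'tier {r["tier"]}  {r["cve"]}  {r["host"]:<12}'
              f'cvss {r["cvss"]}  {r["label"]}{flag}')
```

To use this against real data, replace `KEV_SAMPLE` with the downloaded feed and `SCAN_FINDINGS` with your scanner's export; the CVSS 9.8 finding that is not in KEV still sorts below both known-exploited entries, which is the point of prioritizing by exploitation rather than by score.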

He also stressed the need to audit MFA implementation to ensure there are no exceptions or workarounds that could leave accounts vulnerable.
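A concrete form of the MFA audit Weiss calls for, as an added example (not from the podcast): the block scans an identity-provider user export for the exceptions that typically undermine "MFA everywhere": accounts with nothing registered, accounts that only have SMS or voice factors, accounts excluded from the MFA policy through a group, and accounts still allowed to use legacy protocols that never prompt for a second factor. The CSV columns, role names and sample rows are constructed assumptions modelled on typical exports, not any vendor's actual schema.

```python
"""Find MFA exceptions in an identity-provider user export (added example)."""
import csv
import io

# Constructed export. Column names are assumptions, not any IdP's real
# schema; the rows are invented and use a documentation domain.
USER_EXPORT = """\
user,roles,mfa_methods,policy_exclusion_groups,legacy_auth_allowed
alice@example.org,Global Administrator,authenticator;fido2,,false
bob@example.org,,sms,,false
carol@example.org,Exchange Administrator,,,false
dave@example.org,,authenticator,MFA-Exempt-Scanners,false
svc-backup@example.org,,,,true
breakglass@example.org,Global Administrator,,MFA-Exempt-BreakGlass,false
"""

# Roles treated as privileged (assumed names). Gaps on these rate high.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "Security Administrator"}
# Factors that count as "MFA on" but are phishable or SIM-swappable.
WEAK_METHODS = {"sms", "voice"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _split(field: str) -> set[str]:
    """';'-separated multi-value cell -> set, ignoring empty items."""
    return {x.strip() for x in field.split(";") if x.strip()}


def audit_mfa(csv_text: str) -> list[dict]:
    """Return one finding per exception, highest severity first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        methods = _split(row["mfa_methods"])
        exclusions = _split(row["policy_exclusion_groups"])
        privileged = bool(_split(row["roles"]) & PRIVILEGED_ROLES)
        base = "high" if privileged else "medium"

        if not methods:
            findings.append({"severity": base, "user": user,
                             "issue": "no MFA method registered"})
        elif methods <= WEAK_METHODS:
            findings.append({"severity": "medium" if privileged else "low",
                             "user": user,
                             "issue": "only SMS/voice factors registered"})
        if exclusions:
            # A break-glass account is a legitimate reason for an exclusion,
            # but it must still appear in the audit so someone signs off on it.
            findings.append({"severity": base, "user": user,
                             "issue": "excluded from MFA policy via "
                                      + ", ".join(sorted(exclusions))})
        if row["legacy_auth_allowed"].strip().lower() == "true":
            # Legacy/basic-auth protocols never prompt for a second factor,
            # so this is an MFA bypass regardless of what is registered.
            findings.append({"severity": "high", "user": user,
                             "issue": "legacy authentication allowed"})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["user"]))
    return findings


if __name__ == "__main__":
    for f in audit_mfa(USER_EXPORT):
        print(f'{f["severity"]:<6} {f["user"]:<24} {f["issue"]}')
```

Only the account with phishing-resistant factors, no exclusions and no legacy protocols comes back clean; the service account with legacy authentication enabled is flagged high even though it is unprivileged, because that setting makes the MFA requirement irrelevant.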

Advice for Extremely Under-Resourced Orgs

For organizations with extreme shortages of budget and personnel, Weiss offered a hierarchy of priorities:

Info Sharing: Start with a simple, high-impact action like participating in an information-sharing network. He shared an anecdote about a small-town hospice CIO who views her Health-ISAC membership as an extension of her own team.

Patient Safety First: Prioritize defenses that directly protect patient safety, with a particular focus on ransomware prevention due to its severe human impact (diverted ambulances, delayed procedures).

Tabletop Exercises: Practice, practice, practice. Both Chuvakin and Weiss agreed that tabletops are a low-cost, high-value way to prepare for incidents by identifying procedural gaps and fostering communication.

Vendor Security

The conversation concluded with a discussion on vendor security. Weiss advocated for a "partner" approach, where larger organizations actively work with their smaller suppliers to improve their security posture rather than simply pushing contractual requirements onto them. This collaborative model, he argued, is a more effective way to address the risks posed by third-party providers.

Closing Remarks

Weiss's final advice for organizations beginning their resilience journey was to adopt a risk-based approach. This means understanding your digital surface area and prioritizing the most critical vulnerabilities first. For recommended reading, he suggested following Brian Krebs, praising his work as a valuable source for staying current on the latest threats.

Podcast Timeline

Intro & Framing the Topic: The hosts introduce the topic of digital resilience, emphasizing the need for a low-budget approach and moving beyond high-level, expensive strategies.

Defining Resilience: Errol Weiss explains resilience as a mindset of rapid detection and recovery, using a recent major outage as a key example.

The Role of ISACs: The discussion shifts to the purpose of Information Sharing and Analysis Centers (ISACs) and their importance in fostering collaboration during widespread security incidents.

Mindset Shift: A discussion on how to transition from a "cybersecurity" mindset to a "digital resilience" mindset, with a focus on the value of practice and tabletop exercises.

Low-Budget Strategies: Weiss provides a list of free and low-cost resources and methods for organizations to build resilience, including leveraging cloud services and free public tools.

Basic Hygiene: The conversation narrows down to core, high-impact hygiene practices, including patching, backups, and multifactor authentication (MFA), and strategies for actually implementing them in practice.

Advice for Resource-Constrained Orgs: Weiss shares specific advice for organizations with extreme resource limitations, highlighting the importance of info-sharing networks and focusing on threats like ransomware that directly impact patient safety.

Vendor Security as Partnership: The discussion concludes with a segment on managing vendor risk by fostering a "partner" relationship rather than a purely contractual one.

Concluding Tip and Reading Recommendation: The guest offers a final piece of advice and recommends a specific source for ongoing security information.
