Ericius Security WARGAMES Podcast!
You may have missed our new podcast. If so, that’s because you’re not signed up for the newsletter!
As of today, we’ve published two episodes, one with Andy Galpin from Tree and Leaf Partners and one with Brandon Giella from SnapMarket.
Here are some highlights from the show with Brandon:
Brandon on redemptive marketing:
"...If you're familiar with Praxis, they have a redemptive entrepreneurship--redemptive finance--all these other kinds of things. And so we're taking on that with redemptive marketing and trying to build a marketing organization that is not centered on fear, uncertainty, and doubt (FUD) which... I hate... I don't want to create more fear, uncertainty and doubt in other people. Why would I want to do that? That is not what I'm called to do as a human being is made in the image of God. ..."
Brandon on business culture:
"...Some of the projects that I was working on clients were wanting to talk about... 'How do you build a culture at your organization? How do you create employee retention or employee engagement? How do you build like mission/vision/values or set a purpose for your team...?'
And I'm thinking in my head like, well, those are theological questions! What is the purpose of a company? Well, that's a huge philosophical question! What is a business? What is capitalism? What is money? You know? And how should it be used?... that's what was going on in my head just because the way I've been trained as a seminarian..."
Free Cyber Training
This summer we delivered our third iteration of “Building Cybersecurity Programs” and were pleased to capture a ton of B-roll. We’ve assembled it into videos that you can use to improve your cybersecurity efforts on-demand at no charge.
This training not only gives you a 301-level course on improving your organization’s cybersecurity efforts but also gives you a view into how we think about consulting, strategic advisory, and virtual Chief Information Security Officer services.
Access all six training modules here
I’d also like to take this opportunity to remind you all that Ericius Security is a nonprofit that helps high-risk nonprofits build cybersecurity programs so that they can keep their people safe.
High-risk usually means a combination of missionaries, counter-crime, and counter-human trafficking. Though, we do help people broadly regardless of what sector they are in—I don’t like seeing people left behind by the cyber industry regardless of industry.
Being a nonprofit means (among many things) that we control our prices as best as possible. Not only do we try to pitch our services at the bottom end of appropriate costs, but we also rely on donations to drop prices further.
Imagine that we’re providing month over month support for a small, 30-person nonprofit working counter-trafficking (which we are). Normally, that’d cost just about $4000 to align an adequately skilled cybersecurity expert to the problem and provide a meaningful amount of value.
You can imagine that a small not-for-profit can’t afford that amount of cybersecurity aid. You’d generally be right.
That’s where our donors come in. Month over month donations help us cover the cost of acquiring and maintaining expert talent so that we can reduce the amount of that cost that must be passed on to clients. That then gets us into “low-bono” territory, which gets more work out the door.
If you’re interested in joining the group of donors subsidizing our work for missionaries in creative access areas, counter-crime groups, and teams rescuing and rehabilitating trafficking victims, please sign up to give here.
What Security Says About Teams
Cybersecurity (henceforth, “cyber”) is the art and science of securing and defending assets in cyberspace so that your business can go to market and win. Or, so that your mission can go to the field, succeed, and stay there longer.
I’m continuing from the last newsletter, where I (incorrectly?) asserted that cyber’s use of “security” and secure communications’ use of the word are different. This time, instead of saying they’re different definitions (they frequently are), I’m asking: what if we adopt cyber’s definition and force it to work for us more broadly? You don’t need to read the last newsletter to understand this one.
Before we explore what cyber says about communications security or secure communications again, let’s see what cyber has to say about our team structure.
Cyber is a function of your business. It’s subordinate to the needs and goals of the mission and it’s a repeatable, persistent part of your work. Pulling from CISA’s mission statement, The Cyber Defense Matrix (“CDM”), and Sounil Yu’s general brilliance: Cyber is comprised of both security and defense because it is concerned with both “left of boom” and “right of boom.” In other words, it’s concerned with prevention (“left of”) of negative events (“boom”) and response to negative events (“right of boom”).
Accordingly, it’s concerned with both managing the structure of your IT environment and the situations that impact it—so-called incident response. Situational management, of course, requires people with margin.
Organizations that don’t view cyber as a function of the mission tend to camp in the PROTECT function of the NIST Cybersecurity Framework (see this older article) and focus on cybersecurity as a static condition or point in time (I’m adapting the style of CDM for clarity). At Ericius, we see this all the time.
Viewed this way, cybersecurity only covers about twenty percent of the value it should provide. This static viewpoint and lack of coverage has dire consequences. Most obviously, mistaking PROTECT for whole-functioned cybersecurity ignores emergency preparedness and incident response.
Next, static-cyber leads to a tendency to understaff and under-resource cybersecurity. It not only leads to viewing cybersecurity as a condition that can be purchased and deployed but also results in constrained staffing because situational management isn’t allowed to drive the creation of margin and thereby manpower.
Then, what staff is made available is underskilled, managed with low expectations, and undertrained, because they are expected to make sure cybersecurity is properly deployed and not expected to manage emergencies, which require professionalism, expertise, and aplomb. This is so even though there’s no world in which cyber or IT staff will be able to avoid managing emergencies.
Crippled manpower in turn leads to the creation of and overreliance on heroes: people so committed to the mission they would rather die than take defeat. Heroes train themselves, they work long hours regularly and even longer hours during crisis—and then they burn out. Missions who rely on heroes may succeed in the short term, but when the hero burns out and quits, retires, gets hit by a bus, or becomes sick, the mission will suffer. The mission will then struggle to replace the hero because heroes, by definition, are rare. After all, there would be nothing uniquely praiseworthy about a champion if everyone behaved valorously everywhere all the time.
In the traditional domains of air, land, sea, and space this approach to situational management would never fly. In the visceral realm of physical emergencies, missions broadly recognize the need for expertise-driven teams of people available to help in time of need. It is no different in the fifth domain.
Cybersecurity VS Secure Messengers
“In the RED CORNER, born from HACKERS and FIGHTING out of corporate America, it’s CYBERSECURITY!
And the BLUE CORNER, emerging FROM THE ASHES of the CRYPTO WARS, your returning champion SECURE MESSAGING!” – Bruce Buffer or Schneier, maybe
There’s a tension between cybersecurity and secure messaging, particularly in the word “secure.” Cybersecurity is the art and science of securing and defending assets in cyberspace in order to enable your team to go to mission and win. But secure messaging is… encrypted messaging?
These are two drastically different senses of the word “security,” but we throw them around in similar contexts as if they are the same… and it’s confusing. On the cyber side we have something that sounds like a full, team-driven, multi-functional practice. On the messaging side we have well-configured tools.
Using the term “secure messaging” is, in my opinion, a little misleading. It sounds like we’ve found something static or Platonic, an inviolable principle. In terms of build-time controls or configuration that sounds useful. But operationally we need both well-built walls and defenders on those walls.
Really, we should talk about “encrypted messengers” or maybe “protected messengers.” Then we can map something useful from how the tools are configured as part of our IT environment into a broader picture of our operational security and cybersecurity. A well-built, properly developed and configured messenger with encryption maps into the PROTECT function from the NIST Cybersecurity Framework. We’re performing a function of blocking and logging. And it likely fits the NETWORK asset class from the Cyber Defense Matrix (“CDM”; I’m adapting the all-capitals convention from Sounil Yu and his excellent book, The Cyber Defense Matrix). “Secure communications” is never less than the PROTECT function, but it’s often much more.
Namely, on the internet it includes the rest of the NIST Framework’s functions: IDENTIFY, DETECT, RESPOND, and RECOVER.
For something to be secure in an operational sense, we need to know its boundaries, control it, and monitor it (i.e., we need structural controls, building the logic out from The Cyber Defense Matrix). Then we need to be prepared to defend it by detecting when something is on fire, responding to fires, and recovering from fires. In other words, we need structural controls (good walls) and situational controls (soldiers on the wall to respond to attacks).
Secure messengers, secure video call solutions, etc. not only need to be well-encrypted but also need to be monitored and actively defended. We don’t argue about it much on Twitter/X/whatever-its-name-is-today, but we subtly expect tool developers to deploy and manage well-defended infrastructure. We need to bring that expectation to the forefront of our minds when selecting and evaluating tools:
End-to-end encryption is not enough; we need defensible and defended infrastructures.
Fortunately, we seem to get something like that from the big providers—or do we? Signal, Threema, etc. behave in a way that implies they have defenders managing infrastructure and developers constantly improving code, but very, very few of their attempts to build credibility talk about how they defend themselves against advanced threats as opposed to how well built their walls are. (Though Signal might spend upwards of $600K on IT this year; maybe that includes some defense spending? https://www.crunchbase.com/organization/signal-foundation/technology)
But if we might be getting defense from commercial tools, we (as a broader missionary and high-risk nonprofit sector) definitely do not do a good job of expecting defended infrastructure from our self-hosted solutions. I’ve found that we tend to talk about self-hosted solutions in terms of time and cost to deploy, but not in terms of time/cost to operate, maintain, monitor, and actively defend. If we’re going to accurately count the costs, we need to acknowledge how difficult this is to achieve, ESPECIALLY if your team is small.
There’s no right solution, but defense has to be one of our most important criteria when navigating our various tradeoffs.
“One CISO, please!”
If you’re trying to improve your business’s cybersecurity you’re going to encounter the concept—or rather role—of the CISO. The Chief Information Security Officer.
There’s a lot of discussion online about what a CISO does and who they (should) report to in an organization. To summarize it all very briefly, the CISO is in charge of leading the cybersecurity team and efforts of the business to ensure the business’s success. That means they aren’t security analysts reviewing alerts from network intrusion detection. Rather, they set the goals for cybersecurity, build the team, get the team rowing in the right direction, write cyber-policy, direct training, etc.
You run into the concept of the CISO early on when trying to build the security function of your business because it needs the leadership CISOs offer: they’re leaders, team builders, and strategists. Without leadership, you end up paying for risk assessments and penetration tests that ultimately don’t serve your business.
So if you need a cyber-leader, how much do they cost? Well, Forbes says they average $584,000 per year in salary, not including bonuses and equity (https://www.forbes.com/sites/forbestechcouncil/2023/02/28/why-hire-a-virtual-ciso-in-2023/). That’s extreme and not normal. According to Salary.com CISO salaries range between $220,000 and $275,000 per year with an average salary sitting in the ballpark of $250,000 (https://www.salary.com/research/salary/benchmark/chief-information-security-officer-salary).
Honestly, that’s one-quarter million dollars a year that your business probably doesn’t have. But cybersecurity as a function (made of people, processes, and tools; not a feature built from software) needs leadership.
The odds are that you don’t need everything a $250K CISO brings to the table and if you were to hire one they’d be overkill for your organization. Especially if you’re just getting started, what you need in the short term is a skilled cyber professional that can:
Evaluate risk and shortcomings and present them in terms that non-IT leaders understand
Build plans and strategies to mitigate risk
Set direction, write policy, and design procedures that work for your business
Manage vendors and security training
Set budget
There’s more strategy and documentation in those requirements than leadership. That’s because a new cyber function likely leverages existing personnel and fills gaps by buying services. With a sufficiently well-versed cybersecurity professional, you can manage the function while relying on existing personnel and business leadership practices. That sounds more like hiring a technical program manager (TPM) who works directly for the COO or CFO.
Returning to Salary.com, TPMs have an average salary of $150,000 per year, which is at least going to save you $100,000 while still sparing you the headache of making your COO manage the cybersecurity awareness training or the CFO manage the IT helpdesk vendor (https://www.salary.com/research/salary/posting/technical-program-manager-salary).
Alternatively, you can further lean into buy-over-build while your business continues to grow by bringing in an outside or virtual CISO (vCISO) to accomplish the specific functions you’re missing, while pairing them with empowered leaders within your organization to drive change. The vCISO functions as a strategist, coach, and consultant so that you get the cybersecurity help you need now while you lay a proper foundation so you can continue to grow towards better safety and stewardship.
In contrast to any kind of full-time employee, a vCISO or security consultant can flex to meet you where you are and produce the change you need to see right now. Some vCISO services can be quite expensive, but for us that normally translates to about $4000 for our for-profit clients—or about one-fifth of the cost of a full-time CISO.