Meet the new head of training!
We are pleased to announce a new team member at Ericius Security!
Corey Keating is a cybersecurity professional with ten years of cybersecurity leadership experience in the healthcare industry. He’s led cybersecurity, risk management, and training efforts at a large hospital. He has over a decade’s experience teaching technology and cybersecurity topics at the college level. Corey also has a long personal practice of consulting with and providing training to missionaries on personal and corporate cybersecurity. I wouldn’t be surprised if many of you already know and recognize him because of all his contributions in the missionary world through Mark 5 Ministries.
Corey holds a variety of certifications, including a PhD in Cybersecurity, Certified Information Systems Security Professional, and SANS Security Awareness Professional, and joins the Ericius team as our head of training. He will lead our efforts to provide cybersecurity training to missionaries and NGOs both virtually and face-to-face. With his help, we’re greatly increasing the capacity that we have for training and exercises.
If you or your team need a booster shot of cybersecurity training, a custom training session for your specific needs, or tabletop exercises, please reach out to me to schedule something! We’d be happy to help.
When he’s not busy training, Corey helps the Ericius team as one of our Ericius C2 cybersecurity cohort managers and helps us improve the quality of our assessments and coaching services. I am overjoyed to welcome such a wise and proficient communicator to our team.
Need training? Email us at hello [at] ericiussecurity.org
Ericius Security WARGAMES Podcast!
You may have missed our new podcast. If so, that’s because you’re not signed up for the newsletter!
As of today, we’ve published two episodes, one with Andy Galpin from Tree and Leaf Partners and one with Brandon Giella from SnapMarket.
Here are some highlights from the show with Brandon:
Brandon on redemptive marketing:
"...If you're familiar with Praxis, they have a redemptive entrepreneurship--redemptive finance--all these other kinds of things. And so we're taking on that with redemptive marketing and trying to build a marketing organization that is not centered on fear, uncertainty, and doubt (FUD) which... I hate... I don't want to create more fear, uncertainty and doubt in other people. Why would I want to do that? That is not what I'm called to do as a human being is made in the image of God. ..."
Brandon on business culture:
"...Some of the projects that I was working on clients were wanting to talk about... 'How do you build a culture at your organization? How do you create employee retention or employee engagement? How do you build like mission/vision/values or set a purpose for your team...?'
And I'm thinking in my head like, well, those are theological questions! What is the purpose of a company? Well, that's a huge philosophical question! What is a business? What is capitalism? What is money? You know? And how should it be used?... that's what was going on in my head just because the way I've been trained as a seminarian..."
Free Cyber Training
This summer we delivered our third iteration of “Building Cybersecurity Programs” and were pleased to capture a ton of B-roll. We’ve assembled it together as videos that you can use to improve your cybersecurity efforts on-demand at no charge.
This training not only gives you a 301-level course on improving your organization’s cybersecurity efforts but also gives you a view into how we think about consulting, strategic advisory, and virtual Chief Information Security Officer services.
Access all six training modules here
I’d also like to take this opportunity to remind you all that Ericius Security is a nonprofit that helps high-risk nonprofits build cybersecurity programs so that they can keep their people safe.
High-risk usually means a combination of missionaries, counter-crime, and counter-human trafficking. Though we do help people broadly, whatever sector they are in; I don’t like seeing anyone left behind by the cyber industry.
Being a nonprofit means (among many things) that we control our prices as best we can. Not only do we try to price our services at the bottom end of appropriate costs, but we also rely on donations to drop prices further.
Imagine that we’re providing month over month support for a small, 30-person nonprofit working counter-trafficking (which we are). Normally, that’d cost just about $4000 to align an adequately skilled cybersecurity expert to the problem and provide a meaningful amount of value.
You can imagine that a small not-for-profit can’t afford that amount of cybersecurity aid. You’d generally be right.
That’s where our donors come in. Month over month donations help us cover the cost of acquiring and maintaining expert talent so that we can reduce the amount of that cost that must be passed on to clients. That then gets us into “low-bono” territory, which gets more work out the door.
If you’re interested in joining the group of donors subsidizing our work for missionaries in creative access areas, counter-crime groups, and teams rescuing and rehabilitating trafficking victims, please sign up to give here.
What Security Says About Teams
Cybersecurity (henceforth, “cyber”) is the art and science of securing and defending assets in cyberspace so that your business can go to market and win. Or, so that your mission can go to the field, succeed, and stay there longer.
I’m continuing from the last newsletter, where I (incorrectly?) asserted that cyber’s use of “security” and secure communications’ use of the word are different. This time, instead of saying they’re different definitions (they frequently are), I’m asking: what if we adopt cyber’s definition and force it to go to work for us more broadly? You don’t need to read the last newsletter to understand this one.
Before we explore what cyber says about communications security or secure communications again, let’s see what cyber has to say about our team structure.
Cyber is a function of your business. It’s subordinate to the needs and goals of the mission, and it’s a repeatable, persistent part of your work. Pulling from CISA’s mission statement, The Cyber Defense Matrix (“CDM”), and Sounil Yu’s general brilliance: cyber comprises both security and defense because it is concerned with both “left of boom” and “right of boom.” In other words, it’s concerned with prevention (“left of”) of negative events (“boom”) and response to negative events (“right of boom”).
Accordingly, it’s concerned with both managing the structure of your IT environment and the situations that impact it—so-called incident response. Situational management, of course, requires people with margin.
Organizations who don’t view cyber as a function of the mission tend to camp in the PROTECT function of the NIST Cybersecurity Framework (see this older article) and focus on cybersecurity as a static condition or point in time (I’m adapting the style of CDM for clarity). At Ericius, we see this all the time.
Viewed this way, cybersecurity only covers about twenty percent of the value it should provide. This static viewpoint and lack of coverage has dire consequences. Most obviously, mistaking PROTECT for whole-functioned cybersecurity ignores emergency preparedness and incident response.
Next, static-cyber leads to a tendency to understaff and under-resource cybersecurity. It not only leads to viewing cybersecurity as a condition that can be purchased and deployed but also results in constrained staffing because situational management isn’t allowed to drive the creation of margin and thereby manpower.
Then, what staff is made available is underskilled, managed with low expectations, and undertrained, because they are expected to make sure cybersecurity is properly deployed and not expected to manage emergencies, which require professionalism, expertise, and aplomb. This is despite the fact that there’s no world in which cyber or IT staff will be able to avoid managing emergencies.
Crippled manpower in turn leads to the creation of and overreliance on heroes: people so committed to the mission they would rather die than take defeat. Heroes train themselves, they work long hours regularly and even longer hours during crisis—and then they burn out. Missions who rely on heroes may succeed in the short term, but when the hero burns out and quits, retires, gets hit by a bus, or becomes sick, the mission will suffer. The mission will then struggle to replace the hero because heroes, by definition, are rare. After all, there would be nothing uniquely praiseworthy about a champion if everyone behaved valorously everywhere all the time.
In the traditional domains of air, land, sea, and space this approach to situational management would never fly. In the visceral realm of physical emergencies, missions broadly recognize the need for expertise-driven teams of people available to help in time of need. It is no different in the fifth domain.
Cybersecurity VS Secure Messengers
“In the RED CORNER, born from HACKERS and FIGHTING out of corporate America, it’s CYBERSECURITY!
And the BLUE CORNER, emerging FROM THE ASHES of the CRYPTO WARS, your returning champion SECURE MESSAGING!” – Bruce Buffer or Schneier, maybe
There’s a tension between cybersecurity and secure messaging, particularly in the word “secure.” Cybersecurity is the art and science of securing and defending assets in cyberspace in order to enable your team to go to mission and win. But secure messaging is… encrypted messaging?
These are two drastically different senses of the word “security,” but we throw them around in similar contexts as if they are the same… and it’s confusing. On the cyber side we have something that sounds like a full, team-driven, multi-functional practice. On the messaging side we have well-configured tools.
Using the term “secure messaging” is, in my opinion, a little misleading. It sounds like we’ve found something static or Platonic, an inviolable principle. In terms of build-time controls or configuration that sounds useful. But operationally we need both well-built walls and defenders on those walls.
Really, we should talk about “encrypted messengers” or maybe “protected messengers,” then we can map something useful between how the tools are configured as part of our IT environment into a broader picture of our operational security and cybersecurity. A well-built, properly developed and configured messenger with encryption maps into the PROTECT function from the NIST Cybersecurity Framework. We’re performing a function of blocking and logging. And it likely fits the NETWORK asset class from the Cyber Defense Matrix (“CDM;” I’m adapting the all-capitals convention from Sounil Yu and his excellent book, The Cyber Defense Matrix). “Secure communications” is never less than the PROTECT function but it’s often much more.
Namely, on the internet it includes the rest of the NIST Framework’s functions: IDENTIFY, DETECT, RESPOND, and RECOVER.
For something to be secure in an operational sense, we need to know its boundaries, control it, and monitor it (i.e. we need structural controls, building the logic out from The Cyber Defense Matrix). Then we need to be prepared to defend it by detecting when something is on fire, respond to fires, and recover from fires. In other words, we need structural controls (good walls) and situational controls (soldiers on the wall to respond to attacks).
Secure messengers, secure video call solutions, etc. not only need to be well-encrypted but also need to be monitored and actively defended. We don’t argue about it much on Twitter/X/whatever-its-name-is-today, but we subtly expect tool developers to deploy and manage well-defended infrastructure. We need to bring that expectation to the forefront of our minds when selecting and evaluating tools:
End-to-End Encryption is not enough, we need defensible and defended infrastructures.
Fortunately, we seem to get something like that from the big providers—or do we? Signal, Threema, etc. behave in a way that implies they have defenders managing infrastructure and developers constantly improving code, but very few of their attempts to build credibility talk about how they defend themselves against advanced threats, as opposed to how well built their walls are. (Though Signal might spend upwards of $600K on IT this year; maybe that includes some defense spending? https://www.crunchbase.com/organization/signal-foundation/technology)
But while we might be getting defense from commercial tools, we (as a broader missionary and high-risk nonprofit sector) definitely do not do a good job of expecting defended infrastructure from our self-hosted solutions. I’ve found that we tend to talk about self-hosted solutions in terms of time and cost to deploy, but not in terms of time and cost to operate, maintain, monitor, and actively defend. If we’re going to accurately count the costs, we need to acknowledge how difficult this is to achieve, ESPECIALLY if your team is small.
There’s no right solution, but defense has to be one of our most important criteria when navigating our various tradeoffs.