Ron Gibbs

Accomplishments

Zero Trust-Alameda County

  • On May 12, 2021, the White House issued an Executive Order on "Improving the Nation's Cybersecurity". The order gave 60 days to develop a plan to implement the Zero Trust Architecture (ZTA). I led a team to understand the executive order's implications and develop a strategy around ZTA.
  • Our first goal was to fully understand the ZTA and develop a strategy to communicate this to the 22 agencies within Alameda County. We did this by developing a County-wide Cybersecurity Policy adopted by the Board of Supervisors that declared that all technology hardware needed to be approved through our organization, where we can vet it against a ZTA. The main goal in a ZTA is to 'assume a breach' and bring as much continuous monitoring to the endpoints as possible. This allowed us to focus on reducing our threat footprint. Among the initial projects we enabled were:
    • We implemented Privileged Access Management, which reduced the threat footprint of our admin credentials.
    • We implemented Role-Based Access Control, which utilized the least privilege principle to only give accounts the access necessary to do their roles.
    • We enabled 2FA and Windows Hello, which helped to further localize our authentication.
    • We moved from a localized AD to a cloud-based ADFS, which federated our AD structure, reduced the number of identity stores, and allowed us to enable conditional access.
    • We began migrating our network to implement micro-segmentation, which helped us reduce our threat landscape should a particular environment become compromised.
  • Although this was our initial effort, Zero Trust is a journey and we understood that it would take time to fully implement. We built into our cybersecurity roadmap several additional phases, such as continuous monitoring of servers and endpoints for vulnerabilities and changes in security state, enabling external feeds to provide the ability to protect against sophisticated attacks in all workflows, and frequent audits to validate that our efforts are aligned with the latest ZTA and cybersecurity best practices and standards.
Security Awareness

  • My first career was teaching high school and college science. The most valuable aspect of that experience was understanding that people had different learning modalities, or ways to learn. A comprehensive and successful program would need to incorporate many different learning styles in interesting ways in order to be successful. Several of the methods I developed and implemented that I found successful were:
    • Live trainings for new hires. I would develop these trainings around breaches I heard about in the news and the latest threats. I would then engage my audience to create discussions around how these threats would affect their roles and what they could do to mitigate them. Many times, my live trainings were highlighted as the most interesting and rewarding portion of their onboarding experience.
    • Cybersecurity forums and fireside chats. October is a great month to kick off any new security awareness outreach with the national security awareness month. I have organized company-wide seminars with guest speakers coming from the FBI or Cisco's threat center. I have had our CEO chat, and have also made it more personal by getting speakers from different agencies to discuss how they approach security and what their unique concerns may be. The more interesting the speakers and topics, the more audience participation I can get and the more it is retained by the employees.
    • Security Champions. I have found that in different departments and agencies, there are usually people who have a heightened interest in information security. I work with these people directly to give them additional insight into the cybersecurity world and to understand their department/agency needs. I then have them work directly with their peers in supporting the cybersecurity initiatives and good practices. This has worked out extremely well in that the security champions are accepted much more readily within their organization, as their peers have a desire to support their own folks.
    • Cybersecurity Stars. I built a program where people are recognized for contributing to the overall cybersecurity presence. This can be from reporting a possible security incident, phishing email, etc. They are then recognized in our newsletter as well as highlighted during our cybersecurity forums.
    • Competitions. Healthy competitions with bragging rights have always worked well with our program. The competitions can be as simple as a completion rate for a security awareness training, or obtaining a low 'click rate' in a phishing campaign.
    • Working with HR is a key component to managing a successful program. I try as much as possible to create an interesting, positive experience for the employees, but ultimately it is the employees' responsibility to act in a secure manner, complete the trainings, and respond accordingly. I built a tiered model of intervention with HR ranging from additional trainings and discussions with the employee up to the possibility of termination. I have not yet been, and hope not to be, in a position to terminate an employee for endangering the company through activities not conducive to good security practices, but it is something that must be on the table to indicate the seriousness of maintaining a solid cybersecurity environment.
Incident Response

  • Incident response is an area that one hopes never to enact. However, I have led several cybersecurity incidents throughout my career. It's a unique experience to be called by the FBI indicating they've found some of the company's data on the dark web and then investigating to find that you've been compromised.
  • The key to responding to an incident occurs long before the incident occurs. It involves extensive IR planning, which includes identifying all roles that may be involved in an incident and playbooks outlining possible scenarios. As we developed this documentation, we realized that this is a continual process. As new attack vectors emerge, new responses need to be included in our playbook. We want to minimize as much guesswork as possible during an incident and lay out as many checklist steps as possible. We review our playbooks quarterly or when a new unique threat has emerged.
  • Once our documentation workflows are in place, we engage with the people we've identified for specific roles and conduct tabletop exercises. I try to get scenarios and support from outside sources and keep the topic and scripts to a very small group of people to keep it fresh for those engaged in the exercise. I prefer to conduct these exercises over a few days, with each day bringing a new set of information into the escalating scenarios. These thought exercises can happen both through email and through short meetings. On the final day, I bring the entire team together for a discussion and lessons learned. These lessons learned then feed back into our living documentation cycle to better align our IR plan. One of my favorite scenarios is bringing in information from two separate attacks. It's a natural human reaction to try to bridge these scenarios as a single incident, but this exercise highlights how critical it is for the team to remain disciplined and not jump to conclusions.
  • With proper preparation, addressing an actual cybersecurity incident should be less stressful. One of the key stressors I've found from experience is, after verifying an incident, giving the appropriate people the authority to contain the incident. This may involve shutting down a server, or a certain portion of the network and identifying those people who can and giving them the authority to do so is absolutely critical.
Security Policy and Procedures

  • Part of any good Information Security Management System (ISMS) is having a well-defined process to create and regularly review all cybersecurity policies and procedures. At Blackhawk Networks, after leading in the development of the ISMS through the ISO 27001 certification program, I developed the process for creating and reviewing policies and procedures. At Alameda County, I assisted in developing the County's first Cybersecurity Policy approved by the Board of Supervisors. Many of the agencies had their own security policies and had little to no review processes or enforcement mechanisms. The county-wide cybersecurity policy allowed me to review and consolidate the various agency policies. I developed a process for review that included key stakeholder input. The majority of the approved information security policies at Alameda County have been written by me and gone through the approval process I've defined.
Customer Trust

  • At Everlaw, the sales team had challenges in addressing security questions from potential customers. I was hired to bridge that gap and provide timely and accurate responses to the potential and existing customers. To set the appropriate expectations, I created a process document outlining how to request responses for such things as RFIs, contracts, compliance, privacy, and security questions, complete with SLAs. Once established, I was able to meet those SLAs for every request submitted, including those that were expedited. Although those questions could be very complex, dealing with various regulations and laws such as GDPR and German privacy laws, my responses were accurate and well within the expected time. My efforts to minimize the response times while communicating the expectations of the new process were so successful that I was soon asked to take on two additional pillars of the GRC: security awareness training and third-party vendor risk management.
People Management

  • I pride myself on my ability to be an effective and productive manager. This stems from the fact that all companies succeed through the efforts of highly productive employees. The art of generating productive employees comes from understanding what they are capable of and finding effective ways to motivate them. A great example of this is when I was hired as the cybersecurity manager for Alameda County. Although Alameda County consisted of 22 different agencies and 10,000 employees, I had inherited only 2 employees whose focus was account provisioning. I started by questioning my employees to understand the areas within cybersecurity that most excited them, then got them training on those areas while I managed the remaining security domains. I also found someone within the server team who was very passionate about cybersecurity and was able to convince him to join my team as a security engineer. Lastly, I was able to hire a Sr. Security Analyst with a deep understanding of security from the perspective of the DoD. Within a few months, I was able to operationalize a very effective cybersecurity team consisting of a security engineer, a senior security analyst, and two security analysts. Although still small for a 10,000-employee company, we were extremely effective because I took the time to understand their passions, provide effective training and guidance, and give them the tools they needed to succeed.
Certifications

  • Certified Information Security Manager (CISM) #1841436

  • Certified Incident Handling Engineer (CIHE) #14282-162-075-8681

  • ISO 27001 Lead Auditor (TPECS)

  • Certified Project Manager (CPM)

  • Project Manager Professional (PMP)