As I’ve worked in cyber security I’ve noticed a few trends. If you’re in cyber security you may have noticed the same. We could, I think, utilize these unfortunate trends in a way that they improve each other. That’s the main point here. But before we get into that, let’s talk about the trends.
- There are more people who want to get into cybersecurity than there are entry level jobs
- There are more mid and senior level jobs than entry level jobs in cyber.
- The greatest need for cyber security support is the small business market
- Good cybersecurity tools and advisory services are typically priced out of small businesses’ budgets
- 82% of ransomware attacks target small businesses
- 60% of small businesses that are victims of ransomware will fail within six months
There are ways to approach both sets of issues: the shortage of entry level jobs and the shortage of cyber security help for small businesses. Though I don’t have a comprehensive solution, I do think there’s an opportunity for both parties to benefit, and I’m calling that opportunity “Guerrilla GRC.”
What is Guerrilla GRC? Wait, what is GRC?
GRC stands for “Governance, Risk and Compliance.” It is, by far, the least sexy branch of cyber security. You’ve got “red team” — the hackers who break into stuff. You’ve got “blue team” — the hackers who defend stuff. And then you’ve got … GRC. You’d think they’d be, maybe … green team? Because of the G? Nope. They don’t get a team. They get an acronym. GRC.
But GRC is the unsung hero of cybersecurity. They make sure that policies are in place, that risk is managed, and that an organization is compliant with appropriate standards or regulation.
And that last one matters WAY more than you realize. See, very few organizations are in a position where they need to reinvent cyber security. They don’t need innovative new solutions or even novel techniques.
Most teams just need to do the basics, and that will protect them from a HUGE portion of attacks.
Think of it like this. To play basketball you need to be able to dribble. You need to be able to move up and down the court. You need to pass and shoot. If you do all those things then you’re getting 90% of the benefits of basketball, which is better health and, hopefully, time with some friends doing something you enjoy.
Some people DO need more than the basics. They need to be able to shoot 40% of threes. They need to be able to dunk (maybe). They need to be able to read a high level offensive set. They need to understand how the triangle offense works (or at least run a pick and roll).
Those people are professional basketball players. What do they get out of basketball? A paycheck! Literally millions of dollars! And those dollars depend on them being able to execute at an EXTREMELY high level. But you, the random basketball enjoyer, don’t need a paycheck. You need health and friends, and so running and shooting and passing will do for you.
Cyber security is just like that. Most organizations don’t need to defend against incredibly complex attacks (especially small businesses). They need to defend against normal attacks — phishing, ransomware, business email compromise, etc.
Those organizations don’t need high level skills. They need to do the basics really well. THAT is where GRC comes in. They can help an organization find an appropriate standard, then help that organization comply with that standard — help them know how to implement the controls they need to defend themselves. They can help them learn the cyber security equivalent of passing and dribbling, and that is much more valuable than people realize.
There are organizations that need more. Governments or defense contractors or financial institutions. But someone’s bakery that they’ve dreamed about opening their whole life? They need the basics. They don’t need a red team expert. They need GRC. The green team (it’ll be a thing, trust me).
Great, I know what GRC is. Now what’s this Guerrilla part?
Guerrilla warfare is how an over-matched group can find victory against someone better resourced than they are. Though we think of it as a modern invention, in China a military leader named Peng Yue is credited with inventing many of the strategies we identify with guerrilla warfare over two thousand years ago.
Around the same time in Rome the “Fabian Strategy” was invented — instead of attacking head on you kept retreating and leaving ambushes and flanks in your wake.
Both generals determined that they weren’t in a position to overwhelm their opponents and both came to the conclusion that they would have to use unconventional strategies — they didn’t have huge armies, so they needed to use what they had in any way they could.
Small businesses are similarly over-matched. They face relentless attacks from an entire industry of cyber criminals, and they do not have the resources to defend themselves like a big enterprise. So what can they do?
We need to use what we have to defend them instead of telling them to get a big army like the big businesses. That leads us to the first principle of Guerrilla GRC:
1. Something is better than Nothing
As I’ve talked to small businesses I’ve realized that they often don’t have any knowledge about cyber security. Shocker, right? That someone who spent their whole life learning how to make amazing tables, perfecting their craft, wouldn’t have taken the time to get their Security+?
In this situation ANY cyber security knowledge is better than none. That’s why someone who is relatively new in cyber — maybe they’ve only gotten their Security+ — can still provide much needed advice. Because they don’t have to explain complex subjects to them! Here’s a list of things a small business that just started out probably needs, but doesn’t have (and doesn’t realize they need):
- Everyone should be using work email instead of personal email
- That email should have spam filters turned on
- Everyone should be using MFA for anything sensitive
- You should be backing up your sensitive data (and most OSes build that in already — they just need to pay for it and turn it on)
- Every computer should have end point protection installed (something they didn’t get for free online)
Are these complicated? No. Can the average Security+ holder help a small business know about these, and maybe even give them pointers on setting them up? Absolutely! Will the company be more secure if they do these five simple things? Of course!
Something is better than nothing.
I know that some people will point out that someone who only has their Security+ certification might make mistakes. They might not know how to properly communicate some of these concepts. They might get the business owners worked up about the wrong things. All of these are valid fears. But the fact remains.
Something is better than nothing.
But let’s address some of these fears with the second principle of Guerrilla GRC:
2. Focus on finding the right wheel, not inventing one
GRC is all about finding an industry-proven standard and helping an organization comply with it. The hard work has been done! Research has been done. Experiments. Thousands and thousands of organizations have used the major cyber security frameworks and their feedback has been rolled up into them.
In GRC the goal isn’t to invent something new. It’s to find the right standard for an organization, and help them apply it. It’s not about reinventing the wheel — it’s about making sure the right wheel (say, a bicycle tire) gets put on the right vehicle (I’ll give you a hint — it’s not a dump truck).
If an entry-level analyst is focusing on a specific framework, ideally one that includes prioritization, it reduces the chances of wasted effort or mistakes in focus. It can still happen, but going back to principle 1: something is better than nothing. I would argue (and, to be clear, I do think you could debate this, but for the sake of this idea I’m taking this position) that a standard applied haphazardly is better than no standard at all.
And hopefully, HOPEFULLY, the teachers of entry-level cyber security skills are helping their students learn how to find, compare, and apply existing frameworks. If that’s not the case then one of the knowledge gaps any kind of “Guerrilla GRC” course would need to fill is which standards are good for which situations, and how to apply them.
Of course, even with a good standard someone could still fail in communicating what cyber security is and why it’s important to the owner of a business. They could scare them instead of encourage and empower them. They could just … be obnoxious. Security people can be obnoxious! Sometimes that’s a good thing, but probably not in Guerrilla GRC. So let’s talk about that.
3. Cyber security is a people problem, not a technology problem
The technology exists. The standards exist. The training exists. More tools exist than you can possibly deploy. There are 900 different endpoint protection vendors. There are 472 SIEMs. There are an even ten thousand backup and restore providers.
Everything is there, but people still suffer from ransomware attacks and wire fraud. Why?
Because it’s not just the technology. It’s the people.
For someone to be protected a few things have to happen:
- They have to know what they are protecting against
- They have to be motivated by understanding why it’s important (or what the stakes are)
- They have to know what they can do to protect themselves
- They need to do those things
- They need to keep doing those things
Many nascent cyber security efforts have ended on step 2 when a cyber security analyst (or executive) can’t fully explain why Multi-Factor Authentication is important.
And that’s understandable! It’s not horribly complex, but it’s esoteric, so it takes effort to get our aforementioned baker or table master to understand what it is, how to do it, and what it protects against.
The Guerrilla GRC practitioner who has a standard in hand and all the technology in the world will still fail to make meaningful improvement if they cannot communicate. THAT’S the key to Guerrilla GRC and that’s the main thing I hope it brings. Not new technology or procedures or anything. I hope that we can find better ways to communicate cyber security concepts to EVERYONE. But especially bakers and people who make tables (I might be hungry while writing this).
Much of what I write about Guerrilla GRC (if this does indeed become something I write about) will be about communication and psychology. It’s the area that entry level cyber security practitioners (and many advanced ones) would most benefit from. It’s what may help them make a lot of big differences in small places, which leads us to our final principle:
4. Take the Win/Win
Small businesses need help with cyber security. Cyber security hopefuls and enthusiasts need reps. They need experience that they can put on their resume to demonstrate that they’ve done something with cyber security.
So the purpose of Guerrilla GRC isn’t to convince a bunch of people to start one-person cyber security consulting businesses. It is to encourage anyone who is interested in cyber security to look around them and find the opportunities they already have to help other people with cyber security.
You can help your family. You can help your friends (and their family). You probably already know some people who run small businesses — or maybe you frequent one and really appreciate their Pão de Queijo and/or tables and have struck up conversations with the owners about how delicious their Brazilian Cheese Bread is.
There are people in your life already that probably need help. Odds are good they’re not the sort of people you would ask money from, so don’t! Take the win/win. Take the experience, and help someone you love (who makes delicious bread).
I can’t promise it will open doors for you in the cyber security world. It can be tough! I linked to that above. But, and you’re going to get tired of me saying this, BUT
Something is better than nothing.
Hang on one second
This is just an idea, and I really, REALLY want some feedback. If you’re getting into cyber, do you read this and go “This is insulting and also impossible!” If you’ve been in cyber do you read this and go “You’re unleashing HELL on these poor small business owners!” I would like to know!
BUT I would also like to know what you think should be done instead. It’s easy to crap on an idea, and this idea has a lot of holes, I’m not going to lie. But the need is there, and I’m trying to do something with the resources we have. If you know of a better way to do it, though, I’m all ears.
We’re working on a small organization that will target these types of businesses where I work and we’re doing our best to help out, and I’m pretty excited for it. But the more I thought about it the more I realized that it will take more than one org to make a meaningful change. Maybe releasing a book or YouTube series or something about this concept, along with the resources we’ll make available through the company I work for, might be helpful. But I’m not sure, so let me know what you think.