Conversations in Risk-Based Security

Optimizing the CISO’s Gameplan: Governance, Compliance, & Diversity

Posted by Lynx Technology Partners on Nov 4, 2019 10:03:49 AM

Originally written and published by Kevin Howarth of NTSC (NTSC.org)

If a theme emerged in the National Technology Security Coalition’s (NTSC) recent conversation with Aric K. Perminter, Chairman and Founder of Lynx Technology Partners, it’s that CISOs are seeking services and solutions that enable simplification, automation, and integration of strategic, operational, and IT risk management processes and data. As a security visionary and leader, Perminter guided Lynx Technology Partners through its founding in 2009 into a multimillion-dollar information security and risk management company. As chairman of the Board of Directors, Perminter is responsible for formulating and executing long-term strategies and interacting with clients, employees, and other stakeholders. During his 25-year career, Perminter has held a wide variety of leadership positions across key parts of information technology businesses—including serving as Lynx’s CEO through August 2015.

In this interview with the NTSC, Perminter talks about how CISOs should approach governance, why compliance is an essential part of information security, and a set of best practices that CISOs can apply to grow diverse teams.

Insider threats of all types—whether negligent or malicious—keep steadily increasing. Organizations seem to have difficulty detecting and combatting these threats, increasing cybersecurity costs and risk. Why are insider threats such a problem, and what can CISOs do to manage this threat effectively?

Businesses of all sizes face the risk of insider threats. The entire C-suite, not only the CISO, recognizes in the real world that an insider threat is simply a threat coming from people within or closely related to an organization. Regardless of how or why the threat is introduced to your environment, the potential damage can be catastrophic. For example, take the story of the Georgia-Pacific sysadmin who was laid off in 2014. After he was terminated, his user credentials and VPN access were never revoked. Unhappy with being let go, the sysadmin logged on remotely and began causing trouble with the paper manufacturer’s operations at the Louisiana plant. For two weeks, he had his way with the factory and caused more than $1.1 million in damage due to work stoppages and waste.

Recent studies have revealed that insider threats, including those posed by workers making unintentional mistakes or failing to follow standard security protocols, are the cause of 60–75 percent of all workplace data breaches. Yet these threats can be even more difficult to catch, and stop, than an external attack. After all, insiders are supposed to be there. So what do you do? At a high level, you must:

  • Create a security awareness program. Yes, this includes mandatory training programs. And yes, employees will complain. But training and an ongoing awareness program allow employers to reinforce basic learning requirements and update them as threats change.
  • Enforce a policy of least privilege and ensure separation of duties. For sysadmins, this means no more logging into your local PC with the domain administrator account. It’s better to lock things down too tightly and loosen them up only after taking a critical look at what access a role really needs to do its job.
  • Enforce complex password policies, turn on two-factor authentication, and ensure accounts and group roles are managed. Even today, account sharing and a password of “password” are real things that get account information stolen and cause intentional or unintentional damage. Lock things down—and make sure to train your users on how to manage their personal information.

I think most will agree that any business, regardless of size, can benefit from following these simple steps.
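To make the account-management and offboarding points above concrete, here is an added example (not code from the interview, the NTSC or Lynx): a reconciliation check that compares an HR roster with access records and flags the Georgia-Pacific pattern of access that outlives employment, orphaned accounts with no owner, and group memberships beyond what a role needs. All user names, roles, systems and group names are constructed.

```python
# Added example: offboarding and least-privilege reconciliation over constructed data.
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Person:
    user: str
    role: str
    terminated: Optional[date]  # None means still employed

@dataclass(frozen=True)
class Access:
    user: str
    system: str                  # e.g. "vpn" or "ad"
    groups: FrozenSet[str]
    last_login: date

# Standing group membership each role is allowed to hold; anything beyond it is a finding.
ROLE_ALLOWED = {"sysadmin": {"Domain Admins", "Server Admins"}, "analyst": {"SOC Analysts"}}

# Constructed sample data: jdoe was terminated but kept VPN and domain-admin access.
HR = [Person("jdoe", "sysadmin", date(2014, 2, 14)),
      Person("asmith", "sysadmin", None),
      Person("bchen", "analyst", None)]
ACCESS = [Access("jdoe", "vpn", frozenset(), date(2014, 2, 25)),
          Access("jdoe", "ad", frozenset({"Domain Admins"}), date(2014, 2, 25)),
          Access("asmith", "ad", frozenset({"Domain Admins"}), date(2014, 3, 1)),
          Access("bchen", "ad", frozenset({"Domain Admins"}), date(2014, 3, 1)),
          Access("ghost", "vpn", frozenset(), date(2014, 3, 2))]

def audit(hr: List[Person], access: List[Access], today: date) -> List[Tuple[str, str, str]]:
    """Return (user, system, reason) for every access record that should not exist."""
    roster = {p.user: p for p in hr}
    findings = []
    for a in access:
        p = roster.get(a.user)
        if p is None:
            findings.append((a.user, a.system, "no HR record: orphaned account"))
        elif p.terminated is not None and p.terminated <= today:
            reason = "access still active after termination"
            if a.last_login > p.terminated:  # credentials used after the person left
                reason += f"; last login {a.last_login} is after termination"
            findings.append((a.user, a.system, reason))
        else:
            extra = a.groups - ROLE_ALLOWED.get(p.role, set())
            if extra:
                findings.append((a.user, a.system, f"groups beyond role: {sorted(extra)}"))
    return findings
```

Run against the real HR export and directory/VPN exports on a schedule; each finding is either a ticket to revoke access or a documented exception.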

During many CISO discussions this year, we’ve heard about the challenge of getting IT, security, risk, and executive leadership onto the same page about cybersecurity governance. What challenges do you see CISOs currently having with governance, and what are some ways they are meeting (or can meet) this challenge?

My definition of cybersecurity governance is “the way rules, norms, and actions are structured, sustained, regulated, and held accountable.” It isn’t natural for humans to want to be held accountable. We’re all hidden free spirits in a way. For instance, if you ask most people if they are secure, the question strikes fear and dread into their heart. Their initial gut reaction is to respond, “Well, that’s a complicated question.” The reason it’s complicated is because security is never really “done.” If that’s true, cybersecurity governance and the need for people to be held accountable isn’t going away. It’s the bully that never lets you walk home in peace.

Based on my discussions with multiple CISOs, I believe that shifting from Governance, Risk and Compliance (GRC) to an Integrated Risk Management (IRM) model will help streamline communications across IT, security, risk, and executive leadership since it enables simplification, automation, and integration of strategic, operational, and IT risk management processes and data. CISOs recognize the need to go beyond traditional compliance-driven GRC technology solutions to provide actionable insights aligned with business strategies, not just regulatory mandates. In my humble opinion, those who can deliver a vertically integrated view of risk starting with their organization’s strategy through its business operations and ultimately into the enabling technology assets will be most successful.

The NTSC remains concerned that most security compliance activities do not help prevent data breaches. Instead, compliance requires heavy investments toward requirements that don’t necessarily protect consumers or improve the cybersecurity posture of a company. From your point of view as you help CISOs with compliance activities, what are some ongoing challenges you’re seeing and, if applicable, any improvements you’ve seen with compliance?

There’s an old saying that compliance does not equal security, and I couldn’t agree more. Compliance is a massive time suck on a CISO’s resources, which is very frustrating because it impedes their ability to demonstrate tangible value in a short period. CISOs prefer a risk-based, data-centric approach to security compliance activities. Hence, the shift from GRC to IRM referenced earlier. Not to beat the IRM drum per se, but IRM helps identify redundancies and inefficiencies in organizational compliance and security, allowing CISOs to eliminate processes that add no value, allocate funds and human resources more effectively, improve compliance and security functions on all levels, and free up employees to work on projects that further their companies’ goals.

It appears that the US may be seriously examining privacy in ways that parallel GDPR. The California Consumer Privacy Act could initiate a wave of privacy laws similar to the patchwork of national data breach notification laws. What are your thoughts on privacy in the US, and are you optimistic or concerned about where we might be headed?

As an ever-increasing number of Americans are referring to GDPR as a model, not many appear to comprehend what GDPR requests. The ambiguity leaves individuals more, not less, confounded regarding what GDPR includes and, maybe not circumstantially, enables organizations to falsely guarantee they are giving GDPR-like assurances.

I am optimistic about the US examining privacy in ways that parallel GDPR. In fact, states already enforce data breach notification statutes which, in my opinion, are the nearest resemblance in the US to extensive data privacy regulation. For the most part, these rules require a company to tell the impacted people in an incident that it endured a data breach resulting in the loss of Personally Identifiable Information (PII).

During an event last week, I exchanged contact details with a recent cybersecurity college graduate who logged into LinkedIn from a “secure” browser on his mobile phone. I asked, “Why have you not downloaded the app?” They replied, “I do not download any apps on my phone to avoid unknowingly granting access to my private information.” Initially, I thought his decision was overkill, but after giving it some more thought I gained a greater appreciation for the due care they took with their sensitive information. So, while I remain optimistic about the US seriously examining privacy, I’m equally concerned with the impact our approach to privacy will have on businesses and individuals.

With cyber threats becoming more complex each year, the new imperative for CISOs is to create a more resilient and highly responsive security posture. As a result, preparing cyber teams to become more responsive to cyberattacks is essential. One of Lynx’s core competencies is designing and building cyber ranges. How do cyber ranges help companies and cybersecurity teams with resiliency and responsiveness?

Cyber ranges provide a relevant, integrated environment for demonstration, training, exercising, tool development, and testing a full spectrum of cyber capabilities. Recently, I was talking to a CISO at a large healthcare organization about the retention of his team. I asked him, “Do you have much staff turnover?” He said, “Not really. Everyone is excited about the work we do. Our biggest concern is that, because things are going so well, my team isn’t getting enough experience fighting the fight.” Cyber ranges bring practitioners into the fight, help keep them sharp, and ensure they retain the skills needed to perform exceptionally well in their job.

Also, cyber ranges help with security technology capabilities. Think about how much time and money teams spend evaluating different technologies only to purchase them and ultimately learn the solution didn’t mitigate the intended risk. A cyber range enables teams to jumpstart how they will manage the technology and make the best decision for the organization. It’s not just an education or skills resource. For the CISO, a cyber range allows the testing of technologies in as close to a real-world scenario as possible before investing in cybersecurity technology.

You are the President of the International Consortium of Minority Cybersecurity Professionals (ICMCP), a group focused on getting a higher representation of women and minorities in the cybersecurity workforce. From your experience, what are some ways that CISOs can grow a more diverse workforce?

CISOs must provide clear and measurable cybersecurity career paths if they intend to attract top talent. A few things they can do to grow a more diverse workforce include:

  1. Be more creative about where they search for their workforce. They don’t always have to run to the Ivy Leagues or certification courses. Instead, start looking at community colleges and historically black colleges and universities.
  2. Clearly articulate growth opportunities within the company to potential new employees. If you don’t articulate these growth opportunities, then the individual will take your job until they get the next offer from a company that can offer growth opportunities.
  3. Relax some of the hiring criteria aligned with the job role that’s placed on candidates. For example, you don’t need to have a four-year degree or technical certification to read and understand NIST from a program management perspective. Assign it to a junior community college student or someone without a college degree and just say, “I need you to master this context. Any time I have a question about NIST, I will rely on you for the answer.” That person is still in cyber, but not in a technical role.
