Aligning IT and security teams with the business is an oft-discussed topic and even though security professionals might say they are aligned with their businesses, many can’t articulate how the business makes money.
That’s not all—they should also know what the security strategy is that enables the technology to help make sure the business makes money, said Task Force 7 Radio Host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies.
The importance of knowing what buy in and alignment mean and the foundational elements of a security program were among the topics of conversation Monday night between Rettas and his guest, Sean Walls, vice president and CISO of retail and healthcare company Visionworks.
Security has evolved over time from and “matured from the server room to the boardroom,’’ said Walls. “We've watched it become more than just an extension of IT… It's more than just technology. It's an overarching discipline.”
He said it’s been a “privilege” witnessing the maturity of this functional group that didn’t exist some 25 years or so ago into an integral part of the business strategy for any organization.
Whether he’s consulting or in the context of his work with Visionworks, Walls said the first thing he does is “to meet all the significant influencers, the decision makers, all the way up to the board of directors to understand what the nature of the business is, how it makes money, what the plan is for that year and for two-to-five years down the road.”
That allow him to implement a security strategy that “doesn't get in the way, but empowers and enhances and enables the business,’’ said Walls.
For example, you might be working for a company whose top priority is to break into certain markets in California, which recently implemented the CCPA, Walls said. “Having a compliance program that's nimble, that's flexible, that's mature, that can move swiftly to be able to ramp up and meet those compliance requirements will help speed you to market, will help the organization beat the competition into that particular space, save money, and help drive revenue.”
Security teams can and should be perceived as generating value as opposed to just the group that preserves value, Walls said.
“We can generate value through … speed to market through compliance mechanisms and programs that are efficient, that are flexible” by securing them, he said. The goal during the product development lifecycle is to “make sure that security is baked into it. So you save money in the long run and make sure that when you go to market you're not dealing with lawsuits or issues because of the lack of forethought from a security perspective.”
The Importance Of Security Skills -- Both Technical And Soft
In response to a question from Rettas about whether information security skills can be transferred from one vertical to another, Walls said that security principles, standards, and best practices are all transferable.
Even though both financial services and healthcare are both heavily regulated and those regulations are different, “those security best practices may remain the same’’ with some nuances, Walls said.
The conversation then turned to the importance of soft skills to get people to buy in to security-related issues. Walls said a company’s culture and attitude toward security will determine how much security teams can accomplish.
The foundation has already been laid if you work in a highly regulated industry, so the business already understands the value of security, he pointed out.
Building an effective information security program requires soft skills, Walls said. “The interpersonal rapport, the trust and the credibility that you build with the business and with other functional groups within your organization is critical because getting buy-in to effect change within an organization is huge.”
Top Five Security Foundational Programs To Implement
Companies must identify and inventory what they have and then do gap analysis before starting to build a foundational security program, Walls said. “But you lay the foundation with programs that can identify and respond to threats that can ensure the continuity of the business. He cited five he said companies should strongly consider but added that you can grow security program “forever and ever. That process never ends.”
The first is prioritize is asset management. You might say, "Well, that's not securing anything,” but it's identifying what you need to secure, Walls said. “If you don't know what you have in your environment--what's permitted from a hardware, from a software perspective, what your architecture looks like, how data flows throughout your organization--then you're going to be clueless as to how to apply controls in an adequate way to secure the business.”
The second one is incident response. “Our number one responsibility as an information security officer or an information security officer is to ensure the resiliency of the business, the ability to respond to a threat and/or business impacting event in a way that allows the business continuity with the least impact,’’ Walls said.
Companies need to ask if they were to be hit with ransomware or some kind of malware, could they bounce back and restore their operations? “At the end of the day, that's your job: to make sure the business continues and any negative impact as a result of cyber threats are minimized to the greatest degree possible.”
Companies must also have a disaster recovery plan--the ability to restore business operations from a technical perspective.
They also need to have an identity and access management (IAM) plan coupled with privilege access management, he said.
Vulnerability management is another foundation companies need, Walls said. This means ensuring that you identify weaknesses within your organization and have a program or a process for mitigating it. “A lot of times, that goes hand in hand with patch management because 85%, 89% of our vulnerabilities are usually patch related.”
That means making sure you're scanning for vulnerabilities at the system level right up through the application layer, identifying holes, missing patches, configuration errors, and having a plan to remediate and address those.
Walls also stressed that companies need to train employees on what a threat looks like, how to respond, and how to notify the organization of malicious activity. Make sure “that you train your employees, who a lot of times are considered our biggest risk” because they are being entrusted with a company’s biggest asset: their data, he said.
Plan Of Attack For A New CISO
Rettas pointed out that sometimes a new CISO comes into a security organization that is already been built. He said he finds that “a lot of people don't want to follow a new CISO. And maybe that's why a lot of CISOs bring in their own people to make it easier on themselves.” He asked Walls if he sees that as well.
Walls replied that he does. The way around that is by “developing relationships with the decision-makers, the influencers within the organization, developing that credibility, that interpersonal rapport’’ he said. “Because in order to effect changes within an organization, you need to have allies and advocates and champions of cyber security within the various functional groups and divisions and business groups within the organization [otherwise] you're never going to change culture. You're never going to change people.”
He added that the culture is not going to change for security – the CISO needs to align security with the culture. “You’ve got to put a program in place that greases the gears and make sure that it fits within the culture and the way that an organization gets things done.”
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.
To listen to this and past episodes, click here.