How Building a Solid Foundation Will Help Grow Your Cybersecurity Program
Cybersecurity is such a broad subject that organizations often become stifled when trying to develop a full cybersecurity program. Organizations that already have a cybersecurity program in place can also unpleasantly discover gaps in their efforts, making the entire venture seem moot. One way to get started effectively, and to prevent gaps, is to build a good foundation upon which a cybersecurity program can grow and mature.
I recently had the opportunity to speak with David O’Leary, Sr. Director of Security Solutions for SHI/StrataScale. David’s experience dates back to the inception of network and cybersecurity, so he has a wealth of real-world experience that any organization can draw on in starting, scaling, and maturing its cybersecurity program. David, can you tell us a bit about your history and where your journey to cybersecurity began?
David O’Leary: Yes, and thanks for the opportunity to talk with you today. It’s been a great ride into what has developed into cybersecurity. I like puzzles, and I like to put multiple puzzles together at the same time. I also enjoy building automobiles. While this is not necessarily cybersecurity-related, my hobbies allow me to translate that mechanical mindset into my work. This gave me a solid background in methods and processes.
When I was younger, around 20 years old, I was fortunate to work in a data center, building out core infrastructure. I worked on every component of a data center, from routers, to Unix systems, and whatever else they threw at me. I was soaking up this experience and loving it, and it was all good technology. I had my fingers on the keyboard and my hands on the data center. Back then, when you had to build, push things into racks, and physically put everything together, it gave you a true sense of all the parts involved in the data flow. One day, the company decided that they wanted to be on the Internet. They wanted me to do it because I had all the skills and knowledge about the physical and logical workings of the equipment.
Back then, in order to set up an email system, the firewalls had to be built from scratch, and you had to map protocols and block protocols to secure the environment. So, that was the beginning of the journey. I was just enthralled and happy; this was just another level of cool technology.
I progressed through multiple cool jobs, developing a lot of perspective from working on the client side. Over time, I switched over to solving problems for clients and leveraging cool technologies to do so. Today, I’m focused on bringing good solutions and good people together, listening to what’s happening on a global scale, as well as having a finger on the industry. It is still a lot of fun.
PL: Thanks for that background. When you’re working with the large customers such as Fortune 50 giants, often those organizations will try to work with particular security frameworks. Those frameworks often play a vital part in their security programs. What frameworks are you seeing, and on the level of experience that you’ve gained, where would you recommend that organizations invest their time?
DO: Frameworks are a very vital part of a solid security program because they’re a guideline that a company should use to develop a roadmap. There are lots of frameworks, so I’m very open to all of them, for clients have different types of businesses with different needs. It’s best to be very open to the various frameworks that are out there. The best starting point is to understand what the business needs are. For example, if you have managed services, and you develop that in any capacity – whether you’re on the technical side or maybe you offer a service through a data center to a client base, you need a SOC 2 – you’ve got to add that into the mix. You may be coming to FISMA on the financial side or other types of compliance frameworks. So, fundamentally, a framework needs to be in place.
There are choices of capabilities. My advice to any client is to ensure they’re picking one, interpreting it, and sticking by it, for this gets into how to adhere to compliance regulations. Compliance regulations ride on top of frameworks. It gets into how we think about the technology controls, which are vitally and fundamentally important. The NIST CSF is all encompassing, so if you haven’t chosen a framework, start there. It covers cloud, and it covers business aspects. It is very, very, comprehensive. Have a framework in place, and align your business to it.
PL: I want to dig in a little bit deeper on the framework mentality and customer security roadmaps because it’s difficult to look into the future. When you’re talking to your customers and evaluating their security roadmap and their frameworks, where are the three or four key areas that you would tell an organization to really focus on?
DO: Great, great question. Whether the company is a huge multinational or even a small organization, a key component is that whoever is responsible should understand their roles and responsibilities. They should also be plugged into an ecosystem of other individuals that have different responsibilities, for security is tangential. It’s plugged into so many aspects of an organization including lawyers, C-level executives, and other technology teams. Cross-team engagement is extremely important. It’s fundamental for IT operations, as well.
It is always important to start by examining the current state of an organization’s security program as well as the current security architecture. So, gaining an understanding of the technologies that are deployed, how well those technologies are deployed, and how comprehensively they’ve been deployed is also important. So, a question that also needs to be answered is, “Are they using all the functionality that’s in the suite of products that are in use?” In today’s day and age, any given company has between 25 and 50 tools deployed, and this can be confusing. You’ve got to remove those complexities, allow the teams and the resources to focus on the job at hand, as well as have the tools in their toolbox to do the job. The good news is the industry is responding, and manufacturers are building portfolios. They’re looking at this from a solutions perspective.
The next thing that’s really vital is the following question: “What are the objectives of the program?” And on a related note, “How aligned are they with the business outcome that they are seeking?” A company is in business to perform a job, and we need to perform to help the business continue to grow, sell a product, and deliver a service. Objectives are key in that regard. They need to be measurable. They need to be aligned with business goals. And then, a mature security program has agreement and acknowledgement on what the level of risk is and how they’re managing the threat landscape for that business. And that’s at an executive level.
PL: It’s incredibly important. Whether leading a security team, a compliance team, or wherever it may be, communicating the value of a security program up to the executive suite needs to be part of the equation. The idea is to match the program with regard to the inner workings of making sure that the organization is successful.
As you look at organizations that have these frameworks in place and that have these multiple tools, how are organizations monitoring their success? Or when identifying the gaps that they currently have, whether they’re based on their business goals, risk posture, and/or frameworks, how do you measure that?
DO: It’s really incumbent upon security leadership and also leadership in the organization to be able to understand what they’re doing from a programmatic perspective. It’s the chief security officer’s job to educate all the fundamental teams that are around him. And again, it needs to be aligned to the business objectives, so it has to be done at a business level. If you think of a pyramid from the top of that business level to the bottom of that pyramid, you have to speak the language that applies to each level.
Additionally, self-assessment – that is, knowing where you are at any given point – is crucial. It’s like walking through a city. If I’m in New York City, I’ve got eyes all around my head, I’m going to watch out for where I’m going and what’s going on. I’m going to do whatever I can to ensure that I’m not taken by surprise. Similarly, with an organization’s security, there has to be some honesty within the program and allowance for third-party review. Assessment at that level can be complex, and if we internalize it and don’t talk about it at the right level, we’re not going to be optimally successful.
PL: It’s often said for organizations that being compliant doesn’t mean that you’re secure. Just because you can potentially check a box in a certain area doesn’t necessarily mean that you have the best possible security posture. What would you say to an organization that’s looking to do just enough to pass their compliance audits but not necessarily drawing a direct line between compliance and security?
DO: What’s extremely important is to recognize that every organization is different. There are different technologies, and there are different people that are running those technologies. They’re at different levels of maturity and capability. It’s extremely important. This is an age-old concern. If you build a solid security program, you will achieve compliance. Organizations need to be diligent and build a solid, mature security program. That’s key.
PL: You mentioned a strong security foundation, and I often draw parallels between security foundation and security integrity or system integrity. When you hear the term “system integrity,” what does that mean to you, and how does that play into security compliance or operations?
DO: It means a lot. Let’s think about this. If we can’t confirm the integrity of our systems and our data, then we can’t ensure our business. Integrity is a fundamental component. It’s integral for a business and for a chief security officer to have faith in the program that they’re putting together. If they can’t understand that level of integrity, then they can’t ensure that the business is secure.
PL: I appreciate that observation. I’d like to switch gears a little bit and talk about some of the challenges that you’re seeing out there in the marketplace in general, whether it’s financial services, or through your experience. How are cyber-attacks changing? What are the biggest threats companies need to focus on?
DO: There are so many varying degrees to consider. The “people skills” concern is one that every organization is facing. The good news is the industry is responding with fantastic capabilities around managing their products or a piece of the puzzle for those organizations. They’re providing some of that basic skill that’s needed. So, we are seeing some changes there. The challenge is also that the attackers are smart. As products and technologies and the industry matures around artificial intelligence and machine learning, attackers are using those same tools, and they’re building on top of existing malware strains.
If we take a look at the variant that was used in the SolarWinds attack, it was out there for a while, and the attackers used an extremely intelligent approach to leverage that. We’re going to see a lot more of that. Ransomware and malware are continuing to increase, as well. When we consider the rapid shift to an all-remote workforce as a result of the COVID pandemic, we went from a constrained regional office model to some degree to an office of one. That opened up more variables, so more of that threat landscape grew tremendously. Many companies weren’t equipped to evaluate or have visibility at that level to control what was happening. Attacks are getting smarter and faster. Attackers are starting to share their successes and failures within their criminal networks, which makes defense even more challenging. Both the attackers and defenders are equally intelligent. The criminals are also very well-funded.
PL: Supply chain risk is also a big, big part of discussions today. How are companies working through that risk, and are there any best practices that you could potentially share?
DO: Third-party and fourth-party relationships are not at the same priority as the core business. The SolarWinds attack woke up the industry, and we’re seeing a change. It gets back to fundamentals, visibility, walking along where your data moves, understanding that threat landscape, and applying good security controls.
PL: A lot of times, humans are often referred to as the weakest link, which I think is absolutely the wrong way to look at it. They’re actually our strongest allies when it comes to keeping the organization safe. What security or awareness training should be offered to employees, and are there any particular areas that you recommend as the main areas of focus?
DO: That’s a really wide question. I completely agree with you that people are vitally important to our business, and it’s an organization’s duty to ensure that they have what they need to do their job in this day and age. Part of that is ensuring that the employees are part of the security program. What I see is that organizations do a great job signing up for a training service, and then they deploy it, and it’s mechanical and it’s black and white. However, cybersecurity is gray. It’s not black and white. So, what has to happen is that training needs to be reinforced repeatedly.
A security awareness program needs to be tested with the employees, and you’ve got to train at the various levels where they exist in the organization and teach them what they’re dealing with. For instance, in a business office, an admin is moving data back and forth. In a manufacturing or critical infrastructure facility, there will be Industrial Control Systems (ICS). There are different levels of concern here, requiring different trainings. Across any organization, there are different levels of training that all need to be targeted at security. What we talk about with our clients is how to get prescriptive and help create a training program that teaches the employees how it affects their specific job. That, to me, is the responsibility of the security program in today’s day and age.
PL: It’s great how you take that one step further, tying it back to business outcomes. Unfortunately, some of the security awareness programs that I’ve seen, or at least how they’ve been rolled out, are presented as one size fits all. It needs to be more dynamic.
DO: That’s right. Flexible and supportive of those business goals.
PL: What are your thoughts on ransomware and how the human element plays into how malware gets into an organization?
DO: It gets back to the education and really tailoring that education (as well as testing) with individuals all the time. Ransomware has grown exponentially, and it is not going to go away. It plays on human instinct. The human element is key. It gets back to the topics we’re talking about within that program. We’re never going to be able to completely deal with the human element, but we’ve got to educate them as much as possible. On the flip side of that, let’s talk about how easy it is to restore from a ransomware attack. How quickly can we respond to it when that incident occurs? This is also a vital component. We have to be ready for that. It’s a cross-team exercise. We have a bunch of people in IT operations who are managing our backups and our recovery capabilities. These are the lessons we have to learn. It’s unfortunate when we see clients who just haven’t taken some of those steps yet.
PL: And when you look at moving beyond the human element, how does foundational security and system integrity play into the way ransomware has gotten into the organization?
DO: I want to be careful because the term “foundational security” is elusive. I would rather define it as getting back to basics with an adjustment for the current day and age. Integrity and understanding the threat landscape are important foundational components. If you don’t build a good foundation, the building falls down at some point. So if I have capabilities to monitor the integrity of my systems and the integrity of my data elements that are moving between possibly multiple compute environments, that’s a solid block. I’ve got to pay attention to that. If I have capabilities to understand where the vulnerabilities lie in my infrastructure, to gain that visibility, and to match that up with the integrity, then I can have the right level of foundational understanding. There’s a lot of information out there that I can pull from, systems that are monitoring integrity, and systems that are monitoring vulnerabilities. I need to be aware of all this for visibility.
PL: How does an organization know what “good” looks like for their environment? Once you baseline that, then you can understand what’s actually happening when something changes. You can see if a change is intentional or malicious.
DO: Or was it an accident? That would indicate that I’ve got to re-educate the team that’s leveraging that information.
PL: Right. You’ve got to build from that place.
DO: So, “fundamental” should be the ability to focus on that without it being complicated.
PL: Definitely. I couldn’t agree more. When you’re talking to security leaders, building out these recommended structural plans, and explaining how the organizational goals need to align with the business objectives, eventually you’re going to get into the incident response questions. What do you see as some of the key areas that an organization should think about when they’re building out their incident response program?
DO: Yeah. You know, there are lots of words that are out there to describe incident response programs. But this is again where you’ve got to keep it simple. So, first of all, security officers and security programs should be prepared. And that’s really about tools, teams, and process. That’s fundamental. I need to have my alignment in place. I’ve got to know where to go. For example, if the fire alarm is ringing, do I fit out the window that’s in the room? Or should I find the emergency exit?
The second component is that you need to test the plan. Security is a continual test. It’s a continual test of building the solution, detecting, reporting, and communicating every step. Even if I think I smell smoke, I want to make sure that everyone near me understands that I think I smell smoke. There’s an analysis component.
What we run into is in larger organizations, there could be multiple teams, and sometimes, we see disconnects in the incident response roles and responsibilities – the fundamentals of where those teams connect. We want to help teams move towards proactive efforts around incidents. If we have a good foundation, let’s go build some proactive hunting into this equation so that we can be ahead of what might possibly occur. Communication is key.
PL: I appreciate that. One of the things that you mentioned is people, process, and tools. It seems that business leaders are going to hear “money” and things getting in the way of the business. When it comes to communicating the Return On Investment, what is the best way to communicate what these security investments mean to other stakeholders? How do they get buy-in on that?
DO: There are a couple of facets to this. First of all, there’s so much amazing information out there from a cybersecurity perspective. The good news is that most organizations and most executives understand what’s happening, for it’s also happening in their personal lives. It’s imperative to prepare that information and provide it to executives at a level that they can consume and in a way that aligns with that business whether it’s financial, pharma, manufacturing, or a candy factory. You’ve got to be honest about the program that’s in place. And you’ve got to have metrics and Key Performance Indicators in place that are supporting that business.
To use an example of a candy factory, what happens if a ransomware attack occurs that halts the candy manufacturing operations? What are the different levels of risk if the attackers steal the formulas for that candy? The factory stops current production, perhaps a trade secret is leaked, and the candy is duplicated somewhere else. That could wipe the business out. Those are two different levels. It’s important to present this information in that manner.
Then, there are the technical aspects. Be realistic about the program that’s in place. I coach teams to make better use of the technologies and capabilities that they have or replace those technologies if they’re not doing the right job. I also talk to them about leveraging a “simpler portfolio” approach. Lots of technology companies are now combining solutions, making it easier to deploy those tools in an environment, for they have a unified look and feel. Having an efficiently run tool is better than having the tool that’s the market leader at that moment in time. Right? I would do this if I were back running my own shop, for it’s important to have those building blocks in place.
PL: I think you just summed up a lot of our conversation perfectly. You’ve touched on how to educate people in different roles, how to build the right technologies and have them ready and prepared, as well as how to portray these ideas to a CEO who’s driving a financial goal.
DO: All of this is extremely important, and cybersecurity is complex, which is why I keep saying, “Let’s try and keep it simple.” Everything gets back to foundations. Optimize and leverage what we have and fill those gaps. And how do we do that? We formulate an intelligent opinion, and we get another set of eyes to look at it, as well.
PL: I agree. I appreciate that, and I really appreciate the time that you have been able to spend with me to speak and work through these myriad topics. I greatly appreciate your willingness to share your insight, your experience, and your thoughts around these topics.
DO: I really, really appreciate the opportunity to be here.