3 Executive Strategies to Prioritize your IT Risk
May 08, 2013
Do you want to know how ‘best-of-breed’ enterprises prioritize their IT risk? Join Richard Mason, Vice President & Chief Security Officer at Honeywell, whose team is responsible for global security, during a roundtable discussion with Pat Clawson, Chairman & CEO of Lumension and Roger Grimes, Security Columnist & Author. Uncover strategies beyond traditional antivirus signatures and learn a more holistic approach to effective risk management. Find out ‘how’ and ‘why’ you can make security a prioritized function within your organization.
Roger: Hello, everyone. Thank you for joining Lumension's 3 Executive Strategies to Prioritize Your IT Risk. Thank you so much for taking this time out of your day. This is kind of a unique and interesting opportunity in that we've got a couple of CSOs and experienced people, people with literally decades of experience, to talk about computer security and computer security risk, and especially as it relates to senior management. This is gonna be a little bit different type of presentation than maybe you've attended in the past, in that we're really hoping this will be more of an open dialogue, fireside chat type, where we'll talk and chat freely about different topics.
And we're hoping that each of you will participate and submit questions through your interface. And I'll collect those questions, try to summarize, and then submit them to our speakers today. But what I really wanna communicate is that this talk really is about the free flow of ideas, even some that may be a little bit outside the box, some traditional and maybe, you know, some things some people might even take as a little controversial to traditional thought. And how we're hoping to do that is to have some unscripted open dialogue between professionals. And again, thank you for attending.
So today's agenda, we're gonna talk about how to evaluate risk tolerance, what is risk tolerance? And even using the word "tolerance" means that you're going to accept some risk. Then we'll go on and talk about leveraging reputation management services. And I think we'll get into some good ideas, talking about reputation management services in the traditional sense and also in some of the new senses. And then we'll go on to "How to Secure Prioritized Data Depositories," the things that you really need to protect, and then finish with "Recommendations," and along the way, take lots of questions, hopefully.
So, today's panelists. First, myself. I'm Roger Grimes. I'm a Security Consultant and have been for about 25 years. I have written eight books on computer security and hundreds and hundreds of magazine columns. And I also, at one point of my life, was the VP of IT and moved into a CSO position. But I'm probably, for once, not gonna be doing most of the talking. We have two invited C-level employees. Rich Mason is a highly respected CSO at Honeywell. I've worked with Rich in the past over the years and found him to be one of the most innovative and really in-the-know chief security officers that I've met. He's worked well at his Fortune 500 company and also has participated in organizations. He participates and has gone on to advise very senior-level people at other companies and also within our government. And I can let Rich talk a little bit more about himself now. Good morning, Rich.
Rich: Great. Good morning. Good morning, everybody. Thanks for the intro, and I appreciate the kind words. So, yeah, Rich Mason. I'm the Chief Security Officer and Vice President for corporate here for Honeywell Global Security. It's one of those converged missions that has cyber security, physical security, as well as a government security mission. And I'm actually calling today from Washington, DC. And I think we have a lot of synergies, in fact, with what we're seeing on the corporate networks and the corporate risk challenges with the same things that the government's tackling from a critical infrastructure perspective. So I think there's a lot of analogies there and a lot of analogues, if you will. We can help government and they can conversely help us achieve the sort of risk tolerance mission.
Roger: Great. Thanks a lot. And lastly, we have Pat Clawson, the Chairman and CEO of Lumension. We're glad to have him with us today to get his perspective. Not only is he a, you know, leader at Lumension but also just a chairman and CEO, because those perspectives aren't always known within the IT working force. So, hopefully, we'll have a broad range of discussion and opinions and questions from an IT security worker all the way up to the boardroom. So I think, Pat, if you could go ahead and introduce yourself a little bit.
Pat: Yeah, sure. Hey, everybody. This is Pat Clawson. And again, thanks for the intro. I'm currently Chairman and CEO of Lumension, which is interesting because, as Rog has stated, it's a balancing act of how do you protect your own entity and the processes that you go through to make sure that those things that are critical to you and your business are exposed to the least amount of risk. And how you constantly evaluate those, interact with those who are responsible for executing, budgeting, everything that goes with that. And at the same time, I'm the guy that travels around the world, sitting down with CIOs, CSOs, CISOs in every nook and cranny across a lot of different verticals. And it's often interesting hearing the varying views, thoughts, and/or the preparedness that our customers or prospects have around the world and what's the priority to them. And that clearly changes over time. And, like, I have an opportunity to share some of that with the crew today.
Roger: Great. Fantastic. And Pat, I loved your point where you talked about how, you know, Lumension is a computer security company, but really a big part of your role is security in Lumension. I mean, certainly, a lot of the world's largest computer entities have faced hacker attacks. And in some cases, have been successfully exploited just over the last year too. So, it's definitely a dual-role thing.
Pat: Yeah. The company before this one was a public company and it had different constraints. But, you know, in an effort to always practice what you preach, it's easy to say and harder to do sitting down with people and articulating strategies that narrow your risk profile, identifying the things that are most important to you to protect and moving on. So I'll turn it back to you.
Roger: Okay. Fantastic. And again, for anybody listening in to this webcast today, feel free to submit your questions and we'll try to give them to the experts as they come on in. Now, we'll go. The first topic that we're gonna talk about is how to evaluate risk tolerance.
Rich: Yeah. Well, I'd love to weigh in on that. This is Rich. So, you know, I guess, maybe I'll caveat this by saying not everything that I express here is going to be the opinion of my employer. Some of these things will be my opinion. Obviously, I try to get that opinion expressed in Honeywell whenever possible, but it doesn't always tick [SP].
So when I look at the challenge of risk tolerance, Honeywell is sort of a unique piece. We're a conglomerate, so we're actually comprised of four very different business units, all of which have varying degrees of risk tolerance, different sectors, if you will, all the way from defense and space, which is probably one of the more conservative business sectors. And then there's others that are more traditional manufacturing and, perhaps, more receptive to taking on some risks. But I think the key for any security professional is to walk in and have that conversation. Obviously, there are some things that are non-negotiable, those are the regulatory things, and that's just table stakes that everybody has to be minimally compliant with. But beyond that, it's a risk tolerance. And we like to think of that in terms of the maturity curve. So we can be all the way from one end of the spectrum, the left side being very reactive, which would be an expectation of anyone providing due diligence. But as you go up the curve, it goes from reactive to proactive. It ultimately goes to a more preventive posture.
And I think what we're seeing now, the trend and the expectations for the most conservative elements, is that concept of predictive. How can I not only prevent the attacker from violating my control? How can I predict where they're going to be tomorrow? Where they're going to try to be attacking a week from now? And that really requires a much larger investment in terms of information, of intelligence. And there's also lots of automation that could go into this. You can do a lot of it with manual processes, but automation seems to be another key indication of maturity. So, whether it's the maturity of the security function from reactive to predictive or the maturity of the technology from manual to automation, finding those intersections with your business and figuring out where the risk tolerances are, that's just the beginning of the process. Only from there can you start to design the right types of controls that meet those expressed business needs.
Roger: Yeah. And actually [crosstalk]
Rich: Right. I'm sorry. Go ahead, Roger. I was just gonna ask Pat if he had any thoughts on that.
Roger: Yeah. That's good. That's perfect. Pat?
Pat: Yeah, I do, clearly. And I agree with you totally. But what I'm trying to articulate in the thought process for a wide variety of potential listeners, and even while sitting down talking to CEOs and CFOs and CIOs around the world, there's this whole range of size of customer on the planet. They find it very difficult, or the business finds it very difficult, to get that concept of risk tolerance in their mind, at least as it deals with IT security. And one of the things I try to get people to do is, first of all, make sure that the people you have in your business can actually communicate with you, you know. Can the CIO communicate with the CEO? Can they research the biggest risk items to their business from an IT security perspective? Prioritize those so they can sit down and have a board-level conversation about what those might be. And then some recommended paths for reducing the risk in those areas.
I also try to help people understand that in any size of business, you can't solve world hunger all at once, you can't do everything at one time. So do try to work from, you know, some sort of an educated approach that identifies risk that can do certain things to your business. Those things that could impact shareholder value, those things that would impact your brand, those things that would directly impact your customers and, ultimately, your shareholder value. Try to figure out what the things are. You don't need to be a scientist to do that. Work with the teams within the organization to put some form of remediation strategy in play to do not only…to be preventative but what happens when things break. They inevitably will. You will be attacked. Something will happen, an employee will let you down. If something goes on, how do you remediate? What are your processes for doing that? But don't try to tackle all 20 things in the list at the very same time. Really work through your list, and constantly be making your business, you know, safer and healthier. It's just a very high-level thought relative to a more mass audience.
Roger: Right, great [crosstalk]
Rich: And I love the way the question was phrased from a concept of risk, because often we steer into the conversation of talking about security as if you can talk about it outside of the context of business. When we get the right level of support, if you have a risk council, if you have those right stakeholders, that's just legal, human resources, finance, a representative from the audit committee. If you have that sort of a council making informed business decisions based upon risk like any other sort of risk, it becomes less a discussion about tools and toys and technology and more about how do we effectively meet the expressed risk tolerance expectations of the company.
Pat: Yeah, absolutely.
Roger: I wanted to break in, if I could. We're getting a lot of questions in and I'm bringing a couple of questions for this section. The first one, this might be more for Rich than Pat, but it says, "When contracting with government agencies, whether it's a vendor or a cloud host, there are special requirements. How does this enter into the equation for risk assessment and solutions?"
Rich: Yeah. I think it's key to make sure that at least, initially, you know, and maybe it's part of that maturity curve, that you have a representative of your function in that role of contract review, of procurement processing. So that particularly as we all start moving more aggressively to the cloud, that we have a level of comfort that the requirements of the controls are being adequately satisfied. I think long term, that's not a sustainable model. You know, we talked about manual versus automation. Having a body in there looking at every contract is really not a very scalable model. And what I would be looking for is more automated ways of doing that, giving standard work, standard requirements to the contracts and procurement organizations as we look to leverage things like cloud providers. There will be services if you look at what the U.S. Federal Government, at least, is doing on FedRAMP. There will be third parties that will be approved to certify these places as secure, so you'll be looking for that sort of a reputation management, a way of automatically saying who I can trust and who I shouldn't trust in the cloud and leveraging those relationships to streamline the process.
Roger: Great. And actually we have one more question for Rich before I send one over to Pat. But this is a good question, I think somewhat related. But it seems like our government is still willfully unprepared when it comes to cyber defense. What are your thoughts regarding public-private policy and partnerships to better prepare our industry and nation against cyber attacks?
Rich: Yeah. It's interesting. We're just reviewing all the various bills, six on the House side and two on the Senate side right now. You know, I'll give you the Rich Mason perspective which, again, is not my employer's perspective. I think all too often, when the Government gets involved, there are agencies that are jockeying for budget. And so, sometimes, the true mission of trying to keep our nation safe gets lost in the prospects of growing an agency's budget. We've seen a lot of those empire-building issues. I think this is probably the year that we're going to see some sort of a reasonable agreement between the various parties. And, you know, once we can satisfy some of the outlined privacy and civil liberties concerns, I think at the end of the day, it's less than 0.1% of the data that's being transmitted between government and private in the proposed legislature that would have any sort of personal information. I think you couple that with the need for some sort of a policy around not violating any end user agreements that you already have with how you're protecting an end user's data. You do that and we can really get to the meat of the problem, which is, how do we get real-time threat intelligence sharing, not only of the threat but also of the countermeasures? We've gotta focus as a community on what's working in the countermeasure space and be less focused on just sharing a list of IP addresses every day. That's not a sustainable model and it's not a terribly effective one.
Pat: [Crosstalk] I'm kind of [inaudible 00:16:04] about this one. I've actually blogged on it for several years now, trying to get people to think about it. And so for our listening audience, at a high level, you know, as a nation state, ourselves, and most of our friendlies are competitive corporate environments. I think Richard Clarke, who was a cyber security czar several years ago, made a statement, which I think, helps us understand this a bit better. So even if the United States government and all of its assets were absolutely impenetrable and unable to be compromised in any way, shape, and form. And I'm paraphrasing here, they only control 40% of the critical infrastructure of this nation.
So, to protect us as a country, somehow or another, we have to understand critical infrastructure as both private and public. And we don't always fully get that. And if you would take a look at who would likely be our most [inaudible 00:17:00] adversaries in an electronic campaign, in a precursor to or in the middle of a war state, it's countries like Russia and/or China. And both of those have a very, very high state-owned component. And in the high state-owned component, they're able to demand and do certain things in terms of understanding the threat across all of critical infrastructure in a way that we can't, because those businesses are public or completely private companies that, in many cases, it's not even legal for them to share data with anyone, not to mention the Federal Government.
So trying to get to a state where relevant data can be shared so that we, as a nation, could understand risk across our critical infrastructure, real-time, as it's happening, both government and non-government entities, would be an ideal state. But getting there is a very long path that has to do with laws, the regulation or the ability to modify laws, so that some sharing of data that doesn't impact, you know, privacy is able to be shared. It's quite a long process. But it's a goal at some level to be able to get there.
Rich: I think the other key component to that is to make sure that whatever we do, it's sector specific. The challenge becomes when you start to put groups like Honeywell and Facebook and Google all into the same sector. Of course, it rattles folks from a privacy perspective. If we truly looked at this as a sector by sector threat sharing challenge, I think that's the way to go. We'd only share relative to how we protect critical infrastructure. And obviously, not violate any sort of expectations of privacy, of consumer type data since we don't have it.
Roger: Okay, great. Great. I actually have one other good question before we move on. Actually, I have lots of good questions. We'll be getting to as many as we can during this talk. But here's a very general question that fits perfectly with the slide. It comes from somebody that asks and says, "Every organization is different. How do you decide what your risk tolerance is and what drives it?"
Pat: Rich, do you wanna start with that one?
Rich: Sure. You know, you can't come in and prescribe what the company's risk tolerance is. Again, I think it starts with just coming in with your ears wide open. I think you look first at the sector. So if you're in the finance sector, you probably have a very conservative view. If you're looking at defense, similarly, you'll be in that same conservative view. So there's that perspective of looking around at the herd and finding out what you're doing. You either wanna be, at least, in the center mass of the herd or on the leading edge, if you can afford to be. But you definitely don't wanna be straying from the herd. Second of all, you need to find ways to measure your controls, your key controls, not necessarily all controls. And make sure you've got the right individuals or risk council, if you can, taking a look at the health of those controls, the ability for them to maintain control over a situation.
As you've done that, you'll start to get the feedback of yes or no that exceeds my risk tolerance. But I don't think it's a binary thing. It needs to be a dialogue, it needs to be a conversation saying, "This is where we are, this is where the industry is, and this is the health and welfare on a control by control basis." I think it's…you require that big data, that analytical piece of it, to be able to fully build a risk management model.
Roger: [Crosstalk] I like what you said before where you said it's a boardroom issue.
Pat: It is. And so as this will be played around the world in all kinds of sizes of businesses, I have a couple...I completely agree with what Rich said, so I'm gonna try to bring it back to the kind of a middle-layer style of business that exists around the world. I think the first thing is that CEOs, myself included, all of us in this category, need to do a few things. And first, quit being the college kid who's afraid to look at their checkbook because it's likely to be at zero. And, you know, when it comes to information security, you actually have to be the leader in this respect as well. You have to read a few things, you have to understand regulations that are imposed upon your industry, if they are. And then you have to be considering due care. Am I doing the right things to maintain brand, to maintain shareholder value and protect my customers and my employees? Right. Am I asking my people and am I personally asking the questions about what risk exists within our enterprise that can ding those things? I'm trying to be very high level here because a lot of people can't see the forest from the trees or don't know where to start. So ask those questions.
And I challenge you to make it a boardroom issue like we do our performance numbers, our finances that get audited, our development numbers, whatever those might be. This is one of those things today that could bring your business down or significantly dent it. Put your employees at risk, put your customers at risk, put your shareholders at risk. So, to that end, ask the questions. Try to get to prioritize this. Make sure the people in your organization are the right people who can actually answer those questions and provide you and your board with meaningful data.
And I'll say this to you, and this is both to the CEO and those people who report to the CEO, you gotta make sure you can communicate down and you gotta make sure you can communicate up, right? You have to have the right people in the organization that can assess the problem and document the problem, provide remediations or suggest remediations so that, as a group of managers and as a board, you can make solid decisions about what risks you believe face your entity and what the right ways to start mitigating that risk might be. And there are definitely bigger companies, they have more budget they can put at this, there's automated IT GRC tools for real-time assessment, etc. But a lot of medium businesses don't have that. You're wanting from smart behaviors, from documented process, from having the right people in the right places, etc. So, I'm just trying to get this to the average, you know, 1,000-employee business in Jakarta as well. So it's a little bit more common sense.
Roger: I just switched slides on the screen. And again, I appreciate the free flow of dialogue. I think it's very valuable more than just PowerPoint bullet points. But I'm looking at the next slide and it has in the middle statement, there are a lot of [inaudible 00:23:48] checklist security, doesn't always equal security. And I wonder if you all have thoughts on that.
Rich: Sure. In fact, in our recent response back to [inaudible 00:23:58], the Government is trying to figure out the same thing. That was one of our main points: "Look, guys, checklist security doesn't work." If we wanna talk about compliance, and I'll make a distinction between compliance and resilience, compliance is the checklist. It's the industry norms, it's fairly static. And that's a problem when you're dealing with a dynamic threat. I think there's a question queued up on APT, advanced persistent threat. By the very nature of that threat, it's targeted. And it's targeted by an intelligent entity that's willing to shift and evolve their attacks to execute the mission. So you can't have a dynamic attacker versus a set of static controls. What you need is dynamic controls.
I think the key, therefore, is that checklists will always be there. They'll always be the industry norms as to what's minimally acceptable. But what we need within government and what we need within industry is these incentives to harden our key assets, our own critical infrastructure, if you will. That's where we need to be resilient. And when I think of that maturity curve again, I think of my domain controllers, for example, my PKI servers, the keys to my kingdom for identity management, etc. Those are the things where I not only want a preventive solution in there to make sure someone can't break in, can't make an unauthorized change, but I also want that intelligence piece. I want that real-time monitoring, that real-time data that gives me the predictive view of, if someone is attempting to break this control, where are they coming from, where are they trying to head, and what am I going to do about it? At the end of the day, intelligence isn't about the what. And I think the industry has lost sight of that. We keep focusing on reverse engineering, getting very granular on understanding a given threat. But not so good at the "so what," the business intelligence side of it. What are we going to do as a corporation in response to this threat to get a few yards, hopefully a few miles, ahead of it before we go down?
Pat: Yeah. So, you know, and my view is very much the same way. I might say it even, interestingly, dovetails on to the previous question in a way that what we see around the world are people fulfilling what they consider to be IT security requirements from a checklist and/or what they consider to be audit requirements. I need to have this, this, and this, and that's what I get. And that's fine. Checkbox Mr. CEO, we're good. Right. I've done my job.
And that's, in some cases, more damaging than, "Hey, boss, these things are probably important at some level, but this is our business and this is what we need to be considering." And the prescriptive, "These are the common technologies you should have and, therefore, you are saved," is a complete fallacy, and it's a problem. And I'll express it in a couple of ways. I have the benefit of sitting on a board, probably the largest DDoS protection company in the world right now. And what we see real-time with those attacks echoes exactly what Rich said. And with those attacks, these aren't things where people are just throwing volume of something out there to clog up your world and make it hard for your customers to get to your websites. These are attacks that have gone from 15, 20, 30 gigs to 130, 140, 150 gigs. These are attacks that are unique, and based on the entity and what their infrastructure looks like, are programmed to impact that infrastructure. And the same one being run against bank A is not run against bank B. I mean, these are highly intelligent, highly structured, bandwidth-knowledgeable attacks from the DDoS perspective.
We're also seeing the same thing from a malware attack perspective. And the stuff that customers or prospects are worried about, this noisy antivirus malware stuff, is really just that. This is noise out there today. The real attack, they don't want you to know anything about: customized malware being delivered by the way...almost 80% of it is delivered via USB sticks still, last year. The stuff that your basic tools and all those tick-box prescriptive items are never gonna catch. Because our world has changed. It's not what it was five years ago or six years ago or 10 years ago. So, the prescriptive approach, we'll get it done. It's not [inaudible 00:28:39], it's not relevant and useful, but we have to look at it differently than we were several years ago.
Roger: Okay. This is Roger, I wanna break in a little bit because what you've said, I think, is great. And you are educating us. Both of you are educating us. I have two questions. One is, and let me say both questions because I think they're kinda related. One essentially is, do you have any thoughts on how to better educate our employees and what we should be doing on this front? And the other is, how do you think...you know, what areas should you focus on when you have an immature organization and executives to have a better security understanding? So one's towards the board level and senior level executives and the other is towards employees. How do you both think that we can do a better job of educating them on the types of risks that you all both just talked about?
Rich: I'd like to add a third category to that and then break it down. And I think for those of us that have taken shots at security awareness programs, we learn from what works as well as what doesn't work. What doesn't work is the one-size-fits-all approach. Trying to train everyone on everything and I think all too often, we've all been caught trying to teach everybody, "These are the requirements, these are the threats," and get into lots of minutiae on there. And folks glaze over and they're gone.
I think if we start looking at it by persona, who are we targeting for what message, and keep that as relevant as possible, we call it visual cues. So hopefully, it's embedded in the parent system, it's built into the system that they're using versus bolted on as a stand-alone training module. But, yeah, executives need to understand in terms of risk, and I think we've tackled a lot of that already. So to the extent that you can translate all the security information, you know, frankly, the number of hits against my firewall per day is my scare factor number. But it really doesn't give the board anything in terms of how to manage risks. So we have to customize that message.
For the end user, I wanna give them built-in security awareness for the systems that they're using. And if there's a policy that I want those systems to be targeted and interactive. A great example is data loss prevention. So if you attempt to send a social security number out of the company, you're immediately getting a notice saying, "This is what you did wrong, this is how you do it right." So don't just say no, say how. Right? That's great targeted awareness, and you can bet that person is probably gonna go talk to their boss and say, "It looks like I screwed something up. Can you coach me on this?" That's great targeted awareness.
The other group that I'd like to target is...I don't know if folks are [inaudible 00:31:22] shops, but think of it as having service owners. So we would have a service owner for email. We have a service owner for desktop, for certain cloud financial services. We need to target those service owners very differently to say, "Okay, these are the requirements that need to be built in, inherent to your service. Don't build us a service and say someone else is going to secure that." Warranty is part and parcel of service delivery. So we have to make sure those services are designed right, and that the security requirements are built in. And that service owner has the right visual management, has the right tiered accountability, has the right continuous assurance and monitoring of the controls, because they're ultimately going to be the first line of defense. If a service is operating well, they're going to be monitoring from a performance perspective, from an operations perspective. And that's a great boon for security to have that extra set of eyes looking for anomalies. You can't rely exclusively on a security team to deliver security for an entire company.
Pat: So I'll jump in. And again, I completely agree with what Rich is saying. I will try to tailor it a little bit more to the medium-size businesses around the world. And education is important, right, at some level. And I agree that one-size-fits-all probably in a bigger business gets lost. In a smaller business, some form of education would clearly be, or any form would be, good compared to what's out there today, which is often absolutely nothing. No one wants to tackle it, they don't know who could do it. And so, some form of education on the employee base that's consistent. If your technology can help support that, that's powerful, but regular, consistent education of the employee base is key and critical.
The second one, that's a bit of a controversial comment. If you've got managers who don't get it, change your managers. Sorry, that's just the way this is. You know, you wanna have the right people on your bus, otherwise your bus is not gonna be a fun place to be. So there are smart people out there that get this. If your world or your business is one that has a significant portion of risk and you're on a call like this trying to figure out what I can do, make sure you've got the right people on the bus with you, and the people that actually get risk. And then, you know, like, I don't think there's much else to change in what Rich said. He's [inaudible 00:33:55] money. These things are critical.
Rich: I think you hit on an interesting point though relative to, you know, the wrong people on the bus. I think many organizations, security organizations right now, are struggling with this concept of enforcement versus enablement. You know, we've tried to reinvent ourselves as the business enabler, to the extent that brakes allow you to go fast. I think there's an enablement play there. But we really have to push to help the business succeed, to be the brakes on the car that let the business go fast. The only way to do that effectively though is to have an enforcement component. It doesn't necessarily have to be in the security arm, but to the point raised, if you've got someone on the team that just doesn't get it, that's gonna sabotage you every time. You've got to act fast and get that personnel.
Roger: And if it's possible, right? Sometimes, those are protected people. But you're right, it's one of the many challenges that we have. So moving on to the next slide here...and somebody had asked a question about...in the previous slide we talked about asset classes. And they said, "What is an asset class?"
An asset class really can be anything you want to define. It can be a service, an application, it can be all my Exchange servers, it can be all of my top secret information, it can be all the top secret systems or something like that. But, I guess, one of the simple things with risk tolerance is that not everything has the same level of risk tolerance. Not all assets and data should be protected equally. And you must identify which are the ones that should be protected the most. But Rich and Pat, do you have something to comment on that slide?
Rich: Yeah. You know, this has come up in a couple of ways. One, just from a strategy standpoint, we learned early that the one-size-fits-all approach doesn't work, and it doesn't work for systems and it doesn't work for people. So coming up with what we refer to as a concentric circle model which, I think, is similar to your asset class model, right at the core of that. This is your most sensitive stuff. This is from a systems standpoint, critical infrastructure, domain controllers, identity and access management systems, firewalls, etc. That's the heart of your system.
Likewise, I think the data repositories that have your most sensitive information there, critical business knowledge, is key. But you'll have other asset classes. You'll have your services that are internet-facing, you'll have, from a less risky standpoint, services that are internal-facing. And then you have endpoints as their own asset class.
Now, the old model was the hard crunchy outside stuff that we set our model on. The endpoints may have been perceived as a few layers in and hardened. But I think we all know now that the endpoint is the new edge. In fact, it's the preferred target of attacks with things like spear phishing. So you really need to take a good hard look at the endpoint from a protection strategy.
Since we can't boil the ocean per se, we do have to figure out how we focus. So from a systems perspective, focus on your core critical infrastructure, which includes both data and systems. From a people perspective, same thing, the high value targets, if you will. These are the folks that you've seen or can expect to see targeted attacks against: executives, people that do mergers and acquisitions, people that are negotiators, top sales professionals, etc. Expect to see that. I saw one of the questions talking about small business versus APT. You can expect to see it if you haven't already. We have a saying that there are really only two companies out there, those that have an APT problem and know it, and those that have an APT problem and don't know it. So hopefully you're in the former category. At the end of the day, even small businesses end up being in the overall supply chain, and they will go after the weakest link and after whatever helps them get a competitive advantage. So they'll be coming that way.
So the other people personas piece is back to the reputation piece of a security organization that gets beat up for being a disabler. If you can drive your service owners and IT and operations to deliver services catered to different personalities, whether it's engineers, road warriors, administrative, manufacturing, whatever, that's going to reduce some of the concerns you get by disabling certain people. You don't have to go with the one-size-fits-all. You can, perhaps, enable an engineer to have more control over their endpoint while an administrative professional, you lock down and you don't let them install software. So having that persona approach really helps you customize your security plan and become more of an enabler.
Pat: Yeah. So [inaudible 00:38:53] again, I'll jump in on that one. We actually invested in a company a few years ago that's in the IT governance, risk and compliance space. And part of being in that industry is helping companies understand the kind of foundations of that question. And vulnerability is a classic example of exploring where and when you actually care about that vulnerability. So you have a critical vulnerability on a server OS. And you have, you know, 25 servers that have that software on there. But the criticality to your business is predicated on where they are and what they're doing. If you have 24 of them in the data center doing mission critical things, that's probably something you're worried about, hence, prioritize it differently than if you have 24 of them in a test environment only that's curtained off from the rest of the world and not touching anything.
So, it's where risk really exists in your enterprise and at what level is it posing risk upon your business? So I don't think a lot of businesses fully understand that and I think there's probably a little bit more investigation for people to put into that. So I think Rich said everything, you know, [crosstalk]
Rich: I'm a big fan, by the way, of GRC. I think when you think of a security organization, we are the stripe across the top. And we break that down as strategy, response, intelligence, policy, and enablement. But the real controls live down in operations, primarily for this topic in IT. And that DMZ between those two disciplines, the bifurcation of security, if you will, between operations and the strategic side, that middle ground between those two is a data warehouse. And that data warehouse is really going to give you your GRC, your governance, risk and compliance, a common dashboard, a single source of truth as to who owns our controls, are those controls performing, and can you upload evidence to show that they're in control? That basically takes the compliance issue off the table. And now let's just focus on a higher order objective, which is really managing risk and getting into the "What's next?" So what's the predictive side of the house?
Pat: Yeah. I think one of the other things those tools, in general, do for you, once you get them implemented and once you have that source of truth and you understand compliance, and get it probably for the first time actually, understand compliance and get it to a state where it's a part of your role, one of the things they do that's interesting is they help you understand changes to your risk posture. So, effective ones will look at, okay, if I have a million dollars to invest in my IT world right now, and here's my current risk profile as a business. "If I spend a million dollars in these particular areas, do I only get a 2% improvement or reduction in my risk profile?" Or, "If I spend it over here, do I get a 70% improvement?"
So it's helping you make better and more informed decisions about how you impact your risk profile with invested dollars. It's not the only thing they're useful for, but it is one thing that I find people enjoy.
Rich: The challenge in the boardroom is when that million dollars comes up, we have to convince the senior leaders that this is no longer an arms race about building higher walls. Because frankly, the bad guys have the advantage. They build a taller, cheap ladder and we have to build an expensive, taller wall. That's not going to be a scalable approach. I think when we can demonstrate to leadership that our goal is, right now, to build speed bumps to slow the bad guys down and speed cameras to be able to see what's going on and predict where people are going, that's a wiser investment. We just can't let the expectation be so high that resilience means impenetrable. If your board of directors or your leaders get to that perception that, "I'm gonna spend a million dollars to guarantee that I never get compromised," don't take that check. Don't take that responsibility or accountability. Invest those dollars in visibility and start trending towards this predictive space so you understand your adversary and where they're heading.
Pat: Absolutely. Great analogies.
Roger: Fantastic. Moving into the next part of the presentation, one of the things that does seem to have some promise is reputation management services. In the slides, we talked about some really basic things, but in the real world, I've seen some other computer security writers write about this, that a lot of what we do in the real world is about trust, about interacting and having reputations with people before we interact with them. You know, the example might be you have somebody that calls you on the phone, that you know and trust, and they ask for certain information. You may give them that information if you trust that company, but if you've never heard of the company before, you might be a little bit more elusive in giving out the same information.
You know, in the computer world, we call it trust or assurance. And the idea is that if we come across, we're dealing with somebody or an email or a digital content or something that we have more trust and assurance with, we would give greater access than we would to somebody or something that we don't trust as much. And some traditional examples are, you know, PKI digital certificates, content filtering and websites, maybe trust and reputation services. But I was hoping, Rich and Pat, that you all could talk a little bit more about some of the more growing reputation management services that you see are promising.
Rich: Yeah. I think the first thing that we want to acknowledge is that business, or at least the businesses, shouldn't be buying tools, they should be buying solutions to business problems. And so we often confuse that and get wrapped around trying to get a capability. I think this tool can let me manage this white list and this black list. Well, frankly, with the resource constraints on the side of money and personnel, you don't necessarily want to take on list management. That's a lot of manual overhead. It'll be a lot of disruption as something like, take cloud, for example, if you wanna manage the reputation of different cloud providers. I'm currently doing an assessment of over 2,500 different cloud providers and understanding how my business intersects with those. I don't want to have somebody dedicated to going to every cloud provider, you know, 2,500 audits. And by the time they get done, they're all going to be updated and then we'll be off to the next 2,500 by then. That's just not scalable. So, getting away from list management and finding those trusted brokers that have the right intelligence on the back end and the right process to keep that data clean and accurate, and have that business relationship where we can say, "Look, this is my criteria for trust. If you exceed that criteria, 80%, for example, we're going to trust that party. Below that, we're not going to trust that. Maybe we can manage exceptions in the form of white list and black list. That's probably scalable and achievable." But, yeah, we don't wanna take on an additional burden of overhead in terms of managing tools and adding more people to process.
Pat: Yeah. This is Pat. I mean, the whole concept of reputation service comes from a million different areas that I interact with around the world. Part of it is then the reputation. And I think there are a lot of tools out there today that help businesses get a solid look at vendor reputation, if they're making an investment decision to go with the vendor. I think the second thing is, and they should try this out in the healthcare industry, is once you have chosen a vendor, how do you maintain the integrity of what was solely yours at one stage and now is shared with, in this case, call it a cloud provider that you've established is credible, has an appropriate reputation. But now that they're taking your data and handling your data, what does that chain of trust look like? And are you asking that cloud provider to provide evidence that they are doing the same basic things that you are doing and that they will not, in any way, harm your own policies, your procedures, your regulations or the controls within those regulations and put you in a bad state? So I think those are some of the things. We have customers asking us a lot of that right now.
And then lastly, in industry it's like, we get at a very granular level. We get the concepts or we have questions we get asked around, "Wait a second, you guys are in this, you know, whole application, operating system. Should I use it, should I not use it?" stuff. And how do I know what the reputation of this particular application, of this version of this particular piece of software is and whether or not I should use it or not use it?
And, you know, those are really interesting questions going forward on a lot of different levels. In our world, we're less interested in reputation than we are in something called provenance. If I don't have a direct relationship with the manufacturer so that I can assure it, then you are into a reputation. And it's like, "This is what we think we know about this." But even that, from a software perspective, is in question. And it gets bitsy and bitesy [SP], but we saw something explored by what was our government theoretically, in the whole Flame, you know, style of software attack, which is something called MD5 hash collisioning. And that was a particularly nasty piece of engineering that really allowed the hijacking of any software manufacturer's update process in a completely blind fashion.
So, even though you think you trust this software provider, they could theoretically have been attacked using MD5 hash collisioning. That update process could be hijacked and what was once a good form of reputation is now no longer. So it's a really in-flux kind of a state right now as it pertains to software manufacturers.
Rich: And if you combine a couple of these concepts that we've discussed, the asset class, if you will, would I want a reputation-based service to intersect with my critical infrastructure? No. Right. This is probably something I want in those outer tier asset classes. Maybe for end user systems that we say, "Look, I'm going to...if the reputation is higher than 80, I'm gonna allow it to be on my endpoint within certain categories of software." That makes sense to me. When we look at critical infrastructure, I'm more focused there on change control enforcement. And bidirectional change control enforcement, what I mean by that is you can't make a change on the system without it going through a change control approval, and vice versa. Any change that happens on the system, it's looking up to see if that change is there. So it works both ways. That would be a stronger position but probably more appropriate for those top tier asset classes.
Pat: Yeah. You know, dovetailing on that one, people think I'm crazy when I say this, but the software that we find that's most commonly running on Windows servers in data centers around the world that's not supposed to be there, and no one ever knows how it got there, is Microsoft Office. Because someone has the ability to sit down there and reach out to a share and download Office because they wanna check their email or they wanna use the browser or whatever, and that was the easy thing to do. Those change control processes aren't in there, yet that software is running on there. It's not being patched. So it's sitting there, exposing that server to all the vulnerabilities associated with whatever was downloaded.
And that is more common, and this is a little takeaway, everyone tells me we don't have that problem here, but when we get through the process, guess what, almost everybody does. And then there are older versions of Adobe that are sitting on there. So the one takeaway, go look, I promise you, it's sitting there.
Roger: Okay, great. I'm just gonna move us along a little bit to the next section, which is "How to Secure Prioritized Data Depositories." I think it covers what we call the golden egg assets. Let's say the, I think Richard called it the center circle, somewhere along there. So these are some of the things, some of the bullet points that we recommend for better securing those prioritized data depositories. Rich?
Rich: Yeah. I think that this is not just an IT problem. This is where you need to have a business problem and you need to get the right functional representatives there. Take a good look at your data classification, because really, at the end of the day, data classification is a contract between the data owner and, in this case, IT. It says, "Look, this data is restricted, it's unrestricted, it's internal only." Whatever language you are using, hopefully, it's not one-size-fits-all language. And hopefully, there's training and criteria that tells people what to mark and how to mark things.
Once that's been done, the service owners for these data repositories can provide the right tier of services. If it's a crown jewel type of service, this is your high end and this is where you're doing things like information rights management, data loss prevention. You're doing permission assurance and attestations by TeamRoom owner, for example. You'd be doing some of those high order governance pieces. If this is the equivalent of public data, internal-only data, you don't need all of those same controls. But, again, trying to break the mold of one-size-fits-all services and getting those security requirements built in by service; at the end of the day, the policy is driving the service, the service is driving the solutions, and then we ultimately train people to the solution. You have built-in visual cues so that people are constantly reminded how to operate within that system.
Pat: The only other piece that I would add to that, that we find commonly across the world when there are issues, and people...and to Rich's point, that's, you know, absolutely the way you gotta go about it. But if there's a weak link in all of it, it's people and some sort of failure to do what Rich mentioned properly, or even in the best designed environment. When we find risk has exposed itself, it's often people-related, and usually employees, and usually some source...one thing I always challenge people to think about is, you know, the ultimate trusted employee. And that's great, but I don't care. When I've seen issues around the world, within the best designed environments with processes and technology and everything interwoven, it's often the person or the disgruntled one that breaks it all down, that's on his way out or whatever, that exposes you to the most amount of risk. So getting your arms around that people issue is just often quite a big deal.
Rich: And we call that human factors, but that's basically the Apple-esque. You know, we're claiming to be and aspire to be the Apple of the industrials. We have to make all of our, not just our products but our internal processes, human-centric, human factor friendly, if you will, so that you're just secure by default. It's not something that you have to have a separate process for. It's built in the...I think the safety net can still be there from a security perspective. You start to do creative things like indexed data matching, which would be a data loss prevention strategy. When you know where those crown jewel repositories are, you go out and you index them. And then you can look for percent matches, 90% similar, this data matching something that's in that crown jewel repository. You can get fairly creative as a safety net, but don't ever allow the business to put that burden exclusively on security's shoulders. It starts with the data owners and the functional owners. We can provide built-in controls and safety nets beyond them.
Roger: Great. Fantastic. Our last section is to kind of bring everything full circle and give some recommendations. And a lot of these recommendations are just things that both of you gentlemen have said during the talk. But this data, the idea again, you know, what's the important stuff in setting risk tolerance? And, you know, I heard data classification, identifying your assets, focusing on attack vectors, not protecting everything equally. This is kind of, you know, both to Rich and Pat, just kind of the last minute or so where you can talk about what your recommendations are for the...if maybe you can summarize or just wanna say anything in a different way to our audience?
Rich: Yeah. The one thing that I would recommend, if I got to just pick one thing from today's conversation, is focus on that governance, risk and compliance framework. So that you clearly have a system that says, "We're gonna map our policies to our controls, our controls to our control owner, and control ownership to evidence of control." That's gonna be a shared system, a shared visual management system that allows us, as professionals, to move up the value stream to focus on what's next, so what's next in risk management, and to get out of the weeds of day-to-day compliance or even just-in-time compliance type activities. The biggest challenge we see there is a lack of control ownership. Folks are finding out from auditors that they own a control, and that's the worst possible person to find out from. You need to have a governance system to both assign that ownership and to roll all that up into the risk and have the business manage risk at the board level.
Pat: Clearly, being in that industry, I'm a big believer in what he just said. But at a very high level and on a global scale, I think my first comment is just people have gotta figure it out first. The CEOs, wake up. This is something that you need to participate in and you need to demand that within the organization, you're moving forward to do the right thing.
Second, you gotta make sure you have the right people on the bus to help you get there. It's not gonna happen because you say so, it's gonna happen because people within your sphere of influence, and the people that they hire, get it, understand it, can work with you to exercise due care, to identify risk, to put processes in place, and help mitigate risk. There is no black box that will make you safe. It'll never happen. So, get that out of your mind, be worried about the things you don't know about.
And then, lastly, to Rich's point, there are some great tools out there today that help you understand it real-time and better. And quit chasing that nightmare with spreadsheets and always being on your heels. You know, the governance, risk and compliance solutions are powerful, they're strong, they're not expensive. And they're one of the few things that I've heard today that literally cost justify themselves. And not in a 12-year, I'm gonna pay you back or something, you just tell me. You know, how many steps does it take a person to walk through the datacenter to count something, and then use some sort of a cost benefit analysis on that. This is real deal stuff that is not only operationally beneficial but cost beneficial.
Rich: And GRC will give you the bandwidth to get out of the firefighter model into the hunter model, which is where we really start to shine and bring value to the business.
Roger: Fantastic. Rich and Pat, I wanna thank you both for sharing your thoughts on this digital Fireside chat today. I wanna thank our audience members who are also participating and listening over the last hour. I see we have a couple of questions that are left unanswered but our time is nearing the end. I'll make sure to collect those unanswered questions and will present them to Pat and Rich for a follow-up. Thank you everyone for participating and hopefully everybody got something out of today's talk.
Rich: Thank you, guys.
Pat: Take care, thank you.
Roger: Goodbye, everyone. Till next time.