Transcript for Masterclass – Latest Challenges in Cybersecurity Compliance
Matt Kelly: All right. Good day, everybody who is attending our webinar here. This is ComplianceLine’s latest Masterclass webinar to discuss cybersecurity. I am your host today, Matt Kelly, and I am editor of “Radical Compliance” and a business partner of ComplianceLine. And we have a great lineup here today to talk about current cybersecurity issues for corporations and how compliance professionals can approach those, we’ll call them issues, risks, challenges, because there are a lot, and how you can help your enterprise understand what the cybersecurity risk management efforts are, what the CISO should be doing, instead of IT security, what compliance might need to do to help the CISO, and how the whole enterprise can get a grip on and a sustainable approach to all of the risk issues we have today.
We have a great lineup. I will introduce them momentarily. Broadly speaking, we’re gonna go for about one hour here today. If any of you who are listening have any questions that you want to submit to our panelists, by all means, please do so whenever they come to you. We love questions. We’ll try and work them into the discussion as we can. I know there is a Q&A function on your screen, or on your panel, so when a question comes to you, type it in, enter it, and some of the behind-the-scenes people here will feed them to us, and either we will weave them into the conversation as it happens, or we will set aside some time toward the end to work our way through questions then. But everybody here is eager to make this as interactive and useful of a dialog as possible for all of you who are listening. So, by all means, if you have something on your mind, speak up, let us know.
What we’re going to do today is try and talk about a couple of large issues. Number one, we have some specific regulatory news, such as the executive order on cybersecurity that the Biden administration issued in May, and what that involves. Number two, we have large regulatory pressures, such as the compliance…the Cybersecurity Maturity Model Certification, CMMC, which was already in train for defense contractors. That is a brand-new cybersecurity standard that, if you do not achieve it in the fullness of time and you don’t have your CMMC’s compliance squared away, you will not be able to bid on defense contracts.
And then we have just a couple of operational questions we want to get at today, such as what is the CISO supposed to do for new cybersecurity regulation? What should compliance do? You could easily make the argument that some of the measures companies will have to take feel compliance-ish. There are third-party due diligence. There are risk assessments. There’s oversight, internal reporting questions…like that. That’s all stuff compliance has done before in other contexts, so how would we sweep that into the corporate enterprise today? What’s the compliance officer’s job? What’s the CISO’s job? What are other people’s jobs? How are we all supposed to approach this? That’s what we want to look at with our discussion today.
So, we have a great group of speakers lined up, and I’ll introduce them now. I’ll introduce each of them, and then if they wanna introduce themselves more fully once we lob a question their way, they’re certainly welcome to do so. But we have Dia Black. Dia is a senior security consultant with Online Business Systems. So, Dia, welcome.
Dia Black: Thanks. It’s great to be here.
Matt: We also have Patrick Barry, who is the CIO of Rebyc Security. Patrick, Welcome. And is it true that Rebyc is actually “cyber” spelled backwards? Did I miss that until somebody pointed it out to me?
Patrick Barry: That is correct. It is “cyber” spelled backwards.
Matt: All right. Next, we have Jamal Theodore, who is a financial services professional with a lot of experience in cybersecurity. But more notably, Jamal is chair of the National Black Compliance & Risk Professionals Association. So, Jamal, welcome. We’re happy to have you here.
Jamal Theodore: Oh, thanks, Matt. Happy to be here. Appreciate it.
Matt: And then we also have Monica Reagor, who is in cybersecurity and risk governance at Crestron Electronics, but also is the vice chair of the National Association of Black Compliance & Risk Professionals. So, Monica, welcome.
Monica Reagor: Thank you so much for having me. I look forward to the conversation.
Matt: So, first, I think, Patrick, I want to maybe lob a question to you, since you’re the CIO and, you know, the guy who’s in charge of security probably more than anybody else in our panel here right now. But the Biden executive order had three big goals. In brief, it was more mandatory disclosure of cybersecurity attacks, if you are a government contractor. So ransomware attacks or other things like the SolarWinds attack that happened last year, all of that is in addition to all of your regular privacy attack disclosure, breach disclosure duties you already have under state privacy laws. But this would be for other types of attacks, mandatory disclosure.
You also would have more cybersecurity protections that the federal agencies will want to put into place, which really means the IT contractors and government contractors working with the feds would have to put that into place. And that would be things like multi-factor authentication. It’s going to be zero-trust architecture, which, for any listeners out there, if you don’t know that, zero-trust just means a lot more challenging of identity on the corporate network, a lot more access control and challenging people moving around to determine their credentials. But more technical measures like that.
And then third is going to be more oversight of the software supply chain and how you, the company, ascertain the providence and security of any third-party code you grab from somewhere and put into your products for the government or other customers. How do you assure that other suppliers you’re using are giving you secure material so that you’re not the cybersecurity risk. But it’s supply chain oversight. It’s tighter security. It’s more disclosure of attacks.
And maybe if you could just tell me a little bit about, where do you think this is…what’s driving all of this now? I mean, clearly, cybersecurity has been a big pressure for a long time, but, you know, we’re seeing more invigorated attention to the issue. In your observation, what’s behind that?
Patrick: Well, you know, I certainly think some of the most recent events…you know, you touched on the SolarWinds breach. You know, we had the zero-day Microsoft Exchange attacks that affected a lot of organizations, and, you know, not only private organizations but government organizations as well. I mean, you know, they were also part of the SolarWinds breach. They were part of the Microsoft Exchange zero-day attacks. So what we’re seeing is that they’re becoming more significant. And I think what really kind of pushed this over the edge, or what was, you know, the turning point for the executive order was when our actual infrastructure was affected. When people were lining up and couldn’t get gas. You know, there was the lesser-known JBS meat market, or meat producer, that was breached, that was possibly gonna cause a meat shortage.
Once it starts affecting daily lives of the citizens, I think, at that point, you know, it was time to, you know, at a government level, get something in place. Again, and I think it’s all excellent ideas. It’s all great on paper. But again, I think it’s certainly gonna present a lot of challenges, you know, moving forward for organizations as we have to go back and look at all of those potential pieces of code and identify where they came from, and are they secure, and, you know, how many lines of code are there, how many pieces of code did we import from third parties. It’s gonna be a lot of work for some organizations.
Matt: Dia, let me ask you, and then Jamal and Monica, I would also love to get your thoughts on this too. How would you describe cybersecurity concerns and regulations right now, like, what we’re trying to achieve? And I think we’ve moved beyond the old idea of keep all hackers out of the network to…what, exactly? You know, what is the operating state that the federal government would like to see for cybersecurity?
Dia: Yeah, I think that there is an inherent tension in that a cybersecurity attack is pretty inexpensive. It doesn’t take a lot of resources, and to be on the defensive side, you have to get it right every single time. And I think balancing the volume and frequency of attacks and the devastation that those can have is really difficult because, obviously, if you’re a vendor or company, you don’t necessarily wanna disclose that you have some kind of vulnerability. And I think that’s where we see some interesting initiatives, sort of, coming through with disclosure. What kind of protections do you afford companies to try and encourage them to disclose any vulnerabilities? Is it gonna impact their insurance, if they have cybersecurity insurance? And then just looking at the overall regulatory framework. But it’s gonna be complicated, and I think it takes a lot of discussion and good partnership with government and industry.
Matt: Yeah. Jamal and Monica, what do you think about the demands, the objective the federal government is trying to achieve here with all of these orders?
Jamal: Yeah. Thanks, Matt. Well, before I get to that, I just wanna do a quick…say thank you for having us here. Monica and I come representing a rather new organization called the National Association of Black Compliance & Risk Management Professionals, NABCRMP for short, and that was a mouthful. But we serve as the chair and vice chair, respectively of a privacy and data security group. So our aim is really to be able to participate in things like this, which gives minority professionals and practitioners of compliance and risk a voice and bring new people into the fold, into the…industry.
So, to your question, so, before finance industry, fortunately, I spent a number of years as…government civilian working in operations, cybersecurity operations, and also as a contractor. And I see one of the main concerns, even back then, for me, talking about, you know, a few years ago plus, supply chain management was a big issue, and that’s one of the big things…focuses of the executive order. So it’s not just keep the hackers out of, let’s say, affecting, you know, the direct vendor of the product or software maker or whatnot, or the service provider, but what components are they using, and how can hackers exploit long-dormant pieces of code that have been vulnerable, never really been looked at, and use that as a foothold into government and other organizations.
So, for example, for all those folks aware of, like, IoT, internet of things devices, a lot of those devices, you know, your home commodity routers you have up here, that you have at home, switches, TV sets, refrigerators, yes, as brand-new as they are, as whiz-bang as they are, they’re using code, or pieces and libraries that are from, you know, maybe 15, 20 years ago that have never really gone through a really full audit. And just that being open-source is really not enough to really protect those things. So I think government really has a lot of different fronts that they’re fighting on and that they’re trying to use their influence on the contractors and vendors to, really, affect all of industry, which I think, in some cases, is a good thing. But I think Patrick kinda alluded to, sounds nice, but it’s very hard to implement, in some cases, especially for smaller providers.
Matt: Monica, what do you think?
Monica: Just to echo Jamal, as well, I wanna offer it from the vendor side of it. The vendor is providing a great solution, right? These great products that could make ease of our day-to-day operation, or, you know, from scheduling panels to streaming devices, all of those things. But the moment you become a part or you connect to a network, you are somehow connecting to the internet. You are now opening yourself up to potential doorways, gateways, opportunities for someone to peek in. And I think, oftentimes, as a consumer or as a vendor, we just want our products sold. We wanna, you know, give this great presentation of how we can make today’s life better. And, in retrospect, your product does, but it also adds additional risk, because as a consumer, as a vendor, you don’t want to find out after a full investigation or forensics that your product was the gateway or the doorway into someone’s potential breach or hack.
So coming from the government sector, because the government needs the fastest data, you know, it needs to be able to give information quickly on the internet, but it contains some of the most classified information. Someone has to say and disclose, you know, “We had a breach.” But no one wants to say that, right? Because we lose the trust of the American people, we lose the trust of other organizations, and trust is earned. And so it is definitely scary to hear. And also, you know, from a compliance perspective, nobody wants compliance. Let’s just be real, you know. No one’s interested in, you know, myself walking in a room and say, “Hey, is this documented?” They’re not interested in that, because it takes time. But it’s this document that is either going to save us for following process and documentation, or it’s going to be the document that’s missing, that once one questions what happened, what is your response?
Jamal: And Monica…
Matt: Oh. Go ahead, Jamal.
Jamal: No, I was just gonna try and make…because she kind of woke another conversation, or maybe even reminded me of another conversation I had recently about what, kind of, also brought this on, too, is that people are getting used to these news clippings and headlines of cybersecurity breaches, right? And I think that’s not a good thing in terms of kind of lulling us to sleep a little bit. So, people are starting to get used to, you know, these big retailers being hacked and your credit card information being stolen, right? Over the last few years. They’re used to, just, free credit reports. They’re used to, now, which is started to happen, a lot of ransomware stuff.
So the question is, you know, what can both industry and government do to, kind of…both education but also just put in the right regulation and compliance to the necessary level, right? That’s always the big question, to really ensure that, you know, even though people are kinda getting used to being hacked, unfortunately, companies are used to being breached, and people don’t have the same bad reaction to it as they did before, still have some type of protection, still have some type of, you know, proper response to it.
Matt: Well, Jamal, that’s an interesting point, because, like probably everybody on this call and everybody listening, I have been hacked numerous times. I’ve had to go and replace my credit cards or my Target card or get credit monitoring services, or whatnot. And you’re right that it’s annoying, and then I swear I’m never gonna do business with this company ever again. And then three weeks later, I do because I’ve gotten over it. And, like, that was the mentality. But I’m wondering how much ransomware, in particular, and maybe the more invasive espionage of, like, the SolarWinds attack, how much is that changing pressures in the boardroom that, you know, if you can’t actually pump gas to 100 million Americans, or you can’t get meat off of the loading dock, which happened with JBS, that’s a whole lot different than, we’re just going to annoy and exasperate our customer base for a while and endure some bad headlines.
But the operational threats, I’m wondering how much they have focused the mind and…I don’t wanna say boards hadn’t taken cybersecurity before. I’m sure they did, but this latest manifestation of security attacks really kind of lights the fire under them like nothing we’d ever seen, and it’s leading to a more rigorous response. Patrick, maybe I’ll ask you about that. You know, if you’re dealing with clients or talking with board members or CEOs, like, do they have a different view of it now that, “Oh, my god. This is for real. We could be totally shut out of our systems forever.” Like, what’s going on?
Patrick: Yeah. And Matt, so that’s part of our job as consultants, is going out there and showing the executives, showing the board members what is the actually potential. You know, I think, in our industry, we’ve kind of fallen into a rut of, “Okay, well, we failed the phishing test, you know. Well, we’ll train our users.” Or, “Okay, well, we failed the pen test. You know, we’ll put some patches and, you know, fix it, and we’ll be better.” But what they don’t realize is, you know, if it wasn’t a good guy doing this and it was a bad guy, you know, “Here’s all of the information I stole from your organization.” I can promise you there’s nothing that grabs the board’s attention, when the payroll goes out, when the offer letters are stolen, when the board meeting minutes are there, when legal is stolen, and I have the entire compliance folder with all the audit results. That really goes to show, you know, not only can I disrupt your operations…
And what we’re starting to see now is, kind of, the ransomware, with the blackmail on the back end. “We’ll encrypt your files. You’re gonna have to either pay us or rebuild from backup. But also, by the way, if you decide to rebuild from backup, we also stole your files, and now we’re gonna publish them on the dark web.” So we’re starting to see that a lot more as well. And that’s really starting to get the attention of the C-level and the board folks.
Matt: Yeah. Dia, let me ask you this question, and then maybe Jamal. I know you do a lot of, say, penetration testing and forensics, and I’ll want your thoughts as well. But back to the Biden executive order, one of the things that it says is, not only must you disclose if you have a ransomware attack, but you have to preserve as much data and forensics about the attack as you can. And you have to cooperate in the investigation that somebody somewhere might do. And I’m curious, in your observation, how prepared are companies to do that sort of a thing, especially if you have to submit, say, data to an…I don’t know, a U.S. agency that’s investigating the attack, but you have to think about consumer privacy data that you might be handing off. This might go to the justice department, who’s going to indict some activist in North Korea or Iran, and now, suddenly, your legal department is like, “We disclosed what to whom, and I have to cooperate with the investigation?” Like, do companies know exactly what they’re getting into when they’re told, “You have to cooperate and be prepared to dig into what’s going on”?
Dia: I think they do have an idea of the extent of what might be involved. I think it’s very different, depending on your organization and your business. For instance, a company like Microsoft works pretty closely, my understanding is, with the government in terms of vulnerabilities, getting them patched, getting them disclosed and, you know, trying to address them quickly. But I think we have a real problem unless we get into potential fingerprinting and the blame game. Who’s gonna be left holding the bag for loss of business, loss of whatever it is? And depending on where you are in the food chain, if you’re a vendor, if you shut down, you know, 100 million households and they don’t have heat, what does that lawsuit look like? And so it’s not as easy as just agreeing to share data, because you get the lawyers involved, and, you know, everyone kinda wants to be protected.
I think it’s interesting with the discussions of whether ransom payments should be tax deductible. Does that then create some kind of perverse incentive to, kind of, reduce your tax liability? Like, “Hey, we didn’t quite get that patch installed. But I think it will be very difficult. There are some examples through the…of these partnerships existing and the communication being open, but I think it will be very hard for privately held, publicly traded, nonprofits. It’s just such a huge universe out there in terms of what could go wrong by whom and what the impact would be.
Matt: Yeah. I should mention, since we mentioned ransomware, the justice department has already told corporate America, “If you pay ransomware and we track it back that you accidentally paid money to North Korea or Iran, yes, you might have a sanctions violation that you’re gonna have to deal with.” Or if your ransom payment goes to terrorists, yeah, you might have a really big problem with the National Security Division of the justice department calling your company. And I don’t think that would be a fun conversation to have.
Dia: Right.
Matt: That you could definitely get caught coming and going with what to do about ransomware. But, Jamal, I did wanna circle back to you. I mean, maybe talk a little more about, you know, how well do you think companies are prepared for some of these demands that the executive order is gonna bring to pass, like forensics and cooperation? You know, how robust and mature are their capabilities there?
Jamal: Yeah, I really think it depends on the size of the company, the experience of the company dealing with either regulators…so, for example, even if it’s the finance industry or finance institutions, the executive order also addresses beefing up logging and things like that, which will, of course, assist being able to send information to the government and assist in investigations. But I think…in general, I think it’ll be a hard problem for a lot of the smaller…especially when we’re talking about government contractors and vendors, meaning that, you know, it’s one thing if, you know, you have a larger company or midsize company, you can quarantine off a few folks to, you know, participate with the government and help with the investigation.
But if you’re a smaller company, you just run a few folks, you still have to also keep business going. You still have to address clients. You still have to do other stuff. So that’s expense. That’s resourcing. That’s also just inexperience to some. I mean, you know, some folks may have prior government experience.
So I think it’s gonna be about how much, as the details come out about what cooperation looks like. You know, like the things that, you know, you brought up, Matt, and also Dia, about just the effects of, let’s say, the company intermittently deals with both private industry clients and government. So there’s a breach on one side and now the other side, but now you have to turn over information to government about, let’s say, you know, your clients have nothing to do with government, and maybe they don’t like to know that their information is getting turned over to certain departments, right?
Because right now, I think it’s gonna be a bit complicated, a bit complex. And, really, the agencies will really have to hammer out, like, specifically, what details, what attributes at the login, how to do minimization, standardization of the data, or else you’re gonna have, you know, lobbies and other folks in public speaking out against that, too. So I definitely think there’s a lot of work to be done on the legal side.
Matt: And Patrick, I wanted to pose one question to you about the other big cybersecurity effort that’s underway right now with the federal government, which is the CMMC compliance for defense contactors. Now, that is a long lead time of about five years, and it’s starting with large defense contractors now, but five years from now, anybody in the defense industrial base, which I think is about 300,000 businesses in the United States, will have to be CMMC compliant. And there are five levels of it, depending on the security risks that you might face, and the more you have, the more controls you need to implement, and the higher the level.
But Patrick, I have to tell you, I have been struck by the number of compliance officers who aren’t really familiar with CMMC, and I was just wondering, what has your intersection with that been right now, and, you know, how difficult do you think it might be for some of the firms out there? Are they gonna learn the hard way that this is not an easy thing that they can just put off until later?
Patrick: Yeah, absolutely. We’ve been having these conversations more frequently over the past couple of months. It’s really ramped up, you know, as the guidance continues to come out. You know, the CMMC, I think a lot of those 300,000 companies are gonna have to be up to level 3, which I believe is somewhere around 150 to 170 controls, maybe 110, I don’t… All the levels kind of blur together at this point. But there’s a large effort…I mean, it’s a large effort, especially for some of these organizations that don’t have a mature cybersecurity infrastructure, or, you know, some folks are just understaffed. You know, it’s very difficult.
And what we’re seeing is, you know, from a cost perspective, it’s going to be expensive. From a time perspective, it’s going to be resource intensive. You know, it’s a lot of documentation, a lot of policy, a lot of procedure, and as Monica said, you know, people don’t like that stuff. That’s compliance. “I don’t care that it’s not documented. I know you’re doing it. Just get it done and move on.” So a lot of folks are really having to kinda take a step back, look at all of their documentation, really beef it up. And again, we’re seeing folks, you know, they’re concerned. You know, some of our smaller organizations are saying, you know, “We don’t see how we’re going to do this. We don’t see how we’re going to budget this. We don’t see how we have the resources to do it.”
And, you know, a real-world example…I’ll tell you for the folks that aren’t aware that it’s coming, it is. We have a client that it’s already affected their business. I won’t say who it is or who they were contracted with, but because they did not have a…they were unable to bid, and that quickly went from an IT project to a CEO and CFO yelling, and “Get the ball rolling.” So it quickly became a business issue and not an IT-only issue.
Matt: And then, Monica, talk to me a bit about…I’ll try and tie both of these programs together, but the new executive order that’s coming down, the CMMC, a lot of it is going to be about managing your supply chain and documenting that your vendors and their subvendors and so forth, they’re passing cybersecurity muster for you before you go and bid on the contract or work with the feds, or something like that. So, how challenging is this going to be? I mean, on one hand, vendor risk management isn’t a new idea, but I’m curious how you see, how difficult is it going to be to bring vendor risk management up to par for the challenges that are coming down the road now?
Monica: Great question. I wanna preface it and then answer it. So, I wanna start with in the early or late ’90s, early ’90s with the Enron debacle, right? And they had all the, you know, anti-money laundering and, you know, fraud accounting. It wasn’t a new thing. There were regulations in place, but no one followed them, and then there was not an echo or a consistent message from the government for the CEO, the CIO, CFO saying, “Let’s follow these protocols.” And so after that exposure, then compliance and risk management became a huge deal, right? It was like, “Get someone in here that knows what this is supposed to do.” Everybody wants to prohibit themselves of being Enron, right?
Now we are facing cybersecurity ransomware that has literally almost crippled the U.S. We’ve already had a pandemic. We’re still in a pandemic that has crippled the world. And so oftentimes, and I remember and when I’m working in the transit market for federal government, it was, “Oh, you know, let’s have a disaster recovery plan or a business continuity plan. And what if there is a pandemic?” And everybody was read a sentence, because no one would have thought that in 100 years we would be in the middle of a pandemic.
Now, today, vendors have to attest to, “If there’s a pandemic, what is your backup plan? If there is some type of natural disaster, like in Louisiana where there was several hurricanes and earthquakes and what have you, what is your plan? Is there some redundancies?” And it is not just, “Oh, this is what we do,” or “We’re going to leverage just AWS or Azure,” or any other cloud hosting product. We have to spell out, what is our operation process, and what is our team going to do when it’s necessary? So when we take CMMC, you’re gonna have to document no only what your process that you’re gonna attend to do, “Oh, we’re gonna do 24 hours. We’re gonna notify our clients,” etc., etc. You have to prove it. There has to be some evidence and artifact.
With the Biden administration mandate that’s coming out, listen, they’re trying to protect our way of being, right? And because everything from our cars to our airplanes, my goodness, to just air and electricity, all of that is on the internet, and it has some connection to, you know, data and analytics. And all it takes, and as Jamal has already said, one slice, one spit of code to cripple our airlines, to cripple our utilities, to cripple just our way of life. So I think it’s really important. It’s gonna be very difficult because, now more than ever, many vendors or many companies have been able to skirt by a little bit, right? Just with, you know, “Oh, we’ll write a sentence. Here it is,” and give you a documentation. Now, the government’s gonna ask, “Oh, that’s great that you have a piece of paper. Now show me that you’ve been following this process along the way. And then if you don’t, that’s okay. But give me a plan of action. Give me a form of mitigation.”
So you have to provide artifacts and evidence of what you’re doing and why you’re doing it. And so it’s more than just doing something. It is now something that we have to echo from the top level. We have to have, like, a consistent message. And here’s the thing about compliance, compliance and risk management and government. And that is getting the buy-in. You have to get the buy-in of your governance board, your board of committee, then forget trying to get just your top leaders’ buy-in, but then you have to get your employees’ buy-in. And that has always been the larger pillar of challenges or hurdles that anyone in compliance has had to overcome, is that you have to get their buy-in and educate them, “Listen, this is really important, and it’s more important than ever.” Because, again, we’re in the middle of a pandemic, and literally, the pandemic literally shut the world down.
So I think it’s gonna be very…a lot of heavy lifting for vendors to bring these massive documentation together. And we’re not talking just a manual, we’re talking a whole policy processing procedure on role-based ethics control. We’re talking on policy and procedures on disaster recovery. If there’s a disaster, what is your plan? We’re talking business continuity. Are you scanning your critical services? What does that look like? And do you have the artifacts to prove it? So I think there’s a lot of components that people are not really considering at this moment, but they’re gonna quickly realize shortly, here.
Matt: Well, that brings me to another point that I wanted to get to. It’s about who owns this? And at this point, I’m not even sure exactly what the word is for this, because it’s more than cybersecurity. But, you know, you’re talking about policies and procedures. That sounds like something compliance owns. We’re talking about evidence. That sounds like something internal audit might do. Or if we’re talking about the results or, say, more embedded security controls, that sounds like something that CISO might own.
So, Jamal, maybe I’ll put it to you first, and then Peter and Dia, if…or Patrick and Dia, if you have other ideas, you know, who should own this? I know we’re gonna try and punt and say this is a team approach, but, okay, in that case, who should be on the team, but who’s still going to be chair of the team? Like, Jamal, what do you think?
Jamal: Yeah, I mean, depending on the organization, the way it’s structured, I mean, it’ll either be the CIO or I think probably the CISO reporting to the CIO will own it. Now, in some instances, I have seen where the CISO is kind of separate from the CIO. They give a little bit more autonomy, and, you know, they feel that works better. You know, that’s up for debate. But I think one of those roles, at the end of the day, will have to really own it. And then, you know, depending on the size of the organization and so forth, pretty much like you said, Matt, actually, you have to set up your lines, your first line, second line, third line, spanning audit, spanning, you know, operational risk and discovery and governance, and also those hands-on testing.
But, you know, at the end of the day, who reports to…you know, who owns it, whether CIO or CISO. So, you know, I think you have to have a robust vulnerability management program, robust instance response program. But also, what I think some folks miss, even aside from the compliance and governance piece, is really folks that are dedicated to looking at, like, the security structure policies and architecture of all these systems, all these assets coming into your organization that really can define or kinda write the documentation like, “Hey, this is how things have to run. Whenever you enable, flip a switch or anytime you bring in a new IT asset, it needs to adhere to these standards.” And then, you know, some other groups, such as whether it’s the pen testers, internal audit and so forth will actually put those things to the test.
Matt: Okay. And Patrick, you’re the resident CIO on the panel, so, per Jamal’s comments there, do you own it? Or if you own it, it seems like you can’t do it anyways without several other parts of the company being instrumental to doing it. But what are your observations?
Patrick: So, you know, you can call it…you know, I’ve heard it called business owners or process owners or application owners. But again, any type of system on my network, you know, I’m not the administrator for everything. You know, especially as you get to these larger companies, you’ve got hundreds of administrators working on thousands of different systems. It is a process. But again, you need to get with these business owners, the folks that are using these systems day to day. Now, you know, is that somebody…is that the CISO? Is it the CIO? Is it somebody underneath me that’s gonna roll up to me? But we wanna understand, you know, how are the actual employees of this organization using the software?
You know, a lot of times, IT is tasked with, you know, “Put this online, give it an IP address and let us go to work.” And we don’t understand what’s important, you know? Well, where does that data go? You know, as long as it’s up, IT thinks, “Okay, well, we’re good. We did our job.” Well, no, now we need to understand, you know, “Well, what is that data? Where does it flow to?” You know, “What kind of protection does it need?” And we need to have those conversations with that application owner and get an understanding of, you know, the way the business uses the applications. That’s where we really had some meaningful conversations being able to find, “Okay, you know, maybe this application isn’t all that, you know, required for security, but down the line, this data does roll up to another application, and then there it becomes, you know, really sensitive, and we need to ramp up some controls here.”
So, really understanding, you know, kind of, the business processes well, you know, getting the CIO, the IT staff involved, and kind of working with the business owners that use those systems is generally a good approach to getting that information.
Dia: Yeah, I think we’re moving to a time where you need to have a compliance program. You can’t just…you know, let’s say you’re going to the dentist. You can’t just brush your teeth that morning. You need to have brushing, flossing, the whole 9 yards, or you’re gonna end up with some very expensive dentures. I think it’s sort of where things are going. And we’re seeing a shift from marketing, where you want to collect as much data as you could. It was easy to collect. And we don’t know what we’re gonna do with it, but it’ll be useful sometimes, or somehow. Now we see companies stopping and thinking, “Do we really want this data? Do we wanna use the resources and have the technology in place to protect…don’t want it after all.
And who are our vendors? The same thing. Your whole chain of supply, looking at everything you’re working with and, you know, do you need it? Do you wanna work with them? Where’s your data? And you just can’t skate by without having a very robust compliance program and this system in place. And it has to be a company-wide discussion with multi-stake holders.
Monica: And also, I just wanted to just jump in really quickly to add to that. For companies who potentially don’t have, you know, a CISO or a CIO, your chief compliance officer will have that as part of their component, right? The compliance, corporate ethics, all of that, again, having that robust…like Dia said, having a robust compliance program is going to have all those components. Oftentimes, compliance is considered or looked at as from an HR perspective, you know, what those compliance or regulatory requirements or standards are. But if you have a good, diverse chief compliance officer that can compartmentalize each of those components, yes, you can have a director of IT security and let them build out that program, but all of that information rolls up to one person.
And again, if you have a large company and you can actually have those C-levels to really take full ownership of each component and compliance, great. The only drawback to that, I think, is that a lot of times, it comes compartmentalized. So what the CIO is doing, if his IT support team, IT services team may not communicate like they should with the CISO team, or IT security, you know, what they’re doing in internal audits. Or you may have two separate internal audits going on. And then also, that same conversation when someone is terminated, on their last day. What’s their last day of work, right? What’s that policy? What’s that process? Well, you may need to have information going to the CIO’s team, which is, again, the corporate IT services, but you also need to be communicating with the CISO’s team, which is IT security, and make sure all the access is, you know, removed. And what does that look like?
But oftentimes, for those who have…are a medium to large component where they’re not necessarily breaking down each of those components as a whole department, a well-diverse chief compliance officer is, I think, the owner of this. But again, this compliance officer has to be able to build inter-department relationships, because it’s gonna go to the HR, it’s gonna go to your operations, it’s gonna go to your IT team, and, you know, I think there’s gonna be more pressure and more of a level of a standard when it comes to that level.
Matt: Now, I have to admit that my Wi-Fi conked out for a moment or two a few minutes ago. So forgive me if I ask a question that has already been answered, because, Monica, it sounds like you were getting ahead of my agenda. You were giving a great answer there.
Monica: Oh, my fault.
Matt: I was curious, you know, basically, where any of you have seen companies handle this poorly, for lack of a better word. Because it is a lot of cross-disciplinary relationships that have to be built, and a lot of clarity around, “How does the transaction actually work, and how does it flow? So what does this mean for our security risks?” You know, I don’t know, maybe Jamal, I’ll ask you first, and the Patrick and Dia, if you have any other observations. But, you know, where would you fear that a company might accidentally drive into the ditch with what it’s trying to do here? What could it get wrong?
Jamal: Well, actually, I’ll pass it to Dia on this one. Unfortunately, up until recently, I don’t have as much visibility into that.
Matt: All right. Dia, what do you say?
Dia: Oh, man. Well, of course our clients are excellent, right?
Matt: Sure.
Dia: So, the people I work with. It’s just headlines, things I’ve read and heard about. I think one thing that companies…the first thing I would recommend is having a current inventory. If you see something in the headlines like, “Oh, there’s a breach of Solar…” You know, at SolarWinds, you can look at your company assets and say, “Oh, we don’t use SolarWinds. We’re good there. We don’t need to worry about it.” You will save yourself so much time and energy if you don’t have good communication and tracking within your company. And it turns out, actually, yeah, it was installed two months ago or a year ago. That’s a very different problem.
So I think that’s…we’re seeing a lot of that, that having good asset inventories, good handle on your environment, what might be secure, any kind of network segmentation. An example of that would be Target…not to, you know…sort of beating a dead horse on that one. But it came to the HVAC system. You know, what does patching look like? Do you have things segregated, segmented, and kind of tucked away? Or, you know, what are your access controls? So the very basics that you learn in a Cybersecurity, kind of, 101, or Information Management 101, are you adhering to that? It’s surprising how often big problems arise from very small fixes, things that everyone sort of knows…you know, phishing. It was an email that you just shouldn’t have opened. And I think just staying aware, staying on top of what the headlines are or what the news is, looking for vulnerabilities, breaches, you know. And it’s hard. It’s really hard. It takes a lot of time and energy, and I think the trick is to be able to have logging, monitoring, things like that.
You will get breached. Everyone is gonna get breached or hacked. The question is, how quickly can you identify it? How quickly can you get any potential bad actors out of your systems, and how well is your data protected? Is it encrypted, for example. So I think just basic things like that are helpful.
Matt: You know, it’s funny that you bring up asset inventory, because I know, for example, the Securities and Exchange Commission has been telling publicly traded companies, “If you were a victim of the SolarWinds, we expect you to disclose that to investors.” And they have made it abundantly clear, they don’t believe every single company that has been victimized has come forth and disclosed. And the SEC has also, lately, been fining a company for disclosure control failures, because IT security maybe knew that they had a problem, but they forgot to tell somebody else or, to your point, somebody forgot to tell IT security or compliance that, “Oh yeah, we installed SolarWinds three weeks ago, and, you know, oops.” You know, and the…deadline has already passed and you have a mess. So it is very topical, in multiple ways, to know about your asset inventory.
Patrick, what do you think? You know, where do you see companies struggling, or practices you would recommend people avoid?
Patrick: I was going to kinda chime in with what Dia said. And, you know, unfortunately, you know, whether you wanna call it cyber hygiene or the blocking and tackling. But quite honestly, it gets set up wrong from the beginning. We’re getting the basics wrong. And it’s an operational decision, and I think, you know, maybe 15, 20 years ago, yeah, just give that person local administrative rights and let them install a printer so they can quit calling the help desk. You know, so that’s just the way they’ve always operated, and it’s really, really difficult, once you give your employees permissions, to take them back.
You know, “Hey, I can’t do this anymore. And once I used to be able to do this, now I can’t. And now I have to call every time.” And that’s frustrating for them. They can’t do their job, and they see it as a hindrance. But, quite honestly, that really could, quite honestly, stop probably 90% to 95% of the attacks that we see. You know, just the basics, not assigning local administrative rights to the end users, you know, enforcing a strict password policy, you know, having some technical controls available to check passwords that have already been breached and not letting your users use those types of passwords. Again, like I said, relatively, basic things that you would hope most organizations get right.
And then, again, I think a couple of folks mentioned this, we only need to find one account. You know, once you are talking about, you know, a 20,000, 30,000, 50,000-employee organization, it might not be that difficult to have one or two accounts slip by. The way it works, you know, I’ve been on both sides as the auditor, and getting audited, and being pen tested in the pen tester. It’s just guaranteed that if there’s only one or two accounts that you’ve missed, that auditor or that pen tester will find it while they’re there.
Matt: Yeah. Here’s a question from the audience. Oh. Jamal, did you have something?
Jamal: Yeah. Yeah, I’ll just be real quick. Yeah, I just wanna chime in and second everything that Dia and Patrick kinda brought up. You know, I put on my, kind of, like, adversarial hat. So, like Patrick said, you know, if I’m doing a pen test or doing a red team engagement, you know, my goal is to simulate what a, you know, third actor who’s likely to target that organization would do.
And the things from this executive order that kinda stand out to me, which I think, no matter what, these organizations, these companies need to implement, are things such as the zero-trust model, things such as multifactor identification, things that would either slow me down or cause some frustration from an adversarial standpoint. Because it’s not always about just finding some vulnerable piece of software or some exploit. It’s really about, kinda like what Dia mentioned, finding the weaknesses and the processes and the communication lines. How long can you stay in the network before this person races up to this other person or to the compliance officer and says, “Hey, something weird is going on with my computer. You know, this person is supposed to be on leave, but I saw that they were active.” Or they didn’t shut down…like Monica was saying, they didn’t shut down this account after this person left, but they seem to still be active.
So when we do these red team engagements, that’s really what we focus on is making sure that the processes and the communication lines are as they should be. The exploits and stuff are just kind of like toppings on a cake and really, you know, not a big deal when it comes to these real serious adversaries.
Matt: Here’s a question from the audience. “Any advice on how to get started with a cybersecurity risk assessment for my supply chain? What sort of attestations or representations should I be asking for? Do I get SOC 2 audits on everybody?” Dia, maybe I’ll pose that question to you first, but what advice would you give them?
Dia: It’s a great question. It depends on what your business is and who your vendors are, but I think, certainly, looking for things like SOC 2 audits, PCI, DSS, or ROCs, and attestations of compliance. You can look at who their…if…that you have clearly contracted, that you have a right to audit, or, you know, get whatever regulatory requirement or framework is appropriate, are they adhering to NIST, doing due diligence, making sure you have a robust vetting program before you engage any vendors, things like that. If they’re publicly traded, you know, doing a little Google search. But I think a lot of…you know, there are so many different frameworks and formal reports that you can get copies of, and just make sure that those are in your contracts.
If you’re using a cloud service provider, you might wanna see who that is, where your data is, what right you have to know about where it’s stored. We’re seeing a lot of offshoring, and you have no idea what country your data’s in. So, is it subject to GDPR? Or, as we say in Boston, GDPR. What do you need to worry about is important. And just don’t be afraid to ask those questions. If you don’t like the way a company answers them, there are lots of vendors out there.
Matt: Sure. Monica, do you have any other advice? I know that you’re spending a lot of time thinking about these kind of issues.
Monica: Absolutely. For just for starting out, you know, one of the things is sending a vendor questionnaire or some type of risk assessment questionnaire. And I believe it’s the cloudsecurityalliance.org that has what they call a basic…it’s a massive questionnaire that you can send or tweak that you can send out to your vendors, and they have to attest if it applies to them or not. And it covers an array of questions from endpoint devices, to HR policies, to risk, to internal, all of those things. And again, it really depends…like Dia said, it depends on your organization. But if you mean, like, a starting point, “Where do I start?” I will recommend that, because that whole questionnaire is aligned with the NIST cybersecurity framework, which is your baseline, right? And so if you start there, you can start developing your own what’s really important to you and what isn’t.
Matt: You know, here’s a question I have is, what would you recommend that be reported to the board about cybersecurity? Because on one hand, you can weigh down the board with a lot of discussion about regulatory compliance with CMMC, or HIPAA, or potentially new government contracting orders, or whatnot. But that always seems to me that you are weighing down the board with the details. And I’m trying to figure out what other sort of more strategic questions they might want to get answered, as in, “Do we fully understand our software supply chain? It’s not going to be a risk. We don’t have to worry about that as we pursue our business objectives.” Like, what sort of bigger-question issues should be discusses with the board? Patrick, what do you think about that?
Patrick: Yeah. And I think, you know, that that’s a great question. And I think part of it is, you know, hopefully, the CISO or CIO or whoever’s presenting to the board, you know, has a good relationship with the board, understands their level of, you know, understanding of technology and risk and the threat landscape today. You know, I’ve been in some instances where, you know, the board members really didn’t care about cybersecurity. It was a cost. That’s all they saw it as. You know, that’s all they were doing. You know, every time we were proposing something, it was always just, “Here’s a piece of paper for a project” that they didn’t understand. “Please give us hundreds of thousands of dollars, and we’ll be on our way.” You know, in today’s world, I think we need to do a better job of, you know, raising, you know, not only those questions of, you know, “Well, where are our risks coming from? And let’s understand what our true business objective is, and how do we align our IT strategies with the business objectives to make sure that, you know, we keep the organization secure and moving forward.”
But again, we also need to explain what we are doing. Again, like I said, most of the folks on the board, you might get lucky and get one that has a solid IT background, but in a lot of instances, they might not. And I think it’s our job to explain, you know, some of these protections that we’re putting in place, the money that we’re spending, the budget that we’re asking for, the training for our employees that we’re asking, you know, to keep up with these threats. And I think we need to do a good job of explaining to the board that, you know, we’re not just asking for money. We’re keeping this organization secure, and, you know, a lot of things of this business most likely do run through IT and the systems that we try to secure.
Matt: So, we only have a few minutes left, and I just would like to maybe pose a closing question to each of you. Maybe if you could take 30 to 60 seconds, and that’s it. But, basically, I’ll ask Jamal and Monica first, and then Dia and Patrick. How will we still be struggling with this, say, five years from now? How much more progress do you think we will have made, or are we still going to be struggling with cybersecurity in these fundamental ways, here? What do you think? And Jamal, like I said, I’ll start with you, and then Monica and Dia and Patrick.
Jamal: Yeah. So, you know, someone from the inside of government, in five years, most definitely still, in my opinion. Things will take time to be adopted. And, you know, we kinda focus a lot on just…you know, from the vendor and from the, you know, company and supplier standpoint. But even within the government itself, you know, they still have to get their ducks in a row. I mean, CISA, as an agency and organization, is still rather new. And the other organizations, the agencies that will be involved with this are still trying to spin up their new departments and resources and teams. They have all the normal politics at play, and stuff at play. So I think five years from now, most definitely, we’ll still be struggling with this.
So the question is really like, hey, how will we look, to be honest, maybe 15, 20 years down the line? But then you have new vulnerabilities and new technologies to deal with. And I’ll pass to Monica.
Matt: All right.
Monica: Absolutely.
Matt: Monica, what do you think?
Monica: I absolutely echo Jamal. I would say that in five years, we are still going to be having the same conversation, because again, it comes down to the buy-in. Oftentimes, if it doesn’t happen to me, then it has no relevance. But once it happens to me, it does have relevance. So, unfortunately, I think as the continual attacks take place and we see this big exposure of these companies, where they’re losing trust, and they’re having to backpedal their policies and procedures, then more people and more companies are going to take this more seriously. So we do have a long way to go because, again, no one wants to write documentation, no one wants to read policies and regulations, and until it happens to them, then it’s not gonna be necessarily relevant to them. So I think, in five years, we’ll still be having this conversation.
Matt: All right. Dia, what are your thoughts?
Dia: Yeah, I think we will continue…if we could have this panel in five years, I’d be curious to see where we are in some of the information sharing with, particularly, federal government and private industry. I think one thing that we need to do is work with people who don’t work for companies that have routine phishing exercises and things like that, so people who either aren’t in school or aren’t at companies where they’re working on trying to help with cyber hygiene. So I wanna make a small…to reach out to maybe your parents. If…gone through phishing exercises, and I think that that’s something we need to look at is looking at people who aren’t being reached by, sort of, corporate training exercises, and how we educate the broader public about the risks and dangers and ways that we can all protect ourselves. And I’m guessing passwords will probably…we’ll see a bigger evolution in that. I think that’ll be probably the bigger change we’ll see in five years, passwords and more multifactor authentication.
Matt: And Patrick, you get the last word.
Patrick: Well, as, I think, Jamal could probably attest to, you know, the tips and attacks and tricks that we used 15 years ago worked 10 years ago, worked 5 years ago, work today, and they’ll probably still work in 5 years from now at some locations. So again, I think organizations will take some time to really get this. And, as Monica was saying, if it doesn’t happen to them, they don’t really care. But I can tell you, some sales calls I’ve been on before, trying to sell some of our services, pre them getting breached and then post them getting breached, easiest sale I’ve ever made. You know, it was a piece of cake afterwards, because they realized what a real issue, what a headache, what the downtime was, what the true cost was, and then they took it seriously. So I’m hoping more organizations will take the proactive approach, but again, I don’t think five years is gonna be enough lead time for that.
Matt: All right. Well, we are out of time, so I want to thank all of our panelists here. And thanks to ComplianceLine for sponsoring this and making it possible. So that concludes this webinar today, but again, everybody, thank you very much. Covered a lot of ground, gave us a lot to think about. We appreciate it.
Dia: Thank you.
Jamal: Thank you.
Patrick: Thank you.
Matt: All right. And for everybody listening, thank you for joining us, and have a good day.
