Changing the Security Game
At CSC, our various business units each have a chief information officer (CIO), and as the chief information security officer (CISO), I work hand-in-hand with those CIOs to continually increase information security for employees and customers. As a trusted partner of eight of the top 10—and more than half—of the 100 Best Global Brands as ranked by Interbrand®, we have to keep security as the top priority.
The ability to provide continuous accessibility and support around the clock is paramount to ensure our global clients’ data remains secure and their brands stay protected. With eight business units within CSC providing a variety of services, keeping the various customer platforms running and fitted with the best security protocols is number one on our agenda.
Continuous Global Collaboration
Well-functioning global corporations require constant collaboration. Smartphones, tablets, instant messaging, and other cloud-based tools have made collaborating a lot easier, but they have also eroded the traditional perimeter of the organization, which brings an increased risk of malware, phishing attacks, and other cyber threats. As I work with our CIOs, we must constantly balance the need for efficient communication against the inherent risks of the underlying technologies, as well as the human element of people using multiple technologies.
The link between technology, employees, and users is critical to the CIO/CISO partnership. Looking at the 2016 Verizon Data Breach Investigations Report, we see that “cyber criminals are exploiting humans as the weakest link,” and it’s the combined responsibility of the CIO and CISO to help customers, both internal and external, to think and act securely. We do this through continual education, testing, secure development practices, strong authentication and authorization frameworks, and security-enabling technologies. Our product development teams, as well as our internal IT teams, constantly revise and refine our technical tool set to enable individuals to collaborate safely.
Beyond Prevention to Preparedness
Data breaches and cyber attacks aren’t just happening to other companies. They are real, constant threats to every company, brand, and bottom line. It’s no longer “if,” but “when” your company’s data might be breached (either on your premises or a vendor’s), and how you’ll react. Over the last few years, CSC has been proactively investing in how we respond, and evaluating the tools we’d require in the event of an incident.
Having good technology in place and continual employee education are important, but you also need an effective incident response plan. Only after you’ve created and tested an incident response plan do you truly see how well security, IT, marketing, and legal work together in the event of an incident. Who will be in charge of each piece of the response puzzle? How will evidence be preserved? How will you communicate with your customers (both internally and externally)?
These questions should be decided, planned, and exercised on a regular basis to ensure you are ready. Inevitably, when you go through this exercise, you’ll find issues with your design or plans that can be improved to further reduce the risk of having the incident in the first place.
Effective Partnership through Aligned Goals
What we can do to thwart cyber crime is work as a team to identify and reduce risk to an acceptable level based on the needs of a particular business. The CIO and CISO can align goals and identify risks in advance of any new rollout. Once it’s understood what data needs protecting, and where it goes, the CISO can provide a catalog of sanctioned services—providing boundaries and approved tools to let the business move with agility to react to the changing market. Alternatively, if all the CISO says is “no,” the business will find an insecure way around that. Like my favorite quote from Jurassic Park—“Life … finds a way.” And being constantly at odds with the technologies users want to implement—that they use in their everyday lives—also inhibits your competitive edge. It’s the job of the CIO and CISO partnership to find the appropriate way to get to “yes.”
I focus on mitigating the risk with solutions that don’t interrupt the innovation or workflow. For example, I take part in evaluating vendor contracts and processes to ensure they have the appropriate security controls to fit into our sanctioned services, creating another essential partnership for the security of our company and customers. Once you have approved your vendors and set your standard for cloud usage, you can work diligently with those partners to continuously assess your shared security responsibilities.
A good example of information sharing and partnership would be our implementation of two-factor authentication. Given the intrinsic issues with usernames and passwords, we have implemented a ubiquitous two-factor solution for our employees. We focused on finding a non-obtrusive, yet effective solution that would meet our security needs. Given the success of that rollout, we partnered with the business line CIO to implement that same solution in our product to secure our customers’ accounts. Sharing our experience and knowledge of the product gave us a significant head start, and brought to life a very important client-facing technology with very low risk and quick time to market.
The Cloud Conundrum
Companies are innovating daily—just think of the Internet of Things (IoT). There is now a vast number of devices with varying levels of security in their design, including smart TVs, thermostats, refrigerators, and many more—all of which must be reviewed for risk. As these devices don’t live within the typical perimeter of an organization, their security must stand on its own—and mostly lives in the cloud.
Before cloud computing, CIOs could believe the illusion that if we secured our perimeters with a good defense-in-depth strategy, we were safe. We bought products, worked to secure the perimeter, and put only a secondary focus on driving security into development practices, segmenting networks, and incident response. But we can no longer live in that illusion. The perimeter is gone.
In today’s world, your users may never come onto your network—they can get everything their systems need from cloud resources. The cloud is a reality in nearly every organization, and it forces us to design for security across all layers. Even those who think they aren’t in the cloud are, to some extent. Call it “shadow IT,” or unsanctioned usage; it exists. The cloud will continue to grow as part of your infrastructure. It’s an enabling technology for innovation. It reduces the support costs of previously self-hosted applications by forcing vendors to run the software that they wrote. It can free the CIO from worrying about commodity work to focus on delivering business value. We work to advise the CIO on best practices and proper vendor selection for continued security and availability in order to obtain this increased agility.
Only through this partnership, with everyone’s attention on the security imperative, can both the CIO and CISO look forward to long-term, successful careers delivering effective business solutions in a timely manner for the business.
At CSC, this teamwork comes naturally to us. Our company purpose has always had a customer service focus, and that bleeds into our internal structure, driving us to work together towards a common goal. This has allowed us to move faster and deliver better service than our counterparts. Through partnership, we have been able to innovate in ways other companies have not yet.