Attitudes About Security Need To Change
CISO Exchange West day 2 recap and attendee takeaways
When bringing cyber security tools into your environment, don’t get lulled into thinking you’ve done your due diligence, because that’s not enough. That was the message Albertsons-Safeway CISO John Kirkwood had for attendees at CISO Exchange West last week in San Diego.
“You can’t just focus on what’s in your physical environment,” Kirkwood warned. “If anyone thinks you have a meaningful perimeter you need to wake up,” because organizations often don’t have visibility into what third-party providers and partners have access to.
Speaking on the topic “Proactive Approaches to Security with Evolving Technology and Emerging Threats,” Kirkwood opened with a few startling statistics, among them a prediction that by 2021 more than 70% of all cryptocurrency transactions annually will be for illegal activity.
Another stat he cited was that cyber losses are expected to be $6 trillion by 2021.
A New Approach To Cyber Security Needed
With the diversity of operating systems and platforms in use today, as well as the advent of AI and machine learning, now is the time for new rules, Kirkwood said. At Albertsons-Safeway they have a tool rationalization process, he said, and rely on the SANS Institute’s 20 critical security controls. If a tool meets those criteria they keep it, but his organization has gotten rid of quite a few tools that don’t, he added.
On the first day of the conference, Kirkwood had asked Vaughn Hazen, director of IT security and CISO of Freeport-McMoRan, which was most important to have: people, processes or technology? Hazen replied that he couldn’t choose. Kirkwood was more definitive, telling the audience: “People are foundational. That’s a shift I see going on. I no longer try to see the ‘expert du jour’ who is the penultimate in security or DevOps or AI or integration or SOAR (SSI/SSDI Outreach, Access and Recovery).” Instead, Kirkwood said, “I try to find someone who really understands you have to think of security in an interesting way.”
His security team relies on an MSSP “because we don’t have all the expertise. We may not know how to assess an Azure environment, so we ask questions and then we retain some of the expertise. I think it’s great to use people resources that way.”
Kirkwood also uses interns because it’s important to train people, and “personally, I make sure we continue the industry. We all need to replicate ourselves.”
As important as people are, however, “I live by process. I cling to process,” Kirkwood noted. “If I had to choose between tech and people, I’d choose process first,” followed by people and then technology.
Antivirus software and firewalls “are past their lifecycle,” he said, and “passwords have gone bye-bye.” Albertsons-Safeway is implementing second-factor authentication, he said.
“Process is also important because you’re dealing with third parties and they’re responsible for how meaningful your compliance is,” he said. “I’m very concerned about being able to demonstrate the efficacy of my controls — and concerned that our providers and cloud providers are not going to live by our rules.”
Many companies forget about processes when they implement systems, he observed.
Kirkwood added culture as the fourth rule and said this is something organizations need to be mindful of. “As your culture changes, as your requirements and innovation change, you need to be able to manage the attack surface,” he said.
The “new reality concepts” he left attendees with were that attack is easier than defense; software will continue to be written poorly; attacks will continue to scale for connected devices; and that the “only hope may be security by design. [The] key is agility, survivability and recoverability.”
CISOs And GDPR: Privacy Should Be Emphasized Everywhere
Attendees also heard from Kevin Kiley, vice president of OneTrust, a provider of privacy management software, on “A CISO’s guide to the GDPR and California CPA.” The California Consumer Privacy Act is going into effect at the end of the year.
“Privacy is a very human issue, as opposed to focusing on technical controls,’’ Kiley said. It’s up to an individual to determine how to handle information your customers are turning over to you.
Echoing Kirkwood, he asked, “Your security may be bulletproof, but are your vendors? And their vendors?”
He also stressed that “GDPR is not a flash in the pan,” and although a lot of emphasis is being placed on the privacy law California is enacting, privacy laws will be cropping up in many more states.
A couple of years ago, privacy was the domain of legal departments, but now operations teams are a lot more involved, he said. “Build privacy champions across the organization who can report back and act as your mouthpiece and share what needs to happen and build awareness,” Kiley advised. “There are many ways you can align privacy with existing business processes. This is something regulators will want to see.”
He also suggested CISOs expand their privacy teams, and he gave the audience 10 steps for how to do this. Among Kiley’s recommendations were to do a gap analysis and look at what information is being collected. It’s also important to build out a record of processing activities and to build into vendor contracts language about how data is being hosted and shared and where it is going. This should be part of the onboarding process in requests for proposals, Kiley said.
Organizations should also overhaul their consent notices to ensure they are transparent on what information they are collecting on people when they walk into your store or go to your website. They should also monitor and update web properties and do ongoing training.
Takeaways, Advice From Attendees
The tips from Kiley and Kirkwood resonated with attendee Laura Cummins, corporate privacy and security officer at Baptist Memorial Health Care Corp., the largest not-for-profit organization in the Mid-South.
Her biggest challenge, she said, is the number of users “who are still naïve related to their accessing the internet and their use of email.”
She said they’ve had employees who have been hit with ransomware “and then they’ll get out their credit card and pay” for the return of their information. “Or they won’t notify IT,” Cummins said.
Although Baptist Memorial uses detection tools and officials conduct training, she said she needs to work on changing the culture so that training can be done monthly rather than every quarter. One of the discussions at the Exchange was the use of punitive measures for people who, even after training, are repeat offenders at clicking on suspect emails.
Cummins said that isn’t something they practice since “we’re all humans and going to make mistakes.”
One of the takeaways she got from the conference is that domains can be spoofed, and people often aren’t trained to look at the whole URL in an email because spoofed domains can so closely resemble your organization’s URL.
Mike Novak, vice president and CIO of global hospitality company Hakkasan Group, was a panelist for a session on “True Security Partnerships – Speaking the Language of Business and Technology.”
As much as IT does awareness training on phishing, Novak said it’s important to deliver “common sense” information. For example, people in HR think the emails they send back and forth with Excel spreadsheets are secure, but email should not be used to transmit confidential information. At Hakkasan, they have a different platform for that, said Novak, adding that he also wears the CISO hat.
Echoing what so many others said at the Exchange, Novak said his biggest headache is that despite all the education and technology, they still have employees who get phished. If he had his druthers, Novak said he would implement security-based technology for better reporting and analytics.
“My network is turning more into a utility and … we’re building a network to protect endpoints, since traffic is much more open now and people need full access,” he said.
His best practice for ensuring visibility of their data is to have a centralized, hybrid environment. And when it comes to being proactive about security, Novak’s advice is to build and test your incident response plan.
“How we respond to incidents can change the outcome. Do not speculate on what you think it is,” he stressed. “Get the facts, diagnose, contain, recover and document and report. Too many times hypotheses inflate emotions. The more you test, the faster you recover.”