Keeping The Line Of Trust Between Humans And Tech
Protecting your assets by strengthening cyber security awareness
The Chief Information Security Officer (CISO) Exchange is a flagship event bringing together the most innovative and insightful technology leaders across industries for in-depth discussions and exchanges of experience and ideas to address the emerging landscape of digital business in a digital economy.
Taking place March 24-26 at the InterContinental in San Diego, California, this year’s theme was “Empowering A Circle of Trust: Consistent and Collaborative Security from Inception.”
Here, Cyber Security Hub caught up with American Solutions for Business VP of Technology Mike Pfeiffer to find out what keeps him up at night, which initiatives he's focused on this year, and what tips he has for his peers.
Vice President of Technology
American Solutions for Business
Mike Pfeiffer holds a degree in Computer Information Systems from DeVry Institute of Technology in Kansas City, Missouri. He has over 25 years of IT experience, having served at a data and marketing solutions vendor, a consumer packaged goods company and a trade management solutions provider. As VP of Information Technology, Pfeiffer leads a team of 35 individuals to manage American's infrastructure, including its PeopleSoft system and e-commerce technology. He joined the ASB Leadership Team in 2012.
CS HUB: When it comes to protecting your network, what keeps you up at night?
PFEIFFER: I would say the human component. We spend a lot of time working on cyber awareness and making sure our people know what a threat is and what might be a threat because inherently, they want to do the right thing, they just don’t necessarily know right from wrong. I don’t like the ethics of phishing your own employees — that breaks the line of trust. If we find there are certain issues with people, we do individual training to give them the awareness. I don’t think taking the internet away for a week [as some of the speakers mentioned they do] is the right approach.
We use Mimecast and Sophos for our endpoint protection. Between those two players we gain a lot of share on the protection level. The other thing I do that’s different is I extend the protection umbrella to employees’ home systems because if you’re practicing bad practices at home it doesn’t get cleared up at work. People regularly bring work home. So we extend that to their home computers, and we’ll recommend Sophos home premium, and if someone has an issue paying for it we’ll pay for it. It’s protecting our assets. If you have open Wi-Fi at home that’s been hit with malware, I don’t want that traffic on my network.
It’s more of a holistic approach to fighting the good fight together. Mimecast shows us our bad clicks and [we also do] sandboxing. When we started out, one in 235 clicks was on a bad site. Last month it was up to one in 700, so there’s been an almost three-times improvement through monthly awareness training.
CS HUB: Have you recently started adding any AI-embedded products to your organization’s security arsenal?
PFEIFFER: I’m a huge AI skeptic. I played video games and beat the hell out of them and don’t believe AI is a panacea for anything right now. It’s headed in the right direction, but I don’t think it’s evolved enough yet. To me it’s all marketing right now.
CS HUB: What are your best practices for ensuring visibility when your data resides in multiple and/or hybrid clouds as well as for classifying all connected devices?
PFEIFFER: One of the things is we’re GDPR compliant and [with our use of] cloud, we try to ensure our data stays resident in the U.S. Sophos secures our endpoints completely so no one can plug something into their computer without checking with the help desk. That helps with the proliferation of devices. We use [Cisco] Meraki cloud and tools to routinely monitor our network for large transfers of data going back and forth, from the size of the data to which emails are sending data to which other emails.
CS HUB: What’s on tap for this year?
PFEIFFER: Completing multifactor authentication. We’re using Microsoft Office 365, which has cloud-based multifactor authentication and by the end of the year it will be 100% complete so that every employee will have multifactor authentication turned on for their ID. To log into email they’ll have to enter a password and then they’re sent a code.
I think that is in and of itself way more effective than password cracking and strengthening. Somehow downloading passwords and cracking them — I would question the efficacy of doing that. I think passwords in the next five years will go away completely and will roll over to multifactor authentication, which is the start of the wave of identity-based authentication.
Just changing our password requirement from eight to 10 characters was a massive improvement for the triad of risk — meaning what I consider to be the three riskiest plays in security whether [it involves] a person or a company. That is your work email, personal email and LastPass, or any password manager. Those are three things you have to multifactor and make super secure. If you secure those three things you’ll protect 99 percent of your issues.
CS HUB: When it comes to being proactive about security, what’s the one piece of advice you’d give your peers that you think is not practiced enough?
PFEIFFER: The URL protection with Mimecast is huge. That way I know there are no unprotected clicks in my environment because it will go through [Mimecast] first. That’s been one of the game changers for us.