Best Practices For Thriving In An Ambiguous World

From Our May 2020 Cyber Security Digital Summit



Seth Adler
05/25/2020

Christine Vanderpool is the VP of IT security and the chief information security officer for Florida Crystals Corporation and ASR Group, which sources the majority of the world’s sugarcane. Christine has been at Florida Crystals for almost two years. When she started, there was no defined cyber security strategy, so she created one from the ground up. Now, as COVID-19-related phishing and hacking schemes are on the rise, Christine offers sound advice on creating a solid cyber security infrastructure.
 

More Than The Basics

Most companies have some form of security measures in place. Application security, email security, and general antivirus programs are the low-hanging fruit of cyber security, but it isn’t enough to keep an enterprise free from vulnerabilities. Fortunately, current frameworks exist that work as a jumping-off point for a cyber security strategy. There is no need to reinvent the wheel when baseline options exist.
 
Christine makes an apt comparison between cyber security frameworks and school textbooks by saying, “When you think back to when you were in school and you had a textbook, you didn't just dive right into page one. The first thing you always did when you got a textbook was look at the table of contents. I think that's really what a framework does. It gives you that table of contents for your program.”
 
Christine aligned Florida Crystals’ cyber security loosely to NIST because of the five parts of the cyber lifecycle—identify, protect, detect, respond, recover—and its approach toward cyber attacks. Another advantage to the framework that its set of core principles are universal. Pitching the strategy to executives is more effective when the message is one they can understand.
 

The Five Parts of NIST

  1. Identifty – speaks to an organization’s ability to identify areas of threats. For example, GRC, policies & procedures, and vendors. Especially in a world where companies are benefitting from vendor and SaaS solutions, these tools and relationships must be carefully vetted and understood.
  2. Protect – One threats are ientified, basic application security promotes protection. Examples include identity and access management, network security, email security, and endpoint security. Anywhere something could sneak in through your people, processes, data, or machines, needs protected.
  3. Detect – Detecting threats early on is imperative in the effort to quarantine and shut it down before it spreads. SIEMs and MSSPs come into play here, spotting anomalities and indidcators of compromise.
  4. Respond – Responding to an incident entails containing it, communicating about it, and analyzing information surrounding the event.
  5. Recover – Naturally, incidents do occur. When they do, a recovery plan ensures that an enterprise is back up and running as fast as possible and works to make improvements to cyber security so the same thing doesn’t happen again.

Telling A Story

Christine walks through an effective strategy to get the C-suite on board with what quite possibly is a large dollar spend. She stresses the importance of telling a story beyond how much money it’s going to cost and what it’s going to do. One strategy is to use analogies. “When I'm talking to executives who don't understand cyber security and they don't understand cyber attacks, I like to relate it to a home invasion. I think it's really easy for a lot of people to understand a home invasion, even if they don't understand a cyber invasion.” She walks through each phase of a cyber security breach and matches it up with its home invasion counterpart. For example, she compares the way spear phishers case its victims to the way robbers case a house.
 
When the cyber security framework matches up with an apt analogy and there is a solution and a plan in place that also fits the analogy, it strikes at the core of the importance of cyber security and unshrouds the mystery behind cyber crimes.
 

IT As Part Of The Team

Next, Christine makes the point that IT is a service industry. IT’s customers are internal, sure, but it is still IT’s duty to provide good customer service. The point of this slight mentality shift is to keep the “people” part of a cyber security framework front and center. Christine bridges the gap between IT and the business as a whole with three service pillars: GRC; identity and access management; and threat intelligence, vulnerability management, the SIM and the MSSP. Once these frameworks are in place, it’s easier to test against them.
 
“It's really important, for a team to be successful, you've got to have good score carding metrics and reporting. If you can't grade yourself, how do you know you're getting better, right? It's really important to figure out how to grade yourself; how to monitor what you're doing to make sure that you're always making progress and you're always improving.”
 

Wrapping Up

Christine closes by summarizing her main points and adding in the importance of securing and protecting digital assets while enabling services through collaborative partnerships. To the cyber security team, she offers this: “If you don't understand what it is that you're protecting, how do you know how best to protect it? Work with [other departments], really collaborate with them, and figure out ways to improve their processes. Sometimes, the best thing about security in our world is we're all about reducing the ambiguity of situations. Because ambiguity, if I can say the word, usually introduces risk.”
 

To hear Christine’s full home invasion metaphor and the post-presentation Q&A, please go to the Cyber Security Digital Summit page, register, and then follow the link sent to your inbox.

RECOMMENDED