CSO Talks Pyramid-Shaped Risk Framework, Cyber ‘Agility’
'TF7 Radio' Guest Tom Pageler Talks Certs, Risks
From inherent risk to certifications and cyber investment, the June 25 episode of “Task Force 7 Radio” had it all.
Information security executive and show host George Rettas began the program with a talk on institutional investment in cyber security, and ultimately competition between newer figures in the space. He then dedicated much of the show to risk mitigation, with BitGo Chief Security Officer and frequent “TF7 Radio” guest, Tom Pageler.
Rettas said that investments have been “pouring into” established companies at an “astounding rate.” He cited three companies, Cylance, Carbon Black and CrowdStrike, which have raised $800 million in funding between them.
Rettas said Carbon Black, which had an initial public offering (IPO) in May, is in “unicorn” territory, meaning it is among a group of companies with values that exceed $1 billion.
He also cited $100 million in revenue from Cylance, a 177% increase year over year. “(These are) mammoth companies battling it out in the cyber security version of an avatar cage match,” Rettas opined.
In the show’s next segment, Pageler discussed balancing risk and implementing a risk-based approach in the enterprise.
On the combination of the Chief Risk Officer (CRO) and Chief Security Officer (CSO), Pageler said “it appeals internally and externally, including with all of the stakeholders. (That’s because it’s saying) you understand risks, you know you have multiple risks and limited resources, and you go after the top risks.” Then, as the security head, you take necessary steps to secure the organization.
On the risk-based approach to security, Pageler said, “Cyber security, and IT, is growing every day. Devices are going online, processes are becoming automated… (We’re seeing this) more and more every day. The risk-based approach is a great way to get a playbook together.”
The guest said that the playbook starts with asset identification and an inventory of the resources available to mitigate risk. From there, he added, you can pick a specific target and mitigate threats in that area. He compared the process to sports, where teams have certain strengths and build their rosters and playbooks accordingly.
In understanding the organization’s adversary, Pageler underscored the importance of having a clear risk framework (with internal controls, fraud deterrents and standardized likelihoods, etc.).
In prioritizing risks to the business, Pageler endorsed a register that is visible and populated and can help identify, classify and reduce risks. Pageler also said that convening a risk or security council could prove helpful – especially for purposes of risk management, ownership and mitigation.
Members of finance or those with budgetary control can and should be on the council, too, the “TF7 Radio” guest explained. This helps if there must be a budgetary adjustment; at this point the Chief Financial Officer (or whomever) would understand why.
Overall, it seems there still must be a change in security, or at least in the way it’s perceived. Pageler said, “We need a change as security leaders, from being people hidden in the basement, or behind closed doors. There is a (general) fear of us – that we’re going to do an internal investigation.”
Pageler likened the shift to being a Secret Service agent working and collaborating with local law enforcement. In effect, the investigatory team widens with the help from different areas. He said this must be done in the private sector, too. Pageler suggested those in the business be “deputized,” to become a part of security and help alleviate some cyber-threats.
In arranging policies and procedures – an integral part of the framework construction – Pageler said there is “a lot of work up front” and that it is not “agile and fast in the beginning.” Nevertheless, a painstaking review of policies and procedures could prove immensely helpful in the end.
Is there a true way to quantify risk – and in what way can you label return on investment (ROI)? Pageler said if, for example, you’re installing a firewall, after establishing the workload and segregation of duties between security and IT ops, the ROI comes in its functionality, and the actual cost involves the “box,” input on access and a new member of the security team.
Risks recorded in the register should also be evaluated on a monthly or quarterly basis and shared amongst executives. That helps with transparency, and even information-sharing with customers. (For that, one might say the enterprise has a “robust risk register and is transparent about its practices.”)
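The register Pageler describes (standardized likelihoods, visible ownership, classification, top-risk prioritization, and a monthly or quarterly review cadence) is easy to sketch as a data structure. The following is an added example written for this recap, not code from the show, BitGo, or Pageler; the five-point likelihood and impact scales, the rating thresholds, the 90-day review interval and the sample entries are all constructed assumptions.

```python
"""Minimal risk register: standardized likelihood/impact scales, scoring,
top-risk prioritization, mandatory ownership, and a periodic-review check.
Added example; the scales, thresholds and sample entries are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed five-point scales; a real register would publish its own definitions
# so that every team scores likelihood and impact the same way.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    risk_id: str
    asset: str                      # what is at risk (asset identification)
    threat: str                     # adversary action or failure mode
    likelihood: str                 # key into LIKELIHOOD
    impact: str                     # key into IMPACT
    owner: str                      # accountable person or council member
    controls: List[str] = field(default_factory=list)   # mitigations in place
    last_reviewed: Optional[date] = None

    def score(self) -> int:
        """Likelihood x impact on the standardized scales (1..25)."""
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: non-standard likelihood/impact value")
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        """Classify the numeric score into a rating band (constructed thresholds)."""
        s = self.score()
        if s >= 15:
            return "critical"
        if s >= 8:
            return "high"
        if s >= 4:
            return "medium"
        return "low"


class RiskRegister:
    def __init__(self, review_interval_days: int = 90):
        # Quarterly review by default; pass 30 for a monthly cadence.
        self.review_interval = timedelta(days=review_interval_days)
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        if not risk.owner:
            raise ValueError(f"{risk.risk_id}: every risk needs an owner")
        risk.score()  # reject non-standard scale values at entry time
        self._risks[risk.risk_id] = risk

    def top_risks(self, n: int = 3) -> List[Risk]:
        """Highest-scoring risks first; ties broken by id for a stable order."""
        return sorted(self._risks.values(), key=lambda r: (-r.score(), r.risk_id))[:n]

    def needing_review(self, today: date) -> List[str]:
        """Ids of entries never reviewed or older than the review interval."""
        stale = [r.risk_id for r in self._risks.values()
                 if r.last_reviewed is None or today - r.last_reviewed > self.review_interval]
        return sorted(stale)

    def summary(self) -> Dict[str, int]:
        """Counts per rating band, suitable for an executive or council report."""
        counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
        for r in self._risks.values():
            counts[r.rating()] += 1
        return counts


def build_sample_register() -> RiskRegister:
    """Constructed sample entries; none of these describe a real organization."""
    reg = RiskRegister(review_interval_days=90)
    reg.add(Risk("R-001", "customer wallet keys", "key theft via compromised admin workstation",
                 "possible", "severe", "CSO", ["HSM custody", "MFA"], date(2018, 2, 1)))
    reg.add(Risk("R-002", "payroll SaaS vendor", "vendor breach exposes employee PII",
                 "likely", "moderate", "Head of Vendor Risk", ["SOC 2 review"], date(2018, 6, 15)))
    reg.add(Risk("R-003", "office Wi-Fi", "rogue access point",
                 "unlikely", "minor", "IT Ops", ["802.1X"], None))
    reg.add(Risk("R-004", "staff mailboxes", "credential phishing",
                 "almost_certain", "major", "Security Awareness Lead",
                 ["quarterly phishing campaign", "FIDO2"], date(2018, 6, 20)))
    return reg


def run_demo(today: date = date(2018, 6, 25)) -> Dict[str, object]:
    """Produce the three views a risk council would look at each cycle."""
    reg = build_sample_register()
    return {
        "top": [(r.risk_id, r.rating(), r.score(), r.owner) for r in reg.top_risks()],
        "stale": reg.needing_review(today),
        "summary": reg.summary(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The register enforces the two things the show stresses most: every entry has an owner, and every entry is scored on the same published scale, so the "top risks" list means the same thing to finance as it does to security. The `needing_review` check is what turns a static spreadsheet into the monthly or quarterly review cadence Pageler recommends.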
Other best practices include regular red-team exercises and penetration (“pen”) testing. Pageler recommended an annual red-team exercise, and frequent pen tests and phishing campaigns.
Externally, the “TF7 Radio” guest suggested that certifications be obtained to show compliance. This helps with business growth, data security, third-party vendor risk management and brand reputation. The specific certifications, Pageler added, depend on what industry the organization resides in. It could be anything from a SOC 2 report to the NIST framework, to global ISO standards, or HIPAA requirements in the medical space.
“I think certifications are good,” Pageler added. “They provide a way to standardize and have a minimum. It’s important to show going ‘above and beyond.’”
He continued: “(You need) good hygiene to run a security program in today’s world. Fortunately, when you do that, it’s well-documented, and maps really well to what certifiers and auditors will look at.” The BitGo CSO said there is value in that “high-level exam,” but it is not the “answer.” Instead, it’s more of a “sales tool.”
Third parties, too, must be held to the same standards, Pageler said. Otherwise, the organization is “as good as the weakest link.”
“The third-party program needs to be as robust, otherwise even if you’ve put a great fortress together, you might have a wide open backdoor, with (data) being handed off to someone on a loading dock.”
The CSO rounded out his time on “TF7 Radio” with wisdom on the “shape” of the risk framework. He said it should be viewed as a “pyramid,” with good practices at the base – allowing for easy adjustments, and room to build upward.
The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.