Security Strategy & Budgeting

Are you considering or planning for any of the following certifications for your business in 1-3 years?

Top Answer : This should be a “check all that apply” type survey. We have to be CMMC compliant by April/May 2021, and we are getting our SOC 2, and working on FedRAMP.

For hospitals, what are the biggest security concerns going into 2021?

Top Answer : Security in a healthcare setting is always a top priority, from ensuring the security of the new products we deploy to ensuring the vendors we work with don’t add unnecessary risk; the list can be quite extensive. Areas that are top of mind to us are ransomware, phishing campaigns, inadvertent actions by employees, and devices being added to the network without proper authorizations. Given there are several areas of concern, our approach needs to be unified from an enterprise perspective. Security is not only an IT issue; rather, all our employees are stewards to ensure we are keeping the valuable data being stored safeguarded. The importance of security will continue to be communicated in the upcoming year. We’ve already seen reputable organizations have their data compromised, and that’s raised a few concerns throughout the IT community. Imagine the breaches that don’t make it to the newspapers; it’s a never-ending ordeal.

Do you think the SolarWinds breach will have a significant or lasting impact on how IT approaches supply chain risk management?

Top Answer : I was pulled into a wide variety of peer dialogues from the day that the SolarWinds breach discovery occurred, because of my time at Intel and stuff that I had done there in supply-chain risk. My concern, when I was Chief Security and Privacy Officer at Intel, was always a nation-state actor looking to weaponize the technology that Intel created, to do harm. I always saw information security as inextricably linked to the product security and the technology. I think the SolarWinds issue is a clear example of that linkage. I've been at odds with a number of my peers in the industry who still see them as quite separate. Now it's probably a little bit different, but many of them had InfoSec completely separated from product security and they very rarely intertwined themselves. And Intel, as I said, had this in their environment. When you think about that in firmware, BIOS, validation engineers doing that type of stuff, it brings into question some aspects of the foundation of computing. Because if they were in Intel's infrastructure, if that report was accurate, and they did have a foothold, if it was that type of nation-state actor, they would be trying to do things more surreptitiously, well below the operating system, to keep stronger footholds in other organizations. I think it's a Richter 10 type item, but I've always seen this as a Richter 10 type item. I'm just, frankly, surprised that it took this long for this type of thing, at that level of infrastructure, to be found. And I'm sure it's not the first one. I'm sure there are other ones that are there that are yet to be found.

Will SolarWinds recover from this breach?

Top Answer : Here's something to consider, and I think that we're going to see this across the supply-chain piece, because when you look at the real executive ranks, the CFO, CEO, COO, they care and they pay attention to market activity and share price. What does that look like here? We study companies. FireEye had a 10% drop after its breach and it's up 50% since then. Up 50% since before the breach. Literally, people didn't care. And you can say, "Well, FireEye did a great job..." But really, once people realized that it wasn't going to really impact the business of FireEye, they said, "Okay, we're pretty good.” You get the initial emotional sell-off and then within a few weeks, a couple of months, a couple of quarters in some cases, it's above where it was before. So when you look at it from a public company, and if you go to the theory that the board and the CEO's sole responsibility is shareholder value, the data says cybersecurity is irrelevant to shareholder value other than in a temporary fashion. And if their job is to maximize long-term shareholder value, they shouldn't care about information security. That’s one of the reasons why we have an issue in the industry. If you remember, a couple of months ago United Health Services had that big breach. It went from 110 down to 104 and it sits at 142 today. The organization that is impacted but still has not recovered from its breach is SolarWinds, and I believe that the reason why is because shareholders are actually waiting to see, "Are they going to lose customers over this?" Because once they realize they're not going to lose customers, because it's super-sticky and no CIO is going to rip out their whole network infrastructure monitoring, the shareholders won’t care.

What can security professionals do differently to better manage supply chain risk?

Top Answer : I look back in my career and when I was a finance person in '93 in Intel's IT organization, I nationalized computing. And I built a supply chain for hardware, software. Why? Because I was a finance guy. Inventory management is the only way to control cost. Well, when I circled back into security, luckily all of that was still there, because everything funneled through the purchasing processes I had built eight years earlier. It wasn't perfect, but I had 95% inventory management from the day I landed and it saved my ass. And then I pivoted from there, being a former finance and procurement guy and thinking about trust in supply-chain stuff even years ago, well before the whole third-party risk management stuff went out, I started embedding third-party risk type stuff into the purchasing and financial controls. We had the whole notion that trust would become the attack surface and the thing you trusted the most was the thing that would make you most vulnerable, which then framed how we strategically really worried about things. Hell, when everybody was adamant about encryption, I was so flipping paranoid about the use of encryption. If we mismanage the key or somebody gets those keys, we're screwed. I was worried about ransomware in 2005/2006. Just with deployment of hard disk encryption and all that other stuff, because I'm like, "You get a rogue admin, somebody owns the box, you own this..." You could literally have created the ransomware events then, without even doing malware, if you just had the right aspects to the infrastructure and shut off certain things. I don't know where it's at, at Intel these days, but as I grew in that, everybody always wanted to take it away from me and I'm like, "No, I want to be the inventory manager because it will then give me the base of things."
I still have debates with peers on that because they think of it as unglamorous, but I go, "It's such a critical dependency to the role, and if it's not being done right, take it over so that it can be done right. So that you can then execute your role." I think that the whole third-party risk management approach is like doing a SOC 2, and it isn't sufficient. You go, "Okay, I've got some basic controls and I can answer some policy questions, but it doesn't tell me that they know the risk issues and that they're managing them well." Which was why, when I was at Intel, when I was at Cylance, hell, even at Cymatic, I go have a conversation with my peers at my critical vendors that could cause me substantial harm and then potentially my customers. The lawyers and compliance team might want all those questions and stuff like that, but I want to know my peer and go, “Can I trust you?” And you're going to answer my direct questions. And if there's any wishy-washiness, then I worry. This approach also allows you to take more risks. The riskiest technology in early adopters of technology should be the security team. Why? Because we're the risk manager, so we should be the ones taking the risks ahead of everybody else so that we can figure out how to manage them before everybody else gets there. And instead, we create all these encumbrances to innovation that then cause people to go around us, which means we're actually generating risk by slowing people down. And we should be the first mover. Run to the riskiest things first. Once you're there you can sort it before other people get there. It's completely counterintuitive to our DNA, which is to be risk-averse. We should be the biggest risk takers on technology because then we actually manage risk to our organization better.