John Pescatore of SANS Institute on Essential Steps to Take
March 11, 2019
CISOs need to work with partners in other departments to help ensure the success of major security projects, says John Pescatore, a director at the SANS Institute, which offers cybersecurity training and certifications.
In a presentation at the RSA Conference 2019 in San Francisco, Pescatore offered a good example of how this works.
When the security team at health insurer Aetna was looking for ways to ensure the success of its efforts to implement the Domain-based Message Authentication, Reporting and Conformance, or DMARC, for email delivery and authentication, it collaborated with the chief marketing officer to gain buy-in.
The security team showed the CMO that DMARC would not interfere with the company's marketing plans and email blasts to customers. Once the DMARC protocol was implemented, it actually improved email campaign click-through rates, apparently because customers knew they could open the emails without fear of phishing or spoofing, Pescatore explained.
More Work to Do
More and more CISOs are buying into the strategy of involving members of the C Suite as well as other leaders in key projects, Pescatore said.
For instance, CISOs at power plants and other large manufacturing facilities are working with COOs to show how business results are affected when systems are offline due to a ransomware attack or another type of cyberattack, clearly demonstrating why there's a need for better security to improve reliability and resistance in the face of an interruption.
In his presentation, Pescatore offered four examples of how CISOs can work with the C-suite:
1. Convince the CIO that security can enable IT cost reduction. For instance, restricting employees' permissions to download applications can make PCs and other equipment more secure by reducing malware downloads, while also cutting down on help desk time.
2. Inform the COO that reducing downtime by adding security can have a positive return on investment. This relates back to the example of better protection against malware and ransomware within power plant facilities.
3. Show the CMO that improved privacy can help increase click-through rates in email marketing campaigns.
4. Demonstrate to the head of human resources that offering data security training to existing staff members, so they can take on new roles, can save money because recruiting and retaining security professionals is so difficult.
When CISOs want to add strong authentication and encryption to enterprise projects to improve overall security hygiene, Pescatore added, they should first demonstrate to the members of the C-suite how those steps can help the business and improve ROI.
DevOps
Another area where CISOs face challenges and must collaborate with others is building security into the DevOps process.
One of the challenges with creating a good DevSecOps strategy, for example, is that security can sometimes slow down the application development process. The security team may not understand the goals of the development team and may lack the skills to keep up with the rapid pace of application development, Pescatore explained.
"So the slowdown is really two things," Pescatore told me after his presentation. "The first is not understanding how the business works. It's about saying no to everything when sometimes there's no risk that anyone will care about. The second is skills - the security team might not be up to the task of going as fast as the other side."
Monitoring Third Parties
For some projects, CISOs must work with other departments to make sure the software they want to use meets security requirements.
CISOs should use security scorecards and other tools to help rate the software, carefully assessing the risks that it might pose to the company, Pescatore suggested.
He pointed out that Boeing made nearly 1,000 third-party software providers that it used as part of its supply chain undergo an authentication process to ensure security. Nearly 700 were able to complete the task immediately - it was all a matter of asking.
"When it comes to the players we are not used to dealing with, and we don't have the right checks in place, what should we do?" Pescatore asked. "You need to create those standard approaches in order to make it work."