If a theme emerged in the National Technology Security Coalition’s (NTSC) recent conversation with Aric K. Perminter, Chairman and Founder of Lynx Technology Partners, it’s that CISOs are seeking services and solutions that enable simplification, automation, and integration of strategic, operational, and IT risk management processes and data. As a security visionary and leader, Perminter guided Lynx Technology Partners through its founding in 2009 into a multimillion-dollar information security and risk management company. As chairman of the Board of Directors, Perminter is responsible for formulating and executing long-term strategies and interacting with clients, employees, and other stakeholders. During his 25-year career, Perminter has held a wide variety of leadership positions across key parts of information technology businesses—including serving as Lynx’s CEO through August 2015.
In this interview with the NTSC, Perminter talks about how CISOs should approach governance, why compliance is an essential part of information security, and a set of best practices that CISOs can apply to grow diverse teams.
Businesses of all sizes face the risk of insider threats. The entire C-suite, not only the CISO, recognizes in the real world that an insider threat is simply a threat coming from people within or closely related to an organization. Regardless of how or why the threat is introduced to your environment, the potential damage can be catastrophic. For example, take the story of the Georgia-Pacific sysadmin who was laid off in 2014. After he was terminated, his user credentials and VPN access were never revoked. Unhappy with being let go, the sysadmin logged on remotely and began causing trouble with the paper manufacturer’s operations at the Louisiana plant. For two weeks, he had his way with the factory and caused more than $1.1 million in damage due to work stoppages and waste.
Recent studies have revealed that insider threats, including those posed by workers making unintentional mistakes or failing to follow standard security protocols, are the cause of 60–75 percent of all workplace data breaches. Yet these threats can be even more difficult to catch, and stop, than an external attack. After all, insiders are supposed to be there. So what do you do? At a high level, you must:
I think most will agree that any business, regardless of size, can benefit from following these simple steps.
My definition of cybersecurity governance is “the way rules, norms, and actions are structured, sustained, regulated, and held accountable.” It isn’t natural for humans to want to be held accountable. We’re all hidden free spirits in a way. For instance, if you ask most people if they are secure, the question strikes fear and dread into their heart. Their initial gut reaction is to respond, “Well, that’s a complicated question.” The reason it’s complicated is because security is never really “done.” If that’s true, cybersecurity governance and the need for people to be held accountable isn’t going away. It’s the bully that never lets you walk home in peace.
Based on my discussions with multiple CISOs, I believe that shifting from Governance, Risk and Compliance (GRC) to an Integrated Risk Management (IRM) model will help streamline communications across IT, security, risk, and executive leadership since it enables simplification, automation, and integration of strategic, operational, and IT risk management processes and data. CISOs recognize the need to go beyond traditional compliance-driven GRC technology solutions to provide actionable insights aligned with business strategies, not just regulatory mandates. In my humble opinion, those who can deliver a vertically integrated view of risk starting with their organization’s strategy through its business operations and ultimately into the enabling technology assets will be most successful.
There’s an old saying that compliance does not equal security, and I couldn’t agree more. Compliance is a massive time suck on a CISO’s resources, which is very frustrating because it impedes their ability to demonstrate tangible value in a short period. CISOs prefer a risk-based, data-centric approach to security compliance activities. Hence, the shift from GRC to IRM referenced earlier. Not to beat the IRM drum per se, but IRM helps identify redundancies and inefficiencies in organizational compliance and security, allowing CISOs to eliminate processes that add no value, allocate funds and human resources more effectively, improve compliance and security functions on all levels, and free up employees to work on projects that further their companies’ goals.
As an ever-increasing number of Americans are referring to GDPR as a model, not many appear to comprehend what GDPR requests. The ambiguity leaves individuals more, not less, confounded regarding what GDPR includes and, maybe not circumstantially, enables organizations to falsely guarantee they are giving GDPR-like assurances.
I am optimistic about the US examining privacy in ways that parallel GDPR. In fact, states already enforce data breach notification statutes which, in my opinion, are the nearest resemblance in the US to extensive data privacy regulation. For the most part, these rules require a company to tell the impacted people in an incident that it endured a data breach resulting in the loss of Personally Identifiable Information (PII).
During an event last week, I exchanged contact details with a recent cybersecurity college graduate who logged into LinkedIn from a “secure” browser on his mobile phone. I asked, “Why have you not downloaded the app?” He replied, “I do not download any apps on my phone to avoid unknowingly granting access to my private information.” Initially, I thought his decision was overkill, but after giving it some more thought I gained a greater appreciation for the due care he took with his sensitive information. So, while I remain optimistic about the US seriously examining privacy, I’m equally concerned with the impact our approach to privacy will have on businesses and individuals.
Cyber ranges provide a relevant, integrated environment for demonstration, training, exercising, tool development, and testing a full spectrum of cyber capabilities. Recently, I was talking to a CISO at a large healthcare organization about the retention of his team. I asked him, “Do you have much staff turnover?” He said, “Not really. Everyone is excited about the work we do. Our biggest concern is that, because things are going so well, my team isn’t getting enough experience fighting the fight.” Cyber ranges bring practitioners into the fight, help keep them sharp, and ensure they retain the skills needed to perform exceptionally well in their job.
Also, cyber ranges help with security technology capabilities. Think about how much time and money teams spend evaluating different technologies only to purchase them and ultimately learn the solution didn’t mitigate the intended risk. A cyber range enables teams to jumpstart how they will manage the technology and make the best decision for the organization. It’s not just an education or skills resource. For the CISO, a cyber range allows the testing of technologies in as close to a real-world scenario as possible before investing in cybersecurity technology.
CISOs must provide clear and measurable cybersecurity career paths if they intend to attract top talent. A few things they can do to grow a more diverse workforce include: