Presenter: Brian Hubbard
Please find below a transcription of the audio portion of Brian Hubbard’s A Disciplined Approach to Cybersecurity Program Management webinar being provided by MPUG for the convenience of our members. You may wish to use this transcript for the purposes of self-paced learning, searching for specific information, and/or performing a quick review of webinar content. There may be exclusions, such as those steps included in product demonstrations. You may watch the live recording of this webinar at your convenience.
[BH]- Thanks for having me and good afternoon. Again, my name is Brian Hubbard and I’m with Edwards Performance Solutions. I’d like to talk today about our approach and what we, how we like to approach developing this cybersecurity program for organizations and businesses. You know, key this, and why do we say disciplined approach, oftentimes cybersecurity isn’t treated as a true business program or a business issue and from a project management, program management perspective, is often not very disciplined in how it’s carried about. As a result, it often becomes a cost center or a cost to the company as opposed to a potential opportunity to increase the business revenue—so that’s where we want to focus our attention.
So just to start things off, if I can get my screen to move.
Why Should I Care About Cybersecurity?
[BH]- Why should you care about your cybersecurity program—it really boils down to:
There’s threats that impact every business regardless of your size, regardless of the revenue structure, regardless of what your product is or what your services are. It really doesn’t matter. You have threats coming at you from criminals, people that are just looking to take money, steal things from you, steal intellectual property, steal your finances through ransomware or what-have-you. Insiders, there’s a number of threats there with respect to disgruntled employees, with people that are maybe leaving the company and taking things with them that would be critical to your business. Also, accidental issues. For example, somebody gets an email, clicks on a link and doesn’t intend to have harm done to the company but actually creates harm. So that individual performance and individual education inside the firm is a big issue. Hacktivists, if you’re in a company that has interest to—folks out there that may make political statements or just make some kind of a point, they may come at you from that perspective. Nation States, so intellectual property stealing is common in many other countries and a lot of that is in the news so nation states are often a threat as well.
Again, it’s regardless of size and regardless of what your business is. In fact, the threats may not even be interested in your business at all. They may just be interested in your customers. If you look back at well-known attacks like the Target attack, that was not an attack directly on Target, it was an attack on their HVAC vendor, who was then used as a channel through to Target. So the HVAC vendor thought, “Well I’m not a target. I’m not a hacker target. I’m just a vendor of a small company,” and had no idea that they were a threat to Target themselves.
All systems are susceptible to exploitation regardless of what you have in lockdown. You have to continuously understand what’s going on in those systems and monitor those changes, any changes to the configurations, and understand how those systems might be exploited and what new vulnerabilities may exist or what unknown vulnerabilities may exist that may impact you over time.
Data and System Breaches are costly and it’s not just a one-time cost. It’s a continuing cost and often, if you have sensitive data like Personal Identifiable Identification (known as PII), you would have potential costs associated with that as well. It could cost your business and if you’re a small business, it can be devastating and take your business down.
Bottom line is your business IS at risk and therefore a cybersecurity program is important to your overall needs.
Why Do I Need a Cybersecurity Program?
[BH]- Just to continue on with that theme, why do I need a cybersecurity program? Great, cybersecurity is important but why a program:
Cybersecurity needs to be a critical part of your business strategy. Cybersecurity, if treated as a—just a function, just some other piece of IT, is not necessarily going to achieve anything other than cost your company money. You can’t decide, “Hey I’m gonna lock down these computer systems, make them really tight and really secure,” if what that does is basically cause your business function not to be able to operate. If you have a business process that is ongoing, you need to find a way to facilitate that. It needs to be a part of that overall strategy. You need to know how to do that for your business process but you need to understand how to do it securely and how to actually facilitate how cybersecurity can facilitate getting that job done in a way that won’t, ultimately, in the back end, eat away all your profits through fines and theft and that sort of thing.
Just to dispel a few myths about cybersecurity, we often hear things like “My business is too small, I’m not a target.” That’s not true. Like I mentioned, you may be a conduit to larger clients or, you know, small businesses are often viewed by hackers and criminals as low-hanging fruit. Go after the small businesses because they are probably not well protected. The concept of “I’m too small for anybody to care about” is very much a myth. In fact, even individuals in their home use are susceptible and, let’s say, a ransomware attack that is launched on general population—you’re a home user and you get all your pictures locked up.
You might pay some Bitcoin, right? You might be willing to pay fifty or sixty dollars or a hundred dollars to get all those things back cause it’s a lot cheaper than losing all of those photos. If a hacker successfully does that—not a hacker, there’s no hackers, there’s just attackers who are criminals—but if a criminal succeeds in getting, let’s say they launch an attack on millions of people at once and let’s say a hundred people come back with a hundred dollar ransom pay. That’s a pretty hefty payday, right, for a single attack that didn’t really cost them anything to launch. So yeah, individuals are targets and small businesses are targets. Definitely a myth.
“Cybersecurity is an IT Problem!” I’m telling you that most of the problems that occur in an organization from a cyber, in a data leakage perspective, they don’t happen because of a technology problem. Again, the low-hanging fruit for criminals and the folks that would attack your system are the individuals. Making people, tricking people through social engineering to understand what somebody might be susceptible to—sending an email that would say, “Hey, here’s a new invoice for you. Click on it and please pay me as soon as possible,” you know, a junior level accountant might click on that immediately just to see what it is and launch the attack into the environment. It’s really a people problem. It’s a business problem. It’s not an IT problem. It is partially IT in the solution set but it’s not an IT problem. It shouldn’t be dismissed from a cybersecurity program. It needs to be elevated up to a business risk issue that the businesses worry about.
Another often heard statement is “I outsource my IT to a cloud provider so I don’t really need to worry about it.” That’s not true. If you think about that statement, if a cybersecurity attack happens and your systems are attacked, is an outsourced IT provider the one that’s going to go out of business? Well maybe, but he’s gonna take you with him. It’s really still your problem. You’re still the custodian of the data that your customers are bringing in or that your, the IP that may be out there on those systems. You really need to be concerned about that as well.
“I bought an insurance policy, so problem solved! I’m good to go. We don’t have to worry about fines anymore because my insurance policy covers it.” Well that’s great, but you’re still out of business. Right? The fact that you have cyber insurance is a critical piece of critical risk mitigation for your business. However, it’s not the end-all, be-all, right. You can’t just rely on cyber insurance to cover everything that you’re doing. In fact, if you’re not doing basic cybersecurity practices and doing good cybersecurity hygiene, your cyber liability policies may not even be valid. They may not cover you.
Another one is “Hey, we can handle the problem when it occurs. I don’t need to worry about it right now. I don’t need to put any plans in place. A cybersecurity program is just gonna cost me money.” Well that’s great but if you’re worrying about the problem after it occurs or if you even know it occurred and your business is hacked, it’s a little late to be thinking about it. If you don’t plan ahead and have a cybersecurity program that can take care of it, your business is going to be damaged ultimately. Ok and I’ve lost my cursor. Ah, there we go.
“I’m not a regulated business, so I don’t need to worry about it.” Regardless of whether or not you’re a, say a health care organization that has to worry about HIPAA or whether you’re a banking organization that has to worry about all the various regulations in banking or a governmental contractor or a governmental business that has various regulations associated with that—you still need to have focus on a cybersecurity program because regardless of the regulation of your business, it’s really about your business and protecting your business and having a program in place that facilitates your business thriving.
And again, if I have this whole silver bullet concept. “I can buy the right technology and fix this issue and not have to worry about it after that.” I’ve mentioned that people are, and I believe the studies have shown that 60 to 70 percent of the data breaches over time have been human error as opposed to a technology problem. Technology isn’t the only solution. It’s a piece of the pie and really, a cybersecurity program needs to focus on the people, processes and technology. Not just the technology.
There. Myth busted. So, a little fun graphic.
What Should My Program Look Like?
[BH]- What should my cybersecurity program look like? We will always emphasize to whoever will listen, whether it be the IT team, the CIOs, the CISOs or the CEOs or the CFOs that business outcome is the key focus. Now, a cybersecurity program, a great cybersecurity program that isn’t right sized for the business or isn’t really focused on the business outcomes will ultimately be a failure. The reason for that is you’re gonna cost the business money. You’re gonna stop business processes from occurring or you’re gonna interfere to the point that people are going to hate the cybersecurity program. It needs to be focused on success of the business and a cybersecurity program can do that and can do that very effectively. It can actually be a revenue generator for the business if done correctly.
It needs to be risk management centered. Just like all other good projects and good program management, you need to understand your risk and you need to focus your energy where the highest risk payoff is. If I have a set of risks and one is high risk, one is low risk and I’ve decided I have a new nickel to spend, I’m gonna spend that nickel for the place where I’m gonna have the highest risk impact, right? I’m gonna be able to buy down risk at the highest level. I need to prioritize things based on that business risk focus.
It needs to be scaled to maximize the return on investment and NOT break the bank.
Also, established on a solid framework and matured over time. One thing that often businesses make the mistake is they say, “Ok great. I’m gonna implement cybersecurity. I’m gonna go out and I’m gonna have somebody come in and tell me how to do this and do it all at once.” Well, what they’ll find is that that’s gonna be extremely painful from both a cost perspective and from a business interruption perspective. What they need to do is they need to build based on a solid framework and we’re gonna talk a lot about that here in a few seconds and then mature their program over time as opposed to going through the big bang, trying to do it all at once.
It’s NOT a “whack-a-mole” game. Cyber risk is an ongoing business process. It should not be treated as a “Here’s a vulnerability. Fix it. Here’s a, somebody hacked my system. Fix it,” kind of process. If that’s the only thing someone is doing, they’re gonna lose. You know, trying to chase those vulnerabilities and just trying to put out those fires. That’s often what we find security organizations in companies doing, right? They are constantly chasing fires. What we’re trying to move in this overall theme of the disciplined approach to cybersecurity program management is to move from that whack-a-mole game, from the firefighting mode and into a more strategic view of cybersecurity and a program to support the business.
As I mentioned, a solid program is based on people, processes and technology. All of those three legs to that stool are required in order to have a successful cybersecurity program.
Compliance issues, and if you’re a regulated organization you probably understand a lot of this, your program shouldn’t be defined purely based on compliance requirements. In fact, compliance should be an outcome of a well structured cybersecurity program. With that said, your compliance requirements feed into your cybersecurity for certain, right. As you’re defining your projects and your programs around us, really if you structure your program correctly and structure it the way I’m gonna lead you through, compliance will be a natural outcome of that process as opposed to being the thing that drives your program.
I just want to illustrate that point with a couple of physical security requirements because cybersecurity illustrations are kind of boring because it looks like bits and bytes. I wanted to follow the physical security world.
What Happens When Compliance is the Driver?
[BH]- Imagine that you’re a project manager and you have a regulatory requirement that says you have a camera pointed at your door, trained on your door at all times and simultaneously, you have a business requirement that says “I want to have a monitor so that visitors coming into my front door can see it as soon as they walk in and see my marketing material (whatever I want to display) on that monitor.” The outcome of that, if you’re purely compliance driven, is something akin to this and I can hear the laughter over your muted microphones. Your camera is trained on the door. Technically, I am compliant. Am I secure? Probably not.
Another funny illustration of that is I have a requirement, a regulatory requirement that I have a gate on every driveway or every road that leads into my facility and that has to be met. So, there you go. I have a gate. Am I secure? I’m compliant but I’m not secure.
I have a similar requirement to have camera trained on my front doors in all entrances to my facility. You end up with a situation like this. I have cameras trained on every angle of the building. I said, “Oops. I forgot that the roof has access.” If you don’t look up there, you’re still vulnerable. You’re compliant, technically compliant because I have cameras trained on the doors as all the requirements told me I had to do but was that a complete security program? Obviously not, right?
Building a Program … The Cybersecurity Framework
5 Essential Functions to Protect Your Organization
[BH]- How do I build a program? Back in, I guess it was 2014 at this point because we just hit the five year anniversary of the new cybersecurity framework—President Obama actually issued an executive order for the National Institute of Standards for Technology to develop a framework for improving the cybersecurity of the critical infrastructure of the nation. We set out to do that and developed what’s been kind of known as the [inaudible] cybersecurity framework. It has a longer, longer official title but it’s, you know, the [inaudible] cybersecurity framework.
The framework is really industry agnostic. It was developed through cooperation of thousands of representatives from across multiple industry sectors and it really is being picked up and used, not only in national critical infrastructure areas like energy and health and others but it’s also being used in private industry: restaurants, restaurant hotel management, banking, getting healthcare—it’s being used across the board. It’s also gone international. It’s a way of structuring a cybersecurity program so that you can understand what you need and be able to communicate that up and down the chain. Up and down is a communication mechanism for up to the board and all the way down to the folks that have to implement.
The framework consists of five major functions. We’ll talk a little bit about each of these but Identify, Protect, Detect, Respond and Recover. You can think of it two ways: these are five distinct functions or they’re five interlocking steps of a process to develop a cybersecurity program.
Identify: Let’s first talk about Identify. So what is the Identify function? It’s really all about what are the risks associated with your business and what are the assets that you’re trying to protect or that are important to you and that should be protected in your cybersecurity program. It’s comprised of six categories. The functions are broken down into categories and then subcategories below that so you can understand “what are the outcomes I need to achieve in order to achieve a good structured cybersecurity program.”
Identify is focused on Asset Management. I need to understand where are my computers, what are the servers, what are the end points, what software is running on those end points and servers. In addition to that, what is my information? What are the information assets that I have and how is that information expected to flow across various business processes. All of those factors go into managing your assets to really understand your business.
You know, what is the business environment I’m existing in and how is it governed (Governance)? How am I structuring my program in order to appropriately have the appropriate management oversight and review of the overall program.
And then doing the risk assessment and managing that risk and dealing with the vendors (Supply Chain Risk Management). As I mentioned, one of the well known attacks was not a direct business issue. It was a supply chain issue. If I’m not managing my supply chain and ensuring that my information is protected by third parties that are working with me, then I have a major issue in my program.
Protect: And onto Protect. Protect may seem obvious. Oh, that’s where I buy the firewalls and the guards and the antivirus software and all the good stuff I put on my systems to protect myself. It’s also, in addition to that, how do I really manage all of that. What are my access control policies, procedures? How do I train my people (Awareness and Training)? What is, how am I protecting the overall data (Data Security)? What are my data classification processes? How do I categorize that information and protect it appropriately (Information Protection Processes and Procedures)? And how do I maintain my systems? If I have to send a PC or a server out for maintenance or let’s say a printer out for maintenance, how do I ensure there’s no proprietary or critical information on that machine before it goes out for maintenance or how do I ensure the maintenance personnel coming in, the printer services company coming in, doesn’t take information out? What are the firewalls and the protective technologies that I use to manage to protect my system?
Detect: Even though I have bought the best technologies and I’ve implemented the best processes, I still need to have and understand that things are still going to happen. There’s still going to be events that happen on my network. There’s still gonna be mistakes that happen by my employees. How do I detect those events? The detect function is focused on how do I define those anomalies or events? How do I monitor my environment to ensure that I’m picking up on as many as I can (Security Continuous Monitoring)? And what are the processes in place for doing that (Detection Processes)?
Respond: Once I have detected something, do I have a plan in place to actually respond to that event? Whether it be a live attack, that I’m having a major data breach—what are my response plans? What are my incident response plans in place? How do I exercise those plans? Have I communicated those plans to the organization? What are my plans in place to analyze and mitigate any concerns or any issues that may arise as a result? Over time, I need to continuously improve that planning process and those plans that I have in place to make sure that I’m learning from the lessons that have [inaudible].
Recover: Finally, given that you’re gonna have events. They’re gonna need to be detected and you have to respond to those events in some way. Once that event has occurred, how do I get back to business? How do I recover? Having those planning processes (Recovery Planning) in place ahead of time for, let’s say I’m a hospital system and I lose a whole bunch of patient information—at that point in time is not the time to start thinking, “Oh what kind of protections (Improvements) do I need to provide my patients? Is my insurance coverage going to cover me from all the fines I’m gonna get from the Office of Civil Rights and how am I gonna communicate to those patients that I lost their information to make sure they still are willing to do business with me, to make sure that they’re willing to come back and continue to get their care from me so I can continue to make money and stay in business.”
Putting all of those factors in place across all these five functions is really what constitutes a complete cybersecurity program that then you can evolve from and mature to—and the concepts around these make it easier because you’re communicating to the board. You’re communicating to the decision makers in your organization at a level they can understand where, “identifying your assets, what are the important things for your business, how am I protecting those assets,” and you know, based from a risk management perspective, if you can elevate that discussion to that level, you’ll be able to talk to them from a business risk perspective and get the attention you need to.
Cultivate a Culture of Cybersecurity
[BH]- It’s cultivating that culture throughout your organization (Cybersecurity at Every Level of the Organization) and it has to be at every level of the organization. It can’t just be the security team is the only one that really cares. It needs to be everyone from the board of directors all the way down to the most junior staff person in your organization that cares about cybersecurity and really understands when and how they need to proceed when they see something gone awry or how should they act when they get that phishing email to make sure that something bad doesn’t happen.
Again, you need to train your employees (Train Employees to Spot Phishing Emails). Part of building a business culture (Build Cybersecurity into Your Business Culture) is really giving the employees what they need to protect themselves. If you don’t equip folks to really have that good cybersecurity mentality, then you’re not really protecting them.
From a business culture perspective, it needs to be viewed from that perspective. If somebody does make a mistake, employees are gonna make mistakes—you know, it’s gonna happen. Even the most seasoned cybersecurity professional can sometimes make a mistake and click on the wrong link and trigger something. It’s just how do they know what to do at that point and if you blame the victim (DON’T DO THAT), you’re going to create a culture that people are saying, “Oh I clicked on that link but let’s make sure—I don’t want to tell anybody because I’m gonna get in trouble.” You gotta have an open door policy in order to have people make those mistakes and learn from them and then help your organization learn from them as well.
Employees, again, should be stakeholders in cybersecurity. They should understand the benefits to them, the benefits to the company and have them vested in the process. We can do that also through employee performance reviews and that sort of thing as well.
But also, it’s critical—you know system administrators, and if any of you out there are IT system administrators, you’ll certainly understand this comment, right?—oftentimes mistakes happen in setting up, say, a new server, a new business application because everyone wants it yesterday. If you don’t give those folks the time to do it correctly, the time to make sure that things are configured correctly, it’s very easy to configure what could be a very secure system—it’s very easy to configure it in a way that’s not secure and is very vulnerable to attacks. It’s very critical to have that as part of the culture as well. Take the time to do things correctly from a cybersecurity perspective. And again, Empower Risk-based Decision Making at All Levels of Your Organization.
Cybersecurity Program Management
[BH]- We tend to wrap all this up in terms of cyber project program management office concept where we’re trying to move information security programs from that reactionary fire-fighting mode to that strategic business focused mode through a set of dashboards and what have you. The key to doing that is having everything focused on risk management and understanding how business risk drives every aspect of your program and it drives every aspect of your business.
If I’m dealing with a compliance management issue, I’m not necessarily going to—if I’m finding that I’m lacking in compliance in a particular area, I’m gonna have to assess “Am I gonna spend a whole lot of money on doing that right now or is that too low of a risk to spend money and I have a higher priority item that I need to take care of, and how do I prioritize those plans?” The same with vulnerability management.
You often hear all these patches, Microsoft has their Patch Tuesday concept and that sort of thing. All companies don’t move out at the same speed on those patches and there’s a good reason for that, right? You have to understand how do those vulnerabilities impact a particular application or particular business function and how do I prioritize that based on my overall business risk as opposed to just the risk of that particular vulnerability. I may choose to leave a vulnerability in place. That sounds strange but I may have to have some other mitigation that I put in place because I really, if I patch that, a business process can’t function properly.
I need to hear the situation but I need to do it from a perspective that actually manages the overall risk of business and doing that through this kind of process of understanding the risk, prioritizing the risk and then managing them from a security project management perspective and really using those project management skills that you have to really help drive the business because, at the same time the security team—if your organization has a security team—has been vested with a number of projects, most likely, that the board has said, “Hey I’m gonna fund you to do a particular thing but at the same time, put out all those fires,” right?
When I’m putting out those fires, how does that impact the programs I’ve been funded to do? Let’s say I’m rolling out a two-factor authentication across my organization and that’s a big investment for my organization and the board is really watching that program because it’s a major line item. They’re gonna ask me how I’m doing against that project but at the same time they’re gonna expect me to keep up with the latest ransomware attacks and maybe a Board of Directors member read an article and they’re gonna call the security team and say, “Have you looked into this? What are you gonna do? You gotta look into that,” and how does that impact the overall project schedules.
You know, all of those competing, competing for finite resources in your security team and how does the overall process work. Also, policy management needs to be part of the equation there as well. Policy should not be in place for the sake of having a policy. A policy needs to be in place as a business risk mitigation, right. There’s a reason you’re putting a policy in place and that shouldn’t be driven by some aspect of business risk that you’re concerned about. Overall, all that knowledge needs to be managed, it needs to be part of the education process within your organization and your employee education as well.
[BH]- I’ll sum things up and then open up questions. Organizations of all sizes need to implement cybersecurity programs and it needs to be from a business risk perspective. They need to be focused on the business outcomes and focused on business success because, again, a well-funded cybersecurity program that brings the business to its knees is not gonna be well funded beyond that year, right? It’s gonna collapse along with the company so you have to focus on the business outcomes.
Building on the NIST Cybersecurity Framework provides that foundation, that way to evolve your program over time at a pace that the business can handle.
We recommend managing Governance Risk & Compliance, that’s what GRC stands for, but managing that through a focused structured program within your organization.
And then a lot of organizations will assess vulnerabilities or assess a risk on a point-in-time basis. They say “the fourth quarter of every year, I’m gonna hire a pen tester to come in and do a penetration test for me on my systems or I’m gonna hire a compliance audit firm to come in and look at my environment to see if I’m compliant.” That’s great. That’s a start but really, in this dynamic world that we live in where vulnerabilities are cropping up every day, new vulnerabilities are being uncovered, new attacks, new threats are coming out and my environment, my business environment is changing, my business environment is evolving throughout the year.
I need to be continuously aware of the impact that all those things have on my overall security program and be able to assess that, assessing that on an on-going basis so that I know that, “Hey this thing just happened in my business. What is the risk of that happening, what is the risk (or) this is happening out in the world, a new attack has just been launched against an industry and here’s the potential impact it could have on me and what am I doing to mitigate that?” If I wait until a particular time of the year to do that, it’s gonna be too late. I’m gonna be vulnerable to that risk and go forward from there.
I know I’m gonna finish up here. We have six and a half minutes left, I think, or something around that nature. I’ll open it up to any questions.
[Kyle]- Thanks so much, Brian. Just a reminder, if anyone has questions, you can check those over using the chatbox there and we’ll take those for you. Brian, in the meantime, while we wait to see if any questions come in, if people were interested in learning more from you or from Edwards, do you have any information on where they can reach out?
[BH]- There we go. I’m sorry. I forgot to flip to that slide.
[Kyle]- Oh, no worries.
[BH]- My contact information, my email address and the desk phone. Feel free to reach out. Happy to share any additional information or answer any questions offline that you may have.