RevCult is now OwnBackup Secure! In 2021, OwnBackup acquired RevCult, enhancing the cloud data protection platform with proactive data security. With OwnBackup Secure, you will strengthen security posture by understanding data exposure risks and proactively taking action to protect and secure your data -- all within Salesforce.
Six months ago, we hosted a webinar focused on big ideas and strategies for security leaders going into 2021. Our expert panelists for “CISOs Talk Shop” included Thomas Davis, CISO at Terminix (ServiceMaster), Pat Benoit, VP, Global Cyber GRC/BISO at CBRE, and Jonathan Hay, CISO at Cadence Bank.
Considering the webinar’s popularity and the significant happenings in the security industry, we decided to do a follow-up conversation. We invited our same group of speakers back for another round of talking shop—here’s a summary of the most important points and takeaways from their discussion.
Here are their 10 best pieces of advice:
Our panelists gave listeners a synopsis of their biggest piece of advice from the previous webinar. (You can also read the full recap here.)
Pat Benoit: Focus on the basics instead of shiny objects.
“We spend far too much time stylizing and getting fancy, whether it be with technology or process, before we really understand what needs to happen. Take that step back and look at the basics: asset management, process, process review, and risk management documentation. Make a business decision about a process before you start throwing technology at it.”
Thomas Davis: Always have a strategy.
“It’s really about not being reactive to the business or the issues of the day. Have a strategy, have a plan, and understand what you're executing against.”
Jonathan Hay: Extreme agility.
“Have the agility in place for teams to be able to respond to new products and service requirements from the organization; face new, emerging threats in the environment; and keep up with rapidly changing technology.”
In the months that have passed since the first “CISOs Talk Shop” webinar, there have been some material changes in the arena where our speakers’ expertise lies. From ransomware to data breaches, cybersecurity and data security continue to make headline news. Keeping those industry changes in mind, here’s what our speakers think will be the next new normal for security leaders.
Since 2016, over 4,000 ransomware attacks have happened daily in the U.S. The COVID-19 global pandemic has only added fuel to the fire—hackers have capitalized on the remote workforce and escalated attacks on corporate systems. Both the frequency and scale of attacks are increasing exponentially. For example, malicious emails are up 600% due to COVID-19 and the largest ransomware payout was made in 2021 by an insurance company at $40 million.
“More than ever, security leaders need to stay up to speed on the news because they’re going to be asked questions about it,” says Davis. “You have to be prepared to talk about the T-Mobile or Colonial Pipeline hack, or anything that’s happening in the industry and in the news, and then be able to translate highly technical things into business knowledge and business acumen.”
More press coverage and public awareness means security leaders will need better ways to communicate with executive teams and other stakeholders who care a lot about mitigating risk, but don't really understand what that means.
“Ransomware is just another exploit,” says Benoit. “Your incident response should look very similar. Your monitoring should look very similar. Your recovery process might be a little different, but not that different. But your documentation may have to change to reflect new language because The Wall Street Journal and Forbes published articles about ransomware and it’s the shiny object on the board. Whether it changes the process significantly or not depends on the threat.”
“One of the things we did to improve communication with stakeholders,” Davis continued, “was break it down to the layers of assets that we're trying to protect: our data, our networks, our people, and our applications. And then we explained the associated risks at those various layers, and the controls that we can apply to mitigate those risks.”
Security leaders are faced with a hybrid responsibility, from two perspectives. Not only do they need to mitigate risks in both legacy and cloud environments, but they now also have the added complexity of protecting a blended in-office and remote workforce.
Davis says, “We're living in this hybrid world where you’ll have incidents on your legacy environment and in the cloud. You really need tools, people, and processes to handle those incidents in both environments.”
Bad guys are in the business of making money and hackers have seen a huge increase in ROI in recent years. Security leaders need to expect attacks to get more aggressive and more sophisticated.
“I think part of our new normal in information security is the increased supply chain attacks,” comments Hay. “We’ve seen a few highly successful ones over the past few months and it’s going to get worse, as far as integration of ransomware threats into supply chain attacks.
“Supply chain attacks will get more sophisticated, and there will be other variants of ransomware attacks that will be highly effective against security controls, utilizing machine learning capabilities to sidestep detection. Approaching security from a pure ‘just keep the bad guys out’ standpoint, either at the perimeter or in cloud environments, isn’t good enough anymore. We have to bolster defenses utilizing a defense in-depth approach.”
More and better attacks, plus more press coverage…equals more oversight. Security leaders should expect more regulations in the near future.
Hay continues, “[Because of recent events like the Colonial Pipeline], more people are paying attention and the SEC is getting extremely interested in cybersecurity events at publicly traded companies. The regulatory pressure is going to get even more excruciating.”
Conversing about risk mitigation, our speakers went into their philosophies about governance versus security—or rather, process versus tooling.
“We approach things like vulnerability and patch management from a governance perspective first. We first do a process maturity assessment and risk assessment to determine the gaps we have in processes, as well as document those processes.
We tie our findings to service ownership and the level of maturity our CIO desires for the services that are delivered to the organization. And then we do a gap analysis, determining where we are now and what it takes to get to the desired service maturity levels. And finally, we backstop with solutions that fulfill any of the technology gaps.
But ultimately, the best and shiniest, top-quadrant technical solutions won’t help if you don’t have the people to support those solutions. If you have inadequate staff or inadequately trained staff, then the technology is worthless.”
“I look at everything from a risk-based perspective. We determine the risk, the threats coming at us, our vulnerabilities, and where we stand. From there, we apply our controls to that determination to get our residual risk—what we’re left with, if you will.
Then, we think about the end game. What are we trying to solve? What are we trying to mitigate? And finally, we apply process and tooling. To echo Jonathan, the most important aspect is training your people. You can have the best tools in the world, but if you don’t have great people who are trained appropriately, it will get difficult pretty quick.”
“The idea of risk management is obviously critical. We’ve purposely gotten rid of the term data governance in favor of data risk governance, because it’s really all about the risks to our data. Data is our lifeblood; it’s the oil that runs the engine. Whether it’s the data you’re processing for clients or your own data, it’s the difference-maker for any organization.
When an enterprise experiences some sort of attack from the outside, there's generally not a requirement to notify if they didn't get any data. That tells you something about the importance of data and the risks to your data to begin with. Data is what matters.”
Whether your role is InfoSec or IT, applications or auditing, you can benefit from the words of wisdom shared by our speakers on this webinar, as well as from solutions like OwnBackup Secure. We make it easy to implement, manage, and prove security controls on Salesforce, keeping your data secure in the most dynamic and complex environments.