In this candid interview, Chris Hodson, CISO at Tanium, caught up with Anthony Belfiore, CSO at Aon and member of Tanium’s Board of Directors, to discuss the impacts of the distributed workforce on the cybersecurity function, board engagement, business resilience (or lack thereof) and cyber budgets.
Shifting the risk equation to cyber resilience
Chris Hodson: The first question is around traditional risk equations and board engagement:
In my experience, the high-impact, low-likelihood events tend to elicit a “well, that’s never going to happen, we don’t need to worry about that” response. From a board perspective, do you see a change to a profoundly different risk culture towards availability considerations of pandemic planning or other high-impact, low-likelihood scenarios, or is it too early to say?
Anthony Belfiore: I think there are a couple of things. One, what companies are really experiencing right now is they’re understanding that their business really isn’t resilient, and that business resilience is probably the most critical thing for their corporation.
Two, I think companies will be focusing on everything from remote working and virtual conferencing, to actual security, continuity testing and disaster recovery (DR) tracking.
Three, companies are going to reassess their critical business processes and the technologies that support them. You’re going to see a lot of issues coming out of that within the next two to three months and I think a lot of companies will start to realize that they really didn’t know just how bad their security posture was. Just because you’re secure from a cybersecurity perspective, and compliant with COBIT, NIST, or ISO, does not give any indication of whether or not you are cyber resilient and will be able to get up off the mat once you get punched.
I’d say you’re going to see a huge shift to people being focused on business resilience, core business processes, how they operate, and the people, processes and technologies to support those efforts. You’re going to see an increase in tracking, prioritizing, documenting, aggregating and memorializing of the protocols, and ensuring business continuity and disaster recovery workflow visualizations are going to be big.
Cyber resilience is a subset of business resilience, and a subset of that is your cybersecurity. It’s hierarchical. Your overall business resilience is made up of cyber, human capital, policies and procedures.
Bringing visibility to the forefront
Hodson: Anthony, this leads into my second question, around people misappropriating business continuity. Many IT teams “get it” at an IT level – they can fail over server infrastructure from datacenter 1 to datacenter 2 – but they don’t have an understanding of the services, applications and processes that the system is intrinsically part of. How do you see the holistic continuity planning changing?
Belfiore: It’s about contextualization and that’s where Tanium can come in. These business processes run on critical infrastructures and application ecosystems. Being able to draw that line is the most critical thing, and being able to have visibility into the performance, health status, quality of services and the security of the data is key.
It’s like taking a business architecture-led approach to understand your business processes and services, understand the application services and infrastructure. You decompose it down the stack, and then provide visibility up and down the stack. Then you can manage it. You can’t manage it right now.
The need to overcome the pandemic challenge
Hodson: That leads me to my next topic related to the pandemic situation: Project prioritization. Strategies seem to be abandoned in favor of anything availability-related, exacerbating the existing friction of priorities and budgets. The anecdotal feedback I have received from CISOs is that the ones who report to the Chief Risk Officer, Legal, or directly to the top, are still able to articulate the security priorities and abstractive, immediate IT issues. The ones who report into CIOs are being asked to re-evaluate all immediate and planned funding. What are your thoughts on this?
Belfiore: It’s a difficult situation. You’re being baked off against physical security, business continuity and disaster recovery, front office, middle office and ops needs, all with a finite amount of funding, time, cycles and people. And that’s just money and the ability to get work done. It’s the most rudimentary, intuitive impact, but now you also don’t have the workforce and the capability you had. You can’t work as quickly or as agilely. And people are really stressed out and worried. That’s really the biggest stress I’m dealing with right now.
The genie is out of the bottle
Hodson: Let’s shift our focus to security policies and standards. Many organizations have limited resources and are forced to adopt a bring-your-own-device (BYOD) policy. In many cases that means they also have to change their security policies and standards to ensure business continuity and to keep the lights on. It’s a simple technical change, but it will be extremely difficult to put that genie back in the bottle once the pandemic is over. Would you agree?
Belfiore: Yes, people are getting used to working from home. The secret is out. We don’t need all of this office space. We don’t need all of these things to be effective. This pandemic kind of proves it. It’s going to get really interesting.
Hodson: Let’s say that everyone’s working from home, including the Security Operations Center teams, the Incident Response teams, the engineers. Six months goes by and nothing materially negative has happened. How do you see security leaders, who had enormous budgets and said they need all of these controls, re-educating boards, who will undoubtedly ask “Why do I need all of this and why do we need all of these people if nothing happened?”
Belfiore: I think boards are realizing how effective remote working can be and that definitely justifies the cyber spend. This is the new normal. We don’t need all of this infrastructure or all of the people to work the way that we used to work historically. I think that’s the “wake up,” the disruptive revolution in IT and cybersecurity.
A new focus on business continuity
Hodson: Tanium is considered a critical business service for our customers. We provide IT operations, risk and cybersecurity capabilities which need to remain operational during a time of distributed working. As a result, I am fielding plenty of Business Continuity Planning questionnaires from (customer) compliance and risk teams. Some customers take a prescriptive approach to due diligence, aligned to ISO 22301/27001, while others are using more of a home-grown approach. What is your take on this?
Belfiore: Internally, we’ve never thought one standard was historically effective, so we actually took all the standards and built the best of breed. Our current standard is an amalgamation of pretty much every other one out there.
What many of our clients are doing right now is teaming up to do things together in terms of how they rate third-party oversight vendors and their own internal processes. Their risk-based policies and frameworks tend to come from the Big 4, who do a massive exercise, looking at all the standards out there, their business and all the regulatory environments that they’re subject to, and come up with an amalgamation. Financial Services and Healthcare in particular tend to do that because they’re heavily regulated. Government tends to come up with proprietary standards because of the high sensitivity to regulations. If you look at the other industries, they really just go with the basics and pick ISO or NIST. It really depends on the vertical you’re looking at and what they choose to do.
Ours is the mix of go-to-market standards for how we accept companies from a cyber insurance perspective, but we also mix in all the best practices from ISO, NIST and all the domiciles we operate in, like MAS in Singapore, HKMA in Hong Kong, FSA in Japan, FCA in the UK. We looked at all of their core standards and made sure that we build a minimum baseline of assurance into our current operating standard.
Hodson: That’s a good point on industry verticals. I have one more question: I’ve always struggled to get CXOs engaged with business continuity planning, be that crisis management or tabletop exercises. Do you think that the global pandemic is going to change that?
Belfiore: Totally. I think we’re going to be doing tabletops, and they’re going to be regulatory mandated. There’s no way we’re getting out of this one without the revolution of how we plan for business continuity.