Original Post from SC Magazine
Author: Doug Olenick
Mark Eggleston, VP, CISO and Privacy Officer at Health Partners Plans
Session: What vendors and hackers say vs. what you should really care about
SC: Fear, Uncertainty and Doubt (FUD) — is it still alive and kicking or have we as an industry gotten past this? Why or why not? Are there some corporate CISOs still struggling to get buy-in of cybersecurity resiliency and risk management plans at this point from their C-level executives and boards?
Eggleston: FUD is certainly alive and kicking, but on the decline in most reputable organizations. The reason is that CISOs have become business enablers vs. naysayers. Fear, Uncertainty and Doubt is just no way to run a rodeo! It might get you initial attention, but not in a good way. Today’s leading CISOs must empower business growth and view risk as an opportunity – after all, it is where the most reward is. The best method to gain executive buy-in and support is to start with a conversation to explore and define what matters to your executive team. For example, are we at risk and if so, where? Where are we (in our risk posture) compared to the competition? I’ve found most executives have a sincere interest in learning more about cyber, but we as security professionals must work hard to ensure our points are brief and salient to keep executives
SC: In our current state, what are or should be some of the priorities to confront top-of-mind security challenges right now? What about a year from now?
Eggleston: Current priorities for most security professionals should include recruiting in the face of skill shortages, instilling privacy-by-design principles into new systems, and employing a mature framework to select and implement security controls. As we continue to embrace the cloud for maximum agility and growth, we should be ramping our resources to strengthen cloud security controls vs. perimeter security controls. For example, allocating budget to Cloud Access Security Brokers (CASB) will help your business compete with agility, while providing assurances that only authorized users are using SaaS and can only manipulate data locally if their endpoint meets specific security criteria.
SC: When trying to navigate the legion of cybersecurity solution and service offerings now out there to determine what is needed in your own particular environment, what would you suggest CISOs and their teams take into account?
Eggleston: I’m eager to discuss this more at the conference. First off, take heed of what YOUR requirements are; do not succumb to the sales tactics and slick demos. Going to any vendor prior to doing your homework is like grocery shopping when you are starving – you are bound to come back with all sorts of stuff you don’t really need or that is good for you. Also remember, what may have worked great for a peer at another organization may not work as well for you. Typically, I start with a narrative on why my company needs to invest in the product or service, and include refined requirements. I also include use cases specific to my environment that I want the vendor to demo (not the other way around). Also, given the skills shortage we all will inevitably face, ask the vendor what managed services they offer or how they ensure customers are highly successful w/o charging extra for things like training.

We all want partners to enable our success, not just vendors or resellers. The former takes the time to invest in a relationship and understand your needs, while the latter can disappear after the invoice is paid. Networking with peers at events I’ve found tremendously helpful to identify up-and-coming vendors you may not read about from the large research firms and to get unabashed reviews. Empowering team members to initiate skunkworks projects to toy around with tech also can help security professionals get invested in the next chosen solution, while ensuring the product is a fit in YOUR environment. Last but not least, look for products to solve a problem you have efficiently and cost effectively; do not invest in products looking for a problem to solve.
SC: In working with particular vendors, what should be the necessary top standard questions to
Eggleston: I like to screen novel vendor or cold calls simply by asking that they provide me with any of the following: (a) a brief .pdf or description of what they are soliciting me for – to help me efficiently view succinct product details on my time, (b) a list or some references of who they have worked with in my vertical or companies like mine – chances are I’ll know a person or place they mention so I can follow up later to get the inside scoop, (c) a list of competitors. While vendors typically do not want to defer business to their competition, this helps me understand the space they compete in, as typically I already have procured a competing solution. It is OK for them to say they are kinda like X but offer more Y too; this information just helps me get my bearings straight in the interest of time and my attention.
SC: In reviewing the current threat landscape, what should any company ensure they have covered in their risk management strategies?
Eggleston: Always address the basics first and defer the glitzy new toolsets for later. For example, know your network and what is on it (vulnerability management), ensure only authorized users have access to only the minimum necessary (access control), and assume you will be breached at some time (incident response). If you look at the overwhelming amount of prior breaches, these three controls would have stopped the majority. Additionally, as more and more companies embrace mobility, this causes a lot of the legacy perimeter defenses to not be as effective as they once were, so ensuring the adoption of a zero trust network helps ensure you only have authorized people using resources. One of the most mature and helpful technologies here is 2FA. We simply cannot rely upon a single factor like a password to be all that stands between the internet and trusted computing resources. Using 2FA helps stop credential stuffing attacks and any other attack where the password is known to others.
The post RiskSec Preview: Mark Eggleston, Health Partners Plans appeared first on SC Media.