How Veterans Affairs CISO Approaches Risk, Recruiting Talent and Proving Cyber’s Business Value
Paul Cunningham sees some similarities between his first stint in government service—flying helicopters as a lieutenant commander for the U.S. Navy—and his current role as chief information security officer at the Veterans Affairs Department.
“Risk management—from the aviation and cybersecurity perspectives—are pretty important,” Cunningham told Nextgov, speaking from his office at VA’s headquarters in Washington, D.C. “You want to drive down risk to as close to zero as you can.”
At an enterprise as large as VA, eliminating risk entirely is impossible because it’s simply too big. VA currently employs some 404,000 people across 170 hospitals, 1,200 clinics and 130 cemeteries across more than 25,000 acres of property. VA manages the largest medical network in the country—providing care to approximately 10 million veterans annually—and each year processes about $120 billion in financial transactions. VA’s Office of Information Technology alone is comprised of several thousand federal IT professionals, managing programs and overseeing networks across the country.
“If we were a private-sector company, we’d be in the Fortune 10 or Fortune 5, on par with companies like that,” Cunningham said. “We’ve got to start thinking like a business in those kinds of numbers alone. We want to show cyber has a business value.”
That’s where risk management comes into play. In government, you want to spend the money you’re budgeted, and a common sense approach to risk management helps a CISO determine where best to obligate funding.
“If we have one more dollar to spend, do we spend it on training employees on phishing scams or invest it in our firewall?” Cunningham said. In IT security decision-making, Cunningham said you first acknowledge risk and either accept it at face value, attempt to mitigate that risk or add value to the accepted risk. Decisions on whether to implement new technologies like artificial intelligence or internet-of-things medical devices are weighed against other factors, such as total cost of ownership, security risks and potential returns on investment.
Cunningham became VA’s CISO in January 2019, having served in the same capacity at the Energy Department for 7 years and more than a year as a branch director for U.S. Immigration and Customs Enforcement. The stakes at VA are high, he said, because millions of veterans depend on the agency for health care, support, small business loans, education services, disability benefits and other services. Cunningham, a veteran himself—along with approximately 60% of VA OIT’s staff—said veterans sacrificed a lot to earn those rights and services, and their experience receiving those services should be as seamless as possible.
Yet delivering quality, timely services to veterans requires a bit of a balancing act. VA, like all agencies, has to comply with numerous federal laws, regulations—and as of late—an increasing number of binding operational directives from the Homeland Security Department. Cunningham called DHS “first among many” in terms of cybersecurity partner agencies across civilian government. It’s at this three-way intersection of compliance, cybersecurity and customer experience where Cunningham really earns his paychecks.
“When I look at it, it’s the balance of how quick we can serve veterans and reduce their burden, but what are the things we have to do to meet our federal requirements and what makes sound sense,” Cunningham said. “We still do compliance chasing, but we’re putting measures and metrics on priorities. Our job is to service the veterans. If we’re not looking at that first, then we’re probably missing the mark.”
For all the talk of silos in government, VA’s executives work closely with each other and meet often. In matters of IT and cybersecurity, the CIO and deputy CIO steer the rudders, while C-suite executives meet at least weekly to address governance matters on issues like architecture, finance, requirements and acquisition. The governance board meetings also serve as a time to get buy-in on potential solutions, and for executives to address big-mission items.
The biggest right now is VA’s transition to a new electronic health records system designed to be interoperable with the Pentagon’s electronic health records system. The multibillion-dollar Cerner Millennium platform, originally scheduled for a March launch, was delayed last month to July after clinicians asked to be trained on a full version of the system.
Cunningham said VA wants to learn from the challenges the Defense Department experienced rolling out its health records system “to help us slingshot” to VA’s own successful rollout. While executives from both agencies are partnering to ensure interoperability between the two systems, Cunningham said the partnership will extend into the digital realm, sharing threat indicators and having the “full force of DOD protecting our network as well.”
On the horizon, Cunningham foresees the government’s tech workforce challenge as a major obstacle. Technology, he said, “is moving faster than the budget cycle can support,” and it is becoming increasingly difficult to recruit tech talent to the government ranks. Data from the Office of Personnel Management suggests VA is among the most challenged agencies when it comes to recruiting young tech talent. There may be no singular solution to this challenge, but Cunningham said increased partnership with the private sector—creating a sort of revolving door where techies move in and out of government with relative ease—may improve the government’s outlook.
“We’ve got to look at where we can partner with the private sector, for them to train people who can feed our machine and our people can feed back out in a more porous manner, so people don’t feel like they’re taking a big hit,” Cunningham said, noting the salary discrepancy between private and public sectors. “If you’re young and want hands-on experience, getting in the federal space is one way to do it.”
Cunningham also stressed the importance of role-based cyber training. Every employee, Cunningham said, has to be trained to be cyber and privacy warriors, but a standard one-size-fits-all cyber training isn’t enough. Employees require training relevant to their specific duties, and VA organizes a variety of summits and campaigns to “keep it at the forefront.”
“We’re trying to teach them habits that empower them without distracting from their jobs,” Cunningham said.
For aspiring CISOs, Cunningham recommends rounding out those resumes. A variety of career experiences is typically better suited for a CISO role than someone who has been in a singular role, Cunningham said. Further, while technical chops are great, they are not necessarily required for a policy-heavy role.
“For someone who wants to be a CISO, go read a job description and see what you can’t answer well, and then move your career to fill in those voids,” Cunningham said.
Fresh off a financial settlement over its 2017 data breach that affected roughly half the U.S. population, Equifax is forging ahead with a $1 billion-plus investment in a new security plan — and CISO Jamil Farshchi was eager to tout the credit reporting agency’s progress so far in a session this week at the RSA Conference in San Francisco.
Farshchi, who was hired as CISO in February 2018 after previously helping Home Depot clean up its security practices following its own breach, said that moving forward, the company is focusing on three key pillars: assurance in its data and controls, automation and generating security awareness among senior leadership, as well as lower-level employees, who will be scored on their security practices.
Farshchi asserted that Equifax has already succeeded in improving its corporate culture, controls and compliance, while also partnering with customers and industry organizations to share lessons learned. Indeed, he was particularly effusive about the company’s openness about its recovery efforts so far.
“[I]t is extraordinarily rare for an organization to be transparent about what they’re doing and the initiatives that are underway to be able to transform after that breach,” said Farshchi. “Most organizations, you put your head down, you grind it out and that’s that. The problem with that approach, in my opinion, is that it doesn’t afford the opportunity for everyone else to learn from the things that you’ve gleaned through that crisis event.”
Since the breach, the company has hired more than 1,000 employees in IT and cybersecurity, despite a shortage of talent in this field. The company also had to regain its compliance certifications after losing them as a result of the incident.
“[I]t is infinitely more difficult to be able to regain a certification once you’ve lost it than it is to get it in the first place and certainly to renew it on an annual basis. So we went through a huge effort to do that,” noted Farshchi, who had undergone the experience previously with Home Depot.
Farshchi spent the bulk of his presentation further detailing plans and objectives for improving assurance, automation and awareness.
The assurance component involves maintaining focus on basic fundamentals and regularly testing data controls and the entire security stack to make sure the company is not making false assumptions about its security profile. In essence, Farshchi wants multiple data points that offer a multi-layered view of the network environment, rather than relying on a single source of truth that might be unreliable.
Farshchi cited the company’s migration to the cloud using the Google Cloud Platform, noting the company has instituted assurance on top of its controls there. “So as of today, we can measure around 120 of our controls in that space — and the beauty of it is, unlike an on-prem environment, everything is standardized, so I can know real time, all the time, the effectiveness of every single one of those controls across the entire estate, which is really, really powerful…”
Meanwhile, Equifax’s effort to increase automation — in areas such as risk-scoring and remediation of network weaknesses, for example — is intended to streamline activities and get controls in place faster by relieving IT employees of burdensome, time-consuming manual processes. Farshchi asserted that the company is not trying to displace employees or downsize, but rather optimally leverage its employees.
Finally, to improve awareness, Farshchi’s team is instituting measures to better communicate with Equifax’s board of directors and the general workforce.
For the former, the team has developed a framework designed to plainly communicate current security goals and posture to senior leadership. The framework includes a control map that details what controls the company has already implemented, as well as the predominant threat vectors Equifax must watch out for. This allows the directors to see where the company is best protected, where risk still exists and how the security team intends to reduce that risk. Equifax plans to open source this framework for other organizations to use.
To address the general workforce, the company is instituting a system to score employees on their security practices, much like it rates consumers’ credit scores. For example, if employees click through on a simulated phishing email, that will adversely affect the scorecards they receive on a monthly basis, and hopefully influence more responsible behavior in the future.
“We’re doing this because our DNA in Equifax is obviously credit scoring and so we know how to do analytics… on this and we’re just applying that same skill set to this problem,” said Farshchi.
The debate over who the CISO should report to is a hot topic among security professionals, and that shows no sign of changing soon. That’s because there is still no standard or clear-cut answer. Ask CISOs themselves for their opinion, and you will get a variety […]
Enterprise Vulnerabilities, from DHS/US-CERT’s National Vulnerability Database:
CVE-2019-15625 (published 2020-01-18): A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim’s memory processes to extract sensitive information.
CVE-2019-19696 (published 2020-01-18): A RootCA vulnerability found in Trend […]
Chief information security officer, or CISO for short—it’s a very popular title lately, being added to C-suites at companies of all sizes. It seems corporate boards feel a company isn’t considered serious if it doesn’t have a CISO or similarly titled executive in board meetings. And due to their popularity, they are not cheap positions to fill. According to Salary.com, the average base salary for a CISO runs $168,000 to $287,000 per year. And yet, a survey by Bitglass showed that 38% of the Fortune 500 did not have a named CISO.
Company size alone may not indicate when it’s appropriate to add a CISO to your executive team. Other factors come into play, including regulatory requirements, industry, geography and whether there’s a focus on information security as a corporate priority.
Do You Need a CISO?
The most important factor as to whether a company has a CISO seems to be how regulated its industry is. In fact, many compliance regulations require having a named officer in charge of security, privacy or related matters. The FDIC and OCC, major regulators of the finance sector, both highly recommend in their guidance documents having an owner at the executive level for security functions. The GDPR (the sweeping EU privacy regulation) and CCPA (a similar law covering California residents) require officers managing the privacy of customers’ data. Health care, gaming, legal, transportation, energy and many sectors of manufacturing also require various levels of executive involvement in information security.
When a company is highly regulated, the size really doesn’t matter. Even the smallest community bank will generally have an information security officer, though sometimes these roles have a dual responsibility. Even if your industry regulations don’t specifically require a CISO position, you may want a CISO just to coordinate the large amount of security and compliance reporting at the management and board level. However, in compliance-focused industries, it is not generally recommended that CISOs report up through IT or operational lines. You don’t want the person checking the security of your corporate infrastructure to be the same person building that infrastructure.
Does Your Industry Need a CISO?
The industry also takes a larger role than size when it comes to needing a CISO. Certain industries seem to be more security-focused than others, which might be due to the regulatory concerns listed above, the value of trade secrets and IP, public safety or other considerations. For example, the transportation industry has the highest rate of CISO positions overall. This seems obvious when you consider we don’t want hackers inside our self-driving cars or accessing airliner flight systems. Technology companies also seem to have a higher number of CISOs, especially in the security sector, since their work is more likely to have digital and online outputs. The same study by Bitglass found the hospitality industry has the lowest level of security officer positions. And, possibly not unrelated, that industry has been the target of a number of high-profile, large breaches, with both the Hilton and Marriott chains suffering multi-million record breaches in the last few years.
Does Location Matter?
Geography also has a bit to do with whether a company has a CISO. Midsized companies in the European Union are more likely to have appointed a security officer due to the GDPR regulation, which affects companies of every size in the EU. Companies located in the United States and other first-world countries also have a higher rate of CISO penetration of the C-suite compared to those in less developed countries. Hackers generally target the richer, more established companies, which is also where more of a premium is placed on information security.
Should Your Company Invest in a CISO?
Forward-thinking boards of directors, even at midsized companies, are adding CISOs. This isn’t always just because of regulations or significant IP to protect, but because threats to company security are being seen as existential threats more than ever before. The near-total reliance on the internet and IT services at most companies means that having secure and available information services is as essential as having functional sales, marketing and accurate financial reporting. Indeed, with the increasing use of external SaaS services for those functions, the security and availability of those services must be there for the other departments to do their jobs properly.
So there are many reasons that a midsized company may decide to add a CISO to its management team. Above the smallest companies, it seems that size does not have as much to do with it as the company’s industry, the amount of compliance and regulation it faces, location and an increasing belief among boards and top company leaders that information security and privacy is a core business function worthy of C-level responsibility and management.
The post “Do Midsized Companies Need a CISO?” appeared first on National Cyber Security.
Ed Amoroso, the former chief security officer of AT&T, once wrote a blog post grading the previous administrations in Washington on cybersecurity. They all rated badly. That included the recent Obama administration, which, Amoroso said, got “too wrapped up in privacy.” He gave the Obama administration a simple recommendation on…