In today’s digital age, cybersecurity stands as the cornerstone of every successful business. Safeguarding sensitive data, protecting against evolving threats, and ensuring regulatory compliance are paramount.
Mass Technology Leadership Council’s Security Manager, Joanna Rosenberg, sat down with Grant Thornton’s Chief Information Security Officer Partho Ghatak for an illuminating Q&A session about the importance of cybersecurity in organizations covering everything from educating employees and integrating seamless security controls to combating sophisticated phishing techniques. Read on for more in his own words.
During your panel session at Mass Technology Leadership Council’s conference, the Business Impact of Security, you discussed the importance of protecting what matters most to businesses. In other words, protect your crown jewels. Can you provide an example of how a security organization you worked with was faced with the challenge of building layers of control and how they succeeded in doing so?
Partho Ghatak:
When we say, “protect what matters most,” our focus typically revolves around three key aspects: People, Processes, and Technology.
People are an important asset for any organization. It’s crucial to ensure they are well-informed and understand their roles in maintaining security. We need to foster a culture where security is a collective responsibility. Cybersecurity education is vital, preparing the workforce to effectively combat threats like phishing and social engineering attacks. After all, they serve as the first line of defense.
Technology plays a pivotal role in securing an organization. Multiple technical controls and tools are part of the security infrastructure. These controls should work harmoniously to focus on the right events or incidents. If these tools operate independently and fail to synchronize, it can lead to redundant efforts that might not yield fruitful results. Therefore, cohesion in the security technology stack is paramount.
From a layered protection perspective, organizations should adopt a defense-in-depth strategy, beginning with perimeter defense and then proceeding inward. Security is embedded in each layer: perimeter, network, platform, endpoint, user, application, and data. This layered defense model ensures that each layer is fortified with appropriate processes, tools, and techniques. These layers can be orchestrated to feed into a centralized security incident and event management (SIEM) platform, where event information is collected and correlated. For example, we are often faced with phishing. The SIEM platform is fed with data from external security sources or threat intelligence providers like Recorded Future, CrowdStrike, or Mandiant. The Security Operations Center (SOC) utilizes this information to correlate internal and external events. When indicators align, threat levels are elevated, and appropriate actions are taken.
For example, consider the common challenge of phishing. While no security tool is infallible, we have different tools at our disposal, such as email security gateways, to protect against phishing attempts. However, some phishing emails may bypass these defenses and reach end-user laptops. At this point, it’s up to the individual to recognize these phishing attempts and take appropriate actions. Users are a crucial component in the layered-defense approach – they are the first line of defense.
Endpoint security controls are another layer of defense. They involve different agents installed on endpoints, such as laptops. These controls work in tandem with people, processes, and technology to safeguard the organization’s confidential information and crown jewels.
Speaking of “crown jewels,” these are an organization’s critical assets. Most organizations deal with a vast array of technology assets, and sensitive information, including proprietary data. Identifying and safeguarding these assets is crucial in building a robust security program. Just as in our daily lives, where we place our most valuable possessions in a bank locker for safekeeping, organizations must protect what truly matters. Additionally, regulatory requirements related to data protection and privacy must be considered.
It’s important to recognize that no organization is without vulnerabilities at any given point in time. When deciding which vulnerabilities to prioritize, you must consider factors like the criticality of the asset, indicators of compromise, data classification, and whether the system is hosted internally or externally. Prioritization is key to effective patch management.
Another critical consideration is cyber resiliency. Organizations must be prepared to recover and continue their operations in the event of a disaster. Understanding what is critical and defining recovery point objectives and recovery time objectives are fundamental to business continuity planning.
In conclusion, asset criticality is a vital factor in decision-making across various aspects of cybersecurity, from vulnerability patching to disaster recovery planning. Understanding what truly matters allows organizations to make informed choices and build a resilient defense against the evolving landscape of cyber
Talking about the layer defense model, what is the easiest or the most difficult to deploy realistically for a lot of organizations?
Partho Ghatak:
The complexity of technology isn’t solely a matter of ease or difficulty. Each technology carries its own level of intricacy, and this complexity tends to increase as you move closer to the end-users. When technology is introduced without sufficient testing, it can potentially disrupt business operations. For instance, consider the critical role of email in today’s work environment. If the configuration of email security policies, both for inbound and outbound messages, is not accurately set up, it can result in a complete email blackout. Email is an indispensable tool for virtually every business.
Implementing security on endpoints or laptops poses its own unique challenges. It’s essential to strike a balance between robust security measures and ensuring that users can continue their work without unnecessary hindrance. The complexity varies based on the specific aspect of security being addressed. The challenges faced at the perimeter firewall level, for instance, differ from those encountered at the endpoint level. If these firewalls are not configured correctly, they have the potential to block all incoming traffic into your network and infrastructure.
The true art of security lies in achieving a level of protection that safeguards your business effectively while still allowing for smooth operations. It’s a delicate balance. We can function offline when disconnected from the internet, but in reality, we are always connected. The fundamental design of the internet is centered around the sharing of information, rather than concealing or entirely protecting it.
You mentioned before that as AI continues to advance, tactics like deepfake phishing will also evolve and become more sophisticated. How can companies remain resilient and maintain that culture of security awareness amidst this?
Partho Ghatak:
AI is obviously a game changer, undeniably a transformative force. Despite some organizations initially approaching it cautiously, the AI landscape is evolving rapidly. It has become a tool that’s not just an option but a necessity for staying competitive. However, it’s essential to recognize that AI also introduces security risks, particularly in the context of phishing attacks.
In the realm of phishing attacks, AI-powered tactics have raised the bar for sophistication. These emails can now closely mimic the branding and language of well-known companies like Amazon, making them appear remarkably genuine. Traditionally, phishing attempts often included grammatical errors and telltale signs of spam, but this new breed of attacks has become far more convincing.
Education is paramount in addressing this challenge. Many organizations provide their employees with annual security training, which is often treated as a checkbox item – once completed, it’s swiftly forgotten. Instead, I strongly advocate for a shift towards continuous training. By breaking down training into bite-sized, ongoing programs, companies can regularly deliver key security messages throughout the year. This approach helps employees stay vigilant and adapt to the ever-evolving threat landscape.
When talking about building customer trust, and some of the trends you’re seeing around compliance and audit requirements; How are companies trying to simplify these requirements and roll them out in ways that are easier for them to work through? And when they have these processes in place, what are the best ways to communicate them to organizations?
Partho Ghatak:
Every organization is on a unique journey, and where you stand on that path depends on various factors. From a compliance standpoint, your position is influenced by factors like your industry vertical and geographic location. It’s imperative for every company to adopt a framework for developing policies, standards, and controls. To start, it’s crucial to understand your regulatory requirements, particularly concerning privacy.
Consider a range of cross-sectional frameworks and tailor them to create your own control repository that aligns with your organization’s specific needs. Once you’ve defined this cross-functional framework, it’s time to implement it. This entails establishing a compliance program that continuously evaluates the effectiveness of these controls and consistently strives for improvement.
When it comes to auditing, obtaining ISO certification is a valuable achievement (we are proud to be ISO certified). However, if your organization operates in the public sector or government space, you may need to pursue other federal certifications that are relevant to your domain.
Ultimately, you should aim to create a trust portal for your organization. This portal serves as a means for your customers and clients to gain insight into your commitment to security and compliance. Certifications such as ISO, HIPAA, SOC, among others, significantly boost the trust your clients place in your organization. This elevated level of trust is what propels your business forward and fosters enduring partnerships.
