
CISO’s Playbook for Leading Security During COVID-19 – Futurum Tech Podcast Interview Series
by Daniel Newman | May 14, 2020

On this special edition of the Futurum Tech Podcast Interview Series, host Daniel Newman welcomes Mark Hughes, Senior Vice President of Security at DXC Technology to discuss the CISO’s playbook for leading security during COVID-19.

The Current Cybersecurity Landscape

Cybersecurity challenges and threats are not getting any better or easier to manage. CISOs confront new threats, new threat actors, and new strains of malware and ransomware constantly. We used to be concerned with confidentiality attacks where information was being stolen, but now there is an increasing escalation in targeted attacks like ransomware.

To deal with these threats, most companies spend just enough to have a framework that stops the most critical attacks, but they avoid overspending on security simply to be safe. These are risk-based trade-offs, but two things are definitely true in the cybersecurity landscape right now.

  1. Many risks come from malicious intent, but not all of them, so organizations need to be prepared on all fronts.
  2. Threats and risks appear very quickly. Many organizations can be secure one day and under attack the next.

CISOs are in a balancing act. They need to mitigate risks as quickly as possible while making sure that the organization is as secure as it can be with a limited budget. It can definitely be tricky.

New Challenges with Remote Work

Almost overnight, CISOs faced a whole host of new challenges as entire companies moved to remote work as a result of the pandemic. Until now, many companies had a few groups working remotely or were prepared for people to work from their own devices while traveling. They only had a small-scale setup to manage little pockets of people, but now companies and CISOs have to do this for the whole organization. The job of a CISO became extremely complicated in a matter of a few days. Every CISO was now asked whether the company had the scale and infrastructure to handle this new situation. And if they didn’t have the scale, CISOs needed to come up with a solution — and fast.

The second question many CISOs faced was whether their security tools could operate effectively in the new network environments they were now operating in. Are there particular groups that pose the highest level of risk and still need access to critical tools? How do you layer security in a work-from-home environment so you can manage risk proportionately without hindering productivity?

Managing Security Risks

Companies have SaaS solutions, open source solutions, OpenStack, public clouds, private clouds, and a host of other initiatives and programs in use to help employees be productive. But each new program or solution adds a layer of complexity to security. And as much as a CISO might want to, putting stringent security protocols in place isn’t always the answer.

It’s a balance between four things: people, process, physical control, and technical control. CISOs need to educate people on the role they play in security. They need to help people understand the process of security. Then there needs to be physical and technical security controls in place that are manageable.

If you try to skew your strategy to only one bucket, like the technical aspect, users will figure out workarounds. But if you make sure that people know that security is the thing that needs to be done everywhere, by everyone, at all times, you’ll find more success. Education, however trite it may sound, is key.

If you do this well and do it consistently, you can massively improve your risk posture, making a big difference very quickly.

If you’d like to learn more about managing your security risk and ways DXC Technology can help, check out their website. Be sure to listen to the full episode below and while you’re at it, make sure to hit subscribe.

Transcript:

Daniel Newman: Welcome to The Futurum Tech Podcast. I’m your host, Daniel Newman, Principal Analyst and Founding Partner at Futurum Research. On this episode we will be talking about the CISO’s playbook for COVID-19 and securing your organization. I have DXC Technology’s, Mark Hughes, joining me. Welcome Mark to the show.

Mark Hughes: Well, thank you Daniel. I really appreciate the time today.

Daniel Newman: Yeah, I’m excited to have you here. A big topic, we’re going to be talking a little bit about the playbook for the CISO, and it can be the CIO, the CTO, but basically the person in an organization responsible for leading the security efforts, and there’s a lot of talk about that right now. Before I kick off the show though, I do want to say we are in the middle of April, actually dead smack in the middle, it’s the 16th right now when we’re recording this. Not sure when you’re listening to it. Hopefully you’re listening to it the minute I put it out.

But as podcasts go, evergreen content, it could be May, it could be September, it could be 2022. But we are in the middle of a global pandemic, coronavirus, COVID-19, which means I’m locked in my home here in Chicago and Mark is in beautiful London, which looks sunny. We are on video in the recording. Unfortunately you, the listener, are only going to hear us, but it looks sunny there in a beautiful London.

Mark Hughes: Well thank you Daniel and thanks for the opportunity and the time today. Yeah, it’s good here in London and I do hope that when people are listening to this, they are either hopefully not impacted by the situation or are hopefully on the other side of it and hopefully returning to some degree of normality.

Daniel Newman: Yes, a new normal, which will be a nice start for us. But before we jump into our questions in the interview and I promise to keep the seat warm but maybe not too hot, talk to me a little bit about what you do at DXC Technology, so everyone out there gets a little bit more on your background.

Mark Hughes: Yeah, so DXC Technology is the largest end-to-end SI, system integrator, in the world. We manage various IT estates for many large Fortune 500 organizations across the globe. And I specifically, I’m responsible for security. So I’m here for making sure that we have the right security posture for all of the services that we offer to our customers. And that equally extends to ensuring that we have the right products, security products and services for our customers as well to ensure that they can take advantage of those and help them manage their risk proportionately on behalf of their client base.

Daniel Newman: Well, let’s start off broad. And by the way, congrats on all that you’ve done, but let’s start off big and broad. So I mentioned we’re in the middle of this crisis, but even before we entered this crisis, around COVID and the public health pandemic, we’ve been kind of fighting a war, to use a metaphor, on cybersecurity. Companies are constantly at risk, governments, and this is something you guys are very focused on is overall helping companies better understand risk, on how to mitigate, as you kind of said to me offline herd immunity. Some of these terms that we’ve only heard in terms of this health crisis, were actually terms, Mark, that you’ve been using for some time in terms of cybersecurity. What’s the landscape overall, look like for CISOs right now?

Mark Hughes: Well Daniel, that’s a great question. And exactly, it is slightly surprising that some of those terms that we’ve used a lot are now really coming to the fore because it is about managing that risk and we see the threat environment, specifically for most CISOs out there becoming more concerned about new types of threat actors and also new types of strains of malware appearing as well. I would say one of the key characteristics that I’ve seen over the last few months is the increasing escalation in availability targeted attacks. We used to, perhaps in the past, be very focused on confidentiality type of attacks where information was being stolen. And of course, these two things are often linked, but now we see more and more of the sort of the ransomware type of attacks as well, which is more availability related. But overall, when I talk to many CISOs, as I do, from across the globe, it’s not getting any better. There are many new threat actors, new strains of malware out there that are testing us day in and day out. And so the risk equation is continually rebalancing in pretty well everyone that I’m talking to.

Daniel Newman: Yeah, the term was sort of whack-a-mole for a lot of companies, right? It’s kind of whack-a-mole because it’s like you’re getting it coming from many directions. And I’ll frame this a little bit with something I’ve long heard, right? So as an industry analyst, I don’t necessarily do it day-to-day, but I have to analyze it, read about it, learn about it and share it. And a lot of what I hear is that security, for many companies, cyber specifically, has often been sort of one of those balancing acts. Companies want to spend exactly as much where a breach where it would cost more if breached than not, meaning so instead of spending to say let’s prevent all breaches, let’s spend enough to make sure that we can stop the most critical and we have the right framework to do that. But let’s not necessarily overspend just to be safe. And that means people in your role and the companies you work with are juggling a lot because you’re not resourced enough.

Mark Hughes: And I think that’s actually characteristic in this health crisis. We see that it’s characteristic of many types of risk, in fact. Forget the cyber specifically for a minute or two, but actually, there are many things that many organizations face even as we do in our daily lives, we’re having to trade-off those risk-based decisions. I think the pandemic is a good example of that. If we’d been able to predict that and put everything in place, then we would have perhaps been in a different position from where we are now. But that is indeed the trade-off that we make all the time. And I think though, in cyber, there are things that are slightly characteristically different. Genuinely the threat actors are working against an organization, and obviously only malicious and intent, often a lot of things that we see in the tech world where risks manifest are not done through malicious intent. They are done because things go wrong. And that therefore means that your mitigation strategy is slightly different.

And the second thing about cyber is that often they appear very quickly. So you can go from being, having a posture that you can feel relatively comfortable about in terms of your risk control one day, to a whole new set of exploitable vulnerabilities appearing very rapidly. And therefore you have to very rapidly change your posture in complex IT environments. And I think in that sense, Daniel, that’s what makes the cyber conundrum quite tricky that yes, of course a trade-off like it is in many other things, but often that trade-off and the time that you have to respond to it, and therefore the way you mitigate that, is quite different from other risks.

Daniel Newman: Yeah. I think when I was talking about the trade-off too though, I’m talking a little bit about if you went to the organization’s leadership, the ones that tend to really hold the biggest purse strings and say, “I’ve got a tool that can be tech enabled that will raise our customer sat scores, our net promoter scores, by two points, which will yield X, Y, Z in additional revenue,” easy to get funding.

Mark Hughes: Absolutely.

Daniel Newman: And you say, “I think I can invest in an intrusion detection strategy that would reduce our risk by 20% of getting breached.” The question is going to be, well, what will that save us? How does that help us? Right?

And my point is you’re not wrong and I’m not right. It’s not even an argument. It’s just a matter of unfortunately, until a company gets that Equifax kind of moment where their whole business is suddenly hanging in the balance, a lot of times I think people are like, “Ah, we’ll get breached. We’ll get over it. We’ll get a denial of service attacks, we’ll get over it.” But there are real costs and trust is a real cost.

And so I want to touch base, I want to actually get you to a new thought though here, that builds off what I just said. I’m not even going to give you a chance to respond, but don’t worry, you’ll get your moment. Work from home has created a whole new categorical challenge for the CISO. Companies kind of used to have what would be sort of a safe area, in an area that is defined by the CIO or the CISO or the partnerships, development of a data center of a virtualization layer of storage and data protection. And there was no real time to prepare for this. This wasn’t a case where a company was like, “Hey, you got three months to prepare, we’re going to deploy 60% of our workforce from home.” It was like Friday, everyone went to work, and Monday everyone was working from home. This had to raise some red flags in security. I mean, what did CISOs, what could they do?

Mark Hughes: Yeah, that’s a very good question. And I think that whole thing around how you price in downside risk that you were talking about before applies exactly in this scenario as well because what is the risk? How do you quantify that? And now we’ve obviously thought about remote working in the context of a proportion of employees for many years, and have been successful at being able to manage that risk associated with it. But now I think the thing that has become very clear, Daniel, and I’ve been talking to a lot of people over the last few weeks about this is, hey, I’ve now got those people who would be writing the sysadmins, those types of people who would normally not be working remotely. Now everyone’s working remotely up to and including, for example, a CISO talked to me that day that his biggest challenge was about wet ink contracts, printing stuff to be able to wet ink contracts at home. How does that work on infrastructure that can’t be trusted?

So you’re absolutely right. There’ve been a whole host of new things that have suddenly appeared. A, there’s just simply the scale. So the first thing that I think most organizations are struggling with is, have they got the scale and the infrastructure to be able to cope with the types of controls and are the controls robust enough to be able to deal with that scale? So you’ve now got, as you said, the entire workforce pretty well working remotely, is all the security tooling available, the privileged access type tooling, is that able to operate effectively in the type of network environments that we’re now operating in? So scale is one thing, and then there’s the specifics. Where are these now, specific groups, which are way beyond the traditional salesforce on the road type groups, which have hitherto been fairly well provisioned from a bring your own device type of approach with all the controls you need there, to now how do you do this writ large across the whole organization.

So then you have to look, and what we’ve been working on and working with specific organizations with, is about how do you look at those particular groups that pose that highest level of risk, but still need to be able to maintain service access to those critical tools? And how do you then layer up the security in those environments in a work from home environment, that allows you to be able to layer up your defenses so that you can manage the risk proportionately? So that’s how we’ve been going about it. But it’s a very, very good point because a lot of people are having to rethink their strategy almost outside in, as opposed to inside out, very quickly over literally, just a few days.

Daniel Newman: Yeah, we’re seeing the power of what cloud and new architectures can be, because obviously we’ve heard a lot about cloud as this catchall and perfect solution, and in itself, it’s not. There’s a reason only about 20, 25% of workloads have moved. Companies have loads of technical debt, there’s applications that have been built that were never designed to be running in cloud. And there’s initiatives, open source, OpenStack, that are designed to help companies move to cloud native. But that’s a long tail. You’ve got VPN limitations, you’ve got a migration towards maybe software defined. So things like SD-WAN will be probably significantly more robust and adopted in the wake of this. You’ve got a ton of SaaS being deployed globally. We’ve probably heard a lot about issues because everyone went to these work from home collaboration tools, which has been both a boon and a bust for some of these companies, especially when it comes to security.

I mean companies saw a lot of scrum, skunkworks kind of projects where, “Hey, we like this tool,” Slack or Zoom or just different tools that everyone like. And they all have the capability to be secure but not by those people working at home. It needs some standardization, it needs some centralization. And so that brings me to kind of like cyber hygiene as a whole. So you have to be working with companies. It’s not just about centralizing because you’ll never win if you completely try to block out shadow IT. You’ll never win if you completely try to stop the BUs and line of business from being creative and implementing tools and deploying things that work and help them go faster. But if we totally let them run free, the cyber security and privacy and data risks become exponential. So what’s the hygiene to manage those things?

Mark Hughes: I always think there’s four things, Daniel, there’s people, process, physical and technical controls, and it’s a balance of all four things. So people have got to do the right thing. You have to have process controls in place, as well as the physical controls. Actually, as I said earlier, some of those things like printers and stuff you physically have to control those as well as the technical controls. And I sort of put the technical controls there last on the list, not that they are least important by any stretch of imagination. But really there’s a lot you can do by getting people to do the right things. And it’s all four of those things that have to work together to make it operate. But one thing, in my experience, it’s absolutely certain that if you try and skew your control strategy purely into some technical bucket and you make it hard for users to be able to do the right thing, they won’t do the right thing. Because we, by nature, want to get stuff done and want to find a way to do it in a way in which it facilitates to make it easier to do things.

So therefore, thinking hard about having a cohort of individuals in an organization, enterprise and in the extended supply chain, you understand what the risks are through some of that education. Yes, there are some red lines that can’t be crossed because it’s usually regulators and others who stipulate through some of the regulations that we have, that there are things that can and cannot be done. So understanding how the controls do that. But then making sure that actually security is a sort of thing that needs to be done everywhere, by everyone, all the time. And I know that’s a sort of trite expression, but it really is increasingly so. And what I mean by that is not only are the staff and people in the supply chain have an awareness of the importance of what their own responsibilities are regarding data and the like, and some of that is much better known than it used to be.

But also that when they are interacting with a tool that they are thinking about, “Well how should I set this up?” and is there some guidance that can be issued? Some of it may be centrally from a particular posture in terms of how an organization wants to operate. But that helps the users make the right choices, because as I often say, doing one thing one way or one thing the other might not actually cause any friction at all until you actually end up using the tool. Whether you have encryption enabled, for example, or something like that, but you end up with a very different security posture. And nowadays the good news is there’s a lot of security embedded in a lot of those pieces of the ecosystem that you were just talking about, and being able to use those tools within those ecosystems now effectively to create the right risk posture that you want to have is becoming increasingly much more frictionless than it was before.

However, it does depend on being able to educate users to say to look, these are the ways in which you need to do things. And even if you’re out there on your own and there is no guidance, then you’ll have a good sense of which way to go with a particular tool because you’ll have a good sense of knowing how important, relatively, a discussion on a video conferencing type tool is or not as the case may be. So I think things are becoming, on one hand, more explosive because there’s more things to do and more tools to use. But on the other hand, knowledge is really getting better in terms of individual users understanding a lot more what their personal responsibility is and how to then deploy that in whatever they’re using.

Daniel Newman: Yeah, I think it’s great, and it’s something that companies probably need to expand upon a lot, is helping individuals understand their responsibilities. I think individuals have taken to the tech clearly, the mobility, flexibility. I think a lot of people, mentally, were ready for some extent to go to more of a remote work. People enjoy the fact like, “Why do I need to be in the office all the time? I can do a lot of the work.” Now again, that depends on your role, your responsibility, where you sit inside of the organization’s operating models, but I think there is a desire. I think when it comes to security, there’s been an inherent laziness and an inherent lack of desire and a lack of, I would say sort of individual responsibility that people really kind of do expect the CISOs and the CIOs to run it.

And I think just like all companies, it’s culture and that you have to drive that culture where people understand that they are part of it. It kind of goes back, Mark, and I’ll make a joke, but a lot of security breaches are people putting sticky notes on the top of their laptop and visual hacking and people that are lazy and have the password, “Password” and the password, “Admin.” You know what I mean? There is still a ton of exposure for companies because of individuals’ own actions.

Mark Hughes: The biggest issue we have often in security is how we deploy these controls. We get the coverage and they’re controlled ubiquitously in these estates as well. When you look at most of the things that happen, it’s threat actors being able to exploit vulnerabilities where we have a poorly implemented set of controls. And some of that does come down to individuals not doing the right thing. Sometimes it comes down to, projects, security projects, not really getting to the point where they have that coverage right across the board. One thing I would say, Daniel, which has been very interesting in my experience, is often around things like Thanksgiving and Black Friday and those types of times when people are doing, Christmas and other times of year when people do a lot of shopping online and other things. I’ve often done a little bit of a, here you go, everyone, here’s some tips and tricks to know about, how to make sure that you’re running the latest software on your endpoint, making sure that the browser window that you happen to be working in at the time, that session is encrypted and secure to the extent that you can be sure, and some just some basic things.

I get unbelievable attendance in those things, because when it becomes really personal, when it’s your own money, people then really begin to want to sit up and listen and understand how to do things. And the good news is when you think about a lot of those types of controls that we use every day, when it’s our own personal money, there’s a direct read across into the corporate environment. So that really helps that education process as well as saying, “Hey, if I do a few things, but do them well and do them consistently well, like don’t have a flaky password and particularly bothered about my password for my Hotmail, Gmail,” or whatever mail account it is on the basis that, that’s often the conduit for exploitation. Yeah, there’s few things that you do them well and you do them consistently, you can massively increase your risk posture. And if you can bring that into a corporate environment, same sort of principles. Wow, you can make a big difference very quickly.

Daniel Newman: Yeah, and to your point, there are things that certainly can be done centrally. I’m just saying like there’s times when people just leave their laptops, or set their laptop to not go to sleep for hours, and then they’ll walk away from a computer and they’ll leave it sitting there and it gets stolen in an airport. And it’s amazing how weird little things that are just human behavior. You could have all the locks and the controls, meaning that when it was closed and opened you have, 32 bit, 64 bit encryptions, you can have very complex passwords. Part of the problem I have long said is too complex passwords leads to sticky notes being put on top of laptops, there has to be that balance where it can’t be so hard that no one can remember it.

Mark Hughes: There’s been some really good stuff, the National Cyber Security Centre in the UK, for example, has produced a load of new guidance on passwords because we’ve been in this treadmill of having to reset passwords on a frequent basis in many organizations, and lots of users use many different passwords. When you calculate it all up, you expect a user therefore to have to memorize some extraordinary amounts of digits and combinations of letters and digits, it’s really very challenging. So there’s some really interesting new guidance that’s come out in the UK and also through CISA in the US as well, about how to manage and what is manageable from a user point of view, to your point exactly. So this thinking is going to increasingly play a part and we see new technologies arriving with facial recognition and other stuff coming in as well, which is also very, very good. And that negates some of the need for users to have to remember so many passwords, which is I think really helpful and takes us in the right direction as well.

Daniel Newman: Biometrics and facial recognition will be big, of course, when used for good. There’s still a lot of issues. So we got to wrap this up. I’ve got time for one quick last question for you, Mark. And thanks DXC Technology for being part of this podcast, great to hear your perspective. Everyone check out the show notes, I’ll get you some links. You can learn more about everything Mark’s talking about and everything the company’s doing. But let’s wrap up here on kind of one thing, and that is this remote work and work from home. How permanent, what do you think is going to happen as we come back? Just give me your one minute prognostication on what it’s going to look like when abatement has sort of reached a level where we start to go back to work.

Mark Hughes: I think first off, we’ll know that our infrastructure has coped, because they are coping, and that we can do things which we didn’t necessarily in the past think were possible. So I think just the propensity of the workforce to be able to work in a much more distributed and remote way has got to be something now that everyone has realized, that’s going to become much more the norm. Having said that, I don’t think it’s like every organization is now going to go to some entire remote working type way of operating in the future. I think there’ll still be a mix. It’s just that the mix will be different, groups that hitherto hadn’t necessarily seen themselves or indeed been thought about as being able to operate effectively in that mode, will now be able to do that. And that I think will open up more opportunities for many organizations and for individuals themselves as well.

Daniel Newman: Great take. Mark Hughes, DXC Technology, thank you so much for joining me today on The Futurum Tech Podcast Interview Series. It’s been great to chat to you. Everyone out there, go ahead, hit that subscribe button. We’d love to have you as part of our community here. Our weekly show where we dive into everything from the biggest headlines to the biggest mistakes made in the industry. But for now, for The Futurum Tech Podcast, I have to say goodbye, but we look forward to seeing you again really soon.

This podcast is part of a special series focused around what leaders and companies are doing to help employees and customers deal with COVID-19. Be sure to subscribe so that you don’t miss out on amazing insights.

Disclaimer: The Futurum Tech Podcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such. 
