In a 21-year career in cyber security with some of Canada’s biggest companies, Vivek Khindria has seen trends come and go. But doing the basics right is still the most important part of securing the enterprise, he told a conference on Tuesday.
“Hygiene is fundamental,” Khindria, now vice-president of cyber security and risk at Loblaw Companies, said at the annual International Cyber Risk Management Conference in Toronto.
“A lot of companies get distracted by what’s the latest silver bullet technology to buy and lose track of the fundamentals: Vendor management, asset management, understanding where your crown jewels are etc.”
Khindria and co-panelist Nick Steele, deputy CSO at Dell Inc. were paired on a panel on the views of security practitioners, and their advice ranged from hygiene, how to talk to boards and the promise of artificial intelligence in security.
The issue of hygiene was raised by moderator Doug Howard, vice-president of global service at RSA, who noted many data breaches today don’t have complex causes, but can be blamed on issues like patch management and open ports.
In addition to hygiene, Khindria said top of his mind for securing an enterprise includes finding IT security talent, including bringing more women into IT to diversify the department.
Another problem is the move by many firms to agile software development, with one or two-week sprints of work followed by small incremental changes to fix problems. Agile puts pressure on security and risk, he noted.
And there’s securing the ever increasing adoption of cloud services. In many cases cloud is the new shadow IT, he said, referring to employees quietly signing up for unapproved services.
Still, “I say without any hesitation the potential for security in cloud architecture is much higher than any organization, with the exception of major banks or a large organization. Most companies don’t have the resources to manage all the complexities, all the resources, the technologies … to maintain hygiene to the level of threats we see”
Cloud providers are racing to bake in more security by default, he added.
Steele didn’t disagree hygiene is important, but said it has to have context: What does the organization care about most, how will it be protected? So to him, hygiene is a part of risk management. Define your baseline so you can apply hygiene across the enterprise, he said.
With patching so important, that led Howard to ask how a CSO can decide patching priorities.
“Each company needs to build its own threat model,” Khindria replied. For example, if the assets that hold the company’s crown jewels are a priority, think about who is attacking them, why, what are the mitigating controls.
“When you start counting vulnerabilities you get caught in a trap,” he said. But the threat model will be the guide to setting patching priorities.
Your environment will also be a factor, he added. If a firm has 12 virtual servers, six can be shut for patching with no outage. Then bring them up and patch the next six “The appetite is to patch faster, take more risks because you can fix it faster” in virtual environments.
Vulnerability scanning is just one of the pieces of a CSO’s tools, he said, which include penetration testing, code scanning, log analysis, behaviour analytics — all of which help detect anomalies, and again, are factors in a patching decision. Data needs to be knitted together in an automated way. “Without that kind of instrumentation, if you’re managing thousands of servers you can never catch up.”
Loblaws typically synthesizes a billion items a week and boil them down to 30 actionable items, he added.
Risk management is about good decision making, said Steele, “but you can’t make everything a decision. “If everything becomes a risk decision you end up in paralysis … if you know what is important, define your regime and stick with it.”
Speak business
On dealing with boards and non-technical managers, both stressed the importance of CSOs leaning how to speak in non-technical language.
“If you don’t learn the business language and don’t learn to communicate with the business in the language they understand you lose that audience pretty quickly,” said Steele.
Khindria agreed. “I’ve had the pleasure of coaching several hundred people [for security management] and can say the best security people are business-minded, because the most crucial thing is to be able to communicate to the business … Learning security is a little bit easier, learning the business is hard.”
Finally, Khindria said combining Canada’s expertise in artificial intelligence with the power of current computing platforms should make it a leader in easing the load on infosec teams.
“What I’m excited about is taking it [AI]to the next step,” which he defined as linking anomaly detection with fraud detection. “I think we’re on edge of something great here. Continuous monitoring, continuous testing and continuous analytics is an opportunity like never before.”
