Never assume your company is too small for a security breach
The Enterprisers Project (TEP): Arbella Insurance is a $800 million insurance company, yet in the global scheme of things you’re considered a ‘midsize’ company. How does an enterprise of your size approach online security?
Paul Brady: I have a dedicated person that is leading the development of our environment’s overall security framework — our policies, our procedures, our toolsets, and our Internet response. At the same time, as a midsize company, I need to leverage external expertise so I can weed through the filters and alerts to find the actionable items.
TEP: How does a midsize CIO build a good partner ecosystem in security?
Brady: Right now we’re looking for one or two partners — ideally one partner. That one partner would act as a single point of contact, and basically an aggregator of information. They would help me weed through the thousand different products that have 90 percent overlap. Because I don’t want to buy 1,000 products and I don’t want to buy 10 products that are 90 percent the same. I need a vendor that knows the security landscape, knows the products, knows all the players, knows what other companies are doing — what’s worked and what’s failed — and they can narrow down that list to two to three products or two to five products that give me that 95 to 100 percent coverage. I don’t want redundant shelfware that’s sitting there because there was an awesome demo by a great salesperson.
TEP: Based on the industry you’re in and the size you are, are there particular kinds of exploits that are mounted against your company, or is it more the same flavor of ransomware and phishing attacks and so on that everyone is getting these days?
Brady: I’m hesitant to say anything because I don’t want to jinx myself, but as a midsize company you need to make sure that you’re doing everything that big companies do. So you can’t say, “I’m a midsize company, I’m not going to be attacked.” We need to have that same level of diligence, that same level of information and data security, but at the same time, there is some truth to the fact that we’re not front page of The Wall Street Journal, we’re not a national company. But just because we are not a national company doesn’t mean that we let down our guard.
TEP: Can you suggest a couple of best practice steps for a CIO who might not be as far along in their evolution as you?
Brady: I would say you need three things: communication, acceptance that you have a problem, and partnership.
One thing that worked is that I didn’t sit there and give a three-hour presentation of all the security risks and get into bits and bytes and how the exploits work, but I educated the executive team as well as my board of directors on the security landscape. I’ve educated them about the fact that organized crime and ransomware trojans like CryptoLocker are going to potentially make billions of dollars. So they’re aware.
It’s important to accept that you need help, that the landscape has changed, and to communicate effectively to your executive team, to your board of directors, showing them how the landscape has changed — showing them that you’re not sitting there on your hands doing nothing. But also you need to be transparent to the extent that the landscape is changing every day, so there will always be some level of risk.
Depending on the company, if you’re a large company and you just brought in 20 or five or even two external security experts from you-name-the-vendor, then you might have some internal talent where you can rely upon them 90 percent of the time. The fact is I have some really talented people in my security team. But they can’t know everything. So it’s finding the partners that not only know the industry, but also know what some of your peers and some larger companies are focusing on and where they are making their security investments.
TEP: Do you have a formal CISO or someone who owns security or is that you?
Brady: At the end of the day, I own it. I do have someone that leads my security practice, but he is not a CSO. I would say most midsized companies, if they have a defined CSO, I would question whether that person has the breadth, the depth, and the end-to-end knowledge of the security landscape and the industry and comparative companies to be highly effective. In many respects, the external partners I work with are a proxy for a CSO. Like a fractional CSO, or whatever you want to call them. But that’s what they’re doing.