Learning from the experience of others can save us time and trouble. Hybrid Pathways works with some of the country’s largest organizations and the information security teams that help those companies to be successful. It is interesting to hear the various approaches that those information security teams are taking. We were interested in speaking with Doug Graham, Chief Trust Officer, about his thoughts on building a modern security program. The following provides a glimpse into one of information security’s thought leaders.
Background of an Innovator
Doug Graham is the Chief Trust Officer at Lionbridge Technologies. He is responsible for Security, Privacy and Compliance. For the past decade he’s been either a CSO or CISO and has worked for companies like EMC and Nuance as well as several startups. Along the way he’s developed some expertise in privacy, physical security, and international sanctions compliance.
For 25 years, Lionbridge has been a leading provider of translation and localization solutions. They have operations in 26 countries and over 6,000 employees. Lionbridge customers include companies in highly regulated industries, like financial services and healthcare, as well as highly competitive industries like technology and gaming. Compliance burdens come from customers’ privacy requirements and from operating in almost thirty countries.
Hybrid Pathways asked Doug: What is your approach when building a modern security program?
Here are the interesting and helpful approaches that he recommends...
Ride the Company Culture Wave
“When building a security program, there is no one philosophy or approach that will work with every company. I believe that your approach needs to fit the true culture of the company. If you are trying to change the culture of a company to be more secure, you are fighting an uphill battle. A better approach is to look at how you can use the company culture to further your security agenda. For example, at Lionbridge we are very customer focused. Customer satisfaction levels are everything to us and a huge focus throughout the company. It is what we truly care about, not just what’s written in a mission statement. So, if we have a true customer-first mentality, it makes sense for me to leverage that as I build my security program. If we look at security deployments in the context of supporting our customers, it is a much easier and more successful sell within the company. In some highly regulated industries, you tend to see that the security program is built because regulators require it; this poses an outside influence rather than aligning with an internal company goal.”
Align with Company Governance Structure
“Similar to riding the company culture wave, it is important to understand the organizational design of the company. Is Shadow IT a big part of the organization? Is IT distributed or centralized? Is governance done on a department or division basis? Anytime you try to build a governance program, IT or otherwise, if you’re not clear on how the overall company is governed then you could be wasting cycles trying to impose a program that does not fit the company structure. When we choose technology, we need to consider how that technology can be operated. We design controls that can be operated by people in the lines of business rather than a big centralized security team. We work closely with the people in the departments to develop the controls, but we provide the governance, rules, policies, and oversight around the technology and services choices. We consider the persona of the user that will be operating the security tools. I need to understand the people that are out there operating the tools that could impact our security. I want to be sure we have a clear inventory of all the systems being used and the security measures out there.”
Focus on Detecting Control Failures (Before They Become Incidents)
“I like the CIS Critical Security Controls for Effective Cyber Defense because they are fairly technical, and we use them to establish our benchmarks. As we pick tools, we look for options that can cover as many controls as possible. I want to detect and respond to a control failure with the same level of urgency as I detect and respond to an incident, because there's often a control failure that creates the vulnerability leading to an incident. If you're counting on static controls, clipboard checking, once-a-year audits or penetration tests, then you’re going to fail. We focus on evolving to where we have continuous monitoring of our controls and the ability to be alerted to a control failure. I’m not only building incident management to detect and respond to incidents; I want to manage control failures. In addition, I want to evolve the maturity of these controls.”
“The metrics that we are covering now are perimeter-based internet exposure and internal systems. With perimeter-based internet exposure I want to know how many hosts we have, and I want to know their vulnerability status at all times because this is dynamic and can change on a daily or even hourly basis. We are constantly scanning, doing reconnaissance on our network to identify changes. We also must look at building our inventory of internal systems and what the control coverage of these things is. Fundamentally we are tracking vulnerabilities that could appear because of misconfigurations or a new vulnerability that needs a patch.”
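As an added illustration of the "treat a control failure like an incident" idea described above (example code, not anything from the interview or Lionbridge), the following Python compares two constructed snapshots of an internet-exposed host inventory and raises control-failure alerts for new unlisted hosts, unapproved exposed ports, missing endpoint agents, and unpatched critical vulnerabilities. The field names, port list and host names are assumptions made for the example.

```python
# Constructed sample inventory: two consecutive external-scan snapshots.
# Field names and values are assumptions for this example, not a real data model.
PREVIOUS = {
    "web-01": {"open_ports": [443], "unpatched_critical": 0, "agent": True},
    "vpn-01": {"open_ports": [443], "unpatched_critical": 0, "agent": True},
    "mail-01": {"open_ports": [443], "unpatched_critical": 0, "agent": True},
}
CURRENT = {
    "web-01": {"open_ports": [443, 22], "unpatched_critical": 1, "agent": True},
    "vpn-01": {"open_ports": [443], "unpatched_critical": 0, "agent": False},
    "mail-01": {"open_ports": [443], "unpatched_critical": 0, "agent": True},
    "lab-07": {"open_ports": [3389], "unpatched_critical": 2, "agent": False},
}

APPROVED_PORTS = {443}  # assumed baseline: only HTTPS may face the internet
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def host_failures(host, facts):
    """Evaluate one host against the baseline; each failure is (severity, host, reason)."""
    failures = []
    unexpected = sorted(set(facts["open_ports"]) - APPROVED_PORTS)
    if unexpected:
        failures.append(("high", host, f"unapproved exposed ports {unexpected}"))
    if not facts["agent"]:
        failures.append(("medium", host, "endpoint agent missing (control coverage gap)"))
    if facts["unpatched_critical"]:
        failures.append(("high", host, f"{facts['unpatched_critical']} unpatched critical vulns"))
    return failures


def control_failures(previous, current):
    """Diff two snapshots and return all control-failure alerts, most severe first."""
    alerts = []
    for host, facts in current.items():
        if host not in previous:
            alerts.append(("high", host, "new internet-exposed host not in inventory"))
        alerts.extend(host_failures(host, facts))
    for host in previous:
        if host not in current:
            alerts.append(("info", host, "host no longer exposed; verify decommissioning"))
    return sorted(alerts, key=lambda a: SEVERITY_ORDER[a[0]])


def control_coverage(current):
    """Fraction of exposed hosts with no control failures, a simple maturity metric."""
    clean = sum(1 for h, f in current.items() if not host_failures(h, f))
    return clean / len(current) if current else 1.0


if __name__ == "__main__":
    for severity, host, reason in control_failures(PREVIOUS, CURRENT):
        print(f"[{severity.upper()}] {host}: {reason}")
    print(f"control coverage: {control_coverage(CURRENT):.0%}")
```

Running this on the two snapshots flags the newly appeared host and the drift on existing hosts, so a control gap is surfaced on the same alert path as an incident rather than waiting for the annual audit.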
Build Security Awareness for All Users
“CISOs and security leaders might think about security every day of the week (and even when we are on vacation) but let’s be honest, most people don’t think about this stuff. We have to work to build security awareness. It is the job of my team to help educate people and help them understand how security is part of their job, not just the IT teams but the system admin, the network admin, the end-users, and even the company executives. We need to continue to develop ongoing training programs that show why we are spending effort and money on security. If you’ve ever had to go through a major security breach, that is a lesson that you’ll never forget.”
Become a Key Member of the ‘C’ Team
“To be an effective CISO, you need to have a strong relationship with every C-level executive in the company. Regardless of reporting structure, the CISO must have unfettered access to shape connections across the organization. When the leadership of an organization has a strong understanding and appreciation for security, that approach will filter down through the culture of the company. Over eighty percent of the work we do in security is about getting people to do things better or differently, whether that’s the engineering teams or end-users; having C-level buy-in makes that work easier and more effective.”
Place Some Bets - A Unique Approach to Emerging Technologies
“I start with the basic premise that we need to improve how we do security and build from there. We have established goals and set budgets, and I allocate a portion of my budget to investigating new solutions. I look for startups that are operating in a space that I am interested in developing. These startups may be coming at security with a different approach; maybe it’s a variation on a current theme or just a better mousetrap. The vendor is not driving my priorities or strategies, but every year we look at the problems we are solving and which vendors may be able to help us. The vendor must be far enough along to have a beta or first release. There are a number of benefits to giving these vendors a try, for our company as well as the vendor. From our standpoint, we develop a design partnership with the vendor where we have access to their core engineering team to influence the solution. In addition to the opportunity to shape the solution, there are potential cost advantages in the early stages and it allows us to try before we buy. For the vendor, they get to work with live data and are getting constant feedback from a real customer. Of course, the danger is around vendor growing pains, including loss of funding or management changes. You must be ready to pivot away if the vendor is not progressing in a direction that is helpful for your company. My approach may be harder for some of the bigger companies, but I like to have the flexibility to think differently and truly innovate.”
“When I look forward to the next five to 10 years I think that security will continue to get embedded into platforms. I think the approach for security teams will be less about security operations and more about security governance. We will still be managing policy and planning and be involved with enterprise architecture, but I think the days of the network security guy are numbered. (Sorry if you’re a network security guy.) We want network guys that can do security. We want system administrators to do security as well. We'll see a closing of some of the technology roles but will still see specialist roles in incident response and forensics, for example. Operations will continue to consolidate as well as products. Technologies will get bought and folded into larger products and platforms. Ideally, technology becomes embedded into our product to the point where the consumer is operating the security of their own product and you don't really need a big security organization. But that's the Nirvana.”
“Cyber risks are going to continue to evolve. Even if those threats are from nation states, your focus should be on getting security right every day, every time, because when you make a mistake is when you’ll have a problem.”
Keep the Momentum and Be Flexible
“I’ve got a starting point that I’ve measured by maturity level. I have an end state that I’m trying to get to. There are many different paths that I can take to get to my end state. If you get stuck trying to evolve in a sequential a-b-c-d path, you need to be able to adjust quickly and keep momentum towards your goals. Be flexible in your priorities and focus on outcomes and goals.”
Adapt and Align
“Lionbridge is focusing on simplification right now. Anything that I can do that ties into that simplification agenda makes sense. We will change company priorities over time and rather than swimming upstream, be comfortable adapting your security strategy to align with the company strategy.”
Harness the Power
“You cannot be successful alone. You cannot protect your organization alone. Harness the power of your C-suite, all employees, and vendor partners to continue to build and refine your security programs.”
We are grateful to work closely with these thought leaders. Sharing our experiences helps everyone to grow.