Assessing and addressing risk is essential to the role of a CISO as well as being a core factor in minimising disruption to business operations. Martin Redmond assists CIOs and CISOs with implementing the relevant controls outlined in their frameworks, and he is currently doing this for John Deere Financial.
Martin Redmond is CEO of Analytic Risk Intelligence Management and is currently working with John Deere Financial in the role of CIO/CISO on a consultancy basis.
Redmond helps CIOs and CISOs in various organisations apply their programmes and implement the controls that are outlined in their particular frameworks. He is currently supporting the executive team at John Deere Financial to implement its organisation-wide transformation effort with Scrum-at-Scale. The effort is transforming the company’s software development life cycle to become more agile and to implement the Scrum-at-Scale approaches across the entire IT infrastructure.
Scrum-at-Scale is a framework in which a network of teams operating consistently with the Scrum Guide can address complex adaptive problems, while creatively delivering products of the highest possible value.
Redmond discusses in more detail how to prioritise risk and how companies are operating securely in the current working environment.
What prompted your interest in a career in cybersecurity?
Having a Masters in electrical engineering led to systems engineering and a big part of systems engineering is security. At the time, security was not a clearly defined role – you couldn’t measure it and it was not clearly defined in system design principles. Thus, contractual Statements of Work were missing security requirements, service level agreements and operational level agreements which enabled contractors to deliver systems with little or no security controls in place. This was a huge problem at the beginning of my career so it was a good area to focus on – making sure that security controls (policies, processes, people, technology) are implemented as part of the system development life cycle (SDLC). To this day, I am still helping organisations implement security controls as they embrace the new SDLC process of Rugged DevOps or DevSecOps as part of a cloud-first initiative.
How can organisations implement a risk assessment strategy and how do they prioritise the risks?
Risk can be calculated by impact and needs to be done on a continual basis because the organisation’s risk posture changes from second to second, especially during zero-day exploit attacks. The first key aspect is Continuous Monitoring – how do you automate the integration of all your logs and use Bayesian statistics to develop risk scores? A human link can’t ingest and process the volume, velocity, variety, veracity and value of all the data. So, you need to build Artificial Intelligence algorithms on top of your Big Data lake where you’re collecting all of your logs. From there, you can understand and pick up on anomalies and correlate events on a real-time response basis. If you’re not examining the log traffic and if you’re not looking for the communication channels, you’re not going to be able to detect it quickly enough, so it has to be automated rather than done by a human.
The second aspect is understanding where your data assets are, what the impact is and who is accessing it, as well as what the behavioural pattern looks like. Mature insider threat detection programs integrate all different types of data sources from the data lake including physical security controls like badge readers, Bluetooth mobility pings, video feeds and environmental controls. Internet of Things (IoT) devices and networks provide the capability to automate sensor feeds and collect data that is ancillary to logging in IT system controls. Correlating the physical presence data with the IT security controls improves the threat detection confidence and risk posture. These are the same principles being applied in contact tracing of COVID-19 patients to mitigate the risk of spreading the virus.
To summarise, build a Big Data analytic engine that correlates a lot of data and understands the informational assets and the impact on the business to predict the risk posture of the organisation.
In light of the current working environment, how are you helping companies to address security challenges?
In light of the COVID-19 pandemic, I have been helping organisations mature their remote teleworker service offering which is part of their business continuity plan. A lot of companies had not tested their business continuity plans and were on the fence in terms of how to expand their remote telework offering. I help them pivot and respond to the demand by implementing scalable solutions securely. Some helpful guidelines include the NIST 800-46rev2 document which walks you through the security controls for remote teleworking – how do you secure the endpoint, do you allow them to have their own endpoint, are you using Citrix where you control the endpoint? Some organisations use BYOD so they would allow people to use their own device – how do you address the privacy issues surrounding the monitoring of personal devices? I help them navigate these issues in maturing their remote teleworking capability in the development of policies and understanding the trade-offs and risks.
How do you help companies to manage security loopholes in their systems?
The detection and mitigation of loopholes are managed in the Security Operations Centre (SOC), which correlates security incidents and identifies security problems such as loopholes. One such example is the tendency of privileged users to access backend systems through VPNs using an unsecured endpoint or personal computer, which is very vulnerable. To mitigate this risk, policy and privileged user remote access procedure must be put in place along with training and awareness by updating the privileged user agreements to which the privileged user has acknowledged. A second example is that privileged users should only be using their privileged user accounts to perform approved administrative tasks, whereas other tasks like checking e-mail or accessing the Internet should be done on a non-privileged user account.
How can CISOs create a strong security culture within their organisation?
A great way of doing this is to build a security community practice in which there is a security champion for every part of the business (accounting, sales, marketing, engineering, etc.). As a valued member of the team, the security champion communicates the security challenges, issues, ideas and successes from their group to the larger community. The objective is to bring the business along and make them part of the decision process because the business needs to own the risk. Security needs to be seen as a business enabler. The first of the two examples is that security can increase the organisation’s productivity by implementing a scalable remote teleworking service. The second is security’s ability to demonstrate that the organisation’s IT systems meet regulatory requirements, thereby increasing the confidence with a customer to do business with the organisation.
Are there any particular challenges you find difficult to manage within your role?
A big focus of my work is the transformation to the cloud. CIOs are announcing that they want to move to the cloud for various cost-efficient reasons but doing this securely is part of the challenge. It truly is a C-suite role that needs reporting through the CFO or CEO – you can’t have the fox watching the hen house. Burying it under the CIO means that sometimes you get a lot of tension, so that’s a challenge within itself. From a technology standpoint, the two key areas are DevSecOps – implementing the ‘Sec’ in a DevOps transformation. You get a lot of developers who know how to do ‘Dev’ and they’re capable of pushing it to operations, but they’re not doing it securely. So, how do you integrate that into the life cycle?
It’s got to be an integrated approach and it’s a concept of rugged DevOps also called DevSecOps. It’s really about making sure the developer owns security and risk management of the code and is doing the static code analysis, dynamic code analysis, penetration testing and other security testing as part of the tool chaining in the DevSecOps pipeline. Furthermore, guidance or policies need to be established that allow the DevSecOps team to release to production based on a risk score calculated from the results of the toolchain, thereby removing the release approval blocker inherent in the traditional Configuration Control Board (CCB) SDLC control gate.
Establishing a data governance programme is also a challenge. When you look at all of that data and where it is on the information layer – who has control of that? There is the emergence of a Chief Data Officer who manages the information layer and the business informational assets. However, this is a shared responsibility with the CISO who has implemented the Information Access controls like the ones outlined in the NIST AC family. The AC-4 control manages how the systems control the flow of information. Thus, the C-suite coordination between the CIO, CISO and CDO becomes critical. This is especially true when building a data lake and the data is aggregated together in one location. This aggregation can impose added regulatory requirements across the data especially with the introduction of Personally Identifiable Information (PII), financial or European Union data. The mitigation would require the encryption of the data to meet regulatory compliance requirements.
What advice would you offer to other CISOs?
I would say embrace IT transformation and build a strong risk management programme. To be able to communicate with the business, you need to communicate on the level of risk, so you need to be able to understand where your risks are. This requires calculating in real-time what your risk posture is and carrying out continuous monitoring. Understand how to communicate to the board, understand how to calculate risk and understand how to do it in real-time.
The other piece of advice I would offer is embrace DevSecOps. It is an avenue in which you could build a partnership with the CIO and the Chief Data Officer or the Chief Digital Officer who is leading that Digital Transformation. There are a lot of risks there and you need to insert yourself into that process.