2021 Global Top 100 LinkedIn Live Panel Discussion – North America: Episode Two
Facing up to fast-evolving threats was top of the agenda at the lively Business of InfoSec North America LinkedIn Live panel, held earlier in June
Hosted by: Catherine King, Director, Business of InfoSec
Speakers include:
- Eric Cole, CEO, Secure Anchor Consulting
- Raj Badhwar, SVP, Global CISO, Voya Financial
- Karen Holmes, VP, CISO, TrueBlue
- Marene Allison, CISO, Johnson & Johnson
- Mark Eggleston, VP, CISO, Health Partners Plans
- Tyler Cohen Wood, Private Consultant, Private Consultancy
- Lester Godsey, CISO, Maricopa County
- Michael Owens, Business Information Security Officer, Equifax
- Jacqueline (Jack) Powell CISO Allianz
How to Effectively Secure Software
In the modern data-driven, cloud-based environment, securing software and applications is an important priority for cybersecurity leaders. However, this can be a challenge given the idiosyncrasies of modern development practices.
“Software security is something we've been looking at for years. When you make healthcare medical devices and you're working with protected health information, you have to absolutely make sure that those devices are safe, secure, and keep the data that is being collected private,” says Johnson & Johnson CISO Marene Allison.
She continues: “From a CISO perspective, you have to know what your assets are in your organization. Know your bill of materials. know what it's connected to, know what all the software is along the entire chain of how that's operated.”
To mitigate against the threat of supply chain attacks like the SolarWinds hack that affected up to 18,000 businesses in the US earlier this year, Raj Badhwar says that it’s essential to maintain the integrity of software development processes.
“Something we have done is make sure that the integrity of the software development and their software build process is maintained so that malicious back doors can’t be injected into our libraries,” Badhwar says.
“So, making sure that the integrity is maintained as the software gets built from unit into integration, into production type environments, that integrity is checked,” he concludes.
Government Cybersecurity Mandates for Private Firms
Cybersecurity breaches are hitting the headlines weekly, it seems. The most recent high-profile ransomware attack on the Colonial Pipeline affected 5,500 miles of infrastructure between New York and Texas and triggered a wave of gasoline panic buying across the eastern seaboard.
When cyberattacks are disrupting the lives of millions of Americans, we asked the panel, isn’t it time for the federal government to step in?
“I think that any mandates should really set the ground floor. A uniform ground floor across the board with minimum security requirements that are controlled and that need to be implemented,” says Badhwar. “And then the companies themselves, based on their own risk or their advancement or their capabilities or their maturity, can set the ceiling of the controls that they want.”
Allowing companies some flexibility in the way they implement mandated controls was also a priority for Equifax BISO Michael Owens. However, he makes the point that cybersecurity guidelines already exist, but lacking enforcement, they are not widely adopted.
“Right now, we have guidelines, and we have frameworks and there are things that are, that are in place,” Owens says. “However, they don't have teeth because they're not mandates.”
He continues: “In my perspective, we need to put teeth into this to ensure that companies are spending the right amount of money, time, and due diligence on mitigating risks. But at the same time, we have to allow flexibility for different companies and industries.”
Allianz CISO Jack Powell has spent much of her career working in heavily regulated industries such as nuclear power, oil and gas, and insurance. As a result, she understands deeply the need for regulations.
“I look at regulations as a good thing because a lot of the regulations are simply best practices and I think holding ourselves accountable to minimum security standards or best practices is a good thing,” Powell says.
“But to Michael's point, without the teeth and without the resources for those regulators to come and ask us questions and probe our security plans and roadmaps, it's kind of a waste of time.”
Dealing with Modern Cybersecurity Challenges
The volume and complexity of cyber threats have increased almost exponentially over the last few years. At the same time, borderless networks have replaced the conventional ‘walled garden’ approach to network security, and more sensitive data than ever is being stored in the cloud.
Keeping that data safe, however, still boils down to getting the basics right.
[Most attacks] come down to two fundamental rules being broken. Any system accessible from the internet – make sure it's fully patched and up to date. And any critical data must never, ever, ever reside on internet-facing systems,” says Secure Anchor Consulting CEO Eric Cole. “If these two things had been done, 95% of all the attacks over the last three years would not have happened.”
“It's really about simplicity, right?” adds Mark Eggleston, VP, and CISO at non-profit health maintenance organization Health Partners Plans. “If you're going to get breached, imagine your headline on the Wall Street Journal, what are they going to say about you?”
He continues: [They’d better say] that you’re doing the simple things like network segmentation and multi-factor authentication. And time after time, we continue to see the headlines of companies not doing these simple things.”
“I loved participating within the Business of InfoSec LinkedIn Live Panel discussion. It really was one of the best panels on which I’ve ever participated. From the knowledgeable, passionate expert guests to the insightful audience questions, I’ve rarely left a panel so invigorated and excited about what we do! ”
Karen Holmes, VP CISO, TrueBlue
Get your copy of the 2021 Global Top 100 Leaders in Information Security Report. Click here to read the full list.
