Understanding IT Risk in Cyber Security with Secuvant’s CISO Matt Sorensen
Oct Wed, 2018
October marks National Cyber Security Awareness Month, a campaign driven by the National Security Alliance in educating and promoting cyber security awareness and best practices in safeguarding information. With over 17 years of experience in the IT security space and five years as a licensed security management attorney, Secuvant’s CISO, Matt Sorensen, has extensive knowledge and experience in helping business leaders understand how to properly instill cyber security best practices at their organizations. Because of his unique background, we spent some time asking him questions and getting to know his perspectives on cyber security and risk management topics.
What has your journey been like in the cyber security industry?
My journey in cyber security has been primarily marked by industry and state regulations. Early in my career, I started off as an IT auditor for a Big 4 firm, ensuring organizations were in compliance with regulations such as Sarbanes Oxley, GLBA, and HIPAA. As an IT auditor, I gained experience in IT risk, learning early on that IT risk is business risk. I discovered the importance of having someone at the executive leadership level, manage not only IT risk, but data security risk at an organization.
With this discovery and my experience as an auditor, I undertook to specialize in different areas of cyber security working with a variety of organizations in different industries, as well as implementing different technologies. Later in my career I began working for the banking industry, providing cyber security in-house, and realized the complexity of the regulatory environment. I opted to earn a law degree instead of an MBA, to retain the needed skillset to understand the regulatory environment, while still maintaining value in the cyber security industry. At Secuvant, we are able to become an extension of management to organizations, providing the expertise and experience needed to enhance our clients’ security environment, while also providing an opinion, even when it’s difficult to hear.
Why are you passionate about cyber security and risk management?
My passion has always been to render a service to people who can’t otherwise do it themselves. Safely operating a business in today’s cyber-threat environment demands many specialized professional skills. What I enjoy the most about cyber security and risk management is conducting workshops with teams of executives, and listening to their concerns and business priorities, and showing them how to manage their security risks. I find they appreciate the difference in how Secuvant discusses IT risk as a business risk, instead of just selling them cyber security solutions to manage the risk. I am passionate about delivering that message and enabling companies to stay ahead of the disastrous cyber incident landscape.
Where do you think the cyber security industry is headed?
The cyber security product and services industry attracts billions of dollars of venture capital, billions in R&D, and draws over a trillion dollars in revenue each year. A few dozen corporations are buying up valuable IP, created by hundreds of innovative start-ups, as fast as Silicon Valley, Israeli tech companies, and other innovators in tech hubs across the world can churn it out. Second to Silicon Valley, and the US overall, Israel is a significant contributor to the cyber security industry. The industry is essentially driven by a cyber arms race between security vendors, research firms, think tanks, open source communities (both good and bad), cyber criminals and nation state actors. I don’t see an end to the arms race, at least not until a seismic shift in resources available to either side.
I see a gradual consolidation of available security offerings into a more consolidated infrastructure, run by a few really big companies. Niche, specialty innovations will continue to be bought and delivered by a handful of large, consolidated infrastructure service companies, like Amazon, Google, and Microsoft, Oracle, and others. They will largely dictate much of the security environment available for most business. For example, many small and medium sized business use either Microsoft O365 email or Google Gmail for business. These companies will simply avail themselves of whatever anti-phishing, malware prevention services Google and Microsoft offer. It becomes a question of how, why, and whether Google and Microsoft will offer email security. Will US federal law dictate that they must offer email security as a utility attribute, the way the local water company must offer clean water? Will they monetize graded levels of email security for different prices, or will they make email security a lower priority due to a lack of economic incentive? For companies that can afford it, they can buy specialized third-party services to secure, clean, and scrub their email of phishing links and scams, the same way they do spam today.
This simple example with email can be applied to most areas of securing modern corporate computing: cloud computing, monitoring, threat detection & prevention, and compliance.
Do you still see some of the same challenges in cyber security that were in the past, today?
The pace in the change of technologies is still going faster than we as people can keep up with. Human error is still as predominant a risk factor as it was in the past. Whether end users or IT administrators, making mistakes never goes away.
What are some cyber security best practices that work versus some that don’t for SMBs?
For small and medium-sized businesses (SMBs) the number one risk today is business email compromise through phishing tactics. Two-factor authentication is a primary solution to overcoming the loss of credentials through phishing. Businesses are slow to adopt, so the same old problem of the “careless user” is still with us. Moreover, Shadow IT – information technology projects that are managed outside of, and without the knowledge of, the IT department – is becoming a rising problem. Any manager with a corporate credit card can now implement a new IT system in minutes. SMBs should implement old-fashioned purchasing policies and purchasing authorities controls can help stem the tide of Shadow IT.
Can you discuss the importance of incident response and forensics?
Incident response is the process and activity that is kicked off when a threat manifests itself as an intrusion or data loss, impacting the business. There is a multi-step process to incident response which includes, identification, containment, and recovery. Computer forensics is essential to analyze how certain types of cyber intrusions occur, but not always required. An example of when it wouldn’t be required, would be a user clicking on a phishing link. Forensic examination isn’t needed to determine a root cause for a phishing event. Having an incident response plan in place is an important part of a cyber security program, which every organization should have in place to recover from a data breach efficiently and effectively. The simplest form of incident response plan consists of a list of key contacts that you call when you need help: your security advisor, computer forensic specialist, legal counsel, insurance agent, PR firm, and law enforcement.
With the emergence of AI and machine learning, how do they help facilitate cyber security in organizations?
AI and machine learning allows organizations to very quickly detect anomalous behavior that deviates from normal patterns, something humans are not very good at performing quickly. As companies operate at a steady pace week over week, monitoring systems have the ability to establish what “normal” looks like at an organization. Take credit card purchases as an example – unusual locations or purchases trigger credit card companies to put a hold on the credit card, preventing purchases from happening. Machine learning does the same with data, security indicators, acquiring massive amounts of data and tracking anomalies within that data, helping to detect breaches and intrusions quickly. The goal of this is two-fold: first, more consistently discover events of interest that might indicate a compromise, and second, to take action quickly in an automated way.
How does the principle Cyber Risk is Business Risk™ provide value to organizations in the long-term?
We find that CIOs, CISOs, and IT Directors usually can’t single-handily move their organizations to a more secure posture. It needs to be a joint effort with other executives in the organization. When a single IT director bears the accountability of securing the organization, he or she is often reluctant to report bad news to senior leaders, especially when that IT director has been in place for any substantial amount of time. We encourage executives to form a security steering committee, including the IT director, and seek input from an outside third-party. When the bad news comes from without, and the accountability is shared amongst two or three executives, things get quickly sorted out, with minimal risk to the IT director. We also find that by internalizing cyber risk in terms of metrics understood by executives, and by comparing the management of cyber security risks to other business risks in the company, executives have a better understanding of their security posture, feel more confident in their oversight duties, and are less likely to scapegoat individuals for security failures. Secuvant plays a crucial role in enhancing the communication about security between the IT team and the executive team, as illustrating the Cyber7™ Methodology, which outlines the seven areas of risk to the business in which most cybersecurity findings, gaps and controls can be applied.
Are there any cyber security or risk management tips you can provide readers during National Cyber Security Awareness Month?
My NCSAM tips would be to utilize two-factor authentication across all personal and business devices, especially email, as well as thinking about regulated data as something toxic – handle with great care! Every data transaction comes with consequences – if you use data, store it, or share it with third-parties you make yourself and your organization vulnerable to a possible security incident. Assistance from security experts and instituting risk management best practices will help safeguard the data and keep you in compliance with the regulatory environment.