March 25, 2019

InfraGard Presentation – Cybersecurity – It starts with Who!

Joe Raschke

Principal Solution Strategist

InfraGard Presentation – Cybersecurity – It starts with Who!

Recently I was honored to speak at the Chicago Infragard Chapter Meeting. I discussed my 30-year career in Information Technology and specifically some of the more spectacular failures I’ve experienced. I know it seems a bit odd to confess where and why things have gone wrong, but don’t those events stick with you like a paper cut? All too often, I looked like Peter Falk in the TV show Columbo – scratching my head and not having a clear understanding of what happened.

Technology and Process: Not the Answer

I relied on Technology-Process-People to organize security, but I learned that bolt-on Technology and restrictive Processes fail at Cybersecurity. We need to focus on People for a secure organization, and Identity Governance drives it. Let me illustrate the need for Identity Governance by walking through incidents I’ve been involved in, the IT Risks that drove these issues, and how they can be addressed.

Traditional Audit Mentalities Fail

Early in my career, I set some expectations and standards I adhered to:

Use the rules: start with compliance defined processes
Self-assess: review whether you met the requirements
Audit: the auditor grades your work
Fines and penalties: a missed checkbox costs money so fix the mistakes
Standard Operating Procedure: going through the motions

But then….

Got HACKED again!

If traditional audits solved security problems, this wouldn’t have been my story. I had followed all of the alphabet soup standards such as NIST, ISO, CIS, HIPAA, GDPR, SOX and achieved strong audit reports. Yet, I was still screaming, “HACKED again?” Something was consistently going wrong, and I wanted to determine what it was and how to fix it.

Results of Security Failures

On the surface, the types of failures I experienced in my attempt to “just make us secure” weren’t all the same:

Personal Injury: Chemical tank sensor misreadings, SCADA machine takeovers
Financial Fraud: Stolen hard drives, credit card rebates, business email compromise
System Outage: Pick your favorite authorized and approved change
Reputational Damage: Look folks, we made the Wall Street Journal (again)
Corrupted Data and Systems Compromise Data Integrity: ransomware and malware incidents
Intellectual Property Theft: How do we have people working for us and our competition?

However, as I further analyzed these incidents, I found a common set of cascading factors which fed into the failures.

Human Nature: The Real IT Risk

These core risks were human, not technology, risks. Consider the connection between the problems and the quotes from senior leadership (some of which might include sarcasm):

Fragmented Approach to IT Security – “Let me tell you how IT really runs here” or “That’s less than 1% of our business”
Lack of inclusion of IT Risk – “The Security Team just doesn’t understand”
IT Primarily considers Availability or Convenience – “As long as it’s up and running”
Poorly Executed IT Projects – “It failed because of scope creep”
Lack of Incident Response – “We can figure it out as we go”
Lack of Business Continuity Planning – “Just give me my team”
Lack of control of Data and Applications – “Our company believes in transparency”

In each case, the problem came from human nature, not technology and process. Hubris, disinterest, laziness – all of these are human nature problems, not IT failures. The risks were rarely Technology and Process. It’s time to focus on people as we walk onto the next cybersecurity battlefield so we can promote resiliency and more effective results.

Focusing on People: Driving Security with Identity

The risks I identified led me to some inevitable conclusions:

People are our best asset – Education is more than training
Security is people not technology
Human nature is the cause of and the solution to most security problems! (An almost-quote of Homer Simpson)
People are why reputation risks matter – Start damage control by knowing your audience. Consider and consult many points of view.
People take time to trust you:If you lost that trust, it is hard to rebuild. You must be consistent and honest.
Start by securing your people and compliance will follow
- Develop a better approach to developers, the cloud, and software-as-a-service
- Don’t block activity without understanding purpose, gain visibility
Set the wake-up alarm to Identity, Security, and Privacy.
Wake the organization up to the impact of Information Technology on business.

Identity Governance: Start with People, End with Security

These lessons point toward one consistent gap – a need for Identity Governance. This is why we need to reorganize security to People-Process-Technology. Identity Governance starts with people, then you define the processes and use technology to keep them working. You still have the trifecta, but by changing the order to People-Process-Technology, you make it secure. Saviynt’s Intelligent Identity starts with applying the elasticity, compute, and analytics power of modern cloud computing to identify and understand all people with whom the organization interacts – employees, contractors, customers and vendors. After identification, we apply intelligent analytics to give people roles granting access to the information and systems they need to accomplish their goals. But people aren’t static, they change roles just as I have throughout my career. Saviynt’s Identity Governance is also dynamic. We provide evolving identities the access they need and prevent them from accessing what they don’t. The change doesn’t have to be immediate; access from an old position and a new position can overlap for a time. However, risk mitigation is performed by a manager periodically checking on the need for access from an old role. Security is ensured as access is updated real-time to align with changing roles. In our increasingly interconnected IT environments, Saviynt Identity Governance does even more than grant and remove access. We provide visibility into how people use their access and what risks their access creates, especially the risks to critical information assets and locations. Even with your increased footprint in cloud applications and infrastructure, Saviynt’s intelligent identity delivers a single, holistic viewpoint to examine your organizational risk, helping you have the clarity and visibility you need. Even your most risky accounts and users, the ones with the privileges which could do the most damage to your organization, are tracked and highlighted within Saviynt’s solution.

Intelligent Identity. Smarter Security.

As I said in the beginning, Cybersecurity is more than Technology and Process. We need to start with People. But to maintain Process, we need Technology that acts like People, which mean using intelligent identity in order to stay secure. Once you have the foundation of People and Identity Governance, you can start to layer the right Process on and find the Technology makes the Process efficient. Then, and only then, are we achieving the effective Cybersecurity today’s enterprises require. Do you want to understand more? I will be telling this story in an up-and-coming webinar about Identity-based governance, or you can come to one of our presentations and see it live. See all of our upcoming events here. See all of our upcoming webinars here.