Cybersecurity professionals have dedicated their careers to protecting organizations and building resilience. And today, that job is tougher than ever. When we think of security resilience, is it just another buzzword to describe a reactive approach to security?
I had the opportunity to speak with Mark Lynd, Head of Digital Business at NETSYNC and ranked as one of the Top 10 Onalytica Global Cybersecurity Influencers in 2022. During our conversation, he explained his cybersecurity philosophy and how the company he works for helps other organizations achieve their cybersecurity goals.
Cristina Errico: I would love to hear your thoughts about how your security efforts and policy affected your entire organization by delivering security resilience across the supply chain, finance, organizational operations, and customer trust.
Mark Lynd: What’s interesting about it is that NETSYNC is a Value-Added Reseller – we’re a huge Cisco partner. And because we are such a diverse and widespread organization, we have operations in the Middle East, Africa, parts of Europe, and North America. We have a first-hand understanding of what the Cisco security portfolio can do to support global technology activities. Not only do we recommend these products, but we use these products ourselves every day.
CE: That’s powerful, isn’t it? When you can say that you’re selling a product that you use, as well. That would obviously help build a case for a resilient security strategy. How does your organization build security resilience?
Security Resilience in the Supply Chain
ML: One way is through the careful stewardship of our supply chain. We have a large supply chain, consisting of warehouses around the world. Most of those who worked in those warehouses did so unselfishly throughout the pandemic. Those employees and our leadership knew we had the responsibility to deliver to governments, counties, hospitals, and schools, who were all dependent upon us for their technology used to provide their critical services.
“With Cisco as our vendor, we knew that our supply chain would remain secure. We made sure that everybody throughout the supply chain, including the warehouse workers on their devices, had that capability and supported our efforts. When thinking about security resilience, that level of trust is a big deal.”
It allowed our supply chain to keep flowing, serving underserved businesses like schools, which the students rely on for breakfast, lunches and education. Keeping those open and supporting them was a big part of our effort… Being able to do that during the pandemic utilizing the Cisco security portfolio was critically important to the kids, parents and community.
An area that is not being explored deeply enough is threat intelligence. People don’t really look at threat intelligence to understand what threats are relevant and legitimate, and what they should be protecting themselves against. Once they understand what the threats are, it changes. You must continually make that investment in time, effort, and money to understand your threats. You need to position your incident response to be able to respond to those threats quickly and thoroughly. Ensuring your incident response plan is tested and actionable against relevant threats is critical.
Anticipation and preparation are the way to prepare for the worst. You’ll be able to provide those critical services that you need to your constituents. That’s an incredible piece. But to do that at the very beginning, you must have threat intelligence.
“You have to understand what threats you’re trying to detect, and then which ones you’re trying to recover from. If any of those are out of balance, or if you are looking at the wrong threats, you’re going to be in serious trouble.”
CE: When you talk to these people, do you give specific examples of where it’s gone wrong?
ML: One that immediately comes to mind, and perfectly sums up part of the problem, is when we worked with a college that was provided with a lot of public funding. Their intent was to make investments in infrastructure solutions to address the IoT security problem, which is a big problem on educational campuses. But, when we went through and discussed the threat intelligence with them, they only knew about three threats out of nine – all the rest were missed completely. Ultimately, this changed the way they were going to use this funding to yield stronger results, but that comes a little later in this story.
Part of the problem was that they were looking at attacks in a very old way, thinking about very simple exploit techniques. They weren’t thinking about the sophisticated state-sponsored attacks by bad actors trying to steal patent ideas and intellectual property. The CISO was incredulous and unfortunately had a false sense of security that he shared with others in the organization.
We performed a penetration test as part of a red team exercise, and the resulting report was quite unflattering. The CISO called me in a panic and asked me if I could get the team to bring down the larger results to just an executive summary. I explained the ethical responsibility of accurately presenting the results to an organization receiving public funding. Unfortunately, when we presented the results to the administration, they were shocked and made changes, which included letting him go shortly thereafter versus making it a teaching moment.
The real problem was not the findings in the report. It was that they weren’t making their security investments in the right areas where the actual threats were. Instead, they implemented the most popular security measures or the easiest to fund, which led to poor results and ultimately changes in their approach. Thankfully, these changes have led to better outcomes and results.
CE: The overarching message I’m getting here is that preparation is key. Organizations need to be prepared for these threats and new challenges, not just those from 5 or 10 years ago. They have to be thinking about now and relevant threats.
ML: Many of my clients wonder and ask me how they can get their leadership or the board to invest in better protection. I explain that, as a security professional, you have a higher responsibility. You need to go out and share with your leadership that proper security and resilience is a journey, not a destination. So, not only are they going to have to make further investments again this year, but the next year, and years to follow because the threats are going to change, evolve and the environment is going to change. Bad actors are emboldened and investing in their nefarious activities. To protect the organization, its employees and customers are going to have to invest and evolve, as well.
Cisco spoke to 13 cybersecurity leaders around the world to hear their stories and understand how they have successfully integrated security resilience into their organizations. Get their perspectives and advice in our latest eBook here: Building Security Resilience: Stories and Advice from Cybersecurity Leaders