Technology’s Role in Strengthening Business Continuity
August 11th, 2022
A Conversation on Business Continuity and Security Ratings with:
Stephen Boyer: Co-Founder and CTO of BitSight
Victor Gamra: Chief Executive Officer at FortifyData
Mike Wilkes: Chief Information Security Officer at SecurityScorecard
This conversation originally appeared in the March 2022 issue of Risk & Resilience Magazine.
Have you seen market impacts of the pandemic for business continuity, cybersecurity, and third-party risk management? How has this shifted over time?
Victor Gamra (VG): The pandemic has definitely played a significant role in cybersecurity, particularly in remote workforce management. As the shift to working from home became the new normal, it brought along a list of challenges for managing risks associated with remote access and networks. However, I believe this is an important evolution in the cybersecurity market. Now, more than ever, companies are becoming more aware of how easy it is for hackers to compromise networks through employee accounts and devices, or third-party vendor solutions. These risks are very real, but they create opportunities to develop and implement new solutions that address these emerging threats.
Mike Wilkes (MW): Most definitely. When folks were sent home and asked to work remotely, a lot of companies were unprepared from a security controls and tools standpoint. Even having enough laptops for everyone was a problem, so a very significant percentage of those companies had to allow the use of personal computers which, in most cases, were unprotected by anti-virus or other security policies and settings. So, your own company became much more vulnerable to ransomware and malware… One of the lesser-discussed aspects, however, was printers. Some finance and HR staff needed printers at home to do their jobs. This created an “information-rich” garbage risk. In the office, there are document shredders and bins for secure document disposal. Bad actors have taken advantage of this and have undoubtedly found sensitive data in the garbage.
Stephen Boyer (SB): The pandemic has certainly accelerated the digital transformation which is happening for organizations across the globe. With this, we’re seeing attack vectors that hit organizations at the heart of their digital supply chains. SolarWinds, Kaseya, and ransomware attacks continue to make headline news. This means that cybersecurity and third-party cyber risk management are becoming must-have business requirements.
Are there overlooked indicators that people should be paying attention to in terms of the cybersecurity vulnerabilities of their third-party vendors?
VG: Often, third-party risk managers rely on outdated reports or vulnerability assessments while performing due diligence on vendors. These assessments provide little to no value if they aren’t using a risk-based approach. This means additional indicators are necessary to inform the criticality of the issue based on the importance of assets, the impact on the business, and the likelihood of compromise. Vulnerability assessments are a good starting point but do not paint the entire picture of risk without the additional data.
SB: There are many signals and indicators in the data and it’s really about being able to find that information and validate the correlation.
MW: One of the overlooked indicators that is worth mentioning here is concentration risk. Recent disruptions such as the 2020 Amazon outage caused many companies to realize that a lack of fault tolerance and high availability designs by their third parties could result in impacts on their own platform availability. So, it’s important to have a view into the concentration risk of your third parties and to select not only vendors with good security ratings, but also vendors with good security architecture, design, and multi-region digital footprints.
How does continuous monitoring play a part in business continuity management?
SB: Continuous monitoring is vital in understanding the state of your third-party risk at any moment, and responding to changes in risk when they happen. Having programs and workflows in place to help proactively monitor your third-party environment is crucial when maintaining your business continuity. While it certainly can be a challenge to monitor and reassess your vendors with a regular cadence, cyber risk is dynamic and fluid which makes it so vital to firm up your continuous monitoring program.
MW: There is a saying that if you have one of something, you have none of that thing because it is a SPoF (Single Point of Failure). Business continuity planning involves looking for and mitigating the risk of SPoFs. A company with no continuous monitoring of its service endpoints will suffer more frequent and longer-lasting disruptions. And this monitoring is not just a simple ping check or network connection test. The monitoring needs to become more sophisticated and evolve into what is being called “continuous verification” or “continuous validation”, which is verification of business logic, security compliance, configuration drift, and fault tolerance. This requires an approach to engineering systems monitoring that understands how failures occur and how to ensure business remains operational despite extreme conditions.
VG: Continuous monitoring enables the enterprise to stay vigilant and aware of the ever-changing threat landscape. This should be a critical aspect in every cybersecurity program, as it allows businesses to become more resilient to various types of attacks, and even in some cases, zero-days. There is a saying that “it’s not if you’re going to be breached, but when.” Enterprises need to have effective business continuity procedures that have accounted for various risk scenarios informed by new threats through continuous monitoring capabilities.
What are steps organizations can take today to build resilience and strengthen business continuity management?
MW: Look into the emerging practice of “security chaos engineering” and find DevOps talent that can move beyond the fear of failure. Security chaos engineering is the thoughtful experimentation with infrastructure and services to identify how to make our complex web of dependencies and infrastructure more resilient… To this end, tabletop exercises are inexpensive ways to surface gaps in documentation. Just like an unused muscle will atrophy over time, strengthening business resilience comes with practice and exercise.
SB: Some of the steps that organizations can take today include building out cyber risk governance across your organization where you set a standard for cyber security programs to drive accountability and to measure performance over time… Another key element is validating your vendors quickly and confidently to ensure new vendors are within your organization’s risk tolerance.
VG: A really key step is leadership buy-in to implement effective policies and procedures. Without clear visibility into what risks impact business resiliency, it may be difficult for leadership to understand the criticality of the issues. With effective risk management, that can be communicated effectively. However, the next step should be implementing policies and procedures to support the initiatives that drive business resiliency.
What can security ratings tell us about the cybersecurity of our third parties?
SB: Security ratings empower you to easily compare the level of inherent risk to prioritize assessments and mitigation efforts of your third parties. Through security ratings you are able to set a risk threshold for each vendor tier, allowing you to right-size your due diligence process based on where there are gaps.
VG: They’re traditionally used to quickly determine security issues from an external perspective. Although many cybersecurity ratings providers may lack the comprehensiveness of data to define a truthful score, I believe newer technologies could fill in those gaps and give a better understanding of risks linked to any third-party entity. The combination of an effective security rating and questionnaires for assessing third parties will provide any organization with more risk intelligence that drives business decisions.
MW: A key point to also think about is that security ratings have only to prove correlation, not causation. Many CISOs confuse the two. Yes, the investor relations website has no critical or sensitive data, and having vulnerabilities on that website does not usually turn out to be the root cause of an attack being successful… But with a sufficient number of observations, with the application of objective scoring, and weighting of the risk indicators, the correlation between security breaches and risk indicators is mathematically demonstrable and unassailable.
How do you think security ratings will evolve and what priorities do you see arising?
MW: Complex systems behave in unexpected ways and exhibit what is called systemic risk, an emergent property of modern digital economies… We need to achieve widespread change as current practices are inadequate to meet modern threat actors. This comes down to working on the “three A’s” of change: awareness, acceptance and action. If we don’t reach the third stage of change then we have failed. If we cannot get companies to be aware of their third-party or supply chain risk and gain the resources needed to address them, we do not win. It is only when we have awareness and acceptance that we are capable of action.
SB: We see that boards, investors, insurers, and regulators are increasingly accounting for cyber risk in their investing, underwriting, and oversight activities. Cyber risk has historically been opaque for them and they are now demanding more transparency and quantification of the risks. Security ratings combined with Cyber Risk Quantification (CRQ), which translates performance into potential financial loss scenarios, will help these groups more efficiently and effectively measure and quantify organizational cyber-performance and the consequential financial impact of that performance.
VG: The perception of security ratings not being an indication of risk is starting to change with next-generation ratings solutions. When you get a risk rating from a trusted provider, the score should accurately represent your susceptibility to a data breach. This is part of risk management – the ability to inform your risk profile with other factors via integrations with other sources is key to defining the most accurate representation of risk. I believe next-generation ratings solutions provide these capabilities and are the future.
This interview has been edited for length and clarity.
Stephen co-founded BitSight in 2011 and serves as the Chief Technology Officer. BitSight is a cybersecurity ratings company that analyzes companies, government agencies, and educational institutions. Prior to founding BitSight, Stephen was President and Co-Founder of Saperix, a company that was acquired by FireMon in 2011.
While at the MIT Lincoln Laboratory, Stephen was a member of the Cyber Systems and Technology Group where he led R&D programs solving large-scale national cybersecurity problems. Before MIT, he worked at Caldera Systems, an early Linux startup.
Stephen holds a Bachelor’s degree in Computer Science from Brigham Young University and a Master of Science in Engineering and Management from the Massachusetts Institute of Technology.
FortifyData is a cybersecurity ratings and risk management platform provider that helps enterprises assess, identify, and manage their cybersecurity posture. Before launching FortifyData, a cyber risk management solution, Victor Gamra was the Head of Information Security for a credit reporting agency in Atlanta. It was during this time that Victor was confronted with a problem. He was unable to effectively quantify the complete cyber risk exposure of his own company, let alone those of his third-party vendors. Existing GRC and security rating products were insufficient and inaccurate due to misattributions and a plethora of false positives.
Today, in his role as the CEO, Victor continues to focus on building the company. The vision is to help companies of all sizes effectively assess cybersecurity risks and guide business leaders to make better-informed decisions to protect their resources from cyberattacks.
Mike Wilkes is the Chief Information Security Officer (CISO) at SecurityScorecard, an information security company that rates cybersecurity postures of corporate entities through completing scored analysis of cyber threat intelligence signals for the purposes of third-party management and IT risk management. Wilkes is responsible for developing enterprise-wide security programs to protect corporate systems as well as growing and extending the SecurityScorecard platform to customers, executives, and boards of directors.
Wilkes is a technology evangelist with experience reaching back to the earliest days of the internet and the birth of e-commerce (he and his team built, launched, and supported starbucks.com in 1998). Mike has led the digital transformation of globally renowned brands such as Sony PlayStation, Macy’s, Nvidia, KLM, and many others. Before joining SecurityScorecard, he was the VP, Information Security at ASCAP and the Director of Information Security, Enterprise Architecture, and DevOps teams for Marvel Entertainment.