In episode 47 of The Cyber5, we are joined by Lena Smart. Lena is the Chief Information Security Officer at MongoDB. We discuss how security can be an enabler of a business during fast periods of growth. We review how different departments can set up their own applications without needing an arduous approval process. We also discuss different cultures in departments and best practices for assessing vendor risk.
Here are the 4 Topics We Cover in This Episode:
1) Avoiding Shadow IT and Enabling the Business: (01:47 – 06:00)
In big organizations, “shadow IT” refers to information technology systems deployed by departments other than the central IT department. Individuals add these technologies to work around the shortcomings or limitations of the central information systems. Oftentimes IT security is not aware of the implementation of these systems until vulnerabilities are exploited and security is called to investigate the incident or breach.
Security can enable the business through education and automation of processes. Communication is key to success. We recommend regular meetings with legal, human resources, technology, engineering, sales, and marketing. A “security champions program” is also helpful because it brings together those who are interested in security to show transparency of the risks security faces: incidents, vulnerabilities, patch management cycles, etc.
2) Transparency of Reporting Incidents Back to Stakeholders: (06:00 – 08:37)
Great security programs start with the CEO and board of a company. If they recognize these issues as existential threats to the business, it’s easier to gain insights and selective transparency, as needed. While a “see something, say something” approach is highly advised, it’s more important to have a feedback cycle so closure is brought to the employees outside of security who report incidents. Security acting in a “black box” where information comes in and nothing gets returned is not going to keep employees reporting the issues that matter.
3) Security Adapting to Cultures of Departments: (08:37 – 12:31)
Security teams cannot be seen as the “people who say no”, nor can they afford a reputation for spreading fear, uncertainty, and doubt (FUD) within the business. Bringing people who are interested in security together for two hours a week for events like capture the flag, a security book club, and tabletop exercises raises awareness and produces tangible results: the business buys into security programs, which in turn reduces shadow IT.
4) Critical Elements of Third Party Risk Management: (12:31 – 17:00)
Performing security checks when new vendors onboard, and going beyond questionnaires, is more critical than ever following SolarWinds. A particular focus should be to identify the high-risk vendors that could serve as a pivot point for gaining access to your organization. Lena recommends using subject matter experts to map out the connections from those high-risk vendors, approaching the work with an investigative mindset rather than as a compliance box-checking exercise. This is likely a year-long effort, not a one-month one. The outcome of such a deep dive should be a process for engaging with critical vendors when a supply chain attack occurs, rather than defaulting to terminating the relationship.