The Cyber5 Podcast

Security Enabling the Business During Periods of Fast Growth

Episode 47 | June 9, 2021

In episode 47 of The Cyber5, we are joined by Lena Smart. Lena is the Chief Information Security Officer at MongoDB. We discuss how security can be an enabler of a business during fast periods of growth. We review how different departments can set up their own applications without needing an arduous approval process. We also discuss different cultures in departments and best practices for assessing vendor risk.

Here are the 4 Topics We Cover in This Episode:

1) Avoiding Shadow IT and Enabling the Business (01:47 – 06:00)

In big organizations, “shadow IT” refers to information technology systems deployed by departments other than the central IT department. Individuals add these technologies to work around the shortcomings or limitations of the central information systems. Often IT security is not aware that these systems exist until their vulnerabilities are exploited and security is called in to investigate the incident or breach.

Security can enable the business through education and automation of processes. Communication is key to success. We recommend regular meetings with legal, human resources, technology, engineering, sales, and marketing. A “security champions program” is also helpful because it brings together those who are interested in security and gives them transparency into the risks the security team faces: incidents, vulnerabilities, patch management cycles, etc.

2) Transparency of Reporting Incidents Back to Stakeholders (06:00 – 08:37)

Great security programs start with the CEO and board of a company. If they recognize these issues as existential threats to the business, it’s easier to gain insights and selective transparency, as needed. While a “see something, say something” approach is highly advised, it’s more important to have a feedback cycle so closure is brought to the employees outside of security who report incidents. Security acting in a “black box” where information comes in and nothing gets returned is not going to keep employees reporting the issues that matter.

3) Security Adapting to Cultures of Departments (08:37 – 12:31)

Security teams cannot be seen as the “people that say no”. Security teams cannot live with a reputation of fostering fear, uncertainty, and doubt (FUD) within the business. Bringing people who are interested in security together for two hours a week for events like capture the flag, a security book club, and tabletop exercises increases awareness and produces tangible results: the business buys into security programs, and shadow IT is reduced.

4) Critical Elements of Third Party Risk Management (12:31 – 17:00)

Performing security checks when new vendors onboard, and going beyond questionnaires, is more critical than ever following SolarWinds. A particular focus should be categorizing the high-risk vendors that could be used as a pivot point for gaining access to your organization. Lena recommends using subject matter experts to map out the connections from high-risk vendors, approaching this with an investigative mindset rather than as a compliance box-checking exercise. This is likely a year-long effort, not a one-month one. The result of such a deep dive should be a process for engaging with critical vendors when a supply chain attack occurs, rather than considering terminating the relationship.
