The Cyber5 Podcast

EP66: Building a Security Team And Using Intelligence to Inform the Proper Risk Strategy

Episode 66 | February 24, 2022

In episode 66 of The Cyber5, we are joined by H&R Block Chief Information Security Officer (CISO) Josh Brown.

 

In this episode we discuss the importance of building an informed security team that can collect intelligence and establish a proper risk strategy. We have a frank conversation about what the business of security means and how to develop a team that understands multiple business lines so a security team is anchoring their security strategy to how the company is driving revenue. We talk through how to do this at scale within the intelligence discipline that touches many lines of risk, not just cybersecurity.

Here are the 3 Topics We Cover in This Episode:

1) Security Informs the Business to Make Risk-Based Decisions:

Security professionals must have a deep understanding of how the business functions in order to develop a proper risk-based approach. Security is a risk management function that puts up guardrails so the business avoids bad decisions and does not lose money.

Intelligence is critical for gaining a 360-degree view of fraud and user segments of the network. Threat intelligence must be relevant to the specific business, not the industry overall. If there is a threat to a bank, that likely has nothing to do with a tax filing service. 

2) Actionable Intelligence that Reduces Business Risk: 

The industry has not secured an intelligence solution. Intelligence is an enrichment function, not the first line of truth for what to prioritize. Fraud data and other business-specific data tied to business loss are equally important to funnel into traditional cybersecurity tools.

Further, threat feeds and information must be bi-directional so that even competitors and businesses in the same location can understand when incidents are taking place. The threats that most companies face are not the ones that are regularly marketed, such as Advanced Persistent Threats.

The cybersecurity industry does a poor job of conveying the likelihood of a given advanced attack. Business email compromises, account takeovers, and fraud are still the most prevalent styles of attack, even against businesses that can afford sophisticated security technology.

3) Actionable Intelligence That Gives Visibility into Supply Chain Risk

“The perimeter” is no longer as relevant. With work from home, the perimeter is as much about identity and access management (IAM) as it is about IP space. On third-party supply chain risk, enterprises currently implement scorecard tooling as an audit function so that when a software vulnerability is released, an enterprise can quickly query which suppliers use that library or dependency.

Further, supply chain risk is as much about managing business interruption (DDoS) as it is about tracking suppliers that hold critical data. Major enterprises also care about the vendor’s vendors. Depending on the criticality of the data, a compromise of these fourth parties (fourth-party supply chain risk) can be just as detrimental as a compromise of a third party.

Since the United States does not have a standard breach notification law, it’s going to be very challenging to share intelligence bi-directionally, let alone get developers to uniformly submit secure technology code.

 
