To effectively reduce enterprise risk, cybersecurity experts argue it's critical to fully embed cybersecurity in the enterprise-risk management framework and into the whole organization. Here, we talk to Curt Dalton, Managing Director and Global Leader of Protiviti's security and privacy practice, about the importance and the benefits of this practice.
Security magazine: What is your background and title?
Dalton: I have been in information security for over 30 years. I began my career at Apollo Computer, the arch nemesis of Sun Microsystems, where I was a system and network administrator. There, I learned every flavor of Unix operating system, OS internals, and every flavor of networking technology and protocol from Thicknet, to IBM Token Ring, to Apollo Token Ring and every protocol imaginable at the time. It was a great environment for learning. A few years later, I helped to develop and implement one of the first firewalls – before most people knew if firewall was one word or two words. A few years after that, I developed an early Data Loss Prevention solution for a large technology company that was trying to determine the source of a spate of corporate IP theft. Soon after, while serving as the Security Practice Leader for a sizable consulting services firm, I co-authored a security architecture book that was published by Osborne McGraw-Hill and RSA Press. The book sold a substantial number of copies, and I used that bit of positive notoriety to found a security consulting firm, which I managed, grew and sold seven years later. I was then approached by an exciting startup company, Sapient, and became their first CISO. Several years later, I accepted the CIRSO role for the largest IT consulting company in China, which was recently acquired by a very large American PE firm. More recently, I have served in security consulting leadership positions, to where I am today at Protiviti where I serve as a managing director and the Global Leader of the Security and Privacy consulting practice.
Security magazine: How important is it to embed security into the organization as a whole?
Dalton: Simply put, it is critical to embed security within the organization. Organizations that fail to take this seriously can find themselves facing heavy fines, lost customers and prolonged damage to their brand. Cybersecurity needs to be part of the organizational DNA. Leaders need to think about how they will create and encourage a security mindset across the organization, and make sure that mindset influences both what the organization does and how it does it. Baking security in and doing it from the start is nothing new. The essence of SbD (Security by Design) and PbD (Privacy by Design) is that security and privacy are considered and factored in from step 1. These approaches should become the hallmark of how an organization develops its applications, architects its networks, executes its business processes, and even pursues mergers, acquisitions and divestitures, etc.
Security magazine: How can enterprise security leaders achieve this goal?
Dalton: Pay attention to the fundamentals, and to the details. With all of our expensive technologies in data detection, protection and response, most organizations continue to suffer from weak security hygiene. Do you know where your assets are, what they are used for, who uses them, what impact their loss would have on your business if they are no longer available, and are you backing them up and patching them? Are you logging security events, and do you have trained staff dedicated to identifying and responding to security events? If your organization does these things well, many of your risks will be alleviated out of the gate.
Security magazine: How can enterprise security executives maintain ongoing training and risk assessments?
Dalton: One of the most interesting things I’ve learned in recent years is that the bad guys actually collaborate better than the good guys, and that is a shame. They freely share information with one another to find the chink in your armor. Companies need to more fully leverage their ISACs and other peer-to-peer networking opportunities, and benefit from the information sharing that comes from these things – yet many organizations remain reluctant to. By sharing information and collaborating more closely, your risk assessments and subsequent mitigations will be more focused and more thorough, and that will translate into better risk reduction.
Security magazine: Can you detail what ongoing training and risk assessments should include?
Dalton: The best ongoing training is tailored to people’s roles. Those in data protection should focus on training in data protection, while those in incident detection and response should focus on that domain, for example. Over the years, I’ve learned that my team’s hard skills benefit the most by leveraging our vendor partners. They are literally on the cutting edge of technological advancements, and keeping pace with their developments ensures the technical skill advancements I want are being addressed. On the soft skills side, I lean on a combination of sources, from Gartner, Forrester and SANS to others. Technology alone doesn’t address the challenges we have in cybersecurity. In fact, if that is your approach, then you’ve left yourself wide open for a right hook. Your cybersecurity team needs to have both the soft skills and hard skills represented well to mount an adequate defense. Also, it is important to acknowledge that the cyber industry moves fast, so don’t wait for training programs to become available. You need to collaborate with your industry peers at conferences, at CISO roundtables and at other industry events – and regularly (all virtual at the moment, of course). This is how you’ll hear how your peers are tackling this or that challenge, and what pitfalls they ran into, so you can try to avoid them.