In this week's episode Dr. Crane speaks with Mark Morrison about understanding and communicating with business units when implementing a security program, and managing a workforce in the face of shortages.
Mark is the senior vice president and chief security officer at the Options Clearing Corporation. Previously, Mark was the chief information security officer with State Street Bank. Mark has had a long and distinguished career in the Defense Department and intelligence community serving in multiple cybersecurity leadership roles.
In this episode:
00:00 — Highlight Clip
01:40 — Introductions
01:44 — What Works In Driving Security Initiatives?
03:17 — Successes In Resiliency And Being Proactive
04:21 — Organizations Falling Behind On Being Proactive
04:59 — Challenges In Understanding Critical Business Processes And Elements
07:12 — Determining Return On Investment Of Security
08:17 — Communication With Business Units When Implementing New Controls?
08:50 — Overreach In Security Affecting Business Processes
10:22 — Resiliency And Planning For Attacks
13:09 — Cybersecurity Workforce Shortage
15:19 — How Do You Ensure Your Cybersecurity Program Is Adequately Staffed?
16:42 — Successes In Cybersecurity Drawing Workforce From Military
17:51 — Sign Off
Mark Morrison:
The OCC — https://www.theocc.com/Company-Information/Executives/Mark-Morrison
Links in this episode:
US Cyber Command — https://www.cybercom.mil/
The SEI — https://sei.cmu.edu/
Thanks To Our Sponsors:
CISOWise vCISO — https://www.cisowise.com/
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/002-establishing-your-cyber-program-with-mark-morrison
[00:01:25] Earl Crane: Mark, welcome to the program.
[00:01:26] Mark Morrison: Thank you, Earl, pleasure talking with you as usual.
[00:01:29] Earl Crane: I wanted to open up by asking, leaving this as an open-ended question to start. Based on your experience as a cybersecurity leader, what have you discovered works well to drive your security initiatives forward?
[00:01:41] Mark Morrison: One of the key takeaways in order to become more effective is being able to listen to what people are telling you across the business. In most implementations of a security program in private industry, and to a certain degree government, you're in a support organization. It's not the primary function of the organization for security.
[00:02:02] Mark Morrison: In the financial community obviously we're here to support the financial markets, the financial infrastructure, and in OCC where we are the central counterparty and clearing organization for all derivative options within the United States.
[00:02:16] Mark Morrison: So you really have to understand and tie your security risk profile to what's critical to the business operations. And you can start by breaking those down into the three major security areas of confidentiality, integrity, and availability. Where we are as a financial utility, availability is as paramount for us.
[00:02:37] Mark Morrison: So we put a lot of focus on being able to identify threats and reducing the risk of keeping OCC from being able to process and clear options within the financial markets. We do still obviously look at the risks and the threats associated with integrity based attacks and certainly any breach of our information but really if we don't clear options, it's a bad day.
[00:03:02] Earl Crane: So as you're trying to get more proactive with your security posture, focusing on response and recovery, have you seen organizations or any operations that are working particularly well?
[00:03:15] Mark Morrison: Yeah I've seen, now that we, the more sophisticated threat intelligence assertions, whether you get it from commercial, or you get it from the ISACs or from other type of consortium and being able to automatically ingest those indicators of compromise, and other security indicators beyond the signature-based antivirus type activities that we're using.
[00:03:36] Mark Morrison: The next gen tools are using more machine learning, heuristic type algorithms to help identify trends in techniques that adversaries are using. And then following that through, into your SIEM or whatever you're using for you know data analytics, to be able to identify patterns of malicious activity.
[00:03:55] Mark Morrison: I think that is helping out quite a bit. I think that's starting to take hold across the community. I think we're universally in the defensive cyber world, I think we're seeing some returns on investment in that area.
[00:04:06] Earl Crane: Have you seen organizations falling behind?
[00:04:09] Mark Morrison: Oh, yeah. I mean, it all depends on where you view in your board and what your risk tolerance and risk appetite is. So all boards are going to say your cyber risk appetite is low. No one's going to come say, yeah, you know we're willing to take a lot of cyber risks. That just doesn't happen.
[00:04:25] Mark Morrison: So the real thing is that based on a quote unquote low risk appetite, how do you really define your tolerances in what your limits are for those tolerances? What are you willing to really accept? And what corresponding investment have you made to reduce that risk into what you believe your acceptable range is? And that's a balancing act that occurs all the time.
[00:04:44] Earl Crane: What are some of the challenges that you ran into in understanding those critical business processes, critical elements?
[00:04:52] Mark Morrison: It depends on the maturity of the overall organization and how well does anyone in the company really understand data flows. Where is data going? What state the data is in at any point in the process. And really understand, instead of looking at a system or an application level, you're looking at an end-to-end process situation.
[00:05:13] Mark Morrison: So it's easy to say we're going to protect all of our data by encrypting everything. Encryption does come with a cost, for example, whenever you're really processing the data, you've got to decrypt it to actually process it and use it. So there are vulnerable points. Even if you say we're encrypting all the data in transit and in rest, you've got to understand what that means and what the limitations of that are as that data entity transits throughout your business process.
[00:05:37] Mark Morrison: The other challenge is being able to monetize the risk in the cyber world. It's always been a challenge of actually putting a dollar cost on a loss or a breach. How much you have to do for the clean-up or for the breach or forensic analysis, or really what does that loss of data that loss of confidence that loss of business processing. What does it really mean to the business and the critical business processes again?
[00:06:00] Mark Morrison: So what you don't want to end up doing, is you want to spend a hundred thousand dollars to effectively mitigate a thousand dollar risks. You've really got to be able to identify what your loss ratios are and be able to tailor your controls to minimize that on the most important parts of your system.
[00:06:15] Mark Morrison: So we're saying that we're going to be more secure and bad things won't happen. Doesn't cut it. What you really have to be able to identify. If I spend X amount of dollars in this area, this is where we're going to facilitate the business, or this is where more importantly, we're going to be able to reduce or eliminate a potential risk loss.
[00:06:37] Mark Morrison: We're more of a loss or a cost center. So, and we're always preventing bad things from happening. We call it the CISO conundrum. If you spend $10 million on cyber and nothing happens, you've overspent because you didn't have to spend that much money. Or if you spent $10 million, and you get breached then obviously you didn't know what you're doing. You didn't ask for enough money.
[00:06:57] Earl Crane: What are some of the lessons learned or challenges that you've had, that you could share, when it comes to trying to show, the return on investment and what a security investment is going to achieve?
[00:07:09] Mark Morrison: One of the challenges is how do you really define the key risk indicators and the resulting metrics and measurements that show the value of the security program?
[00:07:19] Mark Morrison: Because as I mentioned before, you're basically a lot of times measuring things that don't happen. So, what you, really need to be able to spend a lot of time on developing what are your key performing indicators and your key risk indicators are, and then being able to put in the right metrics to be able to measure to show the investment.
[00:07:39] Mark Morrison: And that consistently is a challenge, and you ask any of the CISO communities or the folks like SEI or anyone else. Developing security metrics that are effective, repeatable and provide not just the answers that you're trying to put forward, but provide trending information that beyond the CISO that the CFO, that the board and others can use is a real challenge.
[00:08:02] Earl Crane: What advice do you have for communicating with business units when implementing new controls that impact the business?
[00:08:08] Mark Morrison: You and your security team really do need to work very closely with the business. You've got to understand what's important to them. And what's important to the business. Implementing a security control in the wrong way, that you may think provides a significant increase in your security profile, could have a very disastrous effect on your business processing.
[00:08:27] Mark Morrison: So you've got to find that sweet spot, that balance, we have adequate security, but you're also supporting the critical business functionality.
[00:08:35] Earl Crane: Could you share an example, maybe when you've seen a security control implemented with good intentions, but had disastrous consequences on the business impact?
[00:08:44] Mark Morrison: I think how you're doing identity and access management is a good example. About being able to define roles and entitlements associated with, if you're implementing role-based access control, how you define the roles and how you translate those into AD groups, as most people are using AD.
[00:09:01] Mark Morrison: And how you define those, so you don't support toxic combinations on the business side, but you also don't put so many entitlements and controls and lock it down too tight where people have to constantly go in back into the system, to keep going to ask for additional entitlements and additional authorizations either into the application or into the data itself.
[00:09:22] Mark Morrison: You could have a serious impact on how the business and who gets access to what. The other problem you have is if you don't understand how the business works on access control, what you'll do is you'll allow toxic combinations. You'll allow nesting of authorizations. You allow your AD to get out of control. When people do change roles, they're basically keeping all of their legacy authorizations or entitlements with them, and you're not then stripping them away.
[00:09:47] Mark Morrison: Or second of all, when someone new joins the organization, you're just going to use modelling. So you have a person that's been there 15 years and has an elevated set of privileges. Somebody new comes in, you automatically give them the same set of privileges because it's easier to do it that way. Instead of actually working with the business to actually figure out what type of entitlements are necessary for each role.
[00:10:07] Earl Crane: You mentioned that there was data flows and monetizing risk as one of the challenging areas in listening to your business units. Do you remember what the second one was that you wanted to highlight?
[00:10:18] Mark Morrison: Yeah, I think that the other challenge that you have is trying to get away from just implementing a reactive security program. I think we tend to, with the emerging threat, if you follow the classic NIST cybersecurity framework model of the five functions, all of us have put a lot of emphasis on identify, protect, detect. And I think that's all good. I think you need to do that. And I think you need to have very strong controls because you've got to prevent as much as possible.
[00:10:47] Mark Morrison: With today's emerging threat, and we're seeing larger scale attack patterns by more sophisticated cyber criminal elements as well as nation states, you've got to realize that at some point, most likely, with a determined, sophisticated adversary and the amount of vulnerable points within your network. Human insider threat to phishing, to lack of patching or vulnerability control. I think you're going to have to put more emphasis on your ability to respond and recover from an incident.
[00:11:18] Mark Morrison: So a lot of more mature cybersecurity programs are really trying to measure what we call dwell time, to be able to reduce the dwell time. To be able to as quickly as possible identify an adversary has breached your perimeter, or an insider is starting to do either inadvertent or malicious activity inside of your enterprise.
[00:11:40] Mark Morrison: And I think what you really want to be able to do is, put the controls in place to identify malicious behavior as quickly as possible and have the capabilities to isolate, contain first and then go through to eradicate the incident versus just saying we're going to build the wall higher on the perimeter and just hope that nobody breaches it.
[00:12:00] Mark Morrison: So you're seeing this new emerging field within cyber called cyber resiliency, and that's the ability to bounce back from various levels of attack. And I think that's going to be one of the ways that's going to improve our game on the defensive side. And really integrating cyber intelligence, so you can get more predictive.
[00:12:19] Mark Morrison: Here, we use a multi-tiered method of being able to identify and risk rate cyberattacks that we see out in cyberspace based on general cyberspace attacks or ones that are targeting financial communities and then financial utilities.
[00:12:34] Mark Morrison: So we can understand better how they would manifest attacks against OCC and that goes back to understanding the business. So what would an adversary, if they were really trying to attack you, what would they go after? How would they work that through? Where would they go laterally? What kind of piece of data or systems would they be looking to compromise?
[00:12:54] Earl Crane: I want to touch on something you mentioned there as we've gotten better at cybersecurity and the cyber defense community, is doing better each year. We also hear the challenges of the workforce shortage, the lack of cybersecurity professionals. Do you really think that this is an issue that we need more cybersecurity professionals? We need better professionals? We need more tools? How do you feel the workforce is progressing?
[00:13:20] Mark Morrison: Well, I think the answer is yes to all of those. We are seeing some relatively new and very encouraging technologies that are coming out.
[00:13:28] Mark Morrison: As I said earlier, I believe the better introduction of machine learning, artificial intelligence, data analytics into more advanced data analytics into the security world could be a significant game changer for the defensive cyber community. I think that's a very good positive step.
[00:13:44] Mark Morrison: I also think on the cyber workforce, I think it's a twofold, obviously it's a numbers game where we could obviously use more folks that have been trained in the basic parts of cybersecurity. We're seeing more of that being pushed down lower levels. A lot of colleges and universities now offer you the concentrations or degrees in information security, cybersecurity, whatever that in the past, you either had to get an EE or a comp-sci degree, and then you learn cybersecurity once you got on the job.
[00:14:13] Mark Morrison: So I think that is beneficial. I think the other part is training. I think a lot of companies are realizing that you're not going to go out and find all the talent that you need, so you have to kind of grow your own. And I think companies like ours are taking individuals from IT or the other organizations, and then sending them back to some of the very proficient college universities or other types of programs that offer very comprehensive cybersecurity training. And that's turning out to be very beneficial for helping us out.
[00:14:44] Mark Morrison: I still believe personally there's a wealth of untapped talent out there for military that have really built up their cybersecurity programs with the Cyber Command and the associated military support elements. I think there's a lot of talent that's untapped that's coming out of there as well that private industry could utilize better.
[00:15:04] Earl Crane: Any insights around organizations that are trying to make an adequate cybersecurity investment and their capabilities, for example, how do you ensure your cybersecurity program is adequately staffed and has appropriate capabilities?
[00:15:17] Mark Morrison: I think the largest thing for the younger workers is offering more programs like work from home, remote working. It's more difficult. You limit yourself if you have a specific geographic location, you're not willing to expand. Obviously you can't open offices everywhere. I think it's proactive, and it shows that you're willing to invest in talent wherever they want to reside. We do that here at OCC.
[00:15:42] Mark Morrison: I think the other part of it is that we have a very aggressive internship program with some of the universities here in Chicago, that allow us to bring in interns. Allow them to see what operating in a corporate security environment looks like. We get the benefit out of their knowledge on the latest technologies they're being taught in college. And a lot of times those translate into full-time positions after they graduate.
[00:16:03] Mark Morrison: I think the third part is that where the market is really the tightest is that 10 to 15 year experience level. And right now the people that have solid experience in those levels, especially on the newer technologies like cloud applications, mobile, they're at a premium right now. And a lot of companies are scrambling hard to try to find and attract those individuals and bring them into their organizations.
[00:16:26] Earl Crane: You mentioned earlier about the quality of individuals coming out from Cyber Command and the enhanced training that's coming in. What successes have you seen with anyone with a transition from military service into civilian cyber service?
[00:16:40] Mark Morrison: I'll be honest with you, I have seen very few failures in that area. Anyone that's coming out that has that solid training from the military, they come out well-trained, they know what they're doing. And in a lot of cases, like in the financials and other critical infrastructures, they concentrate more on nation state attacks. We're also subjected to nation state attacks. So they do understand some of the threat space. But a lot of the techniques are the same. They know how to work in a collaborative environment. And I think that's probably one of the keys is that security has to be integrated into all aspects of your operations.
[00:17:15] Mark Morrison: If it's always looked at as a secondary capability or a secondary function, you've lost that battle. It's got to be considered to be the prime business space and that role as a CISO is to reinforce that security is not there to put obstacles in your way. We're actually there to clear obstacles that may arise.
[00:17:36] Earl Crane: I think that's a solid bookend to some of your earlier comments about supporting business and integration. I think this is extremely helpful for CISOs and aspiring CISOs and other security executives to be able to hear your perspectives. And I appreciate you taking the time to share with us here on the podcast.
[00:17:55] Mark Morrison: Well, thank you, Earl. I appreciate your reaching out and good luck.