The modern work environment has changed drastically in the last few months. The COVID-19 pandemic has forced many companies to rethink and often completely overhaul their remote working practices. At least half of the American labor force is working remotely, and it may become a permanent fixture with some employers. While employees are staying safe at home, they need to be empowered to keep their personal and professional data safe, too.
It seemed like a good opportunity to catch up with Graydon McKee, the Chief Information Security Officer at Pyramid Consulting. Graydon is a 20+ year veteran in InfoSec who started at Pyramid Consulting just as the pandemic was forcing companies to reposition their teams.
Graydon, let’s start with your role at Pyramid Consulting.
I am the Chief Information Security Officer, which means I’m responsible for all the internal aspects of protecting information at Pyramid Consulting, both for our clients and internally.
I’m also the Information Security Practice Director which means that I lead the team that architects and implements client solutions and engage with those clients to understand exactly what their needs are so that we can customize a security solution for their unique environment.
What are some of the biggest security threats companies are facing today?
The biggest threats are coming from the user accounts on a company’s network. Now, I’m not saying users are evil and trying to do bad things. What I’m referring to is something called credential compromise. Credential compromise is when a malicious attacker gets a hold of a valid user’s credentials to the network and uses them to compromise a company.
Since the onset of COVID-19, many more people are working from home. These people are more stressed, and as a result, are often more susceptible to what we call Social Engineering Attacks. Social Engineering is the process where an attacker will utilize various tactics in an effort to fool users into giving the attacker their credentials. These tactics include fake emails (phishing), fake websites, and even phone calls claiming to be IT Support or someone high up in the organization.
With this in mind, there are several things companies can do to lessen the chance social engineering will be used against them. From a security tools perspective, implementing Multi-Factor Authentication is top of the list. This introduces another factor to a user’s credentials in addition to their password. Most often this is a PIN that rotates every minute, but it can also be a fingerprint or retinal scan.
Tools and technology though are no replacement for solid user training and awareness. We need to train our users on how to react to these attempts and emphasize why it’s important. Our people are our greatest asset as well as our greatest weakness.
What are the mistakes companies make when it comes to their security strategy?
Holding onto legacy systems for too long is a big mistake we see. Companies will have an application or system that seems to be working just fine, but it’s ten years old and running on Windows XP or another old, unsupported operating system. These systems are no longer getting patches, but are still susceptible to vulnerabilities.
In fact, what most people don’t realize is that most modern, supported operating systems are using code that came from earlier versions. When a vulnerability is announced for the recent operating system, it is also very possible that the older versions are susceptible as well. The vendor doesn’t tell you this because they are no longer supporting the older version, but you can bet hackers will check and jump to exploit the vulnerability if they can.
Companies need to keep their systems up to date. This basic hygiene item, much like washing your hands and wearing a mask in public, will go a long way to keeping your systems and information safe.
There was a recent study by the Ponemon Institute which talks about the power of prevention and the money invested. They saw an 82% reduction in the cost of a breach or compromise when money was spent on prevention as well as detection versus money just spent on detection alone.
It is important to understand that despite what security vendors try to tell us, there is no silver bullet. There’s no 100%. Statistically speaking, you will get compromised. That’s a fact of life now, so a company’s strategy needs to focus on the essential elements that have proven themselves to be effective in managing the risk of a breach or compromise:
The battlefield is constantly changing, so we’re constantly adjusting what we’re doing. The hackers are really smart, and they only have to be right once. People working in information security have to be right every single time. There are millions upon millions of events every day, so statistically speaking, there’s no way that’s going to happen.
The best security is tight security. Security that’s almost transparent, that the user doesn’t have to worry about or understand. It’s just there and it works and it keeps them on the road, sort of like guardrails along the edge of a highway. You can drive up and down the road but the guardrails keep you from falling off and running into a tree. That’s what security should be doing. If it’s onerous and gets in the way, people will look for ways around it because it’s preventing them from being productive.
When clients come to Pyramid Consulting, their first engagement is typically an assessment. Can you explain that process?
The assessment helps us understand our clients and their environments. We assess or measure where they are against common information security frameworks and then lead them through conversations of “where do you want to be in one, three, and five years?” This isn’t a technology question though, at least not at first. Once we understand the business goals, we can then figure out the technology needs to support these plans and finally integrate security into the roadmap. Security capability can then grow with the environment rather than fall behind.
If a company is not sure about the direction they want to go, an assessment is the perfect place to start. We can help them understand where they are technically and programmatically and then provide a roadmap to where they want to be.
This is a collaborative process. We work to bring information to clients that is easy to understand and easily translatable beyond technical speak. The message needs to be easily understandable by anyone, even if they are not a technical person. We strive to communicate in more human terms, then a company can say ‘Okay, this is what I want to do. I don’t need to worry about what the settings are in the firewall. You guys go figure out how to make this work at that level.’
We work to understand their needs and tailor the assessment – it’s not a cookie cutter process. Anybody can come out and help you implement this tool or that tool, but Pyramid really tries to take the years of experience we have across all practice areas, from Information Security to Quality Assurance, and set you up with a way to achieve your goals.
The assessment can include just about any framework that’s out there – NIST, COBIT, ISO, to name a few – and they map to different industries. If a company is handling credit card transactions, we will make sure that they map to the PCI (Payment Card Industry) security standards and then we will add additional questions that aren’t necessarily covered in our basic assessment. If the company is handling healthcare information, then HIPAA would be involved.
Our real value add, though, is after that’s done. What is the strategic outlay? What does it mean? What should you really do? Filling that trusted advisor role to say ‘I know you’ve come to me and said that you want a Security Operations Center, but my assessment says that these four baseline things need work first. Why don’t we spend the money you wanted to spend on an SOC to ensure you have the basic foundation and then build from there?’
I want to be the guy that comes in and helps you out. How can I help you do better? And that’s what our whole security practice, and all of our consulting practices at Pyramid for that matter, are about – to help people and organizations become better.
Want to find out how Pyramid Consulting can help make your organization more secure? Contact Graydon today to get started.