
The modern work environment has changed drastically in the last few months. The COVID-19 pandemic has forced many companies to rethink and often completely overhaul their remote working practices. At least half of the American labor force is working remotely, and it may become a permanent fixture with some employers. While employees are staying safe at home, they need to be empowered to keep their personal and professional data safe, too.

Seems like a good opportunity to catch up with Graydon McKee, the Chief Information Security Officer at Pyramid Consulting. Graydon is a 20+ year veteran in InfoSec who started at Pyramid Consulting just as the pandemic was forcing companies to reposition their teams.

Graydon, let’s start with your role at Pyramid Consulting.  

I am the Chief Information Security Officer, which means I’m responsible for all the internal aspects of protecting information at Pyramid Consulting for both our clients as well as internally.

I’m also the Information Security Practice Director which means that I lead the team that architects and implements client solutions and engage with those clients to understand exactly what their needs are so that we can customize a security solution for their unique environment.

What are some of the biggest security threats companies are facing today?

The biggest threats are coming from the user accounts on a company’s network. Now, I’m not saying users are evil and trying to do bad things. What I’m referring to is something called credential compromise. Credential compromise is when a malicious attacker gets a hold of a valid user’s credentials to the network and uses them to compromise a company.

Since the onset of COVID-19, many more people are working from home.  These people are more stressed, and as a result, are often more susceptible to what we call Social Engineering Attacks. Social Engineering is the process where an attacker will utilize various tactics in an effort to fool users to give the attacker their credentials. These tactics include fake emails (phishing), fake websites, and even phone calls claiming to be IT Support or someone high up in the organization.

With this in mind, there are several things companies can do to lessen the chance social engineering will be used against them.  From a security tools perspective, implementing Multi-Factor Authentication is top of the list. This introduces another factor to a user’s credentials in addition to their password.  Most often this is a PIN that rotates every minute, but it can also be a fingerprint or retinal scan.

Tools and technology though are no replacement for solid user training and awareness. We need to train our users on how to react to these attempts and emphasize why it’s important. Our people are our greatest asset as well as our greatest weakness.

What are the mistakes companies make when it comes to their security strategy?

Holding onto legacy systems for too long is a big mistake we see. Companies will have an application or system that seems to be working just fine, but it’s ten years old and running on Windows XP or another old, unsupported operating system. These systems are no longer getting patches, but are still susceptible to vulnerabilities.

In fact, what most people don’t realize is that most modern, supported operating systems are using code that came from earlier versions. When a vulnerability is announced for the recent operating system, it is very possible that the older versions are also susceptible. The vendor doesn’t tell you this because they are no longer supporting the older version, but you can bet hackers will check and jump to exploit the vulnerability if they can.

Companies need to keep their systems up to date. This basic hygiene item, much like washing your hands and wearing a mask in public, will go a long way to keeping your systems and information safe.

There was a recent study by the Ponemon Institute which talks about the power of prevention and the money invested. They saw an 82% reduction in the cost of a breach or compromise when money was spent on prevention as well as detection versus money just spent on detection alone.

It is important to understand that despite what security vendors try to tell us, there is no silver bullet. There’s no 100%. Statistically speaking, you will get compromised. That’s a fact of life now, so a company’s strategy needs to focus on the essential elements that have proven themselves to be effective in managing the risk of a breach or compromise:

  1. Do you know what you are protecting? What is on your network? Where is the critical data? What software is being used?
  2. Are you taking prudent and reasonable measures to protect these assets? It will vary based on the environment and information being protected.
  3. Are you actively monitoring your systems for potential security events?
  4. Do you have plans in place for what you will do when you feel you have been compromised or breached? Do you know if they will actually work?
  5. Do you know how you will recover from a compromise or breach? It isn’t as simple as returning to the same state as the day before. Recovery will necessarily need to include improvements to address the vulnerabilities that led to the situation in the first place.

The battlefield is constantly changing; we’re constantly adjusting what we’re doing. The hackers are really smart, and they only have to be right once. People working in information security have to be right every single time. There are millions upon millions of events every day, so statistically speaking, there’s no way that’s going to happen.

The best security is tight security. Security that’s almost transparent, that the user doesn’t have to worry about or understand. It’s just there and it works and it keeps them on the road, sort of like guardrails along the edge of a highway. You can drive up and down the road but the guardrails keep you from falling off and running into a tree. That’s what security should be doing. If it’s onerous and gets in the way, people will look for ways around it because it’s preventing them from being productive.

When clients come to Pyramid Consulting, their first engagement is typically an assessment. Can you explain that process?

The assessment helps us understand our clients and their environments.  We assess or measure where they are against common information security frameworks and then lead them through conversations of “where do you want to be in one, three, and five years?” This isn’t a technology question though, at least not at first.  Once we understand the business goals, we can then figure out the technology needs to support these plans and finally integrate security into the roadmap.  Security capability can then grow with the environment rather than fall behind.

If a company is not sure about the direction they want to go, an assessment is the perfect place to start. We can help them understand where they are technically and programmatically and then provide a roadmap to where they want to be.

This is a collaborative process. We work to bring information to clients that is easy to understand and easily translatable beyond technical speak.  The message needs to be easily understandable by anyone, even if they are not a technical person.  We strive to communicate in more human terms, then a company can say ‘Okay, this is what I want to do. I don’t need to worry about what the settings are in the firewall. You guys go figure out how to make this work at that level.’

We work to understand their needs and tailor the assessment – it’s not a cookie cutter process. Anybody can come out and help you implement this tool or that tool, but Pyramid really tries to take the years of experience we have across all practice areas, from Information Security to Quality Assurance, and set you up with a way to achieve your goals.

The assessment can include just about any framework – NIST, COBIT, ISO, to name a few – that’s out there, and they map to different industries. If a company is handling credit card transactions, we will make sure that they map to the PCI (Payment Card Industry) security standards and then we will add additional questions that aren’t necessarily covered in our basic assessment. If the company is handling healthcare information, then HIPAA would be involved.

Our real value add, though, is after that’s done. What is the strategic outlay? What does it mean? What should you really do? Filling that trusted advisor role to say ‘I know you’ve come to me and said that you want a Security Operation Center, but my assessment says that these four baseline things need work first. Why don’t we spend the money you wanted to spend on an SOC to ensure you have the basic foundation and then build from there?’

I want to be the guy that comes in and helps you out. How can I help you do better? And that’s what our whole security practice, and all of our consulting practices at Pyramid for that matter, are about – to help people and organizations become better.

Thanks Graydon!

Want to find out how Pyramid Consulting can help make your organization more secure? Contact Graydon today to get started.

Randall McCroskey

About the author

Randall McCroskey

Vice President, Enterprise Solutions

Since 2006, Randall has been helping technology executives digitally transform their business as Vice President of Pyramid Consulting. Relationships are his daily driving force and his desire to trust and serve those in his professional and personal life constantly motivate him. Atlanta is a great city for Randall, as he hates the cold and prefers warm weather near the water. His greatest pride is the partnerships with colleagues, friends, and fellow professionals he has made along the way.
