Managing the Rapid Expansion of your Digital Footprint

CDO Magazine and ComSpark provide a new dimension to security at the Cybersecurity Midwest Summit 2022. The following panelists in the session titled ‘Managing the Rapid Expansion of your Digital Footprint’ discuss everything from rapid digital expansion to third-party risk and ways to mitigate it.

  • Evan Anderson, Principal Technologist, Randori, an IBM Company

  • James McIntyre, CIO, YMCA of Greater Cincinnati

  • Matt King, VP of Global Information Security, Belcan

  • Nick Ritter, Chief Information Security Officer, First Financial Bank 

Sanara Marsh, Director of Product Marketing, Randori, an IBM Company, moderated the session.

The session opens with panelists discussing Covid-led organizational transformations and expansion in digital footprints. Anderson talks about downsizing and deciding to move in the cloud-first direction. He adds that the target has been to reduce digital footprints to reduce third-party risk. 

According to McIntyre, the democratization of data was a massive change. With growing access to enterprise data and expansion to the cloud, data protection and identity management are top priorities of the organization, he notes.

Anderson believes that the democratization of data has made it easier to access data to evaluate when policies and management are not on point. It is critical to get third-party visibility into what happened and how it is connected to the internet, versus how it was intended to connect.

Sharing his view, Ritter maintains that identity as a new parameter is clouded. Speaking about credential attacks, he insists on doubling down on identity and data protection programs and linking them to understand the privileged user.

King says it is difficult to maintain due diligence while adopting third-party applications since there is a never-ending spider web of connectivity across all the third parties.

Commenting on that, Ritter says, “The nut that we are trying to crack right now is how we get a view of our third parties' data protection and information security efficacy.”

Anderson highlights that it is fundamental to know where the data is, who has access to it, and what they can access to improve organizational security posture. Ritter insists on the SOC 2 analysis to manage third-party risk while gradually expanding the third-party questionnaire into roles, access, data storage, and protection.

Portraying the challenges with evaluating third-party vendors, Anderson says, “The motivation for that vendor is to get you into the product and use it as quickly as possible, not necessarily as securely as possible.”

Next, Ritter emphasizes that the problem lies with securing APIs on the back end. He states that hiding data at the screen level is not the correct data protection mechanism.

Shifting the focus to communication, McIntyre finds it integral for CISOs and CSOs to work directly with the board and understand the risk appetite for swift decisions. He mentions using questionnaires as a part of the process.

Ritter says that the CISOs will have to earn the C title in the future by building effective relationships with business lines while understanding their priorities. Anderson states that quantifying the risk will help CISOs speak the language that the C-Suite understands.

From McIntyre's point of view, part of the problem arises when a business assumes cyber risk to be an IT problem. He insists on educating the company about risk being a collective responsibility.

Similarly, King believes taking risks is a business decision, as it is the CISO’s job to point out the IT risk and suggest ways to resolve it. Understanding the level of risk acceptance within the organization can help standardize things, he concludes.
