Operational Security: The Next Evolution in Risk Reduction

The Cybersecurity Midwest Summit 2022, hosted by CDO Magazine and ComSpark, brings in leaders from various disciplines to navigate the changing cybersecurity landscape and devise strategies to mitigate burning risks. The following panelists discuss security threats and organizational strategies for mitigating risk in the session “Operational Security - The Next Evolution in Risk Reduction”:

  • Shawn Price, CTO of Healthy Roster Inc.

  • Kevin Rinn, IT Director, Mayerson JCC

  • Michael Speas, VP, CISO, Western & Southern Financial Group

  • Jake Munroe, Product Marketing Manager, Recorded Future

Kate Heffernan, Field Marketing Manager at Recorded Future, moderates the session. 

According to Rinn, phishing and ransomware are organizations' top security threats. Speas, discussing challenging the team to eliminate risks virtually, points out that unsophisticated third parties also open the way to breaches that cost the organization.

Price shares that it is challenging to maintain customer service while following standard operating procedures. “A huge part of the training is the layering in the supply chain attacks and how that affects us. Each time I add a new vendor to make my life easier, I open up another vector for a potential attack,” he says.

Expounding on the above, Munroe reflects on two massive issues:

  • Expansion of attack surface 

  • Convergence of threats

Next, Price highlights maintaining constant balance by ensuring everyone understands the safeguards. He notes that being responsive is the next important thing. “If you want people to follow a process to get a new application approved, you have to have SLAs around that,” Price adds.

Speas affirms that Western & Southern Financial Group, a 130-year-old organization, has old technical debt. He says Western & Southern conducts a lot of analysis upfront while deploying new technologies. The panelist considers the operational impact while rolling things out and works with the infrastructure and application development teams.

Additionally, Rinn notes that people always resist security, “so you need to make it as easy and customer-friendly as possible. Otherwise, they will figure a way around it.”

Speas discusses developing targeted risk assessments going forward. He explains that the organization examines specific aspects of risks whenever it loses data and incorporates them into processes through assessment.

At Mayerson JCC, Rinn says, SaaS products are the crown jewels and he has little to zero control over them. He believes that being part of conferences and learning about new security software is a priority.

“We try to do the minimum that costs the least money but meets all the regulatory requirements and does not interfere with the business process,” Rinn explains.

Adds Speas, “We are fortunate that we also have a security architecture team that helps us rationalize our overall tool set and look at where we are not deploying processes, people, and technology to address certain attack vectors.” He also concurs with following HIPAA regulations and NIST. 

Price states that compliance is critical and admits to having a web application firewall to block bots and focus on internal application scans.  

Discussing the future of cybersecurity, he says, “It is a continuous arms race of having more tools to mitigate attacks.” Price believes that his company has benefited from this, but it poses a hindrance to cybersecurity because it pushes growth at all costs.

Munroe agrees with Price, stating there is a consistent evolution of threat actors, and companies will constantly keep up with the threats. 

“There will be more jobs than people to fill those jobs,” Speas adds. “What is fascinating is the new ways that we are addressing the threats. I think that the whole ecosystem will continue to grow. So, we will have a proliferation of tools.”

In conclusion, Rinn claims everything is headed toward SaaS, and successful central management of operations and security will take a long time.
