As an outside observer, how can you tell if a company is staying cyber healthy? While there is no financial statement equivalency to let you know the strength of a company’s security profile, there are signals that’ll give you a pretty good idea.
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Matt Honea, CISO, SmartNews.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, Automox
David Spark: As an outside observer, how can you tell if a company is staying cyber healthy? While there is no financial statement equivalency to let you know the strength of a company’s security profile, there are some signals that’ll give you a pretty good idea.
Voiceover: You’re listening to Defense in Depth.
David Spark: Welcome to Defense in Depth. My name is David Spark, I am the producer of the said CISO Series. And joining me for this very episode is the one fantastic Geoff Belknap, CISO of LinkedIn. Geoff, grace us with the tones that come from your vocal cords.
Geoff Belknap: Hey, everybody. This is Geoff, and this is what my voice sounds like.
David Spark: Sounds just like that, and you’ll hear a lot more of that later in the show. Our sponsor for today’s episode is Automox. Thrilled to have Automox onboard, brand new sponsor with the CISO Series. Check them out at automox.com. We’re going to talk more about their patching solutions for your vulnerabilities, how they automate it and make it simple for you. Today’s discussion is how do we go about trying to determine a company’s cyber health. Jamil Farshchi who is the CISO over at Equifax asked this question on LinkedIn and provided some suggestions, such as is there a CISO? Is that CISO an executive? Does the board have cyber expertise? Does the company publicly talk about cybersecurity investments and maturity? And Jamil also brought up the discussion of cyber rating firms. Geoff, give me an idea of the multitude of reasons why it’s important to know about another company’s cyber health.
Geoff Belknap: Yeah, at a base level, if you’re a company selling a product to a consumer or another business, in this day and age it is really helpful for your customers to understand the risk that they are taking on by virtue of having you as a supplier or a vendor to them or using your product. And I think beyond that, it’s also just really important to understand that most software products today, especially if they’re delivered over the web, are using some amount of our personal data or our corporate and enterprise workforce data, data that we generally are trusting them to protect, and we need to have some understanding of how that’s going to happen. Can we build some trust with you as a custodian of this special data? And I think even beyond that, especially for companies that are holding our individual data, we want a foundation to build that trust on, and it’s really important for companies to be able to communicate about that, to tell a narrative about how they handle that. And it’s even more important for your customers to be able to understand it. So, let’s talk about what that’s like, and I think we have a great guest today to do that with.
David Spark: I think we do, and I would also just add this adds much to the discussion of third party risk, fourth party risk, the issue of mergers and acquisitions, the whole issue of the financial viability also of companies as well. I mean, it goes down a very, very long road, but the first and foremost, like you said, Geoff, is just being a customer knowing who you’re dealing with.
Geoff Belknap: Absolutely.
David Spark: And the gentleman we’ll have speaking with us and joining us in this discussion I met at Black Hat. I was like, “Ah! You should come on to one of our shows,” and lo and behold, from that conversation, here he is. It is the CISO for SmartNews, Matt Honea. Matt, thank you so much for joining us.
Matt Honea: Thanks, David. Thanks, Geoff, for having me.
This problem doesn’t end here.
David Spark: Laura Winyard of HMG Strategy said, “Expecting financial statements to give the full picture is equally as risky as assuming a company is secure because it checks all the cybersecurity compliance boxes.” Interesting statement there. And Paul Dunlop of Šóta Signal Analytics said, “The markets are still in desperate need of outside-in analytics that signal potential misstatements.” So, these are really good quotes that are kind of on the mark that address the issue and the concern that we all have of trying to determine a company’s cyber health. And I’ll just say this – while third party risk companies get a lot of crap, I think they do, there’s still a desperate need for them. Yes, Geoff?
Geoff Belknap: Absolutely. The fact that we don’t have financial statements for security and risk, the fact that we don’t have generally accepted accounting principles for security risk, it pushes us to do a couple of things. One, it makes us constantly sort of really heavily lean on more simple frameworks like SOC 2 or ISO27K, and we put a lot of faith into those things to try to understand exactly what the company’s doing when it turns out it’s not really what that is designed for. It’s designed to give you a basis and [Inaudible 00:04:53] really good, but I do think we have to level that up. Because exactly as Paul is saying, the market is still in desperate need of understanding what’s going on with your company relative to expectations. And the most important thing – how does that impact how your business works? And I’ll say that is one of the most important things that I spend a bunch of time on just internally with my own executives is how do we better understand how security drives the business, and what business decisions impact security, and vice versa. I think that’s the kind of thing that customers and investors and oversight regulators really want to know more about.
David Spark: Matt, I throw this to you. What concerns you when you go into business with another company and you’re trying to understand their security profile?
Matt Honea: Geoff, I totally agree with you, I think standardization is going to be a huge area we can improve as an industry. David, things that come to my mind are cyber risk and cybersecurity I don’t necessarily group in the same bucket, I think we can break these out in different ways. I think there’s technical indicators, I think there’s non-technical indicators. I think some standards exist today…
David Spark: Just give me an idea, that’s what we’re shooting for. What are some of the technical and non-technical indicators?
Matt Honea: Yeah. So, let’s start with what Jamil brings up. I think those are a great example of non-technical indicators. Think about things like board experience, brand awareness, R&D, security staff. I think those are all great places to start. I would probably take it even a step further and look at things like employee turnover rate, satisfaction, pay gaps, Glassdoor reviews, other non-technical proxies that might indicate how healthy a program is at a company. There’s also things like bug bounty programs, which are also very public, vulnerability disclosure programs, and essentially it helps paint the picture of how they handle security incidents internally.
David Spark: I think that also plays to how much do they publicly talk about their security program in general. Some companies say not one word, and others have a whole blog on it, for that matter. Geoff?
Geoff Belknap: Yeah, I feel like there is a strong correlation between how much a company says about their security, privacy, and trust practices externally, and how much they think about it and act on it internally. I do however come back to I feel like a lot of those things that Matt just listed off, which are great indicators, it’s just important to identify that those are lagging indicators, right? Those indicate things that might be symptoms of broader problems, but they don’t immediately tell you, like if you’ve had a bunch of turnover, it doesn’t go like, “Oh, cybersecurity’s program in dire risk. Modulo, lay off your entire security team.” Like, maybe your customers should ask some questions. Not about your security program but maybe about your business and how you make decisions.
Absent that, I think the other thing that there’s just not a good way for companies to be transparent about today, the number one indicator I look at is how many major security incidents or breaches have you had in the past, and how have you recovered from those. Because how many incidents you have and whether they keep repeating and being similar incidents and how you’re recovering from those is to me the single greatest indicator of how you’re going to handle your security in the future.
What are they doing right? What are they doing wrong?
Matt Honea: Yeah, maybe it makes sense to take a step back and kind of look at the broader problem we’re trying to solve is what is cyber health, what does it really mean to you as a company looking for a tool. And I don’t think we can necessarily treat every single element of security equally, especially if you have different use cases, and I’ll give you a good example. Let’s just say you need a tool to check on your cloud health, and what it does is it has a beacon, and it sends a beacon, it says that the health is good. No authentication, simple beacon, just lets you know that a server is good. So, in that case, are you really that interested in how secure the company is from a data privacy standpoint? They probably don’t have a whole lot of data. It may not be my number one checklist item. But things that I would want to know about are how resilient is their service, how likely are they to get DDoSed or have an impact such that their service availability goes down, and my whole use case goes down. And so I think we need to maybe break this into multiple branches and see what areas for a consumer are more important in terms of security.
David Spark: That’s a really good point of bringing up resiliency as well. And I think what you said, Geoff, at the end of the last segment of they’re going to have breaches, how do they handle breaches, are they repeated. Everything else we’re discussing are little puzzle pieces, but when you look at the end result, what the customer cares about are resiliency and how they’re handling breaches, which kind of goes hand in hand there. Geoff?
Geoff Belknap: Yeah, absolutely. While I do think things like Mark is talking about here, as where does the CISO report to, like, yeah, you might be able to garner some insight about intent, but what you can’t see in that case is maybe the person they’re reporting to, like, that is the better leader for them internally. Maybe that is the leader that is the true champion for whatever that is, there’s a lot that’s not to be seen. But when you look at how a company handles a breach, how they talk about their breach, how they recover from that, that tells you loads because you can evaluate that as a customer. You can see the emails that come out to you, you can read the tone of the message, you can read the content. Do they post a technical blog that tells you about it? There is so much rich information that you can read into, and you can test and touch and observe for yourself when they respond to a breach.
And I think it’s especially important here to not draw conclusions about the fact that there has been a breach. Because let’s be really honest. If you are running an internet-connected company of any kind of importance and you haven’t had a breach, it’s because you either haven’t had it yet, and you’re definitely going to have some kind of major security incident, or your security program is so weak you just don’t know that you’ve had a breach yet. And I think it is really unlikely that a company that has a breach is no longer trustworthy. It’s the company that has a breach, handles it well, is transparent and responsive to their customers, that has earned my trust. And I think you really have to give that a lot of weight.
David Spark: And I think about that last line you said about earning trust. I mean, I think about it and unfortunately, the names are eluding me right now, but the companies that were really public when they had a breach, had their CEO come on honestly, not read from a prompter, tell the story of what happened, what they’re going to do, what they knew at this moment, and make it clear like, “Information is unfolding, we don’t have all the answers, but we’re telling you what we know now.” The point I always make is if you don’t tell the audience what’s going on or your customers and the people who could potentially be your customers, they’re going to make their own story, and it might be right but probably not.
Geoff Belknap: Yeah. And the worst part is you’re going to get lambasted for that stuff in the press. The more public you are about it, the more it’s going to get covered, but you have to just do the right thing.
David Spark: Crisis communications always is a job in itself that I’m always impressed when they handle it well. Matt, what’s your take on when you see a company handle a breach well? And can you give examples of how a breach is handled well?
Matt Honea: Yeah. So, when I was working in the insurance industry, I did a lot of research around how companies recover from a breach and how it affects their short term and how it affects their long term. And a lot of companies, when they handle a breach, even if it’s publicly disclosed, we’ll say 90% of breaches are probably not disclosed, but the ones that we know about, the ones that are handled well, the ones that have great communication, those are the companies that recover stronger. And even if you take that short-term hit with media, with press, whatever it might be, the trend is that those companies come back stronger, and it reflects in their revenue.
David Spark: Can you give me though some of the mechanics that you’ve seen, just quickly closing this out, of how you’ve seen a breach handled well?
Matt Honea: One recent one that comes to mind was the Okta breach. It wasn’t necessarily a widespread breach, information was trickling in, we had a contractor that was involved and credentials, which is actually a very common trend. And that stands out to me.
Sponsor – Automox
David Spark: Before we go on further with the show, I want to mention our sponsor Automox. Are you ready to ditch manual patching? Who enjoys it? Nobody does. Every operating system requires critical patches to reduce your risk of attacks or breaches. The problem – patching and endpoint management can be agonizing! I don’t need to tell our listeners that. With multiple tools creating interruptions that slow down your end users, and complexity that takes up all of your IT team’s time. You don’t need that. Because modern patching should be easy, right? As with Automox it is. So, this is cloud based and globally available. Automox allows you to automate across operating systems your patch management, dramatically reducing the time, effort, and complexity it takes to manage multiple operating systems. So, now you can sleep better at night knowing your IT environment is becoming more secure. Visit automox.com to start a free trial and have all the endpoints as safe and secure as you can be in just 15 minutes. That’s their promise there. Automox is offering special pricing from now until December 31st, so you can start 2023 off right and get automated patching without breaking your budget.
What would a successful engagement look like?
David Spark: Michael M. of ClubCorp said, “At some point, there will need to be more transparency and reliable disclosure that effectively communicates many of these,” and referring to literally everything we talked about. “Seems most organizations have utilized ‘compliance’ as a means to avoid much of anything substantial to address cyber risks of their own accord. Further, historically, anyone trying to take the moral approach and disclose issues or vulnerabilities has been met by much hostility from organizations or vendors.” Don’t know if I fully agree with that one. Next one from Matthew W. of Zoom said, “Along the lines of disclosure, we need to push for greater transparency in controls as an industry, push towards more population-based benchmarking versus the existing sample-based check-boxing.” So, what do you think on Michael M.’s comment about people who are honest get lambasted, and Matthew’s comment of, “We just need sort of a greater push towards what we’re all doing rather than some sample-based compliance analysis,” Geoff?
Geoff Belknap: There’s some truth in this, I think.
David Spark: On which one, on the first one?
Geoff Belknap: Well, yeah. I think the first part in Michael’s comment here, the more you share publicly, the more you’re being vulnerable to either press or people on Twitter or LinkedIn or customers.
David Spark: That is because you’re giving them ammunition.
Geoff Belknap: You’re giving them ammunition, you’re being open and transparent, and frankly, if you’re open and transparent and you’re just like, “Everything’s awesome, there’s nothing to see here,” that’s a little suspect. But you’re being open and transparent, and that gives people the ability to poke holes, and there are a lot of Monday morning quarterback types out there. But what I’ll point out is that there was a time maybe 10+ years ago where nobody had a security page, nobody had a page on their website that explained how we handle privacy, how we handle security, how you can report an incident. And today it is very common, and it took bravery for people to share that stuff out. And I’ll give you a great example of how far we’ve come, and if you go to linkedin.safebase.us, we’ve got a whole website that explains like, “Here’s all our compliance certifications. Here’s how we do different parts of our security program.” That’s unheard of maybe 5, 10 years ago because nobody else was sharing that information. Now people are like, “Oh, why do you make this choice? Why do you make that choice?”
David Spark: I’d be interested to know – do you have any information about the traffic that comes to that page? What do you know about who comes there?
Geoff Belknap: We do. It’s very popular. We use it as part of a sales tool to help customers and members understand how we handle our program. But I would say we probably lean even further forward than many organizations. There are lots of other companies, I’ll point out Amazon’s one or Azure, if you buy cloud services, there are absolutely these deeply detailed pages that explain how they handle compliance, how they handle security, how they handle privacy. And that is the way we need to go, but it took people to be brave and to bear the slings and arrows of public scrutiny to do that. And I think we will eventually get there, where there is much more data shared, and there is more like nutrition facts on the side of the cereal box to help you digest it.
David Spark: But that requires regulation. We have nutrition facts because of regulation.
Geoff Belknap: I think it really does. I hate to be that person, but I think it really is going to require some changes like that to bring it about.
David Spark: All right, Matt, I throw this to you. What’s your take on these two comments from Michael and Matt, reminding everyone of the hostility to the people who actually do disclose stuff, and the need to move beyond compliance as an industry?
Matt Honea: Yeah, I think we need to have thick skin. I think revealing parts that are important, that the public should be aware of, are really important for security. A good example comes to mind early in 2017 when the security.txt standard came out or was proposed. And it started to get adopted more and more at many companies, and it was just a very simple concept. Basically, you post a text file on your website, it’s at a very well-known address, and if there’s a security incident, if anyone needs to report something, if you need more information around security, privacy, data compliance, whatever it might be, you go there, and it tells you a link where it is, or it tells you an email where you can contact for more information. And I think that was the start of a lot of things that have come. I think SafeBase is another great example. And then I think there’s a lot of data out there that are collected by third parties that I think we could include. I think we as a society can maybe trust a verified third party to potentially do risk assessments. Maybe it’s a government entity, maybe it’s an organization of companies that get together and actually set those standards. But I think there needs to be some sort of regulation. Maybe not by the government, but by some organization to help push these initiatives forward.
What should we be measuring?
David Spark: Brandy G. of Crum & Forster said, “Wouldn’t it make sense to ask for past security assessments and audits in addition to financial statements? This way they can see how a company is handling security and how they’ve matured over time, which in turn identifies areas of risk investors should consider. I imagine this is equally as important during a M&A deal. If an organization has the same findings/vulnerabilities/misconfigurations year after year, it means they aren’t addressing them, which would be an immediate red flag.” My feeling is that’s kind of on the money, Geoff, in the sense that here’s something physical I can show, I can show a pattern, a history of it. If it doesn’t change, uh-oh, we’ve got problems. Yes, Geoff?
Geoff Belknap: Yeah, absolutely. The “especially during an M&A deal, this is the route you want to take.” Show me your audits, show me your reports, give me the evidence that you’ve been following your controls. The problem with that approach is, and I’ll underscore it, that’s a gold standard approach. That’s absolutely what you should be doing during an M&A. But when I’m just a customer, and I’m trying to buy your product or assess whether your product is safe to implement in my environment…
David Spark: That’s not available.
Geoff Belknap: That’s not realistic. And I’ll give you a great example just from my organization is I own the supplier risk organization, and that team reviews hundreds of suppliers – new suppliers and old suppliers – every year. And it’s not realistic for companies that don’t have the same resources as a company like LinkedIn or Microsoft to review oodles and oodles and stacks and stacks of audit reports. We really do need something better.
David Spark: Well, this goes into the third party risk assessment companies, that’s their job.
Geoff Belknap: I think that’s exactly right, but I still think that’s even a Band-Aid, right? That’s me outsourcing and trying to scale a problem. But the reality is the only way to get that insight today is for somebody to go take a look at all that data and give a critical analysis. We do need something more improved. As an organization, we either need regulation to come in, a regulatory framework, or we need to agree as a bunch of technical companies what is it that we’re going to share openly so that customers can make quick assessments. And this is largely an unsolved problem today.
David Spark: Good point. Matt, for the average person who does not have deep pockets like LinkedIn… Which SmartNews isn’t nearly as large, but you’re getting there.
Matt Honea: Hope so. [Laughter]
David Spark: What are their recourses?
Matt Honea: So, I think for a smaller company trying to do business, trying to be secure, I would love an objective data set that can be continuously run and independently verified, and it doesn’t necessarily need to come from me. I could have that come from someone else, I think it could come from a vendor, I think it could come from the government. Really, I think the bar is fairly low. I think the problem we have today is it’s so much manual intervention, usually you have to request a report, you request a SOC 2, you get a secure download link, you review it, you look at it. You see some things that are wrong, ah, they’re probably okay or they’re not okay and you make a decision. Can we speed this up? Can we have, instead of once a year, can we just do a continual assessment maybe week over week, month over month, and actually just get more data over time versus having this kind of once in a year? Which actually I don’t think reflects the current risk environment for the companies, it’s a point in time. So, I think the more data and the more cadence we have with these types of assessments is the future, but it’s how we do that, and I do think we have a gap, we have a problem here.
Geoff Belknap: I think this is a great point, and this is an example of an area where we could invest more on and will over the future. But posture management and continuous control evaluation really start to help in this environment, and it would be great if we could fast forward the clock 10 years and then just say, “Hey, we expect every vendor to have a set of basic controls and have control validation running automatically in the background. And you just give me a report that says, ‘I have this many controls,’ and give me a percentile score of 98% of the time all those controls are functioning normally. And then give me your variance like, okay, for that 2% of the time, what happened, tell me about those.” That would be fantastic. If you could declare up front that, “I follow the CIS blah-blah-blah benchmarks, and here is my continuous control validation report,” that would be huge. Because that’s not what we have today. And to Matt’s point, what you have today is once a year, maybe, you’ve got an auditor that comes in and goes like, “When we looked for this two-week period when we were asking for evidence, everything was working fine.” And that was fine, I would say, for the late ’90s and the early 2000s, not as good today. But it’s the best we got.
David Spark: All right. We do have the best we’ve got. I think though we have uncovered a lot of layers in this onion, of which it is an onion. It’s round and it requires us to peel.
Geoff Belknap: And sometimes it makes us cry.
David Spark: And tear up sometimes, it does. Especially if we have a breach.
David Spark: Matt, we have come to the point in the show where I ask you which quote is your favorite and why. Which one is it?
Matt Honea: Yeah, David, I’m going to go with Matthew W. from Zoom. I think greater transparency, controls as an industry is just really important. I think it really just followed the whole discussion around there is a lot of data out there that’s hidden behind the curtains. We kind of need to peek behind it. We need to look and see exactly what’s inside this. Maybe we don’t need to do it individually, but someone needs to do it, and I think we need to figure out a way to move forward.
David Spark: Good point. And I should also mention with our onion metaphor that we had just a moment ago, Geoff, as you peel away the layers of the onion, you know what you get? More onion. It doesn’t stop being an onion.
Geoff Belknap: More layers.
David Spark: There isn’t like there’s some magic box inside. It stays onion.
Geoff Belknap: Yeah, it’s just an onion until there is no onion anymore. Where does an onion end and where does it begin, David?
David Spark: It ends when it’s gone. Geoff, your favorite quote and why?
Geoff Belknap: I’m going to go with Shawn Bowen from World Fuel Services, “Just because they had a breach doesn’t mean they are a bad investment. How did they handle the breach?” I think this is the exactly right train of thinking. Just because somebody had a breach does not mean that’s it, they’re out of business. And we have seen numerous large companies have massive breaches, and everybody just went back to buying their diapers or lumber or whatever they needed to do. Because it’s how you respond to the breach, how does your business recover, how do they engage with their customers, how do they build and rebuild trust with people who intrinsically that trust has been violated. That is really the thing that will tell you about whether you can do business with this organization on a long-term basis.
David Spark: I was just thinking – prior to there ever being computers and a cybersecurity issue, companies got robbed and people didn’t stop going to a business because the company was robbed.
Geoff Belknap: As it happens, banks still exist. Yes. There are crimes that happen at banks all the time.
David Spark: Exactly.
Geoff Belknap: So, this is not a concept that should be foreign to anybody.
David Spark: It’s all about how do you handle when the bad thing happens, and how do you improve your defenses for the next time. If you’re handling it well every time, and you’re getting robbed every single time, then there’s an issue.
Geoff Belknap: Yeah, a little bit of that. Look, I’ve been married a long time, and it is not because I have never made a mistake. Quite the opposite.
David Spark: Well, that brings us to the very end of our show where Geoff will reveal all the mistakes he’s made in his marriage.
Geoff Belknap: Cut this. Cut this right here, editor.
David Spark: I want to say a huge thanks to our sponsor Automox – automox.com – check them out for all your patching needs, especially if you want to automate it. Matt, I let you have the very last word but the question I always ask all our guests is are you hiring, so make sure you have an answer for that. But Geoff, first, I always say for Geoff’s case, he’s hiring, and if you’re not going to work for Geoff, a great place to go to look for a job is also LinkedIn. Geoff, any other last words on this topic today?
Geoff Belknap: I think LinkedIn’s a great place to look. I think LinkedIn also gives people the ability to point you at security information about your company but check out other companies that are in this space. I mentioned one earlier, I’m not going to throw it in now, but do a good job, go back and find it. But there are several companies that are in this space that are making it easier for other companies like mine and like Matt’s to share information about their security programs. They’re fantastic, go take a look. And if you don’t have one of those today, think about investing.
David Spark: And Matt, are you hiring and any last thoughts on today’s conversation?
Matt Honea: Yeah. So, we are hiring, we’ve got one spot open. We’d love to encourage anyone to apply. It’s for a security operations engineer. Yeah, parting thoughts, I think coming from the cyber insurance industry where I worked before, this space is more and more important, and the speed at which we’re moving is slow. I think we can do better as a group, as an industry, to help build standards, build frameworks. I think more and more vendors are coming in the space, but I think really what it comes down to is we need collaboration, we need working groups, we need think tanks, and we need to build a framework for our industry so that we can be objective in our measurements.
David Spark: Very good. Thank you very much, Matt. Thank you very much, Geoff. Thank you to our audience as well. We greatly appreciate you contributing and also listening to Defense in Depth.
Voiceover: We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please – write a review. Leave a comment on LinkedIn, or on our site CISOSeries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to Defense in Depth.