Larry Shoup is the CEO of ClearArmor Corporation, a cyber security firm focused on CyberSecurity Resource Planning (CRP). Larry is a seasoned executive with experience from successfully founding start-ups to leading major subsidiaries of Fortune 500 companies. He was an Ernst & Young Entrepreneur of the Year. He is a recognized world-wide expert in IT Asset Management which is foundational to a successful Cyber Security program. Prior to moving into executive management Larry spent many years in information technology as a programmer, system analyst and data base administrator.
Larry Shoup will be speaking at the Global Cyber Security Summit on October 12-13 in London, United Kingdom.
Christopher P. Skroupa: Why is it important for CEOs and boards to actively govern their cyber security efforts?
Larry Shoup: It’s because cyber security presents a very fundamental enterprise-level risk to the organization—a significant risk that is very damaging, if it occurs. In the same way CEOs and boards manage any other enterprise-level risk, they have to manage this risk because it is pervasive and it is damaging. Everybody is a target and size doesn’t really matter anymore—ransomware goes after fairly small organizations so size doesn’t protect them from that. These people are talented, they are organized, they are tenacious, they are very good at figuring out how to attack you and monetize your misfortune. People used to think of hackers as kids in their garages with something to prove, but these are organized businesses now that have CEOs, management structures, business plans, and hire smart people.
The other reason the board needs to do it, in the event that something does happen—and it is likely that at some point in time you will have a cyber security breach—is that you have to defend yourself. You may have to defend yourself to regulators or in a court of law if you get sued by people saying you failed in your fiduciary responsibility to protect their data. If you don’t take cyber governance seriously, you won’t have any evidence to produce. If you’re in a courtroom, you have to present concrete evidence to say that you did everything you could to protect yourself. If you’re in front of a regulator, and you had to prove you did everything you could, what would you say?
Unfortunately, for a lot of companies, the answer is that “We asked everyone once a month if we did a good job and they kept telling us yes and we believed them.” This isn’t going to help you defend yourself at all. Another reason to do it is that most people are spending a lot of money on cyber security. It’s not like organizations aren’t invested in products and processes and people but it’s been a disjointed, chaotic, and disorganized investment. What we’ve done is we’ve bought a lot of point solutions over time as new threats have occurred. The general sense of most organizations is that “We’re probably wasting money on cyber security. We can probably spend less money and get a better result if we pay more attention to governing this.”
Skroupa: What are the challenges that CEOs and boards face in governing cyber security?
Shoup: I think one of the primary challenges is time. They don’t have enough time to do the things they’re already being tasked with, and time is one of the things you can’t make more of.
Another issue for CEOs and boards is “I don’t want to become an expert in cyber security and learn all of the nuances and all of the details of cyber security.” The fundamental challenge of the board is visibility—they don’t have visibility into the entire process because it has grown up in such a disorganized way.
Skroupa: Is there a governance model that CEOs and boards can follow for cyber security?
Shoup: When you think about this, governance is not something new—it has been a primary job of boards and CEOs for a long, long time. It’s not that we’re new to the idea of governance. We just have not applied it in a rigorous manner for cyber security. We think the model that applies very well for cyber security is financial governance. It’s one of the things that people have done the longest in organizations; most folks are very good at financial governance. We trust the numbers, we believe the income statement, we trust the balance sheet. If we are subject to Sarbanes-Oxley we know it’s right because we have the chance of going to jail if it’s wrong. We think the financial governance model carries over very well to cyber security.
Skroupa: What are the key practices of financial governance that apply to cyber governance?
Shoup: The first that comes to mind is independence. A core principle in financial governance is the people that are doing the auditing and verification are independent from the people that do the day-to-day financial work. That is generally not true in cyber security. Almost all of the data presented to the board and CEO comes from the security people. The same people doing the work to protect the organization are also the ones doing the reporting up to the board. We’re asking people to self-report and say if they’re not doing a good job.
The second principle is being based upon data. Financial governance is based upon a large quantity of financial transactions in the accounting system. All of that data boils up to and gets summarized at a very high level into a two-page income statement or one-page balance sheet, but it is all based upon data that has been rolled up, summarized, aggregated and analyzed. In cyber security most of the data that the executives get to see is all hand-prepared—it’s been massaged so that they get PowerPoints and Excel spreadsheets that look like aggregated data, but it has all been typed by somebody.
We take that kind of data all of the time in cyber security—a lot of what gets presented now for cyber governance is basically a survey based upon opinions. It looks nice, it gets put into dashboards, fancy gauges and charts, but if you ask where that data came from, it’s probably surveys of opinions on whether people are doing their jobs, and people say, “Yes, we’re good.”
Another principle is rationalizing disparate data sources. In financial governance, one of the things we do is we take the checking account balance that is in the accounting system and reconcile it to the bank statement. If they don’t match, we generally trust the bank statement and go back to see what we did wrong in our accounting work. I think the principle applies in cyber security—this is another area that a lot of people don’t do. For example, if the technical people come and say we have 5,000 desktops and we are 100 percent patched on those, well, 100 percent patched is a good thing. The question, though, is whether the 5,000 number is right. If you’re missing 2,500 computing devices and can’t find them, does that mean that they are lost, stolen or being hoarded? Are the missing devices a security risk? What if that means your network identification and discovery tools haven’t been configured correctly? If I can’t find it, how am I going to protect it? A lot of what we need to do is go back and say, okay, you said there’s 5,000 of these; does that make any sense?
What we need to do is go back to a trusted data source, in the same way that a bank statement is a trusted source on the financial side. What do we have internally for trusted data sources? There are two I can think of. One is the financials—we tend to trust the financials because we do audit them to make sure the financials are right, so we believe the financials when we see them. We also tend to trust the employee counts. Most folks manage headcounts really well; they know how many employees they have, not “about” how many, they know exactly how many employees they have. One of the things you want to do is, when you get that 5,000 number, you say, does that make any sense going back to how much we’ve spent the past year or how many employees we have? You want to go back to trusted data sources.
Another principle that we work very hard at in financial governance is to build a culture of financial responsibility. We work hard to instill that notion that it’s everyone’s job to be financially responsible and to spend wisely. Culture is a critical area of cyber security. Over half of data breaches are caused by a human error such as replying to a phishing email, sharing credentials, or writing passwords on a piece of paper and sticking it behind their computer monitor. It’s really important to gather data to make sure that the cyber security culture is being built and is effective. Training needs to be tracked and verified. Training needs to be aged. Having a pretty policy manual that no one follows is worthless. Policy violations must be tracked.
A big part of financial auditing is sampling, where we go and we see a deposit in the checking account and we say, what is this deposit? They say that it’s a sale and we go check the documentation to make sure it’s real and not just there to make the revenue look good—we need to do the same thing in cyber security. We need to go back to the purchasing records and sample whether machines can be accounted for. Every machine I can’t account for is a security risk. We do the same in configuration auditing. Say we have 500 production servers and run the configuration auditor on a random 10 percent. If they pass with flying colors and there are no vulnerabilities, we say that we are doing a good job. If they failed and had lots of vulnerabilities, we dig into the details to find out what went wrong. We do the same with vulnerability testing on another 10 percent and see if we can break into them. Sampling will be another key practice that tends not to be done in cyber security, and it needs to be done by people who are independent.
Skroupa: What are the initial steps for CEOs and boards to build a core business competency in cyber governance?
Shoup: I think the key is building a core business competency in cyber security. You have to realize that cyber security is not going to go away. It’s something we have to do and get better at as time goes on. It’s not a flash in the pan—as long as there are cyber criminals trying to attack me, then I have to do this for the long haul. The first thing to recognize is the commitment to it. The second thing to recognize is that time is not your friend. The world is only getting worse and cyber criminals are only getting better at what they’re doing; we’re adding more stuff, we’re connecting more things together, our attack surface is growing.
Cyber security is never going to be any easier than it is today, so get started now. What are we waiting for and why are we not getting started on this?
I think that organizations will do cyber governance eventually. It can be done proactively, in control, and can be a competitive advantage, or it can be done reactively after something bad happens, and then you will have to do it in a big hurry. In terms of doing it, there are really two steps: the first step is to convince yourselves that you actually have an adequate and accurate inventory of everything that needs to be protected. You have to take it back to your purchasing records and your employee counts and be convinced that you found it. If you can’t find it, you can’t protect it.
At the same time you have to prioritize where you are going to put your efforts in cyber security. You think from the business side: what is the most important thing to protect, what is the most valuable thing a cyber criminal will want to get their hands on? This is business prioritization, and when you have those two pieces in place, what you do is now you understand what your number one priority is and how it maps onto your IT environment. So how much of my IT environment can be used to get to this one thing? If you have a standalone single database that hardly anybody can connect to, it might be very important, but it might be easy to protect because it has very limited connectivity.