Gene Fredriksen is the Chief Information Security Officer for PSCU. He is responsible for the development of information protection and technology risk programs for the company. Gene has over 25 years of information technology experience, with the last 20 focused specifically in the area of information security. In this capacity, he has been heavily involved with all areas of audit and security. Gene has served on the R&D committee for the Financial Services Sector Steering Committee of the Department of Homeland Security. Gene was recently appointed to represent credit unions in the Global Forum to Advance Cyber Resilience.
Christopher P. Skroupa: Short of spending unlimited amounts of money on new tools, what can a CISO do to keep pace with the escalating threat levels?
Gene Fredriksen: Trying to deal with the deluge of new and emerging threats is a losing proposition. A CISO needs to turn threats and risk feeds into actionable intelligence by filtering the input through an understanding of what tools, operating systems and features are used in the environment—this reduces the noise significantly. If you couple this with benchmarking and input from the CISO’s peers in the same geography and/or sector, the threat equation will be much easier to handle.
Skroupa: How important is it to control the connections and tools associated with your company’s supply chain?
Fredriksen: Incredibly important, not just from a security perspective but also from an operational perspective in regards to business support. The supply chain is the lifeblood of your company, and an interruption may result in a corruption of data or worse yet, the loss of inventory availability or data input critical to the service of your customers.
Every organization should establish and maintain effective vendor and third-party management programs considering the increasing reliance on external and cloud providers. They must understand the details of arrangements with outside parties and ensure adequate controls and oversight for the engagement of the relationships and ongoing monitoring. To ensure functions are conducted appropriately, organizations should have comprehensive contract provisions and adequate due diligence processes. They should also monitor service providers for compliance with contracts and service level agreements. Contractual provisions should define the terms of acceptable access and potential liabilities in the event of fraud or processing errors.
Skroupa: What capabilities are emerging for information sharing and benchmarking?
Fredriksen: Information Sharing and Analysis Organizations (ISAOs) are a strong organization type emerging in the U.S. and globally. ISAOs focus specifically on a specific sector such as credit unions, ports, global manufacturing, etc. They combine easy access to peers and benchmark data with access to actionable, applicable, sector-specific intelligence.
Cyber resilience is dependent upon the real-time availability of proactive operational, regulatory and threat intelligence, as well as analysis, coordinated response, best practice adoption and role-based workforce education. Protecting critical infrastructure requires an unprecedented level of cooperation and coordination to bridge physical and cyber domains. A sustainable collaborative infrastructure connects public/private stakeholders, breaking down existing silos and boundaries.
Skroupa: Why is it important?
Fredriksen: Your infrastructure represents the assets, systems and networks (physical or virtual) so vital that incapacitation or destruction could have debilitating and catastrophic cascading impacts within your business and sector. As cyber critical global infrastructure threats and attacks continue to increase in frequency, severity, and sophistication, cascading impacts can result in catastrophic incidents.
Skroupa: How do you select the necessary metrics to show senior management?
Fredriksen: Boards now regularly meet with the CISO of the organization. Even though they are getting reports from enterprise risk management and external independent sources, boards are now taking the time to meet with the CISO at least annually to get the state of cyber security from the organization’s information security program expert.
Board members want to know what the key cyber security issues are from the CISO, particularly from a business perspective—the key issues identified, the security strategies and ongoing projects to address the issues, etc. The CISO should identify any key roadblocks or competing strategies that may affect their ability to deliver.
CISOs should be prepared to discuss current data breaches within the organization’s industry and how their program compensates for the vulnerabilities that led to other breaches. CISOs are generally the “heart and soul” of an information security program in most organizations, and as such, the board values their input—they should aim to be a trusted advisor for the board.
Skroupa: What does the board want to hear from you?
Fredriksen: Why is it important that the board understand the current state of cyber security in the company? Let’s start with the value proposition as driven by the world in which we live given the following circumstances: increased frequency of significant cyber attacks, the all-encompassing nature of cyber breaches and the effects on long-term profitability.
There is no doubt that significant cyber attacks are not only occurring more frequently, but also exponentially increasing in technological sophistication. This makes every company more susceptible to breach, and subsequently, the possibility of significant damage to the financial health of an organization.
No company or organization is immune to cyber attacks—we can’t name a sector that has not been affected. Even our most secure and sophisticated military systems have been compromised. This is because of the three vectors that can be leveraged in an attack: people, process and technology. Technological sophistication is not a guarantee against compromise.
The effects of a breach can significantly impact the long-term profitability of a company, resulting in risks to investors not just through the immediate impact of the news of the breach, or the fines or the publicity. Long term, clients and customers will react to a loss of trust in an organization, and may, as we say, vote “with their feet” to go somewhere they feel safer or more comfortable.
Given the nature of cyber threats, we can reasonably assume that public companies must report significant breaches. The board should include formal actions to monitor, assess and govern cyber security based on the company’s risk profile.
We also understand there are barriers. There is uncertainty regarding board expectations or requirements when it comes to cyber risk. The ever-changing SEC guidance and cyber security legislation are also obstacles that every CISO should continuously monitor. It has been said that laws and regulations are written in Washington, but defined in the courts. This is no different. The actual implementation of this direction will be defined through hard work, litigation and industry leadership. CISOs should use peer groups, industry organizations, news feeds, and any other source they can find. The only certainty here is that more change is coming in the next few years.
Audit committees traditionally focus on financial risk, so significant cyber security expertise may not be available to the board. Let’s face it—cyber risk is new to audit committees too. They have been organized for years to deal with “traditional” areas of market and financial risk. Yes, the audit committee reviews internal audit findings, but they aren’t in-depth cyber reviews as we see today. Boards will recruit cyber expertise, but it will take time.
Christopher P. Skroupa is the founder and CEO of Skytop Strategies, a global organizer of conferences.