Cohesity’s CISO and Head of IT: Data must come first

Article by Brian Spanswick, Chief Information Security Officer, Cohesity

When I joined Cohesity in April 2021 – mid pandemic – the organization was expanding globally, with many employees coming on board in remote working environments. At the same time, we were also expanding our SaaS offerings and SaaS-focused partnerships, including activating our Data Management as a Service (DMaaS) offerings in EMEA and APJ, with the Singapore region launched in June of this year. This rapid growth and acceleration for Cohesity and its customer offering have been pivotal as data management and security intensify their convergence.

Our goal from the start was to reach a state of cyber resilience, commonly defined as the ability to continue delivering business outcomes or processes despite an adverse cyber event – this was, and is, a muscle we wanted to strengthen. We started by assessing foundational cyber security controls to get an understanding of our basic level of security hygiene – the fundamentals of any organization’s security posture. The areas we focused on, which aren’t the coolest things to spend time on but must be addressed thoroughly, were: knowing our assets and our data, having an effective patching strategy, having the ability to scan for known vulnerabilities, making sure data was encrypted in transit and at rest, adopting a least privilege access approach for escalated privileges, and educating our users on social engineering threats and how to handle critical data.

Collaboration will tighten the security posture

From the start, I had the privilege of managing both the SecOps and ITOps teams. In this dual role, which was not only a highly attractive component of the role when being hired, it meant having the additional responsibility of managing ITOps and Business Applications. Why was this so important to me, and is important for organizations? Because organizations should not pursue “security”, their focus should be on how to conduct business securely. To that end, you need to have solid collaboration across the IT and Security functions, and this makes sense on a variety of levels.

When an organization moves past a compliance-driven to a risk-based approach to cyber security, the security posture will be more comprehensive, focusing on both data protection (often a priority for IT organizations) and preventing attacks, and limiting the potential impact of an attack (key focus for InfoSec teams). In a recent survey conducted by Cohesity, we found that there are gaps in collaboration between these teams. Ideally, IT and security decision-makers should jointly own the responsibility for their organization’s data security strategy. Unfortunately, many of these teams are not collaborating effectively to address growing cyber threats. The consequences to the organization are often significant. A complete data security strategy must bring these two focuses and functions together, to close this gap.

 My next priority was to establish a common controls framework that defined our targeted security posture across different attack surfaces. We combined the National Institute for Standards & Technology (NIST) and Centre for Internet Security (CIS) frameworks together to ensure we covered all our bases for our targeted controls. Since these frameworks focus on the operation of the controls, we needed to define KPIs that measured the effectiveness of each control and established a Service Level Agreement (SLA) that defined our targeted security posture across our common controls framework. Once the targets were established for the security controls, we worked with the system or environment owners to ensure the controls were implemented correctly, and that we met the targeted efficacy SLAs. We used the same approach with our SaaS solutions, and even though those controls were operated by partners, it was an effective way to communicate our security requirements and set expectations.

Making progress in security posture quantifiable

Industry-standard frameworks like NIST and CIS are comprehensive and a good place to start. The challenge with both frameworks is that the control description is activity-based but does not describe how to measure the effectiveness of the control. Therefore, my approach was to rewrite the definition of the controls so that they described the intent of the control – not the activity of operating the control – and how effectiveness would be measured.  There is a range of effectiveness where the KPIs and SLAs are defined as “effective”, “mostly effective”, “partially effective”, and “not effective”. This flexibility, and applying it to the correct controls, translates to a more accurate and actionable assessment of the security posture. For example, if you have assessed 90% of the vendors then the KPIs SLA is “effective”, but if you assessed just 60% of the vendors then the KPIs SLA is “partially effective”. This approach can be executed across all the controls in your framework.

Moving to a risk-based approach centered on cyber resilience

It’s essential that the executive staff and the board have an accurate understanding of your security posture and the level of risk that exists so that they can make informed business decisions on how to best manage that risk in alignment with their business objectives. Like most organizations, we “score” risk using the formula (likelihood * impact) but we define those two components differently.  We measure “impact” in dollars regardless of the type of impact. Brand equity, customer satisfaction, and market position are types of impacts that we assign a dollar value to. This creates a common language that business owners can relate to unlike conceptual ratings like “critical” or “high”.

The second modification that we made to the risk formula has to do with likelihood.  When we assess likelihood, we are not assessing the likelihood of a control failure or even the likelihood of a breach, we are assessing the likelihood that the impact could be realized in the next 12 months. By quantifying the impact in dollars and time-boxing it to 12 months, it makes the level of risk that they own real to them and leads to a shared goal of cyber resilience.

 Measuring the current security posture by attack surface

There are usually multiple attack surfaces within an organization, each with their own discreet deployment of security controls that create attack surface-specific security postures. As we identify an attack surface, we work with the owner to understand the relevant controls and how those controls will be assessed. Then, based on the control, we implement a process for ongoing assessment that tells the InfoSec team how effective those controls are in production. We can automate the control assessment from the technology used, but some controls might require a manual entry that is audited at least yearly.

Both types of measures are fed into a metrics dashboard providing a consolidated view of the security posture across multiple attack surfaces. This security governance approach supports the accurate communication of our current security posture and the impact that investments have had on strengthening our posture. In turn, this enables discussions with business owners on the level of risk that aligns with their business objectives and allows them to assess cybersecurity investments against other investment opportunities.

Tightening the Security Posture in a Multi-cloud World

Most companies, including Cohesity, follow a cloud-first or SaaS-first strategy. This approach can be stressful for CISOs since they are extending their security posture beyond what they have direct control over. This means close collaboration with the internal business owner and the partner is vital because you can outsource security controls but you can’t outsource accountability or risk. Ensuring that cloud/ SaaS partners meet the security posture requirements is critical – these relationships can easily become the weakest area of your security posture. It requires partners to comply with the same security policies and standards as internal security control operators. By implementing this approach, as a CISO I become an enabler for the business, while in parallel remain accountable for our organization’s security posture. This approach also helps address the proliferation of shadow IT – a problem that no public or private organization is immune from.

Looking to the future

Having implemented a cloud-first strategy that will lead our IT investments, my plan is to stay aggressive with the movement to the Cloud where it makes sense. Like many IT leaders and organizations, there is a level of technology debt that needs to be addressed, with transitioning to or leveraging cloud capabilities offering the ability to help solve these challenges.

As a CISO at Cohesity, I’ve been able to create a great foundation to build our cyber security capabilities. Our ITOps and SecOps teams work closely together and co-own cyber resiliency outcomes that align to the NIST and CIS frameworks. We will strive to strengthen our ability to deliver business outcomes during a cyber incident by remaining aggressive on our recovery point objective (RPO) and recovery time objective (RTO) targets. We also collaborate closely with our leadership to effectively manage risk for our organization.

---

---

---

---