Managing an Agile Security Operations Program

RH-ISAC: When you started at Conair, what were the biggest influences on your security program? What helped shape the way you made and still make decisions?

Ken: A big influence on our security program is the fact that Conair’s security operations program resides under the chief information officer in the IT department. Being part of IT has enabled the program to leverage key IT resources with critical business knowledge. This has helped me to create a security program nimble enough to support security related initiatives efficiently and effectively.

 There are challenges to having a security operation within the IT group, and we have to be very aware of segregating duties and not overloading any individual or team. Historically, companies have been tempted to assign critical security tasks to IT teams who were already fully utilized, meaning neither role was done as completely as it should be. But we take care to ensure that we get the best of both worlds, and that the security and IT teams can leverage each other’s experience and expertise.

RH-ISAC: What are some capabilities that have helped you to navigate and build a ‘nimble’ security program, as you call it?

Ken: Some of the key must-have capabilities for me have been:

• Identity and access management – In today’s world, more and more of our workers and users are accessing systems and networks from all over. There’s really no such thing as a network “perimeter” anymore—that perimeter is everywhere. So, knowing and controlling who is accessing our network, and why, and for what is absolutely critical.
• Application security – Applications are obviously a critical part of modern business, and security has to be an integral part of their development, not an afterthought.
• Device management (BYOD and corporate controlled) – We always need to balance security with operational efficiency and cost. Device management is key. For corporate devices, it’s key that we’re ensuring that vulnerabilities are addressed and patches are applied in a timely fashion. For BYOD (bring your own device), we need to make sure we are balancing the convenience and cost savings with proper access control and security.
• Security audit (ability to self-assess) – This is one of the key components of any security program, and it’s why we use an established framework (CIS CSC). Without measuring and auditing our progress, we don’t know how far we’ve come or how far we need to go to be where we need to be.
• Network (including firewall management and email security) – Monitoring and securing our networks as much as possible is still absolutely critical to modern security. It’s the foundation, really.

Conair also partners with a consulting firm for executive guidance and security program development, as well as security audits and security program direction. This has been essential to my success as an executive and has helped me put in place the security program we have today.  

RH-ISAC: As a company with a small security team, do you outsource to supplement resource gaps?

Ken: Absolutely. A key aspect of our outsourcing is gaining the expertise provided by specialized security companies. As a small security program, we do try to outsource as much as possible. The biggest driver to outsourcing is the availability of resources that can support the capabilities of Conair’s security program.

Because Conair’s program resides under the IT department and leverages matrixed IT staff to support the internal capabilities of the program, our internal resources may have the technical expertise to support security capabilities but may not have the expertise or the subject matter expertise in security. That’s where some of our outsourcing partners come in: they provide that expertise to us, for a fraction of the cost of us maintaining a full-time resource.

Conair outsources its security support and monitoring to free up support staff to investigate and remediate incidents and events. We leverage internal support staff for maintaining and applying critical business knowledge in-house. Also, by outsourcing we can supplement skilled staff to support other important operational and business support functions.

RH-ISAC: How do you manage all your outsourced partners?

Ken: We manage our outsourced functions by leveraging service level agreements (SLAs) and hosting monthly vendor management performance calls with key third-party providers. In those meetings, monthly and weekly performance reports are reviewed to ensure the third-party is delivering to the terms of the agreement and meeting the defined SLAs.

RH-ISAC: How do you staff your security program when you have a heavy focus on outsourcing?

Ken: We leverage internal resources on a part-time basis that have the technical capabilities to provide support to the program.

Since we require matrixed resources, we seek talent in certain IT areas such as system administration and IT audit who have inherent business knowledge. IT audit resources have the desire to find and resolve issues for continued process improvement. Soft skills have higher priority because technical knowledge can always be taught, but not motivation.

The main areas of expertise necessary for threat intel and incident response programs for Conair include:

• Technical and security knowledge: Technical knowledge around how to prevent cyber threats.
• Intellectual curiosity: A strong curiosity to understand how things work is a critical success factor.
• Technical aptitude: Identifying resources by understanding technical impact to the business.

Retaining talent is all about challenging them, keeping them engaged, encouraging development, and providing avenues for that development. The best folks in this field are curious, driven, and always hungry for knowledge. Giving them ways to satisfy that curiosity and constantly feed that love of knowledge is a win-win: they continually get better at what they do, and they’re more likely to enjoy the work they’re doing and stick around.

RH-ISAC: Beyond outsourced expertise, what other outside influences and information help shape and develop Conair’s program?

Ken: Establishing strong internal relationships with consulting resources and leadership has helped me develop the security operations program at Conair. Conair also leverages well-known global research and advisory firm for industry information and to further understand the risks and issues that should be addressed within the security program.

A large part of my role at Conair requires good information research to determine the roadmap for Conair’s security program. Information provided by the RH-ISAC has been invaluable in providing best practices and enhancing our security program. Seeing what others within the industry have dealt with, and the solutions they’ve developed to deal with those issues, has been incredibly helpful.

RH-ISAC: In your presentation, you mention several security tools and vendor solutions. Do you stick with commercial tools, or does Conair utilize open source tools? What are the security tools you can’t live without?

Ken: Conair prefers primary tools to be commercially sourced but is not opposed to using open source for secondary tools. And as the program resources are matrixed, vendor solutions are prioritized by time to implement (fast deployment) and internal support requirements.

Conair has leveraged both internal and external development resources for eCommerce sites and to support critical security activities. It has been difficult finding development resources that truly understand security and the impacts to the business.

The top five must have security tools for the Conair security tool portfolio include:

• Vulnerability and patch management – How many breaches have we read about over the years that could have been prevented simply by keeping systems up to date? Any security program that doesn’t prioritize vulnerability and patch management isn’t doing its job.
• Security awareness – You can have the best technology in the world, but if your people aren’t aware, you’re still vulnerable. And this goes beyond your IT and security teams: security must be a company-wide culture, and security awareness training and tools are critical to that.
• Web gateway security / CASB (cloud access security broker) tool – Like most businesses these days, we’re relying more and more on the cloud for a range of services and having a CASB to monitor activity and enforce policies is critical.
• Email security – Phishing and other email attacks have always been one of the most common attack vectors, and recently that’s only increased. A tool that monitors and protects your email is key.
• Robust endpoint security monitoring (not your grandfathers antivirus) – Modern endpoint protection technologies are amazing. Signature-based endpoint and antivirus solutions just don’t cut it most of the time now—you need to monitor behaviors and look for abnormal activity.

RH-ISAC: Our final question for you. If you could go back and give yourself some advice on the day you took this executive-level job, what would you say?

Ken: Knowing what I know now, I’d really stress the fact that it is important to team up and collaborate with peers that lead similar organizations and have like-minded approaches to the challenges we face across the industry.

Organizations like RH-ISAC have helped me to establish some of those relationships. Having open lines of communication with industry peers is helpful for strong relationship building and understanding more about the industry environment. Things change so fast in this space. What you knew yesterday might be out of date tomorrow. You simply can’t keep up with it all yourself—you need to team up with your peers across the industry to stay current.