Innovation Nation

Episode · 2 months ago

Think beyond Compliance – Think Security w/ Edward Chandler


Over the years, the focus of cybersecurity professionals has switched from breach prevention to breach response. Most now agree that it’s unlikely you’ll be able to avoid a breach these days, so the next best thing is to be prepared when one happens.

In this episode of Innovation Nation, I interview Edward Chandler, Account Executive at TÜV SÜD, about the steps companies can take to prepare for the negative innovations of cyber criminals.

Join us as we discuss:

  • The three elements of a successful security program
  • How to prepare for a security breach
  • How cybersecurity plays into the viability of the supply chain
  • Compliance versus security


Innovation is all around us. In fact, everyone innovates, often unbeknownst to themselves. Many mistakenly assume that innovation is either a big capital project, a figurative bolt of lightning that brings inspiration, or the province of some exceptionally gifted person. This is the myth of innovation. But you can innovate as well. You're listening to Innovation Nation, the podcast where top executives and industry experts are sharing their insights on harnessing the power of innovation. We're here to help you stay ahead of the curve by driving your own innovation. Here's your host, Jasmine Martirosyan.

Hi. Welcome to another episode of our Innovation Nation podcast. This is your host, Jasmine Martirosyan. Joining me today is Ed Chandler. He's joining us from Chicago. He's been working in the area of cybersecurity for the past eleven years. He's with TÜV SÜD and he focuses on cybersecurity and the security of the supply chain. Welcome, Ed.

Jasmine, thanks for having me on.

Well, I'm delighted to have you on. You and I have had a lot of conversations on cybersecurity in the past and how cyber criminals in particular are very good at, quote unquote, innovating, right, because they have to stay ahead of the game. So think of it as negative innovation, but it's innovation of sorts, for sure, and I would love to hear your perspectives on challenges in the industry and how the industry can innovate itself.

Yeah, I mean, I think you hit the nail on the head when it comes to the ways that cyber criminals are staying ahead of organizations, and that's really their job, if you think about it. Their job is to be innovative in the way that they're doing things and trying to stay ahead of the market that's trying to slow them down or stop them. You know, it's definitely a very interesting topic. As I've worked throughout the industry over the years, what I've noticed is just a change in tendencies. When I first started, in particular, it was "nobody is going to break into my network." I used to call that the Fort Knox model, and then over time that's actually changed to organizations now realizing that they're not going to always prevent people from coming in. In fact, they're not even necessarily trying to stop it as hard as they once were. They've realized that people are going to get in and it's really more about how quickly can I detect it and how can I minimize my damage?

That's a very interesting perspective, but it almost conveys a sense of resignation.

Yeah, it was a complete 180-degree switch. It was probably about 2014 when that switch actually started to come. Some of the brightest chief information security officers I've had the pleasure of meeting with throughout the years started to talk about that around that point in time, and it was a very, very different methodology to think, wow, it's no longer "I'm going to stop you," it's "how do I just minimize the damage from what you can do to me?"

And I've read some staggering statistics that talk about that. It's not just systems. Again, systems are very important in preventing a cybersecurity attack, but a lot of the breaches occur from human error, somebody unwittingly clicking on a phishing email or just sharing their credentials or doing something that's not very cautious, opening a link or file. How do we combat that?

Yeah, so any organization, if they want to have a successful security program, what they're going to do is implement three major portions to that program. The first, as you mentioned, Jasmine, is people. How do I educate my people to prevent them from clicking on things such as emails or links that they shouldn't be? How can I prevent them from doing that? And it all comes through education, education, education. Additionally, there's processes, and those processes are things that you can put into place that will help people make the correct decisions as they're going through their day-to-day lives. You know, it's funny, I look at cybersecurity as you're only as strong as your weakest link, and you need to ensure that people are protected and processes are in place, and by that you've set yourself up for success. Technology is the third area. There's a misconception about technologies in general in cybersecurity, as people start to think, well, this is going to be a silver bullet for me. One thing I've learned throughout my career is that there is no silver bullet to IT security. You need to have multiple layers in place to be able to have a good cybersecurity program, and it's very, very important that you do have technology there. But technologies are really meant to just help make the job of the security team and the people that are going through those processes on a day-to-day basis more efficient, so they're not being bogged down with, you know, additional emails that are coming through. A great example is things such as spam filtering and stuff like that.

Those are really important issues that you're raising, especially when you're talking about building Fort Knox and that's not exactly quite doable. With cyber criminals driving their own form of innovation, how do companies then also prep themselves to be responsive, to recognize when there is a breach, as you were referencing at the beginning of our conversation? What can they do to be on the ready?

Yeah, I mean, there's a few things that they can do. Obviously there's technologies that will help sift through certain types of records to tell you if something is in your system, but really it's just the preparedness. It's to ensure that you have things in place, such as an incident response program or business continuity, that will allow you to continue to do business while you're doing the investigation. The worst thing that you can do during the critical time of a breach is to panic. You should be going through that incident response, and you should also be practicing that so that everybody knows what to do when something like this occurs. Very similar to the methodologies we use in the office day to day, such as fire drills. Same concept, different idea, but same concept.

Interesting. When you talk about the security of the supply chain, and supply chain has been all over the news from different perspectives, right, with the pandemic, with the disruption of supply chains, how does cybersecurity play into the viability of the supply chain?

Well, in general, when we talk about cybersecurity, there are very few programs, especially the successful ones, that don't take supply chain into consideration. No matter what you're looking at, whether it's credit card data or just customer information or your operational technologies, these are all things now that your customers would care about, and the reason why is, look at a manufacturing facility as an example. I'm dependent on what they call just-in-time manufacturing, meaning that I don't have things in stock to be able to continue my manufacturing process, and I'm thinking that that next shipment is going to show up on my doorstep so that I can continue my process. By not worrying about cybersecurity within those organizations, things such as a ransomware attack, something that potentially could stop production, could then affect my business.

Wow, that's amazing. Now, the word innovation, which is the focus of our podcast, is generally very positive. Like, you won't come across a person who says, oh, I don't want to be innovative, right? It's like politicians speaking against children. Doesn't happen. But in our minds and the average person's mind I don't think innovation goes with negative thoughts, but in effect, where it comes to cybersecurity, there's a lot of innovation that humanity probably wishes did not occur. How do organizations stay competitive, stay ahead of the curve?

Well, you know what's going on in the industry right now. I wouldn't even say it's organizations that are working to stay competitive as much as it is industries. We see a lot of industries taking steps forward to ensure supply chains are secure. A great example is the automotive market, whether it's European organizations that utilize frameworks such as TISAX, or US organizations that use self-assessments such as TPISR. These are all steps forward and steps in the right direction.

Do you mind elaborating a little bit on these acronyms you used, TISAX and...?

Sure. So basically, what TISAX is is a cybersecurity framework where there's a requirement for audits downstream within the automotive supply chain, and specifically European OEMs. OEMs meaning, like, the automotive...

Original equipment manufacturers.

Right, exactly. Original equipment manufacturers are pushing these requirements down their supply chain because they're concerned about certain areas such as continuing manufacturing, but also their designs, their data security as it comes to different types of legal requirements for data privacy, etc. In the US, TPISR is the same idea. The only difference is that, instead of utilizing third-party auditing, it's based off of self-assessments and self-assessment questionnaires. And really the idea behind it, no matter whether it's a third party doing these assessments or these self-assessment questionnaires, is really to make the suppliers start to think about security. You know, as I've seen throughout my career, usually these self-assessments end up in larger and greater frameworks, and that's probably the way that we will see that industry go in the long term. But it's very interesting.

That is interesting. So you're seeing a trend more towards third-party assessments or self-assessments, or a combination of both?

A combination of both. Now, obviously third-party assessments have benefits and self-assessments have benefits. Self-assessments are less of an investment from the supplier. However, third-party assessments provide us a new set of eyes. So I think of it as sitting back in grade school, when you take a test and you hand your test over to the guy to the right and then they would grade your test for you. With a self-assessment questionnaire you're not necessarily handing it over to the right. You've got your test in front of you and you're checking your own work, and that's where some questions come in. But I think self-assessments are a good way to at least raise awareness and raise the idea of cybersecurity and push organizations into making these types of investments.

That's actually interesting. I mean, if I were the decision maker for such a sensitive area as cybersecurity, for assessments, I would first make sure we have the rigor of self-assessment and then would double check with third-party verification.

Absolutely. I mean, any standard that you look at today also usually requires that you do an internal audit, whether it's a third-party assessment or doing it yourself. So there always is that self-assessment portion. But again, the idea is that having that third party, that set of eyes, can actually add value to your organization and to your security protocols.

What I'm hearing, what I'm inferring from what you're telling me, is the best approach for organizations and entire industries is to have the very kind of mindset change, right, to not just do it as a checkmark, but to have the rigor of almost building that into your DNA.

Yeah, absolutely. And when we look at the history of audits, there's a framework out there that was adopted very, very well, and now it's a very strong industry when it comes to cybersecurity: it was for the credit card industry standards. When that framework first came out, what organizations did was they started to do point-in-time assessments, where they would be sitting for eleven months of the year just doing business as is, and then they would run their security frameworks up and going and have everything in process to have this audit happen, and then the auditor would come in, they would pass, and then it would go back to the same way it was for the past eleven months. And that's pushed different types of organizations, such as the PCI SSC, to start implementing tools and requirements that have organizations start to look at cybersecurity on a regular basis throughout the year and ensure that they are, otherwise they wouldn't be able to pass their audits. And that has forced organizations not only to have more secure systems, but it's also had organizations become more security minded, more prepared, and as they go out into the market and other organizations, sometimes that moves along with them.

So I'm hearing you say the old way of doing business is no longer viable. You can't behave like a college university student that goofs off the entire semester and then crams overnight for a couple of nights to be prepped for that exam and then goes on goofing off, and you don't even have long-term retention of information.

Exactly. And that's the age-old argument of the difference between compliance and security. How do you ensure that an organization is secure? Well, typically the first step can be through compliance and putting those frameworks in place and stuff like that. However, just because you're compliant doesn't mean you're secure, because you can do that cramming.

Oh wow, that's a really acute distinction. I think we need more education on the dichotomy. You can be compliant but not secure. To make sure you're compliant and secure, that's a different frame of thinking.

Exactly, exactly. And the idea is that when you're secure, typically you probably will meet compliance rather than, you know, compliance for security. It just so happens that organizations tend to start to make these steps forward due to compliance, and we have to get out of that mindset. We have to get into how do I secure my organization? How am I going to protect my organization? What is critical to me? What am I trying to protect?

That's a really keen insight. Drive with security rather than for compliance. You're right, because if you're really secure, you will pass the compliance test. You could pass the compliance test otherwise but not be secure and still be vulnerable.

Exactly. It's something that has been preached for a very long time. However, in too many organizations I still see a lot of the same trends out there, and these are trends that we, as organizations and as industry leaders, can be talking about and start to try to change that mindset and perception.

I think we've all encountered such a situation. I remember walking into a bank branch, especially when there was less online banking, and it's looking very spick and span, and I said, wow, what's going on? And they're like, oh, we're going to be audited. That's a classic, you know, doing the checkmark for compliance. They'll pass.

Yeah, it's almost, you know, going back to what you were talking about earlier, Jasmine, about the kid who's getting ready to go through their final exam and is starting to cram for the last couple of weeks. It's almost more work to do it at that time than to just continue on with the processes.

I could not agree with you more. In fact, even in day-to-day life with my teams, I advise them, especially if we track the analytics day to day, to capture things as you go. If you don't, it becomes a production, and you all of a sudden have a huge project. If you do it right as you progress, then it almost takes care of itself, and to me it's a no-brainer, but it's hard for a lot of people to really internalize that.

It is. I guess the interesting part about cybersecurity in general is that it is becoming a more common topic throughout all different industries. We talked about aerospace. We're starting to see it with defense as well. Anybody who's sitting on these supply chains is subject to, at one point or another, people looking and being curious about their security, and people want to ensure that not only are the people they're doing business with providing good product, but they're also able to provide it on time and that their information is secure, because that's just as, if not more, valuable.

And it has a huge impact on individual people. And sometimes people think, oh, cybersecurity, it's not about me, it's out there. But it affects your customer base, it affects all the individuals. I mean, unfortunately we've all dealt with credit card breaches, you know, or major retailers' breaches, where your cards have been used, and even the IRS was hacked, the US Department of State. I mean, it's everywhere. Those are some of the most secure systems you could think of. It's everywhere.

It's everywhere, but it's also everyone. So there's a misconception that, as organizations start to look at cybersecurity, you hear that "it's not me, I'm not part of the security team," but really it's everybody who's part of the security team, and the idea of ensuring that: Am I supposed to click that email? Should I open that attachment? What process do I take when I see something that I'm just not really sure about? These are all questions that a lot of people go through in their day-to-day processes, and it's so important that everybody realizes that we are only as strong as our weakest link, and ensuring that these organizations are preparing themselves for security and realizing that everybody is part of the security team. It's not just your IT security professionals.

Oh, I could not agree with that more. That absolutely, truly affects every single human being, and the more people are cognizant of that, the more they'll see themselves as part of the solution.

Absolutely, absolutely.

Well, it's been a very insightful conversation, and your adage that being compliant does not make you secure will stay with me for a long time, because that's a really deep insight. Any other closing thoughts?

No, I mean, I guess the only thing that I find interesting is that we talked a little bit about automotive and I mentioned the Department of Defense supply chains. One thing that in general people are starting to talk about is a lot of different industries looking at different ways of securing themselves, and it's not something that's going to go away. It's something that's going to continue to grow and innovate but also build upon itself.

Excellent. Thank you very much, Ed, for joining our Innovation Nation podcast. This was TÜV SÜD's Ed Chandler, and this is your host, Jasmine Martirosyan. Thank you.

You've been listening to Innovation Nation. For more, subscribe to the podcast in your favorite podcast player or connect with us on LinkedIn. Thanks for listening.
