Innovation Nation

Episode · 7 months ago

Think beyond Compliance – Think Security w/ Edward Chandler


Over the years, the focus of cybersecurity professionals has switched from breach prevention to breach response. Most now agree that it’s unlikely you’ll be able to avoid a breach these days, so the next best thing is to be prepared when one happens.

In this episode of Innovation Nation, I interview Edward Chandler, Account Executive at TÜV SÜD, about the steps companies can take to prepare for the negative innovations of cyber criminals.

Join us as we discuss:

  • The three elements of a successful security program
  • How to prepare for a security breach
  • How cybersecurity plays into the viability of the supply chain
  • Compliance versus security

Tune in on Apple Podcasts, Spotify, or wherever you listen to podcasts.


Innovation is all around us. In fact, everyone innovates, often unbeknownst to themselves. Many mistakenly assume that innovation is either a big capital project, a figurative bolt of lightning that brings inspiration, or the province of some exceptionally gifted person. This is the myth of innovation. But you can innovate as well. You're listening to Innovation Nation, the podcast where top executives and industry experts are sharing their insights on harnessing the power of innovation. We're here to help you stay ahead of the curve by driving your own innovation. Here's your host, Jasmine Martyr Rosen.

Hi. Welcome to another episode of our Innovation Nation podcast. This is your host, Jasmine Martyr Rosen. Joining me today is Ed Chandler. He's joining us from Chicago. He's been working in the area of cybersecurity for the past eleven years. He's with TÜV SÜD and he focuses on cybersecurity and the security of the supply chain. Welcome, Ed.

Jasmine, thanks for having me on.

Well, I'm delighted to have you on. You and I have had a lot of conversations on cybersecurity in the past and how cyber criminals in particular are very good at, quote unquote, innovating, right, because they have to stay ahead of the game. So think of it as negative innovation, but it's innovation of sorts for sure, and I would love to hear your perspectives on challenges in the industry and how the industry can innovate itself.

Yeah, I think you've hit the nail on the head when it comes to the ways that cyber criminals are staying ahead of an organization, and that's really their job. If you think about it, their job is to be innovative in the way that they're doing things and trying to stay ahead of the market that's trying to slow them down or stop them. It's definitely a very interesting topic. As I've worked throughout the industry, throughout the years, what I've noticed is just a change in tendencies. When I first started, in particular, it was "nobody is going to break into my network." I used to call that the Fort Knox model, and then over time that's actually changed to organizations now realizing that they're not going to always prevent people from coming in. In fact, they're not even necessarily trying to stop it as hard as they once were. They've realized that people are going to get in, and it's really more about how quickly can I detect it and how can I minimize my damage?

That's a very interesting perspective, but it almost conveys a sense of resignation.

Yeah. It was a complete one hundred and eighty switch. It was probably about two thousand and fourteen when that switch actually started to come. Some of the brightest chief information security officers I've had the pleasure of meeting with throughout the years started to talk about that around that point in time, and it was a very, very different methodology to think, wow, it's no longer "I'm going to stop you," it's "how do I just minimize the damage from what you can do to me?"

And I've read some staggering statistics that talk about that. It's not just systems. Again, systems are very important in preventing cybersecurity attacks, but a lot of the breaches occur from human error, somebody unwittingly clicking on a phishing email, or just sharing their credentials, or doing something that's not very cautious, opening a link or file. How do we combat that?

Yeah, so any organization, if they want to have a successful security program, what they're going to do is implement three major portions to that program. The first, as you mentioned, Jasmine, is people. How do I educate my people to prevent them from clicking on things such as emails or links that they shouldn't be? How can I prevent them from doing that? And it all comes through education, education, education. Additionally, there's processes, and those processes are things that you can put into place that will help people make the correct decisions as they're going through their day to day lives. It's funny, I look at cybersecurity as you're only as strong as your weakest link, and you need to ensure that people are protected, processes are in place, and by that you've set yourself up for success. Technology is the third area. There's a misconception about technologies in general in cybersecurity, as people start to think, well, this is going to be a silver bullet for me. One thing I've learned throughout my career is that there is no silver bullet to IT security. You need to have multiple layers in place to be able to have a good cybersecurity program, and it's very, very important that you do have technology there. But technologies are really meant to just help make the job of the security team, and the people that are going through those processes on a day to day basis, more efficient, so they're not being bogged down with additional emails that are coming through. A great example is things such as spam filtering and stuff like that.

Now those are really important issues that you're raising, especially when you're talking about building Fort Knox, and that's not exactly quite doable. With cybercriminals driving their own form of innovation, how do companies then also prep themselves to be responsive, to recognize when there is a breach, as you were referencing at the beginning of our conversation? What can they do to be on the ready?

Yeah, there's a few things that they can do. Obviously there's technologies that will help sift through certain types of records to tell you if something is in your system, but really it's just the preparedness. It's to ensure that you have things in place, such as an incident response program or business continuity, that will allow you to continue to do business while you're doing the investigation. The worst thing that you can do during a critical time, in particular a breach, is to panic. You should be going through that incident response, and you should also be practicing that so that everybody knows what to do when something like this occurs. Very similar to the methodologies we use in the office day to day, such as fire drills. Same concept, different idea, but same concept.

Interesting. When you talk about the security of the supply chain, and supply chain has been all over the news from different perspectives, right, with the pandemic, with the disruption of supply chains: how does cybersecurity play into the viability of the supply chain?

Well, in general, when we talk about cybersecurity, there's very few programs, especially the successful ones, that don't take supply chain into consideration. No matter what you're looking at, whether it's credit card data, or just customer information, or your operational technologies, these are all things now that your customers would care about, and the reason why is, look at a manufacturing facility as an example. I'm dependent on what they call just-in-time manufacturing, meaning that I don't have things in stock to be able to continue my manufacturing process, and I'm thinking that the next shipment is going to show up on my doorstep so that I can continue my process. By not worrying about cybersecurity within those organizations, things such as a ransomware attack, something that potentially could stop production, could then affect my business.

Wow, that's amazing. Now the word innovation, which is the focus of our podcast, is generally very positive. Like you won't come across a person who says, "Oh, I don't want to be innovative," right? It's like politicians speaking against children. Doesn't happen. But in our minds and the average person's mind I don't think innovation goes with negative thoughts, but in effect, where it comes to cybersecurity, there's a lot of innovation that humanity probably wishes did not occur. How do organizations stay competitive, to stay ahead of the curve?

Well, what's going on in the industry right now, to stay competitive, I wouldn't even say it's organizations that are working to stay competitive as much as it is industries. We see a lot of industries taking steps forward to ensure supply chains are secure. A great example is the automotive market, whether it's European organizations that utilize frameworks such as TISAX, or US organizations that use self assessments such as TPISR. These are all steps forward and steps in the right direction.

Do you mind elaborating a little bit on these acronyms you used, TISAX and...

Sure. So basically, what TISAX is is a cybersecurity framework where there's a requirement for audits downstream within the automotive supply chain, and specifically European OEMs. OEMs meaning the automotive original equipment manufacturers.

Right, exactly, equipment.

Original equipment manufacturers are pushing these requirements down their supply chain because they're concerned about certain areas such as continuing manufacturing, but also their designs, their data security as it comes to different types of legal requirements for data privacy, etc. In the US, TPISR is the same idea. The only difference is that, instead of utilizing third party auditing, it's based off of self assessments and self assessment questionnaires. And really the idea behind it, no matter whether it's a third party doing these assessments or these self assessment questionnaires, is to make the suppliers start to think about security. As I've seen throughout my career, usually these self assessments end up in larger and greater frameworks, and that's probably the way that we will see that industry go in the long term. But it's very interesting.

That is interesting. So you're seeing a trend more towards third party assessments, or self assessments, or a combination of both?

A combination of both. Obviously third party assessments have benefits and self assessments have benefits. Self assessments are less of an investment from the supplier. However, third party assessments provide a new set of eyes. I think of it sitting back in grade school, when you take a test and you hand your test over to the kid to the right and they would grade your test for you. With a self assessment questionnaire you're not necessarily handing it over to the right. You've got your test in front of you and you're checking your own work, and that's where some questions come in. But I think self assessments are a good way to at least raise awareness and raise the idea of cybersecurity and push organizations into making these types of investments.

That's actually interesting. I mean, if I were the decision maker for such a sensitive area as cybersecurity, for assessments, I'd first make sure we have the rigor of self assessment and then would double check with third party verification.

Absolutely. Any standard that you look at today also usually requires that you do internal audits, whether it's a third party assessment or doing it yourself. So there always is that self assessment portion. But again, the idea is that having that third party, that set of eyes, can actually add value to your organization and to your security protocols.

What I'm hearing, what I'm inferring from what you're telling me, is the best approach for organizations and entire industries is to have that kind of mindset change, right, to not just do it as a check mark, but to have the rigor of almost building that into your DNA.

Yeah, absolutely. When we look at the history of audits, there's a framework out there that was adopted very, very well. Now it's a very strong industry when it comes to cybersecurity: the credit card industry standards. When that framework first came out, what organizations did was they started to do point in time assessments, where they would be sitting for eleven months of the year, they would just kind of do business as is, and then they'd run their security frameworks up and going and have everything in process to have this audit happen. Then the auditor would come in, they would pass, and then it'd go back to the same way it was for the past eleven months. And that's pushed different types of organizations, such as the PCI SSC, to start implementing tools and requirements that have organizations start to look at cybersecurity on a regular basis throughout and ensure that they are, otherwise they wouldn't be able to pass their audits. And that has forced organizations not only to have more secure systems, but it's also had organizations become more security minded, more prepared, and as they go out into the market and other organizations, sometimes that moves along with them.

So I'm hearing you say the old way of doing business is no longer viable. You can't behave like a college or university student that goofs off the entire semester and then crams overnight for a couple of nights to be prepped for that exam, and then goes on goofing off, and you don't even have long term retention of information.

Exactly. And that's the age-old argument of the difference between compliance and security. How do you ensure that an organization is secure? Well, typically the first step can be through compliance and putting those frameworks in place and stuff like that. However, just because you're compliant doesn't mean you're secure, because you can do that cramming.

Oh wow, that's a really acute distinction. I think we need more education on the dichotomy. You can be compliant but not secure. Make sure you're compliant and secure, and that's a different frame of thinking.

Exactly, exactly. And the idea is that when you're secure, typically you probably will meet compliance, rather than compliance for security. It just so happens that organizations tend to start to make these steps forward due to compliance, and we have to get out of that mindset. We have to get into: how do I secure my organization? How am I going to protect my organization? What is critical to me? What am I trying to protect?

That's a really keen insight. Drive with security rather than for compliance. You're right, because if you're really secure, you'll pass the compliance test. You could pass the compliance test otherwise but not be secure and still be vulnerable.

Exactly. It's something that has been preached for a very long time. However, with too many organizations I still see a lot of the same trends out there, and these are trends that we as organizations, and we as industry leaders, can be talking about and start to try to change that mindset and perception.

I think we've all encountered such situations. I remember walking into a bank branch, especially when there was less online banking, and it was looking very spick and span, and I said, wow, what's going on? And they're like, oh, we're going to be audited. That's a classic, doing the check work for compliance. They'll pass.

Yeah. Going back to what you were talking about earlier, Jasmine, about the kid who's getting ready to go through their final exam and is starting to cram for the last couple of weeks, it's almost more work to do it at that time than to just continue on with the processes.

I could not agree with you more. In fact, even in day to day life with my teams, I advise them, especially if we track the analytics, to capture things as you go. If you don't, it becomes a production; you all of a sudden have a huge project. If you do it right as you progress, then it almost takes care of itself, and to me it's a no brainer, but it's hard for a lot of people to really internalize that.

It is. I guess the interesting part about cybersecurity in general is that it is becoming a more common topic throughout all different industries. We talked about aerospace. We're starting to see it with defense as well. Anybody who's sitting on these supply chains is subject to, at one point or another, people looking and being curious about their security, and people want to ensure that not only are the people they're doing business with providing good product, but they're also able to provide it on time and that their information is secure, because that's just as, if not more, valuable.

And it has huge impact on individual people. And sometimes people think, oh, cybersecurity, it's not about me, it's out there, but it affects your customer base, it affects all the individuals. I mean, unfortunately we've all dealt with credit card breaches, or major retailers' breaches, where your cards have been used, and even the IRS was hacked, the US Department of State. I mean, it's everywhere. Those are some of the most secure systems you could think of.

It's everywhere, but it's also everyone. There's a misconception that, as organizations start to look at cybersecurity, you hear, "it's not me, I'm not part of the security team," but really it's everybody who's part of the security team, and the idea of ensuring: am I supposed to click that email? Should I open that attachment? What process do I take when I see something that I'm just not really sure about? These are all questions that a lot of people go through in their day to day processes, and it's so important that everybody realizes that we are only as strong as our weakest link, and ensuring that these organizations are preparing themselves for security and realizing that everybody is part of the security team. It's not just your IT security professionals.

Oh, I could not agree with that more. That absolutely, truly affects every single human being, and the more people are cognizant of that, the more they'll see themselves as part of the solution.

Absolutely, absolutely.

Well, it's been a very insightful conversation, and your adage about being compliant does not make you secure will stay with me for a long time, because that's a really deep insight. Any other closing thoughts?

No, I guess the only thing that I find interesting is that we talked a little bit about automotive and I mentioned the Department of Defense supply chains. One thing that, in general, people are starting to talk about is a lot of different industries looking at different ways of securing themselves, and it's not something that's going to go away. It's something that's going to continue to grow and innovate but also build upon itself.

Excellent. Thank you very much, Ed, for joining our Innovation Nation podcast. This was TÜV SÜD's Ed Chandler, and this is your host, Jasmine Martyr Rosen. Thank you.

You've been listening to Innovation Nation. For more, subscribe to the podcast in your favorite podcast player or connect with us on LinkedIn. Thanks for listening.
