From The CISO Exchange Floor: Q&A With 3 Experts

Priorities, initiatives and new tech from interviews with security executives

Esther Shein
03/27/2019

Cyber Security Hub talked with speakers and attendees during CISO Exchange West earlier this week. Here, we find out what’s on their minds, what initiatives are on their plates this year and their take on the conference.
(Responses have been edited for length and clarity.)


John Kirkwood
Vice President and CISO
Albertsons-Safeway


John Kirkwood is an industry-recognized Global Chief Information Security Officer who has successfully implemented information and cyber security governance, risk management, controls and compliance programs at large corporations in the financial services and retail industries for more than 18 years.

As the Global CISO for Albertsons Companies, Kirkwood is responsible for ensuring that the information risk management and security program meets the needs of the merged Albertsons and Safeway companies. Albertsons is one of the largest food and drug retailers in the United States, with both a strong local presence and national scale, operating 2,200+ stores across 35 states and the District of Columbia under 18 well-known banners including Albertsons, Safeway, Vons, Jewel-Osco, Shaw’s, ACME Markets, Tom Thumb, Randalls, United Supermarkets, Pavilions, Star Market, Carrs, Haggen and Plated.

CS HUB: When it comes to protecting your network, what keeps you up at night?

KIRKWOOD: Since our network extends to our cloud, we are dependent on our cloud providers to protect our network. The concern is that these partners may or may not have implemented the controls or compensating measures that ensure that threats to us are managed.

CS HUB: Have you recently started adding any artificial intelligence-embedded products to your organization’s security arsenal?

KIRKWOOD: We aggressively utilize AI and machine learning. Virtually all of our tools either utilize ML to create and enhance their rule engine, or AI in determining what new rules should be implemented. Further, we find that there is a symbiotic relationship between ML and AI. AI helps us to improve our existing rule bases; ML uses the learnings from AI in the iterative analysis of events, matching the events to known patterns and vectors of cyber attacks.

CS HUB: How do you know the tool is working?

KIRKWOOD: It’s trust but verify. So for ML we make sure the rules are what they are supposed to be. It makes no sense to find something with AI and then you can’t do anything with it. AI and ML have to work together. I’m trying to get to AI. ML to me is more the arms and legs that are rule-based. AI says, ‘Hey, can I find 100 needles in 1,000 haystacks?’ So AI is being used to enrich what you have and find patterns where you didn’t have them before.

CS HUB: What are your best practices for ensuring visibility when your data resides in multiple and/or hybrid clouds as well as for classifying all connected devices?

KIRKWOOD: We use a CASB (Cloud Access Security Broker) to provide visibility and management of our multi-cloud environment. While CASB software and our internal processes are still maturing, we have found great value in the information we receive from our CASB.

CS HUB: When it comes to being proactive about security, what’s the one piece of advice you’d give your peers that you think is not practiced enough?

KIRKWOOD: I would ask them to focus on how they provide services and capabilities, linking them to overall business priorities. The business proactively typically does not (and probably should not) care about security unless we can demonstrate the benefits or advantages to the business. And we need to be able to move with agility to accommodate the hyper speed of business innovation and transformation.

See Related: “5 Insights Surface From CISO Exchange West”


Mike Pfeiffer
Vice President of Technology
American Solutions for Business


Mike Pfeiffer holds a degree in Computer Information Systems from DeVry Institute of Technology in Kansas City, Missouri. He has over 25 years of IT experience, having served at a data and marketing solutions vendor, a consumer packaged goods company and a trade management solutions provider. As VP of Information Technology, Pfeiffer leads a team of 35 individuals to manage American's infrastructure, including its PeopleSoft system and e-commerce technology. He joined the ASB Leadership Team in 2012.

CS HUB: When it comes to protecting your network, what keeps you up at night?

PFEIFFER: I would say the human component. We spend a lot of time working on cyber awareness and making sure our people know what a threat is and what might be a threat because inherently, they want to do the right thing, they just don’t necessarily know right from wrong. I don’t like the ethics of phishing your own employees — that breaks the line of trust. If we find there are certain issues with people, we do individual training to give them the awareness. I don’t think taking the internet away for a week [as some of the speakers mentioned they do] is the right approach.

We use Mimecast and Sophos for our endpoint protection. Between those two players we gain a lot of share on the protection level. The other thing I do that’s different is I extend the protection umbrella to employees’ home systems because if you’re practicing bad practices at home it doesn’t get cleared up at work. People regularly bring work home. So we extend that to their home computers, and we’ll recommend Sophos home premium, and if someone has an issue paying for it we’ll pay for it. It’s protecting our assets. If you have open Wi-Fi at home that’s been hit with malware, I don’t want that traffic on my network.

It’s more of a holistic approach to fighting the good fight together. Mimecast shows us our bad clicks and [we also do] sandboxing. When we started out, one in 235 clicks was on a bad site. Last month it was up to 700 so there’s been almost three times improvement through monthly awareness training.

CS HUB: Have you recently started adding any AI-embedded products to your organization’s security arsenal?

PFEIFFER: I’m a huge AI skeptic. I played video games and beat the hell out of them and don’t believe AI is a panacea for anything right now. It’s headed in the right direction, but I don’t think it’s evolved enough yet. To me it’s all marketing right now.

CS HUB: What are your best practices for ensuring visibility when your data resides in multiple and/or hybrid clouds as well as for classifying all connected devices?

PFEIFFER: One of the things is we’re GDPR compliant and [with our use of] cloud, we try to ensure our data stays resident in the U.S. Sophos secures our endpoints completely so no one can plug something into their computer without checking with the help desk. That helps with the proliferation of devices. We use [Cisco] Meraki cloud and tools to routinely monitor our network for large transfers of data going back and forth, from the size of the data to which emails are sending data to which other emails.

CS HUB: What’s on tap for this year?

PFEIFFER: Completing multifactor authentication. We’re using Microsoft Office 365, which has cloud-based multifactor authentication and by the end of the year it will be 100% complete so that every employee will have multifactor authentication turned on for their ID. To log into email they’ll have to enter a password and then they’re sent a code.

I think that is in and of itself way more effective than password cracking and strengthening. Somehow downloading passwords and cracking them — I would question the efficacy of doing that. I think passwords in the next five years will go away completely and will roll over to multifactor authentication, which is the start of the wave of identity-based authentication.

Just changing our password requirement from eight to 10 characters was a massive improvement for the triad of risk — meaning what I consider to be the three riskiest plays in security whether [it involves] a person or a company. That is your work email, personal email and LastPass, or any password manager. Those are three things you have to multifactor and make super secure. If you secure those three things you’ll protect 99 percent of your issues.

CS HUB: When it comes to being proactive about security, what’s the one piece of advice you’d give your peers that you think is not practiced enough?

PFEIFFER: The URL protection with Mimecast is huge. That way I know there’s no unprotected clicks in my environment because it will go through [Mimecast] first. That’s been one of the game changers for us.


Sam Buhrow
Director of Cyber Incident Management and Forensics
Banner Health

Buhrow is a Certified Information Systems Security Professional (CISSP) with over 18 years of experience in cyber security strategy, architecture, implementation, incident response, malware analysis, computer forensics, E-Discovery, data security, disaster recovery, and SIEM implementation and configuration.

He has extensive experience in cyber security management: identifying and mitigating risk, training and developing information security resources on- and off-shore, and creating new processes, procedures and techniques to solve clients’ needs with novel approaches. He has created numerous business process improvements, coded or guided software solutions, and saved his principals millions.

CS HUB: As a security professional, what keeps you up at night?

BUHROW: Two things: unpatched systems, and the other is an unaddressed alert — not so much someone didn’t notice it, but maybe there was high CPU utilization and later on [a security professional] says storage is getting utilized too much and if you put it together you’d see a place where bad guys are putting data together or they’ve encrypted it or it’s part of a DDoS attack. My concern is because of different sensors in the organization there’s not that mosaic view of the organization that it’s a targeted attack.
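The “mosaic view” Buhrow describes, where a CPU alert and a later storage alert on the same host mean more together than apart, as an added illustration that is not code from the interview or from Banner Health; the alert format, host names and sensor names are constructed for the example:

```python
"""Correlate per-host alerts from separate sensors into one finding."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: each sensor reports on its own, as in the
# interview (CPU spike noticed first, storage growth reported later).
SAMPLE_ALERTS = """\
2019-03-25T02:10:00 host=srv-files-01 sensor=cpu msg="cpu 97% for 15m"
2019-03-25T02:12:00 host=srv-web-03 sensor=cpu msg="cpu 91% for 5m"
2019-03-25T02:40:00 host=srv-files-01 sensor=storage msg="volume grew 120GB in 30m"
2019-03-25T03:05:00 host=srv-files-01 sensor=edr msg="many files renamed with new extension"
2019-03-26T09:00:00 host=srv-web-03 sensor=storage msg="volume grew 2GB in 1h"
"""

def parse_alert(line):
    """Parse one 'timestamp key=value ...' line into a dict; 'ts' is a datetime."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": datetime.fromisoformat(ts)}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', rest):
        fields[key] = val.strip('"')
    return fields

def correlate(text, window=timedelta(hours=2), min_sensors=2):
    """Return {host: sorted sensor names} for every host where alerts from
    at least `min_sensors` distinct sensors fall inside one `window`.
    Hosts with a single noisy sensor (srv-web-03 above) are not flagged."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            alert = parse_alert(line)
            by_host[alert["host"]].append(alert)
    findings = {}
    for host, alerts in by_host.items():
        alerts.sort(key=lambda a: a["ts"])
        for i, first in enumerate(alerts):
            # Sliding window anchored on each alert in turn.
            seen = {a["sensor"] for a in alerts[i:] if a["ts"] - first["ts"] <= window}
            if len(seen) >= min_sensors:
                findings[host] = sorted(seen)
                break
    return findings

if __name__ == "__main__":
    for host, sensors in correlate(SAMPLE_ALERTS).items():
        print(f"{host}: alerts from {', '.join(sensors)} within one window")
```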

CS HUB: What’s your take on CISO Exchange West?

BUHROW: I like the targeted speakers and it’s fascinating to talk to vendors who are not on [Gartner’s] Magic Quadrant yet and who I haven’t heard of. [I’m focused on] incident response, and I love finding one thing I don’t know about so I can incorporate it into my [toolset].

I used to be a virtual CISO and I’m more of a change agent now, where I’ll find a piece of technology and tell [security] ‘This is a tool you should look at,’ tools that weren’t known but whose vendors are in the final proof of concept. The risk scoring technology I saw here; to have something be able to tell you where all your crown jewels of data are and calculate in real time that this particular server isn’t patched and could cause this much exposure — that’s a lot of work someone has to do — and if you can automate that it would be fascinating.

We subscribe to NIST and our SOC team is all about detect and protect. We’re about respond and recover.

CS HUB: Are insider threats a big concern?

BUHROW: It’s obviously a concern for us and … it’s something the industry’s definitely been focused on the past few years. My team does cyber incident response and e-discovery. We haven’t seen a large uptick in [insider threats] in healthcare; I don’t know why. With all the data we have … that’s not as big an issue as ‘Don’t click that [potentially malicious] link.’ If you see something, say something, but the biggest risk is still the user inadvertently clicking something.

Phishing is still [a] pretty large [problem] in our medical group. A good portion of our effort is put into educating the employees and doing phishing campaigns to make them aware of what’s out there. My belief is the bad guys are getting so good, in healthcare in particular, but overall, too. We’re about 100,000 [employees] and about 40-50% are clinicians so they don’t have the same exposure [to malware] but they’re dealing with all these emails and what’s happening is it’s one more thing for someone to have to remember and deal with. So there’s a lot of cross between training fatigue and phishing fatigue. We’ll see a positive impact from training, but you’ll still see … a high click rate when we self-phish them.

CS HUB: What initiatives are on your plate this year?

BUHROW: The biggest one is tabletops … which is when a facilitator comes in to the SOC and different groups and they’ll say, ‘Here’s this scenario: you’ve got an alert and at what point does the incident response team come in?’ What it’s more designed to do is make sure there are no gaps in communication and decision making and from the beginning to the end you have a cohesive plan to address what this threat is. Last year we did two of them … this year [the goal is] 15 to 16 tabletops. In the healthcare industry you’ll see a lot of ransomware, so we’ll give scenarios about that or insider threats. It’s up to our third party to develop them but they’re usually [done on] things you’ve seen in the news and how you’d deal with them. We find they’re an area that doesn’t get the light shined on it as much as it should. Once you have them, you’ll see how the tabletop gets addressed with the C-suite.

See Related: “CISOs Gather To Collaborate On Security Strategies”