AusCERT 2013: Visibility critical when selling IT security to execs, says Foxtel CSO

Hard-to-find security skills and the rapid pace of malware evolution make a strong relationship with a managed security services (MSS) provider as important as maintaining the internal tools to keep business executives apprised of IT-security risk, Foxtel information security manager Kevin Shaw has advised.

“Whether it’s talking with executives or with the MSS provider, the more you put into a relationship the more you get out of it,” the 18-year IT-security veteran told attendees at the AusCERT 2013 security conference. “The results of doing that pay for themselves ten-fold.”

Properly informing those relationships, however, remains one of the security executive’s biggest ongoing challenges: different expectations, changing technologies, malleable business objectives – and the constant dread of being the one confessing a security breach to a risk and audit committee or angry CEO – all force security executives to be as proactive as possible when it comes to managing risk.

“Nothing is standing still, and even the IT environment you’re trying to protect is evolving quickly itself,” he said. “With third parties such as suppliers and contractors coming through, the size of the organisation can fluctuate quite dramatically depending on what projects are on the go. So, it’s a very nebulous environment that you’re trying to build some structure in.”

“It’s like trying to bake a cake on the back of a running horse.”

Data gathering for the big picture

Shaw, who manages the information-security posture for the pay-TV broadcaster, long ago recognised the importance of knowing exactly what’s installed in an organisation’s IT environment.

“It’s amazing how many organisations don’t really understand how many devices they have on the network, who’s connecting, and where the servers are,” he said. “These days with virtual machine environments, we have people spinning up instances all over the shop without necessarily coming through the IT or security department.”

Regular discovery scans, even those conducted outside of change management database (CMDB) systems, are crucial to keeping track of the ever-changing configuration. Once devices have been located and identified, they should be verified and approved, then tied to their owners long-term so there is a clear line of responsibility.

“I want to know that if someone adds a new server, that I can come back through my actionable intelligence and confirm that box has the right agents, has been hardened for the criteria we’ve mandated,” Shaw said. “Through repeated scans that touch the boxes on a regular basis, we can later understand whether they are in the same kind of configured state as when they were deployed.”
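The discover, approve, assign-an-owner, re-scan loop described above, as an added example rather than Foxtel's or Symantec's tooling: it reconciles one discovery scan against an approved asset register and returns owner-attributed findings (unapproved hosts, missing agents, hardening drift, approved hosts that have vanished), then rolls them up by business unit. Host names, owners, units, agent names and the single hardening check are constructed sample data.

```python
"""Reconcile a discovery scan against an approved asset register (added example)."""
from dataclasses import dataclass

# Constructed register: host -> owner, business unit and the state it was approved in.
APPROVED = {
    "web-01": {"owner": "A. Lee", "unit": "Digital", "agents": {"av", "edr"}, "ssh_root_login": False},
    "db-01":  {"owner": "B. Khan", "unit": "Billing", "agents": {"av", "edr", "fim"}, "ssh_root_login": False},
}

@dataclass
class Finding:
    host: str
    owner: str   # the person on the line for this box; "unowned" if nobody has claimed it
    unit: str
    issue: str

def reconcile(scan: dict) -> list:
    """Compare a discovery scan ({host: observed state}) with APPROVED; return findings."""
    findings = []
    for host, seen in scan.items():
        if host not in APPROVED:                      # spun up outside IT/security
            findings.append(Finding(host, "unowned", "unknown", "not in approved register"))
            continue
        want = APPROVED[host]
        missing = want["agents"] - set(seen.get("agents", ()))
        if missing:                                   # agent removed or never installed
            findings.append(Finding(host, want["owner"], want["unit"],
                                    f"missing agents: {sorted(missing)}"))
        if seen.get("ssh_root_login", True) != want["ssh_root_login"]:   # drift from hardened state
            findings.append(Finding(host, want["owner"], want["unit"],
                                    "hardening drift: ssh_root_login enabled"))
    for host in APPROVED.keys() - scan.keys():        # approved box no longer answering scans
        findings.append(Finding(host, APPROVED[host]["owner"], APPROVED[host]["unit"],
                                "approved host not seen in scan"))
    return findings

def by_unit(findings: list) -> dict:
    """Roll findings up per business unit, the view an executive or MSS analyst wants."""
    counts = {}
    for f in findings:
        counts[f.unit] = counts.get(f.unit, 0) + 1
    return counts

# Constructed scan: db-01 lost its FIM agent and root SSH was re-enabled; vm-tmp-7 is unregistered.
SAMPLE_SCAN = {
    "web-01":   {"agents": ["av", "edr"], "ssh_root_login": False},
    "db-01":    {"agents": ["av", "edr"], "ssh_root_login": True},
    "vm-tmp-7": {"agents": [], "ssh_root_login": True},
}

if __name__ == "__main__":
    for f in reconcile(SAMPLE_SCAN):
        print(f"{f.host:10} owner={f.owner:8} unit={f.unit:8} {f.issue}")
```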

Under Shaw’s guidance, Foxtel has maintained a long-term MSS relationship with Symantec, which provides extra skilled staff that not only keep apprised of new threats, but monitor the company’s infrastructure 24/7 for signs of malicious activity. The MSS staff are also given data on device ownership so they can quickly tie a specific issue back to the business impact it might have.

“It really helps to be able to take all that back to the MSS provider, because they are the people with the global vision, the honeypots, and the intelligence coming back from other clients. They can start joining the dots and giving you actionable intelligence from all the data we’ve fed through.”

A few years ago, Shaw said, a potential security incident was detected only because the MSS was able to correlate the many sources of data and raise the alarm.

“The only reason it was picked up was because it went through the MSS provider, was picked up and married together with other information and sent back to us to deal with,” he said. “Had we relied on our own resources to respond to it, we would not have picked up the signal because we didn’t have all the information that they had going through the MSS.”

The executive sell

Building on the MSS relationship not only allows Foxtel to be more proactive in maintaining its security posture, but supports interactions with executives who are less concerned with technical minutiae but think of IT security in terms of business risk.

Analysis of internal cost-recovery claims is a great way to marry IT-security activity to potential business change: once the IT staff know which business units are paying for what systems and services, it’s much easier to know how any potential security issue will affect which parts of the business.

Using this information to drive change, however, can be tricky because it can upset tightly managed perceptions of control over infrastructure. “I’ve had to learn to sell in different ways to different audiences,” Shaw said.

“Your IT operations person wants to know that your systems aren’t going to be bringing down his infrastructure; otherwise, he’s absolutely not going to let you come near anything he’s got. Everybody owns it when they don’t want you to touch it, but nobody owns it when it’s their bum on the line if things go wrong.”

Security data from regular device scans often reveals configuration changes that might otherwise have gone unnoticed, and which could affect compliance with requirements such as the PCI DSS payment-card security standard.

Shaw has often found it’s easier for an internal security organisation to get leverage with other business units by handballing the bad news to the MSS: “it’s always effective bringing in external parties to talk to your executives,” he laughed. “People come in externally and say the same things that you would say, and it has much more cachet if it’s coming from an external expert.”

Strong relationships, backed by justifiable assertions about the integrity of IT-security efforts, can pay off when it comes time for arguing for IT-security budgets.

“Every year we find ourselves having to fight pretty hard to protect what we’ve already been allocated in terms of the budgets; those constraints are no different than anywhere else in IT,” Shaw said. “I’m constantly having to sell security and compliance, and the threat the organisation is facing, on a daily basis.”

“Your executives are not going to give you budget unless you can marry together the value from MSS, actionable intelligence – unless you can demonstrate the value to the business and where the business is trying to go. But it is a lot easier for me to get budget and funding around using an MSS than it is to buy technology and get the head count to run it internally.”
