In an effort to further make a difference in the marketplace and with our customers, Iceberg is very excited to introduce the latest senior professional services resource on our GRC team. David White recently joined us as a senior cyber risk consultant. He comes to us from a large Canadian digital bank, where he was manager of enterprise security and oversaw the bank’s implementation of RSA Archer to address cyber security risk and governance. I recently talked with David about his background, his new role at Iceberg, and what he’s hearing from executives about cyber risk.
GG: Tell me about your background in information security.
DW: I began my career with Hewlett Packard in 1997 and spent almost 15 years navigating different positions throughout the technology and consulting practices. At HP I was provided with opportunities to become a subject matter expert in several different technologies, including Microsoft platforms, UNIX/Linux environments and Tier 1 through Tier 3 enterprise storage platforms. The technology experience provided a cross-platform foundation which became an enabler for cyber security practices. I spent over six years in HP’s enterprise security practice as an Information Security Consultant.
Then I made the transition to the financial industry, around the time that companies began to explore expanding their IT infrastructure beyond their own data center. Although managed services, cloud computing and vendor partnerships became a viable option for companies to expand their IT platform, it came at the cost of introducing cyber risks.
In the last few years, the media has popularized cyber security breaches that focus on the weaknesses associated with outsourced IT infrastructure and applications. Breaches such as the ones at Target and Home Depot have made the industry re-evaluate its cyber security posture, and how investing in risk and governance programs can allow it to mature. These programs give companies a better understanding of cyber threats and of whether they are properly protecting the company’s products, services and, most importantly, customer data.
GG: Tell me a bit about your roll-out of Archer at the financial institution.
DW: Let me begin with vulnerability management. Our company suffered from the same challenges that I believe most companies suffer from – that patch management is considered a “keep the lights on” activity. Although patching cycles were defined, they always came second to business requests and if the two contended for the same resource, the business always won. Patching vulnerabilities is a continuous task, so by the time you complete a round of patching, vendors have already released the next round. Providing IT with vulnerability data allowed our company to better understand our vulnerability status and the risks associated, but it did not help solve the resourcing problem with patching them.
Within Archer, we built a framework that allowed us to tie vulnerability results to business products and services. Instead of only producing vulnerability reports for IT, we began to produce reports for the business, which illustrated how cyber risks were associated to their product offerings. Patching became a request from the business to reduce the vulnerabilities and this allowed IT to allocate resources more efficiently.
In about a six-week period we saw an 80% decrease in vulnerabilities.
GG: Did you get any pushback from the various stakeholders?
DW: The business loved it because they became informed. Initially they were frustrated because they were unaware that all of these vulnerabilities even existed. If you’re a product owner, especially at a digital online bank, having the right information to make a decision is important and they wanted to know everything about their product. If there was a health status somewhere, they wanted to see it. So they loved it.
You would think IT wouldn’t like it; however, from an operational perspective they loved it, because it allowed them to prioritize patching as a business need, and time actually got carved out to fix vulnerabilities.
From an executive viewpoint, it helped illustrate vulnerability risks at a business and product level. Having a bunch of numbers on the screen with green arrows and trending meant very little to them. Once we tied it back to a product and service – terminology that they understood – they felt more in control.
This was a real eye-opener for us, as we realized a hidden strength of Archer became its ability to be a translation layer between IT security and the business.
GG: How do you see your new role at Iceberg?
DW: We are building a cyber risk program to bridge the gap from IT security into business processes. Today we use a lot of terminology in cyber security: SQL injection, DDoS, volumetric attacks, ransomware, and so on. We’re going to help translate these terms into language that executives understand, so they can be informed and have the ability to make the correct decisions.
If you look at vulnerability management, how companies usually deal with it today is “I have a server, it has a vulnerability”. The questions should be: “What does this vulnerability mean to us? What does that server do for us? What business process does it support? Does the business know they have a problem?”
Cyber security is not a product offering for most companies. Cyber security supports the company’s core business products through an IT delivery mechanism to allow clients to access your products safely. Archer allows companies to link cyber security risks directly to core business products and services.
At the end of the day the server that houses the vulnerability is the responsibility of a business unit. They own the product on top of it, and they have the ability to make the correct risk decisions to say whether it has to be done today or next weekend.
That’s where Iceberg can help, and I am excited because this is not just a financial services issue. I have already begun to engage clients in the energy sector, government, health and retail industries. We are already seeing how our team can make a difference.
GG: For someone who’s reading this and wants to start moving that IT conversation into a business conversation, what would you suggest as a starting point?
DW: What I would recommend is not to focus on what Archer can do for you, but rather on what you need Archer to do for you. Have a look at your processes and understand the end-to-end view of what you need to accomplish, and make sure to include everything from an operator’s perspective all the way to an executive’s perspective. Think about how business owners can make better decisions at the end of the day.
This is the value we are building at Iceberg. With Archer as the platform, Iceberg strives to help customers understand what the cyber risks are and how they relate back to the business. If we play our role well, we can provide our customers with a more accurate, aggregated and transparent view of their cyber risks – with business context!
You can reach David White at 613-595-0808 x268 or by email at email@example.com. Watch for more articles and insight from him in the coming weeks in this space.
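The "translation layer" David describes, joining raw scanner findings to the business products and owners they support and reporting per product rather than per host, is the kind of logic a GRC platform such as Archer implements with its data model. The following is an added illustration, not code from the interview, from Iceberg or from RSA Archer. The hostnames, finding titles, CVSS scores and the product catalog are constructed sample data; the severity bands follow the standard CVSS v3 qualitative ratings. It also handles the failure mode a practitioner runs into first: hosts with findings that map to no product owner at all.

```python
from dataclasses import dataclass, field

# Constructed sample scanner output: one row per finding. Hostnames, titles
# and scores are illustrative, not real findings.
FINDINGS = [
    {"host": "web-01", "title": "Outdated TLS library", "cvss": 7.5},
    {"host": "web-01", "title": "Missing OS security update", "cvss": 9.8},
    {"host": "db-01", "title": "Default admin account enabled", "cvss": 9.1},
    {"host": "batch-07", "title": "Verbose error pages", "cvss": 4.3},
    {"host": "lab-99", "title": "Unsupported OS version", "cvss": 8.0},
]

# Constructed asset-to-product mapping, the kind of record a CMDB or GRC
# platform holds: host -> business product and the unit that owns it.
CATALOG = {
    "web-01": {"product": "Online Banking", "owner": "Retail Digital"},
    "db-01": {"product": "Online Banking", "owner": "Retail Digital"},
    "batch-07": {"product": "Nightly Statements", "owner": "Operations"},
}

SEVERITIES = ("critical", "high", "medium", "low")


def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass
class ProductRisk:
    owner: str
    counts: dict = field(default_factory=lambda: {s: 0 for s in SEVERITIES})
    max_cvss: float = 0.0
    hosts: set = field(default_factory=set)


def roll_up(findings, catalog):
    """Join each finding to its product via the catalog and aggregate.

    Returns (per_product, unmapped). Findings on hosts absent from the
    catalog go to `unmapped`; an asset nobody owns is itself a governance
    gap and must not silently vanish from the business view.
    """
    per_product = {}
    unmapped = []
    for f in findings:
        entry = catalog.get(f["host"])
        if entry is None:
            unmapped.append(f)
            continue
        pr = per_product.setdefault(entry["product"], ProductRisk(owner=entry["owner"]))
        pr.counts[severity(f["cvss"])] += 1
        pr.max_cvss = max(pr.max_cvss, f["cvss"])
        pr.hosts.add(f["host"])
    return per_product, unmapped


def business_report(findings, catalog):
    """One line per product in owner language, worst product first,
    followed by any findings that have no product owner."""
    per_product, unmapped = roll_up(findings, catalog)
    lines = []
    ordered = sorted(per_product.items(), key=lambda kv: (-kv[1].max_cvss, kv[0]))
    for name, pr in ordered:
        c = pr.counts
        lines.append(
            f"{name} (owner: {pr.owner}): {c['critical']} critical, {c['high']} high, "
            f"{c['medium']} medium, {c['low']} low across {len(pr.hosts)} host(s); "
            f"worst CVSS {pr.max_cvss}"
        )
    for f in unmapped:
        lines.append(
            f"UNOWNED: {f['host']} ({f['title']}, CVSS {f['cvss']}) has no product owner"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(business_report(FINDINGS, CATALOG)))
```

The sort key puts the product carrying the single worst finding at the top, which is what a product owner deciding "today or next weekend" needs; counts alone can hide one critical behind many lows. The `UNOWNED` lines are the ones to chase first in a rollout like the one described above, since a finding with no owner has no one to request the patch.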