Episode 06: How to Converge Security and Business to Reduce Risk

March 02, 2022

Digital security and the risks that come with it are among the most significant concerns companies face. They look for various ways to mitigate those risks and establish a safe environment for their core business operations, sometimes implementing security solutions that merely put a band-aid on vulnerabilities.

What many companies don’t realize is that the key to stronger security lies in asking the right questions, and in changing the mindset: it’s not security first, it’s business first, it’s people first, it’s risk first. Security is a supporting pillar in that.

In this episode of Dr. Dark Web, Chris Roberts welcomes Joseph Carson, the Chief Security Scientist (CSS) and Advisory CISO at Delinea. They get into the role of threat intelligence in strengthening security, the importance of knowing where the threats come from, how to translate intelligence and risk to the board, and why people should always come first.

Guest-at-a-Glance

💡 Name: Joseph Carson

💡 What he does: Joseph is the Chief Security Scientist and Advisory CISO at Delinea.

💡 Company: Delinea

💡 Noteworthy: Joseph dedicated nearly 11 years of his professional career to Symantec. He’s also the Founder and CEO of Wiretrap, based in Tallinn, Estonia.

💡 Where to find Joseph: LinkedIn

Podcast Insights

Threat intelligence turns security into business value.

Joseph dives into the concept of threat intelligence and highlights its role in strengthening the company’s security. “Ten plus years ago, we had nothing. But data and intelligence are available to organizations today to turn security into business value. Threat intelligence is a mechanism that allows us to do that convergence, to make sense of attacks, and turn it into more business justification and business value.”

Understand the important questions that need to be answered.

Joseph suggests that companies should understand the most important questions regarding their security and answer them. That way, they obtain threat intelligence they can turn into business value. “You want to understand the important questions that you want to get answered. And if you don’t know what the questions are, you’re going to get intelligence feeds that you’re not going to be able to turn into value. So, it’s always important to understand what you’re trying to improve, what your strategy is, etc.”

Using security to make business more successful.

According to Joseph, security can be a great tool for making a business more successful and understanding that people (employees) come first. “I had to look at how I can make sure that whatever I do from a security perspective, it’s making their [employees’] job better. It’s making them happier. It’s helping them meet their goals. The whole business-first and people-first perspective is how I can make sure that I’m using security to make the business successful.”

Episode Highlights

Convert Anything You’re Doing into Business Language

“You need to be able to convert everything you’re doing into business language and things that we understand and care about, and the CEO said, ‘What we care about is how you’re helping the business. Otherwise, you’re just seen as a cost. You’re not seen as any value to the business.’

That was when I realized that my job was no longer about security. I realized that my security mindset had just changed. I realized that I’m actually not here to push security into the business, but I’m here to listen and understand the risks that the business has. […] That was the moment when I realized that my career had changed. I thought it was a wake-up call and that we’re here to listen to the business and understand how we can use our security expertise and knowledge to make sure the business is resilient to all of the threats out there.”

Companies Should Be More Focused on Internal Security

“Too many organizations sometimes put cameras pointed at the doors and windows of the buildings. They’re neither focused internally nor are they focused on the street. And it’s about getting a balance between all of that. If you make sure that somebody is looking at what threats are out there, what are the common techniques that you use? What are the common exploits in the industry? If you’re able to understand those, you’re able to make sure that you’ve augmented security controls so that the most common techniques have been used, and I will say that organizations won’t be able to prevent all threats.

It’s always important to make sure that you can balance a lot of that. The more we force that noise, the more we’ll be able to proactively stop the attacks before they turn into a major catastrophe. So, it’s all about balancing where your cameras are pointed. If you’ve only got one camera pointed at your door, then it’s very likely you’ve already got an attacker inside.”

Sometimes, You Just Have to Listen

“We were sending hard legal policies and emails to employees saying, ‘Let’s do this, there’ll be consequences.’ And we realized, after a few weeks, that it wasn’t working. We were getting a lot of bad feedback. And we realized that we needed to take a different approach.

At the same time, there were a bunch of kids who were doing a workshop at the company. So, we got to interview the kids to help us with how we can communicate securely and what would be the best form. And it was quite funny because the feedback was, ‘You’re doing it in language that we don’t understand. Can you speak a different language?’ So, we converted it into comics, graphics, and nice images to be able to give people a common language. We took ‘don’t plug USBs,’ smart passwords, and everything, and we put it in a comic and had little storyboards to explain the bad thing and the risks and what you should do instead. And it came from the kids.”

Use Threat Intelligence Instead of Another Silo Tool

“You can’t wait two to three years to get value out of the security investment. That value must be immediate because in six months, a new vulnerability, a new technique will be available. All the adversaries will be out there, cybercriminals will monetize it, and you’ll be looking at how you can augment the security to deal with that.

And your decision should not be to buy another tool. […] You need to move to a more strategic type of thinking. And that’s where threat intelligence can help you. Threat intelligence can help you make more strategic decisions long-term so that you’re continuously improving and not just buying silo tools that will do one thing. Threat intelligence is that area of how we collaborate, how we share data, and how I can make the person next to me also benefit from the information that I have.”

Final Thoughts

“It’s important to reach out to people and peers and get their insights. What’s important is to find the experts in the industry who can help you make sure that you’re not going down the rabbit holes. Make sure that you understand the right questions. […] And if you don’t understand the problem, you’re not going to get the right solution to minimize or eliminate that problem. I’ve seen too many times that the solution becomes the problem and the focus. And all of a sudden, what becomes the priority is the technology you’re trying to implement, and you forget about the problem that you’re trying to solve in the first place.

[…]

Ultimately, the goal should be to automate. That will help employees be successful and reduce the risks of the business. Put security in place because it’s making the employees’ lives better and making the business more successful, and that’s what we’re here to do. In the end, it’s not security-first. Security is important, but security is there to support the business and people.”