In a scenario like this, knowing is half the battle—but it's only half. To successfully navigate the cyber security landscape, enterprises must measure security and integrate it into their business processes. In an exclusive interview with CIO Review, Eric D. Noonan, CEO at CyberSheath, discusses the current landscape of cyber security and CyberSheath's methodology for delivering security services that provide demonstrable business value.
Q. The Cybersecurity landscape is becoming extremely complex. In your interactions with CIOs, what sense do you get of the challenges they face and how can technology effectively address those issues?
From a CyberSheath perspective, we see a cybersecurity landscape dominated by fear, uncertainty and doubt, which is driving tool purchases that aren't underpinned by the people and processes required to make them successful and sustainable. The outcome is security organizations that have more tools deployed than they have staff to effectively support, which produces a highly tactical approach to security. It doesn't have to be this way; cybersecurity can be measured and managed like every other part of the business, but great marketing by product vendors and a constant barrage of sexy headlines have created a point solution approach to security.
CIOs intuitively know there is a better way to manage security, and they want a system of measurement to gauge their effectiveness. A typical conversation between CyberSheath and a CIO quickly gets to the challenge of measuring effectiveness and return on investment in cybersecurity.
When a CIO looks at his or her portfolio, they have metrics for the help desk, field service, the data center, you name it, but security is often this incredibly expensive and unmeasured thing that they are accountable for. That's an uncomfortable place to be.
As for technology helping CIOs effectively address the challenge of measuring and managing security, it's the wrong place to start. The basics of sustainable process and program management have to be in place to underpin technology investments first.
To make security measurable, the basics of sustainable processes and program management have to come before investments in technology.
Q. If you were to give an analogy between your personal traits or hobbies and your thought leadership, what would that be?
What I would offer instead of an analogy is to talk about the culture of CyberSheath, which in many ways reflects my personal values. We don't have corporate values that we hand out to every employee on their first day. Instead, we believe in hiring leaders who already have their own set of very personal and deeply held values, and they differ from employee to employee. My job is to create the environment where our employees are free to live those values while they do great things for our customers. CyberSheath is mission driven and customer focused, and our employees are free to lead in executing for our customers; that's our culture.
Q. As a global firm, how does CyberSheath embrace evolution in the information security vertical?
It's definitely an evolution and not a revolution. I say that because if you read the headlines you would think the business world has never seen anything like the rapid changes we are seeing in security. Of course any CIO or CISO who has been around a while knows better. CyberSheath treats cybersecurity like a business problem, not a technology problem. So the evolution of the information security vertical is interesting, but what really matters to our customers is figuring out if what they are doing in information security is working and implementing a system of management based on business principles to continuously monitor and measure the effectiveness of their investments.
Q. How would you best describe your partnership with RSA, the security division of EMC?
RSA has a tremendous set of products that can solve real world problems and they recognize the need to have service delivery partners like CyberSheath that can make those products work. A great example is RSA Archer, their Governance, Risk and Compliance product; they have done a great job developing a product and specific modules for the product. Our role in the partnership is to take the product and get it deployed and optimized for customers and that takes real world contextual experience. A big part of our value is in closing the gap between what the products can do and what will actually work in the real world.
Q. Can you give a description of your team of GRC specialists and how they help in identifying and implementing solutions that best suit your client needs?
CyberSheath employees have worked in Fortune 500 security operation centers, in the trenches doing the exact same jobs and facing the same challenges our customers face today, so they "get it". They have all of the certifications and security clearances that I think are just table stakes at this point, but what really sets us apart is what I call mission experience. Our GRC team has deployed GRC solutions globally across more than five countries, working with CIOs, CISOs, internal audit teams and other stakeholders to deliver mission specific solutions that solve business problems. We focus on the business's requirements and we sell solutions backed by detailed deliverables instead of blocks of consulting hours. We couldn't operate this way if we didn't have the talent and experience to do it.
Q. CyberSheath helps organizations realize ROI from security GRC initiatives, manage enterprise risks, demonstrate compliance, automate security processes, and gain visibility into corporate risk and security controls. Can you give deeper insights on the features of your security assessment solutions?
We take a different approach and use a proprietary software product that we developed internally to manage our assessments, which gives customers a quantifiable score on a control by control basis using a variety of control frameworks like NIST 800-53 Rev 4 or the Critical Security Controls for Effective Cyber Defense, commonly known as the SANS Top 20. The secret sauce is in the marriage of this control by control view as an output from our product and the practical, contextual, detailed implementation recommendations that are aligned with underlying business goals.
For example, any finding in our assessments tells you three things:
• Here’s what we found
• Here’s how to improve it
• Here’s the business benefit of improving it
This gives CIOs and CISOs a way to discuss security objectives in a business context rather than a technical context. Done correctly, an assessment should provide the foundation for a multi-year strategic plan aligned with business objectives.
Q. Can you give us insightful examples where your solutions have successfully helped your clients overcome the challenges?
CyberSheath’s greatest value is in rolling up our sleeves and getting in there to bend metal on behalf of our customers or alongside them depending on their preference. So we’re not just writing incident response and vulnerability management plans, we are implementing them.
We had a Fortune 500 customer who was transitioning from outsourced information security services to internally provided security services. In less than 6 months we designed, built and delivered a 24/7 Security Operations Center. This included everything from tool selection, implementation and integration through creating a business focused set of metrics that could be tracked and reported at the board level on a recurring basis. I don't know of another company that could have delivered so much in such a short period of time.
We’ve also had a string of successes aligning the compliance side of security with day to day operations. Ultimately we believe that when security is done correctly, compliance is an outcome of day to day operations and not a separate, disconnected activity. In the Aerospace & Defense sector we’ve helped customers interpret the Defense Federal Acquisition Regulations that relate to cybersecurity and design and implement a program that can measurably achieve compliance in a way that improves operational security and lowers risk. We’ve done the same with Sarbanes–Oxley requirements for a slew of customers.
Our solutions work because they put security problems in the context of business problems, which forces a solution that is cost effective and measurable.
Q. What are the strategies employed by CyberSheath to thwart the emerging challenges, and what are your key differentiating factors?
Our documented methodology for aligning people, process and technology with the underlying business, delivered by world class security operators, is our key differentiator. Every solution we deliver, from assessments to a security information and event management (SIEM) deployment and optimization, is informed by decades of technical experience and the business acumen to avoid the trap of technology for technology's sake.
We are a services business, so the strategy for fending off competition is to be absolutely unbending in our commitment to our customers and their mission. We get incredible customer reviews and recommendations because we put our customers first. It sounds cliché, but it goes back to my time in the Marine Corps: mission accomplishment and troop welfare. Your mission is our mission.
Q. What does it take for a company like CyberSheath to show tenacity, delivering technology that enables business objectives and customer satisfaction?
It takes leaders who fit our company culture and want to have the satisfaction of taking on the customer's mission as their own. It takes a certain selflessness and a commitment to making sure every solution we deploy is underpinned by a business objective. We stay relevant because the security space is dominated by point solutions disconnected from business objectives, and we wake up every day trying to change that.
Q. What is in store for CyberSheath in the upcoming years?
Our solutions will expand to meet our customers' business problems and continue to enable them to articulate the risk they are managing instead of just the investments they are making. There is no end state to security any more than there is an end state to HR, Finance or any other function that supports the business. That means security needs to have, at best, a strategic plan for enabling the business or, at a minimum, a strategic plan to "do no harm" to the business. CyberSheath will continue to enable organizations to do that.