Content provided by Nisos, Inc. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Nisos, Inc. or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Building a Security Team to the Business And Using Intelligence to Inform the Proper Risk Strategy with H&R Block CISO Josh Brown

Duration: 37:44

In episode 66 of The Cyber5, we are joined by H&R Block Chief Information Security Officer (CISO) Josh Brown.

In this episode we discuss the importance of building an informed security team that can collect intelligence and shape a proper risk strategy. We have a frank conversation about what the business of security means and how to develop a team that understands multiple business lines, so that the security team anchors its security strategy to how the company actually drives revenue. We also talk through how to do this at scale within an intelligence discipline that touches many lines of risk, not just cybersecurity.

Three Key Takeaways:

1) Security Informs the Business to Make Risk-Based Decisions

Security professionals must have a deep understanding of how the business functions in order to develop a proper risk-based approach. Security is a risk management function that puts up guardrails so the business avoids bad decisions and avoids losing money. Intelligence is critical for gaining a 360-degree view, covering fraud as well as the user segment of the network. Threat intelligence must be relevant to the specific business, not the industry overall: a threat to a bank likely has nothing to do with a tax filing service.

2) Actionable Intelligence That Reduces Business Risk

The industry has not yet settled on a working intelligence solution. Intelligence is an enrichment function, not the first source of truth for what to prioritize. Fraud and other business-specific data that result in business loss are equally important to funnel into traditional cybersecurity tools. Further, threat feeds and information sharing must be bi-directional, so that even competitors and businesses in the same location can understand when incidents are taking place. The threats that most companies face are not the ones that are regularly marketed, such as Advanced Persistent Threats; the cybersecurity industry does a poor job of estimating the likelihood of a given advanced attack. Business email compromise, account takeover, and fraud are still the most prevalent styles of attack, even for businesses that can afford sophisticated security technology.

3) Actionable Intelligence That Gives Visibility into Supply Chain Risk

“The perimeter” is no longer relevant the way it used to be. With work from home, the perimeter is as much about identity and access management (IAM) as it is about IP space. On third-party supply chain risk, enterprises currently implement scorecard tooling as an audit function, so that when a software vulnerability is disclosed, the enterprise can quickly query which suppliers use the affected library or dependency. Further, supply chain risk is as much about business interruption (for example, DDoS) as it is about suppliers that hold critical data. Major enterprises also care about whether a vendor’s own vendors are compromised, depending on the criticality of the data involved (fourth-party supply chain risk). Since the United States does not even have a standard breach notification law, it is going to be very challenging to share intelligence bi-directionally, let alone get developers to uniformly deliver secure code.
