I recently sat down with Gabe Dimeglio, GVP & GM of Rimini Protect™ security services and solutions to discuss how uncertainties, like the economy, global unrest, and inflation, are impacting security strategies. Three areas we focused on were the importance of networking, meeting compliance mandates, and how to approach a managed security service provider (MSSP) relationship. Read on for the main takeaways from the interview and a link to watch the full conversation.
Takeaway #1 – Expand your circle
The operational side of cybersecurity is largely about protecting the people, data, and resources inside an organization. But as you start to refine your security posture and evaluate best-in-class solutions, seek out trusted colleagues for insights and best practices.
As a security professional, think of your counterparts at similar organizations as potential resources. “I highly recommend for most executives that they spend at least 10% of their time sitting down with their peers to share perspectives on problems they are facing,” Gabe noted. It’s a safe bet, by the way, that hackers are continuously learning from each other on the dark web, so you should be doing the same in your circles.
If you end up creating a group of friends who are CISOs at different companies, Gabe adds, so much the better. Certainly, some conversations need to be under NDA. But there is value in knowing what challenges others are seeing, and in hearing what they like about their service providers, what tactics are working for them, and what’s on their roadmap. In the interview, he offers some ideas on the benefits of networking.
Takeaway #2 – Compliance is more than checking off the boxes
When you start having conversations with your security colleagues, regardless of what industry they are in, some topics are inevitable. For example, regulatory compliance is the challenge that keeps on challenging. It might seem like there’s inherent value in any effort to shore up security, and that doing so because of regulation XYZ might be as good a reason as any. Not so, Gabe says.
No one would argue that the effort you put into preparing for audits is having an impact. “Unfortunately, it’s not the impact we’d like to see,” Gabe observed. “These regulatory bodies create or enforce regulations to address specific problems, say to protect personally identifiable information. But they are uncoordinated. One federal agency doesn’t necessarily work with the other,” he noted.
The challenge for many organizations is that this lack of coordination creates confusion and misinterpretation as to what controls are actually being requested. So people make assumptions, and then they make investments doing things that they don’t need to do. “The danger,” Gabe explained, “is that you spend a million dollars a year in audit preps for systems that are out of scope for some regulatory compliance program because you don’t know they’re out of scope.” The interview includes additional details on how to manage compliance.
Takeaway #3 – Evaluating MSSPs
Modern security has many legs. Unfortunately, many IT security teams have limited hands. The right MSSP can help bridge the gap. But not just any MSSP will do. “The key is to have a partner type of relationship, rather than just being a consumer of services,” Gabe advises. You have to make sure that you thoroughly understand what risks the MSSP is managing for you and how they are doing it. If an MSSP isn’t willing to be transparent, open, and candid with you, or if the service looks like sorcery hidden behind a veil of secrecy, move on.
Nor is compliance the only domain in which your partner should step up. “Take areas such as operational technology, or OT. Everything from power plants to Internet of Things to water treatment is susceptible to cyberattacks,” Gabe said. We have already seen these technologies being weaponized and leading to loss of life. Many of those systems were created when controls weren’t in place. Securing them means we will need to think from the outside and protect them in a more holistic and proactive way, a perspective your MSSP should be able to provide.
I don’t want to leave the impression that Gabe was painting a bleak picture of cybersecurity. According to Gabe, even though cybersecurity is serious business, you can tackle it confidently when you make the right connections and know how to manage risk.
Watch the video below for more detail on each of these topics.