May 26 2020

To Thwart Cybercriminals, Businesses Turn to Each Other

Modern threat actors work together. Businesses now realize that they must do the same.

There’s a popular image of cybercriminals as solo actors working in the shadows. But that’s wrong. Real threat actors work in corporation-like teams, sharing information, developing specialties and creating new approaches together to thwart security controls.

In fact, if anyone has been working in isolation, it’s often the organizations that are trying to defend themselves. Worried about becoming targets of the bad guys, businesses have tended to keep a low profile when it comes to security — seeking information, perhaps, but not sharing much.

This is changing.

Today, a new focus on cybersecurity collaboration among professionals is emerging. As threat actors continue to up their game, many CIOs and CISOs are realizing that going it alone is leaving them in the dark. Now more than ever, companies — even competitors — work together on cybersecurity methods and strategies.

BizTech brought together a panel of corporate cybersecurity leaders to discuss the value of collaboration and the ways cooperative alliances help them keep businesses and customers safer. The roundtable included Dave Estlick, CISO of Chipotle Mexican Grill; Jamil Farshchi, CISO at Equifax; and Gary Hayslip, CISO for SoftBank Investment Advisers.

BIZTECH: Why are cybersecurity professionals collaborating more now than in the past?

ESTLICK: A lot of it goes back to the presidential directive on cybersecurity under President Obama, which provided guidance and safeguards for establishing information sharing and analysis centers, under the umbrella organization the National Council of ISACs. Before that, many organizations were worried that collaborating could be seen as anti-competitive. The government stepped in and said, “If we’re going to protect our critical assets, we need the industry to be collaborating on cybersecurity.”

FARSHCHI: One of the key lessons we learned from the past is that it isn’t effective to focus security efforts solely on the technology or the process. We had to emphasize security above everything else in our corporate culture — now, it’s even built into our annual bonus structure. Collaboration is a part of that shift. We’re trying to be as forward-footed as possible as we’re building this environment where security and trust are built into the company as a whole.

Dave Estlick, CISO, Chipotle

BIZTECH: Why is collaboration such an important aspect of cybersecurity?

ESTLICK: Our adversaries are collaborating, so it only makes sense that we’re doing the same thing on our end. As a security officer, anyone can wake up and have a bad day. If you can save someone else from having that bad day, why wouldn’t you? My hope is that we continue to build trust and community. Today, I may have saved someone. Tomorrow, they may have saved me and my organization.

FARSHCHI: If you look at most organizations, they tend to be pretty cloak-and-dagger, or inward-focused, when it comes to security. We’re in a unique position where our CEO wants us to be a leader in this space, and at the same time, drive maturity across the industry.

When you look at the threat landscape, the challenge at Equifax is that we have a lot of unique actors we need to work against, including nation-states, organized crime, etc. We can help other organizations by providing them with our lessons learned, and collectively as an industry, we can defend against the threats we face today.

HAYSLIP: Collaboration is a theme in the security community right now. There are times when you need advice from other people who are walking in your shoes. We all have the bumps and battle scars, and we understand there’s a lot of value in collaboration.

Threats are moving so fast. Nothing is stagnant. You have to be willing to ask for help.

Jamil Farshchi, CISO, Equifax

BIZTECH: How are you collaborating? Do you belong to formal or informal organizations?

ESTLICK: We have both formal and informal alliances. The most formal is through the Retail & Hospitality ISAC, where I sit on the board. Larger, more mature organizations share what they know to the benefit of small and midsized businesses, and for them, it’s the only avenue from which they can get insight into what’s affecting the industry. It’s also an effective sounding board if you’re moving forward with an initiative.

On the informal side, any security leader will tell you that they spend a lot of effort grooming and cultivating professional networks, so that when they’re presented with issues or problems, they can leverage those networks.

I have peers both inside and outside of the retail industry that will reach out to me unsolicited for perspective, and I feel comfortable doing the same thing with them.

FARSHCHI: After the 2017 Equifax breach, one of our first steps was partnering with global organizations trying to work toward the same end, like the World Economic Forum, the Better Identity Coalition and the World Bank. We partnered with the NFL and the Department of Homeland Security to stage and practice a crisis exercise in advance of the Super Bowl. We even created our own group, Atlanta for the Advancement of Security, a council of CISOs from Atlanta-based companies and government agencies, to enhance cybersecurity practices.

Because we’re a member and also a host of several alliances in the security community, we get much meatier information than we would with an automated feed.

HAYSLIP: Internally, we work with the companies that are in our portfolio. On the outside, we’re members of the Financial Sector ISAC. And, as a CISO, I’m very active in the security community, participating in roundtables and local organizations.


BIZTECH: Can you provide some examples of how you’ve collaborated with others?

ESTLICK: On a tactical level, there’s constant information sharing. Someone might say, “We’ve just been hit with X.” On the back end, it could be the tip of the iceberg. You can see it moving from organization to organization, and everyone can work together to get safeguards in place.

FARSHCHI: We’ve brought in security leaders from all over the world to look at our facility and processes so they can use them as a blueprint. And the beauty of it is that it’s not just a one-way conversation. In many of those discussions, we come up with new ideas and insight that we can implement.

HAYSLIP: For one issue, I reached out on a CISO channel and had multiple leaders, and vendors as well, walk me through what they had done. After lots of conversation, I found the solution that was best for us. Collaborating saves money and time.

Gary Hayslip, CISO, SoftBank

BIZTECH: What would you like to see more of in the future?

ESTLICK: The ISACs try to share info and get insights within industries, but I think there are potential benefits of sharing information across industry verticals. For example, if financial services is hit with a malicious campaign, once that industry gets a handle on it, the bad actors are going to start moving to other industry verticals. If we can share information laterally, then cybercriminals have fewer places to go.

HAYSLIP: I’d like to see more organized, local organizations where people can meet face to face. It’s difficult sometimes in areas where there’s a lot of turnover, but I’ve been a part of roundtables that meet regularly every few months, and it’s a good professional forum for people to make strong, trusting connections.

I’d also like to see a better bridge between businesses and the government side. There are some organizations, like InfraGard, which is sponsored by the FBI, that already do this, and I think the government should be looking at more alliances like this that help bring both sides together.


BIZTECH: How does trust fit into the picture?

ESTLICK: In addition to trust between security leaders, it’s also important from a customer standpoint. It won’t help Chipotle sell more burritos to be fabulous at security, but customers are trusting us to do the right thing. Consumer confidence can erode based on events for any particular brand. So, why wouldn’t we want to work together collectively so consumer confidence is high?

FARSHCHI: In the wake of the breach, we have an obligation to customers to demonstrate that we’re transforming our organization to be best in class when it comes to security. We do bimonthly CISO calls with customers where we lay out our projects that we’re driving toward. We talk about what we learned, such as if we rolled out a solution that didn’t work and we need to try something else. It even scares me that we’re being so transparent, but we’re doing it as a learning tool for others who are navigating the same kinds of decisions.

We also support all kinds of regulatory reviews and audits from other agencies. For some companies, that could seem like a burden, but it just provides us more sets of eyes to make sure we’re doing the right thing. The more eyes you have on your security, the more prepared you are.