Podcast: Tom Cornelius Discusses Compliance Challenges
DATA SECURITY PODCAST
In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, and Tom Cornelius, who currently serves as both the senior partner at Compliance Forge, and senior director at the Secure Controls Framework Council, discuss the latest views on data security, and the why organizations have a constant struggle with vulnerability management and compliance. The podcast can be listened to in it's entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is Tom Cornelius, who currently serves as both the senior partner at Compliance Forge, and senior director at the Secure Controls Framework Council. He brings over two decades of leading professionals and innovating solutions to complex problems in both the private and public sectors. Welcome Tom, it's great to have you with us today.
A: It's a pleasure to be here. Thanks for having me on podcast today.
Q: So let's talk about compliance and managing vulnerabilities. Starting with; Why does compliance continue to be a challenge for organizations?
A: So people forget that cybersecurity is utterly dependent on business leadership to be successful. So without this active leadership you know, really from the lines of business and corporate structure, if they are not enforcing the secure practices then compliance will always be an issue. This fundamental lack of understanding of what it takes to be secure is really the challenge.
This is where you know, no one expects executive leadership to be configuring firewalls or performing pen tests, but they do need to understand that technology does require care and feeding to stay healthy.
Just like anything else that requires a kind of love and nurturing, so do systems application services to make sure that they are both secure, running efficiently and can essentially support the business needs.
Q: So, Tom, in terms of compliance, do companies have obligations to manage vulnerabilities?
A: Absolutely. All the major cybersecurity frameworks require this. You look at NIST CSF, ISO 27002, NIST 800-53 - all of them have sections on proactive vulnerability management. Additionally, from a compliance perspective you have NIST 800-171, CMMC, PCI DSS and a whole sort of data protection laws that have legal obligations for managing vulnerabilities.
Q: And so, then why is vulnerability management such a challenge for organizations?
A: This really goes back to that earlier question about overall compliance being a business requirement, more than a technical one. So vulnerability management inherently involves downtime for systems. Anything that requires some type of maintenance is going to have some type of interruption for the business.
And this is where business stakeholders have to work hand in hand with the cybersecurity and IT teams, to have that understanding of, maybe once a quarter or there might be a maintenance window. Depending on the patch cycle or maintenance cycle of the various systems applications and services, that the business uses.
So unless there is like a really good plan from the IT and cybersecurity staff that they establish these reasonable patch and maintenance practices, vulnerability management is going to be an unattainable goal. This is where it really requires strong executive support to keep the lines of business from essentially telling IT departments "no".
And that sounds surprising, but I've seen that in Fortune 500 companies where IT and cyber teams are just told "no - we're not going to patch it, you can't take it down".
And so you essentially get business stakeholders that end up being a little bit of a bully towards IT and cyber. So this is where it requires the executive leadership to tell business stakeholders no-you will take downtime, you will maintain your stuff.
And this is where its just an ongoing fight. This is where metrics on vulnerability management can be very helpful to sell the importance of maintenance operations, since it paints a picture of risk that someone needs to own. Essentially by the business, not just the technology teams.
Q: And so to build on that. What are the prerequisites that companies should have in place to make vulnerability management more efficient?
A: Well, it really starts with IT asset management. So it's surprising how many organizations really don't know what assets are on their network. This is more than just workstations for servers. It involves the full stack of IT platforms. This this includes major and minor applications, network gear, IoT devices, printers, servers, databases, laptops mobile devices, etc.
So the reason for this is, understanding IT assets, is that each different type of IT platform has a certain type of vulnerabilities, or its attack surface. So organizations have to understand what the secure configurations are for each platform which are defined by either manufacturer recommended security guides. And it could be CIS Benchmarks, or DISA STIGs. So without that inventory and understanding of what a secure configuration is vulnerability management is really not attainable. And it's really just more of a game of whack-a-mole.
Q: And so what is the biggest takeaway that organizational leadership should be aware of in terms of managing vulnerabilities.
A: Well, if you take a few minutes and just perform a simple internet search for recent major data breaches, most are not overly sophisticated attacks, or something, you're going to see in the movies. Most are really due to poor vulnerability management practices.
Therefore, the biggest takeaway is that if you want to stay out of the headlines for the wrong reasons, then corrective vulnerability management is really a key practice your organization organization needs to master.
Q: Great. Well Tom, thank you so much for joining us today.
A: Hey, it was a pleasure. Thank you for having me.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".