Importance of Integrating Cybersecurity in Every Nook and Corner of the IT infrastructure

Mark Gordon, Vice President - Cloud Security SME, Huntington National Bank

Could you give me a brief overview of your journey in the industry before becoming the senior cybersecurity and risk management expert at Huntington National Bank?

My expertise started at Computer Land of Santa Fe, NM, where I went from a setup tech to a Certified Novell Engineer over the five years I was there. That led me to MicroAge, where I achieved the very first certification from Microsoft (Microsoft Certified System Engineer) on Windows NT 3.5. That eventually led me into the semiconductor industry. I worked for 19 years at Intel Corporation in their Root Certificate Key Generation facility, testing and securing their cryptographic services. After leaving Intel, I built my risk and program management experience by combining the flight systems between U.S. Airways and American Airlines. After a year of working for Cisco Systems selling their security services, I hopped into the automotive sector at Fiat Chrysler Automobiles (FCA) as an enterprise security architect, working side-by-side with Google. My job was to aid FCA in understanding the best way to protect the customer’s intellectual property while preventing the connected vehicles from being compromised. That is when the banking industry came calling.

What are some of the trends you notice in cloud adoption, and how are organizations handling their migration processes?

The adoption of cloud computing solutions has accelerated as enterprises attempt to realize the improved cloud-based benefits when compared to on-premises solutions but lack the critical experience and education to make some of the key fundamental decisions, which makes security architecture, identity and access management (IAM), secrets management, data loss prevention (DLP) and other core services contentious, causing frustration from delays and re-work. From what I have seen across the various sectors, teams earnestly want to try and shift over to cloud solutions while attempting to embrace cloud-native services that have baked security earlier into their processes. On the surface, it seems easy for them to fulfil their desire to reduce the number of misconfigurations due to human interactions, especially when the cloud vendors attempt to make things seem easy. But it is not as easy as flipping a switch or just enabling a service, even if you already have robust skills in coding with Terraform and Python, for example. You need expertise in understanding and choosing the industry-standard security control benchmarks to make adjustments and implement with quality.

It also comes down to the management of the cloud. We will see better adoption and acceptance once fundamental knowledge of what security services can do for all the areas is better understood. In particular, we will need to better educate executives and managers with an approach rather than the technical details of how the DevSecOps model works with respect to their existing enterprise silos. It is a shared responsibility between the cloud provider and the enterprise to accommodate and implement the model. Do not try and change the whole corporation at once; pick a couple of projects that have some visibility, employ some creative and determined problem solvers - and continuously improve every day to role-model the behaviors of shift left security.

Can you shed light on some of the reasons why cloud adoption has increased after COVID-19?

There are several reasons and aspects surrounding the rise of cloud adoption, thanks to the hardships and changes in reality from the pandemic.

For one, executives had to rethink how their resources could accomplish their tasks remotely, which the cloud solves natively. And customers shifted their expectations, some to their dismay, when companies could not meet their demands, and then held onto the brighter expectations from those companies that were nimble enough to pivot on the fly into the cloud. But those companies could not have succeeded without a dramatic change in their mindset, approach, and culture. As they began investigating cloud technologies, their concern for their cybersecurity goals also increased. But as the “shared-trust model” was demonstrated to be as secure or even more secure than their existing ecosystem, organizations began investing in the cloud, and it snowballed from there.

However, the effectiveness of their people using the new platform was a gap, where they still needed to learn how to properly design, test, implement and operate within the new “shared-trust model.” But with great partnership from the platform vendors, including hands-on training where resources could learn at their speed (Think: FAST and OFTEN), cloud computing acceptance gained momentum. Senior management began to become familiar with the risk/reward of moving into the cloud and chartered the teams to build comprehensive programs to grow out hybrid, cross-platform interoperability. As enterprises matured, so did their understanding of the evolving cyber threats, so they could implement their defence-in-depth strategy and ensure that their threat detection and response are optimized and continuously improving while meeting their appetite for risk.

Having said that, the cloud providers have been continuously improving their security policies for compliance and for monitoring or managing customer data to help with Gramm-Leach-Bliley Act (GLBA), California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), PCI and other notoriously stringent regulations. Another silver lining of the accelerated cloud adoption after COVID-19.

What would be your piece of advice to your peers or the leaders in the cloud security space today?

Take the time to research the best practices of related technologies before jumping into the deep end. Take the time to evaluate proof-of-concept/proof-of-value projects. Most vendors will openly partner with you to try their services for free if you can show a favorable need. Allow multiple avenues of training. THINK: self-study with hands-on training, remote workshops, time for networking and peer-sharing events both in-person and remote; anything atop the traditional instructor-led classroom (Bueller – anyone?) to incorporate the basic and advanced concepts into different areas of your business. This reduces the problem of getting answers and managing teams that need solutions faster than waiting for the teacher to show up and hoping to gain wisdom. If you are hiring a consultant, understand that they will not have all the answers. I would recommend that the resource, and especially leadership, attend at least one virtual conference a month, if not more, in multi-domain and in multi-sector conferences to get their perspective, which will help shift policies and standards into current best-known practices. It is nothing new to you that ransomware, phishing, and malware incidents are increasing the rate of security breaches at a mind-numbing rate. Cloud computing with added AI is a requirement for large corporations to reduce the risk and elevate the correct anomalies that are true risks. Even more troublesome, the hacking successes are, in a sense, largely the result of human error. Education and awareness are essential to combat cybercriminal activity and prevent security breaches. And since the bad actors are always evolving, using cloud technologies will help you shift security left and continuously improve your security posture (if done right) more easily than on-premises solutions.
