Taking An “Inside-Out” Approach to Security and Compliance

Q&A with Justin Sulhoff of Optiv Security

Today we feature an interview with Justin Sulhoff, Practice Manager, PCI Services at Optiv Security, a $2 billion security solutions integrator. He tells us why an “inside-out” approach to security and compliance is essential to mitigating risk in today’s world of never-ending regulations and increasingly sophisticated cyber threats.

Maurice Gilbert: How do you stay current on ethics and compliance issues?

Justin Sulhoff: There is a constant need to “keep the blade sharpened,” so to speak, when it comes to compliance, ethics and information security as a whole. The industry is constantly changing due to the need to adapt to new technologies, threats, standards and regulations. Staying current requires lots of reading. I also attend webinars, conferences and local industry group meetings during my free time.

MG: What do you believe is the optimal reporting structure for the CCO and why?

JS: All organizations are unique in their structure and how they delegate roles and responsibilities to internal stakeholders. Ideally, the CCO should maintain organizational independence, so no conflicts of interest arise from rolling up under an organizational unit whose interests may be at odds with the goals and needs of compliance. For example, you wouldn’t want to have an internal audit group that is testing controls as part of the same team that’s responsible for implementing and maintaining controls, as that could present a clear conflict of interest.

MG: How do you affect change within your client’s environment?

JS: Client compliance needs are often a significant driver of the overall security initiatives of that organization. Optiv’s compliance team is skilled at assessing a client’s current security and compliance posture and identifying any areas that are noncompliant. From that perspective, we affect dramatic change in a client environment by providing trusted advisory, remediation guidance and services regarding logical, administrative and/or physical security controls that can be implemented to meet the intent of any given compliance requirement. Oftentimes, a client will choose to implement the recommended solutions in their broader network where compliance mandates may not apply.

MG: What do you see as the greatest business risks facing companies today?

JS: Contrary to what many believe, security and compliance are business issues. If a company is the victim of a data breach or violates a regulation, it risks a damaged reputation, a loss of customers and, in the case of compliance, major financial penalties – all of which impact the bottom line. Despite this, CCOs and CISOs have always had a difficult time gaining a “seat at the table” in the executive suite and boardroom. One of the main reasons for this is that, historically, it has been difficult for them to effectively measure and report on the impact security and compliance operations have on corporate business goals.

While this has been an issue for years, it’s still an area of immaturity for many companies. To effectively mitigate risk in today’s sophisticated threat landscape, security, compliance and business teams must work together. And the best way for them to do this is by balancing business requirements with enterprise risk and using this balance as the foundation of a strong security and compliance program. From there, security and compliance pros can implement metrics and key performance indicators (KPIs) that allow them to budget and evaluate security operations in a way that is consistent with other business units. In other words, they can demonstrate how security and compliance investments are impacting the risk profile in a way their business colleagues can understand.

MG: What do you see as the greatest regulatory risks facing companies today?

JS: Many organizations take what we, at Optiv, call an “outside-in” approach to security and compliance: They focus first on identifying specific cyber threats and compliance requirements, and then they react with technology procurement. This approach has failed. It has resulted in massively complex and costly security infrastructures consisting of endless point solutions that are impossible to manage, measure and  maintain. It has created an operations environment in which there are never enough resources to manage the cacophony of tools and services – a problem inflamed by the cybersecurity skills shortage. And these infrastructure and operations problems escalate enterprise risk by creating security vulnerabilities and compliance gaps caused by human error and technology misuse.

While new regulations emerge all the time, the biggest regulatory risks are posed by these complex environments and antiquated approaches to security and compliance. Because of this, organizations need to move from an “outside-in” to an “inside-out” approach to security and compliance, where technology and processes are organized and optimized around enterprise-specific risk rather than the latest external threat.

MG: How does your company help its clients mitigate risk?

JS: Optiv helps its clients take an “inside-out” approach to security and compliance. Unlike the “outside-in” model, where the threat landscape dictates security spend, strategy and operations, the “inside-out” approach focuses first on the core requirement of every business: reducing enterprise risk. Clients define the specific enterprise risk model appropriate to their business and then build out from there across security strategy, infrastructure rationalization, operations optimization and ongoing measurement.

Building an enterprise risk model suitable to each unique business is important because it maps to the enterprise business model. This means that business objectives – not the threat landscape – drives security strategy. This strategy then dictates how to rationalize infrastructure so it is manageable and effective and how to optimize operations to ensure proper infrastructure management and long-term risk mitigation.

With a risk-centric foundation in place, enterprises can close vulnerability gaps and respond to new threats and regulations in a proactive, systematic way. And, once the entire security and compliance program is constructed around a coherent strategy, it becomes possible to measure that program with KPIs that ensure long-term adherence to the desired state of security while also giving CCOs and CISOs easy-to-understand metrics to report to other executives and board members, allowing them to finally gain a seat at the business table.

MG: What new service offerings do you have in the queue?

JS: Optiv has a number of new service offerings in the pipeline, but I’d like to talk about one we recently announced – [email protected] – because it’s a great example of an “inside-out” approach to security and compliance. [email protected] is an integrated portfolio of services and technologies that enables organizations to move beyond basic Payment Card Industry Data Security Standard (PCI DSS) compliance so they can implement comprehensive, risk-centric security across the entire payment life cycle.

Many merchants (i.e., anyone accepting a credit card) use the PCI standard as their security framework, which is a disastrous mistake, because PCI is not a security framework at all. By using PCI as the blueprint for security, organizations leave themselves open to tremendous security and compliance gaps in other areas of the business. [email protected] provides a complete reference architecture of services and technologies across application security, network segmentation, encryption, identity and access management, threat intelligence and incident response to help clients lock down their entire payment network so it is truly secure, while still remaining PCI compliant. Rather than allowing an external regulation to dictate security strategy and spend, [email protected] evaluates each organization’s specific risk profile and then applies the right reference architecture to deliver the optimal combination of technology and operational processes.

This risk-centric approach results in a holistic payment security program that reduces the risk of payment fraud, data breaches and compliance gaps and delivers comprehensive security across the entire payment life cycle.

Justin Sulhoff is Practice Manager, PCI Services at Optiv Security, where he is responsible for all post-sales Information Assurance project operations. He’s involved in team hiring and management, practice methodology development and oversight of client-facing pre-sales activities. Previously, Sulhoff served in various security consultant roles at FishNet Security before the company’s merged with Accuvant to become Optiv Security.