CPA Australia

Keeping A Security Mindset

Neil: Hi Nigel – great to chat to you today. You have been with CPA Australia for just over a year now. What was important for you to establish when developing your infosec strategy for the business and what have been some of the milestones?
Nigel: Thanks Neil, yes, I have been with CPA Australia for just over one year now. My role started off pretty much the same way any traditional CISO would – 30, 60, and 90-day plans and looking at the gaps and where the organisation needed help the most; and I quickly arrived at a four-step plan:
  1. Shore up security operations, with the idea of improving the mean time for incident detection and response; this was a big driver for me.

  2. Improve overall security governance. We have a lot of policy documentation, being a governance-heavy organisation, especially in the last couple of years, so my plans were to continue to have thorough governance, however, to peel it back and make the policies more organic and engaging with staff.

  3. Improve security metrics. For example, we have been doing annual penetration testing and IT general control assessments, which felt to me like we were playing whack-a-mole: you find issues, you deal with them, you report to the board that you have fixed those issues, and then a year later you repeat that process. That is important activity, but I wanted to put a security program in place that would enable you to see the improvement and maturity over time, and therefore the effectiveness and performance, through the metrics.

  4. The last one was a stream of work around ‘secure member’ and ‘secure employee’ experience, which relates to a saying I heard not long ago – the reason why you put good brakes on a car is not to slow you down but to give you the confidence to speed up! That was the driver in putting in a solid Identity and Access Management program for staff and members.

That is how we started. Going back to the first part I mentioned – security operations, we are a lean team. We have security as part of our Infrastructure team and then my team which is a Governance and Strategy function. We looked at the overall control elements and thought we had better be lean about this. We were looking for technologies that were delivered as SaaS and had low infrastructure involvement or set up times to give us quick speed to set up and reduce the amount of time that we spend running and managing technology, which is an overhead that comes with on-prem solutions.
That has really benefited us during these current times, as the entire team has moved to remote working, which includes the member experience or customer service team, meaning that we have been able to pivot very quickly, because we have a light-touch structure and security.
With traditional endpoint security architecture, you have a series of endpoints that are reporting back to an on-prem, centralised or tiered management point. When you work from home, the endpoint security agent doesn’t upload activity data and alerts until the endpoint is able to connect to the corporate environment; whereas next-gen solutions have that management point in the cloud – so whether you’re remote or on the network it is reporting back all the time, which means we’re getting real-time information about the asset.
Neil: That is always a challenge for on-prem SIEM technologies. If you can’t make a VPN connection you can’t get the updated telemetry and alerts from the endpoint. What have been your main challenges dealing with the current lockdown?
Nigel: We hadn’t necessarily planned for such a fast shift for all our staff, including customer experience staff working from home. That included hooking into our call management software. VPNs have a latency impact, so you have to think about voice quality.
We were sunsetting one remote access solution and onboarding a new one, so we had to expedite that and we had to implement some emergency adjustments to a few change management rules, and there were some very long days to get that set up as it had an impact on about a third of the business.
Neil: One of the things that people run into as a challenge is the benefits versus risks of allowing split-tunnelling for VPN users. The traditional thinking with VPNs - being a hard-line security view - is that when your remote client is connecting to the network via a VPN, it shouldn’t connect to the internet any other way; all traffic should drive through the VPN, so that you can run it through your corporate web and email filters and avoid the endpoint becoming a relay into the network for attackers or malware. Unfortunately, when you have 10x the number of remote workers, your VPN infrastructure may be unable to cope. At the least, performance is likely to degrade, and you may have problems with voice quality if you are using VoIP.
In order to improve VPN performance you may take a non-purist, risk-based decision to split-tunnel, meaning that only the traffic that needs to go back to HQ goes through the VPN and other traffic goes straight from the endpoint to the internet. The risk you take is that if something compromises your device, you can become a relay back to the corporate network. The benefit is that you dramatically reduce the load on your VPN concentrators and your network links.
Nigel: We had already moved to a split-tunnel architecture; however, to manage the risk, we use a low-touch, high-security cloud technology to process that data so it is still controlled, protected and monitored.
Neil: Using these virtual firewall/web proxy tools that sit in the cloud in order to achieve corporate-level security controls over your non-VPN traffic basically. You can also get telemetry back over to your monitoring platform.
Nigel: Yes, I like to think of that monitoring platform as the nervous system.
Neil: Yes, great analogy.
Nigel: One of the main visions I have for CPA is: identity is the new perimeter. I saw that the organisation was looking to introduce greater flexibility of working (they actually do a good job of that now), and also diversity and inclusion. What I was seeing was the remnants of a traditional perimeter-based security model, where you have your firewall and antivirus etc. and that was going to protect us.
A lot of us had adopted SaaS platforms and Infrastructure as a Service to meet the needs of the members. There was a view that it was already out there; people are already operating outside of our traditional network. So that is when I started thinking - security fundamentals for me are: get the endpoint right, get the gateways right – the business applications and security around those – making sure we are getting security information from those applications, get the network right, invest in the network and bring all the information together so they are informing each other. So that if the email gateway sees a malicious link from Brazil, why can’t that IP address inform the firewall and block it there as well?
The central theme for me was identity. Whether it was the endpoint, the network or the gateway, I would still want to be able to see who that person was, who the user was that was doing that activity – which provides a lot of rich contextual information: was that a person that was just made redundant, what are they accessing, where are they going – gather all that information together and make informed decisions. I don’t care where that person is as long as I can see it.
We started to put that in place in July last year. We were obviously unaware that we would be facing the COVID-19 pandemic ahead. That has expedited some of the activities.
Neil: That really helps when you have people at home using unmanaged devices and connecting from an iPad or their own computer - if you allow them some sort of access to certain applications. If you are linking identity to the personal device, it makes the telemetry a lot clearer.
Nigel: There is a certain reality that it isn’t possible for one solution to integrate across all these different platforms to get that information and interpret it in a rich way in all cases. Certainly, for me, using a security monitoring platform that has a rich plug-in ecosystem is really important. One of the tasks I do frequently is checking the new plug-ins of Rapid7’s SIEM to see what new integrations have come through the pipe. As a fundamental, having Multi-factor Authentication technology integration and connectivity is crucial. Another example is API integration; we want to get information about what a given platform is seeing and doing and who's accessing it.
Neil: You had the advantage of putting a lot of groundwork in place. What piece of advice would you give to other organisations in this current environment?
Nigel: I think it's hard for security professionals, especially in this sort of seat as they rise up the ranks of security roles. You could fall into the trap of feeling like any potential security issue is 100% on you. My approach when I joined the organisation was to say, my role here is to be a subject matter expert and advisor to the business. And my job is not to make decisions about whether the business can or can't do something, but to play the role of an enabler. As cliché as that might sound, I fundamentally believe it. I'm not here to be the department of no. It’s an organic way of making people feel accountable for the decisions that they make, and you get a better partnership with the business; you get a better partnership with your peers. I've found that I've had less resistance to suggestions on how we could solve the problem. I think that has extended upstream as well. For example, I have a bimonthly meeting to provide cybersecurity updates to the CPA Australia board which then has a positive impact on their confidence in what we're doing and that flows down as well. So, it just all compounds together really, and drives acceptance of the things we need to do. There's also a practical approach. So that's my advice to people - just to have collaborative partnerships with your peers, the board and the business.
Neil: Partnering with other areas of the business is important for taking controlled risks.
Nigel: Risk management, or enterprise risk management, has suffered in the past from a little bit of an ivory tower syndrome. It can be esoteric. So, I've found that expressing risk in a simple way is best. I use a risk acceptance form and then when I'm discussing any risk, I detail in clear terms what the rationale for that requirement was, why it came up and what the impact will be for the business. We have a good collaborative relationship with our Risk & Compliance team, which makes this whole process easier to express in the enterprise risk register.
Neil: Another important piece of advice is to install a password manager. You're actually improving their password security, but also making it easier for employees to access both their work and other accounts, because all their passwords are stored centrally and auto-populated into the systems they need to connect to.
Nigel: Yes certainly. Security controls are key, as people will look for the shortest path to meet their objective. Security controls can be an obstacle, such as having a complex password and needing to change it every 45 days for example. And an employee may start keeping a central password file or writing passwords on post-it notes. So, the objective is to come back to context and empathy, understand what they're facing, understand that security may not be immediately important to them. They just want to get their job done. It is important to try to give them a positive message around why security's relevant to them so that resonates with them personally.
You need to try to anticipate the many ways employees will find the short path around your beautifully constructed security controls, accept that rather than trying to fight it, and you should plan for failure scenarios. You need to try to anticipate employees not following policy and have a monitoring regime and mitigating controls in place so you can see when that's happening and address it accordingly.
A very well-respected peer of mine was asked by another CISO – “so how do you solve all of the security problems?” And his answer was, “You can't. You focus on the issues you think are going to affect the organisation the most because there's only so much resource you can use to solve these problems”. He then iterated the point which resonated with me on why security awareness and partnership is so important.
And then the extension of that point is that if you're not planning for what you're going to do when there is a security incident, then you're in denial. You have to accept that security incidents will happen despite your wonderful control regime and make sure that you know how you're going to respond. And it's a bit like a fire drill. Generally, there's no life at risk with cybersecurity unless you're talking about attacks on hospitals or similar; however, the reason you do fire drills is so that if an incident eventuates people will go back to their training and react in a planned way. If you don't plan and carry out fire drills and there's a fire, then people’s first thoughts will be, there's a fire. What do I do? And nothing may come to mind. People may act in ways they normally wouldn’t under pressure. So, you must plan for failure and rehearse what you're going to do.
As IT professionals, it is very important to stay mentally buoyant ourselves when we're trying hard to make sure everyone else is thinking the right way. Three things that helped me personally to challenge other parts of my brain are to read books like Edward de Bono’s ‘Six Thinking Hats’, play music, and online gaming like World of Warcraft. Although these days I’m a mostly retired gamer.
Neil: It's a really good point because you can become very rigid in your thinking. Thanks for taking the time to talk to us today Nigel.

For more information, please email us at [email protected].