Why the Portfolio Approach to Cybersecurity Works: A Podcast with Rick Tracy of Telos

On this episode of Early Adopter Research’s (EAR) Designing Enterprise Platforms podcast, Dan Woods, principal and founder of EAR, spoke with Rick Tracy, the chief security officer of Telos. Their conversation centered on the EAR research mission called “Creating a Balanced Cybersecurity Portfolio.” Tracy has significant hands-on experience as a chief information security officer executive, and shared his thoughts on what companies need to consider when managing cybersecurity as a portfolio. This is Tracy’s second appearance on the podcast. Key points in their conversation included:

* 1:45 — What Telos does
* 13:00 — How using a cybersecurity framework helps CEOs
* 22:00 — How pruning can occur by using a framework
* 32:00 — How products must always be viewed within the context of the people using them

Listen to the podcast or read an edited Q&A of the discussion below.

Woods: Would you introduce yourself and explain what you do at Telos and what Telos does?

Tracy: I really appreciate the opportunity to do this podcast. I’ve been with Telos Corporation for 34 years. I’m the chief security officer and I also am responsible for a product that we call Xacta that helps manage cyber risk for organizations and government agencies. Telos is a pure-play cybersecurity company that has invested in a variety of products based on our own intellectual property to deal with things like identity vetting, secure messaging, and risk management platforms. We also have a very large professional services organization focused solely on cybersecurity missions.

Woods: The research mission on creating a balanced cybersecurity portfolio talks about the steps to create a portfolio. You determine your needs, allocate your spending according to your risk in various areas, and design your portfolio to get optimal results for the minimum amount of spending needed to manage the risk that you have. Then you choose the right products to implement that and then you rebalance as needed.

Today, we’ll talk about those last two steps: choosing the right products and rebalancing as needed. Once you adopt a cybersecurity technology, it really is sticky. People are very slow to prune their portfolios. That’s problematic because risks and products change and they don’t always change in the same direction as the optimal portfolio. In addition, if you’re spending time and management energy on one vendor that’s not serving you well, you don’t have room to handle new solutions that might work better.

Can you talk a little bit, Rick, about some of the experiences you’ve had in the field where people have either struggled or successfully managed this issue?

Tracy: Let me tell you about an experience that I had here three years ago where we were under some pressure, as government contracts required us to invest in the ISO 27001 standard. We spent a lot of energy going through the whole compliance process for ISO 27001, which is a combination of control validation and developing policies and procedures and documenting, documenting, documenting. And it took us nine months to get to the point where we were prepared to have someone come in and assess us. We had a third-party organization come in and we were very proud of the fact that they said that we were doing everything that we needed to do and we got the certificate. At our quarterly security review with the CEO, the response was not what we expected. It was, “Congratulations, guys, but I don’t really understand how this benefits us from a security standpoint, and how is it good for the company? I need context.” We left that meeting and I was scratching my head trying to figure out how to put all of these things that we had done to comply with this ISO 27001 standard into context that would make it relevant and digestible for our CEO.

Woods: This gets to a real issue with the portfolio approach. If you use the portfolio approach as your own internal methodology and you and your team organize it and then you present it to the rest of the company and they say, “Well, that’s a really nice framework, what does it have to do with us?” then you’ve sort of lost. But if you use the portfolio approach to organize the risks that the business feels that it owns, these things that you’re trying to stop really matter to them and then these investments that you’re making matter to stopping those risks, then you’ve won because now you’re on the same page. This framework is not just some nice PowerPoint framework, it’s actually the way you and the business are communicating. So how did you go about explaining that the certification process wasn’t just internal organization of your team, but it actually was relevant to the business problems that the company was facing?

Tracy: There are two parts to that answer, because the utility of the cybersecurity framework is twofold. The first part is you go through the framework to identify the cybersecurity objectives as defined by this internationally recognized framework, which in and of itself validates it because it’s a standard that’s used by 20 countries and tons of industries in the United States. So by identifying the cybersecurity categories that are meaningful to you as a business and having those relate to your business objectives, you’ve basically laid out what your target cybersecurity profile is intended to be. The next step, though, is relating the ISO activities to those categories so that you can see what have I actually done to help satisfy those cybersecurity framework categories and where are there gaps. And as part of that process you can expose the investments that are being made as it relates to the ISO controls, what cybersecurity labor have I invested in, what policies have I created, what technologies have I put in place? You can then begin to see where you have too much investment in a particular category.

Woods: The idea is the next time you went to the CEO you said this cybersecurity framework has five categories: identify, protect, detect, respond, recover. And what we did is we showed what we were doing in each of these categories to identify threats, to protect ourselves, to detect them, to respond and recover. And we could then tell you which products we bought, which processes we put in place, which training we underwent to help this. Then, the CEO can see all of the activity that’s going on to address the risks in each of these areas.

Tracy: Yes. Exactly. And it’s the universe of things that you care about that is the backdrop for all of these investments. So that you can also see where some things that are desirable haven’t yet been done. The cybersecurity framework was a way for me to overlay the work that we did for the ISO 27001 so that you could see greater context.

Woods: What you’re really doing is helping explain how to create a detailed portfolio of cybersecurity investments using the NIST CSF framework and other frameworks, and you’re trying to frame that issue so that it makes sense to the business.

Tracy: Yes. From a communication standpoint, the beauty of the cybersecurity framework is the piece of it that’s referred to as the core. To the extent that you want to have a conversation that includes everyone from the server room to the boardroom and everyone in between, the beauty of the cybersecurity framework is the language rolls up from controls to subcategories to categories to functions and it allows everyone to be talking using the same lexicon, the same terms, and they all relate to each other.

Woods: Did you have to educate the CEO about how the functions are devolved into categories, subcategories, and controls?

Tracy: It took very little because there are terms that are relevant, whether you’re talking about cyber risk or you’re talking about other forms of risk within the organization, they’re just terms that resonate. It’s really intuitive so it didn’t take a lot of time for us to explain what it was, how it worked, and why it was beneficial. After about five minutes of us talking about cyber risk using this framework, you could see the light went on and it went from being, “I don’t understand the business value of ISO 27001” to all of a sudden, “I understand how our investment in ISO 27001 has helped us achieve our broader information security and cyber-risk objectives.”

Woods: So the CEO understands what’s going on. If a board member asks the CEO why are we spending X on cybersecurity, they can give a good answer. You’ve actually armed the CEO to tell a better story to whoever they have to tell it to. But after six months have gone by, how can you identify where the company should expand investments in certain controls or where you should prune investments in certain controls?

Tracy: The way that we address the issue is through a process recognized as continuous monitoring. Regardless of which framework you choose to adhere to, the concept of continuous monitoring suggests that you don’t go through the process once and put it on a shelf. You go through the process, identify risks, prioritize them, and create action plans. You measure progress toward the completion of those action plans, which means that you may have to make additional investments in addressing a particular risk, which might take a year because that’s what your budget cycle is. You identify who is going to do what by when. The trick then is to make sure that you’re managing the action plans and the remediation activity to closure.

Woods: So you monitor your landscape and the threats that are coming in. You then see if there’s potential for you to do a better job handling a certain type of threat earlier in the attack chain or make your response better. You create a plan to deal with it, and then you carry out that action plan. That sounds really good. But what I’m interested in more is if you’re monitoring, how do you ever understand when your control investment is maybe too large or your people technology is over capacity to the threats that you were addressing with them and that there could be a simpler way where you can either reduce investment in that control or prune a product out of existence?

Tracy: We’ve aligned our security investments for each of the CSF subcategories that are in scope for us. Let’s say that you have five technology investments that are associated with a particular subcategory. It begs the question, when you have your quarterly security reviews with your management team and CEO, “Why do we need five?” And through that discussion, either you identify the fact that that’s a great question because we were supposed to have stopped support for this product because this other one was to have taken its place. Absent some way of visualizing all of this investment data in one place, things can fall through the cracks. You can think that you’ve eliminated a particular investment in favor of another one and it didn’t happen for reasons that you need to investigate. Having the ability to see all of your investments, using the framework as the backdrop, helps you look to see where you’re overinvested. IT people can ask themselves if we add this to our portfolio of cybersecurity solutions, we don’t need this thing anymore. The utility is overcome by us investing in this other thing. But if you’re just adding new widgets to your environment because there’s a new thing on the market that sounds better, the discipline of pruning may not be as easy because all of the investments aren’t visible in one place.

Woods: So the pruning really only has a chance of happening if you use the framework and map out your investment portfolio in a disciplined manner. You have to map out all of the controls that you are going to implement. Then you can ask if there is a way to refactor that portfolio to take out some products, add others, and get all of the controls implemented for less money or get more effective implementation for the same amount of money.

Tracy: For us, the answer to that is yes. That’s how we’ve managed to stay on top of the investments to ensure that we’re not overinvesting and to at least be able to ask ourselves what is necessary. If the answer is yes, then theoretically you should be able to justify it. But if not, then this product replaces that product and it costs less money, so the overall cost of achieving security as it relates to that particular category should go down.

Woods: Can you tell a story about one type of product that allowed another type of product to be pruned?

Tracy: The antivirus is an interesting one because it gets a lot of criticism and you could argue that it’s not effective. But there’s a requirement that says antivirus is necessary and so by the letter of the law, not having antivirus could be perceived as a weakness. From my experience, it’s usually that a new product will have capabilities bundled that allow you to have one product that does multiple things versus five products that are all sort of point solutions.

Woods: The pruning, if it ever happens, happens in the context of a suite of products.

Tracy: An example using a vendor name is Palo Alto Networks. They’ve gone from being a pure-play firewall company to bundling a number of security solutions within their platform that allow you to do multiple things and they don’t have separate maintenance cost streams.

Woods: It’s clear that one of the important things is to be able to identify gaps between the security controls that you have in place and your desired ideal security. Can you give me some examples about how you’ve identified such gaps and what you did to remedy them?

Tracy: Gaps come in a couple of different flavors. One type of gap we identify is through the requirement to deal with new security standards to do business with the federal government. Like 800-171 is a fairly new standard that the federal government is putting on government contractors. ISO 27001 has various security controls that require compliance that we may or may not have met prior to our desire to comply with that standard. But there are also technology areas you have to deal with because what you’ve done in the past wasn’t sufficient, and an example of that is patch management. You realize over the course of some period of time that your patch management solution is leaving you with far too many critical and high vulnerabilities that should have been patched, but for whatever reason, weren’t. You have a patch management responsibility that’s not being fulfilled because your patch management solution isn’t doing what you thought it was and it forces you to relook at your system investment to find something better.

Woods: For example, you might have a graph of the time between the announcement of a critical patch and its application in your environment. If it turns out that the average delay is going higher, you can recognize that you need to do a better job of patch management.

Tracy: Yes. And it could also result in you realizing that to rely completely on technology to deal with patch management is something you can’t expect. You may then say we need to add another person to our investment portfolio because there are certain things that a human has to patch.

Woods: The idea is that the controls are always people using a product in a context, and also processes that happen outside of the product as well. It’s never just let’s buy this and it’s done. Now, you worked with Drew Ladner, the former CIO of the Treasury, and he was one of the first people who told you about financial portfolio management ideas and how they applied to cybersecurity portfolios. He now runs a company called Pascal Metrics. Could you tell me a little bit about your first experience coming to the idea of cybersecurity as a portfolio?

Tracy: Working for him was the cold, hard slap in the face that I needed at the time. He basically said to me, “Rick, what you’re doing is good and all. But from a risk management standpoint, you should be thinking of it like the financial sector does as a portfolio.” He was the first one to sensitize me to the fact that you can’t treat everything at the same level. All systems aren’t of equal importance. All IT elements that make up your business systems aren’t of equal importance. There’s a need to prioritize and look at your information security risk management process as a portfolio endeavor, which means that you have to prioritize based on what’s most important to your mission. It was the first time anybody had tried to translate financial services portfolio management concepts into IT security risk management concepts.

Woods: How do you get the most value out of using these cybersecurity frameworks in the context of managing a portfolio?

Tracy: My suggestion is to walk before you run. Pick the framework that works best for you. We use NIST. The value of it is that it’s a framework and NIST encourages organizations to use it as they see fit and to adapt and modify it. My suggestion is to start small and then grow quickly. Add to it over time quickly to get more benefit from it. Identify the pieces of the framework that offer you the most value right now so that people begin to buy into it and then expand how you use the framework to derive more and more value over time. Recognizing that you use a framework to manage risk is one thing, but educating people on how to use it and their role or their visibility as it relates to the framework is much smaller than the entire company.

Woods: How can somebody who’s a CISO/CSO choose between the different frameworks? What frameworks are out there to choose from and what are the strengths and weaknesses of each one of them?

Tracy: We chose NIST because we have a very long history with the NIST organization. We’ve used other frameworks in support of our customers, like the risk management framework, which is a much heavier-duty framework that was originally targeted toward federal agencies. We’re very familiar with the NIST way of doing business. We were staunch supporters of the cybersecurity framework when it was introduced in 2014 for critical infrastructures in the US. We saw a broad adoption of the cybersecurity framework. There are more than 20 countries around the world that have embraced the NIST cybersecurity framework as a national standard at some level. It is just much more prevalent than other competing frameworks that exist.

Woods: There’s a lot of momentum for the NIST cybersecurity framework. So there’s a critical mass of attention toward it and everybody’s framing their products and their conversations around it.

Tracy: Yeah, Gartner put out a slide a year or two ago that showed that they expected that more than 50% of companies in the United States by 2020 would be using the cybersecurity framework to some degree.

Woods: Thank you. As usual with the Designing Enterprise Platforms podcast at Early Adopter Research, we wander around and go deep into topics and then pop back up and talk about big picture stuff. And we’ve done that today. I really appreciate your time with us today, Rick, and thank you for sharing all your wisdom.