October 17, 2022
CDW Exec-Connect: Winning with Identity and Access Management
For Cyber Security Awareness Month, CDW Vice President of Integrated Security and avid runner, Stephanie Hagopian, explains why building your identity practice is a marathon, not a sprint, and how training for both is a lesson in endurance.
How do I gain leadership buy-in for Cybersecurity improvements?
I love to run. Running is how I like to process my day and determine what are my next steps for priority projects. As a high-energy person who can’t sit still, it is truly a mental health exercise for me; a way to burn pent-up energy from sitting at a computer all day and de-stress.
I’ve done multiple marathons and many half marathons, as well as 10Ks and 5Ks. No matter the distance, I do a lot of creative thinking during my runs, and this month especially, as I train for a half-marathon in December, I’m thinking about National Cybersecurity Awareness Month and how it correlates to the same time of year when a lot of customers are critiquing their cybersecurity risks and wondering ‘How do I balance the reality of my IT budget and resources with the reality of today’s threat landscape?’
During a recent outing, I started playing with the idea of how closely related marathon training is to building any cybersecurity program. After over 20 years espousing the importance of developing multi-faceted security programs to customers, I’ve seen my fair share of cybersecurity analogies:
“Identity is the new perimeter.”
“Multi-layer security is like an onion.”
“Protecting your sensitive data is like protecting your crown jewels.”
“We’re in a cybersecurity arms race.”
But I’ve never really thought of how the journey of building and maintaining a security program is so similar to how I train for a long-distance run, especially since it’s something I never really stop doing.
I agree that most of these analogies are indeed an oversimplification of a very serious topic, and most of them are overused, but there is a reason we gravitate to them in this industry – because security concepts are complex. They’re hard to grasp. And when you consider that most cyber breaches could be avoided with some fundamental cyber awareness training and enablement, I think analogies are great tools for folding more people into a security-aware mindset and raising their overall security IQ. Especially considering that credential thefts have doubled since 2020. According to findings from the Ponemon Institute, 56% of incidents experienced by organizations were due to negligence, and the average annual cost to remediate the incident was $6.6 million.
That’s justification enough to simplify what we aim to accomplish, so more end users can practice good cyber hygiene. Particularly when it comes to showing leadership how spending money on cybersecurity controls can avoid costly penalties and their institution’s reputation “in the long run.” Many executives and employees who don’t have an IT or security-related background often believe that the solution to cyberattacks involve complicated, highly technical software and hardware investments. They are right to a certain extent: cybersecurity threats are constantly changing, and so are organizational priorities and operational requirements, but you can spend millions in a cybersecurity program and undermine all of those sound investments if you don’t also have a tuned-in and vigilant workforce who can spot a phishing email and won’t divulge their passwords to a threat actor. Training your workforce should always be a priority.
“
Whether running marathons or setting up a lasting IAM program, going too fast, too soon can be your biggest vulnerability.
”
Stephanie Hagopian
VP, Integrated Security
What is Identity and Access Management (IAM)?
Identity and Access Management (“IAM”) solves the challenge of understanding what digital identities (human or non-human) have access to what resources (applications, devices, etc.) at the appropriate time based on that identity’s role within the context of the access request. It’s a concept that’s been around for over two decades and has always been one of the most critical elements of a cybersecurity program, though it was not often treated as such. When IAM first gained popularity around 10-15 years ago, it gained a reputation for being too costly and difficult to implement, so many organizations either built their own solutions or did the bare minimum. However, the advent of smarter technologies, a more seasoned and experienced IAM talent pool, and the recent rise in popularity of a Zero Trust model, has put IAM into the forefront of cybersecurity.
Zero Trust Architecture (ZTA) is the latest buzzword (you could even claim it’s an analogy in its own right, especially if you look at the Cybersecurity and Infrastructure Security Agency’s (“CISA”) “Temple” visualization model). It’s admittedly overused at this point, but it’s not a new concept. ZTA is simply another way of looking at a multi-layer security model but in the context of a modern security landscape that has no real boundaries. The mantra that “Identity and Access Management is the new perimeter” is no longer accurate, because there is no actual perimeter. It’s more than a marathon that we’re chasing nowadays: it’s a road with no end. As a result, tying security to an identity has turned IAM into the most critical component of a ZTA model to ensure access to sensitive data can be traced through all layers of a modern infrastructure at any point in time. ZTA and IAM are 100% tied together in the CISA Zero Trust Maturity Model, which is an evolution of what the National Institute of Standards and Technology (NIST) framework developed.
But how do you convince senior leadership that this is so important to your overarching security program? How do you help them understand that identity controls—in addition to your next-generation endpoint, edge and network solutions—are legitimate budget line items? How do you explain to stakeholders the time and resources it takes to build a well-toned cybersecurity program? Or why IT needs to move faster/slower than they deem it necessary? What kind of logic will you use to get their buy-in? That’s where the Marathon metaphor comes in handy, and here is my interpretation of the 6 ways Marathon running can inform your approach to building an IAM and ZTA program.
1) Gauge your starting point.
When I run, I’m not competing against anyone but myself. In fact, I’m my own worst critic. I don’t need anyone else to egg me on to excel or win. Similarly, as organizations investigate how to build out their cybersecurity measures, the key is to not be swayed by what others are doing in their industry or get tricked into implementing universal tactics. Your organization is unique. Keep that in mind. Consider how your workforce gets work done. Are they at a desktop all day, or using mobile devices out in the field? Are they issued company devices, or do they use personal ones to accomplish their goals? And it’s not just your workforce – you also have to evaluate your third-party vendors and partners, as well as your customers.
You really need to understand how your security posture ranks when compared to a framework like ZTA. Most organizations are not starting at ground zero. They likely have many security controls already in place, and probably use NIST as the baseline for the program, which automatically puts them at a ZTA maturity level, especially when it comes to basic elements of IAM, like Multifactor Authentication (MFA) or Single Sign on.
Warm up by taking inventory of your infrastructure and technological debt. Find out what may be redundant or close to deprecation, and where your gaps are functionally. Review your business logic. Is it logical? What aspects can be automated, and which must stay as manual exception processes? How reliable is your data? Do your authoritative user attributes really determine the roles and responsibilities to assess who (or what) requires access to your organization’s most sensitive data, who doesn’t, on what devices, and to which systems?
2) Don't go too fast.
I’ve run multiple marathons. That experience does not trick me into believing that I will automatically be able to be the first across the finish line or even beat my last time. Likewise, it is important that organizations don’t have a “false start.” In racing, the goal is to clock the best time. In setting up a ZTA framework or IAM program in a ZTA context, your goal is to not expose your company to a breach. Whether running marathons or setting up a lasting IAM program, going too fast, too soon can be your biggest vulnerability. Every company has its own pace. Nobody, not even a third party will understand how fast your org moves or what your corporate objectives truly are because only you live it day in and day out. Overestimating your ability to keep up the pace can cause injuries that could be detrimental in racing and in security deployments.
Your leadership team may be in a hurry to report to their investors that they’ve “finished” an IAM initiative (a misnomer in its own right), but the speed of getting even a foundational IAM program up and running doesn’t matter if you’ve missed crucial vulnerabilities or skipped essential workforce training and communication planning. Also, remember that the pace at which your company implements your framework is vastly restricted by the number of resources you have and the other projects going on in IT and at the line of business level. Working IT staff into the ground to incorporate a new IAM solution at some predetermined but inconsequential time will only increase the chances of a configuration error or critical oversight.
3) Look at your roadmap and gather intelligence.
Marathon training can take you so many different places, and everyone trains differently, even while keeping in mind their end goal. Some people run on city streets, and others run on tracks or treadmills. Most people track their progress using a wearable device to monitor vitals and clock performance. They are all useful at different stages of building endurance to run 26.2 miles (a number that is oddly specific, but it commemorates the run of the soldier Pheidippides from a battlefield near the town of Marathon, Greece to Athens in 490 B.C. to announce the defeat of the Persians). No matter where you start, or how you supplement your workouts, you have to keep in mind where and how you will end your journey. Sometimes it can feel like you too are trying to run an unattainable distance to end a war, but you have to stay the course to meet your goals.
It’s rare to see a marathoner run without shoes or water-resistant clothing. It’s true some brands are better than others, but most have the same elements. Similarly, a mature IAM program will draw on a number of time-tested standards, tools and solutions. While there really isn’t one right direction, a program that doesn’t adopt a sound cybersecurity controls framework (like NIST, ISO – or ZTA) will likely fall short of helping you reach your destination. And since ZTA is based on the NIST framework, the two playbooks will take you on a scenic route past the necessary landmarks of Identify, Protect, Detect, Respond and Recovery.
Intelligence is also a factor. Like a FitBit or Apple Watch, deploying the proper analytics and intelligence-based solutions will provide specifics about your threat landscape that you wouldn’t normally notice or easily track. Integrating your SIEM with your IAM tools and pairing it with related elements of your cybersecurity program like user entity behavior analytics, threat hunting, incident response, and network traffic analysis will provide the level of visibility you need to truly counter external or internal threats. And if operationally, you do not have the capability to have your own Security Operations Center (SOC), the keen expertise of a third-party vendor who can monitor, detect and respond to these metrics and patterns 24/7 can fill in gaps in your staff where needed: this is why Managed Detection and Response (MDR) as a component of ZTA has become so popular in recent years as well.
4) Create a schedule.
Despite that I run 6 to 7 times a week, I’m acutely aware that doesn’t mean I can go out and run a marathon tomorrow. I’d likely need to stop after seven miles. One long practice run on a Wednesday won’t make or break a marathon. Running a marathon is not a one and done kind of thing. Neither is setting up a ZTA framework or IAM Program. It’s the preparation over months and even years that will really sustain you. Sometimes, IT teams are so confident in their expertise that they question why certain deployments can’t be introduced earlier in the timeline. With setting up a secure program, it’s important to operationalize your processes. Given the resource challenges of late, the skilled team you have now may not be with you later. Building out a scalable, repeatable, documented process which can be taught to predecessors is the epitome of cybersecurity succession planning. Also, as the threat landscape evolves, so too must your program evolve. This can be done by adding time in your roadmap to modernize equipment, renew software licenses, update employee training, and streamline processes with an overall eye towards continuous improvements.
5) Understand how to sustain your energy budget.
Running a marathon can be depleting, but so is operationalizing any element of your cybersecurity program. The night before a marathon, I load up on carbs like pasta, rice, and bread. But by mile 18 the next day, my energy has diminished entirely. So I eat gummies, because (of course!) carrying a loaf of French bread is not convenient and honestly just weird. Gummies are light and easy to carry with you while you run. They infuse my body with needed glucose, but without causing gastrointestinal distress. With gummies, I can increase my stamina at opportune times during the race; like when I feel everyone is passing me. But I’m usually on autopilot, and I reach for the gummies during regular intervals to replenish my strength.
Like any good sustainability plan, automating security controls across the company can help your organization reliably monitor and economically assess risk. IAM introduces a lot of automation—like your daily user on-boarding and off-boarding processes--as do most security technology investments, especially ones that embed machine learning and analytics capabilities. Most of the security investments you make will allow your organization to scale with less risk, which is crucial in a world where we have an extreme security talent shortage.
6) The last leg of the race.
There is one final thing that I do when running a marathon, which I believe will be a benefit to those working to enhance their identity and managed detection program. I remind myself what I’m running for. Like I mentioned earlier, running helps with my ability to unwind. I absolutely do it for fun, but I’m a big fan of running to benefit a charity—especially those that have impacted my close friends and family. I’ve run for Breast Cancer and Multiple Sclerosis research and awareness quite a bit.
As I run, I don’t need anyone else to egg me on to excel or win: the causes I run for keep a fire under me. The impact of cyber breaches also has real world consequences for the industries they affect. Everyone focuses on the direct financial costs, but opportunity, reputational, and market costs are just as substantial and critical to why we need to invest and build a cyber program that guards against these risks. Not to mention the costs carried by individuals. For instance, when hospitals are attacked with ransomware, medical devices are disabled, and access to medical records are lost preventing patients from receiving timely care. “Ransomware attacks on hospitals are not white-collar crimes, they are threat-to-life crimes,” says the American Hospital Association. When building out an IAM and overarching cyber security and risk management program, I’ve found it helps to consider how an attack on your organization would affect your business outcomes and your customers or your customer’s customers. Visualizing the costs they will pay in time, health, or loss of financial security will inspire you to run your best race and subdue the attempts made by bad actors.
The finish line?
Finally, while there are many parallels between cybersecurity and marathon running, the truth is that after months and even years of preparing, one ends, but the other one doesn’t. In fact, not only will your preparation against a cybersecurity breach not end, but also it probably will not end well. As I’m sure you’ve heard before, the question is not IF you will be breached but WHEN. Securing your organization from cyber threats by defining roles, requiring authorization, and enforcing governance are never-ending. There is no finish line, and an IAM architecture is only one element of a full-stack solution. An end-to-end solution will include Network and Cloud security posture management solutions, Next-gen firewalls, incident response, DevSecOps, and much more.
Also, unlike marathon running, defeating bad actors doesn’t need to be done alone. Team up with a third-party vendor like CDW. With the help of our deep-seated partner bench and certified security specialists, we can assist with managing your risk before, during and after an event. We’ll run this race with you.
About the Author
Stephanie Hagopian is the Vice President of Security Solutions at CDW. In this role, she oversees CDW’s full-stack cybersecurity practice, with more than 500 coworkers and annual services and solutions sales in excess of $3B. Stephanie has more than 15 years of experience in the IAM and cybersecurity industry, serving in both sales leadership and technical delivery roles. She also serves as a thought leader on emerging IAM and cybersecurity issues, frequently speaking at regional and national industry conferences and events. Prior to her current role, Stephanie was the global sales and business development leader for Focal Point Data Risk, a leading cybersecurity services provider acquired by CDW in 2021.