Charter Engage: Know IT
Welcome to Charter Engage: Know IT, the new podcast series from Charter (www.charter.ca), an award-winning technology solutions integrator established in 1997 in Victoria, BC, Canada. Our mission is to align people, process, and technologies to build better organizations, enhance communication, boost operational performance, and modernize businesses. Leveraging a design thinking methodology and a human-centered approach, our team of experts drives successful business transformation for clients. Charter offers a comprehensive range of IT, OT, and IoT products and professional services, including advisory and consulting, project management, and managed services, providing end-to-end solutions from planning and design to ongoing support and implementation. We extend knowledge and support beyond our clients’ businesses, empowering them to focus on core operations. Charter helps organizations generate new value, drive growth, and unlock opportunities, enabling faster and more effective market entry. Forward, Together with Charter, achieving your potential.
Stay current on the latest cutting-edge strategies and industry-leading practices in IT innovation. Subscribe to Charter Engage: Know IT and let Charter help drive your business outcomes Forward, Together.
Charter's Cybersecurity Best Practices
October is Cybersecurity Awareness Month, and this podcast discusses best practices and how to plan and execute a cybersecurity strategy that protects the people, your assets, and the devices of your organizations.
Get to know our contributors: Ronnie Scott, our Chief Technology Officer, Krisann McDonnell, Charter’s Security Practice Lead, Josh Patton, our Principal Architect – Security, and Mark George, Charter’s Director – Energy, Resources & Industrial Markets as they have a roundtable discussion touching on having good cybersecurity process for your organization; foundational framework pillars to rely on; how to put strategies in place; and issues around cyber insurance.
“It does take a machine to be able to catch a machine, and a human to be able to catch a human.”
- Krisann McDonnell, Charter, Security Practice Lead
This is the third of four Charter Engage: Know IT podcasts set to be released weekly in October.
· Week 1 - Charter’s Business Transformation Roadshow: A Practical Approach to Business Transformation
· Week 2 - Cybersecurity Awareness Featuring Jason Maynard
· Week 3 - Charter's Cybersecurity Best Practices
· Week 4 - IT Staff Smarts: The Augmentation Approach
Charter Engage: Know IT Podcast –
Charter's Cybersecurity Best Practices
[Recorded simultaneously in Victoria, BC, Calgary, AB, and Mississauga, ON]
September 28th, 2023
Presenters: (in order of appearance)
· Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator
· Ronnie Scott, Charter, Chief Technology Officer
· Krisann McDonnell, Charter, Security Practice Lead
· Josh Patton, Charter, Principal Architect - Security
[0:06] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator
Welcome to the latest episode of Charter’s ongoing podcast series called Charter Engage: Know IT. I'm your host, Mark George, the Director of Energy, Resources, and Industrial markets.
Today's discussion is episode two of our Cybersecurity series that we've created because in October, it is Cybersecurity Month. We're going to talk some more today about best practices and how to plan and execute a cybersecurity strategy that protects the people, your assets, and the devices of your organizations.
For over 25 years, Charter’s built a very successful business as a reseller of networking, IT, security, and collaboration products and services. Last year, we made the strategic decision to invest and build a much broader systems integration business, developing specialty professional service practices in critical areas such as business architecture, Governance, Risk and Compliance (GRC), staff augmentation, and cybersecurity. To do this, Charter will take responsibility for customers achieving business outcomes, leveraging best-in-class technology and a comprehensive portfolio of professional services to help them integrate and optimize across the traditional IT and OT infrastructures. To put these comprehensive solutions together, sometimes Charter will partner with third parties to help our clients achieve their digital transformation and business objectives.
For our regular listeners, you know that we spent the last few months in our podcast series exploring topics such as how we work with industry partners to secure connected workers, leveraging design thinking to build business transformation road maps, and, most recently, how to move beyond using spreadsheets to make more informed decisions.
Underpinning all of these subjects is the absolute mandatory protection of corporate integrity with pervasive cybersecurity. Now, all the leading consulting firms suggest that you're either an organization that's been hacked, or you soon will be. Cybersecurity statistics indicate that there are 2,200 cyber attacks every day. With a cyber attack happening every 39 seconds on average, a data breach costs well in excess of $7 million. And cybercrime is predicted to cost $8 trillion by 2023. [1]
With sobering statistics as a backdrop, we are blessed today to have three industry veterans to help us think our way through the cybersecurity challenges. I am pleased to introduce our guests: Ronnie Scott, the Chief Technology Officer at Charter; Krisann McDonnell, the Security Practice Lead; and Josh Patton, our Principal Security Architect. Now all three have seen the good, the bad, and the ugly with respect to creating cybersecurity strategies and determining how best to remediate after a security breach or incident. We honestly couldn't ask for a better team to help us drill down deeper into this topic. So, let's get started.
I think you'd all agree that there's no question that cybersecurity has become a top priority for organizations across all industry sectors. In fact, in 2021, approximately 90% of manufacturing organizations had their production or their energy supply hit by some form of cyberattack. In a recent McKinsey and Company article, they point out that both elements of a company's operations are vulnerable. But OT cyber attacks tend to have higher and more negative effects than even those in IT do, as they can also have physical consequences. In other words, shutdowns, outages, leaks, and explosions. [2] Clearly, cybersecurity is a 24-by-7 job.
So, Ronnie. In the first episode of our Cybersecurity podcast series, you and Jason Maynard, the Field Chief Technology Officer of Cybersecurity at Cisco, focused on cybersecurity awareness. Essentially, talking about how it’s important that from the top of the organization to the bottom, everybody is cybersecurity aware. [3] Perhaps you can start this off by sharing some of the key takeaways that are relevant for today's discussion, as we dive down more on best practices, and planning and executing a cybersecurity strategy.
[5:34] Ronnie Scott, Charter, Chief Technology Officer
Thanks, Mark. It's great to be back in the podcast chair again. Hopefully, the listeners aren’t getting bored of my voice.
But we had a really interesting conversation with Jason [Maynard] and we talked a lot about a number of different things. We definitely talked about the ideas of how IT and OT security differ. But I think the thing that we really settled on is that having good process in your organization is the starting point. So, for example, basing your security response on a framework allows you to get past the idea that I'm always just responding to things.
So, when we look at the framework model, we start off with these basic pillars. And it's commonly recognized that there are now six pillars. (It used to be 5, but it's now six.) But you start with GOVERN; then you go on to IDENTIFY, know what you've got; PROTECT, to protect those other things that you've got from damage; then you DETECT if anything weird is happening; then we RESPOND; and worst-case scenario, we RECOVER.
What we tend to do as organizations, is we often jump into that PROTECT. That's the thing we all know about. And whilst those basic tools of prediction, firewalls, and e-mail protection and intrusion prevention tools are fundamental and helpful, they only run, [and] don't provide protection. So, we need to think outside of that box. We need to think about our whole life cycle from knowing that we've got security policies and frameworks in place; knowing that we have all the elements in our organization protected; knowing that we have all the elements and components in our network protected; and then being able to see when something happens, respond to that threat, and recover if the worst happens. So, I think this idea of having a basic foundation framework to work from allows us to dig deep.
So, I'm really excited to have Krisann and Josh, who I work with all the time, being able to come in here and bring some depth to that of “How do we actually do these things? How does it look in the real world?” So, I'm looking forward to the conversation, Mark.
[8:11] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator
Krisann, as the leader of Charter’s Cybersecurity Practice, can you build on the concept of the framework and maybe take it down to the next level? What is the path forward given the significant investments that clients need to make in protecting their organization from an attack?
[8:42] Krisann McDonnell, Charter, Security Practice Lead
I think it all starts with knowing what you have to protect in the first place. Of understanding your assets, your valuation, and what it is you have to protect before you can protect it.
[9:02] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator
So, Josh. Maybe from an Architecture perspective, then, take it down one more level. So, you've got this framework. You've identified what you're trying to protect. Clearly, there are multiple different types of cybersecurity issues that you're seeing, (whether they’re breaches, or user phishing, cloud misconfiguration, [or] a supply chain breach.) Take it down the next level for us and kind of build on that, and help our listeners better understand (as they are developing their cybersecurity strategy) how to put into place some of the fundamental policies [and] procedures they're going to need to protect, no matter what the assets are - people, technology. How do they do that from a very technical perspective?
[10:05] Josh Patton, Charter, Principal Architect - Security
For sure. Thanks for having me on the podcast. This is a great topic.
So, I think Krisann highlighted, you know, one of the imperative paths forward, which is really asset identification. And, you know, the word “asset” could mean many different things. That could be your employees; that could be your intellectual property; that could be the devices that you work on; that could be something to do with your supply chain and making sure that your customers are consuming services, maybe, you provide. Assets can be really identified and articulated in many different ways.
But that really leads into those first three pillars after GOVERNANCE, I find, are the most important pillars. From an identify POV, you want to identify both how your employees work; how your customers act; [and] what type of devices they work on. Knowledge is power, and understanding a lot of traffic flows, or use cases, or how your business runs helps you identify how to move into the next pillar - to protect those things.
Protection though, traditionally when we look at perimeter devices, like a firewall, are very “Yes/ No” kind of controls - which makes it difficult to do the third pillar, which is DETECT.
And so, where we really have been leaning in the last, quite some, period of time is to grow past looking at these as transactional deployments. A firewall, perimeter device, [Intrusion Prevention System] IPS, [and] things like that feed into a defense-in-depth strategy, a layer of protection. Which means you can't just look at them with one lens. You need to take a step back and look at it from a security program-type point of view, and how these different investments, or different process changes, actually feed into your big picture.
So those three pillars that start off with IDENTIFY, PROTECT, and DETECT really feed into growing from a “Yes/ No” kind of control perspective into a much more fluid, look for anomalous behavior, when are users, or devices, or traffic behaving in a manner that isn't traditional, [or] you haven't experienced it before. This is where we're getting into finding interesting things in the OT environment. You should be able to identify all your assets in that OT environment, whether you're looking at [Programmable Logic Controller] PLCs; or whether you're looking at operator workstations; [or] whether you’re looking at historian servers.
So, you should be able to identify all the assets within an OT environment. And that helps you, kind of, define how you want to protect them. “What is the expected behavior? What is the expected usage from an employee or a plant worker? What is the automation behavior of traffic flows behind that (for looking at statistics or any kind of information out of these devices?”), and that helps you be able to detect when anything abnormal is happening.
So, there are a lot of areas that this industry has been growing, to look at behavior analytics from devices, and users, and customers that help us hone in on where some of our layers of defense need to be strengthened or explored for better efficacy.
[14:41] Ronnie Scott, Charter, Chief Technology Officer
So, I'm going to reflect on that a little bit and point back to you, Krisann. When we talk about these kinds of solutions and this “identify and protect” and so on, we can obviously go and get a hold of tools off the shelf. And that’s something we've been doing for a long time in the past, is “Let's go and get a firewall from vendor X, and let's get this SaaS solution from vendor Y. Let’s get an antivirus from vendor x,” or whatever it is. We’ve just been going, and getting these tools, and putting them together. But I think one of the things you've been doing in your past is, sort of, looking at the whole solution from a single-stack solution. I know you've been working with Microsoft a bit.
What should a customer be doing to pull these solutions together and what do you think [are] the kinds of solutions that a customer should be looking for today?
[15:54] Krisann McDonnell, Charter, Security Practice Lead
Consolidation is really the thing of the future now, and the reason for that is as we traditionally choose our solutions, quite often, with looking at the Gartner right-hand quadrant [4] for solutions, and implementing those solutions, and as many organizations have discovered that we've invested a lot into these solutions, and yet the bad actors are still winning.
And the best of platform solution provides native integration and speed with solutions - which is really key to responding to an incident. Automation and speed. The automation and speed are really key to being able to respond to an incident today, especially since it's not only just humans (even though they’re the ones that are behind the systems), but they’re using AI and machines. And it does take a machine to be able to catch a machine, and a human to be able to catch a human.
[17:22] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator
Josh, I have a follow-up question. You brought up a really important issue that I think we should probably give some thought on. So, a cybersecurity plan really needs to look across the enterprise and include the traditional IT side and the OT side. But I suspect, and I’d be interested in all your views on this, Ronnie, and Krisann, and Josh, how do you deal with the fact that some of the OT systems can't be touched, or the operations team prefers not to touch them? Some of them are legacy systems, some are 30 years old. Some are very remote because they're in plants far from headquarters. How, then, do you take those kinds of things, those challenges presented by the OT environment, and incorporate those into a solid enterprise cybersecurity plan?
[10:05] Josh Patton, Charter, Principal Architect - Security
Well, that's a great question, Mark. And you know our industry has gone through this several times, in the past. There used to be dedicated voice specialists. It would not let IT people anywhere near their technology. And I think we're going through that same convergence with OT and IT right now. And so, it's a bit of fear from an outsider not knowing what technology is going to do to their environment. So, you can't discount that their feelings are valid. And they need to be addressed when they're worried about what we do in an OT environment.
Typically, though, we don't need to touch anything in an OT environment. We want to observe. We want to identify what you have, and how it reacts, and how it behaves, and layer on, on top of that, “How do we continuously protect it so that that behavior doesn't change, and then detect if that behavior changes in these environments?” A lot of them have Legacy Communication Serial RS 422, 232, 458, and a lot of people have been migrating that to serial over IP because those devices are still functioning, and don't need to be updated yet. And that's fine. From an IT or a cybersecurity point of view, we just want to be able to monitor that nobody is being malicious - whether that's an accident from a misconfiguration, from an insider in the plant, as well as from external threats. This is how we, kind of, approach dealing with e-mail, it's how we approach dealing with door access control systems. Every area of technology needs a little bit of governance, a little bit of monitoring, and a way to respond and recover as quickly as possible when things go poorly.
[20:21] Ronnie Scott, Charter, Chief Technology Officer
So, I'm going to wind the question back just a little bit, Mark. Because I was recently on a panel for an upcoming conference, [5] and we were having a very similar conversation. And an important part that we need to remember, is for these people in the operational world, “Why would I even connect to the network in the first place, right?”
So, if we're going to connect, there is no argument - you have to secure. So, if you don't connect, you're in a position where security may not be as important. If you are connected, it is important. It's just that simple.
So then why would we connect at all? Well, the simple answer is your business needs it. You connect your OT world to your IT world so that we can get data out of the business, and that we can see what's happening, and then we can respond, and we can be more agile to the business needs.
So, if you're in that position where you want those benefits, you've got no choice. And then we can begin to wrap the designs and plans, that Josh and Krisann’s experience brings to this world, and apply that to the OT world.
If you don't want to connect, don’t. And there are cases, still, where an air gap still makes sense - the military and nuclear power stations and so on. [6] Sometimes you just want a good old air gap to make sure that boundaries are not going to be compromised. But if you're going to connect, you’ve got to secure.
[21:55] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator
So, Krisann, in the cybersecurity practice at Charter, obviously you're providing very strategic advice to clients on a very sensitive topic. I suspect one of the questions that you get is “What is the right combination of products that, perhaps, one might say are best-in-class?” Because it goes way beyond “What's the right firewall to use?”, as everybody's discussed this morning.
So, can you give us a sense of what the checklist might look like to put together the right combination of products that are known as best-in-class?
[22:41] Krisann McDonnell, Charter, Security Practice Lead
I don’t think that cybersecurity is a checklist. It starts from what the business goals are and what the organization is trying to achieve from a cybersecurity perspective. Every solution is different. Every organization is different. Every goal of the organization is different. Some organizations are growing by acquisition, for example. Some organizations have a mother ship and are purchasing organizations that they're going to integrate into the mother ship. And those cybersecurity problems are different than an organization that is growing by acquisition, but they're keeping the companies that they acquire separate from the mother ship, for example. “Am I looking to build a business that I'm going to sell in five years?” It really does depend on what the goals are of the organization, and where they're going, as to how those cybersecurity solutions would fit to them. It's not a checklist. It's a tailored solution, usually, going back to a framework such as NIST [7], such as ISO [8], such as Sys. [9] And I know Josh could expand on that as well.
[24:18] Josh Patton, Charter, Principal Architect - Security
Definitely. You know, I think we brought up a couple of points, like defense-in-depth and layers of protection. And that, kind of, leads into speaking about platforms and, for example, the Microsoft Ecosystem. [10] So, there isn't really a checklist, but one thing to keep in mind is these are layers of defense that should all work together, and they should all lead toward risk mitigation. That's the whole point of the game, is to mitigate the risk for our organization from a cybersecurity point of view.
And then that leads into measurements and “How do you look at measuring this?” When you do have an ecosystem, like the Microsoft stack [11], where we can talk about Defender for IT and Defender for Endpoints, Sentinel, your Azure cloud presence, and what kind of workloads that you're running in the cloud. You kind of get visibility into several layers of your stack. And so, you want to think about that while you're positioning, what types of tools and controls you're going through this virtual checklist. Because they're not items on a list, they are peers to the layer above and the layer below. And at the end of the day, what you want to do is be able to measure those investments and measure your risk reduction.
One great example is the amount of EDR hits you might get - Endpoint Detection and Response. [12] If you have a very mature EDR solution and you are getting it to alert you and you put a new perimeter solution in, like an IPS system (an Intrusion Prevention System) [13], and that starts blocking traffic at the perimeter, a quick measurement is that your EDR hits go down. That's a way to look at these two layers working with each other. You would never think that an IPS and an Endpoint Detection System should have a correlation that you can get right out of the gate, but those two investments usually cost significant capital, significant effort, and they do mitigate significant risk. A lot of organizations have challenges with those risk measurement reductions and the dollars that they spend.
So, I think that's a really fascinating way to look at the different products and tools, how they all work together, and how, at the end of the day, they should all work towards that same goal of mitigating your risk.
[26:37] Ronnie Scott, Charter, Chief Technology Officer
So, I want to, then, add the “I'm going to play the CTO card,” right now. Whether you're an IT leader, or IT Director, or a CIO, or CTO, when you're looking at all these different solutions your team is bringing forward and saying, “We need a firewall, we need an IPS, we need an [Enterprise Vulnerability Remediation] eVR,” [14] I think it's very easy for us to get confused about how this is going to help us and how is this going to make our business better.
So that's where the framework keeps coming back into it. And I don't want to harp on about it. I know that we keep coming back to the stuff. But, as a leader, it's important to know that the product(s) your team is recommending and bringing forward is fitting into your big picture, that it’s fitting into, “How is this going to help me know what we've got protected, and help us identify if something is happening, and help us to take those breakouts?”
If you're not adding tools to your overall solution, if you're just putting in point products, you're essentially creating gaps in your fence that you're not looking for. And so, by having a strategy and a plan, and having your team align to that plan, you can demonstrate how you're improving all of those pillars - rather than just having one that says, “Let’s block this, let's protect that,” and finding that there’s a whole other thing(s) you're totally ignoring.
And what Josh was just saying is so important. If your IPS is able to help prove that your EDR is doing its job, or vice versa, that's great information. To know that you're doing your job and improving your protection.
[30:04] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator
Josh, one of the topics that many of us get involved in, with our clients, is the concept and part of the strategy of protecting your organization, is having cybersecurity insurance. Specifically, I guess, the coverage they need to deal with many of the issues we’ve discussed on the podcast, so far. The cost of the coverage is, obviously, embedded in the policy and many of them say to us, “I don't know whether I'm covered properly.”
Can you help us better understand, maybe, some of the coverage things that people should protect themselves from? But more importantly, we know that in the event of an incident, coverage can help you remediate. So, maybe, both sides of this cybersecurity insurance - Josh, you could start, give us some thoughts on, and then maybe the others on the call can develop out?
[31:18] Josh Patton, Charter, Principal Architect - Security
Definitely. So, I would think from a cybersecurity insurance POV, you do want to do your homework and understand exactly what you're covered for. You did mention a couple things, like remediation of an event, but you know, we want to make sure, you want to make sure that you're covering off all the bases on where you could have a negative impact and make sure you can either recover costs or loss of income, due to outages.
So, the interesting thing when you have a major incident is there are several areas of your business that are impacted. You have your brand name, you've got maybe stock market-related issues, if you're a publicly traded company, you have media to deal with, you could have other legal repercussions, you could have upstream or downstream obligations that you can’t contractually meet. So those are all areas that you want to explore. It’s very custom to your business. No different than buying insurance for a car or tractor. When you're in a car you need to make sure of airbags and seatbelts. But when you're in a tractor you need to make sure you have a few other things to find, like a proper cabin and where you’re going to be using it.
So, to cover off the aspect of the remediation, you also want to make sure that your insurance provider can help you in several different areas or, if not, if you have specialty response that you know where to seek incident responders, media liaisons, what your legal obligations are, how you need to maybe report this to a municipal, provincial, or a federal entity (depending on what industry you’re in.)
And you mentioned at the very start of the podcast, especially when we look at OT environments, the impact can have physical plant shutdown, explosions, loss of life. There are lots of areas where you want to make sure you're exploring with cyber insurance.
At the end of the day there, cyber insurance is growing. Cyber insurance requirements have grown quite a bit over the last few years and that's due to threat actors improving their game, and using better tools, and being quicker to do damage. [15] But it also goes into the fact that we have explored and developed these frameworks, over so many years, and they really do give customers a path forward to make sure they're secure in their environment. And insurance providers expect you to follow the path forward. It isn't such a big unknown to everybody anymore. There are ways to apply process and policy - to make sure that you're mitigating risk. And that's what the insurance providers would like to see.
[34:28] Ronnie Scott, Charter, Chief Technology Officer
Yeah, Krisann. I'd like to hear from you. How important do you feel insurance and cyber insurance is to an organization these days? And is that changing or evolving?
[35:42] Krisann McDonnell, Charter, Security Practice Lead
Cyber insurance is very important. However, it's much harder to be able to transfer risk to an insurance company now, especially after COVID, where cyber insurance has only really been around for a decade. And after, or, with the COVID lockdowns (and there were so many breaches that happened over COVID, that the insurance companies lost the majority of the income that they gained, or the profits that they gained, over the last ten years.) So now, they are offering less coverage now, higher premiums, and they're now being really sticklers as to how they are allowing a policy to move forward. So, for example, they are now auditing, they are sending in people to do posture reviews, they’re sending out RFIs, or a request for information, (which we're seeing a lot in the area of supply-chain breach.) And they are charging more, they’re covering less, and there's a lot more rejected claims now due to, what we call “lack of due diligence and lack of due care.” [16]
So, it's not as easy to get as it used to be. It's challenging now. And with supply-chain breaches, we're seeing a lot of organizations, for example, that insurance companies are forcing organizations to improve their posture by handing, for example, if you are an organization and I just won a big contract then they're saying, “Here is this request for information, tell us about your cybersecurity posture. And we're going to audit you in the next 90 days to make sure that your posture is good. Otherwise, we're just going to cancel your contract with no notice.” Many organizations are seeing that - are seeing that now. Ronnie, are you seeing that, as well?
[38:25] Ronnie Scott, Charter, Chief Technology Officer
Yeah, actually. I’m right in the middle of just upgrading my car. And one of the things that getting into a brand-new car that's got all these features (and it's just a Hyundai, but it’s loaded with all these security features.) And what interests me about that is that the insurance company expects me to behave a certain way. It expects me to do all these things. But I'm really taken that the car comes built-in with all these security solutions so that I don't have a crash in the first place. [17] And I think this aligns with the cybersecurity space, as well.
The cybersecurity companies, we can get upset at them, we can get mad that they keep asking us for more, and that, but they’re actually setting good mindsets and good behaviours in organizations. And if you're not doing that, then there’ll be a point of saying “We’re not going to protect you and give you money because you didn’t do that due diligence.” And just like with my car, I'm hoping to get a car that's going to protect me and stop me from getting into the accident in the first place, rather than having to deal with the insurance company after I had the crash and explain why it was or wasn't my fault – and whose fault it was.
So, I think that cyber insurance is something that's really important. It is getting harder, but it’s also a great opportunity for us to learn from.
[40:25] Krisann McDonnell, Charter, Security Practice Lead
I think it's also, Ronnie, a good opportunity for organizations to take advantage of the market share. The more that we're auditing postures, the more that organizations get their posture together sooner will allow them to compete for larger market share sooner. And I think, you know, this is where cybersecurity can be used as a differentiator, and not just as a cost centre.
[41:26] Ronnie Scott, Charter, Chief Technology Officer
That's a great point. Yeah, that's a very good point, thanks.
[41:32] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator
Krisann, beyond our ability to support a client through a cybersecurity audit, so to speak, whether it's part of its supply chain exercise, what other types of services are in the Charter cybersecurity portfolio?
[41:49] Krisann McDonnell, Charter, Security Practice Lead
Well, actually, we’ve launched a service around doing assessments against a typical RFI, allowing organizations to be able to make that investment to achieve more market share in the industry. [18] So that's something that's becoming very, very popular. It's a hot topic right now at Charter.
[42:16] Josh Patton, Charter, Principal Architect - Security
Yeah, I think to go along with that, you know, there's an interesting part of my finding my security job, [which] is [cybersecurity] taxonomy and making sure that we all speak the same kind of language while we're evaluating different areas of security. [19]
But, like Krisann mentioned, we've got a posture, a maturity assessment that we've launched to work with customers to make sure that we understand what their posture is, how mature their security program is, and how we can help them identify ways to move forward. And that's at a very conversational [level.] We don’t audit you; we don’t put you through a wringer to make sure you're meeting a framework.
On top of that, though, we do offer the services to do full risk assessments and start looking at how to map out your organization to a road map to where you want to have a target maturity level, a target posture that you want to achieve. [20] Whether that's based on your industry, or your obligations to your contract customers or suppliers, there's ways to align that all to a framework, doing the full risk assessment.
I think we've spoken about framework several times so far, and there are many different frameworks out there that we explore, and we rely on. The National Institute of Standards and Technology's NIST has frameworks that are really applicable if you've got any work with the federal government. They are in the United States, but they're very applicable. But it’s how you approach business. So, 800-53 is a special publication about IT security and it gives you a great path forward. To layer on top of that, NIST also has the Cybersecurity Framework, which is how people can look at different areas to identify, and how to move forward and increase their posture. [21] Special Publication 800-52 is specifically about your OT environments and that gives you a framework to move into the OT area. [22] From an IT perspective, there is an ISO 27000 series which covers off IT security. [23] On the flip side, for OT, we can look at ISA 99 [24] or IEC 62443 [25] which is really about how to architect a secure OT environment.
So, there are lots of services with our Governance, Risk Management, and Compliance (GRC) division [26], with Krisann and our Cybersecurity division [27], and beyond all of that, we typically provide, deploy, architect, [and] design many controls for people - whether that's network access control, multi-factor authentication, perimeter security. [28] There are not many areas that we don’t try and explore. We’re here to help customers, where we have experience and knowledge.
[44:42] Ronnie Scott, Charter, Chief Technology Officer
And the last one, I would add to that, is this whole area of visibility. “How do you monitor all these logs and events and so on from all these different systems?” And we've already alluded to it. The idea of being able to have a security operation deemed to 24 hours looking at those events, correlating them, and identifying when something is untoward going on inside your network. And we do have a couple of great offerings around 24 managed security operations centre and solutions [29], which I think provide you that sense of comfort in the middle of the night that someone's watching even when you're not awake to be there.
So, I think that rounds out our portfolio very well, from the architecture and governance, through the deployment, through when we are managing it for you 24/7 when you need it.
[45:41] Krisann McDonnell, Charter, Security Practice Lead
I also wanted to bring up, as well, that we also offer zero-trust architecture reviews, and this is really relevant when we look at the top attack vectors of today. The third one, being cloud misconfiguration. [30] And this is where organizations have quickly moved to the cloud, and in some cases, they’ve had a partner deploy some of those security workloads or they have deployed it themselves, but they haven't had a cloud security expert go through all of those configuration settings with a fine-tooth comb, making sure that there are no holes in your cloud - with being the third-largest attack vector. We’re seeing a lot of cloud misconfiguration and anytime I have brought one of our Charter security experts in, having these discussions about an organization’s cloud, we always find areas of improvement, and it’s one of the ways that you can mitigate your cloud environment. It's a really good way to go about doing that, and mitigating some of the risk, there.
[47:05] Mark George, Charter, Director – Energy, Resources & Industrial Markets, Moderator
Well, I want to thank each of you for sharing the cybersecurity insights with our audience today. If you want to learn more about how cybersecurity underpins all business transformation activities, we invite you to join us at our October roadshow, which we’ve called “A Practical Approach to Business Transformation.” In these events across Canada, we're going to share more business and technical insights plus provide some real-world examples [of] how clients we work with are in the process of transforming their organizations.
We hope today's podcast has been very valuable and we thank you for taking the time to listen to our program.
Sources:
[1] University of North Georgia. (2023). Cybersecurity: A Global Priority and Career Opportunity. University of North Georgia. https://ung.edu/continuing-education/news-and-media/cybersecurity.php
[2] How to enhance the cybersecurity of operational technology environments | McKinsey. (n.d.). Www.mckinsey.com. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/how-to-enhance-the-cybersecurity-of-operational-technology-environments
[3] Cybersecurity Awareness Featuring Jason Maynard - Charter Engage: Know IT. (n.d.). Www.buzzsprout.com. Retrieved October 23, 2023, from https://www.buzzsprout.com/2094661/13767764
[4] Magic Quadrant Research Methodology. (n.d.). Gartner. https://www.gartner.ca/en/methodologies/magic-quadrants-research
[5] Charter - Forward, Together. (n.d.). Www.charter.ca. Retrieved October 23, 2023, from https://www.charter.ca/post/charter-announces-its-latest-podcast-charters-business-transformation-roadshow-a-practical-approach-to-business-transformation
[6] Zetter, K. (2014, August 12). Hacker Lexicon: What Is an Air Gap? Wired. https://www.wired.com/2014/12/hacker-lexicon-air-gap/
[7] NIST. (2019). Cybersecurity Framework. National Institute of Standards and Technology. https://www.nist.gov/cyberframework
[8] ISO. (2022). ISO/IEC 27001 standard – information security management systems. ISO. https://www.iso.org/standard/27001
[9] kfend. (2018, August 3). SysOperation Framework Overview. Learn.microsoft.com. https://learn.microsoft.com/en-us/dynamicsax-2012/developer/sysoperation-framework-overview
[10] Ecosystem. (n.d.). Microsoft Open Source. https://opensource.microsoft.com/ecosystem/
[11] Azure Stack | Microsoft Azure. (n.d.). Azure.microsoft.com. Retrieved October 23, 2023, from https://azure.microsoft.com/en-ca/products/azure-stack
[12] Arctic Wolf. (n.d.). Cybersecurity.arcticwolf.com. Retrieved October 23, 2023, from https://cybersecurity.arcticwolf.com/AW-Endpoint-Security.html?utm_source=Google&utm_medium=CPC&utm_campaign=LP_Demo_EndpointSecurity&utm_content=LP_Demo_Cybersecurity&utm_term=edr&gad=1&gclid=CjwKCAjws9ipBhB1EiwAccEi1COQoms5me0J8anPAcz39z-s9DgAEG1zTzQRuMuO5NmpANDuUWCG5hoCyOsQAvD_BwE
[13] (n.d.). What is an intrusion prevention system? [Review of What is an intrusion prevention system?]. Vmware.com. https://www.vmware.com/ca/topics/glossary/content/intrusion-prevention-system.html
[14] Enterprise Vulnerability Remediation (eVR) Video. (n.d.). Resources.trendmicro.com. Retrieved October 23, 2023, from https://resources.trendmicro.com/Enterprise-Vulnerability-Remediation-Video.html?cm_mmc=XGen-_-Network-Defense-_-Email-_-Go-Beyond-TP:SL:Adhoc:Watch-the-video:CU
[15] Violino, B. (2022, October 11). Rising premiums, more restricted cyber insurance coverage poses big risk for companies. CNBC. https://www.cnbc.com/2022/10/11/companies-are-finding-it-harder-to-get-cyber-insurance-.html
[16] Johansmeyer, T. (2021, January 11). Cybersecurity Insurance Has a Big Problem. Harvard Business Review. https://hbr.org/2021/01/cybersecurity-insurance-has-a-big-problem
[17] Tempe, A. H. (n.d.). Hyundai Forward Collision-Avoidance | AutoNation Hyundai Tempe. Www.autonationhyundaitempe.com. https://www.autonationhyundaitempe.com/research/forward-collision-avoidance.htm
[18] Firewall Security Configuration. (n.d.). Retrieved October 23, 2023, from https://assets-global.website-files.com/5f18befe740a0c2c9494de4c/64bae47881a3919bb9abcd45_Cybersecurity%20and%20GRC%20Consulting%20Services%20-%20At%20a%20Glance.pdf
[19] Cybersecurity Taxonomy | Cybersecurity Atlas. (n.d.). Cybersecurity-Atlas.ec.europa.eu. https://cybersecurity-atlas.ec.europa.eu/cybersecurity-taxonomy
[20] Business Architecture. (n.d.). Www.charter.ca. https://www.charter.ca/advisory-services/business-architecture
[21] NIST Cybersecurity Framework (CSF) Assessment. (n.d.). 360 Advanced. Retrieved October 23, 2023, from https://360advanced.com/our-services/nist-cybersecurity-risk-compliance-assessments/?gclid=CjwKCAjws9ipBhB1EiwAccEi1KsiYYhYQMGVHx42EBHyCSGXfZxs7Znh7GlnRbuu-rFaIblCYLBJjRoCnM4QAvD_BwE
[22] McKay, K., & Cooper, D. (2019, August 29). Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. Csrc.nist.gov. https://csrc.nist.gov/pubs/sp/800/52/r2/final
[23] ISO. (2022). ISO/IEC 27001 standard – information security management systems. ISO. https://www.iso.org/standard/27001
[24] ISA99, Industrial Automation&Control Sys Security- ISA. (n.d.). Isa.org. https://www.isa.org/standards-and-publications/isa-standards/isa-standards-committees/isa99
[25] ISA/IEC 62443 Series of Standards - ISA. (n.d.). Isa.org. https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
[26] Governance, Risk, and Compliance. (n.d.). Www.charter.ca. https://www.charter.ca/advisory-services/governance-risk-and-compliance
[27] Security. (n.d.). Www.charter.ca. Retrieved October 23, 2023, from https://www.charter.ca/advisory-services/security
[28] IT Support Services. (n.d.). Www.charter.ca. Retrieved October 23, 2023, from https://www.charter.ca/services-solutions/support-services
[29] Managed IT Services. (n.d.). Www.charter.ca. Retrieved October 23, 2023, from https://www.charter.ca/services-solutions/managed-services
[30] Wolf, A. (2022, October 24). Biggest Cyber Attack Vectors. Arctic Wolf. https://arcticwolf.com/resources/blog/top-five-cyberattack-vectors/
Presenters: (in order of appearance)
| Mark George, Director - Energy, Resources & Industrial Markets | Mark George is a proven business leader with global experience across multiple industries. He currently serves as the Director – Energy, Resources and Industrial Markets for Charter. Prior to that, he worked for five years as Managing Partner and Founder of EdgeMark Capital and Advisory Services Inc., a capital markets and financial advisory services firm. Mark’s in-depth energy markets experience developed through leadership roles with Environmental Refueling Systems Inc. and with PricewaterhouseCoopers. From 2000 to 2010, he served as the Founder and President of the Cielo group of companies, a fully integrated residential and commercial construction and real estate development company in Arizona. Mark has an intense interest in emerging technologies, having spent 15 years with Nortel, Bay Networks, DEC, and Honeywell in progressive sales, management, and executive roles throughout the Americas and Asia Pacific. Mark proudly serves on the boards of several privately held companies and not-for-profit organizations.
| Ronnie Scott, Chief Technology Officer | Ronnie Scott has over 35 years of broad IT experience, including programming, and network architecture, as well as senior consultative roles for Financial Services, Internet Service Providers, ILEC Carrier Networks, and large enterprise customers across New Zealand, Australia, and Canada. Ronnie is currently the CTO at Charter Telecom Inc, a Value-Added Reseller specializing in IT service delivery. As CTO, Ronnie brings his extensive technological background with a strong Business and Service Delivery lens to Enterprise IT Infrastructure solutions.
| Krisann McDonnell, Security Practice Lead & vCISO | Krisann is Charter's Cyber Security Practice Lead & vCISO and is an ISACA Certified Information Security Manager (CISM), TOGAF Certified Business Architect, and passionate, ethical entrepreneur. As a seasoned executive salesperson turned cybersecurity practice lead, she recognized the importance of cybersecurity in the well-being of companies a decade ago. Since then, she learned that cybersecurity isn't just technology, but people and culture as well. Krisann brings that perspective to every Charter engagement with great success.
| Josh Patton, Principal Architect - Security | Josh Patton is the Principal Security Architect at Charter and brings over 25 years of experience working in Information Security and IT Operations. His experience has been leveraged within several critical accounts and verticals, such as: Healthcare, Financial, Education, Federal, Provincial and Municipal Government, and Energy, Resources and Industrials (ER&I). Other resume highlights include: his significant experience with enterprise network security controls; strong alignment with infosec’s relationship with business objectives and risk management; and extensive involvement in Business Continuity Planning.
About Us:
Charter [https://www.charter.ca/about], an award-winning IT solution and managed services provider, was founded in 1997 in Victoria, BC, Canada. We offer a comprehensive portfolio of innovative IT solutions, managed services, project delivery, and consulting services. Our mission is to align people, process, and technologies to build better organizations, enhance communication, boost operational performance, and modernize businesses. Our team of experts leverages a business architecture methodology and a human-centered design approach to drive successful digital transformations for our clients, unlocking new opportunities, generating value, and promoting growth. We provide knowledge and support that extends beyond our clients’ businesses, empowering them to focus on their core operations. Let Charter help drive your business outcomes Forward, Together.
Questions? Please contact Dawn van Galen at dvangalen@charter.ca or 250-412-2517
© 2023 Charter Telecom Inc. All Rights Reserved.