This CISO Tells His Board: ‘Identity is the New Firewall’
Identity management creates a digital perimeter for a real estate firm whose cybersecurity strategy must encompass a mobile majority of employees.
- With mission-critical apps in the cloud and most employees in the field or at home, identity management and automation became central to this firm’s cybersecurity strategy.
- The ‘identity as firewall’ metaphor struck a chord with senior management and the board.
Every company is different. But even in an age of digital transformation, this global commercial real estate firm might surprise readers with its extreme cloud-first approach to its technology “crown jewels”. Not to mention the epiphany that its chief information security officer (CISO) recently shared: “Identity is the new firewall.”
Even before the pandemic, the CISO told us, one-third or less of the firm’s over 50,000 employees were office regulars. Instead, they worked at client sites, performing a multitude of property management duties; on the road, traveling; from home; or otherwise engaged in the field. Of course, that means they work on laptops, mobile phones, and tablets. And when the board of directors asked about business risk associated with the firm’s mission-critical technology — the systems without which company operations would grind to a halt — it turned out they were all in the cloud. Customer and salesforce management, human resources, office productivity, and even the hundreds of smaller “point” solutions deployed to help the firm provide a wide range of specific services to clients were (and are) nearly all delivered via software-as-a-service (SaaS) accessed through the Internet.
When he arrived at the real estate firm’s U.S. headquarters five years ago, the CISO assessed that landscape of technology-supported business practices and began developing a cybersecurity strategy for protecting the firm. “For such a cloud-first, perimeter-less enterprise, security was not going to be about protecting devices in specific geographic locations, and it wasn’t going to focus on Intrusion Detection Systems [IDS] or Intrusion Prevention Systems [IPS],” the CISO said. “Instead, identity became the key. Today, we tie identities to business processes — and the more risk that is inherent in a particular business process, the more identity authentication firewalls we build in to protect it.”
‘Firewall’ Metaphor Hits Home with the Board
It may seem ironic for such a cloud-first company, but the firm’s identity and access management system was developed in-house because of its crucial role. “I call it identity management and automation, and it has been homegrown from literally the ground up,” said the CISO. And while the system’s intricate rules and controls were developed in collaborations between the CISO’s team and the firm’s business unit leaders, conversations with executive management stayed at a much higher level.
“I told senior management and the board, ‘Identity is the new firewall.’ Because everybody on the board, no matter their level of sophistication, knows what a firewall is — it’s that thing that stops bad things coming in and going out,” said the CISO. And the line struck home, in part, because of the board’s understanding of digital transformation.
“They’re quite aware of how digital transformation has affected us, of course. But maybe even more importantly, they see how it affects our clients and how that has changed what clients ask of us in terms of service delivery,” explained the CISO. “We have one client now where, in order to do the business with them, every person including the janitors are issued cell phones, and there are applications that they have to go into to register certain information.” Janitors use digital sensors or scan codes to record what areas they have cleaned, for example.
Between the proliferation of mobile devices in the hands of workers and the firm’s own cloud-first digital transformation, it was easy for senior managers and the board to see the value of making identity central to the firm’s cybersecurity strategy.
Keep the Board Conversation High Level
The identity example is a perfect illustration of the CISO’s philosophy for board communications. “The board [members] are not the paid experts on cybersecurity, even if some of them have good knowledge,” he said. “I’m paid — and my team is paid — to be the subject matter experts. So, if the board is driving cyber strategy, that means we failed.”
Senior management and the board understand, for example, that multifactor authentication (MFA) and enterprise-wide cybersecurity awareness training are crucial to the “identity as firewall” strategy, but they leave the details to the CISO and his team. Instead, the CISO regularly reports to the board on qualitative and quantitative metrics that demonstrate progress on the strategy. These include quantifying the growing deployment of MFA (which was at zero when the CISO joined) and awareness training completion rates (which have jumped significantly). In addition, he provides the board with information that shows how the firm’s practices align with those recommended by independent third parties, such as cyber insurers and security auditors.
He has this advice for other CISOs who present to their boards: “Above all else, know your audience. Every board and senior management team is different. I worked for a tech company once, and that board’s expectations were very different than the expectations here at a real estate firm. Ask other peers who have presented to the board what works well and get to know how the board wants information presented.” The CISO offered two examples of very different communication preferences he has encountered: Some boards want to be “presented to” with a slide deck, he noted, while others prefer written reports before the meeting followed by question-and-answer style discussions. “If you prep to go in one way and the board is looking for the other, it will not end well,” he warned.
Identity as Firewall, In Practice
The heart of the CISO’s identity-centric cybersecurity strategy is the homegrown identity management system with single sign-on for the wide spectrum of SaaS apps deployed by the firm, including those that support its clients. Automated capabilities trigger many processes, from employee onboarding to termination. When suspicious activity involving a user account is spotted or when certain high-risk actions are initiated, the system will trigger additional identity authentication protocols, often MFA.
But that’s merely the general, high-level description of the system. The CISO emphasizes that his team works closely with the leaders of the firm’s individual business units to customize the system’s behavior in ways that align with the level of business risk each unit faces and/or the particular business process in question. For example, because the firm doesn’t normally handle personally identifiable information (PII) or health data on behalf of clients, information sensitivity isn’t always high. On the flip side, many financial transactions might trigger not only an additional authentication request, but also a verbal confirmation or supervisor approval.
The CISO recalled that in the wake of the recent collapse of Silicon Valley Bank, the firm saw a number of customer requests to change vendors’ bank account information for payment transactions. The firm’s business processes for such changes prevented any action based on emails or even a single verbal confirmation; multiple documents and confirmations were required. “I used to work in banking, and it’s similar to those processes. You'd have somebody who would initiate a wire, and then you'd have somebody entirely different who had to approve the wire,” he said.
He also emphasized the need for organizations to build strong controls into their business processes wherever business risk can be identified. “None of the things that I can do will replace good financial and/or business processes,” he said.
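The risk-tiered, process-aware step-up described above can be made concrete as a small policy engine. The following is an added illustration, not the firm’s homegrown system or any vendor product: the process catalogue, risk tiers, control names and request fields are all hypothetical. It maps each business process to an inherent risk tier, escalates to MFA when the tier or a flagged account warrants it, and, for high-risk financial changes such as a vendor bank-account update or a wire, demands verbal and documentary confirmation plus a second approver who is not the initiator (the maker/checker split the CISO describes from banking).

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Set, Tuple


class Risk(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed catalogue: business process -> inherent risk tier.
# These names are illustrative, not the firm's real process list.
PROCESS_RISK = {
    "cleaning_checkin": Risk.LOW,             # janitor scans a code for a cleaned area
    "update_client_contact": Risk.MEDIUM,
    "change_vendor_bank_account": Risk.HIGH,  # payment-destination change
    "initiate_wire": Risk.HIGH,
}


@dataclass
class Request:
    user: str
    process: str
    mfa_verified: bool = False
    account_flagged: bool = False              # suspicious activity seen on this account
    approver: Optional[str] = None             # second person who approved, if any
    confirmations: FrozenSet[str] = frozenset()  # evidence gathered, e.g. {"verbal", "document"}


def required_controls(req: Request) -> Set[str]:
    """Return the additional 'identity firewalls' this request must pass."""
    # An unregistered process gets the strictest tier rather than slipping through.
    risk = PROCESS_RISK.get(req.process, Risk.HIGH)
    controls: Set[str] = set()
    if risk is not Risk.LOW or req.account_flagged:
        controls.add("mfa")                    # step-up authentication
    if risk is Risk.HIGH:
        # Email alone (or a single phone call) is never sufficient for these.
        controls |= {"verbal_confirmation", "documentary_confirmation", "supervisor_approval"}
    return controls


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Decide whether the request may proceed; return (allowed, list of unmet controls)."""
    needed = required_controls(req)
    missing: List[str] = []
    if "mfa" in needed and not req.mfa_verified:
        missing.append("mfa")
    if "verbal_confirmation" in needed and "verbal" not in req.confirmations:
        missing.append("verbal_confirmation")
    if "documentary_confirmation" in needed and "document" not in req.confirmations:
        missing.append("documentary_confirmation")
    if "supervisor_approval" in needed:
        if req.approver is None:
            missing.append("supervisor_approval")
        elif req.approver == req.user:
            # Separation of duties: the initiator may not approve their own request.
            missing.append("separation_of_duties")
    return (not missing, missing)


if __name__ == "__main__":
    wire = Request(user="alice", process="initiate_wire", mfa_verified=True,
                   confirmations=frozenset({"verbal", "document"}), approver="alice")
    print(evaluate(wire))   # blocked: alice cannot approve her own wire
    wire.approver = "bob"
    print(evaluate(wire))   # allowed once a different approver signs off
```

The useful property for a defender is the default: a process nobody has classified is treated as high risk, so adding a new SaaS workflow never silently weakens the perimeter. Logging the `missing` list alongside the user and process also gives the SOC a clean signal for how often step-up is being triggered and on which accounts.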
The Bottom Line
The CISO’s “identity as firewall” strategy and board communications style have become critical to his firm’s ability to build a cyber-aware culture, which was established as a crucial factor in protecting enterprise businesses by the recent Mimecast survey, “Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk.” In-depth interviews with 78 business and security leaders in 13 countries about perceptions of cyber risk at the C-suite and board level revealed that more leaders are realizing how valuable a culture that prioritizes cybersecurity is to long-term safety.