Every organization is at risk of a cyberattack, but each organization addresses risk differently. No one expects SMBs to take the same approach to cybersecurity as a large enterprise, or a legacy organization to have the same appetite for risk as a startup. Similarly, how an organization defends itself from attack depends on various factors, including its size, type of industry, supply chain resources, approach to outsourcing and remote work, and global presence.
Security leaders from three very different industries sat down with Dark Reading to discuss their respective cybersecurity programs.
John McClure is the CISO at Sinclair Broadcast, a major news and sports broadcasting provider in the United States, with nearly 200 television stations, streaming and digital platforms, and close to two dozen sportscasts. McClure says that while Sinclair faces many of the same cybersecurity threats that any organization faces, it is also considered part of the critical infrastructure because it carries emergency broadcast signals. One of the challenges that McClure has seen over the past five years is the disappearance of network borders and the need to find ways to protect the network as the way people work continues to change.
Doug Shepherd is the senior director of the offensive security services team at Jones Lang LaSalle (JLL), a worldwide commercial real estate company with 90,000 employees in more than 60 countries. For a long time, JLL was more of a brand than a company, Shepherd explains, but in recent years, it has become more cohesive and now works together under the JLL model. The company's cybersecurity concerns revolve around integrating all the different office networks into a unified model and consolidating individual security practices into one companywide policy, he says.
Luis Cunha is the director of security engineering at Aptiv, an automotive technology company with 170,000 employees in 165 manufacturing plants around the world. Operational technology security is as important to Aptiv as information technology, with endpoint security across all technologies a major concern, Cunha says.
Size of Security Team
There is no "right" size when it comes to the security team. Some organizations have large teams, and others partner with third-party providers to offset small teams. That difference is very clear at Sinclair, JLL, and Aptiv.
When Shepherd first came to JLL, most security was outsourced, but now there are 100 people on the security team, he says. However, Shepherd believes the team is a little undersized considering the size of the company.
Outsourcing in such a distributed company meant that each office was setting its own policies. JLL's focus on unifying security is driving its decision to move away from outsourcing. The goal is to reduce its reliance on outsourcing and eventually bring in contractors who work directly with the security staff, Shepherd says.
Sinclair's McClure didn't provide exact numbers; he says only that his security team meets the industry average. At Sinclair, security is handled both in-house and through outsourcing. Sinclair relies on outsourcing for skills that are difficult to recruit and retain in-house, such as threat hunting, McClure says.
And then there is Aptiv, with 35 people on its security team — up from five on the engineering team a year ago, according to Cunha. Cunha thinks Aptiv has outsourced too much, which has an impact on the organization's agility and flexibility. When you outsource, you lose the ability to change and react to security problems quickly, he says.
Investing in Security Tech
What kind of security technologies an organization invests in depends on factors such as regulatory and compliance requirements, the type of threats the organization sees, and its technology stack. As organizations move more of their operations to the cloud, they are investing in cloud security. With the shift to distributed computing, identity becomes an even more critical area of focus.
McClure says Sinclair is investing in a number of technologies, including endpoint detection and response (EDR), extended detection and response (XDR), and endpoint security, with an emphasis on identity and cloud security.
The broadcasting provider is also relying on automation to support the volume and velocity of data that is driven across its networks, says McClure. While some of the automation capabilities are native to the technology in use, the company also utilizes security orchestration, automation, and response (SOAR) technologies across multiple platforms.
In contrast, automation is in its "very early days" for JLL, Shepherd says, as the organization moves away from outsourcing to in-house security. The company is focusing on endpoint and cloud security, and that is also where the focus is for automation. Shepherd is designing automation that pulls data from every endpoint every 15 minutes to look for indicators of risk in real time.
In the past, security was siloed at Jones Lang LaSalle, so the current focus is to set up technology that will allow the security team to have better visibility into the whole environment, Shepherd says.
Aptiv's focus is a little different, as the company is looking to adopt technology that brings more security efficiency and quality, with a greater focus on secure access service edge (SASE), Cunha says. Aptiv also invests in operational technology security for its manufacturing plants. There are a lot of different vendors for both types of security, and a goal for Cunha is better consolidation of technology and vendor solutions. Orchestration and automation tools play a very important role in integrating security tools.
Road to Data-Driven Security
As far as Aptiv's Cunha is concerned, you can't have orchestration and automation without solid data analytics. Engineering teams use data analytics to improve security tools, Cunha says, bringing search capabilities to the SOC. Cunha's team performs its own data analytics rather than relying on a platform.
Like automation, data analytics is still in the early stages at JLL, but the data is still useful, Shepherd says. JLL uses analytics to help determine what’s happening on the perimeter, he says.
At Sinclair, data analytics is used for control coverage and control efficiency, as it helps the company understand the business and the assets that need to be protected, McClure says.
Biggest Security Concerns
Ransomware is the threat that keeps Shepherd up at night. It is the biggest concern for JLL because of how it disrupts business operations, he says.
At Aptiv, Cunha's worries center on threats that impact data liability and organizational reputation, he says. While phishing is a common attack vector, Cunha also has to contend with lesser-known threats against operational technologies.
For McClure, ransomware and cybercrime are the biggest concerns, but he points out that cyber threats have not become more sophisticated. Instead, he thinks the barrier to entry for attackers has gotten lower, which is why there are more attacks. The attack vectors themselves, he says, haven't changed much over the years, and cybercriminals are using the same methods to get into the system.
The volume of attacks is the greater challenge for organizations, McClure says, not increased sophistication in attacks.