

ADP CISO Offers Tips to Leverage Security to Grow the Business

Savvy CISOs would do their companies a favor by broadly integrating security across the organization, a move that can yield greater revenues, cost savings and an entry into new markets.

When Roland Cloutier joined ADP seven years ago to focus on operational risk, he was tasked with helping the business-outsourcing and payroll giant adopt a security-first mindset, one that would ultimately yield cost savings, new markets and revenue.

"I was brought in to specifically do this and [ADP] was ready to accept change to do it," says Cloutier, senior vice president and global chief security officer at ADP.

One of the steps Cloutier took was to place senior-level practitioners in a group called the client security management officers (CSMOs), whose full-time job is to answer, quickly and accurately, the security questions customers and prospective clients raise about how ADP protects their data and funds.

"Why that is important is because this is not sales people answering security questionnaires, nor is it people in marketing. It's a group of people who have access to the entire portfolio of our security program and can translate that to clients, give clients reports on our critical response center and be on the front end of sales opportunities with answers to security upfront," Cloutier says.

He added that security can be an enabler that helps the sales team close deals, because contract negotiations often stall simply because no one has ever explained security to the customer.

[Cloutier will be speaking about Managing Risks to Reap Rewards: How to Use Security as a Growth Advantage during Interop ITX, May 15-19, at the MGM Grand in Las Vegas.]

Another step Cloutier took was to change when a security engineer enters the software development life cycle. Previously, a product was built, then handed to a security engineer for evaluation, then returned to the developers for rework before it could be released to market. Security engineers are now embedded in the development teams and in the quality assurance teams, which Cloutier says speeds time to market.

More Tricks of the Trade

Cloutier also scored cost savings by reducing his customers' password resets by 68% over an 18-month period. Taking a business-process view, he evaluated where password resets were occurring most frequently and automated the reset workflow in those areas.

"Imagine hundreds and thousands and thousands of calls that come into our call centers from around the globe for password resets," Cloutier says. "This takes our experienced human capital management client service representatives [out of the loop] to reset passwords."

Another customer service issue he tackled with the same business-process approach was response time on security questions, now cut to within 24 hours from the previous four to six weeks.

Transition Challenges

Although Cloutier has had success integrating security across ADP's businesses, he notes that some CISOs may find the move challenging.

"Security is often seen as a component of IT and there are still many companies where their security executives may not be security executives," Cloutier notes. "They may have security leaders in the company, but they don't have access to the C-suite to be able to drive those conversations."

He added that security budgets are often structured around defensive cyber operations, funding only the management, maintenance and use of technology to defend the environment, rather than research and development or go-to-market work.

Until that changes, Cloutier says, it is difficult for companies to make security part of their digital go-to-market strategy and sales opportunity. At ADP the funding follows the business value: he runs three client advisory board meetings a year, paid for by ADP's global sales organization, and he leads an organization fully focused on protecting ADP's marketplace whose costs are covered by the company's chief strategy office.

"There are some responsibilities across the business that understand that security is a lever, as well as … a component of their cost of goods sold," Cloutier says.

Risky Business

When it comes to operational risk management, Cloutier defines it as the ability to understand the issues that could affect ADP's business, its shareholders and its clients, and then to make informed, context-based decisions that reduce the risk to acceptable levels.

The company's ecosystem of risk programs begins with its enterprise risk management organization, a centralized program that looks across 12 dynamic areas of risk, such as financial, legal, regulatory, IT and strategy risk.

"ADP is extremely formulized in how they think about risk and develop programs to test and remediate," Cloutier says, adding that it relies on a quantitative risk-analysis framework, Factor Analysis of Information Risk (FAIR), to measure market risk and understand the data thresholds. He says FAIR gives him a consistent and measured approach to evaluating risk across all of ADP's businesses, which span diversified market segments from human capital management platforms to technologies and services, and lets him look at each of those segments independently.
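What makes FAIR a "consistent and measured" yardstick is that every scenario is reduced to the same small set of factors, estimated as calibrated ranges and multiplied out into an annualized loss figure. The following is an added worked example of that decomposition, written for this page; it is not ADP's model or code, the two scenarios and every range in them are constructed for illustration, and the triangular sampling is a simplification of the PERT/beta distributions FAIR tooling normally uses.

```python
"""FAIR-style risk quantification (added example; not ADP's model).

Factor Analysis of Information Risk (FAIR) decomposes a risk scenario as:

    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
    Loss Magnitude (LM)        = Primary Loss + Secondary Loss
    Annualized Loss Exposure   = LEF x LM

Each factor is a calibrated estimate (low, most likely, high). Sampling the
factors and multiplying them out gives a loss distribution per scenario, so
scenarios from different business segments can be compared on one scale.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate for one FAIR factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution stands in for the PERT/beta distributions
        # FAIR tooling typically uses (assumption made for this example).
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # P(threat event becomes a loss event), 0..1
    primary_loss: Estimate    # direct cost per loss event (response, replacement)
    secondary_loss: Estimate  # stakeholder-driven cost per event (fines, churn)

    def loss_magnitude(self, rng: random.Random) -> float:
        return self.primary_loss.sample(rng) + self.secondary_loss.sample(rng)


def point_estimate(s: Scenario) -> float:
    """Most-likely annualized loss exposure: LEF x LM using the 'likely' values."""
    lef = s.tef.likely * s.vulnerability.likely
    return lef * (s.primary_loss.likely + s.secondary_loss.likely)


def simulate(s: Scenario, iterations: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo the FAIR factors and summarize annualized loss exposure."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
        losses.append(lef * s.loss_magnitude(rng))
    losses.sort()

    def percentile(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "mean": statistics.fmean(losses),
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "max": losses[-1],
    }


def rank_by_expected_loss(scenarios, **kwargs) -> list:
    """Scenario names ordered by mean annualized loss, highest first."""
    ordered = sorted(scenarios, key=lambda s: simulate(s, **kwargs)["mean"], reverse=True)
    return [s.name for s in ordered]


# Constructed scenarios for illustration; the ranges are invented, not ADP data.
SCENARIOS = [
    Scenario(
        name="Call-center social engineering of a client password reset",
        tef=Estimate(20, 60, 150),
        vulnerability=Estimate(0.02, 0.05, 0.15),
        primary_loss=Estimate(2_000, 10_000, 50_000),
        secondary_loss=Estimate(0, 20_000, 200_000),
    ),
    Scenario(
        name="Compromise of a payroll platform admin account",
        tef=Estimate(2, 5, 12),
        vulnerability=Estimate(0.30, 0.50, 0.80),
        primary_loss=Estimate(50_000, 200_000, 1_000_000),
        secondary_loss=Estimate(0, 100_000, 2_000_000),
    ),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        r = simulate(s)
        print(f"{s.name}\n  most-likely ALE ${point_estimate(s):,.0f}; "
              f"mean ${r['mean']:,.0f}, p50 ${r['p50']:,.0f}, p90 ${r['p90']:,.0f}")
    print("Priority:", rank_by_expected_loss(SCENARIOS))
```

The point estimate is what a single "likely" number per factor would give you; the simulation shows why that number alone misleads, since the right tail (p90, max) of a low-frequency, high-magnitude scenario dwarfs its most-likely value. Ranking by the simulated mean, rather than by gut feel after a headline breach, is the measured alternative to the knee-jerk reaction the article goes on to describe.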

He believes other large, mature multinational corporations are also taking a similar approach to risk management and shifting away from a knee-jerk reaction to high-profile security breaches.

"Organizations have been able to look [at] their operations and critical assets and take more of a business operations protection approach, rather than a straight-line cybersecurity approach or a straight-line risk management approach," Cloutier says. "They look at the operating process, their operating platforms, risks and issues and vulnerabilities associated with those and then measure them accordingly to make very informed decisions. So, I truly believe mature businesses are migrating away from that knee-jerk approach." 


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...