
ADP CISO Offers Tips to Leverage Security to Grow the Business

Savvy CISOs would do their companies a favor by broadly integrating security across the organization, a move that can yield greater revenues, cost savings and an entry into new markets.

When Roland Cloutier joined ADP seven years ago to focus on operational risk, he was tasked with helping the business outsourcing solutions and payroll giant adopt a security-first mindset that would ultimately yield cost savings, new markets and revenue.

"I was brought in to specifically do this and [ADP] was ready to accept change to do it," says Cloutier, senior vice president and global chief security officer at ADP.

Some of the steps Cloutier took included having senior-level practitioners placed in a group called the client security management officers (CSMOs), whose full-time job focused on quickly and accurately answering security questions raised by customers and potential clients about ADP's protection of their data and funds.

"Why that is important is because this is not sales people answering security questionnaires, nor is it people in marketing. It's a group of people who have access to the entire portfolio of our security program and can translate that to clients, give clients reports on our critical response center and be on the front end of sales opportunities with answers to security upfront," Cloutier says.

He added that security can be an enabler for the sales team to close deals, because contract negotiations often hit a snag when no one has explained security to the customer.

[Cloutier will be speaking about Managing Risks to Reap Rewards: How to Use Security as a Growth Advantage during Interop ITX, May 15-19, at the MGM Grand in Las Vegas.]

Another step Cloutier took was changing when a security engineer is brought into the software development life cycle. Previously, a product was developed, then handed to the security engineer for evaluation, only to be returned to developers for retooling before it was released to market. Security engineers are now embedded in the development and quality assurance teams, which Cloutier says speeds time to market.

More Tricks of the Trade

Cloutier also scored cost savings by reducing his customers' password resets by 68% over an 18-month period. Applying a business process overview, he evaluated where password resets were frequently occurring and used security automation for password resets in those areas.

"Imagine hundreds and thousands and thousands of calls that come into our call centers from around the globe for password resets," Cloutier says. "This takes our experienced human capital management client service representatives [out of the loop] to reset passwords."

Another customer service issue he tackled with a business process approach was cutting the response time on security questions to within 24 hours, compared with the previous four to six weeks.

Transition Challenges

Although Cloutier has succeeded in integrating security across ADP's businesses, he notes that some CISOs may find the move challenging.

"Security is often seen as a component of IT and there are still many companies where their security executives may not be security executives," Cloutier notes. "They may have security leaders in the company, but they don't have access to the C-suite to be able to drive those conversations."

He added that security budgets are often designed for defensive cyber operations and allocated only to manage, maintain and use technology to defend the environment, rather than to fund research and development or go-to-market operations.

Until security leaders gain that access and budget, it is difficult for companies to make security part of their digital go-to-market strategy and sales opportunity, Cloutier says. For instance, he holds three client advisory board meetings a year, and ADP's global sales organization pays for them. Cloutier also runs an organization fully focused on protecting ADP's marketplace, and the company's chief strategy office pays that organization's costs.

"There are some responsibilities across the business that understand that security is a lever, as well as … a component of their cost of goods sold," Cloutier says.

Risky Business

When it comes to operational risk management, Cloutier defines it as the ability to understand the issues that can potentially impact ADP's business, its shareholders and its clients, and then make informed, context-based decisions to reduce the risk to acceptable levels.

The company's ecosystem of risk programs begins with its enterprise risk management organization, a centralized program looking across 12 dynamic areas of risk, such as financial risk, legal risk, regulatory risk, IT risk, strategy risk and others.

"ADP is extremely formulized in how they think about risk and develop programs to test and remediate," Cloutier says, adding that it relies on a quantitative risk model called Factor Analysis of Information Risk (FAIR) to measure market risk and understand the data thresholds. He says FAIR gives him a consistent, measured approach to evaluating risks across all of ADP's businesses, factoring in the company's diversified market segments from human capital management platforms to technologies and services, and provides the means to look at each of these segments independently.

He believes other large, mature multinational corporations are also taking a similar approach to risk management and shifting away from a knee-jerk reaction to high-profile security breaches.

"Organizations have been able to look [at] their operations and critical assets and take more of a business operations protection approach, rather than a straight-line cybersecurity approach or a straight-line risk management approach," Cloutier says. "They look at the operating process, their operating platforms, risks and issues and vulnerabilities associated with those and then measure them accordingly to make very informed decisions. So, I truly believe mature businesses are migrating away from that knee-jerk approach."

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...