National Cybersecurity Awareness Month (NCSAM) may have come to an end, but that doesn’t mean the conversations about education, best practices, and innovation have to. Recently, the team at GovDataDownload spoke with Phillip J. Ferraro, NetApp’s Global CISO, about the responsibilities of a CISO, how the role has evolved, and the part CISOs play in cybersecurity across their companies. A CISO is often responsible both for creating a productive cybersecurity culture and for protecting against cyber threats, and this is not an easy task. Phil shared his thoughts on the current cybersecurity landscape as well as how a CISO can build a stronger cybersecurity environment within their organization.
What is the current threat landscape?
Phillip Ferraro: The biggest change I’ve seen over the years is the disappearing enterprise perimeter. In the past, we’d build big walls around our environment. You could lock down systems and harden them to keep bad actors out. Today, the landscape has changed. Enterprises manage data in the cloud now, and on-premises, or have a hybrid model, and are allowing access from all types of mobile devices. There is no longer a clearly defined enterprise perimeter to secure.
How do you protect your organization and its data when there isn’t a clearly defined perimeter?
Ferraro: This is the biggest challenge that organizations face today and there isn’t a clearly defined solution. Regardless of the type of organization – from Fortune 500, to SMB, to public sector – you have to take a multi-layer approach to enterprise security today. We used to call it “defense in-depth” and that is still applicable today. Security at your endpoint is one of the main attack vectors to defend against. With a proliferation of the access points on the network, organizations must have a holistic view.
Organizations need to know what’s on the network, what is moving laterally across the network, what is extending out in the cloud, how it is accessed and then protect the data, wherever it resides. It requires strict access controls and authentication to access data – even if it’s internal. In fact, even in our own organization, where we work with healthcare and public sector customers, there are very strict controls in place to access data for our own employees. We require multi-factor authentication and role-based access controls to ensure security for all employees accessing our network. Even with a holistic, multi-layered defense strategy with all these controls in place, risk of cyber threats still exists.
Organizations must prepare for the unknown threat. A very strong incident detection and response capability is critical for zero-day threats and anomalies. There are always new attack vectors. Quick response is required when a new attack is detected. The faster you can detect and respond, the faster you can contain and mitigate the incident before it becomes something significant.
As a CISO of a Global Fortune 500 company, what keeps you up at night?
Ferraro: All CISOs worry about getting breached, but as an organization that hosts public and customer data, that worry of exposing sensitive data of customers and employees keeps me up at night. If personal and sensitive customer data were to be stolen, we recognize this could create significant repercussions from class-action lawsuits, to a negative brand image and shareholder value implications.
To reduce this risk, here at NetApp, we go through extraordinary measures to protect our customers’ data. We do a lot of business with the public sector and we are responsible for the security of that data. So, we take extra measures to keep the data safe and protect information. Among the many controls we implement, a couple of these include role-based access controls to the data, as well as encrypting the data at rest and in transit. We ensure we are in compliance with NIST and other government standards and regulations.
As an organization that develops data management solutions, how do you ensure security stays top of mind?
Ferraro: Security is a key aspect for all of NetApp. It is built into our culture. From the Board of Directors, to the CEO and C-suite, and for each of our business leaders, security is a priority for our organization from the top down.
We take a three-pronged approach to security:
The first prong is enterprise security. This is how we secure our entire organization, which includes all the tools and policies across the global enterprise. We’ve built a robust, layered security program that covers all areas from secure endpoints, networks, gateways, and cloud. Our focus is on protecting our IP and ensuring proper access controls, monitoring, and detection and response capabilities are in place. In addition to providing the right set of tools, this focus includes programs that create and reinforce a culture of cybersecurity awareness with every employee around the world. These programs include global training and events where employees are encouraged to share the responsibility of defending NetApp.
The second prong is engineering security. We focus on our technology development and engineering. We’ve implemented a secure development life cycle. It is how we secure the processes and the workflow and the data itself. It provides our engineers and developers with secure development environments.
The third prong is product security. Our products go through stringent security testing from the code, to the hardware components, to going through rigorous certifications. There are several processes that we go through to ensure the security of our solutions, including ISO 27001 certification.
We drink our own champagne here at NetApp, as we are customer number one. We use our own products internally and have great use cases on how our own solutions have helped our organization.
How do you share the responsibility of security within your workforce?
Ferraro: At NetApp, to build and reinforce a culture of cybersecurity, our key message designed to encourage employee awareness is “Cybersecurity Is Everyone’s Responsibility.” As part of our robust program for employee cybersecurity awareness, we send out regular updates to the entire workforce – from full-time to part-time employees and consultants – to educate them on the latest threats.
To bring the reality of threats into our employee awareness program, we share the types of real attacks that have been attempted on our network. It is important that our employees and customers don’t think of attacks as theoretical. We ensure employees know some of the kinds of attacks that have been attempted and how we prevented these attacks from being successful. These real-world scenarios are important, so we also create monthly phishing tests that are sent to employees. Some of our phishing email tests are very sophisticated, because it’s important that employees get practice and think about security even during their day-to-day activities.
During October, our team hosts a Hacktoberfest program for employee awareness and education on cyber risk across the organization. We travel to select global offices and hold an event with employees to educate them on cybersecurity, and we open the dialogue with them to ensure they understand their role in protecting NetApp. But security awareness is an ongoing effort. Outside of these special events this month, I partner with our Global CIO for regular Town Hall meetings around the world. We talk to employees about what we are doing in IT to support the business and hold Q&A sessions to give employees a chance to ask questions.
The employee feedback we have received from these ongoing awareness efforts is fantastic. When employees see C-level executives on the road to conduct these discussions, they understand that we see the importance of security at the core of what we do. It also empowers our employees to engage, to join the conversation, and take an active part in creating our culture of security.