InterSystems READY 2025: Operationalizing Cyber Security


Ken Mortensen, InterSystems Data Protection Officer, outlined the initiative to operationalize cybersecurity and the privacy council, with Paul Bruce, InterSystems Senior Manager – Cloud Security Operations, focusing on security program development across cloud, product, and incident response. Mortensen and Bruce emphasized a shift towards practical implementation guided by the NIST Cybersecurity Framework and an outcome-based approach, highlighting key aspects like accountability, risk management, and incident response. The two also discussed the importance of internal and external partnerships in security operations to achieve shared outcomes, as well as the efforts to improve incident response capabilities through communication, coordination, and tabletop exercises in both self-hosted and cloud environments.


Cybersecurity Operationalization: Mortensen outlined the initiative to operationalize cybersecurity and the privacy council, with Bruce responsible for security. The aim is to develop a comprehensive program to organize security efforts across the organization, addressing cloud security, product security, and incident response. Mortensen emphasized the need to move cybersecurity from theoretical concepts to practical implementation by establishing a solid foundation.

Governance in Cybersecurity: Mortensen discussed governance in the context of trust, involving risk, reliance, and results. Transparency addresses risk, accountability ensures reliance, and demonstrating the path to desired outcomes addresses results. Mortensen highlighted three key elements for cybersecurity governance: frameworks, defined outcomes, and partnerships across the organization. He referenced a book on cybersecurity governance that described it as empowering, with risk management providing foresight and compliance ensuring accountability.

Key Aspects of Cybersecurity: Mortensen identified accountability frameworks, security decision-making processes, risk management, policies and procedures, and incident response as key aspects of cybersecurity. He stressed that accountability involves following through on commitments and defining roles and responsibilities. Risk management remains central to cybersecurity even though much of the day-to-day work is operational and technological. Policies and procedures are crucial for providing clarity and guidance within the organization. Incident response is a fundamental reason for cybersecurity programs.

NIST Cybersecurity Framework: Mortensen expressed strong support for the NIST Cybersecurity Framework, particularly its latest version (CSF 2.0), for providing a structured approach to cybersecurity programs. The framework is organized into six Functions: Govern, Identify, Protect, Detect, Respond, and Recover. Mortensen clarified that these Functions describe outcomes to be achieved rather than a list of controls to be implemented, contrasting them with more control-based standards. He also noted the integration of the framework with NIST Special Publication 800-61 Revision 3, which now aligns incident response with the framework’s Detect, Respond, and Recover Functions.

Outcomes vs. Controls: Mortensen elaborated on the difference between outcome-based and control-based approaches to cybersecurity. While acknowledging that controls have their place, he argued that an outcome-based approach enables a more robust cybersecurity program tailored to the business’s needs. He used the example of the healthcare industry and HITRUST certification as a very prescriptive, control-defined program. Mortensen emphasized that outcomes allow for flexibility in how the desired results are achieved, supported by governance.

Partnerships in Security Operations: Mortensen and Bruce discussed the importance of partnerships in their approach to security operations, both internally and externally. They aim to position the security organization in a more consultative manner rather than being purely directive. Their model involves a “supported and supporting” concept where both parties work towards shared desired outcomes, with a clear escalation path for conflicts. Mortensen drew a parallel to the National Security Council’s policy coordination to illustrate this concept of balancing different organizational needs to achieve overall objectives.

Improving Incident Response: Bruce highlighted the push to strengthen incident response capabilities, particularly within the service desk, which is often the first point of contact for an incident. He noted that beyond the technical aspects of incident response, effective communication and coordination across different people, departments, and time zones are critical. Preparation through the creation of realistic tabletop exercises is a key part of this effort, focusing on understanding processes and identifying risk ownership before an actual incident occurs.

Tabletop Exercises and Communication: Bruce described their approach to tabletop exercises, emphasizing that the goal is to improve processes and understand communication flows rather than to work through technical details. Each team was allowed to build its own playbook to solve both technical and people-related problems during incidents. A key takeaway from the exercises was the critical importance of communication during an incident, including defining the triggers for escalation and for engaging other teams. The fact that the teams arrived at broadly common playbooks, despite their differences, signals a shared understanding of the incident response process.

Preparation in Different Environments: Bruce addressed the preparation aspects of incident response in both self-hosted and cloud-native environments. In a self-hosted model, the focus is on identifying and resolving issues in place, whereas in a cloud-native model the ability to tear down and redeploy affected infrastructure quickly is a significant advantage. Regardless of the environment, having customer communication plans, adequate and tested data backups, and the ability to restore services efficiently are crucial.

Business Value of Cybersecurity: Mortensen concluded the session by discussing how cybersecurity can provide business value beyond just reducing risk. Achieving relevant certifications can build internal and external confidence. A well-defined incident response capability provides comfort to customers, especially in critical industries. Furthermore, a consultative approach from security can foster better partnerships and enable further business opportunities, with security seen as a valuable advisor rather than an obstacle.
