Cybersecurity and zero trust solutions in an agile world
DIGITAL REPORT 2021
TERANET
teranet.ca
Creating a secure IT network that enables remote workers to operate with confidence is essential, says Brenda McCulloch, CISO of Teranet
“I have enjoyed working from home,” says Brenda McCulloch, Chief Information Security Officer (CISO) at Teranet, as we chat over Zoom on a Friday afternoon. “I’ve discovered lots of local walking routes that I didn’t know existed before the pandemic. I’ve even taken up skiing, something I wouldn’t have considered before.”

The world has changed, she acknowledges, and some of it has been for the better. Her area of expertise, high-level cybersecurity, has definitely faced its challenges of late, though. The pandemic and the resulting increased digitisation of companies have unleashed a tidal wave of malware and ransomware cyberattacks across all industries globally. Companies that hold sensitive information have been especially vulnerable to attack. And for many, 2020 resulted in the worst hacking and breach incidents on record.

McCulloch is responsible for the cyber fortification at Teranet, Canada's leader in the delivery and transformation of registry solutions, data and analytics, and platform modernization. As a provider of extensive expertise in land and commercial registries, data, and the protection of it, is paramount to its success. But her 20-year career in the IT industry now stands her in good stead, and she believes an organized team, careful prep work, and properly allocated expertise and resources are the keys to making sure companies maintain their security correctly in these challenging times.
Brenda McCulloch CISO, Teranet
“It’s always about balance,” she says, with a hint of zen. “Ultimately, it’s risk versus reward. What you want to achieve out of a security programme and what you want to invest, versus what kind of exposures and risks that organization faces.”

As a self-confessed computer nerd, McCulloch has been immersed in the industry since an IT module caught her attention at university. Following a 16-month internship at IBM, where she says she learned “an immense amount”, her love for the IT industry was cemented, and McCulloch enjoyed a number of high-flying roles.

“My past roles include positions where I was internally facing and externally facing, so I have consulting experience as well as building an in-house security practice from scratch.

“From those two experiences and perspectives, I have built a very balanced view of different ways to deliver a security protocol to different companies.

“So, I bring that balanced view to Teranet, and I work in tandem very closely with the executives on that.”

Corporate cybersecurity post-pandemic

McCulloch has the onerous task of making sure Teranet utilises cutting-edge technology to maintain its robust and agile architecture against cyber threats - a challenge that she relishes. As part of her role, she has built a security practice programme and team and also works on Teranet’s identity and access management multi-factor programme. She also oversees the security posture enhancing initiatives, including the zero trust model development.

“The past 12 months have been an eye-opener for companies globally in terms of cyber awareness and breaches. Although, we keep saying this annually, to be honest with you,” she says.
“Richter helped us identify where we sat, as well as where we needed to go”
BRENDA MCCULLOCH CISO, TERANET

Digital transformation

The rush towards digital transformation has been instrumental, McCulloch says, in opening up companies to cyberattacks: whole populations have shifted to online operations, and that is causing a massive vulnerability.

“Last year, there were more vulnerabilities reported than in any other year,” she says. “People are online more than ever before, and there are so many more digitized services. Even our kids are online. Literally, everyone is online. That inherently will have risks associated with it.

“But I agree that cyberattacks do continuously get more sophisticated and advanced. Teranet understands that, and in order to stay current, we have to continuously invest in our security and that our practice can't stagnate.”

Ultimately, it's not the high-flying, glamorous side of being a tech genius that’s going to prevent a company from data haemorrhaging in an attack, says McCulloch, but the meat and potatoes of the job.

“We know that security hygiene, as well as operations, are not exciting. But they are very important. Because of competing new initiatives, we know that we have to inject additional resources to support them and not rely on repurposing existing resources that are dedicated to the hygiene of the operational activity.”

EXECUTIVE BIO
BRENDA MCCULLOCH
TITLE: CISO
INDUSTRY: INFORMATION TECHNOLOGY & SERVICES
LOCATION: CANADA

Brenda McCulloch is a proven security professional with over 20 years of experience and is the CISO of Teranet. Under her thoughtful leadership, Teranet has undergone an ambitious modernization of its security program. In a short period of time, she expanded Teranet’s security practice and capabilities, led critical security initiatives and programs to fruition, and effectively led the integration of new solutions and processes. Brenda has a demonstrable track record in delivering forward-thinking security strategy and programs in her previous roles as the Director of Information Security at IIROC and Senior Manager at Deloitte. Brenda is an alumna of the University of Toronto and holds various leadership and security certifications.
Next Level Threat Risk Assessment: Richter’s Holistic Approach
Challenge
For business owners, leaders and executives, understanding the impact of cyber risks to their organizations can be a challenge. Highly technical security reports often do not provide a risk-oriented, universal view inclusive of financial and business impacts and make it difficult to understand the full scope of the threats to an organization. Business leaders need a holistic view of their cyber risk through a threat risk assessment (TRA) that considers governance, culture, threat profile and risk appetite.
Key Benefits

• Risk scenarios provide a bridge between technical controls and business operations with qualitative and quantitative measurements that are understandable and actionable.
• Practical recommendations are scaled to the size, complexity and capability of your organization.
• Execution is led by highly experienced practitioners with technical and business proficiency.

Solution

Richter’s Next Level TRA report is a holistic, customized and scalable threat risk assessment that has been adapted for business from the Harmonized Threat Risk Assessment (HTRA) methodology. Richter’s Next Level TRA adaptations leverage the structure and consistency of the HTRA and layer on a business view. We replace the traditional complexity of a TRA to make it simple and consistent with value-added insights.
RICHTER.CA
Creating value and security, every step of the way.
“We know that security hygiene, as well as operations, are not exciting. But they are very important”
BRENDA MCCULLOCH CISO, TERANET
McCulloch says that very often, the way companies maintain their hygiene routines on a day-to-day basis is the cause of unexpected hacks. “I think many of the root causes of many breaches were because of persistent vulnerabilities, phished users, excessive privileges, etc.

“I think it's really important that when you augment new initiatives, that you also augment the resources at the same time,” she says.

Cybersecurity and the cloud

The shift to cloud-based systems has been massively instrumental in creating greater vulnerabilities, points out McCulloch, and mainly, this has been caused by limited security resources. She explains, “One of the challenges has been the movement to the cloud and the augmentation of security resources to support them, both on premise infrastructure as well as cloud services.

“Most organizations have limited security resources, so during the transition phase, the augmented resources and skills required to support the paradigm shift is always challenging - especially if you look at other initiatives that you want to accomplish at the same time.”

Ensuring that an organization remains abreast of novel cyber threats is a constant challenge, and one that can only be met when cybersecurity is considered a top priority. And at Teranet, this mentality is evident. “At Teranet, we have very strong executive support, and we meet regularly to discuss our posture as well as challenges that the security office faces,” McCulloch says.

Richter partnership and security

The strategic partnership with Richter has also been highly instrumental in maintaining a secure footprint for the company. McCulloch says Richter entered the security journey “very early”; it was this long-term partnership that has helped in Teranet’s cybersecurity strengthening process. “They were engaged [in providing] a security maturity and threat risk assessment because of the security programme.” McCulloch says it’s essential to know precisely where companies sit in maturity in order to know what needs to be achieved.
“At the same time, Richter helped us based on what our client’s risk trauma level was. We needed to come up with an end game.”

She continues, “Richter helped us identify where we sat, as well as where we needed to go - and ultimately, that kind of risk assessment and maturity assessment has given us a view that we can execute on.

“It wasn’t a one-time thing for us. After we brought in Richter, we consistently looked back at this report and ensured that we were progressing against it. So it was a living document. It wasn’t a document we parked; the assessment helped us execute with a roadmap and a plan.”

McCulloch says the Teranet team still relies on their strategic partnership with Richter to maintain thorough assessments of their security as they evolve. “We bring Richter back as changes within the business happen, for example, M&A, to make sure our threat risk assessment is updated. It's definitely a partnership between Richter and Teranet.”

“In the last year, we saw more advanced supply chain attacks, ransomware attacks and vulnerabilities than we’ve ever seen before”
BRENDA MCCULLOCH CISO, TERANET

Zero Trust modelling in cybersecurity

Teranet is in the process of moving over to a zero-trust model in terms of its security architecture. This multi-layered solution, which prevents and slows down the damage that can be wrought in a major breach, has been instrumental in fortifying the company’s cyber strategy. McCulloch uses an analogy to describe exactly how the architecture works.

“So, in terms of a home, you’ve got the doors to your house and there are keys to the door. In a traditional security model, you protect the doors of the home. You lock the doors to ensure no security breach occurs. You use a strong lock and you make sure only certain people have keys to the lock.”

She continues, “Zero trust is different from that model because even if I have a key to the home and I live in the house, it doesn’t mean that I have access to every single drawer and cabinet in the house.

“But, if I live in a room in the house, I also have the key to my room door, and if I share a room with someone else, then I get only the keys to the areas and cupboards that I am allowed access to.

“We might both have keys to the closet, but I have access to the left drawers and my husband would have keys to the right drawers.

“It’s essentially a multi-layer security architecture. And that means if you have a breach at the front door, it doesn’t put the jewels in the closet at risk right away. Hackers will have to work harder to get to it. There are barriers to other controls to get to the more sensitive data.”
ID cybersecurity solutions

As well as the zero-trust security architecture, Teranet has adopted and is also developing a number of ID gateways via its access management multi-factor programme. This means authentication, especially for sensitive data, requires several steps before access is provided.

“For privileged accounts, authentication to sensitive data, systems and apps should be more than just passwords,” says McCulloch. “The difficulty in today’s landscape is that many providers are getting breached and hackers can stealthily steal a database of usernames and passwords which go on sale on the black market. This means the user is not the only person to have access to that account.”

She continues, “At Teranet we use more than one factor to authenticate our users for when they want to access sensitive data or systems or applications to our cloud single sign-on or VPN.” The authentication factors used by Teranet include the password, tokens on mobile phones and devices. The company is also exploring other types of authentication - such as biometrics.

Security practice programmes

As part of her work at Teranet, McCulloch has also been instrumental in building a security practice programme and team. The challenges involved in such a project often hinge on resources and executive-level approval.

“You’ve got to make sure the executives at the organization are mindful of the endgame - because the endgame is where they believe that investment must go - and a lot of the time the endgame is where the risk appetite ends.”

Ultimately, says McCulloch, if companies have low investment but high-risk weakness items, that's something they should definitely address. She says that executives have to be very aware of these programmes because there are so many non-security initiatives that are competing with the security initiative. She says companies should also prioritise the roadmap to decipher which initiatives are more important in terms of security and that building an expert and responsive team is part of the challenge.

“I am extremely picky when selecting team members since we can only hire a certain number of security resources. We also want to ensure that each of the resources is able to deliver certain parts of the programme.”

Looking at the whole skillset, and not just the technical expertise, is the main hiring practice for McCulloch. She explains, “A lot of people in the industry look at technical skills in terms of hiring. But I also look at soft skills because those are the ones that are more difficult to teach.

“The way a team interacts and communicates with each other, that’s extremely important because if you have too many casualties along the way you are not going to be able to do another initiative down the road. We want to make sure when we hire someone it’s for the long haul for sure.”

She adds that authenticity is a critical element required of every team member. “Lastly, once we bring on team members, we’re very considerate of their desires. We like to make sure that team members can bring their whole self and true self to work.”

Year founded: 1991
Industry: IT & Services
Headquarters: Canada

Security post-covid

McCulloch believes the hybrid working model is the answer to the bigger question regarding work/life balance, but with it comes additional risk. Things are different now, she acknowledges, and companies need to move with the times and minimise their vulnerability footprints. For businesses to operate in today's landscape, they need to be able to connect with others and transmit data.

“It’s part of our core business to enable customers to access the data and applications they need,” she says. “That comes with cyber risk so we have to leverage advanced malware detection technologies, automation, AI, adaptive policies and behavioural deviation detection as much as possible to optimise our resources.

“In the last year, we saw more advanced supply chain attacks, ransomware attacks, and more vulnerabilities than we’ve ever seen before. So we know that plugging every single hole at all possible times simply isn't possible and the reality is, we just need to make sure we are as prepared as possible to contain and mitigate the extent of a breach.”
“For privileged accounts, authentication to sensitive data, systems and apps should be more than just passwords”
BRENDA MCCULLOCH CISO, TERANET
Work may be more challenging than it's ever been, but McCulloch is irrepressibly optimistic - and embraces the new remote working culture, despite the issues it presents.

“Post pandemic, we really don’t know how it's going to look. So we just want to be ready with our strategy. If we take the scalable approach we can ensure the entire workforce can operate from home - or any location,” she says.

And working from home is a pleasure that suits McCulloch well. “I personally am thankful I’ve had this chance to have more family time and the opportunity to try new things,” she says. “These days when I finish work, I don’t have a long and late commute. I simply shut down my computer and my son and I might go for a bike ride together. It’s a simple but wonderful pleasure that we never would have been able to enjoy before because working life didn’t allow for such mid-week activities.”

Through the pandemic, innovations have been discovered and solutions to problems are steadily being found, while families can have more time together. It’s not difficult to see why McCulloch is pleased to be part of a company that is embracing the change.
123 Front Street West Suite 700 Toronto Ontario Canada M5J 2M2 T 416-360-5263 | teranet.ca