Over the last few years, cybersecurity has risen to the top of business leaders’ minds. Prompted by the digitalization of many business operations during the onset of the COVID-19 pandemic and exacerbated by the increasing sophistication of cybercriminals’ attack methods, organizations are spending more time and resources to ensure their businesses remain protected – and rightfully so.
We spoke with AHEAD’s Director of IT Information Security, Grant Sewell, to pick his brain on the state of enterprise security today and learn more about the security tactics and methodologies that we employ in our own organization.
Can you tell us a bit about yourself? How would you best define your role at AHEAD?
I’ve been working in security for over 15 years, and I love what I do. I’ve worked in nearly every sector – government, education, energy, financial services, consumer products, retail, and now technology. Here at AHEAD, I oversee all aspects of the security, risk, compliance, and privacy programs that protect our internal associates and ensure that we deliver on the trust that our clients expect from us.
Given your security background, what would you say are the most pressing concerns or challenges for enterprises regarding security today?
It’s not an easy environment to work in today. Threats are increasing, the pandemic has disrupted how our organizations work, and it’s more difficult than ever to recruit and retain good talent in security. Security leaders are being pressed harder than ever to find balance and prioritize the things that will be most impactful to their business.
You joined AHEAD during a fairly tumultuous time for security – what did you prioritize when you arrived knowing that security would be a top concern for the company? Why?
When I initially came to AHEAD, one of the first things I did was meet with a lot of our key leaders to understand where their priorities were. After that, we conducted a basic but objective assessment of our program maturity using a framework that aligned to our business needs. Once we had that data, it allowed us to show our leadership where our biggest opportunities were and clearly demonstrate how these were prioritized on a roadmap. For us, a lot of these key initiatives came down to fundamentals – ensuring we were consistently and appropriately applying security controls to our entire business.
How does the triad of ‘People, Process, and Technology’ factor into your approach to security? Does any one area carry more weight than the others?
For me, People always come first. I’m a firm believer in user-first security programs. As infosec professionals, we can sometimes get lost in new technology or regulations. The best security programs I’ve built have always been driven by reducing the security friction a customer sees. It’s a lot harder to figure out how to build these low-friction security programs instead of just telling someone “No” – and that challenge is a real motivator for me.
How would you describe AHEAD’s security methodology?
Our methodology is aligned to our business, 100%. While we use industry frameworks and regulatory compliance as a guide, our approach to security comes down to two factors – Get Visibility, Keep Score. We want to ensure we see everything going on in our environment and constantly measure the performance of our people, processes, and technologies with quantitative metrics.
What advice would you give to someone in your position at an enterprise that is struggling to establish, maintain, or mature their security programs?
Using a framework and establishing good metrics will go a long way. It sounds boring, but no matter what stage your security program is in, you want to be able to tell a story that can be clearly understood by a business partner. I never add weighting to controls to ensure we’re telling the maturity story fairly across the whole program. When you look at your framework, it’s equally important to articulate what you’re NOT doing as much as what you are. Tweak the controls you need to fit your business drivers – that will really help get the support you need to strengthen your program.
What is on the horizon for enterprise security? Are there any budding solutions that have you excited or looming challenges that keep you up at night?
I think that in 2022, we’re going to see a lot of organizations take a step back and revisit some of the basics. Areas like Asset Management, Endpoint Security, and Network Security have changed for a lot of companies during the pandemic, and it’s important to look and see if the tools you have implemented are still the right tools for how you’re working today. As far as new tech, I think we’re finally starting to see artificial intelligence and machine learning deliver on the scale that’s been promised over the last few years. There are plenty of great startups disrupting the market in key areas that have been traditional pain points for security teams such as email/phishing security and risk-based identity protection. We’re seeing that the bad guys are using modern technology just as much as we are, so it’s important to identify solutions for your business where AI/ML isn’t just snake oil, but can truly add security and business value.