Jim Routh

Identity has evolved as a primary line of defense for cyber security and data science has emerged as a foundational component of digital identity management for an enterprise. Identity and Access Management (IAM) programs tend to lurk in the shadows until something goes wrong. But enterprises now have capabilities that haven’t yet been applied to cybersecurity, and IAM within cybersecurity, fueled by data science fundamentals. Identity is being widely discussed as the next generation of the… Show more

Identity has evolved as a primary line of defense for cyber security and data science has emerged as a foundational component of digital identity management for an enterprise. Identity and Access Management (IAM) programs tend to lurk in the shadows until something goes wrong. But enterprises now have capabilities that haven’t yet been applied to cybersecurity, and IAM within cybersecurity, fueled by data science fundamentals. Identity is being widely discussed as the next generation of the perimeter as businesses transform from legacy-based, on-premises environments to cloud-hosted and Software as a Service (SaaS) applications. The design of enterprise controls has to keep pace and evolve away from on-prem to cloud-native apps, using data science to drive model-driven security.

The shift also fundamentally changed enterprise controls as on-premises IAM capabilities were substituted for access control in a cloud or SaaS deployment. However, threat actors also adjusted their approach, which meant the core IAM controls had to evolve with the tech. That saw the introduction of edge protection controls, such as using secure browsers rather than the traditional approach of virtual private network (VPN) tunnels.

The use of identity for continuous risk management and verification is well established in fraud management within financial services. But what’s new is the maturity of machine learning algorithms, which enable enterprises to apply identity in a near real-time model.

Traditionally, IAM practices relied on human labor to do the heavy lifting. Managers would have to approve employees’ access to resources, which created delays and workflow challenges and frustrated users. But a model-based approach reduces dependency on human behavior and increases reliance on models or near real-time decision-making to remove human involvement.

The benefits are significant as IAM controls improve while the productivity of the entire workforce improves. Show less

The market for cyber security talent is getting scarcer every year yet the current practices in place by enterprises reflect an employment model that has been obsolete for many years. Cyber security leaders have to adjust their recruiting practices along with their leadership skills demonstrating a solid commitment to talent development to deal with the current market conditions. Unconventional techniques can enable cyber security leaders to both attract and grow diverse talent to meet the… Show more

The market for cyber security talent is getting scarcer every year yet the current practices in place by enterprises reflect an employment model that has been obsolete for many years. Cyber security leaders have to adjust their recruiting practices along with their leadership skills demonstrating a solid commitment to talent development to deal with the current market conditions. Unconventional techniques can enable cyber security leaders to both attract and grow diverse talent to meet the future needs of the enterprise without increasing compensation or recruiting fees. The key is to consistently demonstrate a commitment developing talent and make adjustments to roles enabling employees to have an opportunity to learn and master new skills that they choose.

Cyber leaders have to collaborate with HR professionals to apply un-conventional techniques that are essential for the current and future market conditions. Enterprises can't hire cyber security professionals when they are needed due to the constraints of the limited supply of talent. The key is to shift the paradigm to hire top, diverse talent when you find it...not necessarily when you need it. Leaders should expand their networks and consistently recruit talent for loosely defined job categories with a minimum of requirements and encourage their teams to conduct exploratory interviews designed to understand what skills the candidate wishes to master. Top talent should be offered a role that is partially designed to give them an opportunity to learn what they wish to learn.

Cyber leaders should spend 30% of their time each week on talent development for their employees. CSO/CISOs should identify the development needs for their stakeholders and design curriculums for all of their stakeholders. This demonstrates a shift toward CISOs as educators to provide a multifaceted curriculum for all stakeholders in addition to a demonstrated commitment to talent development for all employees. Show less

It's time for enterprises to develop an approach to eliminate the use of passwords. They served us well for 60+ years but digital consumers have too many digital assets to remember passwords for. Enterprises have an opportunity to shrink the attack surface, improve the digital experience and lower costs by implementing behavioral based authentication capabilities.

White paper on 3 additive controls for a 3rd party vendor governance program specific to software security

Chapter 11