As a company with a mission to improve people’s online security, it’s only fitting to have a CISO on the team. That’s why we’re excited to introduce you to ours. Gerald Beuchelt, aka “Gerry”, recently joined our team to serve as our Chief Information Security Officer (CISO), taking ownership of our overall security, compliance, and technical privacy program. Gerry leads the global Security Team at LogMeIn, working alongside our CIO, Ian Pitt, and CTO, Sandor Palfy.
In his prior role, Gerry was the Chief Security Officer for Demandware, a SaaS provider for retailers offering eCommerce, point-of-sale, and retail back-office solutions. Demandware was acquired by Salesforce in 2016. At Demandware, Gerry created a full enterprise security program and built the security, compliance, and privacy team from the ground up. He organized production operation, engineering, corporate IT, and physical security, oversaw the creation and management of the compliance portfolio (including PCI, SOC2 & SOC3, ISO 27001, and CSA STAR), and acted as Data Protection Officer for EU countries.
We recently sat down with Gerry to dive a bit deeper into his thoughts around cyber security and how to maintain a secure workplace. Here’s what he had to say!
Q: Why is it important for everyone in the workplace to be security-conscious?
A: We all have access to sensitive information as part of our jobs and we all have a responsibility to keep that information secure. At LogMeIn, and for LastPass, security is a large part of our mission and a part of the way we work. From using LastPass for effectively safeguarding our passwords to knowing how to detect and report an external security threat – as employees, each of us has a part to play in practicing good security as we continuously protect our organization from existing and emerging dangers, for our customers and ourselves.
Q: What are the biggest cybersecurity concerns an organization should be aware of?
A: Password mismanagement is right at the top. With more than 4.2 billion credentials leaked in 2016, nefarious parties can easily use stolen passwords to access corporate networks and steal sensitive company data. This problem is nothing new and unfortunately worsens every year. Ultimately, humans are the weakest link in security, but we must take a nuanced approach to understanding the technological reasons behind this. In short, it comes down to convenience vs. disrupting workflow. If security ends up hindering how an employee carries out day-to-day tasks, they will be less inclined to follow best security practices. Worse still, they may attempt to circumvent security policies that are in place, which can generate even greater risks.
Q: Where should organizations place their security priorities for 2018?
A: The answer to this question is almost always very context-dependent: different organizations have very different security requirements and are also at different stages in their security maturity. If the organization has not done a comprehensive assessment of its current security posture, the business and stakeholder requirements driving the definition of the security program, and a risk-informed target state for security maturity, now is the time.
Beyond getting these basics in place, I believe we will see an increase in emphasis on detection and response automation. With the current increases in alerts and visibility from sensors, traditional triage does not scale anymore. Investigating the use of automation tools for all aspects of your security program should be a high priority. Machine learning for detection and response systems will probably be a hot topic for vendors, and organizations should pay attention to savings that can be realized from deploying machine learning or artificial intelligence.
Q: What do you think the biggest threats will be?
A: Again, there is almost certainly a high degree of context-sensitivity. However, we will likely see a continuation of perimeter demise: organizations relying on firewalls or network intrusion systems need to revisit their threat assessments. We will have more Shadow IT, more BYOD, and a wider portfolio of advanced threats to non-critical endpoints. Recent ingress and egress techniques such as compromised browser apps or DNS tunneling will require quick adjustments to detection rules, SOPs, and in some cases cultural changes. In summary, these threats will continue to increase the exposed threat surface, and they have the potential to create gaps in the overall control environment. Addressing these threats will require a more agile security team that can adjust to quickly changing adversaries’ TTPs. Leveraging force-multipliers such as machine learning and artificial intelligence, automation, or infrastructure consolidation can limit the impact of these threats.
Q: What is the #1 online security best practice you recommend to end users?
A: First and foremost – use a unique, long and strong password for every online account. That should be a no-brainer. Additionally, it’s very important that you make sure you’re updating your software. Many attacks are related to outdated and unpatched software – take the Equifax breach for example. The initial investigation revealed that attackers exploited an application vulnerability that allowed them to access files with personally identifiable information. Something that could have so easily been avoided.