“I have enjoyed working from home,” says Brenda McCulloch, chief information security officer (CISO) at Teranet, as we chat over Zoom on a Friday afternoon.
“I’ve discovered lots of local walking routes that I didn’t know existed before the pandemic. I’ve even taken up skiing - something I wouldn’t have considered before.”
The world has changed, she acknowledges, and some of it has been for the better, although her area of expertise, high-level cybersecurity, has definitely faced its challenges of late.
The pandemic and the resulting increased digitisation of companies have unleashed a tidal wave of malware and ransomware cyber-attacks across all industries globally.
Companies that hold sensitive information have been especially vulnerable to attack. And for many, 2020 resulted in the worst hacking and breach incidents on record.
McCulloch is responsible for the cyber fortification at Teranet, Canada's leader in the delivery and transformation of registry solutions, data and analytics, and platform modernization. For a provider of extensive expertise in land and commercial registries, data, and the protection of it, is paramount to success.
But her 20-year career in the IT industry now stands her in good stead, and she believes an organized team, careful prep work, and properly allocated expertise and resources are the keys to making sure companies maintain their security correctly in these challenging times.
“It’s always about balance,” she says, with a hint of zen. “Ultimately, it’s risk versus reward. What you want to achieve out of a security programme and what you want to invest, versus what kind of exposures and risks that organization faces.”
As a self-confessed computer nerd, McCulloch has been immersed in the industry since an IT module caught her attention at university. Following a 16-month internship at IBM, where she says she learned “an immense amount”, her love for the IT industry was cemented, and McCulloch enjoyed a number of high-flying roles.
“My past roles include positions where I was internally facing and externally facing, so I have consulting experience as well as building an in-house security practice from scratch.
“From those two experiences and perspectives, I have built a very balanced view of different ways to deliver a security protocol to different companies.
“So, I bring that balanced view to Teranet, and I work in tandem very closely with the executives on that.”
Corporate cybersecurity post-pandemic
McCulloch has the onerous task of making sure Teranet utilises cutting-edge technology to maintain its robust and agile architecture against cyber threats - a challenge that she relishes.
As part of her role, she has built a security practice programme and team and also works on Teranet’s identity and access management multi-factor programme. She also oversees initiatives to enhance the company's security posture, including the development of its zero trust model.
“The past 12 months have been an eye-opener for companies globally in terms of cyber awareness and breaches. Although, we keep saying this annually, to be honest with you,” she says.
“But I agree that cyberattacks do continuously get more sophisticated and advanced. Teranet understands that, and in order to stay current, we have to continuously invest in our security and that our practice can't stagnate.”
Ultimately, it's not the high-flying, glamorous side of being a tech genius that’s going to prevent a company from haemorrhaging data in an attack, says McCulloch, but the meat and potatoes of the job.
“We know that security hygiene, as well as operations, are not exciting. But they are very important. Because of competing new initiatives, we know that we have to inject additional resources to support them and not rely on repurposing existing resources that are dedicated to the hygiene of the operational activity.”
The rush towards digital transformation has been instrumental, McCulloch says, in opening up companies to cyberattacks. Whole populations have shifted to online operations, and that is causing a massive vulnerability.
“Last year, there were more vulnerabilities reported than in any other year,” she says. “People are online more than ever before, and there are so many more digitized services. Even our kids are online. Literally, everyone is online. That inherently will have risks associated with it.”
McCulloch says that very often, the way companies maintain their hygiene routines on a day-to-day basis is the cause of unexpected hacks.
“I think many of the root causes of many breaches were because of persistent vulnerabilities, phished users, excessive privileges, etc.
“I think it's really important that when you augment new initiatives, that you also augment the resources at the same time,” she says.
Cybersecurity and the cloud
The shift to cloud-based systems has been massively instrumental in creating greater vulnerabilities, points out McCulloch, and mainly, this has been caused by limited security resources.
She explains, “One of the challenges has been the movement to the cloud and the augmentation of security resources to support them, both on premise infrastructure as well as cloud services.
“Most organizations have limited security resources, so during the transition phase, the augmented resources and skills required to support the paradigm shift is always challenging - especially if you look at other initiatives that you want to accomplish at the same time.”
Ensuring that an organization remains abreast of novel cyber threats is a constant challenge, and one that can only be met when cybersecurity is considered a top priority. At Teranet, this mentality is evident. “At Teranet, we have very strong executive support, and we meet regularly to discuss our posture as well as challenges that the security office faces,” McCulloch says.
Richter partnership and security
The strategic partnership with Richter has also been highly instrumental in maintaining a secure footprint for the company.
McCulloch says Richter entered the security journey “very early”, and it is this long-term partnership that has helped strengthen Teranet’s cybersecurity.
“They were engaged [in providing] a security maturity and threat risk assessment because of the security programme.”
McCulloch says it’s essential to know precisely where companies sit in maturity in order to know what needs to be achieved. “At the same time, Richter helped us based on what our client’s risk trauma level was. We needed to come up with an end game.”
She continues, “Richter helped us identify where we sat, as well as where we needed to go - and ultimately, that kind of risk assessment and maturity assessment has given us a view that we can execute on.
“It wasn’t a one-time thing for us. After we brought in Richter, we consistently looked back at this report and ensured that we were progressing against it. So it was a living document. It wasn’t a document we parked; the assessment helped us execute with a roadmap and a plan.”
McCulloch says the Teranet team still relies on their strategic partnership with Richter to maintain thorough assessments of their security as they evolve. “We bring Richter back as changes within the business happen, for example, M&A, to make sure our threat risk assessment is updated. It's definitely a partnership between Richter and Teranet.”
Zero Trust modelling in cybersecurity
Teranet is in the process of moving over to a zero-trust model in terms of its security architecture. This multi-layered solution, which prevents and slows down the damage that can be wrought in a major breach, has been instrumental in fortifying the company’s cyber strategy.
McCulloch uses an analogy to describe exactly how the architecture works. “So, in terms of a home, you’ve got the doors to your house and there are keys to the door. In a traditional security model, you protect the doors of the home. You lock the doors to ensure no security breach occurs. You use a strong lock and you make sure only certain people have keys to the lock.”
She continues, “Zero trust is different from that model because even if I have a key to the home and I live in the house, it doesn’t mean that I have access to every single drawer and cabinet in the house.
“But, if I live in a room in the house, I also have the key to my room door, and if I share a room with someone else, then I get only the keys to the areas and cupboards that I am allowed access to.
“We might both have keys to the closet, but I have access to the left drawers and my husband would have keys to the right drawers.
“It’s essentially a multi-layer security architecture. And that means if you have a breach at the front door, it doesn’t put the jewels in the closet at risk right away. Hackers will have to work harder to get to it. There are barriers to other controls to get to the more sensitive data.”
ID cybersecurity solutions
As well as the zero-trust security architecture, Teranet has adopted and is also developing a number of ID gateways via its access management multi-factor programme.
This means authentication, especially for sensitive data, requires several steps before access is provided.
“For privileged accounts, authentication to sensitive data, systems and apps should be more than just passwords,” says McCulloch.
“The difficulty in today’s landscape is that many providers are getting breached and hackers can stealthily steal a database of usernames and passwords which go on sale on the black market. This means the user is not the only person to have access to that account.”
She continues, “At Teranet we use more than one factor to authenticate our users for when they want to access sensitive data or systems or applications to our cloud single sign-on or VPN.”
The authentication factors used by Teranet include the password, tokens on mobile phones and devices. The company is also exploring other types of authentication - such as biometrics.
Security practice programmes
As part of her work at Teranet, McCulloch has also been instrumental in building a security practice programme and team. The challenges involved in such a project often hinge on resources and executive-level approval.
“You’ve got to make sure the executives at the organization are mindful of the endgame - because the endgame is where they believe that investment must go - and a lot of the time the endgame is where the risk appetite ends.”
Ultimately, says McCulloch, if companies have low investment but high-risk weakness items, that's something they should definitely address.
She says that executives have to be very aware of these programmes because there are so many non-security initiatives that are competing with the security initiative.
She says companies should also prioritise the roadmap to decipher which initiatives are more important in terms of security and that building an expert and responsive team is part of the challenge.
“I am extremely picky when selecting team members since we can only hire a certain number of security resources. We also want to ensure that each of the resources is able to deliver certain parts of the programme.”
Looking at the whole skillset and not just the technical expertise is the main hiring practice for McCulloch. She explains, “A lot of people in the industry look at technical skills in terms of hiring. But I also look at soft skills because those are the ones that are more difficult to teach.
“The way a team interacts and communicates with each other, that’s extremely important because if you have too many casualties along the way you are not going to be able to do another initiative down the road. We want to make sure when we hire someone it’s for the long haul for sure.”
She adds that authenticity is a critical element required of every team member. “Lastly, once we bring on team members, we’re very considerate of their desires. We like to make sure that team members can bring their whole self and true self to work.”
McCulloch believes the hybrid working model is the answer to the bigger question regarding work/life balance, but with it comes additional risk. Things are different now, she acknowledges, and companies need to move with the times and minimise their vulnerability footprints.
For businesses to operate in today's landscape, they need to be able to connect with others and transmit data. “It’s part of our core business to enable customers to access the data and applications they need,” she says.
“That comes with cyber risk so we have to leverage advanced malware detection technologies, automation, AI, adaptive policies and behavioural deviation detection as much as possible to optimise our resources.
“In the last year, we saw more advanced supply chain attacks, ransomware attacks, and more vulnerabilities than we’ve ever seen before. So we know that plugging every single hole at all possible times simply isn't possible and the reality is, we just need to make sure we are as prepared as possible to contain and mitigate the extent of a breach.”
Work may be more challenging than it's ever been, but McCulloch is irrepressibly optimistic - and embraces the new remote working culture, despite the issues it presents.
“Post pandemic, we really don’t know how it's going to look. So we just want to be ready with our strategy. If we take the scalable approach we can ensure the entire workforce can operate from home - or any location,” she says.
And working from home is a pleasure that suits McCulloch well. “I personally am thankful I’ve had this chance to have more family time and the opportunity to try new things,” she says.
“These days when I finish work, I don’t have a long and late commute. I simply shut down my computer and my son and I might go for a bike ride together. It’s a simple but wonderful pleasure that we never would have been able to enjoy before because working life didn’t allow for such mid-week activities.”
Through the pandemic, innovations have been discovered, problems are steadily being solved, and families can have more time together. It’s not difficult to see why McCulloch is pleased to be part of a company that is embracing the change.