Solving the Business Challenges of Governance, Risk, and Compliance
November 18, 2019 • Monica Todros
Our guest today is Syra Arif, a senior advisory solutions architect in the security and risk practice at ServiceNow, a global cloud computing company. Syra shares her insights on providing customers with solutions to the business challenges of governance, risk, and compliance. She shares her experience coming up through the industry as a woman, and we also get her perspective on threat intelligence and why it’s critical for organizations to embrace diversity.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 134 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Our guest today is Syra Arif. She’s a senior advisory solutions architect in the security and risk practice at ServiceNow, a global cloud computing company. She shares her insights on providing customers with solutions to the business challenges of governance, risk, and compliance. We’ll get her perspective on threat intelligence, and she shares her experience coming up through the industry as a woman and why it’s critical for organizations to embrace diversity. Stay with us.
It was honestly luck, Dave. I had a background in electrical and computer engineering, and at the time, I wasn’t sure what I wanted to do. I was recruited by Cisco to actually work in their mobile internet technology group, which was a subdivision of Cisco that really focuses on cellular and satellite communications, and that’s where I started my career.
I did that for about five years and I realized it just wasn’t the right fit for me. And that’s when I got contacted by a small company called RSA, which was the security division of EMC at the time. And I remember I called my dad and I said, “Hey, dad, have you heard of this company, RSA?” He was like, “Are you kidding me? You’ve got to take this seriously.” So that’s when I returned the phone call to the recruiter from RSA. That started my journey in cybersecurity.
I started by focusing in the areas of vulnerability management as well as governance, risk, and compliance. At the time we were focused on bringing technical solutions to customers in both of those areas. As I got deeper into it, I started to get into the identity and access management space. There were a lot of challenges at the time around having too many solutions, not being able to control access and understand who has access to what. RSA was really focused in that space. And then I started to go to client sites and I noticed a lot of clients were asking about potential integrations or partnerships between ServiceNow and RSA. And so I said to myself, “What’s this company called ServiceNow?” And that’s what sparked my interest.
Luckily, at the time, ServiceNow, this was about four years ago, ServiceNow was actually in the process of building an entire subdivision focused on security and risk. They just happened to be looking for someone in the Boston area. I reached out and that’s how I was recruited onto the team. It was crazy because four years ago the company was maybe only 2,500 employees, which was when I joined. Now we’ve just about crossed over the 10,000 employee mark within a span of just three and a half or four years. So that’s what brought me to the point I’m at now.
And so what is your day-to-day like?
Yeah, so it’s really evolved. And what’s great, Dave, is we’ve focused so heavily on the security and the GRC space, or governance, risk, and compliance. What I do in my current role is I consult across multiple verticals, everywhere from financial services institutions based out of New York City and the New England area, all the way to healthcare and education, state and local governments, to focus on how we can help solve some of their technology and business challenges with ServiceNow solutions. A lot of that is coming in and consulting clients on how they run a vulnerability management program.
There’s a lot of inefficiencies within the vulnerability management process, as well as how I can use incident response automation capabilities and respond to security incidents quickly. My day-to-day is meeting with clients, identifying areas where they could heavily use some automation capabilities, and then coming in and showing them how ServiceNow solutions can help meet some of their problems. What we’re trying to do, Dave, in this market is, we’re trying to reduce the time that it takes to respond to anything, an incident, a vulnerability, a risk event. Reduce that time so that we can make sure that we quickly respond to things that matter and that are critical, without having them turn into a major data breach or a huge financial loss to our organization.
Can you give us some insights on where organizations are, at that point when they’re reaching out to someone like you, and I suspect they know that looking into vulnerability management and incident response is something they’re ready to do. They’re ready for that next step. Is that an educational process for you to get them up to speed on how to calibrate their expectations?
Yeah, 100 percent. I think about it almost like when we, in our personal lives, go and we have a doctor’s appointment. Some of us may set up an appointment with our doctor and say, “Hey, these are the symptoms that I have. Can you help identify what my issue is?” Some of us might even say, “I’m just going to go in for my regular checkup and just make sure that I’m still okay, I’m still healthy, or are there things that I need to be concerned about?” When organizations are coming to me, it falls into one of those two buckets.
A lot of times, and lately what I’m seeing is a lot of clients coming to me and they’re starting to say, “We’ve had something catastrophic happen. We’ve had a major data breach, or we’ve had an external audit entity come in,” especially in financial services. And they’ve found out that there’s a major audit finding that they need to go out and fix. When they come to us with this problem, they’re telling us what some of their symptoms are or what some of those audit issues are and that’s when we can sit down and say, “Well, here’s what we think you need to do. You need to think about things in a way where you’re starting to quantify risk. Without having that risk conversation and identifying what’s critical to your business stakeholders, all the way up to the board level, how are you going to make any sort of change down on the operational level?” Those are some of the conversations that we’re having.
When it comes to compliance, how do you help your customers make sure that they’re not just checking off boxes, that compliance is also leading them to positive practices, to positive change, that sort of thing?
Oh gosh. Compliance, it’s just a huge pain in the butt for so many organizations. Even the ones that are mature in the space are still struggling with it. So there’s a couple of things that organizations, I think, need to consider. One of those things, Dave, and you’d be surprised, I still get surprised when I go to organizations, is there’s a regulation out there, there’s maybe some sort of regulatory document. Like let’s take into consideration some of the data privacy regulations, like GDPR. An organization may go online, type GDPR into Google. They get the actual document that outlines the mandates. And they sit down and they say, “Well, gosh, what does this mean? Does this apply to my organization? How do I translate this into something that’s actually meaningful that I can take action on?”
That’s the first step in this whole process. This comes even before we start looking at a ServiceNow or a compliance tool to help us run some of the automation and manage that process. But it’s that translation of what is the regulation telling me and what does that mean in my organization? That’s the first step. That’s honestly where I see organizations are struggling most. Usually that involves a lot of attorneys and technology folks having to translate some of those requirements into something that matters. And then we really get into the meat of things, which is, “Okay, now that you’ve understood what’s required of you, do you actually have the appropriate business process in place?” I think, a lot of times, when we think about compliance or some of these technology challenges, we think it’s just something that I can put a technical solution in place and that’ll fix my problem. Well, no, that’s not the case. Without the appropriate business process and the right people involved in your organization, you’re never going to have that program around compliance or reducing risk that you need.
Once you figure out the key players and make sure that everyone is committed to managing this business process, that’s when you turn around and say, “Okay, well, now that we know what we need to do, I don’t want to do this over email and spreadsheets because it’s just too much work. Things get lost. I can’t send an email to an individual, expect them to reply within one business day if it’s not at the top of their priority list.” That’s when they come to us at ServiceNow and they say, “Okay, let me actually have a technology platform in place that can help me manage this entire process from beginning to end.” It’s a lot more than just the technology, and that’s really what I’m personally trying to preach to some of my customers.
Is there a natural impulse to try to delay the reckoning when it comes to these sorts of things? I mean, I can imagine it being a pay me now or pay me later sort of thing. In other words, you can get ahead of your compliance requirements, or at some point, your compliance requirements are going to come for you.
Oh, 100 percent. It’s interesting that you say this. I know a lot of us were tracking the Cambridge Analytica scandal and the Facebook involvement and some of the data privacy stuff that was happening. I think that was actually over a year and a half ago. A lot of us were tracking that, and I was watching the Zuckerberg trial, and I was thinking to myself, “Well, wow, some of the things that are going to come out of this are going to have widespread implications.” And so I mentioned GDPR and there’s another one around the CCPA, the California privacy initiative. I think it’s going to start trickling into other states as well. I know, in Massachusetts, we have something that’s similar.
Looking at all of these data privacy regulations, there was a key metric that was outlined, or an impact, rather, on organizations that didn’t meet GDPR initiatives. I think the timeline was maybe last May. You’d be surprised. I was in a CISO roundtable event, maybe a couple months before the GDPR timeline cutoff. And at this CISO roundtable, what I was amazed to see was that about 75 percent of the CISOs there weren’t actually ready for GDPR. They hadn’t even started the process. So they knew the timeline was approaching, but they hadn’t done anything about it.
Some of the reasons that I see for that are, well, they didn’t get any directive from the board or from a higher level. So that’s one thing. Think about having to self-initiate a project that’s as widespread as something as data privacy is. That’s a huge project to take on. That’s a lot of resources from a CISO perspective. I mean, that was one of the reasons.
The other reason was they weren’t quite sure if the actual impact or the fines were something that someone would actually have to pay. So yes, with GDPR we have a potential fine we have to pay, but who’s actually going to come and audit us and make sure we pay the fine? And then even if an organization … there’s been some stuff with Facebook and Amazon and Google that’s happened … But even with an organization that does get fined, are they actually going to pay the fine? They’re sitting around and waiting to see what happens, or if this is even real, before they actually go out and make change. They drag their heels. Even now, I mean, we’re talking about a year and a half later, even now I’m seeing organizations still coming to us at ServiceNow and saying, “Hey, what can we do to get started to meet GDPR compliance?” We’re way past that deadline.
Yeah, that’s fascinating. I mean, to get back to one of the things you mentioned early on in our conversation there, it’s almost as if they’re taking a calculated risk that maybe the other organizations will get hit with fines first, or let’s take a wait and see before we spend all this money on something that may not come to pass.
It is. Everything is a risk management exercise. I was actually talking to someone this morning about the fact that even with audit findings, for example, you may get hit with an MRA, a Matter Requiring Attention, if you’re a large financial services institution, and that MRA may have a fine of, let’s say, a million or $5 million. But if it costs you $10 million to put a proper compliance program in place, you may actually say, “You know what, I’ll just pay for that audit finding, because it’s just easier and it costs me less than actually trying to meet compliance.” It’s all just a big exercise around risk management.
I want to get your insights on threat intelligence and how you consider that as part of an organization’s defenses.
Yeah, that’s a great question. Dave, it was great meeting you at the Recorded Future Conference, and I have threat intelligence at the top of my mind. I meet with organizations that have a Security Operations Center in place. So it could either be a SOC that’s in-house or they’ve potentially outsourced to an MSSP or a service provider, but they’re still having to deal with the remediation side of the house. With these organizations that are running an IR program, a lot of them are under-resourced and they have way too many security incidents and attacks that are occurring. They’re trying to figure out, “How do I do more with less, and how do I take the analysts that I have in my SOC and make them more productive on things that actually matter, and then automate things that maybe don’t matter as much?”
One of those key areas is this area of threat intelligence. So the concept of threat intelligence, if you’re not aware, is just this idea that there’s a lot of bad stuff that’s happening out there on the internet. There’s a lot of hacker groups, a lot of attacks, there’s a lot of exploits that are being written to go out and exploit known vulnerabilities. There’s a research component to understanding what’s happening out there in the wild. What threat intelligence providers do is they actually provide organizations with a feed that allows them to track these campaigns, understand the exploits, and then identify what’s happening in the wild and how that affects my organization. These threat intelligence providers, they’ll provide a feed and there’s this automation activity that needs to happen where we look at what’s happening out there in the wild and then is it actually affecting us as an organization. Because if I’m being inundated with 500 security incidents in a day, I need to know what’s actually critical and what I need to pay attention to.
Threat intelligence is really key because it allows organizations to identify what’s actually real, what’s actually going to impact the organization. And then that, in turn, will help the security analysts prioritize what needs to be top of mind from a remediation perspective. At ServiceNow, just from a technical perspective, we’ve got our IR solution and we can go out and actually integrate to these threat intel feeds and different solutions out there, one of those being Recorded Future. VirusTotal is another.
We can actually help organizations quickly respond to these security incidents by performing things like IOC lookups. So if I see an observable in my security incident, is it something that’s actually critical and is it known by one of these threat intelligence providers? If it’s known, then the threat intel provider can actually tell me, “Well, yes, this is a known IP or observable and it’s attributed to this hacker group or this campaign. Here’s what you can do to actually go out and make sure that you’re not affected by it.” Maybe that has to do with patching a vulnerability or maybe it has to do with going out and making a firewall change so that you’re not as exposed to that group that can actually come out and do harm to your organization.
You touched on something earlier in our conversation that I want to swing back around to. That’s the human factor. I think, for many people, it’s easy to be seduced by the allure of automation. And there’s no doubt that automation can save time and allows us to do things that we couldn’t otherwise do. But at the same time, you have to dial it in with those real, live human beings. I’m wondering, how do you guide your clients to dial in that balance?
It’s such an interesting comment that you’re making, and we’ve got all these sophisticated security tools and processes out there, and being in the security industry, we’re so deeply entrenched in automation and orchestration capabilities. And yet, we always find, especially me, when I go into clients, I always find that the number one type of threat that organizations are facing is a phishing incident.
Think about what a phishing incident is. It’s just an email that’s going through your Proofpoint or your spam folder. It’s ending up in someone’s email inbox. And then a user either opens up a file that’s attached in that email, or they click on a link, and all of a sudden your system is compromised and that infection spreads in the organization. In that, even though you may have the Proofpoints, the ServiceNows, the firewalls, you have everything you need in place, the weakest element is the human. It’s the individual that opens up that email.
That’s still the number one thing that I’m hearing with clients that they’re struggling with. So the human factor is definitely a huge piece of this. I think there needs to be a lot more security awareness out there. I think, as an industry entrenched in cybersecurity, we’re doing a great job creating podcasts and educational material out there, where we’re getting it into the hands of the folks that are in the line of business and educating them on cybersecurity as well. But still, if you turn around and talk to your neighbor who doesn’t work in the cyberspace and tell them about some of the things that you’re seeing, they’ll be shocked. They have no idea. Humans have no idea that they need to put a Post-it note on their webcam, on their laptop, because someone might be watching them. We’re still very far behind in terms of just educating the general public on some of the cybersecurity awareness that they need to have.
I’ve actually been thinking personally about going and volunteering some time to work with my local city, especially with the elderly, to let them know when to look out for a phishing email or a phone call, because it breaks my heart to think about that grandma that gets a phone call saying that her nephew is in prison and she needs to transfer money to some offshore bank account. We still have a long way to go.
Looking at your career, you came up, you got your bachelor’s degree in electrical and computer engineering. You have a master’s degree in technology and strategy. I would imagine that coming up through the ranks there, there weren’t a whole lot of women in a lot of your classes. What has that side of the experience been like for you?
Oh, it’s so interesting. I’ve done so much reflection on this topic throughout the years, just seeing how I’ve evolved throughout my career. So yeah, I mean, in electrical engineering, sadly, there were only about three or four women in my class out of maybe 150, and that metric has carried on through the years. My first job at Cisco, very few females, especially as part of the engineering team. Moving on … Luckily, in sales, we are starting to see a lot more women emerge and get into the cybersecurity space. There’s a lot more awareness, but there’s still a long way to go.
The one thing that I’ve realized is, and not to generalize, but for me personally, I think there is a misconception, that in order to be a woman in technology, that you have to be this super hands-on coder who reverse engineers bugs and malware and that sort of thing. But what people don’t realize out there is you can be in the technology industry and do all sorts of things, whether you have a technical background or not.
For me, personally, I’m encouraging young women who are in undergrad or in grad school to look at careers in cybersecurity. We could really benefit from the perspective that you have coming into this. Just the diversity of thought, I think, in cybersecurity is essential.
I was actually attending a fireside chat with a senior executive from one of my customers, and he was mentioning how he’s going out, as part of his threat intelligence team, he’s looking for diversity in thought and background. Could be gender-related. It could be where you come from. It could also be your skillset. Because to fight cybercrime, we need all sorts of people who think in different ways, because we need to reflect our attackers. Just like the cybercriminals are diverse in their talents and in their background, we need to recruit more diversity in cybersecurity, so we can think the way that the hacker thinks and solve some of the cyber problems that we’re having.
Our thanks to Syra Arif, from ServiceNow, for joining us. We sat down at Recorded Future’s 2019 RFUN: Predict conference in Washington, D.C.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.