When Stephanie Franklin-Thomas joined facilities management provider ABM Industries in early 2021 as the company’s first CISO, she said she saw a security strategy that had many of the right parts.
That is a plus.
But Franklin-Thomas said those components weren’t fully assembled, and that was a negative—one that created a less-than-optimal security posture for the company.
“I believe that everyone wants to do a good job, but there is no program. There are pieces of a program, they are just not put together; it is not holistic,” she said.
So Franklin-Thomas set out to change that scenario, pursuing a plan to bring the various pieces together as well as identify and add any missing pieces so she could create a more coherent security program.
“They have what I call ‘accidental security’: They do the right things, but they don’t have a full program. They need a more programmatic approach,” Franklin-Thomas explains.
About 18 months into her tenure, Franklin-Thomas implemented a comprehensive security program for ABM, one centered around a zero trust security model and one where people, processes, and technology are unified and work together to be effective and efficient at defending and protecting, and ultimately enabling, the business. The project earned ABM the 2022 CSO50 award for business value and thought leadership.
“Everybody is now rowing in the same direction,” she said.
‘The soup was not made.’
As the new security chief and senior vice president, Franklin-Thomas said her top priority was to understand the pieces she had—in other words, which security elements were in place and which were missing.
One of her first steps was a NIST assessment, evaluating current security policies, procedures, and technologies against the control matrix to determine where the security function was performing well and where it was lacking.
She then validated her team’s findings by asking both security practitioners and other department heads whether the identified security controls were actually working and being followed.
“We went out to the business and asked: Does it exist?” Franklin-Thomas said. “And when they all said yes, we moved to validation, [saying] ‘Show me.’ That’s a whole other eye-opener. We can ask about a policy and they’ll say, ‘Yes, we have that,’ but when we look for it, it’s really not in place.”
It goes back to having the parts, but not the assembly. Or, as Franklin-Thomas put it: “We felt we had all the ingredients but the soup wasn’t made.”
She explained: “We at ABM and other companies are strong in technology, where security has brought in everything needed, but people and processes are not equal, and they have to be a perfect triangle: technology, people, and process. Here you have the ingredients but not the soup.”
Franklin-Thomas, who has held other CISO and senior positions and holds a Ph.D. in organizational leadership and management, says she sees this situation in many enterprise security functions, and notes that it leads to less effective and less efficient security operations. Because of this, she added, it remains one of the major hurdles to overcome in advancing one’s cybersecurity posture.
For example, she said, ABM had implemented multifactor authentication and followed the principle of least-privilege access but lacked robust documentation to ensure processes were followed.
“So for multifactor authentication and single sign-on, obviously everyone knows how to connect to the environment, everyone knows as an unwritten standard that if you’re going to deploy anything in the environment, it has to have multifactor authentication and single sign-on, and that’s very effective, but it’s very informal,” she said.
Franklin-Thomas said ABM now uses ServiceNow’s workflow software to document and create audit trails to support the security team’s transition to formal processes.
As another example, she pointed to the fact that the company had a firewall in place but had not confirmed that the firewall rules met current requirements.
“We have rules, but are the rules always right? Not necessarily,” she said, noting that firewalls in general are often too permissive.
Forming a perfect triangle
Franklin-Thomas scored the security efforts she inherited against a NIST scorecard, using that measurement to help her shape her security roadmap, inform the board of the company’s security status, and set priorities.
“We did the NIST assessment to find out where we are and identify the gaps; some are technology gaps, some are around management. Then we ranked our priorities by risk. We did it in phases, first the high-risk items and then the lower-risk ones,” she said.
As the security team works through those phases, closing gaps and strengthening the company’s overall security posture, Franklin-Thomas said she is simultaneously seeking to redirect the mission of the security function.
“I want to move from being detective to being more proactive while, of course, still maintaining the surveillance/detection capability,” she said, explaining that she believes the change—in both mindset and execution—will better defend the company from existing threats, let it adapt more quickly to future ones, and enable business growth more effectively.
For him, that means building the perfect triangle, where technology, people, and process work together holistically and equally. According to Franklin-Thomas, collaboration and coordination between the three overall pieces is essential for any cybersecurity program to succeed.
Switch to zero trust
ABM is now advancing its cybersecurity program, with a major focus on zero trust principles.
Franklin-Thomas says her team is well-positioned to move forward, with a holistic approach where technology, people, and process are equally integrated—a balance she says is critical to making a zero trust model work.
“When we started talking about zero trust, we looked at it from three pieces: We had to bring in the people and the processes and make it auditable, so we could go back and make sure we did the right thing every time,” she said.
She went back to the firewall to illustrate her point. A firewall is a technical part of implementing a zero trust security approach. But the firewall’s rules need to be fine-tuned so that the technology can accurately identify and allow through legitimate traffic while identifying and blocking illegitimate traffic as precisely as possible. Defining and implementing those rules are the people and process components, which are just as important to success here as the tool itself.
Franklin-Thomas speaks from experience, saying that she and her team work with their business unit colleagues to review existing rules, identify those that are too broad or permissive, and then refine those firewall rules accordingly.
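As an added illustration of the rule review described above (example code written for this page, not ABM’s tooling or anything from the article), the following Python script audits a constructed, hypothetical list of firewall rules and flags the ones that are too broad: any-source or any-destination allows, any-protocol or any-port allows, and source networks wider than a configurable prefix length. The rule tuple format is invented for the example and matches no particular vendor.

```python
import ipaddress

# Constructed sample rules in a hypothetical format (not any vendor's syntax):
# (name, action, source CIDR, destination CIDR, protocol, port)
SAMPLE_RULES = [
    ("allow-web", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", "443"),
    ("allow-any-to-db", "allow", "10.0.0.0/8", "10.0.2.5/32", "any", "any"),
    ("allow-admin-ssh", "allow", "10.0.9.0/24", "10.0.1.0/24", "tcp", "22"),
    ("legacy-catch-all", "allow", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
    ("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
]

MAX_SOURCE_PREFIX_WIDTH = 16  # source prefixes shorter than /16 are treated as too broad


def rule_findings(rule, max_width=MAX_SOURCE_PREFIX_WIDTH):
    """Return the reasons a single allow rule is considered too permissive (empty if clean)."""
    name, action, src, dst, proto, port = rule
    findings = []
    if action != "allow":
        return findings  # a deny rule cannot be over-permissive
    src_net = ipaddress.ip_network(src, strict=False)
    dst_net = ipaddress.ip_network(dst, strict=False)
    if src_net.prefixlen == 0:
        findings.append("source is any")
    elif src_net.prefixlen < max_width:
        findings.append(f"source /{src_net.prefixlen} is wider than /{max_width}")
    if dst_net.prefixlen == 0:
        findings.append("destination is any")
    if proto == "any":
        findings.append("protocol is any")
    if port == "any":
        findings.append("port is any")
    return findings


def audit(rules):
    """Map each over-permissive rule name to its findings; clean rules are omitted."""
    return {r[0]: f for r in rules if (f := rule_findings(r))}


if __name__ == "__main__":
    # Produces the review list that a rule-refinement meeting would start from.
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(reasons)}")
```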
Also on the people and process sides of the triangle, Franklin-Thomas created a risk team, embedded security in the project management office as well as the vendor management office, and reviewed security standards and management policies. She is also building out her security team and creating a culture where its various elements—engineering, operations, risk—work together to further support that holistic approach to security.
“It’s all about zero trust, so we understand how we grant access and ensure least-privileged access. This ensures that we are creating an entire environment that subscribes to zero trust,” she explained. “Really trying to look at everything in the architecture, the network, the edge, everything we do, that we don’t trust anyone and we build the environment that supports that.”
Copyright © 2022 IDG Communications, Inc.