At a recent financial industry conference, the chairman of the Commodity Futures Trading Commission called for a shift in how organizations think about cybersecurity. She called for a change from an incident response mentality, to a resilience mentality. Federal Drive with Tom Temin next guest has some ideas for how that might actually happen. Igor Volovich is vice president for compliance strategy at Qmulos.
Tom Temin Well, is there a connection between compliance, which everyone has to do because you’re in the federal government and complying with a thousand things, and resilience? Because sometimes compliance seems like a checklist exercise. Resilience seems like you’re dancing.
Igor Volovich Well, it’s true. So compliance, everybody has a lot of compliance obligations. There’s plenty of mandates evermore coming out. We saw the executive Order 1403 being put out in 2021. And since then it’s spawned all kinds of other mandates and directives and memoranda. And one of the big ones that comes to mind as M-21-31, which is the logging directive, and everybody scrambling to figure out how to comply with that. And then, of course, there’s M-22-09, which is the zero trust directive. And so those are two of the big ones that everybody wants to talk about. And as everybody’s scrambling to comply with the latest, they also can’t leave behind what they’ve always had to comply with. So compliance requirements keep multiplying. That’s kind of the bottom line there. And it’s difficult, because the compliance processes have really been built around these manual workflows, manual data collection, manual processing, manual analysis, manual reporting. Most compliance folks either work in Excel or some kind of an antiquated platform. And the data collection is still very much a manual exercise, as is the reporting. Most of the reporting is being done through some kind of a spreadsheet or usually PowerPoint. So it’s not very dynamic, it’s not very agile, it’s not very future proofed.
Tom Temin And if you are worried about FISMA scorecards and that kind of thing, and you figured out a way to get them filled out every quarter or whatever it is, then you’re going to stick with those platforms.
Igor Volovich Yeah, there’s a lot of investment that’s been made into these models, and there’s also a lot of business model wrapped around it. So you’ve got the federal systems integrators, you’ve got the big consulting firms where it’s just kind of more of a button seats model. They will send you 50 ISSOs, the information system security officers, and ISSM’s, and they will sort of run that program for you. So there may not be a lot of interest in doing things like automation. And if they do automation, a recent conference actually at a Gartner conference in D.C. about a month ago, we talked about that, and the analysts actually spoke about this differentiation where a lot of folks in the marketplace who are doing workflow automation actually starting to claim compliance automation, because everybody is interested in compliance automation. The industry is recognizing that there is a lot being invested into these manual processes. A lot of overhead is being spent, and not a lot of results. So in order to evolve, you have to automate. And so some of the existing players who have a lot of incumbency, who already built into a lot of these environments are saying, Well, we’re doing workflow automation, we’ll just call it compliance automation. And there is a distinct difference there. And I think the folks who are buying these services and products need to be a lot more educated about how that actually works.
Tom Temin Right. Because the question, I guess is are you complying with the right things? I think of compliance and resilience, like suppose you’re getting dressed for a formal occasion, and you spend a lot of time fussing with your tie because your necktie has to look right, your bowtie has to be perfect, and the buttons have to all be aligned. And while you’re doing all that, your pants fall down, that’s when you need resilience.
Igor Volovich Well, to extend that analogy, I would say imagine doing that, and then having to do a wardrobe change every 5 minutes. It’s hard to do if you don’t have Velcro on your outfit. So it has to look good, but also has to be very agile, very dynamic, very adaptable. And you really don’t know, you might be starting with a formal event in the morning, and then by the afternoon you’re going to play a rugby rugby game. Because incidents keep coming, threats keep evolving. So you kind of have to be jumping from one to the next. It’s very hard to do with a rigid, legacy manually based compliance program. And more memoranda are going to be spawned by that executive order 14038. And also, we have this precedent based enforcement model.
Igor Volovich So we start with [Commodity Futures Trading Commission (CFTC)]. CFTC, [Federal Trade Commission (FTC)], [Securities and Exchange Commission (SEC)], they’re all coming out with the rules that basically are saying the same thing. A, they want to enforce their mandates, they want to enforce their authority. They want to make sure that there is more transparency, more awareness about the existing resilience and the security posture of these environments. And it’s challenging the leaders to demonstrate security expertise, but also to be accountable and responsible for what happens with their environments. We can’t just say, look, we did our best and here’s that compliance report from a year ago that says we did so. That’s not good enough, because the bad guys don’t look at check boxes and don’t look at the compliance reports. So they want to get these environments, regulated environments, into the same space. Get the threats of operating in, which is real time. Impossible to do a legacy compliance mindset, impossible through the legacy compliance programs, you have to automate. And even though they’re not calling for that by the actual term, they’re not saying, Hey, we need you to do compliance automation. The implication is absolutely there. Because you simply cannot throw more people at this problem without evolving their ability, your actual compliance capability, the maturity, the compliance program, not just your controls, but your ability to demonstrate compliance that has to evolve.
Tom Temin We’re speaking with Igor Volovich. He is vice president for compliance strategy at Qmulos. And yeah, before you said that you just don’t want to automate your workflows, but you want to automate the compliance process itself. The implication is that compliance itself has to change continually over time, and therefore to automate a given process may not yield that ability to keep up with the times, which can change daily.
Igor Volovich Correct, absolutely. So threats change daily, they evolve daily. We’re seeing things like Moveit, we’re seeing things like the CLOP ransomware attack, the Microsoft O365 attack recently, which we still don’t know how it works. We have some ideas, the private keys get compromised, but Microsoft is not saying how. And of course, all the phishing stuff. So I just commented yesterday actually on the new worm GPT, which is in a malicious clone of ChatGPT. Which allows bad guys to basically bypass all the filters and all the controls that have been built by open AI to craft really, really good phishing emails. And guess what? Phishing emails still work. That’s why there’s so much focus around making that a capability for the bad guys. And so my contention is this, if your entire security apparatus, if your entire security program can be subverted by a phishing email, well, then you’re not doing the right kind of threat modeling and your compliance program is just a static historical reporting function. You’re always looking backwards. The idea is to bring it back into real time and converge on these timelines. Your security operations works in real time. Your risk management should be looking at the real time and into the future. But compliance always look backwards. So again, we want to converge on those timelines. The only way to do that is through automation. And what I say, when people ask me what is it that I do for a living? And what is compliance strategy? Thinking strategically about compliance as a tool of risk management, bringing it to real time, That is really the objective what we’re trying to fulfill here. And by doing that, you’re ready to answer many other questions. So you may not even be able to predict. And these questions might come from anywhere. From the White House, from [Department of Homeland Security (DHS)], from [Cybersecurity and Infrastructure Security Agency (CISA)], from FTC, SEC and now CFTC. So everybody’s converging on the regulatory compliance side. The enforcement side is becoming a lot more onerous, a lot more strict. And the scrutiny on the leadership and the kinds of decisions that they make, these are the kinds of things that keep coming down the pike. And I think it’s only going to get worse for the guys who are not coming to the table with the right kind of thinking, with evolving their compliance mindset and then evolving that compliance program to our automation.
Tom Temin It seems like you need to have some imagination over what it is that you envision is encompassed by compliance. There are certain baseline things that are statutory or regulatory, but beyond that you need to think of it, tell me if I’m right here, compliance in terms of what is the actual threat environment. What do I need to do? What do my systems need to do that may not be statutory or may not be regulatory, but are real because that’s what the threat looks like.
Igor Volovich Absolutely. So here’s a thing. Folks tend to think of compliance as just this cost of doing business. It’s a comp we have to run. We do it periodically. There’s this kind of a cadence built around it. We’ve got our audit cycle, it comes around every year we might have to recertify. In the federal space, absolutely. The ATO’s right, the authority to operate, that’s a three hour cycle. And you have to recertify periodically. But it’s not uncommon. And when we talk to our clients, we see it all the time. We ask them, what is the oldest, what’s your time horizon? What’s the oldest piece of data that’s informing your knowledge of your current posture and resilient state? They go back and they say, Well, yeah, we have data from three years ago, because that is completely legal. That is absolutely correct. So you can still do compliance perfectly well and still be three years behind. Now, the bad guys don’t look at those reports. Right. They’re hacking environment right now. So how come your knowledge is not real time? So again, you got to converge. You’ve got to get to that same real time environment, a real time mindset about collecting this information in real time, processing in real time, reporting in real time. So you have that situational awareness that matches your adversaries. You take that, you multiply that times are asymmetric threat profile that’s just built into this model to begin with. Too many bad guys not enough defenders. They have infinite resources, we don’t. So we have to be very strategic in how we apply the limited resources that we have. And doing this based on risk is the only way to get it done. So you mentioned threats. Good threat modeling, it counts for things like the Human Factor. So the phishing email that shows up at three in the morning and somebody clicks on it, and then you have business email compromised and somebody transfers, does a wire transfer of $20 million and going to Singapore and then scattering to the wind. These are the kinds of things you can account for. But again only if you’re thinking about risk, not technology.
Igor Volovich And what I think I found particularly interesting, the speech that Commissioner Romero said, Safety Commissioner Romero talked about. She mentioned that they’re probably getting these new rules, that they’re pushing for more consistency. They want more transparency, they want more accountability at the top. But what I found interesting is that she actually sponsors a technology advisory committee within the CFTC, and that’s where these rules are being put out. We’re not talking about technology. Technology is where these things typically happen. That’s the real world in which we want to have these conversations. But it’s not about technology. That’s a very bottom up approach. And I think a lot of environments still think that way, a lot of leaders still think that way. They think about what’s the latest threat category, What is my response capability that I have to on board? It’s not about that, it’s about doing a top down based on risk, based on your mission profile, understanding the business context. And guess what, we already have a model for doing that, and it’s called frameworks, standards and mandates. And how do you do that? You do it through compliance. Again, we have all the tools, we have all the models, we have all the scaffolding built around it. The only thing that’s missing is doing it in real time. And again, I hate to keep saying it, but the punch line is you can only do it with automation.