Around three months ago, we were fortunate enough to have Wes Andrues, formerly of SecureWorks and the Pentagon's Army Cyber Command, join Guru to lead our risk and compliance team. As part of his responsibilities at Guru, Wes has been establishing a security governance program that holds people accountable to industry controls so that we can demonstrate that accountability to customers and regulators.
He joined us for this interview to both better describe that program, and also to walk through his background a bit.
Wes Andrues, Manager of Risk and Compliance @ Guru
You’ve worked at both the Department of Defense and Army Cyber Commands. Can you speak a bit about these roles and how they’ve influenced your approach to software security?
Ultimately, I got a real appreciation for the information security landscape, and it prepped me for a civilian career in risk and compliance. I can remember a specific, galvanizing moment at Cyber Command when the Commander of United States Strategic Command (yes, the guys with the missiles) asked me how many computers we had in the Defense Department at that very moment. That’s definitely a litmus test for any compliance guy, especially when you’re talking about some 2 million users spread across multiple departments and agencies. (I won’t tell you whether I had an answer!) Bottom line, security begins and ends with accountability, and therein lies the “science of compliance.”
How did your skill set evolve at SecureWorks?
Even though I was a government transplant, I understood the essence of corporate compliance. Plus, the world became much smaller and I could better engage those who could influence systems and pull levers. In the military, security accountability tended toward fuzzy math. In the corporate world, it’s a smaller problem set, more objective. Yet there are still challenges. Even for something as simple as disaster recovery, everyone must have an equal understanding of what a disaster is. Documentation, awareness, accountability, etc. The same principles apply anywhere, but they’re easier to manage at a place like SecureWorks.
What are some measures a security staff must take to ensure the protection of customer data?
The first measure is to know your environment. As simple as it might sound, an inventory of systems, applications, people, and mapping the sensitive data flow is the very first step. Then you apply some calculated professional pessimism and assess where you’re exposed. From there, you fix those areas where you need improvement. Then you rinse and repeat. That’s what’s going to give our customers reassurance, not only that we meet compliance, but that we’ve taken a hard look at what can go wrong and are in front of the risks.
Looking ahead, how do you continue to think about keeping pace with regulatory changes?
Clearly something like GDPR is a new and very interesting mandate where we’ve had to apply some extra planning, but for the most part I would argue that classic risk management and security governance (that accountability thing I talked about) can withstand any regulatory change. It’s really about applying best practices, which are well established, while we watch and learn from the threat. The bad guys are always busy, because as they say, “opportunity creates the thief.” The internet is full of opportunity!
We’ve heard about this dandelion analogy and how it relates to cyber security. Please explain.
Yes, the dandelion. At the end of the day you have to ask yourself why we do any of this security stuff. We have thousands of corporate entities moving and storing millions of personal data artifacts, names, emails, credit card numbers, you name it. We read about the occasional breach, some famously large, shake our heads and move on. I liken those events to someone blowing on a puffy dandelion. The little seeds fly everywhere and ruin the collective landscape. Those data breaches are like flying spores, creating a parasitic drag on the economy in multiple ways. Identities are stolen. Cash is pilfered. Credit cards are counterfeited. Stolen data is commoditized in new and imaginative ways, fueling a dark data economy. So, security professionals should do all they can to keep the dandelions intact.
After speaking with Wes, we felt compelled to take this photo of some Glasgow street art
Thanks for your time, Wes. We're looking forward to seeing more content from you moving forward.