Dr. Margaret Layton (Meg) has been working in the IT industry for over two decades. In 2001, she joined a start-up company that was acquired by Symantec, and she has since been working in various roles within the company, both on products and working on the intelligence that fuels the front-line responders. She is Director of Engineering for the Cyber Security Services business unit, working with a talented team of software engineers and security professionals building tools for our defenders in cyberspace. Meg has a Doctorate of Information Assurance from the University of Fairfax. She also holds a Master of Science degree in Telecommunications and Computing Management from Polytechnic University in New York, which is now a part of NYU, and a Bachelor of Arts in Political Science from Albertus Magnus College. Meg maintains several certifications in the Cyber Security realm that she is passionate about, including both the CISSP and CSSLP certifications from ISC(2), and GIAC certifications for Incident Handling, Forensic Analysis, and Penetration Testing. She is CNSS 4011 and 4012 certified. In her role as Director of Engineering, she also holds Agile certifications. She lives in Virginia with her husband and children, and volunteers as a Technical Mentor for local CyberPatriot organizations, as well as serving as Adjunct Professor for colleges, teaching courses in Information Security, including Computer Forensics and Risk Assessment.
If you had to choose one event that led you to work in information security, what would it be and why?
Meg Layton: There’s probably a couple of different things that led down the path. When I tell of my start, I often discuss the influence of working in telecom during the dotcom era and working in Africa while learning security. Security in a developing country is much different than what happens in the U.S.
However, if I had to pick the defining “Here I am and I should stay here” moment, it would be the Nimda virus outbreak in 2001. It was what I like to call “the other date in September” that year. I was working in a government facility which was still on severe lockdown. My job was to monitor early versions of SIEM alerting and contact the contractor if I saw anything unusual. There were a lot of delays getting through security in the morning because I forgot that I had my husband’s fishing rods in the van, and metal tubes are suspicious to facilities on lockdown.
I got to my desk, put down my things, checked my screens (it looked fine) and went to get coffee. By the time I returned to the desk, my screen was scrolling through alerts in a ridiculous manner. Because it was a locked down facility, I could only make phone calls.
I called my office. They called a couple of people, and that’s where I found out how collaborative the community really was. By the time the external monitoring service called the facility to “warn of suspicious activity,” we had already removed most of the servers, had an executive briefing, and written rules that would group together and let us know if other infections existed.
A lot of the work that goes on in infosec seems like it is not recognized. But that day, I found the power of smart people working together and making a difference. And plus, I was good at it.
Why do you like working in the information security environment?
Meg Layton: Every day you are solving problems. It isn’t always obvious how, but every day you solve a problem. And in infosec, those problems are often what I tell my kids are “People problems.” Infosec exists because of human traits: desire, doubt, trust, integrity. Human beings are unpredictable and fallible, and all of that is why infosec exists. So there is not always a right answer to a problem, there is just a more secure one or a different way of approaching it. That makes it interesting, every day.
If a n00b to the infosec world asked you for a piece of advice, what would it be?
Meg Layton: Infosec is a wide river, and to get across you need to pick a wave to ride and always learn. The best and most talented people I know in infosec know there is always more to learn. Remember you have to keep learning, since the technology changes so fast you won’t ever get to the “end” and “know everything.” Make mistakes, learn from them, and move on. I guess that was more than a single piece of advice.
What is the most important issue facing professionals in the information security landscape today? Why?
Meg Layton: That’s a hard one because I think there’s a lot. But I think the biggest issue is likely the inability for many professionals to connect their issues with the business needs. The ability to do that will influence investments, regulations, laws, and the future of technology.
I often think of that line from Jurassic Park, “you were so preoccupied with whether you could, you didn’t stop to think if you should.” As we push for agile and faster and more connected, this springs to mind often. How do you articulate how to make things safer in a way that matters not only today, but will matter tomorrow? The infosec professionals better figure it out, and fast.
What is the most important issue facing consumers in the information security landscape today? Why?
Meg Layton: Also hard. Because there is so much facing consumers and so many of them don’t even know it. Probably the biggest issue is understanding the difference between privacy and security combined with the transparency that organizations provide surrounding these topics. Many consumers are simply unaware, or consider things hard. The stigma needs to change so that the security is accessible and easy to the user so they can have the power to protect themselves.
What are your three “guilty pleasures” that have nothing to do with information security?
Meg Layton: Buffy the Vampire Slayer, because obviously. Musical theater, or really any theater. I often tell folks that my first computer was actually a lighting board, so really theater is why I got into tech. It is not beyond the possibility that I will randomly break into song if I need to. Yay Stage Crew! Third, scrapbooking. I do a lot of preserving of memories and putting pictures on the page kind of soothes me.
What’s your favorite book-to-movie adaptation and why?
Meg Layton: This is tricky. Because I like books so much more than the movies in most cases, and I always have my kids read the books first. What world you enter in your mind when you read is seldom what is created on the screen. So it is going to have to be a toss-up, and both because of the sheer talent of the people who created characters: The original Willy Wonka and the Chocolate Factory with Gene Wilder, and the Princess Bride – because, that casting was just genius.
Compliance Offers Internal Stakeholder Value: Automation as Transmogrifier
Compliance offers internal stakeholder value even though your stakeholders don’t always see it. Anyone who’s ever been a fan of Calvin and Hobbes cartoons will remember Calvin’s transmogrifier, the cardboard box that magically transforms him into whatever he wants to be. Compliance automation is the way CISOs and CIOs magically transform compliance into internal stakeholder value.
Request a demo today to see how you can transform compliance into internal stakeholder value.
How to Define Stakeholders
Defining your stakeholders is the first step to showing them the value of compliance. You have internal stakeholders as well as external stakeholders. You have high level stakeholders, and you have those who need detailed information.
Internal stakeholders are often the ones you worry about most because they make decisions about your resources. If you provide them with clear information, they will value you more.
ZenGRC offers different levels of information presentation that allow you to give your stakeholders what they need, the way they need it. Being able to decompose your reporting by demographic makes you more effective and helps transform compliance into more than a requirement. Now, you can show your internal and external partners how your value affects them.
Board of Directors
Your Board needs to know the high level vision of your compliance to prove that they have done their due diligence. For companies that need to be SOX compliant, reporting to the Board has legal ramifications as well as business concerns.
With this in mind, you need a compliance tool that offers your Board a quick view of where you’re compliant, how you manage your vendors, and how this relates to the financial bottom line. If you’re currently managing this information on spreadsheets, making this information clear to your Board is time consuming.
ZenGRC offers high level views such as risk heat maps and a system of record dashboard that gives an easy to digest visual showing the percentages of controls finalized and mapped. When your Board wants to know what you’ve been doing to protect the company, this shows them exactly what they need in a way that they’ll understand.
Executives
You know as a member of the c-suite what your cohort needs. However, you’re also the technical one in the group. Your vice presidents, chief financial officers, and chief executive officers don’t need to understand the technical side of compliance. They need you to show them how compliance fits into their corporate strategies.
Your c-suite wants to know their risk, how you’re mitigating it, and how they can turn that into a financial asset. This means they don’t want the details of your definitions of the threats, vulnerabilities, and controls. They want the overview that shows how you’re protecting the organization and how that affects their strategies.
Automated tools allow you to use clean visuals that show the needed metrics. With ZenGRC’s comprehensive dashboard, you can show your c-suite the current risk profile and your controls for those risks. For example, the status bar graph offers your c-suite a color-coded visual of the tasks assigned, in progress, and completed. This provides the metrics needed to inform long-term business decisions.
Senior Management
These are your guys “in the weeds.” They’re helping you do the work to protect your organization. They’re the ones reviewing access logs. They’re the ones creating passwords. They’re the ones training your company’s employees.
These stakeholders need to be able to share information with you and with each other. If you’re collecting their reviews in documents and spreadsheets, you’re putting your information at risk. If two departments use different controls to protect the same asset, you have a compliance problem.
Automation allows you to store information in a single location while offering your internal stakeholders a comprehensive workflow that organizes information. ZenGRC’s tool for compliance increases stakeholder value by allowing your senior managers to see each other’s information so they can streamline their reviews and documentation. More importantly, you get to set access controls. This means that you decide not only what people see but also what they can change. With automation, you can destroy information silos, give people the information needed for their own tasks, and control your program.
Contributors
These stakeholders are everyone else in the organization who need to understand your compliance stance. They can be middle managers, specialists, auditors, or analysts. For example, your sales team may need to understand your vendor management stance to help sell the organization to a client.
With ZenGRC’s platform, your compliance offers stakeholder value by giving you an easy way to share the compliance posture and milestones. If your sales team needs to know your vendor risk tolerance, they can see it. If your business analyst is trying to streamline business processes, they need to see what controls you have in place before implementing a new application, such as payment processing. This means that ZenGRC’s single source of truth can give the information your stakeholders need to do their jobs more efficiently.
Automating Compliance Offers Internal Stakeholder Value
Your internal stakeholders need to know how you’re servicing them. To do that, you have to share information in ways they understand.
ZenGRC is not only easy for your internal stakeholders to use but also provides easy-to-digest information. Request a demo today.
Risk Management Automation and Customer Engagement: Rupees in the Grass
Risk management automation and customer engagement don’t automatically appear interrelated. In The Legend of Zelda, rupees (the game’s form of currency) could be obtained in exciting ways, such as defeating enemies. However, they could be obtained more easily by doing mundane tasks like cutting grass or bushes. Risk management automation is the rupee of customer engagement because it is the hidden treasure in the mundane activity.
If you’re curious about going on a quest for better customer engagement by using ZenGRC, schedule a demo or call one of our GRC heroes.
Why Word of Mouth Matters
Your customers have more value than just the money they spend on your product. Customer lifetime value (CLV) accounts for both the customer’s spending on your product and the intangibles associated with that customer’s business.
One of these intangibles is word of mouth, and it’s basically free marketing. If you’re a company that people like, they’re going to talk about you. If they’re sharing their positive experiences, they’re selling your business without you having to pay someone to come up with a slogan.
This is why it’s important to include word of mouth as part of your CLV calculations. However, that’s not as easy as it sounds. For the most part, individual customers have fluctuating values.
Some customers really upsell you and convince an otherwise uninterested individual to invest in what you’re selling. This direct value aligns with your business strategies—without that customer, the listener wouldn’t have thought to buy your product. That listener is a direct profit increase.
Some customers simply talk about your product or service even though the listener was going to buy it anyway. This acts as a cost savings. You never had to spend money to reach the listener. That cost savings to your marketing is an indirect value associated with the original customer.
While both of these need to be incorporated in your CLV, the latter is your rupee in the tall grass, hiding but valuable.
How Reputation Relates to Word of Mouth
If people are talking positively about your business, your business is going to succeed. Just like little kids on a playground, customers chatter. According to a 2015 Moz survey, 67.7% of survey respondents said that online reviews impacted their purchasing decisions.
Social value, the personal or social network interactions with a business, and emotional value, the feelings that product elicits, are two of the main drivers for customer engagement. Internet reviews, therefore, are the foundation of your reputation because they incorporate both social value and emotion. A positive review means that social value is related to positive emotions. Negative reviews offer the opposite.
Why InfoSec Compliance is the Silent Partner
While most people don’t understand the technicalities of information security, they do understand words like “Equifax” and “WannaCry.” News organizations cover breaches more often as they become more costly and more dangerous to consumers.
People fear what they don’t understand. When people don’t understand how to protect their information, they rely on their business partners to protect them. This means your customers are relying on you to defeat the enemy so you can earn your rupees.
What Happens When a Breach Occurs?
While positive reviews lead to more purchases, negative reviews lead to loss of income. On average, a customer with a bad experience shares this experience with eight to sixteen people. Those people then share with their friends. This means that a single breached customer can lead to a loss of forty to eighty customers.
Loss of reputation impacts your business just as much as your positive customer engagement outreach practices do.
How Enterprise Risk Management Automation and Customer Engagement Are Your Rupees in the Tall Grass
Enterprise risk management automation helps you keep your house in order. When you’re meeting security compliance requirements, your customers know they can trust you. If you’re SOC compliant, your customers know that you’ve analyzed your risks and established controls to protect their information.
When they trust you, they’re loyal to you. This means that your customers are going to talk about you, and they’re going to do it in a positive manner. Each one of those customers is adding value to your business.
How Enterprise Risk Management Automation Helps
Over the next few years, the industry is going to see a rise in compliance standards. Not only will the GDPR be implemented in 2018, but more regulatory requirements are possible consequences of the Equifax breach.
This means that you need to know not only where you’re already compliant but also what you need to do to get fully compliant quickly. ZenGRC provides gap analysis of your current compliance controls, their overlap with new regulations/standards, and the remaining gaps in compliance.
Managing your security reviews and software updates as part of your compliance program helps keep you safe from a breach. Compliance is not security. However, compliance ensures that you’re following best practices that help keep your systems safe.
How to Value an Automated Compliance Tool’s ROI
For many in the c-suite, an automated tool is one more expense. If your current spreadsheets are effectively managing your compliance, then you might find it hard to justify the cost of an automated tool. It may seem difficult to reconcile the seemingly intangible benefit of “time savings” with your organization’s bottom line.
However, automated compliance tools come with a hidden value, just like cutting the tall grass in The Legend of Zelda can bring you rupees. This hidden value is integral to your customer engagement strategy.
When you have a tool that makes information security compliance more efficient, your CISO and your IT department spend less time on administrative tasks and more time on protecting you. When they spend more time protecting you, they keep your systems safer. When your systems are safer, you’re less likely to have a data breach. If you’re less likely to have a data breach, your customers can trust you and spread a positive message about your business.
In other words, you’re getting not just cost savings, but also positive word of mouth, from your automated tool. As your information security stance becomes more important to customer engagement, you need to focus your resources on the areas that matter. This means cutting down on administrative duties like tracking tasks and gathering documentation.
If your quest is to add revenue by bringing in more customers, use a tool that helps you cut down that tall grass to find the rupees.
Tiphaine Romand-Latapie: Wednesday’s Women in Infosec
Photographer: Gilles Cohen
Tiphaine Romand-Latapie is leading a team of hackers at Airbus. Tiphaine’s first love is cryptography. She previously worked at the telecommunications operator Orange, where she was in charge of new product security. Tired of meetings full of misunderstandings, she decided to 1) record the most absurd quotes she heard, and 2) design a role-playing game to teach people about the basic principles of infosec, which she published in 2016 at BHUSA. She likes to be the translator between the highly technical security team and the rest of the world.
If you had to choose one event that led you to work in information security, what would it be and why?
Tiphaine Romand-Latapie: I studied Mathematics applied to Computer Sciences, and during those studies, I discovered Cryptography. It was really my first glance at infosec, and I loved the technical challenges and the cat and mouse game that you find in infosec.
Why do you like working in the information security environment?
Tiphaine Romand-Latapie: There are so many reasons. First, you are in a position to help people. Second, you work with everyone, discovering so many different jobs or technologies in the process. This leads to the third reason, which is the “puzzle” aspect, discovering the way to answer a challenging issue. Finally, I love that you are forced to always put yourself in others’ shoes (What will the attacker do? Why is my business asking me that? Will my user follow this recommendation? etc.)
If a n00b to the infosec world asked you for a piece of advice, what would it be?
Tiphaine Romand-Latapie: To a n00b entering the professional infosec world, I’d say: the rest of the world doesn’t care about the technicalities (even if they are beautiful and important); your job is to understand those for them. Most practitioners come into infosec for the technical aspects and find themselves disappointed with their management/client for not caring about them. This makes them feel undervalued when it is not the point at all.
What is the most important issue facing professionals in the information security landscape today? Why?
Tiphaine Romand-Latapie: The gap between what infosec experts consider basic facts and what the rest of the world actually understands. And I am not talking about basic technical facts, but “life facts” like who are the attackers, the diversity of their profiles, what is sensitive information etc. The consequence is that we don’t speak the same language most of the time. It is frustrating for everyone. This is why I have created my role playing game, to make non security-practitioners aware of what we consider basic facts.
What is the most important issue facing consumers in the information security landscape today? Why?
Tiphaine Romand-Latapie: I’ll answer the same as for the previous question. When you don’t really understand why you need security, all infosec seems scary, or useless. The FUD communication doesn’t help at all. We need to teach people to ask themselves the right questions: what do I want to protect? Against whom? So they feel empowered instead of crushed.
What are your three “guilty pleasures” that have nothing to do with information security?
Tiphaine Romand-Latapie: 1) Reading (I don’t feel very guilty about it) SciFi, Fantasy or Thrillers 2) Taking naps 🙂 3) Taking a day off to be all by myself to regroup (no husband no kid, just me and a book)
What’s your favorite book-to-movie adaptation and why?
Tiphaine Romand-Latapie: Ouch, very hard question … the first that came to my mind (maybe because it is recent) is “Arrival”: the film changes some elements of the story but does not betray at all the spirit of the book in my opinion. And for once, the end was not rewritten in favor of a “happy ending”.
Challenges of Compliance Management: Automation to the Rescue
The challenges of compliance management are increasing, not decreasing. As data breaches hit the news regularly, you’re stuck between your customers and your Board. Both want answers, but they have different needs. Negotiating these needs while trying to keep up-to-date comes with the stress of being the one person who stands between your organization and the certain doom of a cyberattack.
This is why an automated tool is more than a nifty gadget—it’s a necessary compliance management solution. To better understand how ZenGRC can solve your eight most pressing problems, book a demo with one of our experts.
Communicating Across Areas
Siloed information presents one of the biggest challenges facing compliance managers. When departments don’t speak to one another, they duplicate each other’s work and waste resources. This is inefficient! In addition, the overlap of many compliance programs means that changes to one control may impact multiple programs.
Compliance management tools flatten this process by letting you see all of the programs affected by a control. This allows you to stay compliant without wasting time and resources to ensure that all the i’s are dotted and t’s are crossed.
Source of Truth
The old adage about too many cooks in the kitchen can apply when many employees are setting controls. When different departments are involved in the management of your security program, you may have too much information in too many different places telling too many different stories. This can lead to a lack of cohesion in your compliance program.
An automated GRC tool offers you a single location to house all your data. By doing this, you create a single source of truth that provides visibility into your landscape and leads to better audit results.
Spreadsheets
Many compliance programs start out small, so at first, spreadsheets seem like an obvious, low-cost answer. In the short term, this is true. However, unless you want your business to stagnate, you need to be agile and prepare your program to mature from the start.
While GRC tools cost money upfront, they offer sleek designs that can help you start small while preparing you to end big. For those new to creating overarching compliance programs, you need easy-to-use tools that allow you to set up a program quickly and efficiently. Instead of slogging through the process and wasting resources trying to determine the important standards, find a tool that helps you negotiate this. The right tool will allow you to grow as you need to add more compliance to your ever-evolving business.
Outdated Software
You started with a software package, but maintaining it has suddenly become unwieldy. As your organization matures, the outdated software no longer provides services that match your evolving needs. These tools are nothing more than screwdrivers when what you really need is a power drill.
Finding a SaaS tool that can rapidly respond to your changing needs makes all the difference in speeding up your compliance and saving time. SaaS software constantly updates because it’s web-based. You don’t have to update your system because the platform does that for you!
Increased Liability
Thanks to Equifax, legislators are looking to increase regulatory standards for information security. The more regulations, the more work you’re going to have. Moreover, your Board of Directors will want to know how you plan to tackle these changes. Reuters notes that 60% of compliance specialists surveyed expect their personal liability to increase in 2017 and 2018.
If you’re worried that you can be held responsible for a security problem, you need a compliance management tool and reporting system that lets you see your landscape. Automation gives you visibility into your compliance program by helping you engage in gap analyses. ZenGRC offers a “Program Health” dashboard that lets you see how strong your compliance stance is for different programs. This insight gives you the ability to focus your efforts on the areas of greatest compliance risk.
New Regulations
With the GDPR rollout in 2018 and US legislators itching to incorporate fines, the information security sector is in a state of flux. New regulations force the creation of yet more compliance programs. However, everyone knows that these will draw from current standards.
Automation’s ease of control mapping will be one of the most important tools to help adapt to these new regulations. When you can see the map of your current controls and standards, you can see which of your processes already match these new requirements. Now, all you have to do is focus on adding the new controls needed to stay up-to-date.
Know Your Value
Agent Carter from the Captain America stories famously told men who doubted her, “I know my value.” Compliance is increasingly important. As we all know, compliance is the key to protecting companies from data breaches and cyberattacks. This means that your work is an increasingly valuable asset. However, some people may not believe this.
Be your organization’s Agent Carter but use automation to show your Board metrics. Finding the right metrics means gathering data efficiently. Automation offers you one location to store and track the compliance management benefits you provide to your organization to help you continue to set benchmarks and goals.
Third-Party Risks
Whether you’re the vendor or you’re managing the vendor, business interconnectedness means that everyone’s risks align. Vendor risk is like a house of cards; if one falls, the whole structure collapses. This means that you have to prove your compliance to your customers as well as track the compliance of your vendors.
This continuous tracking means that you need one location where you can access information. Automation aggregates information in a single location so that you can answer customer questions or view vendor SOC reports at a moment’s notice.
Compliance Fatigue
You know that look. Sometimes you see it in the mirror, sometimes from employees. It’s that look of “oh dear goodness, not again.” With today’s rapid business pace and an increased workload, responding to and making numerous compliance requests is leading to that look.
Automation helps you get your rest and keep fatigue at bay. Being able to schedule tasks and monitor their completion takes you out of the loop. You don’t need to nag people, and they won’t feel overwhelmed by your requests. Moreover, with ZenGRC’s gamification model, your employees feel a sense of success and reward upon task completion.
You don’t need to face the challenges of compliance management alone. With ZenGRC you’ve got experts to help and a tool that can streamline your process. Book a demo today to see how you can ease your burden with automation.