Aviva Zacks of Safety Detectives had the privilege of interviewing Katie McCullough, CISO of OneNeck. She found out how the specialized expertise of her company's staff sets them apart from other security companies.
Safety Detectives: What has been the cybersecurity journey for OneNeck?
Katie McCullough: We get the importance of security. You see a lot in the industry where managed services providers, in particular, are a regular target for cybercriminals, so we have always invested heavily in our own security. We are also part of a much larger organization, so holistically we spend millions of dollars in security for our own needs and for protecting the services we provide to customers.
There is a constantly increased threat landscape, so we wanted to be able to leverage our experience and skills to help our customers. We believe in using proven standards and adjusting those based on our business and our customers, so we highly leverage the Center for Internet Security Critical Security Controls.
Our key partnerships have proven experience in security technologies but also complement the other services that we provide. So, it was a natural fit for us to provide security as a foundational piece to our customers.
Finally, as a secure managed services provider, we have a wide skillset. It’s not just about security; we can do systems and networking and storage, and so much of security is about securing those technologies. You need expertise in those technologies to complete the cycle of getting things secure.
SD: What does your company do to keep the cloud safe?
KM: We design with security in mind, right from the start. Our security experts work hand-in-hand with our cloud architects as our cloud is built and maintained to ensure we are implementing security as part of our architecture. Key elements include assuring proper segmentation is put in place, how access is handled for our internal use as well as customers, and that we have secure builds that we leverage when allocating an environment to a customer. Additionally, it’s maintaining our robust security practices through normal validations such as auditing, monitoring, scanning, and penetration testing.
SD: What verticals use your security services?
KM: We have customers that span many industries, though certainly in the medical industry, municipalities, and manufacturers. Bottom line: security is a major concern for every type of vertical.
Compliance needs might be different in a financial industry versus a medical industry, but we also have a breadth of knowledge, so we don’t target a certain industry. We go where we are needed, and based on sound security practices, we have been able to help customers in any of those industries.
SD: What keeps your company ahead of its competition?
KM: We have a huge differentiator within OneNeck. We have staffing and services that help implement the controls needed to keep your company secure. We can implement and maintain those standards so it’s not a burden on your already highly burdened IT teams. We also have the huge benefit of understanding the technology tools available to address the security threat landscape, but more importantly to understand what the threat landscape is. So I think those two things are huge differentiators for us and that we not only have people that know security, we actually have people that can help fix the security problems, not just tell you what they are. In that, by nature of who we are, we have a huge investment in security and understanding where the technologies are going and where the threats are coming from.
SD: What is the worst cyberthreat today?
KM: There are so many more remote workers, and when you have a pandemic like this, cybercriminals have a mechanism to go after people. They’re looking for information, and if you stamp anything with COVID or with some of the social unrest in America right now, in an email or on a website, you might draw someone’s interest, and those cybercriminals know that.
Also, cybercriminals have gotten much more efficient in their tools, and there are so many more tools and cybercriminals out there that they don’t target people anymore. They throw out their malicious software and see what they can find. And so, our mid-market customers are much more exposed because they don’t necessarily have the investments in security tools, but they’re under the same level of threat as the big financial firms and the Fortune 100 companies that can invest in all those technologies. The playing field in some way for the cybercriminals just became an equal playing field, and everybody is at risk. So, people have to be prepared for that, whether you’re a small, medium, or enterprise business.
SD: How is the pandemic going to change cybersecurity of the future?
KM: Back in the day, you had a firewall, and everybody was behind it, and you had a foundational control between you and how the cybercriminals could get at your infrastructure and your data. And now with remote co-workers, with so many of the SaaS and cloud solutions, there are no boundaries. And that’s what you have to be prepared for. Ultimately, with your co-workers trying to figure out how to work remotely, they’re sharing data in new ways, and sometimes they’re figuring that out on their own instead of corporate resources. And so, you have to know where your data is going because shadow IT is going to increase because IT is so busy right now. And unless you’ve got good protocols in place to understand when that’s happening, shadow IT is going to happen with the many cloud and SaaS resources that are available out there.
Recent research from 451 Research shows that two-thirds of the organizations that went remote in March are planning on permanently staying with their remote workforce. So, we’ve got to make this investment around how we protect our boundaries, and it’s going to have to be maintained. And along with that, 451 showed that there is certainly an increase in spending around things like collaboration and communication and mobile devices. Security almost doubled in spend because people are realizing that where they might have been a little laxer in the past because they felt like they had everything controlled within the corporate network, there’s more there that needs to be done, and it’s beyond just protecting the boundary and understanding where your data is going. It’s back to those foundational good practices to make sure those configurations you’re putting in place and how people are accessing things are done in a least-privileged perspective and that you’re constantly looking for vulnerabilities through active monitoring and responding in real-time to any threats that arise.