"The Insider by DFIN" is a series of video interviews featuring the latest trends, topics and key perspectives on the global capital markets.
In the second part of this Security Insider series, Dannie Combs, CISO at DFIN, dives into the complexities of new cyber threats and how DFIN’s advanced security technologies help future-proof your business against bad actors.
Host Dana Barrett and Dannie talk about what companies need to watch out for and how to mitigate risks.
In this episode, we’ll examine:
- New vulnerabilities in cloud security and their impact
- Advanced security tech built into DFIN software
- Top 3 things companies can do to outsmart bad actors
- Dannie Combs, Senior Vice President and Chief Information Security Officer at Donnelley Financial Solutions
- Dana Barrett, Host
Watch the second part of this Security Insider Series, Strategies to Protect Your Company’s Data:
Dana Barrett: - What is happening in cloud security? Because it's certainly not new, but it is more prevalent year over year over year, right? So, what is happening? And how is cloud security sort of different from, you know, the old days of everything being sort of self-contained in a data center?
Dannie Combs: - Sure. So, in short, if you think about COVID.
That's certainly accelerated the sprint towards the cloud for many organizations, and so it goes without saying
that you know the cloud, the adoption rates continue to rise and rise very rapidly. And again, my personal
opinion is because of the successes that so many organizations around the world were able to realize, with the
rapid adjustment to a work from home environment virtually overnight for virtually 2 years plus for many
So, you know, the effectiveness is there, has been demonstrated, the cost structure of the cloud has been demonstrated, and so, as with any change, security professionals need to understand how the technology is different or differs, and we need to understand, where we now have net new vulnerabilities or net new security control efficiencies that need to be closed, and that's certainly the case. So going to the question of what's changing in cloud specifically for cloud security, in the upcoming year, for example, a.) far more complexity exists in the cloud today. There are such a multitude of offerings that it's difficult to distill down what are the effective security providers out there? And so it's going to be continuing to be a bit of a challenge as the market expands for security solutions to really understand, if your needs are being met. But the good news is I’m seeing a lot more maturity in the capabilities, a lot more broader offerings in cloud security. The emphasis around identity is paramount for cloud and I’m hopeful, and I do believe that organizations are recognizing that as a result of the cloud proliferation. So you're seeing a lot more native capabilities from Microsoft, Google, AWS, etc., in just as table stakes, as base offerings, within the service they extend that they're taking a larger sense of ownership in protecting that identity. That we have a lot more monitoring tools at our disposal than we had just not long ago, but we also have a more complex series of abuse cases, I like to call them, that bad actors have defined, and unfortunately they’re successful at it.
And so degree of emphasis that our organization needs to place on monitoring, on our identity is much higher than say, the data center. Not that it was low, but it's a little bit of a pivot towards what are the priorities. And so again, the identity management, the deployment of complex passwords, and multi factor passwords, the deployment, and here's a great one of what I recommend is, we're excited to see the maturity in the software as service monitoring tools that are now available. We need to understand who you are, what assets you're coming from, what assets you're trying to access, what data sets you're trying to access. But now we also need to know where you're coming from, because you may not, and you're very likely not to be within the context of the corporate office.
The impossible travel use case is becoming very common. I should not, it's very unlikely that I will be logging in to, say Microsoft Azure, consuming emails and reports on ActiveDisclosure, and within 6 hours I moved from Chicago to Paris to Dubai. So that's just a very top of mind quick example of controls that need to be in place in the cloud that that simply weren't required in the past.
Dana Barrett: - And when you say it, it seems really obvious, but to your point, these are things maybe that weren't thought of and now it's good to hear that they are being thought of because it does seem obvious, now.
Dannie Combs: - It is refreshing to see again that Microsoft, Google, and Amazon in particular are taking a strong sense of ownership. And just offering more baseline security assurances than they were just a few years ago. A lot of that is a result of acquisitions that they've done. They had the foresight to make that determination that it was going to benefit them and their customers. And of course enables organizations like DFIN to consume those services with a high degree of confidence. The monitoring, the authentication, the network segmentation, and all those other tenets of cloud security. So there's great solutions in place today.
Dana Barrett: - I want to move on to SASE mostly because I just wanted to say SASE, but are we going to see more of it? Is it on the uptick? Can you break it down for people don't even know what I’m talking about and tell us what it is?
Dannie Combs: - Sure. I love the acronym as well and I love saying it myself. So it's a framework for securing
the cloud or hybrid environments, really taking into account a lot of the challenges that we as security
professionals have experienced for many years, and really trying to create a framework that will solve most
every use case relative to design and physical location, and the like. So, Secure Access Service Edge is the
acronym if you would, SASE, that's how we define it. And so what does it mean? If I just distill down the
definition, it is, what is a good framework that organizations can follow that's going to provide them the
assurances they need, through architecture, regardless of where the end user is at, and the answer that Gartner,
in 2019 through the definition of SASE, recommends as, well, let's push that security and really merge it with
networking and offer that as close as we possibly can to the end user. So in plain English, we're at a home
office. We probably have a cable motor provided from a local ISP and let's apply the security controls. It must
provide that monitoring service, the detective capabilities, the preventative capabilities, not in a data center
in the centralized context, but as close to the user as possible.
It's going to be faster. It's going to be cheaper. We're going to have stronger assurances of security. How a bad actor attacks you will differ from how they attack me, and so on. So, it's really that framework that is really well laid out and rapidly being adopted by organizations around the world. And it's pretty exciting to watch and exciting for us who have implemented in many respects.
So one question I get a lot is: So, Dannie, you talked about SASE today. What about Zero Trust architecture and all these other acronyms, how am I possibly going to keep up with all this? Well, the good news is that they're, broadly speaking, they're definitely interrelated.
It's more of a reflection on where you are in that journey, and SASE and Zero Trust are just that I think, it's when I speak to my friends in the security industry, and CIOs and CTOs around the world, I want them to understand that it's not a project; it's a multi-year journey that organizations need to go down, it's very much a tenet of their digital transformation. If not, they should pause and rethink that strategy.
And so, Zero Trust architecture is how we are implementing SASE is how I think about it in many respects. Areas of focus: Identity. Providing a comprehensive list of security services as close to the end user as possible. Recognizing that our perimeter, the days of the being enclosed within a data center facility are less frequent than they than they were just 2 years ago. And so how do we provide a network service that takes that into account then with the SD-WAN and other technologies that exist out there, defined within SASE, how do we do it in a cost-effective manner, and how do we do that really weaving in security into that network?
Dana Barrett: - I know we've been talking about sort of the various security factors, and how you incorporate that into all the work you're doing at DFIN. We've been talking about it sort of throughout our conversation. But can you just kind of summarize that for me and talk about, you know, how it you know again, sort of the DFIN in overall strategy, and maybe you know, with ActiveDisclosure as an example, how you’re working this in and making sure that the DFIN products in particular are as secure as they can be using Zero Trust and SASE, and all the things we've talked about.
Dannie Combs: - Absolutely it begins with, as we like to say here at DFIN, security is our DNA, but we mean it,
we really truly do. And so from a management commitment perspective, I'm very happy at the alignment that we
have from the board, the executive management team, down to the folks are supporting clients each and every day
that they operate in an environment that is security conscious.
And so it begins with getting your organization to a state of understanding that cyber threats are real, that they do happen, they happen every day. And so, how do we train our organizations? Again, we're very proactive in that regard, and we get more specific in our training. For example, for software developers supporting ActiveDisclosure. We provide very specific training courses that are around cyber security threats, that's specific to what they do, and in the outcomes they're bringing to the table at each and every day, building fantastic solutions.
DFIN also recognizes that identity is the number one most sought after asset from bad actors. They don't need your system. They need your credentials. They need your privilege within the systems and the applications. They want the insights, they want that data.
And so we put remarkable degrees of emphasis and security controls into ensuring we have confidence in the protection of identity, and therefore the permissions that are necessary to gain access to the data that our clients entrust us with. Role based access controls, table stakes: We follow strictly the model of least privilege. We provide access to only what you need, and when you need it.
The model of just in time access is extraordinarily important to DFIN. What I need today is not what I need tomorrow, and vice versa. So we were very focused on ensuring our platforms, such as ActiveDisclosure have that capability in place.
We provide a remarkable degree of assurance that we're producing code that’s secure. We have a number of technologies that are deployed, ranging from static application security testing to dynamic application security testing, and SAST and DAST technologies that we would say in security that as our developers are writing code, vulnerabilities if they exist are flagged, so that we have the opportunity to remediate them immediately. Shifting left in the secure software development lifecycle long before the vulnerability is introduced into production, to be exploited.
We go through a series of penetration tests, both internally but very importantly, we hire multiple third parties to provide us that independent assurance that our products, that ActiveDisclosure’s code, its web services, its database services, its encryption, its network, its authentication, etc. is secure, and it meets the standards of today as well as the standards that are expected in the regulations around the world. And so, we provide that, we go through that rigorous testing process, and internally and externally partnering with some of the best brands around the world.
We also go through a series of certifications. We want to ensure that our clients have that independent holistic perspective of the effectiveness of our efforts. And so we have multiple certifications, including SOC 2 that is provided presently by our good friends at Deloitte.
We have ISO27001 certifications. We have a number of others that are a little bit more broad to the enterprise, but I think it's important to highlight and showcase that it's not only DFIN that has confidence in ActiveDisclosure, so does the industry as a whole.
If we get a little bit more operational for a moment relative to security, we believe that we're a bit ahead of the curve. We have a team that’s dedicated to cyber threat intelligence and security operations, monitoring 24 by 7 by 365. I can assure you, that someone is on the lookout, that has eyes on glass, we would say, looking for that needle in the haystack of an anomalous event. We have advanced technologies in place that are very much cutting edge, providing Artificial Intelligence and machine learning enabled proactive, detective, and preventive controls, so that we can pivot as we need to, again, to identify and respond to attacks should that occur. And then, lastly, we have a supply chain security program in place that is very rigorous. We put a significant amount of emphasis on vetting who we partner with to build, deploy, and to operate our marquee product, or all of our products, truly, and all of our assets ranging from SASE security monitoring. Again to that example I spoke to earlier of impossible travel, but also, for you know, we've got hundreds of thousands of IP addresses and databases, for example, that are watching ActiveDisclosure, that if they try to connect, we will know, we will respond, we will block, we will then also investigate, and if need be, we will partner with appropriate third-party agencies, in our community-driven effort to make the world a little bit safer place.
Dana Barrett: - All right. Well, Dannie, as we wrap up, we've talked about a lot of different aspects of cyber security and the trends for this year, and what we're looking forward, not necessarily forward to about what we're looking to address this year. So, I just would love to leave people with sort of out of our conversation. What are kind of the top 3 or 4 things people need to think about when they're thinking about future proofing as much as possible their businesses against these, you know, threats and bad actors?
Dannie Combs: - Sure, it begins with the top, ensuring that your management team understands the risk landscape
and is supportive of security is so very important. So having that conversation with the board, with the
officers of the company on a routine basis is crucial.
Building a culture that’s security aware, absolutely paramount in today's age. Again, we have phishing. We have social engineering, and it's getting more complicated with deep fakes and the proliferation of artificial intelligence, being used by bad actors, and the alike.
Ensuring that you have a security team that understands the cloud. And again, the proliferation of cloud is pretty much impacting virtually, in my opinion, most companies around the world are electing to use the cloud in some manner, and so ensuring that they understand those technologies, and that they're keeping up with the proliferation of the cloud and the associated technology evolution that occurs as a result
And then ensuring that they have a security team in place. Now one may elect to partner with a third party for that. But my recommendation is to ensure you've got a lead individual who's accountable and responsible for ensuring that they are understanding of risks that face your organization, your industry, but also of your obligations for, say for reporting and other compliance matters, but most importantly is that they're monitoring partners and internal resources, to the effectiveness of their efforts and providing those updates to management regularly.
Dana Barrett: - Dannie Combs, thank you so much for being with us today. I really appreciate it. This has been the Insider by DFIN. We'll see you next time.