Cybersecurity incidents usually stem from human-enabled actions. But to err is human; it is only by learning from those mistakes that we can improve. In this episode, John Riley and George Usi sit down with Wendy Epley, Principal Analyst and Information Security expert at the University of Arizona. As a seasoned professional with over 15 years of experience in regulatory trade compliance, Wendy discusses the critical importance of understanding cybersecurity contracts. She emphasizes the need for organizations to carefully review and negotiate terms, ensuring robust security clauses to protect against potential threats. Wendy shares insights into the evolving landscape of cyber risk management, shedding light on the emergence of NIST Special Publication 800-171 as a pivotal framework. Tune in to learn about Wendy’s exciting project, “CyBoRG,” an internal resource at the University fostering knowledge sharing and aligning security practices. Don’t miss this episode full of practical advice for building a resilient cybersecurity posture.
Navigating Cyber Risk: Building Cybersecurity Resilience With Wendy Epley
In this episode, we have an amazing guest who is a mom of two fur babies. She was an observer of the super blue blood moon and was a novice astrophotographer. We have the principal analyst in information security at Tucson University. Welcome, Wendy Epley.
Thank you for having me.
It’s great to have you. We’re going to jump in real quick here because we want to get that leading question, which is, how would you explain the difference between cybersecurity and cyber risks to somebody?
These words are often interchanged but they are related concepts and they refer though to different aspects of managing and addressing challenges with protecting information and systems. Cybersecurity is a set of practices and technologies aimed at protecting against cyber threats, while cyber risk management is a broader concept that involves assessing and mitigating the overall risk associated with using various technologies.
Cyber risk or cybersecurity is the measure for this broader strategy of managing the risk. That can include considerations of the likelihood and the potential impact of cyber incidents. Organizations need to implement robust cybersecurity measures as part of their broader cybersecurity management strategy to safeguard their assets and operations.
It goes beyond the technology and the blinking lights.
Technology is only 10% of it and 90% is human. 85% to 95% of breaches are caused by human-enabled actions. That’s why there is a strong focus on the administrative, the human type of behaviors that are happening with cyber incidents.
We say, “We’re all human after all.” It goes to coin that phrase.
We are and we’re imperfect. We do make mistakes but the question is, “Are we learning from those mistakes?”
To err is human. There are probably a lot of pundits out there who are saying that we can stop this bad behavior and these hackers. I’ll steal a quote from somebody that mentioned this topic of bad behavior. This isn’t going to stop there. There’s a reason why we have Shakespeare in the world. People in their human behavior, as much as we think we can fix it and change the way that they behave, we’re simply all humans. There’s going to be chaos and challenges. That’s where we’re at in terms of the cybersecurity world. These threat actors are not going to disappear but there are going to be behaviors within organizations as well.
We tend to maybe be in a rush to get work done or respond to an email that pops in. That can be one of the avenues where vulnerability is introduced because we’re not stopping to think or analyze what is coming into our inbox. That is one aspect of where a cyber risk may be present. We have to slow down a little bit, think about what we’re doing, and think about what’s in the inbox. It may look legit but there might be something off a little bit. We do need to take the time to analyze and make sure that we are looking for those threats because our bad actors are coming up with new ways every single day of how they are going to exploit a vulnerability. A lot of vulnerabilities come from the human side of things.
What do you think is the most significant cybersecurity risk facing companies?
We’ve heard a lot in the past about phishing attacks, ransomware, and even credential stuffing but this is my humble opinion. One area that people may not be thinking about is vulnerabilities that come from the Internet of Things or IoT devices. They’re becoming more and more integrated into our homes and businesses that sometimes they’re not even considered when assessing cyber risk. Yet, IoT devices can be exploited to gain unauthorized access, disrupt operations, or compromise data as easily as an unpatched piece of software.
There can be several factors that contribute to the increased risk associated with IoT devices. First, we’ve got the widespread adoption of IoT devices professionally and personally. It can be hard to: 1) identify all the IoT devices that may be impacting the space, and 2) there’s no standard set of security controls that manufacturers of IoT devices must use. That brings us to a second point. Many IoT devices are designed with a focus on functionality and cost, not security. The lack of basic security practices such as strong authentication, encryption, and regular software updates is what makes IoT devices vulnerable to exploitation.
The other thing too is IoT devices are typically limited in processing power and memory. That can hinder the implementation of robust security measures, making it a challenge to include complex security protocols and updates. The devices are often connected to networks which create a potential entry point for cyber attackers. You have to think about the broader impact of those breaches, which could result in potential violations of privacy regulations or even contractual obligations.
IoT devices also have insecure user interfaces, which can be exploited by attackers to manipulate device settings, extract sensitive information, or even launch attacks. This can be a problem in supply chains because regardless of the stage or the supply chain, it can lead to the distribution of compromised products, which can then make it very challenging to trace and mitigate security issues.
Some IoT devices don’t receive regular security updates or patches, which is another reason why it can be challenging to mitigate security issues. We can’t ignore the physical vulnerabilities associated with IoT devices either. They are sometimes deployed in uncontrolled environments where they might be easily tampered with. Let’s not ignore the smart devices on the wrist or sitting near where there may be sensitive conversations being had and how those devices might be picking up those conversations.
We want to maybe take a closer look at our IoT devices to mitigate those kinds of risks, monitor and manage the IoT device ecosystem, think about authentication and encryption mechanisms, and ensure that firmware and software updates are conducted regularly. Even if they can’t be conducted on the device itself, maybe they could be done on the network or the system that they’re connected to. You need to ensure that security measures are integrated across the entire lifecycle of the IoT device from the manufacturing side to end-of-life disposal.
That’s a good challenge for a CFO role and a CEO role to get their hands dirty a little bit because they tend to shy away from anything with a blinking light and leave it up to the technical folks. When it comes to right-sizing budgets and reviewing assets that may be a little outdated, especially in IoT, that’s almost mandatory. “You, CFO, that has that 35-year-old chiller that’s maybe in your basement or in your factory that has an internet-connected biscuit on it that was designed 25 years ago, how secure is that? What happens if that chiller, machinery, or manufacturing equipment is used to produce something that could endanger lives?”
These are those situations where the right-sizing of budgets and understanding where things need to be replaced or considered for replacement and risk management have to be on the agenda of the leadership teams. My question would be then, “How do you think a CFO or a CEO should prioritize cyber risk?” The CFO is going to have to budget it. How do you see those two things happening?
They both need to work together. The CFO shouldn’t have the autonomy to make decisions that are going to sabotage the CEO’s strategic direction but they both should be involved in those conversations with the IT folks and understand what is involved. Prioritizing cyber risk is a critical responsibility not only for the CEO and the CFO but for everyone. It is a shared responsibility.
However, as cybersecurity is integral to the overall resilience and success of an organization, CEOs need to not just understand how cyber threats and incidents can impact an organization’s operations, reputation, and financial being. They need to demonstrate a commitment to cybersecurity, emphasizing its importance and promoting that culture of cybersecurity and cyber risk awareness. Cyber risk management should be second nature and ingrained in the way business is done.
One of the best ways to do this, I feel, is by adopting a federated cyber risk strategy. This will ensure that cybersecurity strategies align with and support the overall business objectives. CEOs also need to allocate efficient resources, technology, finances, and personnel to support effective cybersecurity measures. They also need to adopt a cybersecurity standard that must be met by their vendors and partners. This is achieved by outlining the minimums expected and contractual agreements and also assessing that the cybersecurity posture of third parties is meeting those minimum requirements.
We also want to see that CEOs are ensuring applicable cybersecurity regulations and standards are being adhered to. We want the CEOs to be transparent about the organization’s cybersecurity efforts and any incidents that occur. That doesn’t mean we want to hear about every single pinging and dinging that comes across but if they are significant or they pose an imminent threat, then be forthcoming. Do they have to become public? Not necessarily but address it. Don’t stick your head in the sand and pretend it’s going to go away.
It’s an indicator that something needs to be addressed and there is a weakness in the security posture. Let’s take a look at it and address it before something bigger comes along. What else should they do? You also want to have a clear and thorough communication plan of how incidents are going to be addressed internally as well as externally. Uber’s CISO got into trouble. Pushing it under the rug, pretending it didn’t happen, or making up things as they go along is not a good strategy to do.
Be honest and truthful. Mistakes happen. Let’s move on and make the changes that are needed to ensure that it doesn’t happen again. Let’s learn from those mistakes. It may not have even been your fault. It was something that happened. Move forward. Foster that culture of continuous improvement and encourage learning from past incidents. It doesn’t matter whether they were minor situations or not but we have to take a comprehensive and proactive approach to cybersecurity. It’s so important that cybersecurity is viewed as an integral part of business strategy rather than a separate isolated function.
I can imagine that the average leader is going to struggle with a solid understanding of what their technical teams are doing. This is probably where a lot of the gaps emerge. Let’s take you through that question of the disaster. What does that journey look like? Things haven’t gone right and you’ve had this disaster. What are most executives going to be feeling and experiencing after the hacker succeeds at stealing sensitive data that’s important to their organization?
The aftereffects of a successful data breach where a hacker has gained unauthorized access and stolen sensitive data can be severe and wide-ranging. It depends on what happened. The impact can extend the immediate breach incident and it may affect individuals. It can affect not just the organization but also other organizations, pipeline partners, and the broader ecosystem. Outside of the actual theft, executives also have to deal with the reputational damage and the regulatory consequences that could come from a breach.
There are most likely going to be some operational disruptions in response to the breach. There’s the financial impact to investigate, and provide credit monitoring services to affected individuals. There are legal expenses related to potential lawsuits or settlements and regulatory fines. Responding to a data breach is complex and resource-intensive. This is not something that gets settled quickly. It’s not something you can say, “We dealt with it.”
You have to expect this is going to be a long journey to bounce back from but you can bounce back from it. That’s the thing to remember. It’s not all gloom and doom. The other thing to consider is that if the vulnerability that led to the breach is not addressed adequately, hackers may exploit the same or similar vulnerability in the future. If communicating the breach is not handled right, it can exacerbate reputational damage. Even if everything is done right and swiftly, losing customer and even employee confidence can impact an organization’s market position. Think about insurance premiums. Those could go up. Employee morale and productivity may go down. It is a stressful journey for all involved.
I’ve seen situations where insurance simply won’t renew, say, “I’m sorry, I can’t sell you cyber insurance anymore.” For some businesses, it’s devastating to their contractual obligations because a lot of contracts require that you hold it.
How your information security or cyber risk management strategy is structured can make all the difference in your insurance carrier providing you the coverage that you need. At the University of Arizona, some years ago, the cyber insurance carrier dropped our ransomware coverage and we’re like, “Why? What did we do? We’re doing everything we can.”
We ended up demonstrating to the insurance carrier how our strategy is structured, what we have in place, and the tool that we developed in-house, which is a commercial product, showing how that tool blends with managing and mitigating cyber risk. We got our ransomware coverage back. It can make a difference in what you are doing proactively which ensures that you have done your due diligence in managing and addressing cyber risks within your organization.
I see the future to some degree, especially in insurance and insurance issues around actual fires in our legislature in California because of California and fire situations. There’s a parallel there. The governor issued a requirement to insurance companies that they could not drop fire insurance for these companies that had fires. An incident is a digital fire. At what point is our government going to step in and say, “You can’t drop your ransomware insurance like that?” If you offered it before, you can’t take it away. You’re concerned about that industry having incident issues. That’s where we’re headed there with the future. What emerging trends do you think will have an impact on cybersecurity in the future?
There are so many and it depends on which space you work in. For me, we’re going to see more and more demand for compliance with the National Institute of Standards and Technology, Special Publication 800-171 from government agencies and private industry. For those of us who have been engaged in the controlled unclassified information world of things, we can’t get through a day without mentioning 800-171. At least I can’t, as hard as I try.
NIST 800-171 has been popping up in contracts and projects that have nothing to do with the US Department of Defense. This is not just a standard for the cybersecurity maturity model certification framework; successful implementation and adherence to the objectives of NIST 800-171 is an indicator that an organization maintains a robust cybersecurity posture and is able to protect sensitive information. We’re going to see more and more evolution in that area.
I would agree with that. I see it coming too. Thank you for that. Tell us about you. We know that you took a look at the blue blood moon but tell us a little more about who you are. How’d you get to where you’re at there at the university?
I have been working in regulatory trade compliance for over fifteen years. That’s the import-export side of things. I’ve been doing that in higher ed since 2011. I first started at the University of Miami as their first export compliance officer. About three and a half years later, New York University poached me to be their first import and export compliance officer. My husband, who was originally from Arizona, was a fish out of water on the East Coast.
I had to get him back to his home state. That’s how we ended up in Tucson. It was in 2019 that I found this bridge to be able to cross over from the import-export compliance world into information security because there’s such a strong overlap. I have to be appreciative of the person who hired me and gave me this opportunity to come over and further evolve compliance and regulatory knowledge in the information security space. I do enjoy it and I still have that overlap with things.
It’s always nice to have a new opportunity and maybe apply new ideas or old ideas to a new problem, taking the compliance approach from import-exports and applying it to cybersecurity. What are you working on that you’re most excited about?
I’m involved in several things. One of the things that I’m most excited about is building an ecosystem of knowledge sharing at the University of Arizona, which we are calling CYBORG. CYBORG stands for Cybersecurity Body Of Risk Guardians. This internal resource is available to our risk managers who want to work on aligning security practices within their unit against a particular standard or framework.
I’ve already got a resource that outlines all 320 practices in NIST 800-171, even calculating an assessment score for them so that they can measure how close they come to that standard. What makes this resource unique is that it maps to the university’s information security governance and NIST 800-53 as well. We’re seeing this broader association of where these controls might impact other areas. I’m also developing a handbook that will guide these risk managers in scoping for their projects and getting into the weeds, so to speak, of maturing their cybersecurity practices.
If they choose, they can use these resources with the university’s information security risk management tool, which is provided by a company called SibylSoft where they can work in an advanced view to incorporate the work they did in the CYBORG resources and the university’s information security risk management program. It’s a shared responsibility strategy. It was intentional that CYBORG be developed to work with other information security services.
Is CYBORG available to the public as well?
No, this is internal to the university but I would be happy to share what I’m doing and our approaches with anybody who would like to do something similar in their organization.
Everything that we’ve talked about is coming true. I don’t know how closely you watch the NIST CSF, but in the new version, they’ve added what essentially is a governance component in the draft version. That is exactly what we’re talking about here when we talk about compliance and risk management. There are little signs everywhere that the responsibility for cybersecurity is no longer isolated within the confined zones of the IT and security teams. The whole organization has to pitch in and that becomes a leadership challenge. With the future in hand and knowing what you know, what actions do you think make sense for reducing their regulatory cyber risk? What would be a single action item that you think they should do right away?
Read your contracts. I cannot tell you how many times, engaging with people, I’m like, “Did you see this point in the contract?” “No, I rely on somebody else to do that for me.” No one enjoys reading contracts. There’s often this bias that someone without a law degree cannot understand a contract. I don’t believe that because I don’t have a law degree and I read contracts all the time.
Depending on the organization, a contract may be reviewed by several people and each of them is looking for their thing but none of them are looking at the contract as a whole and how different areas overlap with one another. Be mindful of those click-through agreements too. You want to ensure that what you’re clicking “I agree” to isn’t giving away your privacy rights or that you’re not even saying it’s okay that the company doesn’t do patches to their software.
You have to be diligent in checking out the security posture of the third parties that you’re entrusting with your organization’s information or providing access to your network or other systems. Ensure that the contract has adequate information security clauses to protect against threats and that they are protecting your organization’s assets.
When contracts come up for renewal, that’s the time to renegotiate terms and shore up any weaknesses, especially as you, each year, should be reviewing the posture of your vendors and partners and making sure that they have not had any vulnerabilities or significant threats in the past years that could be exposing your organization or other assets to an unknown vulnerability. Read those contracts. Don’t be shy. It might take a little bit of an adjustment to understand it but trust me, it’s worth it in the end to make sure you know what’s in those contracts.
It’s such a simple and easy ask. That’s wonderful. I imagine that for our readers, the contracts administration professionals probably got up out of the chair and started applauding, as well as the attorneys. Those are the two groups that I’ve heard from before and that is wonderful advice, wonderful action. You’re right. The biggest gap that we see is you can always point back to a contract. Thank you so much for that. That item is relevant.
Wendy, here’s a question for you. If you were to be able to go back in time and tell your younger self some advice, what would that advice be?
It would be don’t ever let someone tell you that you can’t do something. We can be knocked down by a lot of negativity. That may come from within our family, our friends, and the people we engage with but you know yourself the best. Don’t zero in on what everybody else thinks. Zero in on what you know you can do. If you feel you can do something, then do it.
Where can people find you? How would you like them to reach out to you?
LinkedIn is probably the best way. It’s about the only social media platform that I’m on but you can also go to the Cyber AB Marketplace. Search for me there and find me on their listing as well.
Thank you very much. Audience, thank you for reading. We hope you’ve learned something and enjoyed the conversation here. This has been another great episode of the show. We’ll see you next time. Thank you, everybody.
About Wendy Epley
- Born and raised in Miami, Florida
- Have lived in Tucson, Arizona, since 2016 with my husband of 15 years
- Fun fact – I was in the movie “There’s Something About Mary”
- Obtained my Bachelor of Science in Global Business from Arizona State University
- Obtained my Master of Science in Regulatory Trade Compliance from Dunlap-Stone University
- I have several credentials in the Cybersecurity Maturity Model Certification (CMMC) ecosystem:
  - Registered Practitioner Advanced
  - Certified CMMC Professional
- I am currently working as a Provisional Instructor / Certified CMMC Instructor (CCI)
- I maintain my certification as an Export Compliance Professional.
- I am also a Six Sigma Green Belt
- Been with the Information Security-Governance, Risk & Compliance team since 2019
- Was the first Export Compliance Officer for the University of Miami
- 3.5 years later, New York University poached me to be their first Import & Export Compliance Officer for their New York, Shanghai, and Abu Dhabi campuses.
- Before higher ed, I worked for various Fortune 100 / Fortune 500 organizations such as Honeywell, Caterpillar, Schering-Plough, and Arthur Andersen
- In October, I was appointed as the Deputy Managing Director for the American Chapter of the International Sanctions and Export Control Society
- I work with a start-up company in Tucson called SibylSoft, serving as their Chief Compliance Officer