Evan Francen is an information security expert with more than 25 years of “practical” information security experience. He has an ambitious mission: fix the broken information security industry. He’s currently the CEO of FRSecure, an expert-level information security consulting company, and he’s also the CEO of SecurityStudio, a Software as a Service (SaaS) company specializing in providing best-in-class security applications.
Prior to establishing FRSecure in 2008, Francen spent more than 15 years as a leading information security professional and corporate leader in both private and public companies. He’s an “information security evangelist,” thought leader, and specialist in advising boards of directors, legal counsel in high-profile criminal and civil cases, and executive management. Francen will be the keynote speaker at Enterprise Minnesota’s event, “The Value of Peer Councils,” Tuesday, February 19 at the Shoreview Community Center.
What should we know about you and your company?
I’ve been doing information security for a long time, about 25 years. When I started in this field, we really didn’t call it information security. We were more tinkerers than anything else, and we devoted most of our energy to keeping things running. I started as a Cisco engineer in the early ’90s, and from there I spent time at a number of large companies like Wells Fargo, U.S. Bank, and UnitedHealthcare. There are a few things that don’t mix well between me and many large companies. I’m not politically correct or good at politics. I don’t like cheating, shortcuts, or doing things incorrectly. I think these are good qualities for a security professional.
FRSecure started as two guys with a crazy mission. It’s much less crazy now because we have 70 employees and 20 partner companies who do things the way we do. We just wanted to fix a broken industry, which is what my first book, Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?, talks about. We’re also a bunch of QSAs, pen testers, social engineers … it’s a weird place to be if you’ve never been here before, but weird in a good way. It’s a lot of fun. Today we operate globally. We have more than 1,000 clients, and we’ve completed a few thousand FISASCOREs across 28 industries.
Let’s start with a couple definitions. What do you mean by “information security?”
Bingo, I love it! I wish more people would ask that question. If you or I were to ask ten experienced security people for their definition of information security, we’d get ten different answers. Heck, we might even get eleven or twelve! Some security people like to argue—egos can get in the way—and could spend all day arguing about it, too.
My definition of information security—the one that we work with—is managing risk to information confidentiality, integrity, and availability using administrative, physical, and technical controls. That’s a mouthful, I know, but it’s not just keeping data secret. Maintaining confidentiality is about secrecy and privacy, integrity is about making sure that the information is accurate, and availability is making sure information is available when people need it.
Has that definition evolved?
We’ve stayed pretty true to that definition from the beginning. You’ll notice our definition also includes three different types of controls: administrative, physical, and technical controls. That’s really important. Information security is not an IT issue; it’s a business issue. Technical controls are only one of three different types in our definition. Administrative controls are used to address the “people part” of security. You and I both know that people always pose the biggest challenge and most significant risk. Physical controls are the most obvious because you can touch them: locks, doors, alarm systems, etc. We have a saying we use when we try to stress the importance of physical controls: “It doesn’t matter how well your firewall works if someone steals your server.”
We speak to business people on their terms, about the things that they should be doing. I don’t think the definition has really changed in 10 years.
How about a definition of “risk?”
In the simplest of terms, it’s the likelihood of something bad happening and the impact if it did. If you wanted to go a little deeper into that definition, “likelihood and impact” really are functions of vulnerabilities and threats. A vulnerability is nothing more than a weakness, or a gap in controls. So, where there’s a vulnerability and an applicable threat, there’s a risk. Conversely, if I have a vulnerability but there are no threats, then there’s no risk. Those things are really important because we make decisions based on risk. Hopefully, we’re not making decisions based solely on what someone told us to do.
Do manufacturers react differently than other sectors when it comes to information security?
For sure. One of our principles is that information security is not one-size-fits-all. Every business and every organization is different. In our industry (information security), I’d estimate that 80 percent of all money spent is spent on compliance. With healthcare, you have HIPAA (Health Insurance Portability and Accountability Act of 1996), which provides data privacy and security provisions to safeguard medical information. In banking and finance, you have GLBA (Gramm-Leach-Bliley Act), also known as the Financial Services Modernization Act of 1999, which requires financial institutions to explain how they share and protect their customers’ private information. In manufacturing, there really isn’t that kind of push. When people don’t really understand something, they do what they’re told to do, and that hasn’t happened in manufacturing. I think that’s why they’re a little bit behind the times.
I recently had lunch with the Chief Information Officer (CIO) of a very large manufacturer. One of the topics we discussed, not surprisingly, was information security. He asked me a good question about what executive leadership should be concerned about, given that there isn’t any regulatory push. I gave him four common risks that his executive leadership should consider.
The first is intellectual property, both theirs and their customers’. The single most common threat to manufacturers today originates from state-sponsored actors, and they’re targeting intellectual property. Think China.
The second risk is related to financial fraud. Our company has been called in to respond to multiple incidents where accounting personnel were targeted, and in one case, the attackers made off with more than $800,000. There was no recourse; the money was lost.
The third is ransomware. We’ve read the news. You don’t need to be an expert to understand how ransomware works and what some of the consequences could be. One recent incident that we worked on cost the company an entire week of downtime and more than $200,000 in remediation and clean-up costs.
The fourth risk that we’ve seen emerging is related to attackers going after the executives personally. Executives have assets and attackers know that. Too many executives are oblivious to the risk and become easy targets.
Information security hasn’t been a strong focus for many manufacturers, and I think many of them are unaware of the risks they face. A compounding factor is the mentality that a manufacturing company only makes a widget, or a lawn mower part, or something else. Who would really want that information? An attacker does! If you make money from it, don’t you think that someone else can, too?
Some manufacturers think they’re flying under the radar. That’s false logic; there is no radar, and there’s no security in obscurity. Some boards of directors and executives want security to be an IT issue. That’s the easy out, right? It’s IT’s problem, so just put it over there. That’s wrong. IT is good (hopefully) at technical things, like firewalls and antivirus software, but they aren’t the right fit to manage the people part, making sure people are well-trained and aware.
I gather you developed FISASCORE to help non-technical folks understand information security risk.
Yes, that’s one benefit. We do the assessment, calculate a FISASCORE, and communicate the results to management. It’s a simple, but effective way for them to understand and manage risk. The FISASCORE was developed to be a definitive measurement of information security risk. It’s comprehensive and accounts for all phases of information security. That’s very important, because it comes from our definition of information security. Measurement is also important because we can’t manage what we can’t measure. There are hundreds and thousands of measurements in the FISASCORE, allowing management to spend their next information security dollar where it will have the most positive impact.
We developed the FISASCORE to get people speaking the same language. “Information security” quickly gets very confusing. We measure security risk in the same way banks measure credit risk, using a scale of 300 to 850. So, when I say to somebody, “Your FISASCORE is 600,” it resonates very quickly. It helps us speak the same language.
It’s a simple measurement on the surface, but under the covers it’s much more complex. If I received a FISASCORE, I would certainly want to know if this is something that actually represents what I say it does. When I say to a board of directors, “This is your current FISASCORE,” they get it right away. I don’t have to spend a lot of time detailing everything that went into it. It’s a simple way to talk security.
Speaking the same language is critical. When I said earlier that our mission is to fix the broken industry, most of the problems we have are because we’re not speaking the same language. If I can put a numeric value on information security risk, we can start to translate what all this means. Complexity is the enemy of security. The more complex you make something, the more difficult it is to secure it. We need to make it easy for people to make good decisions.
Is there a tendency for management to get their score and leave it at that?
There used to be. One of the common comments we would get maybe three, four years ago after completing a FISASCORE was, “You took us to the edge of the cliff and then you left us hanging. What now?” We spent a lot of time trying to figure out the “what now.” So, we built a roadmap, which walks the organization through the process. “Here’s your FISASCORE today. If we do these things, this is what it will be in the future. This is when we’ll get there, and this is how much it’ll cost.” If I only had five minutes with executive management or the board, what are the most important things they should know about their information security? The answer is: this is where you’re at (FISASCORE), this is where you’re going (future FISASCORE), this is when you’ll get there (roadmap), and this is how much it will cost. It’s a process that has proven itself effective. Then, it becomes a really nice strategic plan over the next two or three years.
How do IT folks respond to the FISASCORE?
They’re so used to having security treated like it’s an IT issue. They feel like they might look bad to management. That’s one reaction. The other reaction is typically relief. Finally, somebody’s going to make the case to executive management. This isn’t just my issue (IT), this is our issue (business). If it’s the former, we try to turn it to the latter by telling the IT person, “Look, this was never your problem to begin with. It’s partially your problem, but our job is to work with the company, the organization, and take the pressure off you. This is all of our issue.” It usually works pretty well.
Where are most companies on the FISASCORE continuum?
You can apply FISASCORE to organizations as small as five or six employees and as large as 20,000. They use their FISASCORE, first, to build and manage an information security program. “Building” is what happens when your score is below where you want it to be; then you need to build things. You do things to move it up. One of the things that’s important to understand is that it’s very difficult to manage something that you can’t measure. The FISASCORE is used for that. Most companies are still in this building process. They don’t have the foundation of a good security program, so they use the FISASCORE to drive that.
Security folks sometimes struggle to communicate with their boards of directors. I remember trying to talk security with boards of directors in my earlier days. They treated it like an IT issue, and that didn’t go well. The FISASCORE makes the conversations go much better. We’ll now hear about board members talking to board members from other companies. “Does our other company have a similar FISASCORE?” We’re starting to see it grow that way too, which is really nice, because it’s resonating.
What are some additional benefits from FISASCORE?
Certainly, communicating with customers. There is value in telling a customer the current state of our information security program, especially in a vendor risk management scenario. I can communicate the state of our information security program with the simple score. And if they want more specifics, we can address them. On the other side, you can manage vendor risk by getting (or asking for) FISASCOREs for your vendors.
Another benefit is you could use it to find better rates on cyber insurance. Lloyd’s of London has agreed to use FISASCORE to assist in cyber insurance underwriting, which is a big deal. But right now the cyber insurance market is all over the board for small to medium-sized companies. There’s not enough structure yet to that application, other than the credibility piece.
You can also use FISASCORE for accountability. We take the results of a FISASCORE and assign certain tasks. The FISASCORE is all about risk, and when I face a risk, I only have one of four options for dealing with it. I can either accept the risk as-is, mitigate the risk, transfer the risk, or avoid it altogether. So, the things that I’ve decided to either transfer to someone else or mitigate, I can apply to either an internal resource or an external resource and hold them accountable for accomplishing these things.
And the last piece is to use the FISASCORE to help determine information security budgets. If my score isn’t acceptable, or if I need to maintain a specific score, I can define what my budget should be. In our industry, in general, most companies don’t have a dedicated information security budget. I expect that will change over the coming years, especially as security becomes a bigger issue.
How do the scores break down by industry?
To date, we have data from a few thousand FISASCOREs across more than 1,000 organizations in 28 industries. The reason the number of organizations is less than the number of FISASCOREs is that many organizations are starting to use the metric to manage security programs and regularly check how their security program is performing over time. So, it’s not uncommon for organizations to do multiple FISASCOREs in subsequent years.
We classify 28 industries based on their NAICS code. The average FISASCORE to date is 557.28. That would be squarely in the “Poor” range. I don’t think that’s a surprise for most people. The surprise came with the average 2017 FISASCORE of 593, which is getting much closer to that “Fair” range, a pretty significant improvement. If our data represents what business is doing, then it’s great to see improvement overall!
We can conclude that in our little corner of the world, where we operate, and who we’ve worked with, things have gotten better. The best FISASCORE industry is finance and insurance, which also isn’t that surprising, as it’s a very heavily regulated industry. This would be where banking fits in, credit unions, and the like. The accommodation and food services industry is the worst, with a 410.4.
We expect the data will get better as we continue to calculate more FISASCOREs and our partner channel continues to create FISASCOREs.
You are out speaking to executives quite a bit. Do they embrace your perspective?
The key is really to find out where they’re at, what they’re thinking and lead them where they should be. I would give a totally different presentation to a group of manufacturing CEOs versus a group of hospital CEOs. They’re thinking about different things. You have to really help it resonate, which comes down to speaking normal English. I don’t have to use a bunch of big words and acronyms. You shouldn’t be impressed by that. If people can’t speak to you in plain English, then that’s a problem.
It appears that your company is in the middle of quite a growth industry.
It’s definitely growing. It was estimated that $98 billion would be spent on security in 2018. This year, I think the number is $118 billion. It’s a money grab right now. There’s tons of money flooding into our industry, and people are buying things that don’t pertain to their biggest risks. So, one of the challenges for executives and managers is to determine what’s snake oil and what’s actually good for their companies. I think that’s where we’re at. We’re always innovating, but we’re so foundational that if you decided not to do security this way today, it’s only a matter of time before you’re going to have to.
Going back to the definition, it’s about managing risk. It’s not about eliminating risk. Some people think, “Well, if I have a breach, then oh my goodness, the sky’s falling.” The truth is there’s nothing you can do to eliminate risk. You’re going to have to live with some amount. We’re just very fundamental, very foundational about doing things the right way.