Exclusive Industry Interview with LzBeth Malig
To celebrate the final day of this year’s Women’s History Month, LzBeth Malig, Director of Information Security & Compliance at Concord Technologies, sat down for an exclusive interview with Alyne's Head of North America, Tyler Gowen, to share how Concord Technologies leveraged Alyne to streamline their information security and compliance processes, as well as some industry insights as a female security leader.
About Concord Technologies
Concord Technologies is the leading industry player, developing new Artificial Intelligence technologies. Concord was built on a simple principle: take care of people, and make the exchange of information easier. Over the last 20 years, Concord has advanced from a modest Seattle-run and operated business to an international organisation trusted by more than 200,000 users with their mission-critical data. Today, they are responsible for sending and receiving millions of documents every day in healthcare, technology, and financial markets. With a 97% customer retention rate and delivery reliability that is unparalleled in the industry, Concord is committed to being the partner organisations can trust with their data.
About LzBeth Malig
LzBeth Malig is a female security leader at Concord Technologies who views security as a business enabler rather than a cost centre. She strongly believes that security should be a balance between risk, usability and cost, and that security practice should be the norm in any organisation. LzBeth Malig has been in the Information Technology field for over 20 years and has always been interested in the security side of things, as she finds it extremely fascinating. According to LzBeth, fortunately (or unfortunately), it is not as exciting as depicted by the entertainment industry, and in this sector the bad guys don’t wear hoodies; they are much more sophisticated. Her current role puts her behind a desk reading and writing a lot, as a big part of security is policies, processes and controls – collaborating daily alongside legal regarding contracts and agreements. She also works across the company on the risk management program and business continuity, getting buy-in for security ‘stuff’, and is also in charge of leading the annual audits.
How Concord leverages Alyne to streamline their information security and compliance processes
Tyler: What were some of the biggest challenges your organisation faced prior to using Alyne?
LzBeth: Many GRC tools provide a control statement without providing proper context; thus, the information security and compliance department has to provide details on the controls, convert each control into a question, determine the artifacts that are needed, etc. This requires time and effort.
One unique capability with Alyne that solved this challenge is Alyne’s question and answer format, which makes documenting controls, mapping to regulations and running assessments easy. With Alyne, aside from the control statement, there is a specific assessment question, maturity-specific answer options and the ability to automatically suggest relevant evidence to back up assessment responses. Additionally, each assessment topic or individual question can be delegated to different individuals, so there is no chasing people via email. This saves time and creates operational efficiencies.
Tyler: How does your organisation leverage Alyne’s solution?
LzBeth: Currently, our focus in Alyne is running Assessments on Controls.
Tyler: What would you say makes Alyne unique?
LzBeth: One unique feature, which I find very helpful, is the downstream risk analysis. Alyne is the only tool that provides automatic downstream Risk Analysis from Control Assessments. Once the control-specific Assessment questions are answered, there’s a list of potential risks raised as a result of the Assessment response. This is because Alyne has mapped every Control to a vast Risk Library in addition to global regulations, laws and standards. This identifies potential risks that otherwise would be undefined.
Tyler: What advice would you give decision-makers when choosing a RegTech solution such as ours?
LzBeth: There are many solutions out there, so make certain to prioritise requirements before comparing vendors. Some solutions are best for Risk Analysis, some are best for process reviews, etc.
Tyler: Can you tell us what’s next in how your organisation will utilise Alyne's capabilities?
LzBeth: We are planning to utilise Alyne’s ‘Documents’ functionality for creating and managing both new and existing policies directly within Alyne. We will link our policies to Alyne’s Control Library so updates to policies and Controls become automated.
Having a career as a security leader in Seattle
Tyler: You stated, “Too often, security leaders can have a reputation for saying ‘no’ as the default answer.” How do you ensure that you don’t get a reputation for saying no, and what do you do when you encounter someone saying no to you?
LzBeth: I think I would phrase the question to Information Security differently. Instead of "Can I do x?" I like to think of it as "I need to do x, how can you help me achieve that securely?" With an open discussion, we can work together to find the optimal solution, although it may not be the solution one has in mind. Information Security should not be, and is not, a barrier to success. Our goal is not to make life difficult – trust me, really, our goal is to balance risks and opportunities.
Tyler: You are located in Seattle, a technology hub. What regional differences, if any, do you see in the corporate approach to risk?
LzBeth: I don’t think there is much of a difference, as we are all very connected these days. Seattle was a start-up nucleus and still remains in the nationwide Top 10 in start-up growth. As start-ups tend to fuel a lot of creativity and invention and are more agile in exploring new technology, maybe there were more original ideas? However, Seattle also anchors two of the largest tech companies in the world and has extremely mature resources. I think it has a great balance between foundational, conventional and innovative approaches in all things technology.
Current risk landscape
Tyler: What is currently the most overhyped risk topic or risk issue?
LzBeth: Now this is going to get me into all kinds of controversy – aka trouble. In my personal opinion, there is a lot of emphasis put on certifications rather than the actual security capability. Following certain standards is a great starting point, but I’ve also seen far too many "check the box" efforts to achieve certifications. Something I came across during my auditing years: "untrained" employees being shuffled to different floors to avoid being subject to auditor questions during the audit week. If only the company would spend as much effort in doing the actual work.
As a security professional, the rationale for certifications should be achieving a security standard, not driving sales. However, as someone in a leadership position, I also understand that revenue is why any for-profit business exists. It’s a long-standing rift that keeps things interesting.
Tyler: What risk topic is not given the appropriate attention it deserves?
LzBeth: Call me paranoid because I think there are risks that are inherent within the computer processors themselves. We don’t hear about them as much because it’s not sensational and the impact is hard to quantify.
Here are some articles that LzBeth recommends technology professionals read:
The future development of risk
Tyler: How will risk evolve over the next five years?
LzBeth: I think machine learning will continue to augment human decision-making to enhance the efficiency of security tools, helping to weed out the noise, so to speak. This would allow us, humans, to focus on what’s important rather than spending extensive time trying to find what’s important. Privacy remains one of the higher risks for many companies. With the growth of privacy regulations introduced across the globe, it is difficult for companies to reconcile all the possible compliance gaps.
Working remotely has been the norm for most of us these days, and I believe Zero Trust architecture to protect enterprise systems will become mainstream. Defending the perimeter using only username and password is no longer sufficient, so the need for "Never trust, always verify" for every request, whether it’s inside or outside the network, is critical. NIST SP 800-207 is all about Zero Trust; Microsoft has blogs devoted to Zero Trust; it’s up to each CISO to decide what’s best for their company.
Tyler: What risk capability does not exist today that you wish did?
LzBeth: This is interesting. I would really like to see an email digital signature / encryption protocol that works across all email providers / platforms / clients. I think most of the time the email digital signature only works within the same network / platform / provider; otherwise, the email sent will not display correctly for the recipient. In my use case, I use digital signatures mostly for specific anti-spoofing and message integrity. It is frustrating that it doesn’t always function as expected.
How does LzBeth stay ahead in her role?
Tyler: What resources do you leverage for relevant industry news and updates?
LzBeth: I am on so many email lists it’s not even funny! However, I do like ICS-CERT, US-CERT, different blogs, for example, Tripwire, Cisco Talos, Heimdal, Guardian, etc. I also follow blogs from individuals like Bruce Schneier, Troy Hunt, Marco Ramilli as they cover a wide range of topics in the technical space.
Tyler: What is the most common misconception business lines have about you and your role?
LzBeth: This really depends on the company. I have had jobs where I’m seen as mostly technical and make technical decisions, and at times help out within tech teams. In other instances, I’m seen as non-technical and deal mostly with legal and compliance. Most business lines would think that "she answers security questions, deals with customer security stuff, does audits, comes up with policies and security requirements, explains GDPR, PCI, etc.".
However, I also do a lot of technical solution reviews, cost-benefit analysis, bringing systems online and security architecture analysis.
Tyler: What is the most common security or risk practice people say they perform, but actually don't?
LzBeth: I never write down the password. I always lock my computer when I leave my desk.