Why tech, process and people are top of mind for CISO Laurence Lafond

In this second part of our discussion with Lafond, he refers to internal threats, side-channel attacks, vendor risks and having a well-equipped incident response plan and team.

Yesterday, we published the first part of an informative and practical discussion with Global Relay’s Chief Information Security Officer (CISO), Laurence Lafond. In today’s second part, Lafond focused on the interactions between tech, processes and people, the risks associated with relying on vendors, corporate incident response teams, and the common mistakes that businesses should aim to avoid making in 2025.

Systems = Technology + Process + People

“I see systems as being composed of technology, process and people, with each of these elements backing each other up,” Lafond said. The least predictable of those areas – which makes it the weakest one – is people.

With technology, he explained, you can document what you have physically put into place, the quality of hardware, the track records of vendors, etc., things that are measurable. Processes might be a little less measurable, but with the right focus, you can determine if a process is good or not good, especially with multiple sets of eyes on it.

But then there are people.

“People could have had bad sleep the night before, have some trauma in their lives that they’re dealing with, and whatever it might be could interrupt their thoughts as they do such things as cutting and pasting information from one place to another and make mistakes,” Lafond said. “This is why we use the technology and processes aspects to help us with the more unpredictable people one.”

He believes it is important for CISOs to measure how they are looking at things and to make sure they know what the risks to the business are, based on a quantitative value. This is why measuring key performance indicators is so important, as well as key risk indicators, which can go up over time if they are not mitigated and which reflect what risks exist and how exposure to (and harm from) them can be reduced.

“Quantifying the impacts of the people part of the equation does help reduce the risk and helps me sleep better at night,” Lafond added.

He explained that it is the CISO’s role to ensure that the inevitable mistakes that are made have a minimal impact on the organization, and that people can do their jobs with as little friction as possible.

Another challenge, he said, is knowing you have only a certain amount of time to spend on all of the security risks present in any organization, and then having to determine how much effort to allocate to each, based on that evaluation of risk.

Compounding the complexity here is the fact that the evaluation of the risk might not be repeatable, nor do you always get the same assessment from multiple security professionals in terms of the same risk, he pointed out.

Some areas that can lead to a difference in viewpoints are perimeter controls and whether additional layers need to be added to those controls, he said. Defense in depth is a strategy that leverages multiple security measures to protect an organization’s assets, and it is another cost and another layer of work for the organization.

The thinking with “defense in depth,” he suggested, is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way. Although often needed, it can feel inefficient and tie up resources for the organization.

“So, in managing a data security program, there’s a lot of consideration of where to fish and where to cut bait, and this is where standards become critically important.”

Reliance on vendors

I asked Lafond about the risks that any reliance on vendors brings to an organization, and specifically alluded to the CrowdStrike failure in July.

He brought up the case of a bakery located in New York City as an illustration.

“Let’s say the bakery gets an overwhelming number of positive reviews about a new cake it has put on sale,” he said. “That can seem like a good thing, but it can also lead to the bakery getting crushed by orders, and that can actually be devastating to a small business, which is an unintended consequence here.”

We are seeing a little of this in terms of the technologies that are getting deployed on the internet, he said. One winner gets ahead of the others, and suddenly everyone is using that winner. And in some areas, like operating systems, we see a concentration of just three vendors – Linux, Mac and Windows – which limits organizations’ choices.

So, on July 19, a global IT outage stemming from a faulty CrowdStrike software update affected the ability of businesses in a variety of industry sectors to perform their most basic and essential tasks – from healthcare and banking providers to airlines and car dealerships.

“CrowdStrike was a vendor popular with one of those operating systems’ users – Windows – so there was a great potential for significant security disruption,” he explained. “This type of interconnectedness is a risk that will stay with us for the foreseeable future, and organizations need to account for and mitigate it.”

One of the reasons the CrowdStrike disruption occurred was that the organization did not have strong controls over its deployment of software, he stated. Had those controls been in place, the software issue should have been caught before it was deployed widely.

There are controls that can be put into place to help prevent this type of failure, and in this case there was some evidence that CrowdStrike and its personnel did not follow the company’s own documented processes for the deployment, he noted.

Lafond emphasized this was not a criticism of the company so much as a reminder that this can easily happen and that it is one of the significant challenges in any organization – again, dealing with unpredictable people who can fail to follow policies.

“Businesses must ask themselves what are the processes and technology you can leverage to cushion the impact of problems from that other, more unpredictable risk area and still provide the services it provides its customers,” he said.

CISOs need to keep track of these personnel issues. This includes determining if personnel are burying certain issues.

“You don’t want a whistleblower being the one to bring these issues to regulators when you can implement the right controls to detect the issues and enable you to handle them first with the right processes.”

Lafond pointed out that internal threats cannot be dismissed. Security professionals are sometimes unduly focused on the protections in place from the outside in – external risks and actors – but some tools and people on the inside can be true vulnerabilities.

Both interesting and scary, Lafond said, are threats that come not necessarily from the inside or the outside – but from the side.

A “side-channel attack” in cybersecurity, he notes, is a method where an attacker exploits unintended information leaks from things like a system’s power consumption, timing variations, or signals from monitors, to gain sensitive data, rather than directly attacking the system’s encryption algorithm itself.

Basically, the attacker gathers information from the “side channel” of a device’s operation to compromise its security. Air-gapped systems that have been physically segregated from other computers or networks can help and have traditionally been thought of as a strong security protection, but side-channel attackers have gotten around them, he said.

“It is a constant cat and mouse game of evolution with these risks and types of attacks.”
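As an added illustration of the timing-variation leak described above (example code written for this article, not from Global Relay or Lafond): a comparison that stops at the first mismatching byte does a different amount of work depending on how much of the secret a guess matches, which is exactly the kind of unintended signal a side channel exposes. The `bytes_examined` counter stands in for measured time, the `SECRET` and guess values are constructed, and the constant-time variant shows the mitigation.

```python
import hmac

# Constructed sample secret for the demonstration (not a real credential).
SECRET = b"secret"


def naive_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit compare. Returns (equal, bytes_examined); the count stands
    in for measured time and grows with the matching prefix, so it leaks
    how much of the secret a guess got right."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Examine every byte regardless of where the mismatch is, so the work
    (and timing) depends only on the length, not on the secret."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y  # accumulate differences without branching on them
    return diff == 0, len(a)


def leak_profile(compare, secret: bytes, guesses: list[bytes]) -> list[int]:
    """Bytes examined per guess; a rising profile means the compare leaks."""
    return [compare(secret, g)[1] for g in guesses]


def check_token(presented: bytes, expected: bytes) -> bool:
    """What real code should use: the standard library's constant-time compare."""
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed guesses matching progressively longer prefixes of SECRET.
    guesses = [b"XXXXXX", b"sXXXXX", b"seXXXX", b"secXXX", b"secrXX", b"secreX"]
    print("early-exit:", leak_profile(naive_equal, SECRET, guesses))  # [1, 2, 3, 4, 5, 6]
    print("constant  :", leak_profile(constant_time_equal, SECRET, guesses))  # [6, 6, 6, 6, 6, 6]
    print("compare_digest:", check_token(b"secret", SECRET))  # True
```

The rising profile from the early-exit compare is the signal an observer measuring response times would see; the flat profile from the constant-time version is what closes the channel.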

Incident response team

In the cybersecurity world, Lafond observed, the preparation and response to cyber incidents revolves around the concepts of red, blue and purple teams.

“Red teams are posing as attackers trying to break into something. A blue team is a defender, protecting a resource against attacks. And the purple team operates in the middle, assessing the various risks from each end and assisting in ferreting out issues that are important to recognize and address,” he said.

This incident response team should be made up of people who can think the way an attacker might think, while holding ethical standards quite high. And you want an understanding of the technology they are dealing with – some people with more general breadth, and others with deeper understanding of specific technologies, he explained.

You want someone who knows how encryption works and how access controls can be circumvented and logs turned off. You want people who can see events that seem insignificant to others and detect the cybersecurity implications in them, he said.

Lafond made an interesting point about educational background: “I like having some folks there that are liberal-arts trained.” The reason, he said, is that they tend to think more holistically and carefully about incidents, and not just about the technology pieces.

And security professionals with broad operations experience have significant breadth and can bring a lot to the table, compared to people whose backgrounds may be concentrated in highly specialized areas, such as pure development work, he said.

To add clarity around the distinct roles, Lafond said security professionals with development work backgrounds focus on a highly deterministic model – take a computer and make sure that when you command it to do something, it does it the same way the second time around.

But in the operations world, you have hardware that crashes unexpectedly, and you have systems issues, and you have to deal with disaster recovery scenarios and serious business events gone awry – so these are the folks that know the many ways things can go wrong.

I asked Lafond where and how compliance professionals fit into the task of incident planning and working with the security team generally.

He said compliance professionals think about how to protect the organization as a whole and what processes will ensure that happens – which is the bridge connecting them to the security team. He once had an employee who said: “if you buy security, you get compliance for free.”

Meaning, if you put a lot of effort into cybersecurity measures, such as having a good SIEM (Security Information and Event Management) software tool in place to monitor and analyze our network – and good password vaults and mature access controls – all of this can help you achieve your compliance goals, such as passing audits and other reviews, he said.

In thinking of our customers and their compliance departments, we need to understand and appreciate what compliance obligations they face – at the international, national and regional levels, he said. That is, in terms of the assurances they need to provide those regulators about the resiliency of their suppliers’ cybersecurity programs.

We want the banks and other customers of ours to appreciate and see evidence of our processes being strong, so they can report about this to those regulatory bodies.

Speaking of international requirements, Lafond mentioned the EU law DORA, the Digital Operational Resilience Act, which sets new requirements for organizations to strengthen their digital security, especially in managing third-party risks. “To help our customers meet those requirements,” he said, “we let them know what controls we have as their supplier in protecting their data that they have to show adherence to under that law.”

I asked Lafond about drills – maybe performing them on a summer Friday or right before a big holiday weekend, and he said they happen in business continuity planning and disaster preparedness drills but were more popular about 10 years ago than today – at least the surprise ones.

This is because some people can think it’s a real attack, he said, and this is a real problem – one that can even happen when you’re just doing phishing tests. “We don’t want to make people unduly stressed out,” he said.

Rather than focus on drills, Lafond counsels doing scheduled tests of critical components of the security apparatus, such as of the back-ups – mainly to prove you can restore those back-ups. “We do a restore test on an annual basis that we can show as evidence to auditors and customers that is of critical importance,” Lafond said.

Working with industry associations

Lafond said that, like a lot of other companies, Global Relay belongs to a number of industry associations that provide their members an opportunity to share trends and thoughts on security issues under the Chatham House Rule.

“That can help bring up issues that help everyone there better understand,” he said. “We also have customers ask us to engage in some sharing of what we’re seeing in the larger internet space – a back-and-forth dialogue that, again, is meant to benefit both parties.”

These exchanges have not been overly successful, though, he said, as they are difficult to sustain and work better in theory than in practice.

Lafond said some companies use some crowdsourcing efforts to open up their systems to researchers who go into their networks and look for vulnerabilities, reporting on them to security experts from a variety of firms as lessons learned. Bug bounty efforts fall into this category, wherein a company pays an individual to find bugs or problems with their services over the internet.

Lafond said these can be helpful, but they vary quite a bit in quality and pose a certain amount of added risk to the organizations participating in them.

Lafond said his interactions with regulators mainly stem from interactions with customers who are sharing their regulatory obligations. As one of their main vendors, this often means Global Relay has to adhere to the same set of standards, so the customer can stay compliant and continue to adhere to all regulatory obligations.

Common mistakes

I asked Lafond to share his hit list of items companies get wrong and could fairly easily correct.

Multi-factor authentication (MFA) – specifically, not mandating it for any kind of access from the internet – was his number one.

In thinking of phishing tests, he said a number that is thrown around is that, on average, without security awareness training, 30% of employees click on the first phishing email you send out as a test. Considering this decently high number, he said MFA has to be there as a security element guarding one’s credentials.

And closely related to that, he said, as companies use more services in the cloud, organizations should realize they have a good amount of data and systems stored there – from HR benefits and recruitment systems to thousands of Google documents.

Those should be secured with single sign-on, where possible, and although that can cost more, it is worth it to know that when an employee leaves the organization, they cannot access these cloud servers and this data, he said.

Finally, Lafond said organizations need to stay focused on their perimeter protections, remembering that the internet in general is simply not a safe space.

Use MFA, have good firewalls, use single sign-on, and keep back-ups and restore-test them, because these basic ingredients of cybersecurity hygiene accomplish more than you would think.