# 3 Industries, 3 Security Programs
Source URL:     https://www.darkreading.com/edge-articles/3-industries-3-security-programs
Date:           20221229T1700

Every organization is at risk of a cyberattack, but each organization
addresses risk differently. No one expects SMBs to take the same
approach to cybersecurity as a large enterprise, or a legacy
organization to have the same appetite for risk as a startup. Similarly,
how an organization defends itself from attack depends on various
factors, including its size, type of industry, supply chain resources,
approach to outsourcing and remote work, and global presence.

Security leaders from three very different industries sat down with Dark
Reading to discuss their respective cybersecurity programs.

John McClure is the CISO at Sinclair Broadcast, a major news and sports
broadcasting provider in the United States, with nearly 200 television
stations, streaming and digital platforms, and close to two dozen
sportscasts. McClure says that while Sinclair faces many of the same
cybersecurity threats that any organization faces, it is also considered
part of the critical infrastructure because it carries emergency
broadcast signals. One of the challenges that McClure has seen over the
past five years is the disappearance of network borders and the need to
find ways to protect the network as [the way people work][1] continues
to change.

Doug Shepherd is the senior director of the offensive security services
team at Jones Lang LaSalle (JLL), a worldwide commercial real estate
company with 90,000 employees in more than 60 countries. For a long
time, JLL was more of a brand than a company, Shepherd explains, but in
recent years it has become more cohesive, working together under the
JLL model. The company's cybersecurity concerns revolve around
integrating all the different office networks into a unified model and
consolidating individual security practices into one companywide policy,
he says.

Luis Cunha is the director of security engineering at Aptiv, an
automotive technology company with 170,000 employees in 165
manufacturing plants around the world. [Operational technology
security][2] is as important to Aptiv as information technology, with
endpoint security across all technologies a major concern, Cunha says.

## Size of Security Team

There is no "right" size when it comes to the security team. Some
organizations have large teams, and others partner with third-party
providers to offset small teams. That difference is very clear at
Sinclair, JLL, and Aptiv.

When Shepherd first came to JLL, most security was outsourced, but now
there are 100 people on the security team, he says. However, Shepherd
believes the team is a little undersized considering the size of the
company.

Outsourcing in such a distributed company meant that each office was
setting its own policies. JLL's focus on unifying security is driving
its decision to move away from outsourcing. The goal is to reduce its
reliance on outsourcing and eventually bring in contractors who work
directly with the security staff, Shepherd says.

Sinclair's McClure didn't provide exact numbers — he just says his
security team meets the industry average. At Sinclair, security is
handled both in-house and outsourced. Sinclair relies on outsourcing for
skills that are difficult to recruit and retain in-house, such as
[threat hunting][3], McClure says.

And then there is Aptiv, with 35 people on its security team — up from
five on the engineering team a year ago, according to Cunha. Cunha
thinks Aptiv has outsourced too much, which has an impact on the
organization's agility and flexibility. When you outsource, you lose the
ability to change and react to security problems quickly, he says.

## Investing in Security Tech

What kind of security technologies an organization invests in depends on
factors such as regulatory and compliance requirements, the type of
threats the organization sees, and its technology stack. As
organizations move more of their operations to the cloud, they are
investing in cloud security. With the shift to distributed computing,
identity becomes an even more critical area of focus.

McClure says Sinclair is investing in a number of technologies,
including endpoint detection and response (EDR), [extended detection and
response (XDR)][4], and endpoint security, with an emphasis on identity
and cloud security.

The broadcasting provider is also relying on automation to support the
volume and velocity of data that is driven across its networks, says
McClure. While some of the automation capabilities are native to the
technology in use, the company also utilizes [security orchestration,
automation, and response (SOAR)][5] technologies across multiple
platforms.

In contrast, automation is in its "very early days" for JLL, Shepherd
says, as the organization moves away from outsourcing to in-house
security. The company is focusing on endpoint and cloud security, and
that is also where the focus is for automation. Shepherd is designing
automation that pulls data from every endpoint every 15 minutes to look
for indicators of risk in real time.

In the past, security was siloed at Jones Lang LaSalle, so the current
focus is to set up technology that will allow the security team to have
better visibility into the whole environment, Shepherd says.

Aptiv's focus is a little different, as the company is looking to adopt
technology that brings more security efficiency and quality, with a
greater focus on [secure access service edge (SASE)][6], Cunha says.
Aptiv also invests in operational technology security for its
manufacturing plants. There are a lot of different vendors for both
types of security, and a goal for Cunha is better consolidation of
technology and vendor solutions. Orchestration and automation tools play
a very important role in integrating security tools.

## Road to Data-Driven Security

As far as Aptiv's Cunha is concerned, you can't have orchestration and
automation without solid data analytics. Engineering teams use data
analytics to improve security tools, Cunha says, bringing search
capabilities to the SOC. Cunha's team performs its own data analytics
rather than relying on a platform.

Like automation, data analytics is still in the early stages at JLL, but
the data is still useful, Shepherd says. JLL uses analytics to help
determine what’s happening on the perimeter, he says.

Data analytics are used to control coverage and control efficiency, as
they help Sinclair understand the business and the assets that need to
be protected, McClure says.

## Biggest Security Concerns

Ransomware is the threat that keeps Shepherd up at night. It is the
biggest concern for JLL because of how it disrupts business operations,
he says.

The worries of Aptiv's Cunha center on threats that impact data liability
and organizational reputation, he says. While phishing is a common
attack vector, Cunha also has to contend with lesser-known threats
against operational technologies.

For McClure, ransomware and cybercrime are the biggest concerns, but he
points out that cyber threats have not become more sophisticated.
Instead, he thinks the barrier to entry for attackers has gotten lower,
which is why there are more attacks. The attack vectors themselves, he
says, haven't changed much over the years, and cybercriminals are using
the same methods to get into the system.

The volume of attacks is the greater challenge for organizations,
McClure says, not increased sophistication in attacks.

  [1]: https://www.darkreading.com/edge-articles/2022-security-priorities-staffing-and-remote-work
  [2]: https://www.darkreading.com/operations/security-culture-an-ot-survival-story
  [3]: https://www.darkreading.com/attacks-breaches/human-threat-hunters-are-essential-to-thwarting-zero-day-attacks
  [4]: https://www.darkreading.com/dr-tech/now-that-edr-is-obvious-what-comes-next-
  [5]: https://www.darkreading.com/operations/coming-soon-to-a-soc-near-you-posture-management-and-virtual-assisstants
  [6]: https://www.darkreading.com/cloud/sase-definition-still-cloudy-forum-proposes-standard