How Salvation Army Australia’s CISO moved away from ‘extreme risk’

When he took on a role as executive manager of cybersecurity for the Salvation Army Australia in 2019, Lachlan McGill knew he was in for a challenge, but it was only as he began educating himself about the organisation’s reach, and its woeful cybersecurity status, that he realised just how big a challenge it would be.


Security protections had evolved in a piecemeal way over time as the organisation worked to maintain the cybersecurity of its operations — which span a broad portfolio of services including aged care, employment services, retail, domestic violence support, homelessness, alcohol and drug addiction, and more — and McGill saw his remit laid out before him.


“When I got to the Salvos there was no formal awareness program in place and no vulnerability management program,” he said during the recent Gartner Security & Risk Management Summit in Sydney, where he noted that “subpar” web and email filtering made it clear there was a lot of work to be done to get cybersecurity at the “very complex organisation” up to scratch.


With maturity at a low level, McGill said that there was work to be done to ensure all those services provided were secured.


Even before joining the organisation, discussions about the Salvos’ enterprise risk-management strategy had revealed the immensity of the task, with the board’s fledgling enterprise risk register already flagging the organisation’s cybersecurity risk as being “extreme”.


“Although [an extreme risk rating] can be quite alarming for some people, I saw it as something positive. I saw it as a way to get support, and there was definitely support there,” McGill said about how the organisation had already been working with Secureworks to formalise a strategy for enterprise risk management.


Patching holes in the cybersecurity posture


Even with top-level support, however, addressing underlying weaknesses in the organisation’s security architecture was a 12-month endeavour. One major shortcoming was the lack of visibility across the Salvos’ IT infrastructure, compounded by a lack of adequately skilled staff to monitor and action its infrastructure.


To address these issues, a core long-term goal was the addition of a managed security operations centre (SOC), which McGill promoted to the executive even as his team worked to reduce overall cyber risk by filling gaps in vulnerability management, security awareness training, email filtering, and other key cybersecurity capabilities.


The team simultaneously faced a host of other challenges as new government requirements elevated the importance of clear, auditable cybersecurity controls.


Specifically, Department of Education, Skills & Employment (DESE) guidelines required employment services providers like the Salvos’ Employment Plus to demonstrate compliance with a host of cybersecurity standards — including the Essential Eight Maturity Model, ISO 27001, and the government’s Information Security Manual (ISM) — in order to be accredited under the DESE’s Right Fit for Risk (RFFR) program.


McGill’s cybersecurity team of four had been working with the 450 staff of Employment Plus for 18 months to attain RFFR certification in a process that, he said, “is going reasonably well — but it’s only a matter of time until there are more obligations coming to the rest of the business.”


The Salvation Army moves all core workloads to the cloud


As well as coping with the myriad demands of the COVID-19 pandemic’s work-from-home shift (and attendant migration to Microsoft Office 365), McGill’s team has been working to maintain security throughout the course of a far-reaching cloud transformation initiative.


That initiative has seen nearly all of its core workloads — including HR, service delivery, access management, incident management, financials, a corporate learning platform, and “just about our entire security toolset” — moved to the Microsoft Azure cloud platform, rapidly improving application security controls, according to McGill.


“Vendors have come along in leaps and bounds in the level of security they’re deploying in the cloud” in recent years, he explained, “and we won’t put anything on-prem unless there’s a very compelling reason to do so.”


Throughout the multi-headed program of work, McGill regularly referred to the enterprise risk framework to explain to the board how the project was progressing and what else was needed.


“They’d often ask what it was going to take to get the risk from ‘extreme’ down a level to ‘high’. I said that there were some key deliverables that we had to do, and that a managed SOC was one of them. I didn’t really leave them with a lot of choice,” McGill said.


Board support can be a two-way street, however — something McGill learned late last year, when the board organised a cybersecurity maturity assessment and excluded him and the chief information officer from the proceedings.


The board only wanted an external consultant in the meeting, McGill explained, so they could grill them about progress to date and what resources would be necessary to continue improving the organisation’s cybersecurity posture.


It was a pop quiz on McGill’s progress to date — and “we got a relatively good scorecard,” he said.


After this the board asked what it would take to reach target maturity, to which he replied they were going to need to triple the size of the cybersecurity team. He got an email the next day that said those resources were approved.


Better visibility supports the target state


Given the success of McGill’s team in managing cybersecurity risk, taking the step towards a managed SOC capable of providing the badly needed visibility across the organisation became distinctly possible with that additional commitment of resources.


With such a diverse array of business operations to engage, McGill reached out to executive committees, senior management, and other administrators to advocate for the SOC and involve them in his work to improve the collective cybersecurity posture.


After issuing an RFP that attracted seven vendors, McGill’s team narrowed the search down to three and ultimately settled on Perth-based Seamless Intelligence, which proposed an on-premises SOC combining LogRhythm’s SIEM environment and its own managed security services.


“Because of the growing but lower capability of the skill set in the team, I needed a platform that could do the automation and orchestration” that wasn’t, as with so many other platforms, “an add-on”, McGill said.


Visibility where it’s needed most


Working together, the Salvos and Seamless Intelligence teams were able to stand up the SOC in around four weeks “until we started getting meaningful alerts,” McGill said, “and 18 months later I couldn’t be happier with what we’ve got.”


The Seamless team has proven to be extremely proactive in analysing new malware and adjusting the SIEM platform’s rule set to ensure a high degree of protection.


This proved critical after Russia’s invasion of Ukraine, when heightened concerns about cybersecurity compromise led the Salvos board to ask McGill how the conflict might affect their enterprise risk.


“I already had in my inbox an email from Seamless Intelligence saying that these are the exploits and TTPs of the Russians’ attacks and the rule set already in place to detect all of them,” McGill said.


“I hadn’t asked for it yet, but it just arrived in my inbox and I had it” to address the executives’ concerns.


That was a prime example of the importance of taking a broad, enterprise risk-focused approach to cybersecurity — and looking past the capabilities of the platform for a partner capable of ensuring that those defences remain as nimble as possible.


Although “the SIEMs on the market are all capable,” McGill said, “they all do things a little bit differently [so] you’ve got to have a team with great expertise to be able to run it and support it for you.”
