Is the Enterprise Browser Secure? A CISO Speaks.

Explore cybersecurity at scale with Teleperformance CISO Jeff Schilling on CXOTalk episode 850. Learn how Island's enterprise browser secures global operations and balances security with usability. 

25:16

Aug 15, 2024

In CXOTalk episode 850, host Michael Krigsman speaks about cybersecurity challenges with Jeff Schilling, Chief Information Security Officer of Teleperformance, one of the world's largest business process outsourcing firms. With 500,000 employees across 100 countries, Teleperformance faces unique security risks due to its global reach and diverse client base. 

Schilling discusses how his team manages these challenges, using innovative technologies like the Island Enterprise Browser to enhance security while maintaining employee productivity.

The conversation explores Teleperformance's approach to balancing robust security measures with operational efficiency, the importance of collaboration between security and IT teams, and strategies for effective risk management in a complex, multinational environment. Schilling also shares insights on measuring security value and implementing new technologies across a global organization.

Episode Highlights

Implement granular security controls through enterprise browsers

  • Utilize enterprise browsers to manage employee interactions with corporate and client environments, allowing for fine-tuned control over data access and usage.
  • Leverage browser-based security features to extend the lifespan of hardware investments and reduce endpoint capital expenditures.

Balance security measures with user experience

  • Strive to make security measures invisible to employees, engineering security out of the user experience where possible.
  • Implement flexible policies and quick approval processes to accommodate legitimate business needs while maintaining security.

Collaborate closely with clients on shared risk management

  • Conduct regular risk assessments for each client to identify and categorize risks as company-owned, jointly-owned, or client-owned.
  • Provide documented reports to clients detailing the results of security risk assessments and recommendations for mitigation.

Align security strategy with IT infrastructure

  • Foster a strong partnership between the CISO and CIO to ensure security measures support and enhance overall IT strategy.
  • Integrate security solutions with existing IT service management tools to streamline processes and improve response times.

Adapt security training and awareness programs

  • Create engaging, scenario-based training that focuses on practical situations employees may encounter.
  • Regularly test employee knowledge through simulated phishing campaigns and use results to inform penetration testing and red team exercises.

Key Takeaways

Transform the browser from a security risk into an enterprise asset

The enterprise browser can be a powerful tool for managing security risks and improving operational efficiency. By implementing granular controls through the browser, companies can protect sensitive data, reduce hardware costs, and simplify the user experience. This approach allows organizations to balance robust security measures with employee productivity, creating a win-win situation for IT and business operations.

Implement shared risk management with clients

In a business process outsourcing environment, security is a shared responsibility between the company and its clients. Regular risk assessments and clear communication about risk ownership are crucial for maintaining strong client relationships and protecting both parties' interests. Companies can build trust and differentiate themselves in the market by proactively identifying and addressing security concerns.

Design invisible security for maximum effectiveness

The most effective security measures are often those employees don't notice. By engineering security controls into the background of daily operations, companies can reduce the burden on employees while keeping a strong security posture. This approach minimizes disruptions to workflow, increases compliance, and allows employees to focus on their core responsibilities rather than on complex security procedures.

Episode Participants

Jeff Schilling is Teleperformance’s Chief Information Security Officer responsible for the overall direction, coordination, and evaluation of the cybersecurity function and global information security incident response. He serves as the strategic advisor to the Board of Directors and C-Suite on all matters relating to cybersecurity posture, readiness, investment, and risk. He is a retired U.S. Army Colonel with 24 years of military experience in IT service management, product management, Chief Information Officer roles, information security, and global cyber operations. Since retiring from military service, Jeff’s functions have included managing an international incident response practice and multiple Chief Information Security Officer positions for global multitenant service provider companies.

Michael Krigsman is a globally recognized analyst, strategic advisor, and industry commentator known for his deep expertise in digital transformation, innovation, and leadership. He has presented at industry events worldwide and written extensively on the reasons for IT failures. His work has been referenced in the media over 1,000 times and in more than 50 books and journal articles; his commentary on technology trends and business strategy reaches a global audience.

Transcript

Michael Krigsman: Welcome to CXOTalk where we discuss leadership, AI, and the digital economy. I'm Michael Krigsman, and we are talking cybersecurity at scale with Jeff Schilling, Chief Information Security Officer of Teleperformance, a large business process outsourcing company with 500,000 employees.

I want to give a huge shoutout to the Island Enterprise Browser, which is making today's episode possible. Jeff, tell us about Teleperformance.

Jeff Schilling: Teleperformance is the largest business process outsourcing company in the world. We deliver client experience services in 170 countries with a physical presence in approximately 100 countries.

Our main goal is to reduce friction between our clients and their customers by providing the right human touch and emotional intelligence powered by advanced analytics, AI, and machine learning.

Michael Krigsman: Jeff, tell us about your role as chief information security officer.

Jeff Schilling: I'm the global CISO. I've been with the company for about 4.5 years.

On my team, I have about 600 employees in over 40 countries. Basically, we're responsible for information security monitoring and response, and I also have a fraud detection and response team.

Because of our contractual requirements, we also have to stay compliant with some of the global information security standards that are out there such as ISO 27001, ISO 27701, PCI DSS, as well as HITRUST where we deliver U.S. health care services.

Michael Krigsman: Jeff, you mentioned the word friction. What do you mean by that?

Jeff Schilling: Teleperformance, what we do for a living is provide customer experience. It's our bread and butter. A lot of our clients, they have other things that they do for their customers.

What we do is we go out and we recruit the best humans with the best emotional intelligence. Then we apply the technologies to support those humans to deliver those customer experiences. That could be generative AI solutions as well as the telephony as well as chat solutions that help our clients engage with their customers.

Michael Krigsman: Jeff, what are the unique challenges of securing a global BPO company?

Jeff Schilling: Our global reach is probably the biggest challenge, being in over 100 countries. Then we also operate in 300 languages as well as 300 different cultures. And so, understanding how to manage security across that global human terrain is something that we have to take into account.

The other thing is my security program isn't just my security program. I have a shared risk management program with our 1,400 clients because we have a shared risk environment, and we have to ensure that my security program complements our customers' security programs.

Then like any company our size, our CEO and founder started the company with 10 people, 10 telephones, over 40 years ago. Now we're 500,000 employees.

We've grown through acquisition. Any company that's grown through acquisition has a lot of IT boundaries out there that you have to work across. And so, that's one of the other big challenges is having those solutions that allow us to work across those multiple IT environments.

Michael Krigsman: Jeff, how does Island's enterprise browser help you manage these various risks?

Jeff Schilling: One of the things you have to level-set on is what a browser is. The browser is our employees' window into not only our corporate environment but also into our client service delivery environment, because many of our clients use a browser-delivered application for agents to work on, and our agents are the ones working for our clients.

What Island gives us is that tool to manage how our employees interact with our corporate environment as well as our clients' applications and then be able to manage that risk very granularly. One use case that I call out, we may have a client that may want our agents that are supporting them to be able to go to YouTube to watch YouTube videos for some reason.

That can be a risk if they're allowed to post comments on YouTube, because that could be a way they could get data out of the environment. Being able to render that YouTube experience for our back office employees or our front office employees, but then not render the ability to post comments, is one of those granular controls that I'm talking about.

Then the last thing is, because we're such a large IT environment, having remote access to those different environments for some of our key IT professionals (as well as some of our workforce management folks who are centralized in our global business services) without having to have all those different logins to those different environments is a plus, and we use Island for that remote access.

Michael Krigsman: It sounds like the way you use Island is highly multifaceted.

Jeff Schilling: A couple of things were really hard for us to do at scale. First is data loss protection, both from, say, a chat scenario as well as files moving around our environment that may be corporate confidential or corporate restricted. We don't want that to move out of the environment, as well as some digital rights management.

Island is a great solution for that as well as just simply controlling the Web access of our employees – similar to what a proxy does, I think, but even better – because it can manage that presentation layer and mask things that we don't want our employees maybe to be able to do.

Then the last piece from the browser perspective is the secure password vault is very effective for us. Having that in an environment that we can control (as opposed to maybe, say, back office employees using their personal accounts to save their passwords in their browsers) is definitely a huge value for us.

Then two other major things that Island brings to us are the ability to reduce our virtual desktop infrastructure, especially where we have key employees that are accessing multiple environments. Instead of stacking those virtual desktop licenses on one user, they just need one virtual desktop. Then they can use Island to interact with the different environments.

Then probably the thing that my CIO likes the best about Island is it allows us to extend some of the capex investments that we make on endpoints from three to four years to maybe six to seven years because many of our employees are only interacting with the Office environment through the Office productivity tools. All that can be done through Island as the enterprise browser, so it really drives down the equipment and endpoint needs that an employee has and allows us to stretch out that capex spend.

Michael Krigsman: Jeff, how is your team organized?

Jeff Schilling: I have a global staff of about 250 security professionals. Then we have four regional CISOs.

Each regional CISO has a portion of the organization that is somewhere between 90,000 and 120,000 employees. On their security staff, they have approximately 100 folks. We're organized into those four regions.

Michael Krigsman: How does your security organization interact with the rest of this very, very large business?

Jeff Schilling: We run several governance processes of which I'm a co-chair with other key leaders. On the procurement side, it's the third-party risk management committee. On the privacy side, it's the Teleperformance privacy and security committee. Then with the enterprise risk management team, I am a co-chair of our global compliance and security council.

We run that governance process to ensure that we're managing risk across those four towers inside the corporate business. But then we also interact on a daily basis because we're constantly monitoring our environment both for information security incidents and cybersecurity incidents as well as fraud incidents.

There are really two different ways. It's through a governance process and then as well as a service provider providing those security services to all of our business owners.

Michael Krigsman: Given your large footprint, you must be a kind of early warning system for various evolving attacks and threats.

Jeff Schilling: It's not just because of who we are. In fact, not many people have heard of Teleperformance. But they definitely have heard of every one of our clients because, of those 1,400 clients, 850 of them are Fortune 1000 companies. A lot of the time the threat actors may actually be attacking our clients but the target that they're actually attacking is Teleperformance.

Michael Krigsman: As these threat actors become more sophisticated and their techniques evolve, what is the impact on your response?

Jeff Schilling: At the end of the day, we want to focus on doing four things very well when it comes to cybersecurity.

The first thing that we want to do is to protect our environment from rogue access. That means a threat actor getting a foothold inside of our environment. In fact, I'll tell you most of our security spend goes into the technology to provide that first key performance factor.

The next thing that we do is protect elevated privileges because, with a 500,000-person company, we know that we're never going to be able to prevent that rogue access every time. So, at the end of the day, the threat actors are trying to get after elevated privileges. If we protect our elevated privileges using FIDO2 technology and make them almost impossible to compromise, then the threat actors are typically not able to get what they need from the environment if they can't elevate privileges.

The third thing that we do is we want to protect against data leakage. Data leakage doesn't always occur just because of a data breach or security incident. Sometimes employees just make mistakes.

That's where a tool like Island comes in to really help us because, as that browser, a lot of the times that data is moved and accessed through the browser, and then we can write the security controls inside of Island.io to make sure that if we don't want a piece of data to leave the environment, we can tag it. As an employee tries to move that data, then Island would prevent that.

Then the last thing is we know that we're not going to be perfect. We need to ensure that we can respond very quickly and decisively when we do detect an incident. That's something that we measure on a monthly basis to make sure that we're staying ahead of the threat, which right now the average threat can usually get a foothold within an environment in less than 60 minutes. Our goal is to be able to detect, respond, and mitigate in under 30 minutes.

Michael Krigsman: Island then is the intermediary between employees and the outside Internet and, therefore, that's how you're able to manage security through Island. Is that a correct way of saying it?

Jeff Schilling: I think it's both the outside world and how we interact with the World Wide Web, as well as internal with our corporate applications, because we also access our files (whether it's in SharePoint or other Office productivity tools) using the browser. Actually, that's where I think we get the best return on investment: controlling how our employees are interacting with our internal corporate environment.

Michael Krigsman: On this topic of controls, how do you balance security and control against ease of use and not putting obstacles in the way of your employees as they do their daily work?

Jeff Schilling: One of the things that we try to do with our security program is make it invisible to our employees and make it where our employees don't really have to think about security.

I know that that sounds counterintuitive because a lot of CISOs want the employees thinking about security and training on security. But when you operate at the scale that we operate at, we have to do the best we can to engineer the security out of the user experience so that they're being protected but they don't really have to take any actions.

That's where a technology like Island is great for us because we can granularly control how they interact with both the external world when it comes to their Internet browsing as well as how they access our corporate Office productivity tools.

Michael Krigsman: You're putting policies in place that enable employees to do their work but, hopefully, don't present obstacles or interfere with that work getting done.

Jeff Schilling: Obviously, we're not going to be perfect at that. A good use case here that we've engineered is there may be a website that one of our back-office employees needs to go to but maybe where we have it blocked for some reason. Maybe it's in a category of sites. Maybe it's gambling. Maybe it's something that we don't want our employees to go to on a regular basis.

When that happens, we have an integration with our service management tools such that the employee can request to have that opened. And because Island integrates well with our IT service management tools, within hours we can have that website unblocked and approved, something that could typically take weeks to get done.

Michael Krigsman: You maintain the flexibility to be responsive to the business needs while keeping those policies in place.

Jeff Schilling: Yes, absolutely.

Michael Krigsman: Jeff, how do you measure and communicate the value, the importance of security to the organization?

Jeff Schilling: Obviously, our company has made a huge investment in the security technology that we use. One of the things I communicate back to the business is how well are we implementing that security technology. What really helps us is when the security vendors can provide benchmarking or some type of tool that can help us measure how well we've implemented the full capabilities.

Then with a partner like Island, it's even more valuable in that sometimes we may have a use case that maybe Island is just on the edge of just being able to handle. Then being able to communicate that to them that maybe there's a feature request that we would like to either tweak a capability that they have or an added capability, that's huge value for us.

Then how do we measure it to the business? For us, it's all about business impact. Did we have any interruption in service, and was there a financial impact to the company or a client due to any type of security incident that we may have?

Then the last thing that we are trying to provide value back to the company for is protecting our reputation. As you know from all the data breaches that are announced almost every day, especially now with the new SEC reporting requirements, it can really take a company a long time to recover from a major security incident. And so, that's another piece that we try to show the value back to the company is that we're managing our reputation and not having damage from a major security incident.

Michael Krigsman: You're looking at both industry performance benchmark data as well as security breaches and other impacts directly on the business. That's your measurement approach.

Jeff Schilling: Yes.

Michael Krigsman: Jeff, how do you use risk assessments and penetration testing to identify areas for improvement?

Jeff Schilling: Our service delivery environment is a shared risk environment. Our agents are logging into our IT infrastructure. Then they are connecting to our client infrastructure where they use the applications that our clients manage to deliver those services.

We have to constantly do risk assessments for every single client to understand – because every client is unique – to understand what are the risks that are Teleperformance's own risks that we need to mitigate on our side, and then what are some of the ones that are jointly owned by us, and then what are the ones on the client side that we see that the client should address? Continuously communicate that to the client so that we understand where the risk is.

Now the pen testing and red teaming for us is important because of the global complexity of Teleperformance and especially the complexity of our IT environment. We have to constantly be checking to make sure that our security controls, as well as our policies, are in place and that they are working as designed.

We use penetration testing and red teaming to basically check our environment. We do it in a scenario base.

The way I like to explain it is, what if an agent had their machine compromised? What would a threat actor be able to do with that? Then we run a pen test or red teaming from there.

What if the red teaming person or the threat actor gets access to a help desk person's environment? Then we do the penetration test from there.

We don't start with the red team having to get access. We assume that at some point the threat actors are going to get access, so we do more of a scenario-based red teaming.

Michael Krigsman: You're working highly collaboratively with your clients. You have your own set of standards and processes. Then you're interacting with them as a shared security responsibility we could say.

Jeff Schilling: Right. We actually send documented reports to every single client that we call a Security Risk Assessment, which really gives the results of that security risk assessment. Then it also provides that binning of the risk, whether they're Teleperformance-owned risks, risks that we share together and need to work on together to solve, or risks on the client side.

Michael Krigsman: Again, it's a highly collaborative approach.

Jeff Schilling: Yeah, absolutely.

Michael Krigsman: What about your process for rolling out or introducing new software?

Jeff Schilling: We're constantly doing gap assessments to see what holes we have in our security strategy. Because the threat actor is always changing, we can never sit back and say, "Well, we're done."

We've made all these investments in security, so we're constantly doing gap assessments, but we usually try to formulate all the gaps towards the fourth quarter and really understand what are the gaps that we need to close for the next year. Then we go through a process of looking for solutions and doing proof of concepts and bake-offs to see which technologies are best suited for Teleperformance.

Then obviously, we'll make a selection out of that. Then you have to go through the third-party risk assessment as well as a contracting process.

Then you have to establish a good global project plan. We have some of the best project managers in the world to make sure that you're doing the full implementation of that technology.

When I ran an incident response practice years ago, when we would roll up into a company, that was usually the biggest thing that we noticed was that the security technology was bought and paid for but the companies never fully implemented the technology. That's something that we focus on here in Teleperformance, and we have very detailed project plans to make sure we fully implement.

Michael Krigsman: We've just spoken about rolling out tools, but what about the processes?

Jeff Schilling: We typically align to the industry best practices, and those best practices are measured every year through our certifications, whether it's ISO 27001, ISO 27701, or PCI DSS. We also get SOC 2 certified. So, we're constantly being checked to ensure that we align to those best practices, because we have to have that documentation for our clients.

But then, obviously, things change. The threat actors change. So, really where we see the most change happening is down at that procedure level in how we respond when certain things happen.

Our processes stay pretty standard and aligned to the industry best practices, but our procedures are where that tactical change happens that allows us to adjust to what a threat actor is doing.

Michael Krigsman: You were just describing the rollout process for new software, new technologies, new tools. Can you use Island as an example and tell us how you rolled that product out?

Jeff Schilling: We were looking for a solution for how we managed our corporate interaction with both the external Web and our business productivity tools, and a secure browser seemed like the technology we were looking for. Once we decided to go with Island, we really partnered with our IT platform team that's responsible for our desktop experience for our employees. That partnership has really made this project take off and go quickly, because we're not only solving a security problem with the enterprise browser but also solving an IT problem, and that's access to those many networks.

Michael Krigsman: Jeff, your comments indicate a very close relationship between your team in security and the IT team. I think this is such an important point.

Jeff Schilling: I think that any CISO that's not partnered with their CIO is set up for failure. This has been my third CISO role, and I would say I have the best relationship with our CIO and our IT organization of any of those last three companies that I've worked for.

It's funny because this is the first time that I actually don't work directly for the CIO. But that partnership between the two of us is very important.

I like him to look to me as a service provider and he's my customer. And so, we work hard every day to make sure that we are staying up with the IT direction that they're going in, their IT strategy, as well as ensuring that we provide the security services to his organization to make sure that they're protected.

Michael Krigsman: This close relationship is very clear. It's very apparent.

Jeff Schilling: Yes.

Michael Krigsman: Jeff, what are the security and awareness training challenges in such a large organization of 500,000 people?

Jeff Schilling: One of the things we always try to do is to keep our employees' responsibilities to a minimum. In other words, the security technology is protecting them and there is not much that the employee has to do.

Unfortunately, you never get to where that's zero, so one of the things that we did, and this sounds counterintuitive, is I actually shortened the training last year. We made it more engaging.

What we actually saw was that the test questions were a little harder and they weren't so much gotcha, but the employees actually performed better because the training was more scenario-based.

The other thing that we do is test the knowledge through phishing emails because, at the end of the day, that's still how threat actors get access into most large enterprise environments: through phishing email. We send out about 100,000 phishing emails a month across our whole environment.

We test that on a regular basis, and we like to measure what is our click percentage. Not only what is our click percentage, but how many of those employees actually follow through with the actions that the threat actor is asking them to do in the email.

Then the last piece of that is this also informs our red team and our penetration testing team on where they need to focus when they are engaging our employees through that red teaming and pen testing to see where our weaknesses are.

Then the last thing that we have the capability to do is, as we see emerging threats – say we see threat actors SMS-phishing our employees and maybe pretending to be our CEO – we can send out what we call BOLO messages (be on the lookout messages) very quickly to all of our employees, within hours, with a particular message. Then we can translate it into the 14 operational languages that we use to make sure everyone is aware of an emerging tactic, technique, and procedure.

Michael Krigsman: At the end of the day, Island is helping simplify your technology landscape. At the same time, it's efficient from a cost standpoint. It's helping you save money.

Jeff Schilling: Absolutely, and it's really making our employees' window to our corporate and client environments simpler, safer, without the employees feeling the impact of security technology on their everyday productivity.

Michael Krigsman: It's a good combination.

Jeff Schilling: Yes.

Michael Krigsman: Jeff Schilling, thank you so much for taking time to speak with us.

Jeff Schilling: Yeah, I appreciate your time, and thank you for this opportunity.

Published Date: Aug 15, 2024

Author: Michael Krigsman

Episode ID: 850