Every IT professional must understand the crucial relationship between IT governance, security, processes, and support from a trusted source. A well-known expert on information technology risk, Brennan Baybeck, explains what you need to know.

Brennan Baybeck is vice president of Global IT Risk Management for Oracle Corporation (USA). Baybeck leads IT security risk management for Global Customer Support Services at Oracle Corporation. In this role, he is also responsible for leading security, privacy and availability for Global IT's key enterprise IT services, including GIT's cloud initiatives. He has more than 20 years of experience in IT security, risk, audit and consulting and has worked in various industries designing, implementing and operating enterprise-wide programs to address global security risks. He has held leadership positions at Sun Microsystems, StorageTek and Qwest Communications, and served as an information security risk consulting manager for several years. Baybeck has also been actively involved with ISACA for more than eight years, serving as chair for various working groups and as a board director.

Transcript

Michael Krigsman: Security risk and governance are absolutely essential for IT professionals in the enterprise today. We're speaking with Brennan Baybeck, who is the vice president of Global IT Risk Management at Oracle. Brennan, how are you?

Brennan Baybeck: Great. Thank you, Michael.

Michael Krigsman: Tell us about your environment.

Brennan Baybeck: Our environment is extremely complex. We're currently in a transformation where we're moving much of our IT infrastructure and IT systems to the cloud. And so, we would be what people consider a hybrid environment where we've got things that are still on-premise in our data centers that we own and manage. We have things that are definitely all completely cloud-based, and then we have things that are in the middle that are used to help us interface the systems in the different environments.

Best Practices

Michael Krigsman: Brennan, share with us some of the practices that you follow that perhaps others can learn from.

Brennan Baybeck: The practices that we follow that I think would be beneficial for people to hear about, one is the way we manage our threats and vulnerabilities at the company. We have a governance program in place for that where we are actively seeking information from all of our vendors. Oracle is a big one, of course. Understanding what the threats and vulnerabilities are to our environments, what they're doing in relation to their products to address threats and vulnerabilities and, alongside that, we have a good asset inventory system where we keep track of all the assets so that we know what we have to patch and when and where the vulnerabilities should be applied.

Michael Krigsman: Are there specific challenges that you face as you go through and try to execute this program you're describing?

Brennan Baybeck: Yeah, definitely the asset inventory at a large company like Oracle is a challenge and all my peers that have companies of our size have the same challenges. The challenge there is that things are changing so rapidly that keeping those assets up to date, ensuring that they are automatically updated through automated techniques and things are what we're really looking for.

Oracle has got a great program around that. They link the vulnerability information as well as the patching information through that automation as well. That's very beneficial to us.

Governance and Security

Michael Krigsman: Brennan, what's the relationship between these types of governance practices and the end result of having excellent security?

Brennan Baybeck: Having a good governance program gives you many benefits. The first one is protecting the business and the critical assets of that business. The critical assets, one of the main critical assets is the data. But if you're in a services business like we are at Oracle, good governance also helps drive compliance with contractual requirements with customers, regulatory compliance with regulators.

Additionally, it also helps with ensuring that the various components of your security program are covered, whether it's security operations, change management, configuration management, patching, threat intelligence, whatever. Starting with that good governance program, those are what the benefits are.

Michael Krigsman: You're describing, it sounds like, governance that covers both the technology deployment details as well as the processes.

Brennan Baybeck: Yes. Actually, any good governance program should cover not only those two areas, the process and technology, but also the people. There's an old security saying that the people are the weakest link in the security chain. We still see that today. I've been doing this over 25 years. Especially in large organizations with companies that are moving into DevOps processes and building security into those processes. It's more like a security education and making people part of the solution versus just sitting on the edge.

Governance and DevOps

Michael Krigsman: Brennan, you mentioned DevOps, and we hear lots of discussions these days around DevOps, but we don't hear too much about the role of governance and risk management in DevOps.

Brennan Baybeck: The role is actually changing quite a bit. In the past, you would see security risk people and governance individuals kind of sitting on the edge in a checklist type approach where the project would get done and then security and governance would come in, check some boxes, and determine whether or not it's active in addressing the requirements that it's supposed to.

In DevOps, that's a lot different. Things are iterating very quickly. Things are happening; multiple iterations in a day. The governance professionals and security professionals have to kind of rethink, retool, and reskill themselves on how they're going to interface into those types of processes.

Process Change

Michael Krigsman: Well, of course, then I have to ask you; how will they retool and make sure that they're fitting into those kinds of processes?

Brennan Baybeck: As an example, what my team is considering and starting to work towards is, instead of being a person that is in there in the middle like a gatekeeper, we look to automation to do that. We look at making the developers responsible for implementing the proper security into their products and their services.

One way that we look at this is, instead of it being a security vulnerability, it's not a defect in their code. They know how to react to a defect in their code, which is, they need to fix that. It's just like any other defect that they're working to fix in the next iteration.

In the past, the security vulnerability would have been something that would ship off to a security professional to go look at, make an opinion on it, and then instruct that person to do a certain type of change. We want to get out of that role and in that process. What we want to focus on is creating the automation to allow them to move faster, create the value faster, and to enable the business.

Michael Krigsman: Okay. Brennan Baybeck, thank you so much.

Brennan Baybeck: Thank you, Michael.