Miller Kaplan is one of the top certified public accounting firms in the United States with a dedicated information security department. The Chief Information Security Officer David Lam will be sharing more details and security insights with us in this exclusive interview with TechBullion.
Please tell us more about yourself and your journey as an information security expert?
I started my information security journey in 1991 when I was the Computer Services Manager at Residential Life at UCLA. We were about to be one of the first universities in the nation to let several thousand students onto the Internet. In fact, for six months, we were the largest ethernet network in the world. I flew to San Francisco for training, and I was captivated. The idea of protecting your systems from the bad guys is a satisfying profession. Since then, I’ve helped many businesses cost-effectively secure their infrastructure. I also teach in the UCLA Extension Technical Management Program, which teaches technical professionals leadership skills.
I have a CISSP (information security) and a CPP (physical security) for security-related certifications. I’m also a Certified Six Sigma Black Belt by ASQ.
What is Miller Kaplan and what unique services do you provide?
Founded in 1941, Miller Kaplan is one of the top 100 certified public accounting (CPA) firms in the United States. Our CPAs are trusted consultants on many issues to help individuals, businesses, and other organizations plan and reach their financial goals. But we are more than just a CPA firm. Leveraging backgrounds from various industries, the Miller Kaplan team offers business management, audit, accounting, tax, licensing and royalty, industry metrics, and information security services tailored to each client.
For information security, we believe businesses must manage the security and privacy of information with the same discipline they use to manage finances and other critical operations. Miller Kaplan’s experts are an independent set of eyes that can help you be reasonably secure and ensure that IT fulfills its promise to your business. In addition, we have been assisting clients in navigating the ever-increasingly complex laws and regulations surrounding information security management for more than 20 years.
Miller Kaplan has a department dedicated to information security; how specifically do you ensure security from this department?
The secret sauce to an Information Security Management Program is threefold:
- Someone needs to be in charge. At Miller Kaplan, this is me, and I report to what we call our Information Governance Leadership team.
- You need to have policies and standards that define your information security management program. These policies and standards let you know the bar that you are shooting for. For example, senior executives have to ensure that governance is in place so that each organization knows that IT is fulfilling its promise to the business. That’s the purpose of our Information Governance Leadership team.
- To keep your program on track, you must meet regularly to ensure progress against your standards.
What is the current global market size of the Information and Cyber Security industry and what major issues the industry is facing in 2021?
Depending on who you ask, the global market size of information security is well over $150 billion.
The biggest issue we are facing is enough qualified staff to fulfill our roles. We’re currently millions of people short worldwide for information security roles. That’s not necessarily bad when you’re a consultant because it increases your value to your clients.
The Colonial Pipeline ransomware attack has raised major concern among US security experts, what do you think went wrong?
We don’t exactly know what went wrong in the ransomware attack, but we know that Colonial Pipeline had previous audits which uncovered severe deficiencies. One of the quotes regarding the 2018 audit was something like “an eight-year-old could hack into the system.” We know that the company did not hire a specific senior information security expert. Instead, they created a position within IT. They are trying to hire an information security expert now, though. That is one of the biggest problems we see – not having someone in place to ensure basic information security practices are in place – it’s a recipe for disaster. It sounds like they did not have the basic, low-level security hygiene in place, which really does help stop these attacks.
How can technology help companies take preventative measures against similar attacks like the Colonial Pipeline ransomware?
While there are some highly sophisticated technology tools out there, nothing substitutes for the three-step approach I detailed above. If an executive is not in charge, if there is not subject matter expertise, and a program of policies and standards explicitly enforced regularly, there will undoubtedly be problems. We recently had a client who did not lock out one of their IT staff members upon an unfriendly termination. The staff member in IT deleted over 100 servers, despite the client having some of the most advanced technology. And, technology is not going to stop someone from giving away their passwords if they click on a link on their iPhone.
Many companies still rely on IT alone to assess security risk, is this good enough?
The reliance on IT is a specific and enormously dangerous mis-framing of the problem. IT is not qualified nor focused on the right way to ensure that your systems are reasonably secure. IT is focused on getting your systems working. Even when I was working in IT and had security responsibilities, I found myself torn between the two goals – ensuring systems are up and running and keeping them secure. And, that’s assuming your IT staff is sufficiently educated in security matters. The fact is, an independent subject matter expert must be involved to successfully and cost-effectively navigate the security landscape. And, IT is rarely placed at an appropriate level within the organization to truly affect culture change.
The shift to remote work due to COVID pandemic has increased the scope of risk, how do we meet up with this Cybersecurity demand?
Interestingly enough, if you have an effective Information Security Management Program in place, securing the remote workplace is not that difficult. It’s a matter of understanding the primary risks, such as allowing people to use their own machines to access your corporate systems and putting in commercially reasonable controls to address this. Those controls do not need to be expensive. For example, we have clients who have used $200 Chromebooks to address the remote access problem and have very reasonable security controls in place.
For investors, partners, and businesses, any available opportunities you would like to share with us from Miller Kaplan?
We would love the opportunity to talk to businesses about what they are doing to secure their systems. We get a lot of companies that say their IT folks have said everything is okay. I’ve had a few of those conversations just this week. If there is not an information security professional involved, they have always been wrong. I’ve never seen a situation where there is no significant room for improvement, so why not have a conversation and find out?
With regard to partners, we love partnering with IT firms and other vendors to find synergies in working together. In addition, we love to help IT firms implement commercially reasonable Information Security Management Programs.
For more information, visit: MillerKaplan.com
