Getting a large organization to change its approach to security controls brings to mind the old joke about the number of psychiatrists it takes to change a lightbulb. The answer: One, but the lightbulb has to want to change. As Citrix has found, change is possible when stakeholders want to change.
Blame it on Spectre and Meltdown, the speculative-execution vulnerabilities in CPU design that shook the tech world when they were disclosed in January 2018. Prior to the revelation of Spectre and Meltdown, each business unit at Citrix had been responsible for its own security controls. Different groups had their own particular ways of doing things and their preferred frameworks, e.g. ISO 27001, SOC and so forth.
There had been attempts to unify controls, but progress had stalled. The need to bring controls under control was acute, however. This task fell to Michael Orosz, Senior Director, Global Cyber and Physical Security at Citrix, and his team. Once the company realized the extent of its potential exposure, it became easier to get people to believe in a common set of controls. To this end, Orosz has led the effort to implement the Common Control Framework (CCF).
CCF, which was introduced as open source by Adobe in 2017, brings together a wide collection of controls and requirements with the intention of reducing the duplication that comes from satisfying multiple frameworks separately. To illustrate the duplication that can occur in security and compliance, consider the control for backup management/resilience testing. To meet this control objective, an organization might follow ISO 27001 (A12.3.1), SOC (A13), PCI DSS (12.10.1) or all three in separate business units. This divergence of controls makes it difficult to know for sure whether the full organization is compliant and secure: each unit can pass its own audit while nobody can answer the question for the company as a whole.
To address this, CCF defines a single backup control for resilience testing and maps it to the corresponding requirements in the three frameworks, so one piece of evidence can satisfy all of them. CCF thus potentially saves time and resources in Governance, Risk and Compliance (GRC). “It creates a single version of the truth,” Orosz said. “However, it represents a reversal of the way things had always been done. That’s not always easy.”
The adoption of CCF requires that one functional area in the organization own all security and GRC controls. “We were trying to meet stakeholders halfway,” Orosz remarked. “But what happened, interestingly, was that once people saw the value of CCF they wanted to meet us on a 75/25 basis, with us doing the heavier lifting. We could be the owners of the controls, as far as they were concerned. It led to less aggravation for them.”
Orosz’s team nonetheless works on a consultative basis. This approach has worked well, and Citrix’s shifting business model makes it a timely development. “We’re doing more SaaS now, and in that mode of operating, you become the custodian of other people’s data. You have to be on your game, security-wise, when you start to play that role.”
In response to the increased responsibilities inherent in SaaS, Citrix has implemented Common Controls that cover processes like Virtual Machine (VM) creation and the Software Development Lifecycle (SDLC). “You have to be confident you’re secure all the way from start to finish,” Orosz said. “CCF gives everyone a useful, common reference point to do their work.”
The adoption of CCF has also eased the product certification process, and audits have grown a bit more productive, too. “The overall sentiment about audits has changed along with the adoption of CCF,” Orosz added. “It’s not the only factor, but now, when we do an audit, we want to hear the bad news, if there is any. We’d much rather find out about a risk exposure now, during an audit, than read about it in the paper.”