The Importance of Validating Controls: A Conversation with Trend Micro’s Ed Cabrera

Ed Cabrera, Chief Cybersecurity Officer at Trend Micro

Eduardo Cabrera, Chief Cybersecurity Officer at Trend Micro, is fond of quoting Winston Churchill, who once said, “Difficulties mastered are opportunities won.” This is an apt idea for today’s increasingly urgent compliance and security landscape. “It used to be enough to check off a box and say, ‘Yes, we have a control to match this or that compliance rule.’ Not any more, at least not if you don’t want serious trouble in your business.”

A former CISO of the Secret Service under President George W. Bush and Advisor to the DHS National Cybersecurity & Communications Integration Center (NCCIC), Cabrera is responsible for analyzing emerging cyber threats to develop innovative and resilient enterprise risk management strategies for Fortune 500 clients and strategic partners of Trend Micro.

Controls are becoming more dynamic

According to Cabrera, security vendors and makers of Governance, Risk and Compliance (GRC) solutions have become much more dynamic. They’re being asked to support controls that evolve over time. “Take ransomware,” said Cabrera. “It was a grey area for a while. You could be attacked and not have to disclose. That’s changing. Now, with HIPAA, for example, you’re obligated to report a ransomware attack. Whatever processes you have in place for breach notification need to keep up with this kind of change, and there are many of them going on today.”

The need for controls validation

The issue, as he sees it, is one of controls validation. “What’s actually working and what’s not? You need to know, and you need to know continuously,” said Cabrera. “If you implemented a control last May and haven’t checked it since, you could be in for a rude shock—not just in terms of audit, but in an arguably more serious way, with a security incident.” In collaboration with GRC (Governance, Risk and Compliance) partners, Trend Micro offers ways to automate controls validation and present security managers and boards with up-to-date reporting on the status of controls. Cabrera noted, “You’re only as good as your implementation.”