Certified Public Accounting Firm: Interview with David Lam, Partner and Chief Information Security Officer at Miller Kaplan
Miller Kaplan is widely regarded as one of the best certified public accounting firms in the United States, and the firm has a separate division devoted to information security. In this exclusive interview with TechBullion, Chief Information Security Officer David Lam shares details and insights on the state of information security.
We would appreciate it if you could tell us more about yourself and how you became an expert in information security.
When I was working as the Computer Services Manager for Residential Life at UCLA in 1991, I first became interested in the field of information security. We were about to become one of the first educational institutions in the country to grant access to the internet to several thousand of our students. In point of fact, for a period of half a year, we held the title of having the largest Ethernet network in the entire world. When I flew to San Francisco for training, I couldn’t believe how amazing the city was. A profession that involves warding off attacks from malicious actors sounds like it would be very fulfilling. Since that time, I’ve assisted a wide variety of companies in securing their infrastructure in a manner that is both effective and economical. In addition, I am a lecturer in the Technical Management Program at UCLA Extension, where I instruct technical professionals in the art of effective leadership.
Regarding certifications that are associated with security, I hold both a CISSP (for information security) and a CPP (for physical security). In addition to that, the ASQ has awarded me the title of Certified Six Sigma Black Belt.
What is Miller Kaplan and what unique services do you provide?
Miller Kaplan is currently ranked as one of the top 100 certified public accounting (CPA) firms in the United States. The company was established in 1941. Our certified public accountants serve as reliable consultants on a wide range of topics, assisting individuals, businesses, and other organisations in setting and achieving their monetary objectives. However, we are not simply a firm of certified public accountants. The team at Miller Kaplan offers customised services in the areas of business management, auditing, accounting, tax, licensing and royalty, industry metrics, and information security. These services are made possible by the team’s backgrounds in a variety of different industries.
When it comes to information security, we are of the opinion that businesses need to manage the security and privacy of information with the same level of discipline that they use to manage their finances and other crucial operations. The specialists at Miller Kaplan provide an objective set of eyes that can assist you in maintaining a reasonable level of security and guarantee that your company’s information technology delivers on its promises. More than 20 years ago, we began assisting clients in navigating the ever-increasingly complex laws and regulations that surround information security management. Since then, we have continued to provide this service.
Miller Kaplan has an entire department devoted to the protection of client information; how exactly do you make sure that this department provides adequate protection?
The three components that make up an effective information security management programme are as follows:
Someone has to take charge of the situation. This is me, and at Miller Kaplan I report to a group that we call our Information Governance Leadership team.
Your information security management programme needs to be defined by a set of policies and standards. These guidelines and expectations set the benchmark for excellence that you should strive to achieve. For instance, senior executives need to make sure that governance is in place so that their respective organisations are aware of whether or not information technology is living up to the promises it made to the business. In order to accomplish this, our Information Governance Leadership team was created.
In order to ensure that your programme is moving forward in accordance with your expectations, you need to hold regular meetings.
What is the current size of the global market for information and cyber security products and services, and what are the most significant challenges the industry will face in 2021?
The size of the global market for information security is estimated to be well over $150 billion, although estimates vary depending on who you ask.
The lack of sufficient qualified staff to carry out our roles is currently the most significant challenge we are up against. At this time, there is a shortage of millions of people across the world in information security roles. When you are a consultant, that is not necessarily a bad thing because it increases the value that you provide to your clients.
The ransomware attack on Colonial Pipeline has caused major concern among security experts in the United States; in your opinion, what went wrong?
We do not exactly know what went wrong with the ransomware attack; however, we do know that Colonial Pipeline had previous audits that uncovered severe deficiencies in their operations. A statement along the lines of “an eight-year-old could hack into the system” was one of the quotes pertaining to the audit that took place in 2018. We are aware that the organisation did not bring on a senior information security expert of a specific kind. Instead, they established a new position within the IT department. However, they are currently looking for a specialist in information security to hire. It is a recipe for disaster to not have someone in place to ensure that the most fundamental information security practices are being followed, which is one of the most common issues that we come across. It seems as though they did not implement even the most fundamental, low-level security hygiene, which can significantly contribute to the prevention of attacks like these.
How can technology assist businesses in taking preventative measures against cyberattacks like the ransomware that was used in the Colonial Pipeline attack?
There are some highly sophisticated technological tools available today; however, there is no alternative to the three-step process that I detailed above. It is inevitable that there will be issues if there is not an executive in charge, if there is not subject matter expertise, and if there is not a programme of policies and standards that is explicitly enforced on a regular basis. Recently, we worked with a customer who did not follow their own policy and let one of their IT staff members leave without being locked out. Despite the fact that the customer had some of the most cutting-edge technology, the member of the IT staff deleted over one hundred servers. And technology won’t be able to stop someone from divulging their passwords if they click on a link on their iPhone; this can happen even if the person is careful.
There are still many businesses that only rely on their IT departments to perform risk assessments; is this adequate?
The overemphasis on the importance of information technology is a very specific and extremely perilous way of framing the issue. The information technology department is neither qualified nor focused on the best way to ensure that your systems have a reasonable level of security. Your system’s functionality is the primary focus of information technology. Even when I worked in information technology and was responsible for security, I found that I was torn between the two goals of ensuring that systems are operational while also maintaining their safety. In addition to this, this is presuming that your IT staff has adequate training in regards to matters of security. The fact of the matter is that you cannot successfully navigate the security landscape in a way that is both efficient and cost-effective without the participation of an independent subject matter expert. In addition, information technology is rarely positioned at the appropriate level within an organisation to effectively bring about a culture shift.
The shift toward working remotely as a result of the COVID pandemic has increased the scope of the risk; how can we keep up with the demand for cyber security?
Surprisingly, if you already have an effective Information Security Management Program in place, securing the remote workplace won’t be too much of a challenge for you. It is necessary to have an understanding of the primary risks, such as allowing people to use their own computers to access your company’s systems, and to implement controls that are reasonable from a business perspective in order to mitigate these risks. It is not necessary for these controls to be expensive. For instance, we have customers who have solved the issue of remote access by using Chromebooks that cost two hundred dollars each. These customers now have very reasonable security controls in place.
Do you have any opportunities that you would like to share with us from Miller Kaplan that are geared toward business partners, investors, or other business entities?
We would jump at the chance to have a conversation with businesses about the measures they are taking to keep their systems safe. Numerous businesses have informed us that their IT departments have verified that everything is operating normally. This week alone, I’ve participated in a few conversations along those lines. They have never been right about anything if there has not been a trained information security professional involved. Why not have a conversation and find out where there is significant room for improvement? I’ve never seen a situation where there isn’t significant room for improvement, so why not have it?
When it comes to working with partners, one of our favourite types of partnerships is with information technology companies and other types of vendors. In addition, one of our favourite things to do is assist information technology companies in the implementation of information security management programmes that are compatible with commercial standards.