As the cybersecurity landscape continues to evolve at a rapid pace, we sat down with Fuze’s new Director of Information Security, Tad Gralewski, to discuss security best practices for organizations today and to hear more about how he is expanding and improving the security of the Fuze platform.
Tell us a little about yourself and your role at Fuze.
I’m a born-and-raised Chicago native who has spent the last 25 years in the information technology space. Prior to Fuze, I spent seven years in the managed services space overseeing cloud data centers where data security and integrity were at the top of the list of priorities.
In diving into this new role at Fuze, I’m very focused on analyzing existing security practices and ensuring that our team is implementing the technology and best practices needed to prevent and manage existing threats, while creating a framework that will ensure Fuze can evolve with the ever-changing security landscape.
How do you evaluate a company’s security readiness? What are some best practices they need to consider?
In the digital age, no software can ever be 100 percent protected from a breach. So it’s a constant and steady battle to stay ahead of the curve. However, there are steps that organizations can take to best fend off potential vulnerabilities, and also, to be prepared enough to minimize the impact of a breach.
At Fuze, I focus on ensuring that we have the proper foundation in place, as well as assessing the strengths of our current security programs, technologies, and processes against the NIST Cybersecurity Framework, which is typically recognized as the starting point to help organizations create a thorough security posture. This framework encompasses five pillars: identify, protect, detect, respond, and recover.
Any two companies will prioritize these pillars differently, but it’s critical that organizations pay attention to each. It is easy, for example, to invest in technology alone, and believe you’ve addressed security. By not determining risk factors or developing processes to review the information the tools are providing, and potentially adjusting business processes as a result, the value the tools are providing is minimized. This is why relying on a framework is the best way to ensure an organization is protected against all security concerns, including potential technical vulnerabilities, and can enact predefined response plans regardless of the nature of the security event.
What do you see as the most critical step (or steps) in implementing a strong security posture?
Often there is a great deal of focus on technology and infrastructure when it comes to addressing areas that might make a company vulnerable to a cyberattack. While these are critical factors, workforce education is an element that can often be overlooked.
Corporate training initiatives can have a significant impact. They can be used to educate a wider employee population about simple best practices and, in general, create awareness of the types of behavior that can leave an organization vulnerable. Whether through a webinar or a quarterly newsletter, regular communication with all staff members can make a huge difference when it comes to ensuring compliance and security in an enterprise setting. It is also important to think about specific security-focused training and education for software development teams related to security elements in their software functionality.
In looking at the UC market specifically, what should CIOs ask UC vendors when it comes to security?
Data protection and data sovereignty should be top-of-mind when evaluating UC technology. Look for a vendor that takes a holistic approach to data security to ensure all communication is protected. In the legacy world of PBX systems, this data never left the building. Now, communication data and artifacts are stored in offsite data centers, oftentimes housed with countless other data sets. UC providers need to have the credibility to explain their processes and the related security measures to ensure CIOs feel comfortable that their data is secure.
Given your organization will largely be putting security in the hands of the UCaaS cloud provider, it is key that their security posture is intended to provide enterprise-grade security. You can determine a vendor’s ability to meet your security needs by assessing their security posture. Here are some things you should request from them:
- Third party assessments or compliance reports, such as SSAE 16 SOC 2 Type II.
- A security overview session with the vendor’s security leader to gain insight into their security program, controls, operations, and future improvement plans.
- A completed security questionnaire, or SIG. This is a pre-defined set of questions you provide that are directly applicable to your company’s business, security, and privacy requirements.