We’re thrilled to announce that Aaron Poulsen, CISSP CISM CISA CRISC, has joined Hyperproof as the Senior Director of Information Security, Risk, and Compliance. Aaron has over 25 years’ experience working in various technical disciplines ranging from security and software engineering to compliance and project management. During this time, he has maintained and enhanced security, risk, and compliance programs at two internet security firms.
I recently talked to Poulsen to learn more about his career arc and got him to share some of his hard-earned experiences gained over the years of work in security, software engineering, compliance, and project management.
1. What got you into security and compliance work?
Poulsen: Security felt like a natural progression for me in my career. I enjoyed testing systems, including physical (stand here and the camera can’t see you), logical (too much data in an input field produces an information-dense error page), and administrative (we don’t have a policy that says I can’t go to THIS site). They were never done with malicious intent but more out of curiosity and, ultimately, helped improve what I later learned were controls. I think all security professionals have some degree of this desire to test systems to make them stronger and more resilient. Plus, there’s some amount of childish enjoyment and accomplishment circumnavigating controls. The difference now, as security professionals, is we bypass controls to make the overall system stronger and more resilient to attacks.
Security and compliance don’t always equate; being secure doesn’t mean you’re compliant, and the reverse is also true. Still, they complement each other in many ways. It was inevitable that I crossed paths with compliance work at some point. I admit compliance was never a career ambition. It seemed straight-up boring and tedious (to some extent, elements of compliance still can be). But I quickly learned that much of what we consider compliance isn’t simply busy work and is founded on sound security principles and organizational governance.
It’s easy to point to a framework or program and claim it doesn’t add value, that it’s just a cost of doing business. However, I’ve yet to see a company demonstrate they are less secure from meeting the requirements of a particular program or framework than they are without.
2. Why did you join Hyperproof?
Poulsen: I felt I could make a greater contribution to the compliance profession by working for a company focused on solving the problems I was facing daily while managing security and compliance teams. There are a lot of opportunities to improve how companies manage and maintain their security, compliance, and risk functions to meet an ever-evolving and increasingly complex threat landscape.
Of particular concern is helping to alleviate the burnout and exhaustion experienced by security and compliance professionals. The demand will continue to grow for more assurance that we’ve implemented and are exercising effective controls. This means we will continue to see more requirements for organizations to adopt new regulations, standards, and frameworks. That means more burden on teams to demonstrate compliance and demonstrate it in a way that meets multiple requirements across multiple programs.
By the way, I was one of Hyperproof’s earliest customers. When I saw the designs and direction they wanted to take the product, I thought, “Here’s a company that understands the challenges.” Hyperproof is working to solve one of the significant pain points I have in this space: an efficient and effective collection of evidence for multiple audits. Having worked with the Hyperproof team for over two years, I saw how much progress was made with the product and how they (we!) continue to improve through direct feedback from those we’re servicing. It’s a company that genuinely cares about the problems I and my industry peers face every day.
3. Security and compliance pros are facing increasing pressure from different stakeholders to do more with less. Do you think there are opportunities for innovation in the security assurance function?
Poulsen: Yes, absolutely. There are opportunities to leverage technology in a variety of areas that teams may not realize, may not have the time to implement, or may simply lack the tools to take advantage of them. A significant opportunity is automating evidence collection wherever possible so less time is spent getting to a state where controls can be tested. With so much time during an audit (external or internal) devoted to the collection, any improvements here will have a big impact on what compliance teams can deliver: more testing, onboarding new programs, or even just broadening the scope of what gets tested. As technology evolves, so will our ability to run end-to-end tests of controls where a compliance team receives alerts on pass/fails and overall control health through automation.
Oftentimes, teams aren’t doing more with less but simply doing more with the same, so changes to how we’re performing audits and managing risk will be crucial to ensuring companies can remain compliant and stay within their chosen level of acceptable risk. I’ve become a fan of agile auditing and a focus on reviewing and testing those controls that reflect the greatest reduction of risk to an organization.
4. What trends should security and compliance leaders be aware of and prepare for at this moment?
Poulsen: Maybe an obvious one at this point, but the remote distribution of employees presents challenges that will require new or modified security controls to ensure assets are protected like they were when we all met in a physical workspace.
I expect to see the trend continue with businesses moving more services to the cloud for a variety of reasons like labor shortages for on-prem engineers and infrastructure support. They will continue delegating some part of the compliance lift to datacenters that undergo rigorous testing, pass multiple accreditations, and maintain built-in security (if done correctly). Unfortunately, cloud expertise — especially in security — will likely continue to trail demand.
Almost assuredly we’ll see more regulation around security and privacy. I’m not a proponent of more regulation unless it’s absolutely needed, but it’s a typical reaction to solving ongoing problems. More regulation means more requirements. This leads to a larger burden placed on already-stretched teams responsible for implementing and tracking the effectiveness of controls. I believe the law of diminishing returns applies here: at some point, the increase in requirements will not only add less value but will likely work against organizations that are unable to deal with their volume and complexity.
5. Executive management teams and boards typically don’t have a strong understanding of the value of security and compliance work. How can security and compliance professionals better communicate the value of their work — so they can get sufficient resources to protect their organizations?
Poulsen: I think, to too many senior management teams, security and compliance operate like many other corporate functions. In many ways they do, but that view doesn’t acknowledge the breadth and scope of the role security and compliance play in an organization. Everyone is responsible, not just your security team and not just your compliance team. Everyone is accountable, in some way, for increasing or decreasing the effectiveness of these programs and thereby directly affecting the amount of risk your company is subject to.
Education in this area helps bridge the gap. So does relating security and compliance weaknesses to risks. Risks can almost always be quantified and mapped to actual currency, specifically, the loss of currency if a risk is realized.
Our job as security and compliance professionals is, in large part, to identify areas of significant weakness that raise the likelihood of a risk, measure their respective impact, assist with remediation options, and present these findings to executive management teams. It removes some abstractness from security and compliance operations when we speak in business terms: “Do (or don’t do) X, and we have a high probability of suffering losses amounting to Y.” Be able to stand by your findings and support them.
Also, bring solutions to the table and their associated remediation plans. Execs are busy and need enough information to make the best decisions for the company. That’s why we need to discover and report in a timely fashion.