Barnes profile with Shawn Young

PROFILE

Company: Barnes

Business activities: Advanced processes, automation solutions, and applied technologies for aerospace, packaging, medical, and mobility industries.

Employees: 6,500

Founded: 1857

Headquarters: Bristol, CT

Barnes, a Rolls-Royce supplier, takes a team approach to cybersecurity. Shawn Young, Barnes’ director of cybersecurity, shares what that means.

Q: What’s the current cybersecurity threat level Barnes faces?

S.Y.: We see indicators of attempted compromise almost daily. Our investments in the NIST Cybersecurity Framework Detect and Protect functions have improved our ability to identify abnormal conditions in the environment and automate our isolation capabilities at the point of attack.

However, the largest threat vector to our organization continues to be email. We've focused upfront on how we protect mail flow. We have multiple layers of security in place to reduce the likelihood that malicious emails reach our end users. This includes “hands on keyboard” human reviews of any email released from quarantine.

Q: You spend a lot of time anticipating how to respond to attacks. What’s involved?

S.Y.: I have a relatively small cyber department with three direct reports. To supplement core competencies, we’ve built strong relationships with our vendors, who provide depth and bench strength.

Furthermore, we have a dotted-line Cyber Security Incident Response Team reaching across the globe. This team consists of approximately 15 professionals with strong IT backgrounds. The team design provides agility and allows quick alignment to focus on the highest areas of risk to the organization.

Q: What’s the starting point for an effective response?

S.Y.: One of our best investments was to create a strong incident response process. This includes criteria to evaluate risks, to categorize risks, and then to establish the appropriate escalation procedures to engage our senior leadership team.

From there, we created an executive-level incident response playbook, which is engaged at certain risk thresholds tied to predetermined escalation criteria. The playbook engages an executive-level incident response team, creating a seamless process and a team effort to best mitigate any risk to the organization.

Q: Does the incident response team meet regularly? Do you do tabletop exercises?

S.Y.: Yes, we meet twice a month. Just to let you understand the maturity of our program from a governance perspective, early on it was about getting everyone on board, helping the business understand risk appetite. Because obviously we can spend fortunes on cybersecurity and still not mitigate 100% of the risk. This early work enabled the right discussion with leadership, and as a result led to more robust governance.

We update our Board of Directors quarterly, and in May every year we have extended time with our Board to share our strategy and provide a holistic program review. Cybersecurity is a top-of-mind issue and a high-priority item for all levels of leadership. We continue to develop resilience by conducting regular tabletop exercises.

Q: You can educate your workforce, but it still takes just one employee error to put the company at risk, right?

S.Y.: We have made a significant investment in cybersecurity awareness training, including a robust onboarding training process as new people come into the business. We've enhanced our investment in phishing simulations along with mandatory training and retesting for “clickers.” We consider training a cornerstone to the continued success of our cyber program.