Mary K. Pratt
Contributing writer

How ABM built a cohesive security program around zero trust

Feature | Aug 18, 2022 | 7 mins
CSO50 | IT Leadership | Zero Trust

CISO Stephanie Franklin-Thomas advances ABM’s security program with a holistic approach to zero trust, putting equal emphasis on people, process, and technology.

[Photo: Stephanie Franklin-Thomas. Credit: ABM Industries]

When Stephanie Franklin-Thomas joined facility management provider ABM Industries in early 2021 as the company’s first CISO, she says she found a security approach that had a lot of the right components.

That was a plus.

But Franklin-Thomas says those components weren’t fully assembled, and that was a negative—one that created a less-than-optimal security posture for the company.

“I do believe everyone wants to do a good job, but there wasn’t a program. There were pieces of a program, they just weren’t tied together; it wasn’t holistic,” she says.

So Franklin-Thomas set out to change that scenario, pursuing a plan to pull together the various pieces as well as identify and add in any missing pieces so she could create a more cohesive security program.

“They had what I would call ‘accidental security’: They were doing the right things, but they didn’t have a full program. They needed a more programmatic approach,” Franklin-Thomas explains.

Some 18 months into her tenure, Franklin-Thomas has implemented a full-scale security program for ABM, one that’s centered around the zero trust security model and one in which people, process, and technology align and work together to effectively and efficiently defend, protect and ultimately enable the business. The project earned ABM a 2022 CSO50 award for business value and thought leadership.

“Everyone is now rowing in the same direction,” she says.

‘The soup wasn’t made.’

As the new security chief and senior vice president, Franklin-Thomas says her top priority was to understand the components she had—in other words, what security elements were in place and which were missing.

One of her first steps was a NIST assessment, evaluating the existing security policies, procedures, and technologies against the control matrix to determine where the security function was proficient and where it was lacking.

She then validated her teamโ€™s findings by asking both security practitioners and other department heads whether identified security controls were indeed working and being followed.

“We went out to the business and asked: Does this exist?” Franklin-Thomas says. “And all the things they said yes to, we then moved to validation, [saying] ‘Show me.’ That’s a whole other eye-opener. We might ask about a policy and they’d say, ‘Yes, we have that,’ but when we went to find it, it wasn’t actually in place.”

This goes back to having the components, but not the assembly. Or, as Franklin-Thomas puts it: “We felt we had all the ingredients but the soup wasn’t made.”

She explains: “We at ABM and other companies are strong in technology, where security brought in everything needed, but the people and the processes weren’t equal and they need to be a perfect triangle: technology, people, and process. This is where you have the ingredients but not the soup.”

Franklin-Thomas, who has held other CISO and senior positions and has a Ph.D. in organizational leadership and management, says she sees this scenario in many enterprise security functions, noting that it leads to less effective and less efficient security operations. As such, she adds, it remains one of the main stumbling blocks to overcome to advance one’s cybersecurity posture.

For example, she says, ABM had implemented multifactor authentication and followed the principle of least-privilege access but didn’t have strong documentation to ensure processes were followed.

“So for multifactor authentication and single sign-on, it was clear that everybody knew how to connect to the environment, everybody knew as an unwritten standard that if you were going to deploy anything into the environment, it had to have multifactor authentication and single sign-on, and that was very effective, but it was very informal,” she says.

Franklin-Thomas notes that ABM now uses ServiceNow workflow software to document and create audit trails to support the security team’s move to formalized processes.

As another example, she points to the fact that the company had a firewall in place but hadnโ€™t confirmed that the firewall rules met current needs.

“We had rules, but were they always the right rules? Not necessarily,” she says, noting that firewalls in general often are too permissive.

Building the perfect triangle

Franklin-Thomas scored the security efforts she inherited against a NIST scorecard, using the measurement to help her shape her security roadmap, inform the board on the companyโ€™s security status, and prioritize.

“We did the NIST assessment to figure out where we were foundationally and identify gaps; some were technology gaps, some were around governance. Then we risk-ranked our priorities. We did quick fixes, first those high-risk items and then lower-risk ones,” she says.

As the security team was working through those stages, closing gaps and strengthening her company’s overall security posture, Franklin-Thomas says she simultaneously sought to redirect the security function’s mission.

“I wanted to move from detective to being more proactive while, of course, still maintaining that monitoring/detection proficiency,” she says, explaining that she believes the shift—in both mindset and execution—would better defend the company from existing threats, adjust more rapidly to future ones, and more effectively enable business growth.

For her, that meant building the perfect triangle, where technology, people, and process worked together holistically and equally. According to Franklin-Thomas, that collaboration and coordination among the three overarching pieces are essential for any cybersecurity program to succeed.

Moving to zero trust

ABM is now advancing its cybersecurity program, with a big focus on zero trust principles.

Franklin-Thomas says her team is well positioned to move forward, with a holistic approach where technology, people, and process are all equally incorporated—a balance she says is critical for the zero trust model to work.

“When we started talking about zero trust, we looked at it from the three pieces: We had to get the people and the processes baked into it and make it auditable, so we can go back and make sure we’ve done the right thing every single time,” she says.

She goes back to the firewall to illustrate her point. A firewall is one technical component of implementing a zero trust security approach. But the firewall needs to be fine-tuned with rules, so the technology can reliably identify and permit legitimate traffic while identifying and blocking illegitimate traffic as consistently as possible. Defining and implementing those rules are the people and process components, and they are as important to success as the tool itself.

Franklin-Thomas speaks from experience, saying that she and her team have been collaborating with their business unit colleagues to examine existing rules, identify overly broad or permissive ones, and then refine the firewalls accordingly.
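The rule review described above, as an added example that is not ABM's or the article's own tooling: it parses a constructed, vendor-neutral rule list and flags allow rules whose source, destination, or service is "any" or wider than an assumed threshold, so the flagged rules can be taken to the business units for refinement. The rule format, the sample rules, and the /16 breadth threshold are all assumptions made for illustration.

```python
# Added example (not ABM's or the article's code): flag overly permissive
# firewall rules of the kind a rule review looks for. Rule format, sample
# rules, and the breadth threshold below are constructed assumptions.
import ipaddress
from dataclasses import dataclass

# Constructed sample rule set: name, source, destination, service, action.
SAMPLE_RULES = """\
allow-web-in,any,10.0.1.0/24,tcp/443,allow
legacy-vendor,any,any,any,allow
db-from-app,10.0.2.0/24,10.0.3.10/32,tcp/5432,allow
admin-rdp,0.0.0.0/0,10.0.0.0/8,tcp/3389,allow
deny-all,any,any,any,deny
"""

BROAD_PREFIX = 16  # assumption: networks wider than a /16 count as broad


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str


def parse_rules(text):
    """Parse the constructed comma-separated rule format into Rule objects."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, src, dst, service, action = [f.strip() for f in line.split(",")]
        rules.append(Rule(name, src, dst, service, action))
    return rules


def is_broad(addr):
    """True for 'any' or for a network wider than BROAD_PREFIX."""
    if addr.lower() == "any":
        return True
    return ipaddress.ip_network(addr, strict=False).prefixlen < BROAD_PREFIX


def review(rules):
    """Map each too-permissive allow rule's name to the list of reasons.

    Deny rules are skipped on purpose: a broad final deny is the desired
    default, not a finding. Flagged rules are review items, not auto-blocks.
    """
    findings = {}
    for r in rules:
        if r.action != "allow":
            continue
        issues = []
        if is_broad(r.src):
            issues.append("broad source")
        if is_broad(r.dst):
            issues.append("broad destination")
        if r.service.lower() == "any":
            issues.append("any service")
        if issues:
            findings[r.name] = issues
    return findings
```

A rule such as allow-web-in with an "any" source may be legitimate for a public web server; the point of the output is to produce the list the security team and business owners walk through together, not to change rules automatically.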

Also on the people and process side of the triangle, Franklin-Thomas created a risk team, embedded security into the project management office as well as the vendor management office, and reviewed security standards and governance policies. She’s also building her security team and creating a culture in which the different elements of her team—engineering, operations, risk—are collaborative to further support that holistic security approach.

“This all ties back to zero trust, so we understand how we’re granting access and ensuring least-privilege access. It’s ensuring that we are creating an entire environment that subscribes to zero trust,” she explains. “It’s really trying to look at everything in architecture, the network, edge, everything we do, that we trust nobody and we build the environment that supports that.”


Mary K. Pratt is a freelance writer based in Massachusetts. She worked for nearly a decade as a staff reporter and editor at various newspapers and has covered a wide range of topics over the years. Her work has appeared in the Wall Street Journal, the Boston Globe, the Boston Business Journal, and the MIT Technology Review, among other publications. Today Mary reports mostly on enterprise IT and cybersecurity strategy and management, with most of her work appearing in CIO, CSO, and TechTarget.

Mary won a 2025 AZBEE award for her government coverage on CIO.com.
