How ABM built a cohesive security program around zero trust

When Stephanie Franklin-Thomas joined facility management provider ABM Industries in early 2021 as the company’s first CISO, she says she found a security approach that had a lot of the right components.

That was a plus.

But Franklin-Thomas says those components weren’t fully assembled, and that was a negative—one that created a less-than-optimal security posture for the company.

“I do believe everyone wants to do a good job, but there wasn’t a program. There were pieces of a program, they just weren’t tied together; it wasn’t holistic,” she says.

So Franklin-Thomas set out to change that scenario, pursuing a plan to pull together the various pieces as well as identify and add in any missing pieces so she could create a more cohesive security program.

“They had what I would call ‘accidental security’: They were doing the right things, but they didn’t have a full program. They needed a more programmatic approach,” Franklin-Thomas explains.

Some 18 months into her tenure, Franklin-Thomas has implemented a full-scale security program for ABM, one that’s centered around the zero trust security model and one in which people, process, and technology align and work together to effectively and efficiently defend, protect and ultimately enable the business. The project earned ABM a 2022 CSO50 award for business value and thought leadership.

“Everyone is now rowing in the same direction,” she says.

‘The soup wasn’t made.’

As the new security chief and senior vice president, Franklin-Thomas says her top priority was to understand the components she had—in other words, what security elements were in place and which were missing.

One of her first steps was a NIST assessment, evaluating the existing security policies, procedures, and technologies against the control matrix to determine where the security function was proficient and where it was lacking.

She then validated her team’s findings by asking both security practitioners and other department heads whether identified security controls were indeed working and being followed.

“We went out to the business and asked: Does this exist?” Franklin-Thomas says. “And all the things they said yes to, we then moved to validation, [saying] ‘Show me.’ That’s a whole other eyeopener. We might ask about a policy and they’d say, ‘Yes, we have that,’ but when we went to find it, it wasn’t actually in place.”

This goes back to having the components, but not the assembly. Or, as Franklin-Thomas puts it: “We felt we had all the ingredients but the soup wasn’t made.”

She explains: “We at ABM and other companies are strong in technology, where security brought in everything needed, but the people and the processes weren’t equal and they need to be a perfect triangle: technology, people, and process. This is where you have the ingredients but not the soup,” she says.

Franklin-Thomas, who has held other CISO and senior positions and has a Ph.D. in organizational leadership and management, says she sees this scenario in many enterprise security functions, noting that it leads to less effective and less efficient security operations. As such, she adds, it remains one of the main stumbling blocks to overcome to advance one’s cybersecurity posture.

For example, she says, ABM had implemented multifactor authentication and followed the principle of least-privilege access but didn’t have strong documentation to ensure processes were followed.

“So for multifactor authentication and single sign-on, it was clear that everybody knew how to connect to the environment, everybody knew as an unwritten standard that if you were going to deploy anything into the environment, it had to have multifactor authentication and single sign-on, and that was very effective, but it was very informal,” she says.

Franklin-Thomas notes that ABM now uses ServiceNow workflow software to document and create audit trails to support the security team’s move to formalized processes.

As another example, she points to the fact that the company had a firewall in place but hadn’t confirmed that the firewall rules met current needs.

“We had rules, but were they always the right rules? Not necessarily,” she says, noting that firewalls in general often are too permissive.

Building the perfect triangle

Franklin-Thomas scored the security efforts she inherited against a NIST scorecard, using the measurement to help her shape her security roadmap, inform the board on the company’s security status, and prioritize.

“We did the NIST assessment to figure out where we were foundationally and identify gaps; some were technology gaps, some were around governance. Then we risked-ranked our priorities. We did quick fixes, first those high-risk items and then lower-risk ones,” she says.

As the security team was working through those stages, closing gaps and strengthening her company’s overall security posture, Franklin-Thomas says she simultaneously sought to redirect the security function’s mission.

“I wanted to move from detective to being more proactive while, of course, still maintaining that monitoring/detection proficiency,” she says, explaining that she believes the shift—in both mindset and execution—would both better defend the company from existing threats, more rapidly adjust to future ones, and more effectively enable business growth.

For her, that meant building the perfect triangle, where technology, people, and process worked together holistically and equally. According to Franklin-Thomas, that collaboration and coordination among the three overarching pieces are essential for any cybersecurity program to succeed.

Moving to zero trust

ABM is now advancing its cybersecurity program, with a big focus on zero trust principles.

Franklin-Thomas says her team is well positioned to move forward, with a holistic approach where technology, people, and process are all equally incorporated—a balance she says is critical for the zero trust model to work.

“When we started talking about zero trust, we looked at it from the three pieces: We had to get the people and the processes baked into it and make it auditable, so we can go back and make sure we’ve done the right thing every single time,” she says.

She goes back to the firewall to illustrate her point. A firewall is one technical component of implementing a zero trust security approach. But the firewall needs to be fine-tuned with rules, so the technology can accurately identify and permit through legitimate traffic while also accurately identifying and blocking illegitimate traffic as close to always as possible. Defining and implementing those rules are the people and process components, which are equally important here to success as the tool itself.

Franklin-Thomas speaks from experience, saying that she and her team have been collaborating with their business unit colleagues to examine existing rules, identify overly broad or permissible ones, and then refine the firewalls accordingly.

Also on the people and process side of the triangle, Franklin-Thomas created a risk team, embedded security into the project management office as well as the vendor management office, and reviewed security standards and governance policies. She’s also building her security team and creating a culture in which the different elements of her team—engineering, operations, risk—are collaborative to further support that holistic security approach.

“This all ties back to zero trust, so we understand how we’re granting access and ensuring least-privilege access. It’s ensuring that we are creating an entire environment that subscribes to zero trust,” she explains. “It’s really trying to look at everything in architecture, the network, edge, everything we do, that we trust nobody and we build the environment that supports that.”