Mark-David McLaughlin, Ph.D., Director of Security and Risk Management at Acuity Brands, Inc.
As cyber attacks on businesses and governments escalate, Acuity Brands continues to refine and harden the security of the digital components of its products and services, adopting and customizing the Product Security Incident Response Team (PSIRT) model and applying the PPDRL (Prepare, Prevent, Detect, Response and Learn) security methodology. These security teams are on the front line of the battle between cybercriminals and IoT-enabled devices and technologies. Acuity Brands is taking a proactive approach to protecting its customers, drawing on lessons from recent trends in other industries.
IT equipment vendors such as Cisco, Dell, Intel and Microsoft have well-established PSIRT programs. In the IoT space, only a few vendors have PSIRT programs more than five years old. A handful of others, including Acuity Brands, have proactively initiated security programs. After years spent establishing the team, we recently publicized our PSIRT efforts to help drive the security and prevention posture of an industry in which customers are connected through devices in an end-to-end system or solution.
In October 2018, ARC Advisory Group published an article describing the PPDRL security model. In this post, I introduce the company's custom-developed Product Security Response Process (PSRP) and examine how it incorporates the best practices from the PSIRT and PPDRL models that most effectively support Acuity Brands' unique IoT ecosystem.
Figure 1: PSIRT Framework Diagram
Figure 2: The PPDRL Model
Acuity Brands' PSIRT/PPDRL Commitment
Industry analysts are strongly advising organizations to proactively protect themselves against system intrusion. Prevention is highlighted as an important first step, but it is not the end goal; as the industry saying goes, 'it's not a matter of if but when' an intrusion will occur. However, successful intrusions and exploits take time to establish and execute, so it is entirely possible to detect and thwart them before they mature within the target system or component. This is the goal of Acuity Brands' security program.
Implementing an incident management-based PSIRT/PPDRL security strategy not only makes good business sense but also provides crucial peace of mind to our customers and stakeholders. The company's goal is to maintain a rigorous, full-spectrum strategy that not only erects preventative measures but also establishes detection, response, mitigation and review to further harden systems. This proactive management approach is the one I have taken in building Acuity Brands' Product Security Response Process (PSRP) program.
In a future blog, I will explore the PSRP program.
Mark-David McLaughlin, Ph.D.
Director of Security and Risk Management, Acuity Brands Lighting, Inc.
Mark-David McLaughlin has over 20 years' experience in the field of information security. In his role as Director of Security and Risk Management at Acuity Brands Lighting, Dr. McLaughlin helps ensure that security practices are an integral part of the company's IoT offerings. Prior to his current role, Dr. McLaughlin held a variety of information security-related positions at IBM and Cisco; these roles included building a product incident response team, serving as a customer advocate in Cisco's managed security service offering, performing security architecture reviews, conducting penetration tests, and developing software that supported security features on embedded hardware platforms.
Dr. McLaughlin has filed several patents and has presented worldwide on topics ranging from security metrics and analytics to the ethical disclosure of security vulnerabilities. Dr. McLaughlin holds a PhD with a focus on Information Security, an MBA with a specialization in telecommunications, and a BS in Computer Science.