
Part 3 of 3: CDO Magazine – Lydonia & Cintas Interview

Discover essential cybersecurity strategies for staying compliant with regulatory changes, including automation for evidence gathering and improving compliance processes. The video explores foundational security practices such as asset inventory, risk assessments, and the evolving role of zero trust and quantum computing. Key focus areas include automation, risk management, and identity validation.

Todd Foley: Hello and welcome to the CDO Magazine interview series. I’m Todd Foley, Chief Digital and Information Security Officer at Lydonia. Today, I have the pleasure of talking with Jacob Lorz, Chief Information Security Officer at Cintas. Jacob, thank you for taking the time to talk with us today.

Jacob Lorz: Hey, thanks, Todd. I appreciate the opportunity. I’m looking forward to it.

Todd Foley: How do you keep Cintas up to date with regulatory changes? What role does that play in your strategy?

Jacob Lorz: I mean, you called it out: regulatory changes and the environment itself are dynamic, so it’s a great parallel to cybersecurity. We stay up to date by establishing strong relationships with folks who work specifically in compliance, so our compliance and legal teams. We also self-educate by attending conferences, webinars, and events to stay informed about any new changes. What are some of the “gotchas” we need to look out for? What are the new changes coming down the pike? What are other areas that may be tripping up other companies? Beyond that, we go through third-party assessments, and I love third-party assessments because they help me identify gaps more effectively. They highlight areas where we need to shore up a process or an investment to avoid findings in an assessment that actually matter.

When it comes to evidence gathering, we can begin to leverage automated activity. We’re getting to the point where we don’t have to go to someone every quarter or every year and ask for the same piece of evidence. We’re using technology to auto-acquire, auto-archive, and gather evidence so that when it’s time to present to a regulatory body, we can easily provide them with our body of evidence and artifact list. This makes their job easier as well. Here’s your schedule of tasks. We recognize what the schedule is, and here’s how we’re gathering it. Makes the whole process simpler and the conversation easier, so it’s less adversarial.

Todd Foley: Yeah, and I think focusing on that partnership and moving toward continuous compliance and self-service compliance is something that every organization has at least on their radar.

Jacob Lorz: But we’re not fully there, I won’t give you that. I mean, we still have manual processes in play, and the vision, as we continue to grow, is to make that simpler, make it more effective, make it more automated.

Todd Foley: Let me ask you more about vision, longer-term vision, perhaps. Looking ahead, if you think five to ten years out, what’s your vision for the future of cybersecurity at Cintas and across the industry?

Jacob Lorz: We touched on it a little bit already. We will continue to invest in increased automation. I think that’s really the only way to go. To run successful cyber programs, you have to have a level of confidence. You often will step into an environment of chaos, and then you need to bring order to that chaos by implementing the right people, processes, and technology. And then, after you bring order to the chaos, you need to bring confidence to that order. So I personally believe that the best way to do that is through automated verification and validation techniques, automated controls, and automated response. I’ve said it a hundred times already on this call: we’re going down that road. The future of the cybersecurity industry, however, I think is going to be interesting to watch over the next 3, 5, 10 years as we move into that post-quantum world, which I know is kind of another buzzword being ground out at the moment. I don’t know how that’s going to change the practices that we have in place. It’s certainly going to change the technology that we have in place, especially when you consider the confidentiality of the information that you’ve already encrypted or want to encrypt in the future and how to prevent bad actors from breaking that. So I think that in itself is going to be an interesting space to watch. The automation component will continue to grow. Bad actors will continue to change their tactics. So keeping up to date with MITRE, for example, and their ATT&CK matrix and saying, okay, where are they going next? What are some of the real-world APTs working on, and how can we combat that? What coverage do we have? It’s all part of the larger and more broad program.

Todd Foley: Makes sense, right? And I love the idea that what we have to worry about when we talk about post-quantum isn’t just what we’ll do in the future and when that’ll become most critical, but how we’re going to deal with everything we’ve already done in a remediation program. We’ve talked about post-quantum, we’ve talked about AI. My buzzword bingo wouldn’t be complete if I didn’t ask you about zero trust, right? So how do you think about that? How do you define it? And how are you approaching it? To your mind, is it a significant evolutionary change in cybersecurity or an incremental one?

Jacob Lorz: I consider it an incremental change. That’s the first time I’ve been asked that question, so kudos. I consider it incremental, not necessarily significant, because I believe that cybersecurity programs are best built around the identity. And I firmly believe that zero trust, as a principle itself, is built around the identity, in that zero trust to me means not necessarily zero trust, but confidence in the trust. I’m certain that whichever identity, human or non-human, I’m giving access to this resource is the particular identity I intended to give access to. So it’s that continuous validation along the way as well.

So, access is granted at the beginning, access is re-established somewhere in the middle of the chain, and access to the resource is effectively given. For me, that’s zero trust. And there’s a zero trust identity component. There’s a zero trust network component there. There are five pillars, if I’m thinking correctly, going back to NIST on zero trust. And it all comes back, in my opinion, to beginning with that identity.

So, it’s not an easy thing to implement, especially if you’re working with an organization that already has a technology play in place, or you’re working with an organization that’s already established and wasn’t born in the cloud. So there’s some rework that needs to happen along the way as well, and there are significant architectural changes that need to happen in order to get to zero trust. But I think what people tend to trip up on is that they want to go zero trust all or nothing, and no, it can be a stepped or phased approach. You know, how do you eat an elephant? One bite at a time. So let’s take those small bites and work towards a zero trust methodology or zero trust concept.

Todd Foley: Well said, and I think that’s the way most organizations are going to end up looking at it and moving forward if they’re going to make progress at all, right? Let me ask you, if you were to give one piece of advice to organizations that are really just in the process of doing foundational work, or rebuilding or building their cybersecurity program, what would it be? What’s your best advice to someone on where they start or what they should prioritize, instead of trying to boil the ocean?

Jacob Lorz: Good question. I do get asked this one sometimes, and I thought back along my career at different ways that I’ve approached it, and it really comes back to, and you hit one of the words, foundations. It’s going back to your foundations, going back to basics. Implementing, or taking a look at, the CIS Top 18 (it used to be the Top 20), and focusing on those first two: establishing a true inventory of your assets, of your software, of your hardware. Understanding where your threats lie by doing a risk assessment, internal, of course, but then also third party.

Let’s take a look at your attack surface, your perimeter, your posture, and say, what do we need to shore up there? I mean, there are free services that you can even get from the Cybersecurity and Infrastructure Security Agency, CISA, where they will come and do a vulnerability assessment on your attack surface and then provide you with feedback. “Okay, this is what we’ve seen. This is how we would suggest that you correct it.”

But it’s really that back-to-basics approach: understanding your risk, getting the assessments done, and then dealing with the highest-risk, lowest-effort items first. We’re going to knock those out, get some of that low-hanging fruit, and take away the opportunities for threat actors to exploit those vulnerabilities. That’s how I would start.

And then, along those lines, if you’re truly intentional about building a cybersecurity program, you have to work with third-party partners through the relationships you’ve established, secure and invest in the right technology and the right people, and then start with intention, building the right components of your program.

Todd Foley: Well said. So let me wrap up with a kind of rapid-fire round, if you will—some questions I’m sure you’ve heard before, and I’ll ask you to give me a quick answer.

I’ll start with, I guess, the OCD question, because we all have a little bit of it in the security space with all the checklists we use and everything we make sure happens. For you, what’s the one cybersecurity habit you never skip?

Jacob Lorz: Yeah, I love this one. I never walk out of my house in the morning without locking the front door, and I never walk away from my computer without locking the screen.

Todd Foley: Yep. If you had to describe cybersecurity in three words only, what would they be?

Jacob Lorz: It’s essential, it’s dynamic, and it’s evolving—ever evolving, if I could use four.

Todd Foley: I like it. And then finally, what’s the biggest misconception people—and I’m including friends and family here, not just people in the industry or people within your organization—what’s the biggest misconception people have about cybersecurity?

Jacob Lorz: If we’re talking friends and family, the biggest misconception is that it’s always like the movies, where you’re just banging away on a keyboard and screens are flying past, and not a lot of paperwork and a lot of presentations.

Within the industry, though, within a business, within an enterprise and an organization, I think the biggest misconception is that it’s an IT-only thought, an IT-only responsibility. Cybersecurity is the responsibility of everybody within the organization. If they see something, they should say something. It’s the responsibility of everyone to have that kind of security-first mindset.

So, I think that’s changing, though. It’s definitely changed over the last five or ten years or so, as cyber risks are more widely published in the news, for example, and people are just more aware from their own personal experience at home of how cybersecurity can negatively impact them if they don’t take the right approach to things.

Todd Foley: Yeah, definitely. People have a lot more personal cybersecurity experience than they ever used to have, I guess is the way to say it.

Jacob Lorz: Exactly.

Todd Foley: Well, thank you, Jacob, for joining me today. For our listeners and viewers, please visit cdomagazine.tech for additional interviews. It’s been a pleasure talking to you. I hope you have a great day.

Jacob Lorz: Oh, thanks a lot, Todd. I had a great time. I appreciate the conversation. It’s good talking to you.
