Jacob Lorz, VP, Information Technology and CISO at Cintas, speaks with Todd Foley, Lydonia Chief Digital Officer and CISO, about his role, how cybersecurity leadership has evolved, key incidents that shaped his approach, the importance of a verification and validation team, and the critical mindset shift toward a security-first strategy.
Cintas Corporation, a Fortune 500 company headquartered in Cincinnati, provides businesses of all sizes with innovative solutions, products, and services designed to keep their facilities clean, their employees safe, and their teams professionally attired.
Shedding light on his trajectory and role, Lorz states that cybersecurity became a passion over two decades ago. Sharing the story, he recalls how a threat actor compromised one of the internet-facing file-sharing services at the organization he worked for at the time.
This incident ignited a passion in Lorz to dig deep, recognize the root cause, and figure out how to prevent it from happening again. Consequently, he learned the Cisco PIX firewall.
Eventually, says Lorz, the perspective of security evolved from just putting technical controls in place to a more holistic approach of understanding the people and the process components.
He further notes that it is critical to understand the business benefits related to a program, besides reducing opportunities for threat actors. It is necessary to find the opportunity for business enablement.
“What a security executive and practitioner has to realize is it’s about how we allow the business to continue to run and generate the revenue or continue operations, or continue to service customers,” says Lorz.
Lorz highlights that the executive leadership at Cintas is now more cyber-aware than ever. Unlike in the past, today’s cyber leaders not only recognize risks but also understand the opportunities to implement risk-reducing controls. They are increasingly comfortable assessing residual risk and effectively communicating these insights to non-technical stakeholders.
Adding on, Lorz states that throughout the whole process, it is critical to bear in mind the impact on the end-user population. “We want to keep coming back to enablement, but we want to continue to have our partners and our employees operate effectively and efficiently without adding unnecessary pain through cyber risk reduction.”
The fun part, according to him, is doing all that and still being the security champion and getting board-level and executive support.
Speaking of incidents that shaped his approach, Lorz recalls another incident at a previous organization. There, the IT team set up infrastructure in a cloud environment, and the security team put all the right controls in place. It took a call from the finance team, asking why the monthly bills had spiked, for the team to realize that a threat actor had compromised the environment.
Taking this as a lesson, Lorz states that since then, he has never been fully comfortable with what he has built. Since that incident, he has called for a “verification validation” team at every workplace. He considers this a continuous internal self-assessment, run at whatever cadence is required.
Lorz maintains, “We’re going to assess the effectiveness and the correctness of the control and the process that we’ve put in place, so I will invest resources. I will build the team necessary to ensure that what we’ve put in place is operating correctly so that we’re not caught off guard again.”
Developing a cybersecurity program involves multiple components, such as an engineering team, an operations team, and a GRC (Governance, Risk, and Compliance) team. He further emphasizes the need for a possible sub-team within the GRC function that is specifically responsible for collaborating with the other teams to track progress.
Their role involves assessing what has been built, implemented, or documented over the past month or quarter and compiling that information into a continuous validation task list. This team serves as a frontline defense before engaging with internal auditors or third-party auditors.
While those audits are still essential, this function ensures that potential issues are identified early, says Lorz. Their goal is to catch any discrepancies, such as configuration drift or unintended over-permissioning, even if the established security tools and processes fail, he adds.
To establish this practice in the culture, Lorz states that it is critical to highlight successes and shift the mindset toward security-first thinking. “We’re only better at the end of the day because somebody else isn’t going to take whatever we found and use that as a point of exploitation,” he concludes.