CISO Conversations

Conversation with Steve Pugh, CISO, Ionic Security

What do you see as the most significant positive steps that government, business, and the security industry have made in the past 24 months to improve cybersecurity?

The biggest change is that people are now really taking cybersecurity seriously. It's not the guys in a black t-shirt in the corner of a room trying to protect the network. It has become a significant business problem as well as a personal problem.

When I first started my professional career in the Air Force, I was essentially put in charge of a network but it was very much a commodity IT service. Nobody thought much more about security than perhaps a firewall. It wasn't even to the extent of "Is it configured properly?" but just "Does it exist on the network?" (Which it did).

Now if you look at the way IT environments are stood up, they are almost a natural resource that’s prized, protected, and resourced appropriately. And it's very much operationalized. Instead of "Do you have internet? Check. Firewall? Check." it's "Do you have a secure way to operate in your environment?"

This security allows the enterprise to become a platform for bigger and better things. You can see that as the internet has exploded, the Internet of Things continues to challenge capacity and security. I think that's the biggest leap forward, that people recognize the importance of security in applications, infrastructure, and data. And that's good for cybersecurity professionals.

What impact has the Internet of Things had on cybersecurity planning and how has it affected your approach to operational and physical security?

If you look at the maturation from commodity networks to operationalization of cybersecurity and information technology, it was really about focus on the infrastructure protection – the firewalls, IDS, IPS, etc. But before there were firewalls, networks were just stuff connected to other stuff. And we had the approach of, "Oh, we should probably gate this a little bit with firewalls and then IDS and IPS and all those things." We spent a lot of time and cycles protecting the infrastructure.

While infrastructure protection was necessary, we were trying to protect the data. That was important to us. Is it intellectual property? Is it military command orders? Is it PII or HIPAA-type data? Is it financial data? It's all about the data. And so now we're hitting a turning point.

We do infrastructure protection pretty well. Now let's figure out how we can do data protection. Enter the Internet of Things and all of a sudden you have many more devices connected that are sending a lot more data. If you put a camera in your house, that's a very personal device. So how do you ensure that the data and the video that the camera captures is being properly secured and protected while operating in a secure way?

I think that the Mirai botnet opened a lot of people's eyes, showing that some of the IoT devices being developed don't necessarily have the security standards that one would expect. I think that's our biggest challenge for IoT. How do we take the lessons learned from traditional enterprise infrastructure protection and data protection models and apply that to the Internet of Things?

We're doing some pretty cool work at Ionic. The government is obviously very interested in making sure that IoT is secure. The Department of Homeland Security, for example, awarded us a Phase One contract to go out and do some interesting data protection initiatives around the Internet of Things. Then they followed up with a Phase Two round of funding and we're actively working on that now. At the end of the day, it's just about protecting the data and making security accessible to individuals.

How can CISOs effectively deal with “shadow IT resources,” those non-sanctioned business resources that often bypass official channels to deploy technology?

That's certainly a challenge. I know every IT administrator and CISO deals with it. My advice is to essentially create an environment that's secure but do it in such a way that it's transparent to the end user. That means when you're doing your day-to-day business, there's no reason for security to get in your customer’s way. You should be able to create a secure environment so your users operate in a frictionless way. On the business side of things, we want you to ultimately be as productive as possible and to move and operate as efficiently as possible. If security gets in the way, that's what traditionally caused these shadow IT resources to exist.

Adam Ghetti, Ionic’s founder and CEO, uses the example of getting a glass of water. You just turn on the faucet. You don't have to think about all the processing and everything that it took to get that clean water into your glass. You just drink it. It's there. It's just something that happens.

We want to get to the point where security is like that all over the place. If you do something or your system does something that's out of bounds of what’s normal, that's when security should be there. Much like your ABS brakes or a seatbelt works, it saves the day when needed but shouldn't be in your face.

In my experience, being transparent when both communicating to our customers about what we're doing for security and how we operate the security stack in the background is how I deal with many of the shadow IT resources. I want my users to default to using my environment because they feel safe enough to do so without worry of losing productivity.

I also think there's a balance between education and establishing procedures. Communication is certainly part of that. It definitely helps to have a conversation with your users and understand their frustrations and challenges so that you can tweak your security stack. That’s why cybersecurity implementation is such an art and takes creativity. CISOs have to answer this question: “How do you secure an environment in such a way that people can operate in a frictionless way?” I think that's why cybersecurity is challenging for most people because a cookie-cutter approach doesn't work. Every network for which I've had cybersecurity responsibility has had a different look, implementation, and set of technologies. The strategy has all been custom-tailored to that environment for maximum impact.

With threats becoming more organized and frequent, how much emphasis needs to be placed on end user behavior modification rather than just security awareness?

There's a balance between leveraging technologies in such a way that you can create the most secure robust environment possible while still giving people access as appropriately as they need it. For example, if you take the metaphor of visiting a large city, there are obviously pockets where crime is high. And there are certain times of day when the threat is much higher, and so you just don't go to those areas at night alone. It’s helpful to know that and be reminded. Education is part of that. You want people to know how to operate in a safe manner.

But people also get mugged in broad daylight in the middle of the city. So, CISOs have to be prepared and respond to those types of unexpected events and limit the damage should something like that occur. But it's about balance. As security awareness and people's understanding matures, you can start having some of those higher-level conversations about, say, ransomware. But at the end of the day, my grandmother just wants to check her email. She doesn't necessarily need to know what cryptographic algorithm some ransomware is using.

How has the role of the CISO changed over the past 3 – 5 years? How do you see it changing over the next five years? What do these changes mean for the mandatory skill sets of a CISO?

The CISO role is one of the most dynamic executive roles that I've seen. Over the past three to five years, I’ve talked to many people who were steeped in the traditional IT operations side of the house before moving more into the cybersecurity side. It was pretty rare to find somebody who had been doing cybersecurity for their entire career. Traditionally, CISOs were computer scientists, computer engineers, or someone who maybe was a hobbyist and fell into cybersecurity.

Now, you're starting to see many people who have been cybersecurity experts for their entire professional career taking leadership roles. But as I mentioned earlier, much of the CISO focus had to do with infrastructure protection. Now as we start to focus more on data protection, that area opens up the conversation for privacy. Reading the tea leaves for the next three to five years, I think privacy is going to become one of the biggest new tasks in the CISO’s job jar. If you take a look at General Data Protection Regulation (GDPR) in Europe, we're looking at some incredible fines for non-compliance—as much as four percent of a company’s global revenue for a PII breach. I can see privacy becoming one of the new things upon which a CISO focuses.

Because the CISO is in charge of security, and security essentially ensures privacy, I think those two roles are going to be inextricably linked. CISOs will need to recognize that privacy is important and then have the means to actually provide the privacy for the business. The question that will be asked of CISOs is: "How are you going to protect me from having to pay four percent of my global revenue with the data we hold?" For me personally, that makes the CISO's role really exciting, especially at Ionic. Essentially, our platform enables you to do some really awesome data protection and segment it appropriately. I can only imagine that the rest of the world will follow suit with GDPR. GDPR is just the tip of the iceberg. CISOs will need greater dynamic visibility of where their data is flowing and how it's protected.

While privacy might change the CISO skill set a little bit, I think fundamentally if a CISO understands data security and infrastructure security, they will be fine. Those skill sets directly apply to privacy through data protection. Instead of standing up a new Chief Privacy Officer or some similar role, much of the privacy responsibility will fall to the CISO—just given the digital nature of trying to protect all that personal information.