CISO
Cybersecurity's increased visibility and attention are a positive thing, whether something we did right or something that organically occurred. When I started in this industry, I was literally in a basement at the large investment firm where I worked. We got very little attention from our leadership and the thought was just, “Yeah, I guess we should do some security stuff and throw some money at it.”
That's obviously changed. Almost every board and executive committee has developed a real focus on cybersecurity. You even see evidence of it when you look at something like the recent Yahoo deal where a breach had material impact on a key strategic business decision. We’ve seen cybersecurity breaches become material business drivers for organizations that are trying to do very specific, strategic things.
I don't know if that's always a good thing but we've certainly seen it become a prominent element. Another positive thing I’ve noted is that companies are starting to recognize that security can be a product differentiator in the marketplace, especially if you're providing a consumer service. This is also true in business-to-business services. If you're trying to sell something to a consumer or a business, your attention to security becomes a way to differentiate that product. It's become a whole new market for advancement and development of products and services. Again, this is not necessarily good or bad. It is, however, a side effect of the maturation of the security industry.
I think that the most interesting and important aspects of IoT are not IoT itself. In other words, the fact that my refrigerator has a computer in it is not itself all that interesting or exciting. Rather, the interesting thing is the interconnectivity of such computers everywhere doing all sorts of things in all of our daily lives: in our homes, in our offices, in our pockets. And that kind of omnipresence of computational power and connectivity brings a whole bunch of challenges around privacy, security of data, and even ownership of the data.
I think we're still in the early phases of this trend, and so our planning isn't presently doing anything unique to account for IoT or related risks. However, it's certainly something that we're keeping an eye on as it evolves. Security is often an afterthought in product development, unfortunately, even in 2017. This is especially true in small startup, crowdfunded environments with a lot of bootstrap product development. Security is often thought of in "yeah, yeah, we'll get to that" terms. The message is, “Let's get our core product functionality working and we'll bolt on security later.” And of course, we all know the limitations of that approach and the challenges that come along with it. When you've already built something and only then find structural flaws, you have to retrace your steps and repair these flaws.
Your desktop computer, for example, has a carefully thought-out process for managing the lifecycle of the software that's installed on it. There are regular updates that get applied. There are ways that service providers prompt and nag you to make sure the system is as secure as reasonable.
Many IoT vendors aren't necessarily focused on these processes, though I will say that from my limited experience I don't believe that the lessons of the past are completely unheeded. From the simple use of a few home automation tools, I do see thought given to concerns like regularly updating the software. There has clearly been an effort to ensure that there is some sort of administrative interface for things like managing login credentials. That said, I would certainly expect that we will be dealing with vulnerabilities in embedded IoT platforms for some time to come.
At my most recent companies, HBO and IAC, it's been much more of a light-touch culture from a policy perspective. I think security professionals do well to exercise a bit of carefully considered “security jiu-jitsu.” Across companies, such “shadow IT” services are indeed creeping into the organization. Suddenly, everybody is using Slack. Suddenly, everybody is using Google Drive. Rather than trying to ban it, block it, prohibit it, and stop it unilaterally, I think that in many of these cases one is better off acknowledging, "Okay, this is what people want to use. Let's just embrace that fact and do what we can to minimize the associated risks."
We try to do this as securely as we can, starting with awareness, communication, and policy around the resource’s use. We would also want to capture as much of the usage information as possible and implement centrally managed platforms so that if people are using these tools, at least we have some ability to perform access control and pull back data when people leave the company.
I think we may have to open our arms, give shadow IT a metaphorical hug, and make peace with it. However, the force of that statement depends on the culture of the organization and what the organization is managing or protecting. If you're a heavily regulated organization such as a big bank or financial institution, I do believe that the expectation should be that you're taking a much harder line and managing things with a firmer hand.
I am a technologist at heart and have always preferred technology solutions versus behavioral solutions to security problems. A well-implemented technology solution has the potential to be a lot more effective than behavioral-based solutions because people are simply a lot more fallible than computers.
As security practitioners, I don't believe that we are permitted to throw up our hands and say, "Oh, you know, there's nothing you can do about phishing. You just have to train your users and hope for the best.” Or, “There's nothing we can do about people downloading and installing malware. You just have to cross your fingers."
We should be pushing the developers and manufacturers of security technologies to do better and keep us ahead in the arms race. That said, it is an arms race, and there is a lot of innovation and advancement on the attacker side. You have to make sure that your users know how to keep themselves safe.
In other words, one must have a mix of both. But I'm personally a lot more satisfied by technology solutions because, frankly, they're just more effective.
In the last three to five years, the CISO role has evolved into a more nuanced, complex role involving strategic planning, organizational development, and efficient implementation of intervention and prevention efforts. CISOs are now frequently consulted by top executives, for example, in the initiating and negotiating of business decisions. Security, in this way, has clearly ceased to be a “yeah, yeah we’ll get to that” add-on.
This is visible in two key areas. More and more often, I see organizations putting responsibility for operational security tasks like patching and firewall management in their IT chain of command. Dedicated security teams ought to retain specialized operational responsibilities like threat hunting, penetration testing, and incident response in addition to governance, oversight, policy development, reporting, etc.
Secondarily, I now often find the security team established at a high level in the organization, perhaps under a CTO but often not under a technology leader at all. A CISO may now report directly to a CFO or COO. I think that speaks to the prominence and visibility of security and the value placed on keeping that perspective independent from the broader technology organization.
To sum it up, visibility for the CISO and the increasingly complex demands of the role have been the big change. Yes, the ideal CISO still needs a solid understanding of the operational tasks that comprise a security program. Now, however, the CISO and other top security leaders must be people who can assess risks strategically, develop programs that dovetail with the structure and interests of the business, and communicate these effectively to business leaders. This will build trusting relationships with key stakeholders in your organization, ensure that your security program is effectively delivering on your goals, and allow for a streamlined achievement of business objectives.