CISO Conversations

Conversation with Michael Blache, CISO, TaxSlayer

Back to list
Michael Blache, TaxSlayer

Michael Blache



What do you see as the most significant positive steps that government, business, and the security industry have made in the past 24 months to improve cybersecurity?

There seems to be more of an effort to define the terminology that drives security. For example, we hear the term "due diligence" a lot in the security field. And there's been more of an effort to define exactly what that means. In the past, a lot was left to interpretation for each specific industry. And I think the government has stepped in to try and help define exactly what due diligence is all about.

Of course, the first step to creating a more secure environment is to admit a problem exists. That admission is what has helped drive increased collaboration between the government and businesses in specific industries. For instance, in the tax industry we've actually started getting together with competitors to share information and help each other fight against cyberattacks. Industries as a whole usually see the same types of attacks. It's much easier to fight threats as a group than it is to fight attacks or problems on your own.

What impact has the Internet of Things had on cybersecurity planning and how has it affected your approach to operational and physical security?

Well, just like in the past it first comes down to physical security in the business locations and data centers, especially given the extremely small size of some new IoT devices. You've got Raspberry Pis that weigh about as much as a credit card and are about the same size. It's really difficult to find or detect if those things exist or have been introduced into your environment.

The key is to make sure you identify what assets you have that you're really trying to protect. Then, physically separate those assets in a manner that makes the introduction of unsanctioned small IoT devices very difficult.

On the flip side, people deploying these devices throughout their homes makes detecting the source of a threat more difficult. While you're investigating an incident, just because the device says it's coming from Bob's house down the street doesn't necessarily mean that's really where it's originating. The industry has had those problems in the past with Tor networks and similar setups where people can anonymize and disguise their location. It's just becoming much more prevalent now with the Internet of Things.

As far as the development of IoT devices, security always comes down to a risk assessment. I can't say I really blame the device makers for the somewhat limited security on today’s devices. I wish they would put more effort into the security aspect of them, but ultimately when they're building these devices it's like a TV. There's only so much that you can end up putting into the security aspect of it. Your budget for securing a TV is going to be a lot less than your budget for securing a database that houses a bunch of PII.

If you lock the device down too much, people can't do what they want to do with it. If you don't lock it down enough, you can have situations where people's privacy could be compromised. Either of those can be bad things. One is bad for the bottom line of the company. The other one is bad for the user. It's just a matter of where they weigh that risk and decide which way to go with it.

On a personal level, I love Internet of Things devices, I have them all over my home. But they are segmented and away from stuff I really care about protecting.

How can CISOs effectively deal with “shadow IT resources,” those non-sanctioned business resources that often bypass official channels to deploy technology?

I think the key to dealing with shadow IT is to always keep in tune with the trends that are going on inside your industry, what people are using, and what kinds of new technologies are coming out. People are going to do what they want to do whether you allow them to do it or not. They're going to find ways to do it. So, it's really hard with shadow IT resources to police things like Evernote and Dropbox. I have a blind faith in people that ultimately they're trying to do what they think is best. So, I like to listen to what they're trying to accomplish and figure out a way that we can accomplish what they want while also keeping the assets of the company secure.

If that means finding out we can get an enterprise version of the technology or even a competing product that we can audit and still provide them the flexibility they need, we just give them that option. Now, does that mean that they're absolutely going to use that solution? No. But the hope is that if we provide that resource, we can get them to use the approved methods instead of trying to figure out a way to do it their own way. We've had pretty good success with that. It's about providing options.

With threats becoming more organized and frequent, how much emphasis needs to be placed on end user behavior modification rather than just security awareness?

We actually treat workstations as hostile here. We know that it's not a matter of if but when. We always look at the end user as being the weakest link and the entry vector into the organization. That’s not meant as an insult to our users. It’s actually a compliment to the attackers. The bad guys are just too sophisticated and they can make even the most security conscious person do something they normally wouldn't do. We're actually moving toward what we call a “wild wild west” environment with our workstations because we know they are going to get compromised at some point in time. So the question is, "Does the compromise of the workstation lead to a compromise of the assets we actually care about?"

We focus most of our resources on protecting the assets we care about, which aren't on the workstations themselves. That helps limit the risk of the workstations becoming compromised. Even if the user clicks on a link in an email or they get a drive-by download from an advertisement on the web, it won’t impact critical assets. At the same time, we are still going to focus on those behaviors with the employee to say, "Hey, I know you understand you don't have direct access to these assets, but you still need to be aware." For example, we use a program called PhishAlarm, which allows the end users to, with a single click, forward an email they think is bad to an analyst to check. The user typically gets a response within five minutes. Those are the types of behaviors we teach our people to help protect them.

How has the role of the CISO changed over the past 3 – 5 years? How do you see it changing over the next five years? What do these changes mean for the mandatory skill sets of a CISO?

The biggest thing I've seen is the growing number of CISOs. Companies that three to five years ago didn't think they needed one are starting to realize that they do. They need that dedicated resource to help protect their organization. One of the things that we've done is separate the security department from the IT department and have the CISO report directly to the CEO. That way, the conflict of interest between operations and security goes away. The security part is focused on security, and IT is focused on operations.

I've seen that happening more and more in organizations. But I think the biggest change is the CISO role itself expanding even within smaller organizations and not just the big behemoths.

As the collaboration between the government and business entities continues, it's becoming more and more clear that even the small companies are going to end up being held responsible for due diligence. They're going to need some sort of a security department that's dedicated to handling these types of issues.

Going forward, I think the skills needed to be a CISO will blend technical and operational skills with strategic capabilities. A part of that is the regulatory component. There is so much paperwork that goes along with this job that a CISO needs to be good at both. I think if you have the experience of actually running an IT shop and knowing how to strike a balance between security and what works in operations, it will help you succeed. I don't think you can be very strategic without that type of balance. It's really easy for someone in security to come down and say, "Okay, turn on this setting because it's going to protect us from such-and-such attack." But if you don't have that operational experience, you might not understand that if you turn that setting on, all your applications are going to break and you're out of business.

Your number one goal is to protect the business. That's why you're there. That's why you get paid. Then you need to strike that balance between what it takes to secure the assets of the company versus what it takes to provide the services you are providing for your customers.