Podcasts
Afternoon Cyber Tea with Ann Johnson
Ep 46
Afternoon Cyber Tea with Ann Johnson 2.22.22
Ep 46 | 2.22.22

Building Customer Trust in the Face of Cyber Attacks

Show Notes
Transcript

Ann Johnson: Welcome to Afternoon Cyber Tea with Ann Johnson, where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision makers. I'm Ann Johnson. Today I'm joined by Wendy Thomas, who is the president and CEO of Secureworks. In June 2021, Wendy took over the reins of the company from acting president of customer success, where she led product and engineering, operations, customer experience and Secureworks threat intelligence-focused counter threat unit and moved to CEO. 

Ann Johnson: Last year Wendy was named one of the top 25 women leaders in cybersecurity. And Wendy is no stranger to the C-suite. She has more than 25 years of experience in strategic and functional leadership roles, having served as a chief financial officer, chief product officer and vice president of strategy. Outside of the office, Wendy serves as a liaison for AFS Intercultural Programs and International Youth Exchange Organization, and she also leads the Pride Employee Resource Group for Secureworks employees to network and drive inclusion and education efforts with the company and larger community. Welcome to Afternoon Cyber Tea, Wendy. 

Wendy Thomas: Thanks, Ann. I've been looking forward to this conversation all week. 

Ann Johnson: I have, too. This is incredibly exciting. And by the way, I am also the Microsoft executive sponsor for our GLEAM employee resource group, which is our global LGBTQIA+ employees at Microsoft. So... 

Wendy Thomas: Fantastic. 

Ann Johnson: Maybe we can talk about that as we talk. 

Wendy Thomas: That would be great. 

Ann Johnson: So I love seeing that part of the title before you became CEO included president of customer success. And we certainly aren't successful if our customers are not successful, and cybersecurity is a big part of that. What do you attribute as the key to your security approach of building customer trust during this time where we're seeing all these unprecedented attacks? 

Wendy Thomas: Well, as you know, trust is everything in the security business, and there's frankly no shortcut to earning it in the first place. And you have to re-earn it every day, which is why we were very thoughtful in crafting our mission statement that we live by every day. And that mission is to secure human progress because what that means is we're all about securing our customers so that they can fulfill their mission. And this - as you mentioned, in today's threat environment, there's just no set it and forget it, right? Our customers are really looking every day, day in and day out, for a partner - right? - with both the technology and the team of experts to back it up. 

Wendy Thomas: And our first interaction with the customer is often when they're calling us and experiencing one of their worst security moments, like a ransomware attack. And how we respond to them in that moment - it means everything to them. And over the years, I've just had countless customers share stories with me of how their loyalty to Secureworks began because of our response and partnership when we stepped in to put their organization back on a secure footing and how we keep them there now. And so when I created the customer success organization and stepped into that president role, we wanted to extend that feeling of trust and reliance throughout our customers' relationship with us every single day. 

Wendy Thomas: So our customer success team is very proactive. They partner with our customers. We have dedicated customer success managers whose job it is to know our customers and their business deeply, not just their security or their technology, and then be proactive in terms of advising them on their security posture, the threats targeting not just them but others in their industry, ideas around how to advance their security program and even just how to optimize their use of our data solutions. So in short, we're basically proactively trying to help them see around corners and stay secure, and that's really our definition of customer success. 

Ann Johnson: I really like that because it's very outside-in - right? - customer-focused, understanding the challenges that they're in and then building trust. You know, we say around here that trust is gained in drips and lost and buckets. So building that trust is so important. 

Wendy Thomas: That is absolutely true. And in this industry and the situations that customers find themselves in, those opportunities for those buckets are ever present. And you just want to make sure that that's not something that they have to face without you. 

Ann Johnson: Yeah. And, you know, it's no surprise - right? - given cyber is so critical in everything that our customers and employees and consumers do. And the pandemic has certainly increased this focus on security with remote and hybrid work. So it's required SOCs to rethink how they work, right? We know that IT groups are routing more traffic directly to cloud apps rather than through networks. And in this model, we also know the traditional network security tools are just aren't enough - endpoint signal, identity-based security matter even more than ever. 

Ann Johnson: So even under the best circumstances, managing and working in a SOC is stressful. And these aren't normal times. We know that your team is under a lot of pressure, and there's a lot of visibility concerns over balancing user productivity and security so that people can work from home. I'd love to understand how this has shaped the relationship in your security operations center, how you think about machine learning and how you think about human intelligence. 

Wendy Thomas: That is a great and timely question because the human intelligence side and the machine learning side - in security, one cannot thrive without the other. So clearly, automation and machine learning are incredible value adds to what security professionals can see and do at scale. The human intelligence side helps us make the machine smarter. On the - you know, automation is a game changer in really achieving one of the most important security success factors, and that's just faster mean time to remediation. 

Wendy Thomas: Having run security operations here at SecureWorks for a couple of decades, we absolutely understand the power of the machine, right? - security is really a big data problem - of enabling the human side to upscale, and I see doing that in really two primary ways. One, you need technology that lets you cut across all the silos of a technology estate and all the silos of individual security point products - your endpoints, your firewalls - for kind of that holistic, unified view of the threat. 

Wendy Thomas: And the second one is not just the automation of the detection of those threats, but it's really the automation that humans have had to do for some time of contextualizing the threat and automating a lot of the previously manual or swivel-chair steps in an investigation. And because we've been trying to do that for our own business model for a long time, to automate as much as we can that are repetitive workflows, that's the kind of technology automation that we've built into our platform. 

Wendy Thomas: But then you say, well, what about the human side? So you've automated enough to let them scale up in terms of the value add work that they're working on that requires that human intuition. But the second piece is that what we see every day in the things that humans can do, it's got to make the machine smarter, right? So whether it's the discovery of new adversary tactics, techniques and procedures or new trends in vulnerability exploits that inform how we prioritize risks for customers, by having an incident response team that's looking at thousands of engagements and incidents and just being in the fight with our customers each day and hunting in their networks, taking all those learnings and informing the machine with that is part of a very virtuous cycle that gets that flywheel of mutual benefit and thriving going. 

Ann Johnson: It's interesting because there's those two opinions - right? - in cybersecurity, and I think it's a more nuanced conversation, as you were talking about, right? You'll hear folks say, well, you know, automation, machine learning, it's going to replace the humans in the SOC. And, of course, then you hear the other point of view that you're always going to need humans doing the same work. I think it's somewhere in between. You're going to always need humans. You're going to be able to automate the low-level tasks, and the humans are going to be able to solve really hard problems, which is what humans do well. Any thoughts on just that tension between those two thoughts? 

Wendy Thomas: I think you hit it on the head in terms of the healthy tension between those two. And the thing that I always think about is there is a human on the other side of this, right? So they are figuring out how to use tools and technology to get into your infrastructure, and so they are leveraging machine learning. But they've got that human intelligence application as well on the adversary side. So I just see it being a ways off before there doesn't need to be a human on the good guy's side figuring out how to stay ahead of them and using the machine to do that. So I think for the foreseeable future, we're in a very balanced situation there. 

Ann Johnson: Yeah, I think so. And I also think as we move through this conversation, one of the changes we saw was for a period two years ago, just about everybody went home, right? Anybody who was able to go home, you know, 80% of global employees, 80-plus percent of global employees went and worked from home. Now we have a lot of people coming back, and we're in this hybrid world. And the hybrid feels like it's the new normal. We will likely get more people coming back to the office over time. But how does that reality - right? - the remote work policies in a hybrid environment versus having everyone home or everyone on premises in your office - how does that change how a SOC needs to think and adjust and work? 

Wendy Thomas: You know, the experience of the last couple of years really forced us to see and do what many of us didn't think was possible and really has opened up our eyes to - I hate to say normal these days but a new normal - and, frankly, created a desire in a lot of us to keep the kind of flexibility that we've seen over the last couple of years. And so the SOC, I think, is particularly interesting because it's always been a place more tied to physical location and co-location of employees than other functions, right? It's physically secured. You got your experts co-located together. It's a 24/7 operation. It had a feel of in-the-moment training for kind of early career analysts. And for us and, I think, even for many of our customers, their SOC was a showcase, right? - this visual representation of a pulse on security. So it was difficult to imagine how we could address those needs - those use cases - better in a remote model, both from an operational point of view and from a teammate point of view. 

Wendy Thomas: And while certainly there are - there's no perfect model or the trade-offs are inevitable here, I do think the virtual SOC has offered us opportunities that we didn't see before on improving on that model. And one of the biggest ones has been around talent, right? This is an industry, all faced difficulty - finding, hiring, retaining cybersecurity talent. And operating a virtual SOC is a great opportunity to expand your pool of potential security team members globally so they can support their kind of desired life-work situation with a SOC career that might not have been possible previously. And when I think about the ability to cover time zones without that dreaded night shift, there's a real-life improvement there for your team that is material. 

Wendy Thomas: But that can be - it can be tricky to do this well because there's certainly a benefit to being co-located together. As we've found, a few things have been very important for sort of recreating, if you will, that pod environment in a SOC, and it is collaboration tools, right? They have to simulate that environment - chat channels, easy-to-use virtual whiteboards, standing virtual conferences. Those are incredibly important. The one that we thought we had done a good job on but really learned a lot about - knowledge repositories, knowledge management strategies - these are especially crucial when employees don't have that chance for kind of serendipitous learnings that come from being side by side. So I think that as you're also automating kind of task brokerage between remote teammates and geographic locations, you absolutely want folks to be able to see very quickly what they need to do next without a whole lot of supervision and very smooth handoffs. 

Wendy Thomas: And the - I'd say the third one that's been the toughest, that is, you know, how do you get that sustained team building and morale without that awful forced, you know, video happy hour and to build that across this now more geographically and time zone dispersed team? And the one thing that you talked about hybrid that we've realized is just important to be in person is onboarding and to have a very structured process for introducing new teammates to other people on the team to just give them that foundation of where to go to help, where you assign a dedicated buddy and where there's just no dumb question to ask. And I think that initial ice breaker and just human connection at a front has been very important to just building a foundation that a mostly remote situation can endure. 

Ann Johnson: You know, I love how you put it really practical terms, the benefits of having a remote SOC, which leads to potentially better quality of life and better outcomes because people aren't working these shifts that tend to cause exhaustion - right? - but also the need to balance that with the connected fiber of having in-person onboarding, standups that are video, things that keep the team working cohesively. It's the way leaders today need to think about the organization. It's again - it's funny - I'll say it again. So it's a nuanced conversation. We find that nuance - we're not great at having nuanced conversations right now in society, but it is a nuanced conversation. 

Wendy Thomas: It is. It's all about trade-offs and just kind of finding the best of the new world. 

Ann Johnson: So when we think then about the way our customers are working - cloud native apps, cloud first apps, mobile devices - you know, less and less about the network perimeter, how does this help you think about the security posture you're going to recommend to your customers? And how does it help you think about the threat hunting that your SOC needs to do in a different way? 

Wendy Thomas: It is a new world. Certainly, the approach to the walled castle of a network perimeter has had to shift. And clearly, you know this well, the evolution to the cloud over the last several years - whether it's applications or workloads, compute - has required that the concepts, the tools and the techniques used in, quote, "network security practices" are really reshaping or being reshaped by that new perimeter. And so in that sense, the perimeter is as relevant as it ever was. It's just evolved to be very differently shaped and sized to include mobile devices and cloud services and other applications. And so what's interesting from a security perspective is, how does that show up differently? What's the new castle wall? Now, I was reading about the - so 88 - almost 90% of Fortune 500 companies are using Azure AD - Active Directory. So congratulations. Well done. And of those, 95% are using some type of single sign-on to just ease user access, right? None of us wants to use a million passwords, so all those companies have connected their on-prem AD or their kind of other identity or platform directory to their cloud environments. You've got this kind of hybrid identity model. And what we've seen is that - what that means is that breaching any of the on-prem component that's part of a hybrid identity model, unfortunately, opens up access to users' identities outside of that on-prem security perimeter, right? So it becomes the tunnel. So as organizations who are hosting applications in the cloud, it is really important that they have network security services and security controls on their environment. Like, this is important to securing the cloud still. And I think that the ability for organizations to kind of lock the front door, detect access, manage identity, is incredibly important because everything we see in instant response engagement and really just day-to-day management of security for customers is that initial threat vector is that the actor gains access to the organization - right? - through an endpoint - an employee's laptop or mobile device or through business email compromise or some type of web application, right? It's just a tried and true technique, and because from there they can get that the prime opportunity to mitigate that risk of that broader control or access, there's an increased need for security teams to have the combination of network data combined with other data sources like endpoints to just address these situations earlier in the kill chain. 

Wendy Thomas: And that combination of data lets security analysts understand how pervasive the incident is, you know, how or what systems were accessed or compromised and how large the impact might be. And so while network tools and techniques have developed over the past years to arm security teams with ways to begin a process of a remediation and respond to the attack, they've got to evolve now, of course, to be able to block and remediate attacks from the mobile device to the cloud service. But in short, it's still very much a completely interconnected world, and we can't just pick one place in the network to protect. You've just got to operate across it faster than the threat actor does. 

Ann Johnson: You know, I think we did a survey recently and 80% of senior IT and IT leaders felt that their organizations lack sufficient protections against cyberattacks. So this means that only 20% feel prepared. What guidance would you give the 80% that are saying we just don't feel adequately prepared right now and we're overwhelmed? 

Wendy Thomas: You know, with the headlines of the past year in particular, I can understand why a high degree of confidence around preparedness would be low. And, you know, personally, SecureWorks just completed our own migration to the cloud, kind of a two-year journey - completed that a few months ago. So I understand the difficulty of maintaining security as your business and your digital footprint is evolving. When I think about how you can have some practical steps to start to not only feel more prepared but actually have some objective indicators of your preparedness, very best one is to test yourself. Get help from the outside to test yourself. If you have a larger team, set a series of tests because - right? - no one runs a marathon without practice runs leading up to it. So you only know if your environment can withstand an attack - the safest way to find out if your environment can withstand an attack - is to test yourself. And that has to be ongoing because it's going to take time to shore up your posture. But the great thing about the testing for senior IT leaders is that that testing provides much more objective information to your C-suite - your board - around investments and changes that need to be made. So first, you just get a better sense of reality instead of the unknown. 

Wendy Thomas: The second one, and we do this here at SecureWorks as well, is you prepare for the worst - right? - so you know what to do and how you'll react if there is a breach. So by engaging in simulation - right? - tabletop exercises, the team can build confidence that they have not just the proper controls in place, but they have the playbooks at the ready and the skills on the team ready to troubleshoot and run their playbook for remediation. So even exercising your communications plan so that your customers keep trust with you during a serious situation is an important part of that and just makes you able to sleep just a little bit better at night. 

Wendy Thomas: And the third one, which is such a human factor, is around the relationship of the security teams to the business and very much being a strategic partner so that security is seen as an enabler of the business, a protector of the business and the brand, rather than this compliance thing that slows things down, makes things less efficient. Because one of the biggest risks is that security is held to the side as the business is deploying a new application or making technology changes in the business to support strategic priorities and security comes in kind of at the last minute. It puts the business at tremendous risk. So evolving the relationship of security to the business is really key to a collaborative approach that keeps you safe all along the journey. So those are probably the three biggest things I would recommend to start to be able to sleep a little bit better at night. 

Ann Johnson: I think those are all really good recommendations, and I think that we always try, on this podcast, to give practical advice to our customers. So I love the fact that you're standing in there and giving really practical advice on things that people can focus on today - right? - and that don't necessarily - I always say this - cost them money. You don't have to go buy a bunch of new tech. You need to do things that are really - to become more resilient and drive cyber hygiene. And speaking of that resilience, we know there's this huge shortage in cyber talent. What are you doing to actually build, to train, to retain, to recruit the next generation of talent? 

Wendy Thomas: That is a great question because there are some real fundamentals to addressing this gap, and it's - it is one of the top three pain points we hear from prospects all the time. How do - how can I navigate the talent challenge? And it's more than just the compensation factor. I'm just going to put that to the side. When we think about putting thoughtful time and attention to attracting, growing and retaining great security teammates, there's really been three things that work for us. 

Wendy Thomas: The most important one is that mission matters, so giving security teammates that sense of belonging to a strong, collaborative community tied to a purpose that is important, right? This is the same thing I mentioned before. If the security team feels like the police or the cleanup crew, that is a very different feeling than feeling like they are part of protecting the brand and protecting their company's customers. That mission and the way that the security team is positioned is incredibly important to attracting and retaining that kind of great talent. 

Wendy Thomas: The second one is that these are curious folks, learning folks. They like seeing technologies and working out the puzzle of detection and hunting, and so continued learning and development, a career path for them, a framework by which they can grow their competencies in key areas of security is really important to them feeling a sense of progress and accomplishment and, frankly, feeling in control in a space that is changing so fast, all of us struggle to maintain current knowledge. So helping them on that journey is something that would make them stay. 

Ann Johnson: And I think that's part of it, right? We all talk about recruiting folks. The retention piece is something I don't think we make enough focus around. And these are really demanding, stressful jobs. Is there anything in particular that SecureWorks is doing - just anything super innovative on the retention front? 

Wendy Thomas: You know, I think it is just continuing to do the fundamentals. I - the other big thing - and we have a certain advantage, just because security is what we do - is that great talent attracts great talent. And so having a place to work - and customers who partner with us get the same experience, too, of - we've just expanded their team - is that few people want to be that team of one or that single hero. And being part of a team where you can truly learn and develop and, you know, talk to someone that you admire in the space and get their perspective on things is a really important aspect. 

Wendy Thomas: So I think the biggest thing we've been doing on that front is sharing that broadly with the community. So we've developed a certification and online training program and folks, you know, post on LinkedIn to be able to share that they've passed the MDR analyst or the threat hunting analyst certifications, because growing that pool of security talent out in the marketplace - it's a broader commitment that we've made, that I've personally made, to solve this problem for sort of the broader good, if you will. I just - this is a - solving this talent gap, you know, in a fight we can't afford to lose is - it's the private sector's job. It's the government's job. It's universities. It's parents. We all need to get out there and explain what a fulfilling and important career cybersecurity is. I've made a personal commitment to that in terms of diversity, as well, that helps us recruit early on in the education life cycle of kids to consider this as a great career to be in. And I think that's really the answer. They can be a hero. 

Ann Johnson: Yeah. And I think that that's a wonderful way of looking at it. And security is mission- and purpose-driven work, right? So the more you can emphasize that, it's amazing. So given - you know, you talked a little bit earlier about recent attacks and news of the past year. Can you share a little bit with our listeners about what you're working on now? 

Wendy Thomas: Absolutely. One of the really interesting things that we're working on that I'm incredibly excited about is an approach to detecting adversaries that only our experts have been doing over the years. And it's something we call TACTIC GRAPHS. So if you think about adversary tactics, techniques and procedures, this is something that we have patented. And it's essentially a new way to assess threat actor behaviors, identify those TTPs from the learnings that our Incident Response team conducts each year. They would do thousands of engagements, and we're continually learning about malicious activity in those engagements. Now, when you build this type of detection, it can be incredibly noisy, right? So when an analyst or an investigator sees this type of behavioral activity of a threat actor who's using a system admin command to kind of live off the land, so to speak, without introducing malware, humans can see patterns in the noise a lot of times and spot that malicious behavior. But how do you turn that into the machine learning piece? So our engineers and our researchers developed TACTICS GRAPHS, which let us narrow in on those TTPs. And essentially, you're rolling up behaviors into one technique. Those techniques are rolled up into a tactic, and that tactic is basically trying to obtain an objective rerouting business transactions via business email or such. 

Wendy Thomas: So by combining those behaviors into techniques and tactics, we can both reduce the noise of alerts of potential activity, but detect much broader types of malicious attacks that don't necessarily use malware. It's not just the amount of data, right? There's the diversity of data there. So as we see sequences of different types of events that we need to correlate together into tactics - right? - like a third-party email phishing alert, followed by successful authentication from an unusual location at an unusual time, this is how we are able to find activity early in the kill chain. And you get a much greater benefit of going after higher level tactics because it is so hard for a threat actor to change these types of techniques that they've honed over years of experience. And so once you are able to detect that, their friction of having to change those procedures is much more than just having to go out and use a different piece of malware. So we're all about disrupting their business model, and TACTICS GRAPHS is an absolutely innovative way to create friction for the adversary. 

Ann Johnson: So thank you. We always want to leave our audience with a couple of things that are related to next steps - right? - practical advice. What are two pieces of practical advice? 

Wendy Thomas: Two pieces of practical advice. I would say - and we touched on this a little bit - it can be really tempting to focus on future threats and technology changes and the impact they might have. But honestly, first and foremost, it really is about the fundamentals. I only half-jokingly say that people think that buying a treadmill will make them lose weight. Nope. It really is just getting up and putting one foot in front of the other. And security is much the same way. So when you think about creating friction for them, making your house the one that's well-lit, the doors are locked, the windows don't open, that's what we see as being the most effective in staying secure. So patch those internet-facing systems. Make sure you've got multifactor authentication on remote access systems. Run hunts. Run tabletop exercises. Test your resiliency as an organization. I mean, the best thing we can do to overcome these headlines is to just make sure we all have the basic controls in place to prevent, when prevention fails, to detect, and to be prepared with a great partner if something does happen - so just the fundamentals. 

Ann Johnson: That's fantastic. Well, I want to thank you so much for joining us on "Afternoon Cyber Tea" today and wish you the best of luck in your CEO role, though I don't think you'll need it. Sounds like you have things well under control. 

Wendy Thomas: Well, thank you, Ann. I really appreciate the opportunity to talk with you today. 

Ann Johnson: And I want to thank our audience for listening. Please join us next time on "Afternoon Cyber Tea." You can find us on afternooncybertea.com or wherever you get your favorite podcasts. 

Ann Johnson: We chose Wendy Thomas to join "Afternoon Cyber Tea" because she is the new president and CEO of SecureWorks, which is a company that has a long history of helping organizations secure their environments, and I wanted to get Wendy's point of view. She's a very, very accomplished and experienced executive leader, led customer success at SecureWorks, so I knew she'd have a tremendous perspective about what we need to do today to help organizations and what the future looks like. And this conversation absolutely did not disappoint.

Afternoon Cyber Tea with Ann Johnson
Podcast Info
HOST(S):
Ann Johnson
Ann Johnson, CVP of Security, Compliance and Identity at Microsoft, oversees the long-term security investment and partnership strategies helping organizations become operationally resilient and unlock capabilities of Microsoft's intelligent cloud and next generation AI. From the way we tackle cyber threats to the language we use, Ann encourages the industry to get outside its comfort zones to expand how we address the evolving threat landscape.
Schedule: Tuesdays
Credits: Executive Producer is Bruce Bracken, Co-Executive Producer is Greg Ormsby, Producer is Rob Petrillo. Production Manager is Max Solomon, Scheduling and Administrative Support is Annalisa McBride, and our Audio Engineer (and magician) is none other than The Great Rich Cerbini.
Creator: Microsoft