CSO Perspectives (Pro) 6.14.21
Ep 50 | 6.14.21

CxO professional development.

Transcript

Rick Howard: Hey, all Rick here. If you've ever heard me speak in public or listen to some of the podcasts and webinars I've done here at the CyberWire, you may have heard me explain this idea I've had for years about this profession of ours, this cybersecurity network defender occupation. It goes something like this.

Rick Howard: Do you know what I love about the cybersecurity profession? It never changes. There's always some bad guy doing some new devious and dastardly thing to our networks, stealing our data, or destroying our infrastructure. But if I'm being honest, it's usually cool and sexy and an "Oceans 11" kind of way in how the heist is all very complicated, but ends with the gang like Brad Pitt, Matt Damon, Carl Reiner and the rest all lined up silently looking at the lovely Bellagio water fountain in Las Vegas, Nevada, after successfully completing their tasks, not talking, just enjoying their success for a minute, saying goodbye with their eyes, and then slowly walking away from each other.

Rick Howard: But it's definitely bad and we shouldn't be romanticizing it. And like I said, constantly changing, and that's the part I love. Our profession reminds me of one of my favorite old Disney cartoons. When at the beginning of the movie, Pocahontas sings about why she loves what's just around the Riverbend. As she says, you never step in the same river twice, and that's the way it is in cybersecurity. What can I say? It's exciting. Let's just say that we will never be bored. 

Rick Howard: But do you know what I hate about the cybersecurity profession? The river is always changing. There's so much information that we need to consume and understand in order to stay current in our profession, that the task is almost impossible to accomplish. It's so daunting that many of us don't know where to start. That sounds like a perfect discussion topic for the CyberWire Hash Table. 

Rick Howard: My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.

Rick Howard: As you all know, I'm an old intelligence guy from my former U.S. Army days, and my experience running a couple of different commercial cyber intelligence units. I treat the subject of CxO professional development as my own personal intelligence collection exercise. I first have to identify the topics I'm interested in, and then I have to identify the trusted sources that I can use to learn about those topics. 

Rick Howard: For the first part, each year I draft information requirements for me to pay attention to. The cool kids in the intelligence circles call them IRs. For example, this year I've been tracking any evolution of our first principle strategies, you know, resilience, intrusion kill chain prevention, zero trust, and risk forecasting.

Rick Howard: I'm also interested in new technologies that I believe will shape the future of the security stack in the next five years or so. Things like SASE, or Secure Access Service Edge, and SDP, or Software Defined Perimeter. I'm further interested in concepts that are not quite there, but I believe we'll have a major influence in our community like security orchestration across all of our data islands, like hybrid clouds, Microsoft, Google, and Amazon, for example, SaaS tools. I mean here at the CyberWire, we're running the business on over 20 SaaS tools, data centers, the traditional kind that many of us still run, mobile devices and office buildings. Orchestrating the security stack for all those data islands is a problem the industry needs to solve and I'm looking forward to it.

Rick Howard: I am also interested in future tech, not security tech per se, but tech that will likely challenge the entire network defender community about how to secure those environments they impact, like artificial intelligence and machine learning, quantum computing and 5G. 

Rick Howard: On the people side, I'm interested in how to improve diversity and integration in our organizations and how to incorporate the ideas of intersectionality in the industry's hiring practices and promotion policies. I am also interested in how the industry is trying to fill the employment gap by transitioning veterans into our community and educating young women and minorities early about how great the network defender community is. And lastly, I'm also interested in any tips on how to convey the security status of my organization to the board. 

Rick Howard: All those topics are just me. They are what I'm interested in. So I thought I would get a second opinion. I asked Gary McAlum, the former USA CSO, and now, since he stepped down from that job in the last month or so, he has time to be a regular here at the HashTable with us. So I asked him about what he saw as topics that CSOs should be paying attention to. 

Gary McAlum: I think it's really important to stay up on current events. Current events in general, across the world, the economy, geopolitical events. But in particular, the cyber business, which is not hard to do these days, because it tends to be front page, whether it's colonial pipeline or JBS or the Massachusetts Transportation Authority. 

Gary McAlum: Artificial intelligence is one. AI has been around for awhile, but it keeps coming up now. This is probably due to some marketing hype that's out there, AI-enabled cybersecurity is being sold as the silver bullet. I'm very interested in seeing how AI has evolved. This is not new to cybersecurity, I think some of it gets thrown out as a tagline. 

Gary McAlum: Machine learning is a early version of an AI type of model. But truly AI-centric type of technologies, platforms and algorithms, I'm not sure that I've seen that yet. And so I'm really interested in staying more up to date on artificial intelligence is seeing how it's evolving. 

Gary McAlum: As I talk to startup vendors and new technologies, they have this great presentation. And they describe, "oh, this is what it can do." As the person who has to implement it in an IT environment, I'm thinking, how would you operationalize that? And when you dig into that, sometimes there's not a great answer there. It's a little bit of " we'll figure it out as we go." And that's not a great answer either. How you operationalize these technologies versus talk about them in an academic PowerPoint salesmanship type of environment is key to me. 

Gary McAlum: When you get it to the whole facial recognition aspect,  the inherent bias of facial recognition algorithms against people of color, for example. Then you translate that into how do police organizations and law enforcement organizations use it. Then you get into this whole conversation that's very disturbing around, "Hey, listen, this bias is driving us to profile a certain demographic incorrectly." There's a whole conversation around that. 

Gary McAlum: That is a problem. How did we get there? Every AI application has some built in assumptions that have to drive it. There's human involvement in that and that's where I think the errors start to be ingested.

Gary McAlum: I want to definitely dig more into the world of data science and how that can be operationalized as well. Data science, isn't new. I think it's new to the cybersecurity space. When I was running, the enterprise security group for USAA, I was responsible for fraud. If you've been in the business of fraud, consumer fraud, financial fraud, they have tons of underlying models and algorithms that's based on data science. We hired PhDs in data science. But I didn't see that same level of rigor on the cyber side. We were buying great tools, but in terms of mining and understanding all the data that we were collecting and better operationalizing it, we were starting to say, we need to take a data science approach to this.

Rick Howard: I asked Gary if he thought that data science is somehow a subset of AI and machine learning since we're talking about massive collections of data for any current machine learning algorithm. 

Gary McAlum: No, I think I see machine learning as a subset of the AI conversation. I see the data science world as a much broader ecosystem of thinking and processes and rigor around all the different sources of data that's out there, how you can use them, how you can process them, how you can learn from them. And so there might be a machine learning component to that as a subset, but yet I think there has to be some of the tooling, for example, because the data science world can only be operationalized through the tooling. I do think there is a machine learning component to it, but it doesn't naturally jump out at you. .

Rick Howard: And since we're talking about massive collections of data here, I asked Gar if he thought visualization techniques were a key element to understanding this entire knowledge domain. 

Gary McAlum: Oh, absolutely. Spreadsheets are great, but the graphic visuals are worth a million bucks. My experience with some of our really smart data scientists, there's all sorts of underlying tools and capabilities, but if they could come up with a Tableau view of a problem set, gold. Gold. I became a big fan of Tableau along the way because our data scientists were using it to display great trends that they were able to pull out around datasets.

Rick Howard: Dawn Cappelli is the Rockwell automation CISO. And, by the way, a Cybersecurity Canon Hall of Fame author for the book that she co-wrote called "The CERT Guide to Insider Threats." Written in 2012, but it's still the most comprehensive source on how to think about insider threats to your environments. But she had a different take on what she was concerned about for artificial intelligence. 

Dawn Cappelli: Just last week I was researching security issues in artificial intelligence and it really centered mainly around the fact that, especially from a security perspective, that if you are creating artificial intelligence models to try and fight the bad guys, the threat actors in the security world, those threat actors know you're doing that. And so they're gaming your systems so that you are seeing something as being normal when it's really not normal.

Rick Howard: Clearly all three of us have artificial intelligence on our radar as a key information requirement, but Dawn also has other items on that list.

Dawn Cappelli: Right now the biggest thing in my mind is this whole supply chain security. We've been worried about it since 2017, when NotPetya was propagated through the software supply chain. We've had a high priority security initiative since 2017 looking at that. So we're ahead of the game, but, we were thinking about software that we include in our products. But now you're talking about like SolarWinds. You're talking about everything you buy and you bring into your company and to look at the software supply chain for every product you bring in is not real practical. I think we'll get there. Over the years, that'll just become the way that the business runs and you can't be selling software unless you have an SDLC and you have the software bill of materials, but it's going to take a while to get there. So that's top of mind right now.

Dawn Cappelli: But aside from that cloud security is huge, everything is now in the cloud and whoever would have thought a decade ago that we would be providing services through the cloud to manufacturing environments. That was unheard of. They want it to be air gapped from their enterprise, let alone the cloud. You've gotta be kidding.  But now it's cloud. Back in my insider risk days, I used to say, you have gotta be kidding. How can you put all your information in the cloud? It's all on there all insider threats to you that whole cloud company, and now look at where we've all gone.

Dawn Cappelli: I've been reading about watering holes again. It seems like they're cropping back up again, and we really have to rely on those companies that are running those cloud-based EDR services or DNS services. We have to rely on those companies to figure out that looks like a watering hole. I see the same bad thing happening in multiple customers around the world after they visited that site. That somehow we have to get that under control. That really is scary to me.

Dawn Cappelli: I think the most important thing is for people to pay attention to their own business. You have to understand what your company's doing, what their strategic direction is, what in new innovation, they are planning to explore. You need to be right in there on the ground floor. You don't want to have to catch up later. With companies implementing things like artificial intelligence in their products, you don't want to catch up to that later and say, wait, what did you do? Oh, released that. Let's think about that. I think just staying in touch with the business and knowing what your company is doing, and it's important because when new issues arise, new risks are identified. If you really understand what's going on with the company, then you yourself can make an assessment of, is this a drop everything issue that we have to address immediately? Or is this something that just can be put on the backlog for the next PI planning session? So I think that's the most important thing in my mind. It's non-technical but a lot of security people overlook.

Rick Howard: For any intelligence collection effort identifying the what you want to know about is sometimes the hardest part of the exercise you can see from this small sample size of three CSOs, me, Gary, and Dawn that our information requirements are not the same. 

Rick Howard: Besides the topic of artificial intelligence, the information requirements lists from all three of us are different. And that's perfectly fine. There's no right answer here. You're deciding your information requirements so that you can make decisions about the business down the line. If they're no longer working for you, get rid of them. And the great thing about them is that they are easily changed. If I find later that I don't need the information on Software Defined Perimeter any longer, I just take it off the list.

Rick Howard: But step two in this process is finding reliable sources of information to feed your knowledge. And there are lots of choices, but I divide them between staying current with the news, and keeping up to date with the latest changes in my information requirements. For news, since you're the organization's face for cybersecurity, everybody expects you to be fully up to speed on whatever is happening on any given day. All the time. Sometimes that gets us into a bit of trouble. Here's Gary talking about his experience as he was just stepping into a Zoom call on a panel for the National Association of Corporate Directors orNACD. 

Gary McAlum: Yesterday I was on a panel for NACD, that I was talking at and there were literally breaking news events around the Massachusetts Transportation Authority an hour before I was going to go on this panel. I was getting some news alerts on that. I was like, oh, I ought to know that before I go into this panel. Staying sort of continuous monitoring, in that type of mode, I think is important.

Rick Howard: For me, keeping up with the latest cybersecurity news is a standard morning routine. What I'm looking for is an executive summary of the news from the previous day and not to toot our own horn here, but the best cybersecurity executive summary I have found over the years is the CyberWire's own Daily Briefing. You can find it over at our website and I've been reading it every day since long before I joined the CyberWire. You can scan it in 10 minutes, see the latest announced vulnerabilities and suggested mitigations, recent published trend reports, the newest announced vendor tools and services, updates on tech and standards, summaries of the latest legislation and upcoming conferences. It has the added benefit that it's free. From there, I alternate between WIRED online and ARS Technica to see what their reporters have drummed up overnight, and to get some detail about what they're writing about. And Dawn has a very similar morning reading habit. 

Dawn Cappelli: I try to start the morning by reading the daily newsfeeds. I have several of them that come in. There are many mornings when I never get to those daily newsfeeds, but that's how I try to start my day. Get the coffee and find out what's going on in the world. Some of them are about the big new vulnerability, send that off to the vulnerability team, make sure they know about it and find out what's our plan. Some of them are new ransomware attacks. Some of them are ransomware attacks on our customers. So I'll send them to our business teams so that they're aware in case they need help. And then other ones are just, new technologies, new companies, new metrics. Just trying to get the lay of the land and then dig in on those that deserve digging in on.

Rick Howard: Once we had the news covered, what sources do we use to keep track of our information requirements?

Rick Howard: For me, I have two go-to sources. The first source is books, and I know that you all are probably tired of me going on and on about the latest Cybersecurity Canon book that I'm excited about. I hear you. I can be a one track record sometimes and I know we are all too busy to read books. Life is busy. Being a security executive is time-consuming and let's not forget that we all have families and other interests that we need to tend to. But here's what General Mattis, the retired United States Marine Corps four-star general said about that. "The problem with being too busy to read is that you learn by experience or by your men's experience, i.e. the hard way. By reading, you learn through other's experiences, generally a better way to do business, especially in our line of work where the consequences of incompetence are so final for young men."

Rick Howard: But if that's too serious for you, how about a quote from my favorite game of Thrones character? Tyrion Lannister. 

Game of Thrones dialogue: Why do you read so much? 

Well, my brother has a sword, and I have my mind and a mind needs books like a sword needs a whetstone. That's why I read so much Jon Snow. 

Rick Howard: Ironic, I guess that he was speaking to Jon Snow, the man who knows nothing. But let me finish with one point made by my best friend Steve Winterfeld, the advisory CISO for Akamai. "Read three books on a subject and you are now the smartest person in the room on that topic" So, my go-to number one source to stay abreast of my information requirements is a book, and the Cybersecurity Canon project is a good place to start looking for your next read.

Rick Howard: And by the way, recorded books count. If I'm walking the dog or doing the dishes or cooking dinner, I'm listening to a book or a podcast because, you know, I don't like to be alone with my thoughts. That's a dangerous situation. But listening to a great book or a podcast while doing chores is a great way to multitask and stay current with the latest ideas in the field.

Rick Howard: And since I'm talking about podcasts, that's my second go-to source of information. The problem is that there are literally hundreds of security podcasts out there these days and most aren't that good. And they generally follow the same tired, two guys and a dog format where a host interviews is one or more people on a topic. They're fine, but you have to find a program that brings value to you. And I am ruthless about trying new podcasts and then quickly getting them out of the rotation when they aren't good. My two favorites right now and have been for the past five years or so is our own CyberWire Daily Podcast hosted by David Bittner, and another news show called Risky Business that is hosted out of Australia. Gary, on the other hand, is a big fan of newsletters and Google alerts. 

Gary McAlum: I have a variety of different sources that I track on. Even when I was working full time or now that I'm on my own, I monitor the news, the headlines. But I get a variety of daily newsletters and executive summaries of different things. I find these are really digestible. If I want to dig more into something, then I can go into the hyperlinks and dig more, but just getting a sense of what's going on out there. 

Gary McAlum: When I was at my former employer, there was some that we did pay for that we would get, I'm a fan of SANS. So SANS sends out a daily newsletter that I think is really good. We paid for IANS Institute Advanced Network Security. I'm a big fan of IANS. I continue to receive IANS updates. I get some military summary newsletters. That has a lot more of the geopolitical things in there, but there's cyber in there as well. I get news summaries from different sources. You can subscribe to some of these media platforms for technology. USA today is a good one, they have a whole technology section. 

Gary McAlum: I love Google alerts. I have a few different Google alerts set up on various terms around cyber, certain type of breach events. It's a really powerful tool and that way, you can get things as they're happening. The challenge with Google alerts is if the term is too broad, you're going to get everything all the time. And if it's too narrow, then you might not get it at all. You got to experiment a little bit with it, but, I'm a big fan of those.

Rick Howard: Dawn prefers newsletters too, but she likes the government-provided newsletters over the more commercial ones. 

Dawn Cappelli: The government has really upped their game over the past couple of years. I get multiple emails a day, I would say between DHS,  CISA, FBI, sometimes NSA, U.S. CERT. I subscribed to all of those government feeds and they've really come out with good information over the past few years that we weren't getting before that. We're a member of the Cybersecurity Collaborative. I'm on their executive advisory board. They send out a daily feed. That's the one that I always check first. Gartner has one that they send out every morning. Wall Street Journal, they have a cyber feed now and they're sometimes has more of a business focus, which is interesting. There's a CIO feed from the Wall Street Journal. 

Dawn Cappelli: I like to mix it up and read different feeds different mornings so that I'm getting a good wide variety of perspectives throughout the week. I don't go out looking for things. I just start with those daily emails cause I figure someone else already did the legwork of looking across the internet and figuring out what happened yesterday and overnight, so I just use their expertise.

Rick Howard: And there you have it. I treat the entire CxO professional development process as my own personal intelligence collection exercise. I first identify the things I think I need to be smart about and then I seek the sources that will provide me the most value. For me, it's news, executive summaries, books, and podcasts, but for Gary and Dawn, I think they prefer the newsletter format.

Rick Howard: And that's a wrap, not only for this episode, but for the entire season. We've covered security in different verticals, and specifically talked about finance, healthcare and energy. We talked about new responsibilities that CISOs are taking on, like securing the IOT environments, running the organization's identity program, and new ways to think about securing the supply chain. We finished up with some basics about how CxOs buy security products. And finally, with this last episode, we talked about CxOs staying current in professional development. Our next season, season six, will begin on 19 July, and everybody here on the CSO Perpectives staff is busily working on that. I think I'm going to try to sneak some vacation in there, too. AirBnB, get ready, the Howard's are about ready to invade your home. 

Rick Howard: But as always, if you agree or disagree with anything I've said or anything, our guests have said on this episode, this season, or all seasons hit me up on LinkedIn or Twitter and we can continue the conversation there. And one last note, thanks for listening everybody. All the feedback I received since we started this thing has been very helpful. As I said in this episode, we know your time is precious and there are many information sources that you can choose to spend your time with. The fact that you are still here listening to me blather on about my pet peeves, the Cybersecurity Canon project, first principles, and all of that stuff during an international pandemic is quite humbling. On behalf of everybody here on the CSO Persectives team and the CyberWire, we thank you. And we will see you here again. Same bat time, same bat channel in July.

Rick Howard: The CyberWire's CSO's Perspectives is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And, I am Rick Howard. Thanks for listening.