The CISO's changing role with Andrew Wild
Dave Bittner: [00:00:01:07] Thanks again to all of our supporters on Patreon. The support we receive there helps us provide the daily news that you come to rely on. We hope you'll check it out at patreon.com/thecyberwire.
Dave Bittner: [00:00:14:23] Our podcast team is taking a break this week from the daily news, but don't fret, you can get your daily dose of cyber security news at our website, thecyberwire.com. In the meantime, we've got interviews for you this week: some interesting people we've talked to throughout the year so stay with us.
Dave Bittner: [00:00:36:17] And now a holiday message from our sponsor, Nehemiah Security. 'Twas the night before the board meeting when all through HQ, not a C-level was stirring, even finance was a-snooze. Reports were all stacked in the boardroom with care, in hopes that the members would not pull out their hair. The CISO however, was pacing the ground, mostly because he had no real metrics to sound. And the Head of IT in front of long log reviews, had just settled his brain after full backup number two. When out of the SIEM, alarms started to fly, they looked at each other and did not know why. Away to the reports they flew like a flash, to see which malware showed up as a hash. If only they knew where exploitables lay, and could sort them and treat them in an intelligent way. Showing true business impact and real dollars lost, could cyber finally be a justifiable cost? With Nehemiah Security so ready to assist, converting cyber into dollars is impossible to resist. More rapid than eagles the RQ dashboard it came, instantly upping their cyber risk game. Now dollars, now cents, now recommendations on threats, on exploits, financial justifications. To the top of the budget the CISO's report flew, smart cyber investments now everyone knew. To hear the rest of the story visit nehemiahsecurity.com.
Andrew Wild: [00:02:10:05] I think it's very interesting and we've heard a lot of this across the info-sec space lately about the changing role of the CISO.
Dave Bittner: [00:02:17:00] That's Andrew Wild. He's the Chief Information Security Officer at QTS Data Centers.
Andrew Wild: [00:02:22:17] I do think it's really important to talk about this because it has changed significantly. The role has changed from being really focused on technical implementation of security controls, from being responsible for managing firewalls and overseeing the configuration of intrusion detection and other technology controls, really transforming into being responsible for advising the organization about the management of IT risk. That does, obviously, include, in many cases, the operation of the technology controls, but the focus is really shifting towards management of risk.
Dave Bittner: [00:03:01:05] Yes, I certainly hear that from a lot of people. It seems almost to me like you're a translator between some of the technical people and the higher-ups in the company.
Andrew Wild: [00:03:11:23] Yes. It is an interesting role because there is the need to be able to manage technology and also provide guidance and direction to technologists. However, there is also a need to communicate across a different group of people within the organization. I spent a lot of time dealing with the general counsel's office and speaking with the different lawyers within the organization, the attorneys who are very focused on managing contractual risk to the organization. I spend time speaking with the CFO and the people in the finance organization, talking about financial risks that can result from IT security issues. So it does require the ability to communicate effectively, not only in the technology space but also across different disciplines.
Dave Bittner: [00:03:55:00] Can you give us an idea of how you go about setting your priorities?
Andrew Wild: [00:03:58:17] Well oftentimes the priorities aren't necessarily set by me. I have to react to them. This is a very dynamic world in which we live, and the IT security risks or the cyber risks if you prefer that term, are changing very rapidly. Therefore, in many cases the priorities I set are dictated by the world in which we live. There are threats the organizations are facing, and we know today – and this has been a gradual learning curve for most of us – that we can't rely upon prevention being 100% effective. Therefore, it is an effort to focus on managing risks and understanding the risks, how to prioritize them, and then how to most effectively use the limited resources that we have to try to minimize the risks.
Dave Bittner: [00:04:45:19] And how do you go about doing that in terms of, again, prioritization of the budget and resources that you have. How does that guide your decision making process?
Andrew Wild: [00:04:55:18] Well the reality for me at least is that the priorities are, like I mentioned earlier, are oftentimes somewhat dictated by external driving forces. We hear the term "compliance" and "security" and question whether they're against each other or aligned, however, the bottom line is for most people in the security world, compliance is a minimum requirement, so you have to be able to address your compliance needs or you can't stay in business. That is a driver of priorities is ensuring that we meet our compliance obligations but outside of compliance then we start to then have the ability to look at well what do we believe a threat landscape is. If you look at what most organizations are seeing today, the common refrain is that still the two biggest attack vectors are email and web browsing for an introduction of malware into an organization that will impact the confidentiality, integrity or availability of the organization's information. Therefore, once you get past the fact that I've allocated my resources to be able to meet my compliance organizations, then you have to do the threat assessment of what does a threat landscape look like for this organization.
Andrew Wild: [00:06:03:03] I would say that most organizations are probably focused right now mainly on – and it sounds simple, but it's hard to do – the email-borne attack vector as well as the web browsing attack vector. Those are probably the biggest visibility but then the other priorities have to be on your security staff, which is never as large as you would like it to be. At the end of the day, security is, for most organizations, not a revenue generating function, but a needed cost, so you are not going to have the resources that you would like to have in most cases. Therefore, you have to prioritize and determine what you put where.
Andrew Wild: [00:06:41:12] One of the things that I found effective to do is to leverage a concept of force multipliers. If you don't have enough security people in your staff, what can you do to enlist people, to grow the effectiveness of your organization by leveraging other people in the organization. This is partly done through security awareness, and also partly done by just seeking out people across the organization that have a passion for information security and seeing how you can bring them in and leverage that passion to be additional eyes and ears for what's happening in the organization. It is not just about depending upon your technology solutions to sense and detect issues, it's about leveraging the people in the organizations that are on the systems that are doing their jobs every day to look for things that are unusual and then bring those to your infosec team so that you can then leverage that to go and investigate potential issues.
Dave Bittner: [00:07:38:17] Yes, I think that's a really interesting point. One thing I hear often is the importance of properly setting incentives. I think many of us think of the IT Department stereotypically as them being the department that tells you everything that you can't do. However, if you put in positive incentives for people to be part of the team, which is what it sounds like you're proposing, that can really be a different force in a different direction.
Andrew Wild: [00:08:09:04] Yes. One way that can be handled, at least in the organization I'm in now, IT is separate from security. If you think about it, in general IT organizations and security organizations, while the end goal might be the same, the near term goal is not the same. IT is really all about availability and they'll do whatever they need to do to ensure the availability is maintained and sometimes that does mean telling users "no" because they see that as a threat to availability. Whereas modern day security organizations are really focused on business enablement which is understanding that you are consultative to the organization to achieve their business objectives. You cannot do that by saying no. There has got to be a way to say yes to help them get to the end state that they want. Sometimes it does mean "no, but", you know, you can't do this but we can do it this way which can be effective.
Andrew Wild: [00:09:10:04] There is great value in trying to collaborate across the organization and get that support from different folks around the organization. Sometimes, especially in organizations that have adopted cloud solutions, so you've got that shadow IT function going on. The ability to have that support throughout the organization, because there are things happening that you're just not going to know about, and if you don't have the trust across the organization that if they come to you and someone says, "Hey, you know, we're using this new tool and it doesn't seem quite right." They're not going to come to you with that if they think as soon as you find out about it you're going to go up the flagpole and shut them down.
Dave Bittner: [00:09:48:18] Right. I've heard people say, "I don't get my annual bonus based on my security posture or behavior". For someone who's not in the security department, it's an anchor, it's a drag on my ability to get my work done.
Andrew Wild: [00:10:02:14] There is that view and the way to combat that – and it's a cultural change for an organization – is that there has to be that engagement at the senior leader level. They have to understand the infosec program itself has to be aligned to ensure the focus is managing risk, not just about absolute prevention mindset or a mindset well, you know, this is bad so we don't do this. The program has to be aligned to risk and you have to be able to communicate with the executive staff what the risks are and what the company has put in place to be able to minimize those risks. Because if you don't get the support from the executives, then you end up with your infosec team trying to be a police force, and you can't win that way. If you're going around and policing people all the time, you are not going to get that collaboration across the organization.
Dave Bittner: [00:10:51:22] In the time that you have been in the business, and you have over 20 years' experience in the industry, what are some of the major changes that you have seen?
Andrew Wild: [00:11:00:15] First and foremost, I think this pivot to being risk manager is a significant change. When I came in, it really was about the technology. It was about managing the firewalls, managing the identity systems. And that is still an important component but the transition to focus on risk and the ability to have those discussions at the executive level really has changed things. The programs now are much more tightly aligned to business objectives because those discussions are happening with a vocabulary and a level that are at the senior leader level where they understand the reason why, and they don't necessarily need to understand the technologies behind the risk mitigation but the fact that risk is something they can quantifiably understand. At the executive level, they have been managing risk forever. Some organizations don't manage it well and they don't stay around very long, but the ones that are good at it, they understand financial risk, they understand contractual risk and now they are beginning to understand information security risk because of the changes in that the IT security risk function has now been elevated to that executive level where it's not just seen as the guys in the back room that just configure the boxes to make sure everything is okay.
Andrew Wild: [00:12:15:16] Configuring the boxes in the back room is not going to get it done with today's threat landscape. There has to be an understanding at the executive level that this is a compromise, it's a trade off. We're doing this and we estimate the risk is this and this is how we're planning to mitigate it, but it changes often. And if there's not that recurring dialog at the executive level to have that discussion about where the security program is going, where it is, and where the shortcomings are in the program. If that doesn't happen regularly you're not positioned to really be successful.
Dave Bittner: [00:12:49:07] My sense is that we are at a point where boards of directors are really understanding that this security posture needs to be a part of the organization throughout, it's not just a side organization that keeps the boxes running.
Andrew Wild: [00:13:06:02] Right, and I've been fortunate that the organizations in which I have been a part of recently have been very active and focused in communicating with the boards. You don't expect the board of directors to be the cyber experts, but you do want them to understand it is one of the three principal forms of risk to an organization. There are many but I would bucketize them into IT security risk, contractual / legal risk and then financial risk. And, as long as the board understands that and that they are agreeable to spending time – you usually don't have to ask this, they want to know the information – to get updates frequently on what is the status of the program and get that read out directly to the board. That then makes the executives more comfortable, it makes the board members more comfortable, and it just works better for the organization.
Dave Bittner: [00:13:59:07] That's Andrew Wild from QTS Data Centers.
Dave Bittner: [00:14:05:09] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, check out cylance.com.
Dave Bittner: [00:14:17:16] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.