Security Unlocked: CISO Series with Bret Arsenault 7.30.21
Ep 6 | 7.30.21

Developing Influential Security Leaders: Roland Cloutier, TikTok


Bret Arsenault: Hi Bret Aresnault, Chief Information Security Officer in a little company called Microsoft. Recently I was approached by some customers who were really struggling with the complexities of the security landscape. In particular, just looking for some practical advice. With the increase in threats, with the changing landscape and digital transformation that's going on, people are really trying to understand from experts what they could practically that would actually help them in this new threat landscape we're living in today. And I realized how fortunate I am to have met with some of the sharpest minds on this topic, whether it's competitors, vendors, internal Microsoft people, government people, who all share a vision for a mission how to better protect ourselves. This created an opportunity to take some of those learnings and share them in this podcast series. Hopefully you'll find this interesting. I know I'll learn a lot from it.

Bret Arsenault: Today I'm joined by Roland Cloutier, Chief Security Officer of ByteDance and TikTok. Roland's an accomplished leader and author with over 25 years of experience in the military, law enforcement and commercial sector. He is one of today's leading experts in corporate and enterprise security, cyber defense program development and business operations protection. Roland joined TikTok a little over a year ago. As the Global Chief Security Office he is accountable for leading and delivering security, risk and privacy protection programs for the world's fastest growing social media and video sharing platform. Prior to joining TikTok Roland spent ten years as Corporate Vice President and Global Chief Security Officer and ADP, a global provider of comprehensive and parallel services and human resources management solutions.

Bret Arsenault: Today, Roland and I are going to talk about resiliency and effectively planning for future cyber security demands while security the present, which is one of the primary topics in his book, Becoming a Global Chief Security Executive Officer. Roland, the only problem I have, of course, is had you written this book 20 years ago you could have saved me a lot of hassle, my friend.

Roland Cloutier: Well I had to wait to get all the tips from you, Bret.

Bret Arsenault: [LAUGHS] You like when the truth would serve you better, I love it. Hey, listen welcome to the Security Unlocked, Roland. I'm super excited you're here. Obviously we've known each other for a while, we share experiences all the way back to New Hampshire. For any of you who don't know, it's just an upside down version of Vermont. Super exciting. Well now let's start with your first remembrance of our getting together and then I'll share mine.

Roland Cloutier: Oh, you know, I think this dates back to when you weren't a CISO, I think you were coming out of IT in the CTO's office and I had gone to Redman as a Chief Security Officer for a CISO conference and they were announcing you as the new guy. It had to be like 20 years ago and we hit it off and figured out we were two guys from New Hampshire that made it out and we're doing big things, so it's been a while.

Bret Arsenault: Yeah, it has. Actually, that's funny. I forgot about that. I spent years as a CTO on the product side and then moved over into the operations side, so the industry, the career, the roles, everything has evolved quite a bit. I guess we say we met too long ago.

Roland Cloutier: Very true.

Bret Arsenault: Oh it's amazing. But seriously I mean I've always watched your career even before this when you were at EMC and a bunch of other things. You've done amazing work and I think, like you said, the role of security is so different now than it was a long time ago. There's sort of a common theme about many of the people in security, that are practitioners, have a background either in law enforcement or military and that's similar to you. First, thank you for your service, but maybe a little bit of how you got into security in the first place and what you're doing now.

Roland Cloutier: Yeah, it's funny you say that Bret, and not too long ago it wasn't like that. I mean, you didn't necessarily see former law enforcement in core cyber positions. What I think what makes it so interesting for men and women coming out of the military or government service in this space is really two things, first the fundamental, most of the great practitioners, whether they're former military or government or not, they love what they do. I mean, they have a true passion for protecting their fellow citizens, the world in which they live in. I love service and I love serving others and I think the excitement I get about consistently be able to meet the needs of our general society in this area match up to that career field.

Roland Cloutier: And the second major area is really about the discipline of protection. And whether you're coming from an investigations background or a global protection or the military, you learn core concepts in being able to defend something, whether it's a base or a country or the principles or government. You've learned some real critical skills growing up through that world and you can pretty easily convert those into how you protect a company or how you protect a data center or how you protect an economy, so I think those two things have served me well over time and that's why I think a lot of people are drawn to this career field from government.

Bret Arsenault: Thanks Roland for sharing those two perspectives, I think that's super helpful. A good friend of mine once told me, if you can find a place where you're advocation meets your vocation, you sort of reached the nexus in your life. And so super glad that's worked out for you. I feel as well here that this is a mission, it's not just about the role and so it's great to know that we're doing something good here, which we hope anyway is super helpful. What are some of the skills that you really lean on the most from your time in the service? You think of the juxtaposition of the two things, I'd love to get some corollaries there.

Roland Cloutier: From my perspective it's really super easy. I think first and foremost is discipline. You know, if you're in this business you've got a lot of stuff coming at you, you have to make the decisions, you have to be consistent in the way that you measure and think and execute. You're under a lot of pressure all of the time and that self discipline on being able to prioritize, to be able to breathe, to be able to take that information in and take it one step at a time is super important. And I think I really got that from time in military and government. The second thing is, I was kidding you before, there's some basic things around defending things. We talk about in cyber and information security defense and depth, they had that back in the Roman days, so when you're in the military and you're learning doctrine and you're learning security methodology for defending nuclear assets for a country, you actually learn a lot of those principles and they can just be really reapplied.

Roland Cloutier: And the third thing for me, and everyone's a little different, but I learned leadership. I think as an NCO and I wasn't an office, I was an NCO and was working my way up the ranks and then into Federal law enforcement, you have to learn to lead humans. This is a difficult job. There's never an end. There's always a pile in front of you and you're leading people that want to go up that hill and charge that hill with you and to do that well you have to be educated in leadership. And I think one of the things that I like most about this job is leadership and I'm fortunate that I've had insanely great leaders along the way starting in my time in the military and law enforcement and I've been able to carry that through and help educate others.

Roland Cloutier: A quick side note, a great CISO once told me, we were talking about how to measure your career, and this was probably 15 years ago at least, and he says, "I measure it by the number of CISOs I've placed out in the world." And I've always thought that's really interesting. It's something that I keep in the back of my mind and I think I'm up to something like 19 CISOs that have worked for me in one capacity or another and now are CISOs out in the world. Being able to create those leaders is exciting to me.

Bret Arsenault: No, that's a great way to think about out and it's a great way to measure success, obviously. If I could lean a little bit on that and again in your book, Becoming a Global Chief Security Executive Officer, and you share the experiences of about how to advance the organization's security program architecture and we've talked about that, but we also really talked about how you effectively plan for the future demands of leadership in global security and people talent is a huge part of that. The output that you were just talking about is awesome, but then there's the input and the growing demand on need for skills, so how do you think about identifying those examples of future demands and how you really deal with that?

Roland Cloutier: It really all starts with the business. That's why that play on the words of Chief Security Executive Officer.

Bret Arsenault: I tried to get the enunciation right on executive office, hopefully I didn't miss it.

Roland Cloutier: No, I mean, it's perfect because people give it like that's a weird way to put CISO or C-I-S-O in a book. It's all about how do you impact the business you're serving and that business can be an agency or a public or private company or a school, it really doesn't matter, but the point is you're there in service of a business, some sort of business and what I wanted to be able to document is this concept of business operations protection and being a business security person and ensuring that you have this level of understanding of what you're trying to accomplish through the eyes of the business.

Roland Cloutier: A lot of the book is based on how do you build things that support that mechanism? There are a few areas that I'm obviously passionate about. There's the area of convergence, which means, why have 15 different security groups report into 12 difference sections of the business, up to seven different leaders who all compete for the same budget across the same board and the same risk organization and so on and so forth, so I believe convergence is a mechanism to give transparency to the executive leadership and the board of a company. It enables you to prioritize across all aspects and disciplines of security risk and privacy operations. I would start there.

Roland Cloutier: Secondarily, I think, risk is a big discussion here. Many risk organizations, enterprise risk organizations, but the reality is as a security leader and practitioner we're all in risk. And so how do you formulate a portion of your organization to look at the controls that you've committed to, to the efficacy or your ability to defend those controls and how do you measure, monitor it and measure risk against those to prioritize. Like all of those are important, so I think two big topics for me is always going to be convergence and risk.

Bret Arsenault: It makes sense and I wasn't just jabbing you on the executive thing because I think if you look at the role, ten years or even five years ago, it's radically different and sort of pushing on our New Hampshire heritage and bucolic pictures and you think about the role, the CFO, which was one time an accounting position and now it's a business leadership role. Or the CIO, which is a business leadership role. And security, I think you've nailed it, is really changed in the last, I'd say five years, but I'd love your perspective on when you think it really sort of changed into that view. But on this topic of executive leadership for securities, it is relatively new, I mean relative to being a role of deeply technically people to really evolving to a risk and business leader and what precipitated a lot of that change do you think in the last decade?

Roland Cloutier: Yeah I said you were probably closer with the last five years. I think that's when we've seen it and it's because of the massive impact of major technical disruptions within global ecosystems of businesses. And if you think about any day current business, it is a massive digital ecosystem. You have your supply chain, your software chain, your delivery mechanisms, you can even go to a mom and pop store in the middle of a city in east Kambampoob somewhere and they're actually entering their orders for the week online. This is the way the world has turned to and the larger the organization the more the technology has become the heart, soul and core of how the organization operates.

Roland Cloutier: These disruptions you've you seen, when you see over 50% of the world transport impacted through a cyber attack on a shipping company in Europe. Those are big numbers and so I think people are starting to realize, hey, what do we do if? How does this impact us if? And responsible leaders in executive management in these companies have said we have to have a change. Security does have to a "seat at the table," but we have to have the right people in that seat to be able to truly understand the risk and how we counter that risk.

Roland Cloutier: The other thing is I think education's getting better, Bret. I'm seeing a lot of people come out of these, what used to be technical information security undergrad programs, now with these business impacting post grad programs that you see major universities like Maryland or you see naval post grad. They're turning out not just good technology leaders, they're turning out good business leaders and understanding the business impact, so the level of practitionership is going up, the level of transparency and impact to business organizations is really being solidified through unfortunately real acts that we're seeing. And quite frankly we were some of the founding people. You look at Steve Kay who started one of the first CISOs, we're really the next generation down from that, so this is a short lifespan, we're talking less than 20 years of true executive leadership in this security risk and privacy area, so we're just growing, we're maturing where CIOs, I say, were 10-15 years ago.

Bret Arsenault: Yeah that's a great analogy. And I like your point about the technology transformations regardless of their business. And since you brought it up I'll do a shameless plug for Chutters in Littleton, New Hampshire, the longest candy bar in the world and they actually do their orders online as well. So, if you're in Littleton, go up and get some candy from Chutters. Not many people would know that off the top of their heads, so I figured I would throw it out there. Speaking of northern New Hampshire, which many would consider to be a different sovereignty than southern New Hampshire and Massachusetts.

Roland Cloutier: Above the notch versus below the notch. Very different parts of the world.

Bret Arsenault: Exactly and I've lived on both sides of that notch and I understand, but I think if you take sovereignty beyond the State level and you think Microsoft operates globally, TikTok operates globally, how do you navigate the balance of protecting your customers data and maintaining trust with them relative to the sovereignty requirements because it's so different in Germany, Asia, going to the US, south America and different parts. I'd love to hear your views on that as a person running a large global organization.

Roland Cloutier: So, first you need partners. I mean, you don't do this job alone, you don't do this in the cover of darkness and figure things out. I mean, you need other leaders in the area of privacy, you need leaders in the area of legal and regulatory requirements to help really decipher the daily change in how individual sovereign nations make decisions about protecting their consumers. And really that's all it is. I mean, yes it is about national defense in some ways, but most of these are based on protecting consumers, so you need to understand those first and foremost.

Roland Cloutier: Secondarily, I think a lot of organizations, and certainly we are taking the focus on how do you regionalize the concept. When you think about what was originally GDPR and the move to other things, but how do you start to develop your business in such a way where your data residency, your data management, your data transfer is managed in a regional format. Where you're developing global teams that understand that this is how our business will operate in the future and you're constructing products that understand and operate in that same way instead of just security and privacy and posing requirements on top of products, you have this by design mechanism. Security and privacy by design built into the product with regionality. That's our approach, that's how we're doing, but it takes a lot of partnership and a lot of education.

Bret Arsenault: And it's going to be more complex with the increase in regulatory pressure and a lot of other, like I refer it to digital xenophobia, we have to keep working on how we manage in that world. I love your idea of partnership for sure and I love the regionalization. I think, one of the things for me that's probably most interesting and I think you're uniquely qualified to answer, we really try to drive a culture of security where everyone has what role and what they're accountable for. Not everyone is a security person, but everyone has security as part of their job, and obviously when I think about it, ensuring our developers and engineers are doing all the right things, do you think about your career from tech company, financial company to social media company, how do you think about consistently driving in a culture of security. It's the fifth page in your book on driving accountability, which I love, so how do you think about it across that spectrum?

Roland Cloutier: I think you said it, it's all about the culture, stupid. I mean, that's how it was explained to me. By the way, it's the number one thing that I have to be reminded of on a constant basis. You guys are what in 136 countries or something like that? We're a little behind you, but you're in 86 countries around the globe doing service operations in like 40 something countries and every cutlure's different. So, you have to understand the culture, but the one most important thing that I think that has been able to bridge that gap no matter if it is culture or language or what have you is context. And what I mean by that is if you just explain something to someone like why that is bad if that happens, what could happen, how it would impact the company, the organization, their job and you give you them for instances and they educated on it, they consume that and they want to do the right thing. 99.98% of the people in the world want to do the right thing, so when you educate them and you spend as much time explaining the criticality of what they need to do in that context, they'll do it for you. You can bang them over the head with Powerpoints and click here and fishing tests and validation within the SDLC and you can make them education moments by design integration, but at the end of the day if you spend time with them, person to person, human to human, educating them, they become your best proponent in the company.

Bret Arsenault: Certainly building an army of advocates is a great thing to do go. I try to balance like how much do they need to know about security versus how much do we enable them. Like we say to help developers fall into the pit of success. Like, how do you think about that as a way of thinking about it?

Roland Cloutier: So, I think what you have to explain to them is the downstream residual impact and provide them with the tooling as a mechanism by how they do their job natively. Meaning, if you ask them to go out of their process, if you ask them to go out of their pipeline, you're going to have problems. What are you doing? You're re-engineering the way that a 4,000, 10,000, 50,000 person workforce actually operates.

Roland Cloutier: You have to integrate yourself with their tools teams. You have to have back end integrated applications that provides them with the information within their documentation, within their lanes. You have to do the hard work up front or should I say out back to push it to them, so they don't even know it's happening. You look at some of the cool technologies today that when you're doing in code, prior to submission validation of like the OAS top 20 and pops up in front of the engineer and oh, by the way would you like to take the course. That is fantastic, these organizations that are implementing those or making their lives easier. And when you get into the QA within the CICD pipeline, security becomes an embedded part of how that goes into the measurement of quality within the business. That changes everything. When you go from measuring it as a security flaw to a quality flaw, that's how engineers think, that's how they need to understand it. So, the better a security portfolio can integrate into that engineering concept mindset and just have people inside the organization doing this type of work for you, I think the better you become and the more integrated you become.

Bret Arsenault: I love from the security to quality, I think that's a great way to think about it, for sure. One of the other points, we're going to transition a little here, obviously it's been an interesting year plus with a lot of global situations going on with pandemics, social injustice and all the other components, but one thing that's for sure is that we have a different way of working going forward. Many companies are having a different way. We've learned we can be productive more remote than we were before and still be secure. I'm curious what you personally have learned from some of these recent incidents that have gone on and how you think about securing the new hybrid workplace? Like, it still shocks me today that I look at the data and only 18% of enterprise entities are using MFA as an example. So, how do you think about the hybrid workplace going forward and what are some of the key learnings you've had?

Roland Cloutier: Well not having worked at home for more than two weeks at any time in my life, I did not realize actually the amount my dogs barked, so that was a good learning experience. No, on a serious note from a pure work perspective is a quick reminder, I changed jobs in the middle of the pandemic. It was right at the beginning, actually, before it really exploded. I had a month off, I came back in April 2020 and the world was a different place. So, I actually didn't meet anybody for a year, everything was remote. I didn't have the contacts, I didn't have those personal relationships, so doing that remotely was a pretty big deal for me. Learning how to manage teams, learning how to integrate and really learn personalities through remote mechanisms was new for me. Some people have done that all their lives, but it was certainly new for me.

Roland Cloutier: But when it gets into the context, again, of protection, boy that came interesting. You used to have 400 campuses around the world you were protecting and all of a sudden you had 100,000 end points or 200,000 end points you were dealing with and that becomes your zone. I think the zero trust model has been a big success for us as we think about protecting what really matters most and that's the data. So, how do we put zero trust capabilities, not just inside our product, but within our enterprise itself? As you think about the future of where this is going, some of these concepts of brick and mortar defense and tiered integrated enterprise defense really moves out and potentially these hybrid cloud work environments I think are going to be great. I mean, I know you've been experimenting with them, we've been experimenting with them. How do you get that end point for a user to actually be in a protected cloud context? Data's not leaving the building, so to speak, it's always operating within that protected area. I think the zero trust ability around things like multi-factor authentication on the back end. I mean, certificates are back in a big way.

Roland Cloutier: You know, integrated authentication with PKI infrastructure to do some of these really cool things gives you that high level of assurance and authority, it gives you detailed audit that you forget you can even get out of a system sometime, but not that will provide it for you down to the data element level. I think those are some great things. And listen I look at it like this, our business is going to change every day, every month, every year, we're going to be replanning for the products it's going to deliver, the formation of the type of business we are, JVs, digital ecosystems, so this is just another change in how we need to take a step back, remodel our protection defenses and then go out and retool for the coming year.

Bret Arsenault: Yeah as you pointed out, I forgot that you started there during that period, so not connecting with folks in the normal way or the usual way, the way you used to is definitely a different way of thinking about it. I think for us we've always talked about people being productive and secure and now like in this it's really taught us a lot about what does it mean to be productive, secure and healthy, both physically and mentally and I think that's going to be a big part of how we recalibrate our workforce in thinking about how we can make we can do all three of those at any given time. That will be pretty fun. And as you said, I think a remodeling is the term you used and I'll remember that, but I won't share that with my family. I can't take another remodel.

Bret Arsenault: This is probably the fun part of the podcast, if you haven't had fun so far. Did you take up any new skills or interests during the pandemic? I know you have the Russel Wilson terriers, so I thought maybe you have taken up something new along the way?

Roland Cloutier: You know, I started this new job in building this new organization in the middle of the pandemic. I don't even remember the last year, so no I haven't done anything new. It's one of those things where my bride keeps telling me I need to get a hobby, but I'm not there yet. So, I'm taking ideas and the winner gets a nice TikTok t-shirt, just saying.

Bret Arsenault: Ooh, I'm going to have to do that. My daughter, as you know I've called you for TikTok advice and my daughter's dying for TikTok shirt, so we'll put our heads together and come up with something for you. What book are you currently reading besides Becoming a Global Chief Security Executive Officer and what's one book that you would recommend? And you can recommend that one if you want.

Roland Cloutier: [LAUGHS]. No, that's okay. Let's see this is going to be funny, but I try to when I read a book I disconnect. So, recently I have not been reading business books. I'm on the path of all the James Patterson books right now, so I'm now with Kill Alex Cross, you know a nice crime thriller. My background, I like crime thrillers, so it gives me great for work, I mean, how to investigate things, of course.

Bret Arsenault: I was going to say. [LAUGHS].

Roland Cloutier: But I'm often asked about the different books and there's so many books that practitioners can read that are just fantastic. I'm going to throw one out there that's a blast from the past. I'm not even sure who owns it and obviously I'm in the van in my backyard right now so I can't go to the book shelf and get it, but a lot of times what practitioners ask about is how do I communicate better? How do I explain what I'm trying to articulate about a critical issue? And there's a very simple book. It's a short read. I think it's called, How to Say it with Charts. It's a yellow book and I go back to it all the time out of the thousands of books I have and I say that because it gives practitioners an understanding of the way the human brain works, of how they can look at pictures and images and charts and visuals and consume information. Often times it's hard for us to take a complex risk issue and turn that into an easy visual that a non-practitioner can actually digest and understand especially at the executive level. So, I often tell people that ask that question, go read that book. It's a great way for them to take a second look at how they're delivering information.

Bret Arsenault: That's a great recommendation. I think on that note, that's when you realize you become an editors, it's like you like the USA Today version of giving a pie chart or a graph, right? Instead of the 20 page doc or the RTFM component, so I think it's totally fair though. It turns out good advice from counsel in my house was, you can have 10% of the people understand 100% of your security job or you can have 100% understand the 10% and you'd be way better off in the latter, so start drawing with a crayon more often. I think that's probably a good thing I should keep in my mind myself. So, here's the big call to action that every person on the podcast has to actually answer, this is the practical advice. So tell the audience in priority order, what are the three things you'd recommend security leaders can do today to plan for the future while securing the present? Three things you would tell people to go do after this call.

Roland Cloutier: Okay, number one, value chain risk assessment. Number one thing you can do to understand your business. We talk about this concept of business operations protection. How do you protect a business if you don't know how to make money? If you don't know how they deliver product to market? How they actually monetize things? Go figure that out. Figure out the subsystems and do a prioritized risk assessment in each one of those areas and not only will you secure your business now, but you'll build those relationships and a capability to quickly assess changes in the business for where it's going in the future, so that's number one.

Roland Cloutier: Number two, for executive leaders do a three year staffing plan. I know that sounds crazy, but if you can get a three year view on your business, where we're going to e-commerce, we're going multinational, what have you. Understand the technology areas. And the reason I say this is because the way that you deliver your services are through people, it's through your team, it's through the job families you create, you recruit and you put to market. And so if you still have firewall engineers ones, you're probably a little behind the mark here. If you're thinking about cloud, next generation API analyst defense, if you're thinking about jobs like that, you're probably on the right track. You need to create those position, train the people you have now to be in the those positions and start recruiting down the pipeline two to three years out with universities to make sure you have the right people. So, that'll help you now and will help you in the future.

Roland Cloutier: I think the third is, go back to school. And I don't mean necessarily go back and get a post grad, but education is a life long need. Our businesses change, our worlds change, our understandings change. We all have bias. Take a step back and assess your gap areas and then go take an online course, go take a certificate course, go to a symposium on whatever, it doesn't matter. Go learn something new this year that you can bring back to yourself, to your business and to your team. And I think if you can do those three things you'll be pretty successful over the coming years.

Bret Arsenault: That's a great list. I love and I think on that last one in particular we refer to growth mindset and I think one of the things that is amazing about this profession is everyday you learn something new and much like my math degree, whatever I'm doing now makes me realize what I was doing before seems a lot easier, so basically I means every single time you take a class it just further shows you how much you don't know and then that reaffirms my 16 year old view that I know absolutely nothing. So, I keep pushing down that path of confirming that I know nothing. But I do think that's a great point though and you raise a great thing, you don't have to go to a class, you don't have to go an onprem, you can, but you can also do like a class. I learned the best way to make a sous vide steak on TikTok, so I mean there's a lot of things and different ways you can learn, so I love those three things.

Bret Arsenault: Thank you so much, Roland. Of course, I appreciate the time and the lovely view you have that will help a lot of our listeners, I hope, be more effective and practical and great security leaders, executive security leaders.

Roland Cloutier: Well Bret thanks for the time and I really appreciate having the chat with you. It's always fun and remember you too can always make TikToks to impart your knowledge on all of us.

Bret Arsenault: We should follow up. I should go do that. Get a little more learned in this space. Maybe that's my learning to go do. I appreciate it.

Roland Cloutier: Alright, thanks Bret.

Bret Arsenault: Yeah take care. Have a great day, good to see you.

Roland Cloutier: You too.

Bret Arsenault: Thanks for listening. I look forward to our next episode and remember, stay safe and stay secure.