Special Editions 9.1.24
Ep 71 | 9.1.24

The impact of CISO Circles and cultivating a security culture.

Transcript

David Bittner: [ Music ] Hello, and welcome to this CyberWire special edition. On today's episode, N2K CyberWire's executive editor, Brandon Karpf, sits down with Danielle Ruderman, Senior Manager for Worldwide Security Specialists at AWS, and Adam Mikeal, Chief Information Security Officer at Texas A&M. They discuss CISO Circles, security challenges faced in higher education, and fostering a culture of security. The group got together at the recent AWS re:Inforce conference. [ Music ]

Brandon Karpf: [ Music ] I am here today at AWS re:Inforce with Danielle Ruderman, Senior Manager for Worldwide Security Specialists, and Adam Mikeal, the Chief Information Security Officer at Texas A&M. Danielle, Adam, so great to have you on the show.

Danielle Ruderman: Thank you. Very happy to be here to talk about the CISO Circles.

Brandon Karpf: Thank you for having me. So, yeah, as Danielle mentioned, we're here to talk about CISO Circles. We're here to talk about the senior security executive community, you know, peer learning, peer learning opportunities, the things that CISOs like Adam here are concerned with, are focused on, and are trying to -- areas they're trying to develop in as a community. So Danielle, could you give us a sense of the CISO Circles? What is a CISO Circle? How does it play out in reality on the ground? What's the value there?

Danielle Ruderman: Sure. So the CISO Circles for AWS is a mechanism that we created for us to connect our AWS security leaders and our service team leaders directly with our customers, but directly with our customers in different countries. Right? We really wanted to make sure that we were taking our leadership out to where the customers are, and this was really intended to be a trust-building activity. We wanted to learn from our customers, but we also wanted to create a space where our customer CISOs could interact with each other, because that's really where the value comes from: hearing these conversations from CISOs in different industries, different businesses, all being able to come together, and it's intended to be a learning opportunity, right? So the CISOs do learn from each other, and we're there to listen and be part of the conversation as well. And the big thing is that we do prioritize open discussion, and we make a really big point about this. As I know, Amazon does a lot of conferences. We're here at re:Inforce, right? We're used to kind of getting up on stage and presenting and talking, but in that environment, right, it's closed door, Chatham House rule, NDA, and it's a real opportunity for people to be very real with each other. You know, talk about the real issues we're facing, and for us to share roadmap information, what we're thinking. So it's intended to be a very collaborative, safe space, and I'm hoping we have achieved that for our customers.

Brandon Karpf: Well, Adam, curious from your perspective, what are those real issues that you might be facing? And your experience with the CISO circles would love to hear kind of how you've experienced it so far.

Adam Mikeal: Sure. Well, you know, like anything else in our industry, those issues change over time. So I've attended now two or three of the CISO Circle events. Two were these cross-industry ones, where we had CISOs from various sectors, right? And that was a year or two ago. So the most recent that I've attended was one that was focused on higher ed specifically. And obviously, that being just in the past six months or so, generative AI came up, security around AI and machine learning, how we deal with the contractual issues that arise there. We talked about cultures of security, and how we build that within our organizations. And also, higher ed tends to lag a little bit behind a lot of other industries in terms of how we adopt new technology, so some of us are still dealing with issues of adopting cloud technologies, right? Things that might be more common now in certain industries are still something we are moving into, cloud-native applications, things like that.

Brandon Karpf: I'd be curious, Adam, to pull the thread a little bit on what you just said, because, you know, you shared that you did host a circle at Texas A&M recently. And as someone who's worked in higher ed myself and been around that world also, higher ed's mission has nothing to do with technology, right? Organizations tend to not focus on, you know, the security enterprise and the IT enterprise. And so you're working for an organization that's typically pretty focused on the students and, you know, the research part of the organization, if it's a research institution. So I'd be curious about your experience in that environment, how you've addressed security, how you've brought that into the community, into the culture. And then also, lessons learned from the CISO Circle that you hosted at A&M.

Adam Mikeal: Right. Well, so, yes, you're right. Technology isn't the focus, but like any other large enterprise, right, effort in 2024, you can't accomplish the things we want to accomplish in higher ed without very strong technology as its foundation and the infrastructure. And we are a very high research activity institution, $1.4 billion in research expenditure annually. We have a lot of students. We're right now, I think, maybe the largest public research institution in the United States by student enrollment, 78,000 students this year. And that's just on our, you know, main campus. Yeah. So when you deal with that scale, you have to have technology to enable the things you want to do, even basic things, like teaching in the classroom, dealing with student enrollment issues, being for, you know, student, the scheduling problem of 78,000 students across multiple thousand classes and sections in hundreds of individual rooms on campus in the various buildings. That's a big problem, right? And being able to handle that requires a lot of technology infrastructure. So some of that's in the cloud, some of it's on-prem. We are constantly evaluating and looking at where is it appropriate for us to move to cloud workloads? Where do we need to keep things on-prem? And none of that even speaks to the research technology. Conducting research in any field, any field in 2024, it doesn't matter if it's, you know, computer science or if it's physics or chemistry or even English and the humanities, it is conducted with technology. And sometimes machine learning, lots of data science, lots of, you know, data that supports whatever we're investigating. And that requires a lot of technology, right? A lot of storage, a lot of compute. And so we're constantly trying to figure out how do we provide that to the researchers? So our researchers can purchase cloud computing services from us through the main technology organization.

Brandon Karpf: So you've also mentioned this idea of a culture of security. So I'm curious, Danielle, in your experience running CISO Circles and really managing this program, this global program at AWS, how do you see this idea of fostering a culture of security? How do we do it as senior security executives in an effective way?

Danielle Ruderman: Right. And I'll tell you a little bit of background. So the idea of a culture of security has been something that's been talked about at Amazon and AWS for a long time. Security is our top priority. And we've heard these stories and had these customer meetings, and so we decided to offer this to the CISO Circles because it's just, over time, something that's really resonated with customers. And the whole premise behind this, I want to give you, like, this idea: the phrase "culture of security" we use very deliberately instead of "security culture." Because culture of security is the idea that security is a priority for everybody in the company, right? Everyone. Whereas when we say security culture, we're talking about the culture of your security team itself. And both these things are very important. But when we say culture of security, we mean, hey, you as a security leader, security owners, how are we scaling that responsibility out to the business so that security teams can do more with less? And that's really why the topic has resonated, especially today, is I haven't met a CISO or security team yet that feels they have enough resources.

Brandon Karpf: Sure. Yeah, of course.

Danielle Ruderman: And so a lot of these concepts and these mechanisms that live within that idea of culture of security are ways for CISOs and security teams to really push that responsibility out to the business and find ways to partner so the security team can really be a partner and enabler to the business.

Brandon Karpf: And your experience, Adam, in kind of incorporating that, I mean, how do you see that idea of a culture of security?

Adam Mikeal: Yeah, I completely agree with that formulation. You know, our security team, clearly we have our own culture and I work hard to develop that. But the difficult part is getting those ideas and beliefs and the things, priorities, the things that are important to us. How do we translate that back to the rest of the IT organization? Much less the rest of our entire university as an organization, right? So just starting with the idea of getting that culture of security to the rest of IT. We're under 10 percent, right, as a security team of the overall IT professionals within our university. There is no way we can accomplish all the things that I want to do. I can't move the needle on security within my organization if the only people thinking about security topics are my employees on my team. I have to get that idea. I have to get that culture moved out into the rest of the technology organization. And so that's definitely on my mind a lot. And being able to talk about how you accomplish that [ Music ] with peers and learn from things that have been successful for them, that is very valuable. [ Music ]

Brandon Karpf: We'll be right back. [ Music ] Now, Danielle, you hosted a panel here at re:Inforce and, you know, related to this topic we're discussing right now, the security -- the culture of security. And, you know, it struck me that on that panel you had someone from financial services, you had someone from AWS. Here on this discussion, we have you, Danielle, from AWS, Adam from higher education. So, you know, inherently, we're building these cross-industry connections. So I'm curious as to your perspective there and how you've approached that. It seems very intentional that you're building these cross-industry connections and global connections in this CISO network. Can you talk to that a little bit?

Danielle Ruderman: Sure. Right. So the first question about this cross-industry collaboration is we actually started the CISO Circles that way because we started as a very small, scrappy program, inviting CISOs who were interested in this format. We just ended up with this cross-section of individuals. And over time, we've asked, like, we asked the attendees, would you like to have a CISO Circle where it's just one industry or do you prefer it this way? And what we've learned is, by far, the preference is to mix different industries together. We have some really interesting stories where different industries have learned from each other. In one case, actually recently in a circle in DC, we had a media and entertainment customer and a financial services customer who struck up a conversation. And it turned out one of them had solved a problem that the other was trying to solve. And so they went off and shared knowledge together, again, two completely different industries. I talked to another CISO who was a pharma executive, and she said that she struck up a conversation with an automotive CISO. And by talking about how the automotive CISO secures the supply chain for their manufacturing, she was able to rethink how they secure the production line for their drugs, the drug manufacturing.

Brandon Karpf: Wow. Okay.

Danielle Ruderman: And she said, I never would have thought about doing that if I hadn't talked to this person from a completely different industry. And if you think about it, in security, we like to segment sometimes our ISACs and our security groups by --

Brandon Karpf: Yes.

Danielle Ruderman: -- different, right? We want to --

Brandon Karpf: Yep.

Danielle Ruderman: -- keep the likes together.

Brandon Karpf: Totally.

Danielle Ruderman: But there's definitely an opportunity to bring together different industries to learn from each other. You know, and for us, we're bringing together customers of AWS who can, how are you using AWS in your industry, and maybe I can learn something from that. Having said that, we do have a few industry-specific circles. So I think occasionally doing those is helpful. So you get a chance to talk to your peers about those issues that are very specific to say the energy industry or the auto industry. But then having the opportunity to also do the cross-industry collaboration, I think we honestly need both.

Brandon Karpf: Right. Right. You know, I'm glad you brought up the ISACs. It's exactly where my mind was going, of how we have pretty stovepiped-by-industry ISACs in this community. But there does seem to be inherent value in cross-industry collaboration, global collaboration. Adam, is that something that you've been able to leverage in your role at Texas A&M? I'm curious to what extent higher ed's been able to learn from healthcare or financial services or other types of industries.

Adam Mikeal: I think generally higher ed's not great about learning from other industries. We tend to be pretty insular.

Brandon Karpf: Okay.

Adam Mikeal: We, you know, there's -- whether we admit it or not, I think there's a culture in higher ed that tends to think that, well, you need to be in higher ed to understand higher ed problems. And I think that's short-sighted. I have learned a lot from my engagement with CISOs in other industries at CISO Circles, for example. And so, yeah. I have opportunities to interact with higher ed CISOs. We have our own industry, you know, conferences and organizations. There's Internet2, there's EDUCAUSE. That's great. And I would never give those up. We need those. But I think that being able to have opportunities to connect with a CISO or a peer from another industry is very valuable.

Brandon Karpf: So, you know, I want to keep talking along this idea of cross-industry collaboration and global collaboration. And something else that struck me is, we're talking about this at the highest level. We're talking about this at the CISO, the senior executive level. What about pushing that down into the organization? What about talent and cross-industry collaboration and learning at every level of the security enterprise? Is that something that you've seen discussed at all in these circles or that you've considered with some of these industry groups?

Danielle Ruderman: So at AWS, we actually have a sister program to the AWS CISO Circles. It's the Security Builder Circles. So after we found that the CISO Circles themselves were successful, we kicked off exactly what you're saying. A very similar opportunity, but for those within the CISO's team. And so now that's a separate program we run globally as well. And that's much more technical. We get into the issues that more of the builders, if you will, on the security teams care about. And that's where we are also able to bring in, like, our service team PMs and GMs to come sit down with our customers. And that's been a fantastic experience. It's almost like a mini-CAB, if you will, customer advisory board. Because you're getting a group of customers together to talk about something like zero trust, or how are we dealing with ransomware, or how are we doing threat mitigation? And that requires us to bring security executives from multiple different teams together. And now you've got this really cross-functional group having a conversation about a very real-world challenge for a customer. And the service teams are able to learn very deeply, and then the customers are sharing how they're solving for it. So for us, that's been a very popular program as well, in addition to the CISO Circles.

Brandon Karpf: Wow. I could see the power in that potential idea. So, you know, Adam, curious about your vision, you know, what you're focused on leading the Texas A&M security enterprise into the next, you know, this next decade, this, you know, gen AI, data-focused, analytics-focused decade of security. What's your priority? What are you laser-focused on for the next, you know, next set of your initiatives?

Adam Mikeal: Wow. Well, things are changing so rapidly. I think that trust, digital trust, and privacy are going to be areas that I have to really lean into. You know, I think we understand generally how to look at risk assessment and, you know, vulnerability management and mitigation. Can't let up on that. That's not going anywhere, right?

Brandon Karpf: Right.

Adam Mikeal: We've got to sort of stay the course, but we have to back up a little bit and look at the things we're doing from a higher elevation. And, you know, if we stay sort of down at the 5,000-foot level and we're just looking at, oh no, you know, this new CVE just released and we've got to patch these machines, yeah, we've got to do all those things. But when you back up and look at a higher level, the changes that are happening to the cybersecurity field because of AI. Yeah, I think it's going to change the way that [ Music ] I have to interact with my executive leadership. They're not going to be just asking, oh, have you patched? They're going to be asking, are we doing the things we need to do to protect our students, our research data, right, the things that are important to accomplish the business, the mission of Texas A&M.

Brandon Karpf: Danielle and Adam, so great to have you join us. Thank you for being here.

Danielle Ruderman: Thank you. Appreciate the opportunity.

Adam Mikeal: Thank you so much. [ Music ]

David Bittner: All right. Thanks to Danielle Ruderman, Senior Manager for Worldwide Security Specialists at AWS, and Adam Mikeal, Chief Information Security Officer at Texas A&M, for joining us. Our CyberWire Executive Editor, Brandon Karpf, hosted the conversation. Thanks for listening. We'll see you back here next time. [ Music ]