Special Editions 10.29.24
Ep 78 | 10.29.24

Solution Spotlight: Cultivating cybersecurity culture.

Transcript

Dave Bittner: Hello, everyone, and thanks for joining us for this N2K CyberWire Special Edition. On today's episode, our own Simone Petrella speaks with Chris Porter, Chief Information Security Officer at Fannie Mae. They are discussing "Cultivating Cyber Security Culture and Talent". [ Music ]

Simone Petrella: I want to kick off with maybe just letting you share a little bit about yourself and your journey into the role of CISO with our audience.

Chris Porter: Yes, certainly. And I would say it's been quite an interesting path. And I'll go back to college because I think that helps set the scene a little bit on how I got to where I am today. I started off as premed when I came out of high school, and unfortunately I met organic chemistry and some other --

Simone Petrella: Man --

Chris Porter: -- of the classes in college --

Simone Petrella: -- I feel like that is the downfall of all premed is organic chemistry.

Chris Porter: Yes. And I joke today that I think that it saved lives, me going through that class probably, so. And so I bounced around for a little while during school. At one point I moved from premed to sports medicine. I was an athletic trainer for the women's soccer team for a summer, and then I moved over to the men's and women's swim team. And at that point, I had started majoring in psychology, kind of realized that I wasn't going to make the money that I was hoping to make once I got out of college, and so I kind of pivoted to economics, where I ended up having a double major in economics and psychology. But the entire time, though, I was always a computer guy. I grew up with computers, I used them all the time. On my hall during my first year in college like everybody would come to me and ask how to do certain things because I just had a knack for them. But I didn't think about computer engineering or anything like that when I first went to school, because my thought, back then at least -- I mean this was a long time ago, was that the computer jobs were working at Radio Shack and being surrounded by hardware; not that there's anything wrong with that, but that's generally what I thought about at the time. And so I sort of bounced around a little bit. I came out of school, I worked at a small startup in Charlottesville, which is where University of Virginia is; I worked there for a year. I went and became an economist working for a small beltway bandit, and did risk analysis for utility privatization. So I would travel around the country looking at whether or not they should take their water, or sewer system, or electrical system on a base and privatize it. And so that's where I first got my view into what risk management actually was and like the tradeoff choices and decisions around those kinds of things. 
But I'll tell you, the biggest thing was like I took a pivotal trip to visit one of my best friends who went to Virginia Tech -- and, you know, again, that's -- there's nothing wrong with that, as our rival college. But he was working some -- for a bunch of companies in Silicon Valley. I toured with him and, you know, saw the sought. I think he was at Cisco at the time. And I was just like really enamored with the energy that was out in Silicon Valley, and, you know, how technology was so different than what I had thought it was. And so as I flew back from the -- San Jose I think at the time, you know, I sort of made a choice in my mind that I was going to move over to IT. And so that's where my real experience started. I went found a job working for a help desk at a law firm in DC, learned infrastructure, moved to New Orleans, followed my now wife down there when she went to graduate school, and I worked for LSU Health Sciences Center doing sort of a jack of all trades help desk support, and network engineering, and infrastructure support. Came back to the DC area, worked as a security consultant for TrueSecure, which was a small startup. It ended up becoming CyberTrust and then got acquired by Verizon. And so for several years I worked as a security consultant. Funny enough, I was a security consultant for Fannie Mae for several of those years. And so it's kind of a weird, interesting sort of pivot to what I'm doing today compared to what I was doing, you know, close to 20 years ago at this point. And I also did research at Verizon. So for several years I was one of the lead researchers and writers of the Verizon Data Breach Report, so this was from like the second report, so '08/'09 through when I left in 2015. And so I did nothing but study cyber incidents. Came up with a framework to analyze cyber incidents, studied all of these forensic reports. 
We created a cyber intelligence center at Verizon at the time leveraging information from those reports and, you know, really got an understanding of like how companies could improve their cybersecurity. And then that's where I took the jump, became a deputy CISO here at Fannie Mae back in 2015, and a year later got promoted. And so, you know, I've been at Fannie Mae this coming January will be ten years, and in April I will have been the CISO for nine years. So it's kind of like I'm in my fourth or fifth CISO life here at Fannie Mae.

Simone Petrella: What an incredible journey. And as unique as your story is, I think it's more common than we give ourselves credit for when we talk to people in leadership today, because there was no cybersecurity degree program, there was maybe computer engineering. How much do you think that the background that you've had majoring in economics and psychology, and some of the work experience you gained before you fully made the jump into IT and then into security shaped your perspective now as a CISO and how you think about not only your own path, but then maybe some of those who are the future talent coming into cybersecurity?

Chris Porter: Yes, certainly. And I see today that there's a lot of talent out there that isn't in traditional computer science/computer engineering backgrounds. A lot of the sort of major programs that are coming out, they're all founded in a data science/data analytics kind of background. So I do a lot of work with the University of Virginia, the McIntire School of Commerce down there, and they have an entire program around data science. And you know, the skills that you learn there on data science are incredibly helpful when it comes to any sort of, you know, IT and technology job that's out there. You're learning how to code, you're learning how to manipulate data, you're learning how to get insights from data, and that's a lot of what we do in technology today are those kinds of things. But you said something interesting about like my background as with economics and psychology, you know, today that background would actually be the whole field of behavioral economics, and the whole like thinking fast and slow when it comes to like Kahneman and Tversky and some of the books that have come out since then. But there's a whole lot of sort of psychology and economics baked into how we do cybersecurity today. So when you think about phishing messages, and the cognitive bias, and the availability heuristics around clicking on links, and you're doing so without thinking about it because you're not taking the moment to say, "Hey, wait a second, should I click on this or not," you're just in auto drive as you're like doing your emails, that is a huge psychology and economics -- behavioral economics kind of issue. Like how do we slow people's thought process down just enough to where like, "You know what, I shouldn't open that attachment because it's from some weird name, and I should -- I've never received an email from that person." 
So there's a lot of psychology that comes into what we do in security today, especially when it comes to the integration of like business and security together.

Dave Bittner: We'll be right back. [ Music ]

Simone Petrella: One of the things that I think has been really interesting in 2024 is that this is the year we finally have data, staying on the data science theme, on the workforce, on the cybersecurity workforce that shows that demonstrably cybersecurity employers are unable to find experienced workers, and yet new cybersecurity workers can't find their first job. And we've intuitively been saying this now for a number of years, but we actually have looked through the job data. Seven percent of jobs posted for cybersecurity work are currently requiring two or less years of experience; 77 are requiring, you know, over -- 77% are requiring over that amount. And ISC2 just released its first look for its annual workforce study and found that this is the first year that the global workforce in aggregate has actually stagnated. And it's actually kind of tapped out compared to large growth numbers year over year. I'm curious what your take is on that. Is that something that you relate to in your role and you're seeing play out, or are we over -- you know, are we kind of overstating the issue?

Chris Porter: No, I think that that is an issue. You know, when you look at -- trying to remember the most recent sort of supply/demand statistics out there. You know, you always see these numbers out there that there's 3.4 million cybersecurity jobs that are unfilled. And then as you mentioned before, you know, it's hard for the folks who have less experience to get that first job. And I think that's partly due to the pressure that is on organizations to meet their cybersecurity requirements and meet the sort of -- the threats that are out there, right? Like you constantly have this educated, unyielding threat environment of nation-state, organized crime, individual, you know, attackers that are constantly hitting organizations. And on the other hand, you need to have seasoned cybersecurity professionals that can come in to kind of meet those kinds of challenges. And then I think on top of that, you know, you've got different digital transformations that are going on across lots of different companies where there's a massive skill set shift from your traditional cybersecurity skill sets into more developer-like skill sets for cybersecurity engineers, where it's a lot more about -- in cloud about integration, and engineering, and security as code, compliance as code, and all of those kinds of things. And so you've got this -- like these sort of skill set pieces where you have to do both during the transition, and you have to build the skill sets to be able to meet the demand of the IT infrastructures that we're going to be having over the next several years, all the while having all these new challenges that are coming up, right, Quantum; like Quantum is going to be a bigger problem -- or an earlier problem than what we probably thought five or ten years ago, GenAI and like all the value that businesses can get out of GenAI that how do you secure the GenAI that your company's wanting to use to create business value for their customers or for internal efficiencies? 
And so you're constantly trying to defend against -- I think this is -- actually just reminds me of something. Dan Geer, who's one of the, you know, huge cybersecurity, you know, wisdom guys over the years, had mentioned something about the asymmetry that comes with cybersecurity, and that we have to protect against all threats that have ever had, all threats that are happening today, and all new attacks that might be happening in the future that we -- or don't know about, and the bad guys only have to be right one time. And so that's the field of play that we're in. And so I definitely understand the challenge. There was also recently -- I think it's Daniel Miessler who's a cybersecurity guy that's on Twitter and has his own little company, puts out some different information and different newsletters. He actually had a recent discussion just on this very problem around talent shortage and things like that. And he came away with a couple of different interesting takeaways. One is that applicants don't have a lot of the skill sets to do the work, what you just described, right, "Hey, we're looking for people that have five plus years of experience." You know, that's because of the challenges that are out there. Few companies have the resources or are looking to train new hires on these things. And you know, that's -- it's more apprenticeship like training, as opposed to like, "Hey, I can go build the talent, you know, early on and then kind of move them along." Another one was around just like recruiting in HR. You know, the entire process of like matching skill sets with sort of the middleman/middlewoman HR role also makes it very challenging for hiring managers. So that whole process makes it difficult as well just in, you know, how do you simplify in a way so that you can, you know get the right sort of folks in? But I do think it's a mindset change. 
You know, we generally have an associates program where we're bringing in new talent every year and finding the right roles for them to be able to learn and grow within the organization, and then moving them around to the right thing. So like, one of the things that my team is focused on this next year is like developing a very specific cybersecurity associates program to do just that, kind of build a general skill set so that we can find the right roles for them and kind of fit people in, and then help them grow with those kinds of opportunities.

Simone Petrella: And what's incredible to hear about a program like that you're building is you're embracing what is a long-term approach, because you have to grow the talent, to what you described at the beginning, which is we have this short-termism because the problem is right in front of us today. And we as an industry, as a profession, we're kind of stuck in this catch-22 because you need the experience, talent in order to resolve those threats that exist today. But, you know, I sit here and I look and I'm like, you know, "This experience talent is going to start to age out anyway. So if we don't actually solve the bottleneck that we've created in the middle, we're going to actually be in a worse place, you know, five, ten years down the road as we progress in this space." The other thing that kind of strikes me as you bring up kind of, you know, those that are resourced and kind of putting these programs together, there is this dichotomy -- I don't know if this is something you've seen in your peer circle of CISOs, that you know, those companies that are most situated or have the most resources to build these more long-term programs are also the ones that don't necessarily have to because they can afford to pay the salaries to attract the more experienced talent.

Chris Porter: Yes. There's a whole concept out there. And I can't remember who coined this over the years, but the "cybersecurity poverty line". And it's essentially this line where the more resourced companies had the ability to have the more mature security programs, the more -- as you mentioned, you know, hire the more seasoned veterans in the space, and be able to manage their threats in a different way than those below the poverty line who, you know, may not have a CISO. They may barely have a handful of cybersecurity people, you know, to even handle it, the issues at all, or it's just an IT engineer that has security responsibilities. And that is a challenge, right? And you know, one of the ways to kind of look at this in some ways is a lot like the more -- the larger companies that are above the line, you know, they generally have to do business with those below the line. So then it just becomes third-party risk for -- sort of fourth-party risk. So you end up dealing with the issue overall anyway, except then you have different kinds of problems that come out, right? Now your regulatory pressure on the requirements that you put on your third parties, you know, then, you know, basically, you know, elevates what kind of third party you can do business with, and then you lose out on working with smaller businesses and those that might be further down in the -- below that security poverty line. So it's one of those challenges that everybody's kind of working through trying to, you know, protect your company, because ultimately that's our responsibility as CISOs and cybersecurity professionals, but how do you also protect your ecosystem, your industry, and those kinds of things as well?

Simone Petrella: Yes. Maybe we should coin a new term here today about the cyber talent inequity gap, or the inequality gap; because what I think what you're describing is a version of that playing out with poverty, right? So those who can have the talent do and those that can't are just kind of trying to muddle through with maybe a couple IT folks that are also there for security. How do you think -- in your role as a leader and having, you know, been with your organization for a long time and been in this profession, how do you think about the skills that not only individuals but your team needs to execute on a security strategy?

Chris Porter: Yes, I mean, I think one of the, you know, big skills is, you know, you have to have leaders that have curiosity and that are willing to, you know, ask questions and kind of get down into the weeds. You know, I try to find folks that are sort of player coaches; so not only do they have the experience of like sometimes doing the work, but also the ability to coach those that are now doing the work. And those are hard, right, to find the right skill sets of people who have the technical acumen, but also the -- sort of the leadership capabilities that they've built themselves over time. And you know, being a leader is a choice. Right, you have to choose to develop yourself as a leader to learn new ways of managing people, and building strategies, and those kinds of things. It's a very different skill set than it is to go learn a technical skill set. "Hey, I want to go learn cloud security in AWS and go get my security architecture, you know, certification." Yes, you can go do that, but it's harder like leading a large diverse group of individuals and trying to get everybody moving in the same direction and holding all of them accountable for that. So it's tough. But I will start with, you know, aside from like finding the right kinds of leaders to help lead, I grew up playing team sports. And because of that, that's kind of the mindset that I bring into how I lead my organization, but just in general. And you know, so you want to have people that can play the right roles, you know, the right positions. You want people to have high psychological safety so that they can raise their hand and say, "Well, you know, I've got some experience in this place and have you ever considered this?" And then you still need to have people on the team that are willing to accept that advice or answering that question. 
And that's hard, right, like you have to have a team and you have to build this sort of dynamic where people are okay getting some type of constructive criticism or advice and those kinds of things. And that's also tough. But that's one of the challenges of being a leader and running a team. And I kind of go back to when you think about team sports also, you think about different kinds of sports where like hey, you have a superstar like a LeBron James in basketball. And you know that with that person, like you're going to be able to go really, really far, you can make it to the playoffs or whatever. And that would be something that's called a "strong link sport", like the stronger players you have, the further you can go; versus what I think cybersecurity is, which is more of a weak link sport. It's probably a lot more like American football or soccer, right, it's, you know, you're only as good as the weakest part of your team. And so like in those sports, hey, if your, you know, left offensive back is weak, then that's where you're going to get attacked all the time. And you'll see that, especially in a soccer match, you'll just see them going after that part of the field over and over again. Similarly, in American football, you know, if they know that the cornerback just sprained his ankle and, you know, is limping around out there and they've got them in a one-on-one position, boom, it's over, and they will just go over, and over, and over again. And I think that's the same thing when it comes to cybersecurity. You know, we have to be able to raise like the boats and skill sets on everybody on the team, and we've got to try to eliminate those weak links, not just in technologies and processes, but also, you know, in the people space, too, we've got to improve that across the board.

Simone Petrella: I love the team sports analogy, but in full disclosure, Rick Howard and I have a whole article and an episode we talk about how cybersecurity is like Moneyball in baseball; [laughs] because for this exact same reason twofold, one, you know, you're dealing with a limited budget and so if you can't afford to have the Yankees', you know, salary opportunities, then you're going to have to kind of play the Oakland A's and figure out how to just get to the most important metric and get on base. But one of the things that I think is so interesting about all these analogies is how few times we in the security profession -- I've been a consultant and have worked in retail and -- like I've done all those things, too, and sometimes we haven't really done a great job of defining what we think the position on the field is, and then all of a sudden we're surprised when you put a player in the position and all of a sudden we're like, "You're not doing what we thought you would do," and it's like, "Well, no one told me what it means to be first base, or second base, or, you know, running back."

Chris Porter: No, I think you're right. I mean, and I -- but I also think that the dynamism of cybersecurity is that like you can put a player on the field and the field changes while the position is there. That's one of the big things about -- that's different, I think, in our area is that, you know, I could wake up tomorrow and there's going to be a brand new kind of attack that I have never heard of before, and we have to somehow within a few hours protect the company against it. That is unlike most occupations out there, right? And I think that's one of the things that I find that I love about cybersecurity where I have passion around it is that you have that kind of continuous learning opportunity where you're always learning, you're always working against some type of active adversary. And it's, you know, this tit for tat kind of thing, right, like you're trying to get better constantly, trying to shore up your weaknesses all the time, and then you're trying to like look across the field of vision and try to predict in some cases what those changes might be. And I think that's the biggest difference, right, as I mentioned, like sometimes it's -- you're right, like what I think I need isn't what I need, and so you just have to be able to, you know, quickly learn from that, and pivot, and fail fast, and all those clichés around that kind of thing, and just keep moving, as they say.

Simone Petrella: What's -- final question here, what's your advice, then, to those who have organizations who are dealing with this constantly dynamic threat landscape where the field is changing? How do we think about creating programs to kind of have the right people, and get them into the field, and grow them, and attract and grow those skills that we need to kind of just be resilient in the face of an ever-changing threat landscape?

Chris Porter: Yes, I mean, I think it's the -- finding the right sort of archetype of a person that can help you with that; so like as I mentioned earlier, when I try to find leaders that are curious. Like the other kind of leaders that I like and even, you know, folks on the team or what I call "thread pullers", right, like -- because a lot of cybersecurity is around like just pulling threads, "Hey, I see this thread over here. It's really weird. Here, I'm going to pull this and see where it goes," and like following it to the end and be like, "Oh, do we have an issue here? What do we need to fix? You know, how do we get in our backlog and start working on it?" And I think if you find the right people that are curious thread pullers and are willing to have that sort of continuous learning mindset, then you're going to be able to find the right people to like run those teams, because they're going to be eager to learn, they're going to want to learn, they're going to want to, you know, kind of figure stuff out. I think the other piece is, you know, just like we as a community have to continue to educate our next generation of cybersecurity engineers, analysts, et cetera. I mean, this is one of the reasons that I, you know, am -- work with the University of Virginia in the McIntire School of Commerce. In fact, I think this next Monday, I'm actually going to be speaking to a class in the afternoon, and it's about cybersecurity, and the challenges, and those kinds of things, to kind of help them get a view of what those kinds of things are. And I think that's just something that we all have to commit to is how do we educate the next generation to make it better and then also find ways to give opportunities to those as they're coming up, you know, from the ranks.

Simone Petrella: Well, Chris, thank you so much for joining me this afternoon. Really appreciate your time, and thank you so much for your insights.

Chris Porter: You're welcome. Take care. [ Music ]

Dave Bittner: Our thanks to Chris Porter, Chief Information Security Officer at Fannie Mae for joining us. That was N2K's Simone Petrella on the mic. Thanks for joining us. We'll see you back here next time. [ Music ]