Dan Blum is an internationally recognized expert in security and privacy. He is also the author of the book Rational Cybersecurity for Business. On this episode of IT Visionaries, Dan has an honest and thoughtful conversation on why the role of chief information security officer is often buried within IT departments. He also discusses the importance of buy-in among leadership and why zero trust is often not the best answer for every use case. Enjoy this episode.
IT Visionaries is created by the team at Mission.org and brought to you by the Salesforce Customer 360 platform, the number one cloud platform for digital transformation of every experience. Build connected experiences, empower every employee, and deliver continuous innovation with the customer at the center of everything you do. Learn more at Salesforce.com/platform. This podcast is created by the team at Mission.org.
Welcome to another episode of IT Visionaries. I'm Ian Faison, host of IT Visionaries, and today we have a special guest. Dan, what's going on?
Well, I'm hanging in there through the same pandemic issues that everybody is undergoing these days. But as a security consultant and author, I'm pretty much, in many ways, just living my normal life. Telecommuting and all that is nothing new to me.
Yeah, I know. It's funny how, you know, we've talked to some guests who are, like, you know, going to the office every day, and then other guests who, it's like, well, this has pretty much always been the case, just the family's around a little bit more. You know, obviously, you know, some crazy changes here and there. So we're going to get into a bunch of cybersecurity and risk management today. We're going to talk zero trust and your background.
So let's get into it. How did you get started in technology in the first place?
Well, I originally got into the industry as a computer programmer, but fast forward to the 2000s, and I had a thriving career as an independent consulting analyst in identity management. And that was when I became the research director for the Security and Risk Management Strategy Service at a company later acquired by Gartner. And I became, actually about 15 years ago, really a cybersecurity strategist focusing on technical topics and cloud security in its early days. Then Gartner bought us, and after a few great years there, I began a second life as an independent consultant again in 2014 with my current company, Security Architects.
And as I got back into consulting projects for large companies, I rediscovered something I'd seen earlier in my career. And that was the extent to which the technical projects I was on struggled because of organizational issues and office politics and budgets and stakeholder buy-in and things like that. That's why I decided to get into my latest project, which I'll refer to a few times, which is a book called Rational Cybersecurity for Business, which shines the spotlight on the need to align security projects better with business stakeholders.
And during the research for that, I actually came across the Harvard Business Review research that found 75 percent of cross-functional teams are dysfunctional. And that's important because all of the security projects I've worked on, and especially the identity management ones and risk management, are cross-functional, and this kind of affirmed to me the importance of the new focus that I have these days on stakeholder alignment and what I covered in the book. In fact, its subtitle is The Security Leaders' Guide to Business Alignment.
So let's get into that. So why did you decide to write the book?
Well, because I saw that there wasn't a book that really tackled that subject. I guess there were some books on soft skills for chief information security officers, or CISOs, but there wasn't really one that looked at what is the security program, what is the architecture of the security program, and how do you go through piece by piece and figure out how to align that with stakeholders to get the maximum effectiveness?
Well, one of the things I thought was pretty interesting is you're talking about the Pareto principle and kind of that key question of how can leaders get 80 percent of the benefit by doing 20 percent of the work? And I think that's what all technology leaders are trying to figure out with security right now: how do we manage risk, but how do we do it in an efficient way? Because security budgets are rising exponentially as threats rise exponentially.
Well, I hope your security budget is rising, because the industry, not just the threats, but the regulatory authorities and the business disruption and the technology changes, are always raising the bar. Sometimes the technology gives you more automation and more capability. But first you have to figure out how it works and how to integrate it with what you're doing. So the Pareto priorities that you referred to are based on this idea, the Pareto principle by an Italian economist, originally also known as the 80/20 rule, and of course, 80/20.
It's a rough estimate, but anything that kind of has a power law distribution, and in an economy where you have automation, phenomena tend to have a power law distribution where you can have large differences in efficiency based on a better or worse approach. It's worth looking at what 20 percent of things we should be working on. And so I was kind of trying to figure out what to focus on when I was writing Rational Cybersecurity for Business, and I kind of toyed with that question of what is the cybersecurity Pareto principle?
And I came up with six priorities. You kind of indicated that risk management was real important. And it is; it's one of them, maybe in some ways the most important one. And you also kind of alluded to why when you were talking about security budgets, and particularly if your budgets are not going up but going down, you really have to husband your resources. But I found five other principles: control baseline, because you have to have some security hygiene; access control creating minimal drag on the business; cyber resilience; and a couple of others, IT simplification and rationalization, because you can't manage what you can't secure.
So how many folks did you talk to in the course of writing the book? What were some of the common themes?
So I spoke with more than 60 business and security leaders, and they were a pretty diverse group, I should say, because some of them were folks that are on boards of directors, sort of representing risk management or cybersecurity, and others are security leaders, actual CISOs, and still others were people I knew that were thought leaders and were just going to give me an interesting perspective about anything that I asked them. But the common themes that I did come up with were, one of them was that you kind of have to focus on the basics.
The basics are important. And that's why a control baseline was one of my six Pareto priorities. And those basics that folks talked about, in addition to security hygiene and keeping the doors locked, so to speak, were also just basic integrity. If you're in a CISO position and you have to go to the CEO and, say, interrupt the meeting with some of their biggest customers and say, we've got a potential problem with a virus and we may be sending out infected emails, I need to shut down the email system for the company so we can clean it up.
You need to have established a relationship of integrity so that you'll be believed and heard. And that's critically important. And then, you know, another basic is just leadership. You know, I think we're talking about upskilling some on this interview. You have to be able to lead your team through some trying times. I also talked a lot with folks about risk management. And this may have been a bit of a self-fulfilling prophecy because I was so interested in the subject of risk management.
And we'll probably get into that, hopefully. But I found that there was a wide variation in the maturity of risk management programs that companies had, and that the ones that seemed to be doing it well were not all doing it the same way. I mean, maybe they were using Factor Analysis of Information Risk or moving in that direction so that they could quantify their risk. But how they actually reported risks, to what committees, or how they made business leaders accountable for risks, that was all different and really adapted to how their company culture is.
Yeah, let's get into that. Let's get into some of the risk management piece. Was there something specific that you saw in those interviews and as you were preparing the book that was different than the rest of your research, or what were you seeing?
I've done a lot of research into risk management over the years, going back to when I started the security and risk management service, back before Gartner. And in those days, none of the security folks I was working with thought that you could do quantitative risk analysis. They thought that it had to be qualitative because you could not estimate the probability of a threat doing something and succeeding, or that type of thing. Well, since then, we've developed in the industry the Factor Analysis of Information Risk, or FAIR, and that's become an Open Group standard.
And so I have been inspired by that. I've worked with a few companies over the last five years or so on setting up a risk management program: all the processes for communicating risk, reporting risk, monitoring risk, analyzing, assessing, evaluating, identifying risk, even from the teams that are looking at vulnerabilities or pentest reports or different issues and trying to triage which ones are actually risks. So I've done all this work and have all this background, but it was interesting to do these interviews for Rational Cybersecurity for Business, where I was actually speaking with CEOs and board members and folks like that and seeing how the picture looked from there, and then finding, for example, that one of the real keys is to get the accountability for information risk at the right level of the business, not down with the security manager
that doesn't have the ability to approve a big budget, but up with the business leader, and making that business leader understand what the risk was. And actually, it's a two-way conversation, understanding what the business risk from his or her perspective is. They're worried about things like sole-source factory failures or, you know, major competitive impairment or things like that in the US. So you kind of have a few generic risks, like the risk of breach. But you also need to kind of figure out how information risk might tie into the risks that are already on the top
executives' minds, like ransomware could cause that sole-source factory failure. So it was interesting to talk to people and kind of get that perspective and then to find out what sort of forums they had in their companies to consider those issues. So in one company, they had a corporate sustainability or corporate social responsibility committee. That's where they did their major risk assessments of the whole company. And they would have people come in from the different divisions and do reports on what their top risks were, and actually hold them accountable to identifying those and describing what their action plan was.
And it was interesting to see how everybody seemed to do this a bit differently.
Yeah, that is really fascinating. How many times are you seeing the CISO as a separate entity from, like, the CIO or CTO versus something that's, like, rolled up into the technology organization?
I think that in most cases, in my experience, the CISO reports to the CIO or the VP of Information Technology, because cyber information risk, which is sort of the category that I work with and that we in this industry generally work with, is a subset of business risk. Business risk includes, you know, financial risks and regulatory risks and market risks and all kinds of things. But information risk is kind of a unique animal, so to speak, and it includes broadly the risks of IT outages or losing the ability to employ your IT technology on behalf of the business.
And it also includes the risk of cyber attacks and other kinds of threats or bad effects that nation states or cyber criminals can create against your company. That is all information risk. And the CISO is the head of the team that has to deal with that. But to take a step back concerning CISOs, we actually find that many companies don't have someone with the title of CISO. They have a security leader for their information security team. But this person could be buried down in the IT department and not have any access up to the business leadership to have the kinds of conversations that we were just alluding to about how information risk ties into their top business risks.
And so they don't even know what those business risks are or how the executives think about them. And the executives don't understand the technical security perspective either. And there's kind of a real gap there if you don't have someone that has that CISO title and actually lives with that title, specifically by having some access to the CEO or to the board of directors whenever security is on their agenda. And I did a blog post, one of my recent ones, called Where Should the CISO Report, on my site, security-architect.com, where I put a stake in the ground.
And this is also in the book: that if you're a large company with a certain amount of security pressure, meaning you have some threats, you have some regulations you have to comply with, you really should have someone that has the CISO title and actually has the access and authority and responsibility that that title would imply. But a lot of companies don't get this yet. One survey found, this was maybe last year, that 38 percent of the Fortune 500 companies don't have someone with the CISO title.
That's pretty remarkable. I mean, it's so funny to think about the fact that it's not that widely spread. I mean, you know, I would imagine it's going to change pretty soon here. I don't really see how you couldn't have someone monitoring, you know, having that proverbial seat at the table that we talk about all the time. Managing your security just seems pretty outdated.
Well, I think at the companies that don't have it, they would probably say, we do have someone in security, we have a team and we have a budget. And they may honestly think at the executive suite there that they care about security and they're handling security. But because they think it's a technical issue, you know, it's down in the IT department, there's not anything that we really need to do as business executives other than fund the position.
We really don't want the CISO coming in here every two weeks and bombarding us with two hours of technical information, which, by the way, the CISO should not do. The CISO should be having more of a conversation about information risk and business impacts rather than technical matters. But because there's this, you know, business is from Venus and security is from Mars phenomenon, miscommunication, a lot of executives honestly don't think that it's something that they need to be too engaged with other than to fund it, which hopefully they are funding, because they've heard from the lawyers and all the trade press and all the breaches in the news that they need to fund it.
But they don't realize that it needs to be treated as a strategic matter by them to make sure that not only does the CISO have some money, but also the CISO has the access and the two-way communication, and the CISO has support from the various business functions, because at some level, cybersecurity is everyone's responsibility.
Everyone has some kind of role to play in it. With all the changes that happened from, you know, COVID and shelter in place, bring your device to work turned into, you know, bring your work home, obviously, right away. I'm curious, like, what were some of the things that you saw from a security perspective that were critical for technology leaders?
Well, you know, companies have been forced to accelerate remote access, obviously, and they've been forced to open up web access to more applications. It's almost as if the digital capabilities, the IT capabilities, that businesses have have become a digital lifeline that you need to have just to even keep the business running in most cases. And so they've had to really expand remote access. They've had to adopt architectures like zero trust. They've had to increasingly adopt cloud computing services because those are sort of remote by definition.
You access them remotely and they work remotely. So you don't need any, you know, real on-premise footprint with them. So they've had to really expand that part of the program. And we've worked with companies over the years on network segmentation architectures that assume that they get a certain amount of protection from resources or data centers being inside secure facilities that are only touched by administrators that work for them. And now that's increasingly in question with all the remote access.
A lot of companies haven't been very well prepared. They may not have had a bring your own device program, for example. And now all of a sudden, folks are working from home and they may not have a company owned and controlled device. And so there's a lot of issues that companies are working through now to try to grasp that digital lifeline and not get burned.
And what about zero trust? You just wrote an article about it recently, and we talked about it a lot on the show. But do you have some concerns?
Yeah. So zero trust is just a principle that when we grant access to an IT resource, like a computer or a database or something like that, we should not make the trust decision to do so or not to do so based only on where the device that's accessing it is coming from. The trust decision needs to be network independent. And of course, with almost all access now being remote, you have to be able to maximize the application of that zero trust principle. So a zero trust architecture is an architecture where the IT security components are arranged to support that principle.
So I wrote this article for Dark Reading, Is Zero Trust the Best Answer to the COVID-19 Lockdown? And in the article, I gave an example of an asset management company that a few years ago had an active shooter tabletop exercise. They were asking the question, if there was an active shooter and we had to send everybody home, could we still run the trading and all other parts of the business? And so they were looking at zero trust. They were looking at how they could prepare more systems for Internet access.
And although the pandemic is nothing like an active shooter, the technology solution was the same, and they were well prepared. Other companies, like PayPal, I heard, went out and bought thousands of Chromebooks in February. So they got prepared. But companies that weren't prepared now are struggling a bit. But going back to zero trust, as I said, it's really the right answer in theory for an environment where you've got the need to maximize remote access, but it's not suitable for all the use cases that you may actually have in place today.
I've mentioned staff working on home computers, apps, and an effective BYOD program. You may have to look at some other factors as to whether you can trust those devices and make a risk-based decision. Also, some of the applications that you're accessing may not be hardened, with all the ports they don't need closed and things like that. So they're not hardened to be able to be directly exposed to the Internet. So you have to still have layered architectures and solutions that you ideally would not have in a pure zero trust architecture.
You have to look at the use cases and decide where it fits and where it doesn't fit.
I want to talk about upskilling. Clearly, there's a massive need for more cybersecurity leaders. There's more need for young folks to be getting into cybersecurity. What are the pathways? How can we improve folks joining cybersecurity? Because clearly companies need it.
Yeah. So I don't know that I want to get into too much about the sort of social and economic opportunities for bringing people into the education system. I guess I should say I don't really want to get into that too much. But the fact is, we have a shortage of an estimated three million skilled cybersecurity managers and staff. And this can mean that it can take, like, six months to hire a qualified security engineer, or you might not be able to find a skilled incident responder or something like that.
And these are folks that are not ready for those positions coming right out of college, the average person. So they sort of have to be trained on the job for a while or acquired from another company where they have been trained. So I kind of advise companies to look at two avenues. The first avenue is diversity, you know, sort of broaden your focus to look at what different kinds of people might be good for the role that you need.
And secondly, to look at training or recruiting from within the organization. How can you break up those roles or change the way the work is done so that you can take the limited population of skilled people that you already have and get them training and helping other people to come up to speed, and still get the work done in the process? So, you know, on the diversity side, that's really important, not just for all sorts of good social and economic reasons, but also because it can improve your team.
There is some work that's required to manage a diverse team as opposed to managing a team of people that are just like you and you know how they work. But it's worth it if you find that having a more diverse group of people can help your team expand into additional areas or perform certain functions better. For example, if you're running a user awareness program, you're actually better off having someone with a marketing background or a communications background than someone with a technical security background.
So you could be looking at someone with a degree in marketing or communications rather than someone with a degree in cybersecurity to run that program, with the guidance of security leaders. If you're looking for someone to do code reviews, there was a really interesting talk at the RSA Conference, which I was actually able to attend this year, the last one before everything shut down. But it was on diversity. And one example of looking far afield was that people with high-functioning Asperger's syndrome are actually ideal for code reviews, because looking through ten thousand lines of code for a misplaced semicolon is the type of work that someone with that mental framework likes to do.
So you have to be creative. You have to think outside the box. And in terms of sort of reorganizing the work a little bit, going back to my comment earlier about how security was everybody's business at some level in the company, I really am a fan of security championship programs, where the security team has a budget and a mandate to go out into the IT department and into the development organizations or into the business and find people that are interested in security and give them some training, give them a security champion title, and get them to do certain tasks that would normally be done by security FTEs, full-time equivalents, but don't have to be.
There was a presentation at last year's RSA Conference called Democratization of Security, where the security leader at a company called Mudaliar talked about their security championship program, and they engaged operations and development team members in vulnerability management work and security testing work that normally security FTEs would do, or normally wouldn't be done as well. But because they have these security champions, rewarded with education and compensation and recognition, they've actually expanded their security team from five to more than 30 people that are part of that team on a part-time basis.
And so these programs are great force multipliers for the security team.
Yeah, that's a great rundown. I think, you know, as there are so many programs and different things coming up, you know, popping up every day, I think it is important to be able to have companies that can bring in folks and just go a little bit in the company, but also, you know, the programs that can do that.
Are there any trends in cybersecurity that you're following that you're particularly interested in?
Yeah, so I started talking a little bit about quantified risk management, and I highlighted that it was a relatively recent capability for us in the risk management space. When I got started in this field, most of my colleagues felt you could not do it. But now, with the Factor Analysis of Information Risk and different ways of thinking about it, we can actually do a pretty good job of estimating the order of magnitude of different loss exposures or risks based on a standard model for quantified risk management.
And that's starting to get pretty broadly accepted in the industry. For example, the Securities and Exchange Commission now has strong guidelines that companies put quantified risk estimates into the quarterly or annual reports in the risk sections. And so that's an important subject, because it's also necessary for business risk owners to understand the monetary impacts of risk in order to fully feel accountable and be able to take accountability for them and take the right security measures or sponsor the right security measures. They have to understand risk in business terms, like time to market, monetary loss, opportunity cost.
And I like to quote Jack Jones, the chairman of the FAIR Institute, who likes to say, for most companies, security spend is like the advertising budget: you know you're wasting half of it, you just don't know which half. So that's kind of one of my main passions these days, I guess, is how can we improve companies' risk management processes and how they do the analysis. Another one I really like is transformational user awareness programs that can uplift the security culture of the company.
I think they're starting to get more recognition as well, as the industry starts to recognize that soft skills in the security space are just as important at some level as some of the hard skills. And what we see is that if a business has a healthy security culture, then IT teams or developers or business leaders are going to bring their projects to the security reviews early on to get feedback. And if not, they're going to hide those projects, and then you'll have to come in and be Doctor No at the end.
And that's never good. So the bottom line is, security culture can be your greatest vulnerability or it can be your greatest asset, where users actually become your first line of defense, reporting suspicious signs that they're seeing, even if it's something like, hey, we have a privileged administrator that's got a lot of access rights and he works for this team, and I notice that he's having a lot of problems with his manager or, you know, not coming to work on time, having drinking problems or something like that, something that the security department may need to keep an eye on.
It's just an example of a human sensor in an organization, so to speak. And security programs really live and die based on the support from the end users and IT and then the business itself, the developers and all these people. And I'm working on a case study article for the ISACA Journal where I'm speaking with the security awareness program at a major Ivy League university. And the head of that awareness program kind of describes not only how she uses sort of a positive message to encourage people to see security as something that they can influence for their own safety at home, for example, but also using the computer support team as a network of influencers throughout the university.
She describes them as her army. And I thought that that is really an example of the kind of work that we need to do to extend the effectiveness of really small security teams across really big companies or universities or other organizations.
All right, let's get into our lightning round. These questions are fast and easy, just like the Salesforce Customer 360 platform, the number one cloud platform for digital transformation of every experience. You can go to Salesforce.com/platform to learn more. We love Salesforce. They've been here since the very beginning of IT Visionaries. And you should go to Salesforce.com/platform, check them out. Lightning round questions.
Dan, are you ready? OK, what app on your phone is the most fun?
I have one called Explorer Go and use it to track my dog once she runs off in the woods. It's from a company called Whistle.
That's really cool. That's a great one. If you weren't in cybersecurity, what do you think you'd be doing?
I would be a writer, and I'd be writing fiction books on cybersecurity. Or maybe I'd be writing about philosophy and personal transformation.
It's a little bit of a cheat because you already are a writer. But also, what habit have you picked up during shelter in place?
Oh, I picked up some bad habits because I had a root canal, actually, finally, but I had a really bad toothache, and for a couple of days the pain was so bad that I had to supplement Advil with whiskey. But fortunately, that's not really a habit, though, because I'm not doing that anymore. I finally got my root canal.
You know, I have all the sympathy in the world for tooth pain. That is for sure.
It is the worst you can even think of. One of my condo association members said that he had a filling that came out and he had a jagged tooth sitting in his mouth for three months before he could get to the dentist, or is still waiting to get to the dentist.
That's tough. OK, what is your best advice for first-time CISOs?
Well, best advice is to kind of go around the company and get to know the business and IT leaders, find out what their pain points are as you get to know them on a personal level, and see what you can do for them to start to build some goodwill and get some credibility. You also need to do a security assessment of the company to figure out what the biggest risks are and the biggest gaps so that you can start to prioritize where you need to put your efforts.
Well, that's it, that's all we got for today. Dan, awesome having you on the show. Thanks again. We'll talk soon.
Thank you. Great being here.