CyberWire Daily - Solution Spotlight: Cultivating cybersecurity culture. [Special Edition]
Episode Date: October 29, 2024
In this Solution Spotlight episode, our very own Simone Petrella sits down with Chris Porter, the Chief Information Security Officer at Fannie Mae. As a seasoned expert in the financial and cybersecurity sectors, Chris shares insights into how Fannie Mae navigates the complexities of securing one of the nation's most critical financial institutions. Together, they discuss Fannie Mae's evolving cybersecurity posture, balancing innovation with risk management, and the critical strategies employed to protect sensitive data in an increasingly digital and interconnected world. Chris also delves into the importance of collaboration across the industry, highlighting partnerships and intelligence-sharing as vital components in mitigating cyber threats.
Transcript
You're listening to the CyberWire Network, powered by N2K.
On today's episode, our own Simone Petrella speaks with Chris Porter,
Chief Information Security Officer at Fannie Mae.
They're discussing cultivating cybersecurity culture and talent.
I want to kick off with maybe just letting you share a little bit about yourself and your journey into the role of CISO with our audience.
Yeah, certainly. And I would say it's been quite an interesting path.
And I'll go back to college because I think that helps set the scene a little bit
on how I got to where I am today. I started off as pre-med when I came out of high school.
And unfortunately, I met organic chemistry and some other classes in college.
I feel like that is the downfall of all pre-med
is organic chemistry. And I joke today that I think that it saved lives, me going through that
class probably. And so I bounced around for a little while during school. At one point,
I moved from pre-med to sports medicine. I was an athletic trainer for the women's soccer team for
a summer. And then I moved over to the men's and women's swim team.
And at that point, I had started majoring in psychology,
kind of realized that I wasn't going to make the money that I was hoping to make
once I got out of college.
And so I kind of pivoted to economics,
where I ended up having a double major in economics and psychology.
But the entire time, though, I was always a computer guy. I grew up with computers. I used
them all the time. On my hall during my first year in college, everybody would come to me and ask
how to do certain things because I just had a knack for them. But I didn't think about computer engineering
or anything like that when I first went to school because my thought back then, at least, I mean,
this was a long time ago, was that the computer jobs were working at Radio Shack and being
surrounded by hardware. Not that there's anything wrong with that, but that's generally what I
thought about at the time. And so I sort of bounced around a little bit.
I came out of school.
I worked at a small startup in Charlottesville, which is where University of Virginia is.
I worked there for a year.
I went and became an economist working for a small beltway bandit and did risk analysis for utility privatization.
So I'd travel all around the country looking at whether or not they should take their water or sewer system or electrical system on a base and privatize it.
And so that's where I first got my view into what risk management actually was and the
trade-off choices and decisions around those kinds of things.
But I'd say the biggest thing was I took a pivotal trip to visit one of my best friends
who went to Virginia Tech.
And again, there's nothing wrong with that as our rival college.
But he was working for a bunch of companies in Silicon Valley.
I toured with him and saw the SOC.
I think he was at Cisco at the time. And I was just
really enamored with the energy that was out in Silicon Valley and how technology was so different
than what I had thought it was. And so as I flew back from San Jose, I think, at the time,
I sort of made a choice in my mind that I was going to move over to IT.
And so that's where my real experience started.
I found a job working for a help desk
at a law firm in DC,
learned infrastructure,
moved to New Orleans,
followed my now wife down there when she went to graduate school.
And I worked for LSU Health Sciences Center doing sort of jack of all trades,
help desk support and network engineering and infrastructure support.
Came back to the DC area, worked as a security consultant for TruSecure,
which was a small startup. It ended up becoming Cybertrust
and then got acquired by Verizon. And so for several years, I worked as a security consultant.
Funny enough, I was a security consultant for Fannie Mae for several of those years. And so
it's kind of a weird, interesting sort of pivot to what I'm doing today compared to what I was doing
close to 20 years ago at
this point. And I also did research at Verizon. So for several years, I was one of the lead
researchers and writers of the Verizon Data Breach Report. So this was from like the second report,
so 08, 09 through when I left in 2015. And so I did nothing but study cyber incidents, came up with a framework to analyze
cyber incidents, studied all of these forensic reports. We created a cyber intelligence center
at Verizon at the time, leveraging information from those reports, and really got an understanding
of how companies could improve their cybersecurity. And then that's where I took the jump,
became a deputy CISO here at Fannie Mae back in 2015,
and a year later got promoted.
And so I've been at Fannie Mae,
this coming January will be 10 years.
And in April, I will have been the CISO for nine years.
So it's kind of like I'm in my fourth or fifth CISO life
here at Fannie Mae.
What an incredible journey. And as unique as your story is, I think it's more common than
we give ourselves credit for when we talk to people in leadership today, because there was no
cybersecurity degree program. There was maybe computer engineering. How much do you think that
the background that you had,
majoring in economics and psychology and some of the work experience you gained before you fully
made the jump into IT and then into security, shaped your perspective now as a CISO and how
you think about not only your own path, but then maybe some of those who are the future talent
coming into cybersecurity?
Yeah, certainly. And I see today
that there's a lot of talent out there that isn't in traditional computer science, computer
engineering backgrounds. A lot of the sort of major programs that are coming out, they're all
founded in a data science, data analytics kind of background. So I do a lot of work with the
University of Virginia, the McIntire School of Commerce down there, and they have an entire
program around data science. And the skills that you learn there on data science are incredibly
helpful when it comes to any sort of IT and technology job that's out there.
You're learning how to code, you're learning how to manipulate data, you're learning how to get
insights from data. And that's, that's a lot of what we do in technology today are those kinds
of things. But you said something interesting about like, my background as with economics and
psychology, you know, today, that background would actually
be the whole field of behavioral economics and the whole like thinking fast and slow when it
comes to like Kahneman and Tversky and some of the books that have come out since then.
But there's a whole lot of sort of psychology and economics baked into how we do cybersecurity today.
So when you think about phishing messages and the cognitive bias and the availability heuristics around clicking on links,
and you're doing so without thinking about it because you're not taking a moment to say,
hey, wait a second, should I click on this or not?
You're just in auto drive as you're doing your emails.
That is a huge psychology and economics and behavioral economics kind of issue. How do we slow people's thought
process down just enough that we're like, you know what? I shouldn't open that attachment because
it's from some weird name and I've never received an email from that person. So there's a lot of
psychology that comes into what we do in security
today, especially when it comes to the integration of business and security together.
One of the things that I think has been really interesting in 2024
is that this is the year we finally have data, staying on the data
science theme, on the workforce, on the cybersecurity workforce that shows that
demonstrably cybersecurity employers are unable to find experienced workers, and yet new cybersecurity
workers can't find their first job. And we've intuitively been saying this now for a number
of years, but we actually have looked through the job data.
7% of jobs posted for cybersecurity work are currently requiring two or less years of experience.
77% are requiring over that amount.
And ISC2 just released its first look for its annual workforce study and found that this is the first year that the global workforce in aggregate has actually stagnated. And it's actually kind of
tapped out compared to large growth numbers year over year. I'm curious what your take is on that.
Is that something that you relate to in your role and you're seeing play out? Or are we overstating the issue?
No, I think that is an issue.
When you look at trying to remember the most recent supply-demand statistics out there,
you always see these numbers out there
that there's 3.4 million cybersecurity jobs
that are unfilled.
And then as you mentioned before,
it's hard for the folks who have less experience
to get that first job.
And I think that's partly due to the pressure
that is on organizations
to meet their cybersecurity requirements
and meet the sort of the threats that are out there, right?
Like, you constantly have this educated, unyielding threat environment of nation-states, organized crime, individual attackers that are constantly hitting organizations.
And on the other hand, you need to have seasoned cybersecurity professionals that can come in to lots of different companies where there's a massive skill set shift from your traditional cybersecurity skill sets into more
developer-like skill sets for cybersecurity engineers, where it's a lot more about in cloud,
about integration and engineering and security as code, compliance as code,
and all of those kinds of things. And so you've got these sort of skill set pieces where you have
to do both during the transition, and you have to build the skill sets to be able to meet the demand
of the IT infrastructures that we're going to be having over the next several years.
All the while having all these new challenges that are coming up, right?
Quantum is going to be a bigger problem or an earlier problem than what we probably thought five or 10 years ago.
Gen AI and all the value that businesses can get out of gen AI,
but how do you secure the gen AI that your company's wanting to use
to create business value for their customers or for internal efficiencies?
And so you're constantly trying to defend against...
I think this actually just reminds me of something.
Dan Geer, who's one of the huge
cybersecurity wisdom guys
over the years, had mentioned something about the asymmetry
that comes with cybersecurity and that we have to protect
against all threats that have ever
had, all threats that are happening today
and all new attacks that might be happening in the future
that we don't know about.
And the bad guys only have to be right one time.
And so that's the field of play that we're in.
And so I definitely understand the challenge.
There was also recently, I think it's Daniel Miessler, who's a
cybersecurity guy that's on Twitter and has his own little company, puts out some different
information in different newsletters. He actually had a recent discussion just on this very problem
around talent shortage and things like that. And he came away with a couple of different interesting takeaways. One is that applicants don't have a lot of the skill sets to do the work,
what you just described, right? Hey, we're looking for people that have five plus years of experience.
You know, that's because of the challenges that are out there. Few companies have the resources or are looking to train new hires on these things.
And it's more apprenticeship-like training as opposed to like, hey, I can go build the talent
early on and then kind of move them along. Another one was around just recruiting in HR.
The entire process of matching skill sets with the middleman, middlewoman HR role also makes it very challenging for hiring managers. So that whole process makes it difficult as well. Just in, you know, how do you simplify it in a way so that you can, you know, get the right sort of folks in.
But I do think it's a mindset change.
We generally have an associates program where we're bringing in new talent every year
and finding the right roles for them to be able to learn and grow within the organization
and then moving them around to the right thing.
So like one of the things that my team
is focused on this next year
is like developing a very specific
cybersecurity associates program to do just that.
Kind of build a general skillset
so that we can find the right roles for them
and kind of fit people in
and then help them grow with those kinds of opportunities.
And what's incredible to hear about a program like that you're building is it's embracing
what is a long-term approach because you have to grow the talent to what you described at the
beginning, which is we have this short-termism because the problem is right in front of us today.
And we as an industry, as a profession, we're kind of stuck in this catch-22
because you need the experienced talent in order to resolve those threats that exist today. But
I sit here and I look and I'm like, this experienced talent is going to start to age out
anyway. So if we don't actually solve the bottleneck that we've created in the middle,
we're going to actually be in a worse place, you know, five, 10 years down the road as we progress
in this space. The other thing that kind of strikes me as you bring up kind of, you know,
those that are resourced and kind of putting these programs together, there is this dichotomy. I
don't know if this is something you've seen in your peer circles of CISOs that, you know, those
companies that are most situated or have the most resources to build
these more long-term programs are also the ones that don't necessarily have to because they can
afford to pay the salaries to attract the more experienced talent.
Yeah, there's a whole concept
out there, and I can't remember who coined this over the years, but the cybersecurity poverty line. And it's essentially this line where the more
resourced companies have the ability to have the more mature security programs, the more,
as you mentioned, you know, hire the more seasoned veterans in the space and be able to
manage their threats in a different way than those below the poverty line who, you know, may not have a CISO.
They may barely have a handful of cybersecurity people, you know, to even handle it, the issues at all.
Or it's just an IT engineer that has security responsibilities.
And that is a challenge, right? And one of the ways to kind of look at this
in some ways is a lot like the larger companies that are above the line, they generally have to
do business with those below the line. So then it just becomes third-party risk for us or fourth-party
risk. So you end up dealing with the issue overall anyways, except then you have different kinds of problems that come out, right?
Now your regulatory pressure on the requirements that you put on your third parties then basically elevates what kind of third party you can do business with.
And then you lose out on working with smaller businesses and those that might be further down
below that security poverty line.
So it's one of those challenges
that everybody's kind of working through,
trying to protect your company,
because ultimately that's our responsibility
as CISOs and cybersecurity professionals.
But how do you
also protect your ecosystem, your industry, and those kinds of things as well?
Yeah. Maybe we
should coin a new term here today about the cyber talent inequity gap or the inequality gap,
because I think what we're describing is a version of that playing out with poverty, right? So those
who can have the talent do and those that can't are just kind of trying to muddle through with maybe a couple IT folks that are also there for security.
How do you think in your role as a leader and having been with your organization for a long time and been in this profession, how do you think about the skills that not only individuals, but your team needs to execute on a security strategy?
Yeah, I mean, I think one of the big skills is you have to have leaders that have curiosity
and that are willing to ask questions
and kind of get down into the weeds.
I try to find folks that are sort of player coaches.
So not only do they have the experience
of sometimes doing the work,
but also the ability to coach those that are now doing the work. And those are hard, right? You
have to find the right skill sets of people who have the technical acumen, but also the sort of
leadership capabilities that they've built themselves over time. And being a leader is a choice, right? You
have to choose to develop yourself as a leader, to learn new ways of managing people and building
strategies and those kinds of things. It's a very different skill set than it is to go learn a
technical skill set. Hey, I want to go learn cloud security and AWS
and go get my security architecture certification.
Yeah, you can go do that.
But it's harder leading a large, diverse group of individuals
and trying to get everybody moving in the same direction
and holding all of them accountable for that.
So it's tough.
But I will start with, aside from finding the right kinds of leaders
to help lead, I grew up playing team sports. And because of that, that's kind of the mindset that I
bring into how I lead my organization, but just in general. And, you know, so you want to have people that can play the right roles,
you know, the right positions. You want people to have high psychological safety so that they
can raise their hand and say, well, you know, I've got some experience in this place. And
have you ever considered this? And then you still need to have people on the team that are willing
to accept that advice or answer that question.
And that's hard, right?
Like, you have to have a team and you have to build this sort of dynamic where people are okay getting some type of constructive criticism or advice and those kinds of things.
And that's also tough.
But that's one of the challenges of being a leader and
running a team. And I kind of go back to when you think about team sports, also, you think about
different kinds of sports where like, hey, you have a superstar, like a LeBron James in basketball,
and you know that with that person, you're going to be able to go really, really far.
You can make it to the playoffs or whatever.
And that would be something that's called a strong link sport.
The stronger players you have, the further you can go.
Versus what I think cybersecurity is,
which is more of a weak link sport,
it's probably a lot more like American football or soccer.
You're only as good
as the weakest part of your team.
And so like in those sports,
hey, if your, you know, left defensive back is weak,
then that's where you're going to get attacked all the time.
And you'll see that, especially in a soccer match,
you'll just see them going after that part of the field
over and over again.
Similarly, in American football,
if they know that the cornerback just sprained his ankle
and is limping around out there
and they've got them in a one-on-one position,
boom, it's over.
And they will just go over and over and over again.
And I think that's the same thing
when it comes to cybersecurity.
We have to be able to raise the boats and skill sets on everybody on the team.
And we've got to try to eliminate those weak links, not just in technologies and processes, but also in the people space too.
We've got to improve that across the board.
I love the team sports analogy, but in full disclosure, Rick Howard and I have a whole article and episode. We talk about how cybersecurity is like Moneyball in baseball,
because for this exact same reason, twofold. One, you know, you're dealing with a limited budget.
And so if you can't afford to have the Yankees, you know, salary opportunities, then you're going to have to kind of play the
Oakland A's and figure out how to just get to the most important metric and get on base.
But one of the things that I think is so interesting about all these analogies is how few
times we in the security profession, I've been a consultant and I've worked in retail and like
I've done all those things too. And sometimes we haven't really done a great job of defining what we think the position on the
field is. And then all of a sudden, we're surprised when you put a player in the position and all of
a sudden we're like, well, you're not doing what we thought you would do. And it's like, well,
no one told me what it means to be first base or second base or running back.
No, I think you're right. I mean, but I also think that the dynamism of
cybersecurity is that, like, you can put a player on the field and the field changes while the
position's there. That's one of the big things about that's different, I think, in our area,
is that, you know, I can wake up tomorrow and there's
going to be a brand new kind of attack that I've never heard of before. And we have to somehow,
within a few hours, protect the company against it. That is unlike most occupations out there,
right? And I think that's one of the things that I find that I love about cybersecurity
where I have passion around it is that you have that kind of continuous learning opportunity
where you're always learning, you're always working against some type of active adversary.
And it's, you know, this tit for tat kind of thing, right? You're trying to get better
constantly, trying to shore up your weaknesses all the time. And then you're trying to look
across the field of vision and try to predict, in some cases, what those changes might be.
And I think that's the biggest difference, right?
As I mentioned, sometimes it's, you're right,
what I think I need isn't what I need.
And so you just have to be able to quickly learn from that
and pivot and fail fast
and all those cliches around that kind of thing
and just keep moving, as they say.
Final question here: what's your advice then to those who have organizations who are
dealing with this constantly dynamic threat landscape where the field is changing? How do
we think about creating programs to kind of have the right people and get them into the field and
grow them and attract and grow those skills
that we need to kind of just be resilient in the face of an ever-changing threat landscape?
Yeah, I mean, I think it's finding the right sort of archetype of a person
that can help you with that. So like, as I mentioned earlier, when I try to find leaders that are curious, the other
kinds of leaders that I like and even folks on the team
are what I call thread pullers.
Because a lot of cybersecurity is around just pulling threads. Hey, I see this thread over here.
It's really weird. Here, I'm going to pull this and see where it goes.
And following it to
the end and be like, oh, do we have an issue here? What do we need to fix? How do we get in our
backlog and start working on it? And I think if you find the right people that are curious,
thread pullers, and are willing to have that sort of continuous learning mindset,
then you're going to be able to find the right people
to run those teams
because they're going to be eager to learn.
They're going to want to learn.
They're going to want to figure stuff out.
I think the other piece is just like
we as a community have to continue to educate our next generation of cybersecurity engineers,
analysts, etc. I mean, this is one of the reasons that I, you know, work with the University of
Virginia and the McIntire School of Commerce. In fact, I think this next Monday, I'm actually
going to be speaking to a class in the afternoon.
And it's about cybersecurity and the challenges and those kinds of things to kind of help them get a view of what those kinds of things are.
And I think that's just something that we all have to commit to
is how do we educate the next generation to make them better
and then also find ways to give opportunities to those as they're coming up, you know, from the ranks.
Well, Chris, thank you so much for joining me this afternoon.
Really appreciate your time and thank you so much for your insights.
You're welcome. Take care.
Our thanks to Chris Porter, Chief Information Security Officer at Fannie Mae, for joining us.
That was N2K's Simone Petrella on the mic.
Thanks for joining us. We'll see you back here next time.