CyberWire Daily - The CISO's changing role with Andrew Wild
Episode Date: December 28, 2017
Andrew Wild is CISO at QTS Data Centers. He shares his insights into the changing role of the Chief Information Security Officer, as businesses shift their focus toward risk.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Our podcast team is taking a break this week from the daily news.
But don't fret.
You can get your daily dose of cybersecurity news at our website, thecyberwire.com.
In the meantime, we've got interviews for you this week, some interesting people we've talked to throughout the year.
So stay with us.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
I think it's very interesting, and we've heard a lot of this across the InfoSec space lately, about the changing role of the CISO.
That's Andrew Wild. He's the Chief Information Security Officer at QTS Data Centers.
I do think it's really important to talk about this because it has changed significantly. The role has changed from being really focused on the technical implementation of security controls, from being responsible for managing firewalls and overseeing the configuration of intrusion detection and other technology controls, to being responsible for advising the organization about the management of IT risk. Now, that does obviously include, in many cases, the operation of the technology controls, but the focus is really shifting towards management of risk.
Yeah, I certainly hear that from a lot of folks. And it seems almost to me like you're sort of a translator between some of the technical people and the higher-ups in the company.
Yeah, it's an interesting role, because there is the need to be able to manage technology folks and also provide guidance and direction to technologists. But there's also a need to communicate across a different group of folks within the organization. I spend a lot of time dealing with the general counsel's office and speaking with the different lawyers within the organization, the attorneys who are very focused on managing contractual risks to the organization. I spend time speaking with the CFO and the folks in the finance organization, talking about financial risks that can result from IT security issues. So it does require the ability to communicate effectively, not only in the technology space, but also across different disciplines.
Can you give us an idea of how you go about setting your priorities?
Well, oftentimes the priorities aren't necessarily set by me.
I have to react to them.
This is a very dynamic world in which we live,
and the IT security risks, or the cyber risks if you prefer that term,
are changing very rapidly.
So in many cases, the priorities I set are dictated by the world in which we live.
There are threats the organization is facing, and we know today, and this has been a gradual learning curve for most of us, that we can't rely upon prevention being 100% effective. So it's an effort to focus on managing risks: how to understand the risks, how to prioritize them, and then how to most effectively use the limited resources that we have to try to minimize the risks.
And how do you go about doing that in terms of, again, prioritization of the budget and resources that you have? How does that guide your decision-making process?
Well, the reality for me, at least, is that the priorities, like I mentioned earlier, but I'll go into a little more detail now, are oftentimes somewhat dictated by external driving forces. You know, we hear the terms compliance and security, and are they against each other? Are they aligned? But the bottom line is, for most folks in the security world, compliance is the minimum requirement. You have to be able to address your compliance needs or you can't stay in business. So one driver of priorities is ensuring that we meet our compliance obligations.
But outside of compliance, we then start to have the ability to look at, well, what do we believe the threat landscape is? And if you look at what most organizations are seeing today, I mean, the common refrain is that still the two biggest attack vectors are email and web browsing, for the introduction of malware into an organization, which can then impact the confidentiality, integrity, or availability of the organization's information. So once you get past the fact that, okay, I've allocated my resources to be able to meet my compliance obligations, then you have to do the threat assessment of what the threat landscape looks like for this organization. And I would say that most organizations are probably focused right now mainly on, and it sounds simple, but it's hard to do, the email-borne attack vector as well as the web browsing attack vector. Those probably have the biggest visibility. But then the other priority has to be that your security staff is never as large as you would like it to be.
I mean, at the end of the day, security is, for most organizations, not a revenue generating
function.
So you're a cost, a needed cost, but yet a cost.
So you're not going to have the resources that you would like to have in most cases.
So you've got to prioritize and determine
what do you put where.
One of the things that I found effective to do
is to leverage a concept of force multipliers.
So you don't have enough security people in your staff,
but what can you do to enlist, deputize,
whatever word you want to use
to grow the effectiveness of your organization
by leveraging other people in the organization. This is partly done through security awareness and also partly done by just seeking out people across the organization that have a passion for information security and seeing how you can bring them in and leverage that passion to be additional eyes and ears for what's happening in your organization. It's not just about depending upon your technology solutions to sense and detect issues. It's about leveraging the people in your organization that are on the systems, that are doing their jobs every day, to look for things that are unusual and then bring those to your InfoSec team, which you can then leverage to go and investigate potential issues.
Yeah, I think that's a really interesting point. And one thing I hear often is the importance of properly setting incentives.
I think many of us think of the IT department, you know, sometimes it's almost a stereotype about,
you know, them being the department that tells you everything that you can't do.
But if you put in positive incentives for people to be part of the team,
which is what it sounds like you're proposing,
that can really be a different force in a different direction.
Yeah, and I think one way that can be handled is, at least in the organization I'm in now, IT is separate from security. Because if you think about it, in general, IT organizations and security organizations, while the end goal might be the same, the near-term goal is not the same. IT is really all about availability, and they'll do whatever they need to do to ensure that availability is maintained. And sometimes that does mean telling users no, because they see that as a threat to availability. Whereas modern-day security orgs are really focused on, and I'm going to use the buzzword here, business enablement, which is understanding that you are consultative to the organization to achieve their business objectives. You can't do that by saying no. There's got to be a way to say yes to help them get to the end state that they want. Now, sometimes it does mean no, as in you can't do this, but we can do it this way, which can be effective.
There is great value in trying to collaborate across the organization and get that support from different folks around the organization. And sometimes, especially in organizations that have adopted cloud solutions, so you've got that shadow IT function going on, the ability to have that support throughout the organization matters, because there are things happening that you're just not going to know about. And if you don't have the trust across the organization, then if someone says, hey, you know, we're using this new tool and it doesn't seem quite right, they're not going to come to you with that if they think as soon as you find out about it, you're going to go up the flagpole and shut them down.
Right. And I've heard people say, you know, I don't get my annual bonus based on my security posture or behavior. As someone who's not in the security department, it's an anchor, it's a drag on my ability to get my work done.
There is that view, and the way to combat that, and it's a cultural change for an organization, is there has to be that engagement at the senior leader level. They have to understand the InfoSec program itself has to be aligned to ensure the focus is managing risk, not just an absolute prevention mindset, or a mindset of, well, you know, this is bad, so we don't do this. The program has to be aligned to risks, and you have to be able to communicate with the executive staff what the risks are and what the company has put in place to be able to minimize those risks. Because if you don't get the support from the executives, then you end up with your InfoSec team trying to be a police force. You can't win that way. If you're going around and policing people all the time, you're not going to get that collaboration across the organization.
In the time that you've been in the business, and you've got over 20 years of experience in the industry, what are some of the major changes that you've seen?
Well, first and foremost, I think this pivot to being a risk manager is a significant change. When I came in, it really was about the technology. It was about managing the firewalls, managing the identity systems. And that's still an important component. But the transition to focus on risk, and the ability to have those discussions at the executive level, really has changed things. The programs now are much more tightly aligned to business objectives because those discussions are happening with a vocabulary and at a level suited to senior leaders, where they understand the reason why. And they don't necessarily need to understand the technologies behind the risk mitigation, but risk is something they can quantifiably understand. At the executive level, they've been managing risk forever. Some organizations don't manage it well, and they don't stay around very long. But the ones that are good at it, they understand financial risk. They understand contractual risk, and now they're beginning to understand information security risk, because the IT security risk function has now been elevated to that executive level, where it's not just seen as, oh, that's the guys in the back room that just configure the boxes to make sure everything's okay. Configuring the boxes in the back room is not going to get it done with today's threat landscape. There has to be an understanding at the executive level that this is a compromise. It's a trade-off. We're doing this, and we estimate the risk of this, and this is how we're planning to mitigate it, but it changes often. And if there's not that recurring dialogue at the executive level, that discussion about where the security program is going, where it is, where the shortcomings in the program are, if that doesn't happen regularly, you're not positioned to really be successful.
My sense is that we're at a point where boards of directors are really understanding that
this security posture needs to be a part of the organization throughout. It's not just,
like you said earlier, a side organization that sort of keeps the boxes running.
Right. And I've been fortunate that the organizations I've been a part of recently have been very active and focused in communicating with the boards. You don't expect the board of directors to be the cyber experts, but you do want them to understand it is one of the three principal forms of risk to an organization. There are many, but I would bucketize them into IT security risk, contractual risk, contractual and legal, and then financial risk. Once they understand that, then they're willing to, well, it's oftentimes not willing, if they are agreeable to spending time, and you usually don't have to ask this, they want to know the information, to get updates frequently on what the status of the program is and get that readout directly to the board. That then makes the executives more comfortable, it makes the board members more comfortable, and it just works better for the organization.
That's Andrew Wild from QTS Data Centers.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.