CyberWire Daily - The impact of CISO Circles and cultivating a security culture.
Episode Date: September 1, 2024. In this Special Edition podcast, N2K's Executive Editor Brandon Karpf speaks with Danielle Ruderman, Senior Manager for Worldwide Security Specialists at AWS, and Adam Mikeal, CISO at Texas A&M, about CISO Circles, security challenges faced in higher education, and fostering a culture of security.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
On today's episode, N2K CyberWire's executive editor, Brandon Karpf, sits down with Danielle Ruderman, senior manager for worldwide security specialists at AWS, and Adam Mikeal, chief information security officer at Texas A&M. They discuss CISO Circles, security challenges faced in higher education, and fostering a culture of security. The group got together at the recent AWS re:Inforce conference.
I am here today at AWS re:Inforce with Danielle Ruderman, Senior Manager for Worldwide Security Specialists, and Adam Mikeal, the Chief Information Security Officer at Texas A&M. Danielle, Adam, so great to have you on the show.

Thank you. Very happy to be here to talk about the CISO Circles.

Thank you for having me.
So yeah, as Danielle mentioned, we're here to talk about CISO Circles. We're here to talk about the senior security executive community, peer learning opportunities, the things that CISOs like Adam here are concerned with, are focused on, and the areas they're trying to develop in as a community. So Danielle, could you give us a sense of the CISO Circles? What is a CISO Circle? How does it play out in reality on the ground? What's the value there?

Sure. So the CISO Circles for AWS is a mechanism that we created for us to connect our AWS security leaders and our service team leaders directly with our customers, but directly with our customers in different countries. We really wanted to make sure that we were taking our leadership out to where the customers are, and this was really intended to be a trust-building activity. We wanted to learn from our customers, but we also wanted to create a space where our customer CISOs could interact with each other, because that's really where the value comes: hearing these conversations from CISOs in different industries, different businesses, all able to come together. And it's intended to be a learning opportunity, right? So the CISOs do learn from each other, and we're there to listen and to be part of the conversation as well. And the big thing is that we do prioritize open discussion, and we make a really big point about this. As I know, Amazon does a lot of conferences. We're here at re:Inforce, right? We're used to kind of getting up on stage and presenting and talking. But in that environment, right, it's closed door, Chatham House Rule, NDA. And it's a real opportunity for people to be very real with each other, you know, talk about the real issues we're facing, and for us to share roadmap information, what we're thinking. So it's intended to be a very collaborative, safe space. And I think, I'm hoping, we have achieved that for our customers.

Well, Adam, curious from your perspective, what are those real issues that you might be facing? And your experience with the CISO Circles, I'd love to hear kind of how you've experienced it so far.

Sure. Well, you know, like anything else in our industry, those issues change over time. So I've attended now two or three of the CISO Circle events. Two were these cross-industry ones where we had CISOs from various sectors, right? And that was a year or two ago. So the most recent that I've attended was one that was focused on higher ed specifically. And obviously, that being just in the past six months or so, generative AI came up: security around AI and machine learning, how we deal with the contractual issues that arise there. We talked about cultures of security, how we build that within our organizations. And also, higher ed tends to lag a little bit behind a lot of other industries in terms of how we adopt new technology. So some of us are still dealing with issues of adopting cloud technologies, right? Things that might be more common now in certain industries are still something we are moving into, cloud-native applications, things like that.

I'd be curious, Adam, to pull the thread a little bit on what you just said, because, you know, you shared that you did host a Circle at Texas A&M recently, and as someone who's worked in higher ed myself and been around that world also, higher ed's mission has nothing to do with technology, right? Organizations tend to not focus on, you know, the security enterprise and the IT enterprise. And so you're working for an organization that's typically pretty focused on the students and, you know, the research part of the organization, if it's a research institute. So I'd be curious, your experience in that environment, how you've addressed security, how you've brought that into the community, into the culture, and then also lessons learned from the CISO Circle that you hosted at A&M.

Right. Well, so yes, you're right. Technology isn't the focus, but like any other large enterprise effort in 2024, right, you can't accomplish the things we want to accomplish in higher ed without very strong technology as its foundation and the infrastructure. And we are a very high research activity institution, $1.4 billion in research expenditure annually. We have a lot of students; right now, I think, we're maybe the largest public research institution in the United States by student enrollment, 78,000 students this year. And that's just on our main campus. Yeah, so when you deal with that scale, you have to have technology to enable the things you want to do. Even basic things like teaching in the classroom, dealing with student enrollment issues, the scheduling problem of 78,000 students across multiple thousand classes and sections in hundreds of individual rooms on campus in the various buildings. That's a big problem, right? And being able to handle that requires a lot of technology infrastructure. So some of that's in the cloud, some of it's on-prem. We are constantly evaluating and looking at where it is appropriate for us to move to cloud workloads and where we need to keep things on-prem. And none of that even speaks to the research technology. Conducting research in any field, any field in 2024, it doesn't matter if it's, you know, computer science or if it's physics or chemistry or even English in the humanities, it is conducted with technology. And sometimes machine learning, lots of data science, lots of, you know, data that supports whatever we're investigating. And that requires a lot of technology, right? A lot of storage, a lot of compute. And so we're constantly trying to figure out how do we provide that to the researchers. So our researchers can purchase cloud computing services from us through the main technology organization.
So you've also mentioned this idea of culture of security. So I'm curious, Danielle, in your experience running CISO Circles and really managing this program, this global program at AWS, how do you see this idea of fostering a culture of security? How do we do it as senior security executives in an effective way?
Right. And I'll tell you a little bit of background. So the idea of culture of security has been something that's been talked about at Amazon and AWS for a long time. Security is our top priority. And we've heard these stories and had these customer meetings. And so we decided to offer this to the CISO Circles because it's just, over time, something that's really resonated with customers. And the whole premise behind this, I want to give you this idea: the phrase "culture of security" we use very deliberately instead of "security culture," because culture of security is the idea that security is a priority for everybody in the company, right, everyone. Whereas when we say security culture, we're talking about the culture of your security team itself. And both these things are very important. But when we say culture of security, we mean, hey, you as a security leader, security owners, how are we scaling that responsibility out to the business so that security teams can do more with less? And that's really why the topic has resonated, especially today, is I haven't met a CISO or security team yet that feels they have enough resources. And so a lot of these concepts and these mechanisms that live within that idea of culture of security are ways for CISOs and security teams to really push that responsibility out to the business and find ways to partner, so the security team can really be a partner and enabler to the business.
And your experience, Adam, in kind of incorporating that, I mean, how do you see that idea of a culture of security?
Yeah, I completely agree with that formulation. You know, our security team, clearly we have our own culture, and I work hard to develop that. But the difficult part is getting those ideas and beliefs and the things, the priorities, the things that are important to us, how do we translate that back to the rest of the IT organization, much less the rest of our entire university as an organization, right? So just starting with the idea of getting that culture of security to the rest of IT, we're under 10%, right, as a security team, of the overall IT professionals within our university. There is no way we can accomplish all the things that I want to do. I can't move the needle on security within my organization if the only people thinking about security topics are my employees on my team. I have to get that idea, I have to get that culture, moved out into the rest of the technology organization. Definitely on my mind a lot. And being able to talk about how you accomplish that with peers and learn from things that have been successful for them, that is very valuable.
We'll be right back.
Now, Danielle, you hosted a panel here at re:Inforce related to this topic we're discussing right now, culture of security. And it struck me that on that panel, you had someone from financial services, you had someone from AWS. Here on this discussion, we have you, Danielle, from AWS, and Adam from higher education. So inherently, we're building these cross-industry connections. So I'm curious as to your perspective there and how you've approached that. It seems very intentional that you're building these cross-industry connections and global connections in this CISO network. Can you talk to that a little bit?

Sure. Right. So the first question about this cross-industry collaboration is we actually started the CISO Circles that way, because we started as a very small, scrappy program inviting CISOs who were interested in this format. We just ended up with this cross-section of individuals. And over time, we've asked the attendees, would you like to have a CISO Circle where it's just one industry, or do you prefer it this way? And what we've learned is, by far, the preference is to mix different industries together. We have some really interesting stories where different industries have learned from each other. In one case, actually recently in a Circle in DC, we had a media and entertainment customer and a financial services customer strike up a conversation, and it turned out one of them had solved a problem that the other was trying to solve. And so they went off and shared knowledge together. Again, two completely different industries. I talked to another CISO who was a pharma executive. And she said that she struck up a conversation with an automotive CISO. And by talking about how the automotive CISO secures the supply chain for their manufacturing, she was able to rethink how they secure the production line for their drugs, the drug manufacturing. And she said, I never would have thought about doing that if I hadn't talked to this person from a completely different industry. And if you think about it, in security, we like to segment sometimes our ISACs and our security groups by industry, right? We want to keep the likes together.

Totally.

But there's definitely an opportunity to bring together different industries to learn from each other. You know, and for us, we're bringing together customers of AWS who can ask, how are you using AWS in your industry? And maybe I can learn something from that. Having said that, we do have a few industry-specific Circles. So I think occasionally doing those is helpful, so you get a chance to talk to your peers about those issues that are very specific to, say, the energy industry or the auto industry, but then having the opportunity to also do the cross-industry collaboration. I think we honestly need both.

Right, right. I'm glad you brought up the ISACs. It's exactly where my mind was going, of how we have pretty stovepiped, by-industry ISACs in this community. But there does seem to be inherent value in cross-industry collaboration, global collaboration. Adam, is that something that you've been able to leverage in your role at Texas A&M? I'm curious to what extent higher ed's been able to learn from healthcare or financial services or other types of industries.

I think generally higher ed's not great about learning from other industries. We tend to be pretty insular. You know, whether we admit it or not, I think there's a culture in higher ed that tends to think that, well, you need to be in higher ed to understand higher ed problems. And I think that's short-sighted. I have learned a lot from my engagement with CISOs in other industries at CISO Circles, for example. And so, yeah, I have opportunities to interact with higher ed CISOs. We have our own industry, you know, conferences and organizations. There's Internet2, there's EDUCAUSE. That's great. And I would never give those up. We need those. But I think that being able to have opportunities to connect with a CISO or a peer from another industry is very valuable.

So, you know, I want to keep talking along this idea of cross-industry collaboration and global collaboration. And something else that struck in my mind is we're talking about this at the highest level. We're talking about this at the CISO, the senior executive level. What about pushing that down into the organization? What about talent and cross-industry collaboration and learning at every level of the security enterprise? Is that something that you've seen discussed at all in these Circles, or that you've considered with some of these industry groups?

So at AWS, we actually have a sister program to the AWS CISO Circles. It's the Security Builder Circles. So after we found that the CISO Circles themselves were successful, we kicked off exactly what you're saying, a very similar opportunity, but for those within the CISO's team. And so now that's a separate program we run globally as well. And that's much more technical. We get into the issues that more of the builders, if you will, on the security teams care about. And that's where we are also able to bring in our service team PMs and GMs to come sit down with our customers. And that's been a fantastic experience. It's almost like a mini CAB, if you will, a customer advisory board, because you're getting a group of customers together to talk about something like zero trust, or how are we dealing with ransomware, or how are we doing threat mitigation. And that requires us to bring security executives from multiple different teams together. And now you've got this really cross-functional group having a conversation about a very real-world challenge for a customer. And the service teams are able to learn very deeply, and then the customers are sharing how they're solving for it. So for us, that's been a very popular program as well, in addition to the CISO Circles.

Wow. Yeah, I could see the power in that potential idea. So, you know, Adam, curious, your vision, you know, what you're focused on leading Texas A&M's security enterprise into this next decade, this, you know, Gen AI, data-focused, analytics-focused decade of security? What's your priority? What are you laser-focused on for the next, you know, next set of your initiatives?

Wow. Well, things are changing so rapidly. I think that trust, digital trust, and privacy are going to be areas that I have to really lean into. You know, I think we understand generally how to look at risk assessment and, you know, vulnerability management and mitigation. Can't let up on that. That's not going anywhere, right? You've got to sort of stay the course. But we have to back up a little bit and look at the things we're doing from a higher elevation. And, you know, if we stay sort of down at the 5,000-foot level and we're just looking at, oh no, you know, this new CVE just released and we've got to patch these machines. Yeah, we've got to do all those things. But when you back up and look at a higher level, the changes that are happening to the cybersecurity field because of AI, yeah, I think it's going to change the way that I have to interact with my executive leadership. They're not going to be just asking, oh, have you patched? They're going to be asking, are we doing the things we need to do to protect our students, our research data, right? The things that are important to accomplish the business, the mission of Texas A&M.

Danielle and Adam, so great to have you join us. Thank you for being here.

Thank you. Appreciate the opportunity.

Thank you so much.
Our thanks to Danielle Ruderman, Senior Manager for Worldwide Security Specialists at AWS, and Adam Mikeal, Chief Information Security Officer at Texas A&M, for joining us.
Our CyberWire Executive Editor, Brandon Karpf, hosted the conversation.
Thanks for listening. We'll see you back here next time.