Should we look at money lost from deteriorating security products the same way we look at money lost to threat actors? If so, we need to systematically look at how we weed out dead weight from our security portfolios.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Shawn Bowen, VP and deputy CISO – Gaming, Microsoft. Joining us is Adam Fletcher, CSO, Blackstone.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, ThreatLocker

Full Transcript
Intro
0:00.000
[David Spark] Should we look at money lost from deteriorating security products the same way we look at money lost to threat actors? If so, we need to systematically look at how we weed out dead weight from our security portfolios.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO series, and we have a guest co-host today. It’s Shawn Bowen, who, this is the first time I’m saying, is the former CISO over at World Kinect Corporation. I should say when you hear it he’s the former. As we record this, he still works there.
Shawn, say hello to the audience.
[Shawn Bowen] Thanks for having me again, David. I think I’m at 17 now.
[David Spark] He has been on this show many, many times. He’s our go-to fantastic guest and guest co-host, for that matter. Our sponsor for today’s episode is ThreatLocker, zero-trust endpoint platform. Actually, a platform that sort of helps you towards that zero-trust effort. And we’re going to be talking about just that a little bit later in the show.
But first, Shawn, I’m going to talk about our topic. So, we talk about getting hacked through a third party all the time. But rather than through a data leak or an API, Dan Houser proposed on LinkedIn that our cyber programs can spoil over time. Neglected tools can be just as damaging to the bottom line as a threat actor.
Now, this is what Dan claims. He goes on to propose that it was a case of being hacked by a vendor, his terms, and CISOs were spending money on a solution that only increased the risk. So, what say you? How can we “defend” against that kind of waste in the same way we defend against threat actors? Or is that framing a little too dramatic here?
[Shawn Bowen] Well, I definitely think it’s a little too dramatic because when you hear hacked by, that’s typically placing the verb context on the vendor, the fault on the vendor, which is not the case. This is you’re being hacked by your own negligence, in my opinion. And it’s no different than any of the CIO’s responsibilities, right?
If you have a system, an application that’s written in FoxPro, which hasn’t been supported in 16 years, that’s your negligence, right? There’s a reason why I know this particular language is the problem child in the situation.
[David Spark] Have you had to put hands on FoxPro recently?
[Shawn Bowen] No comment, sir.
[David Spark] No comment, okay. [Laughter] Wow. Correct me if I’m wrong, that was a Mac database of some sort, FoxPro, yes?
[Shawn Bowen] I think it was Microsoft, but I think it hasn’t been supported… I think the last update was 2007, [Distortion 00:02:47] support was 2012. But that’s what we’re talking about here, right? Is continuing to hire someone who’s in that skillset or maintain someone where you’re not modernizing your environment.
And the concept that Dan’s saying is not incorrect, that we can’t keep fighting today’s battles with yesterday’s technology. So, you have to continue and invest and stay on that pace, at some level pace based off of your industry and the threats that are to your particular environment because not all of us have the same threat picture.
[David Spark] And also, let me point out, and this is something another CISO said to me a while ago, it isn’t about something going way out of date, like FoxPro. It’s just essentially the drift that apps have. Like this one CISO asked me, or what he would like to know from vendors that go, “Hey, I set this up today.
I’d like to know six months from now, nine months from now, a year from now, how out of whack is whatever I configured it at the beginning of the year?” And that’s what he would like to know. And I think that is probably more of a problem than anything else, is that keeping up to date on how applications sort of drift or settings drift, for that matter, can cause serious problems.
Agree or disagree on this one?
[Shawn Bowen] Yeah, that makes sense. I think it’s one of those things where we say this all the time, right? You can’t set it and forget it. And so not only is it the language or the program, the application that you’re using, but it’s also those configurations, your tactics that you’re doing things.
We don’t do antivirus signature files like the old 10 years ago, right? We have anomalous, we have heuristics. We have a bunch of different things that we look at completely different than we did, even with just the basic antivirus programs from 20 years ago, right? So, you have to also configure it differently because you’re looking for something differently.
[David Spark] All right. Let’s bring on our guest, a good friend of yours and someone we’ve yet to have on the show, so I’m thrilled that he’s joining us. It is the CSO for Blackstone, none other than Adam Fletcher. Adam, thank you so much for joining us.
[Adam Fletcher] Thank you for having me, David. Good to see you, Shawn.
What’s the issue here?
4:54.687
[David Spark] Shawn Nunley of Wiz said, “It’s even worse,” referring to this situation we’re talking about. “Usually the security product ends up generating alerts and open tickets at a rate that doesn’t help anyone at all, and now you have to spend people to close out alerts that don’t impact risk at all.
So, 4 million turns into 10 million down the drain pretty fast and weakens security.” And Todd Hammond over at State Street said, “I’m a huge advocate of being software absent when planning control environments. Break down the threat management ideas into use cases and workflows. Evaluate where technology fits in the workflows for the use cases.
This informs tech requirements. Evaluate your current tech stack to determine if existing tech fits any one of those use cases or requirements. Then look at new tech solutions. This improves time to value, reduces tech overlap, helps define criteria to proof of concept success, and informs implementation requirements.” Todd seems pretty linear and logical about this approach, Shawn, yes?
[Shawn Bowen] That’s exactly how it should be done. You should forget all of your solutions and focus on the service being provided or the control being provided, right? And even within one environment, one industry, or one enterprise, you might have five different solutions for that one control just because you have different databases or different operating systems, different threat pictures.
You might have OT or an IT environment, but the same control has to be achieved. And so agreed, it needs to be technology agnostic for your initial solution, and then you apply what software, what solution can meet that desired state. But that’s, ideally, that’s the academically correct way to do it.
We recognize that that’s not often how it happens, unfortunately. And sometimes it’s how do we… It’s kind of the NASA program, right? We throw all the parts on the table and go, “What can we defend with this?” And we try and figure out, tape that together.
[David Spark] All right. I throw this to you, Adam. So, Todd has the right solution here. And Shawn alluded to the fact, he goes, “That’s what we should do,” but alluding to the fact that often it doesn’t happen. So, what does happen that people don’t approach this logically?
[Adam Fletcher] So, if I can first comment on the premise, I also feel like the premise was a bit extreme. I think that there is a big difference between having a leak in your house that ends up causing a bunch of water damage that costs you a lot of money to fix, and someone breaking into your house and stealing all of your valuables.
They’re not the same thing. If we could apply that to our security tools, I think, and I’m a big analogy guy, you’ll see that, I think that we can think about our security tools as any type of tools. And if we think about them as kitchen knives, over time, your kitchen knives get dull, and you have a choice, right?
You can either buy a sharpener and sharpen your kitchen knives, or you can replace your kitchen knives and go out and spend the money to buy a new set. And I think we as an industry are not great, or we could be better at how we do that with our security tools. Number one, we tend not to do the best job of engaging with the vendors to find out how the tools are getting better on a quarter-by-quarter or semi-annual basis.
[David Spark] That’s a good point.
[Adam Fletcher] And to be fair, the vendors also don’t do the best job of taking care of their existing customers and saying, “Hey, did you know that you can get more value from the product by implementing these additional features that we’ve developed in the last quarter or two quarters?” So, I think there’s a bi-directional relationship there that would help us sharpen our knives and get better use out of the tools that we already have.
But there’s also a lot of opportunity, I think, to look at the tools that you have every 6 months, every 12 months, and say, “Are we getting good value from these? Or should we replace them with something that’s new and better in the market?”
What needs to be considered?
9:18.453
[David Spark] Greg Thompson said, “That sounds like an execution failure to me. Easy to blame the vendor. But if I buy a product and fail to put it to work, that’s on me. And if a vendor outwits me by convincing me to buy something that adds little value, also on me. There are vendors selling stuff to customers who know they won’t get any value.
But there are also customers who buy that health club membership and never use it.” Great analogy there. And Brandi Wolfe over at Resultant said, “I have seen both sides and blame falls on both parties. Vendors only caring about profit and selling products to untapped customers they know won’t benefit or the customer doesn’t understand their needs.
Organizations who do not understand cybersecurity or their maturity posture, yet seem to buy every security tool/hardware imaginable, believing it will somehow ‘fix’ the fact that they don’t understand their security program and weaknesses. Security has to be sold to an entire organization and to ‘allow’ hired security professionals to have input on what tools or even hardware an organization feels they need to purchase.
If you don’t have in-house security, invest in them as it is also investing in the future.” So, this is kind of a buyer beware situation. Yes, Adam?
[Adam Fletcher] Oh, of course it is. And I think I would extend the health club analogy into the second quote from Brandi and say, “In the health industry, people are looking for the pill that helps them lose weight or get stronger, whatever it is, and that just doesn’t exist.” I think security is similar, right?
People want a magic technology that is going to prevent all attacks, stop ransomware, help them recover, stop phishing, whatever it is. But as we all know, defense in depth is what does that. It’s layers of tools. It’s doing the fundamentals. It’s training your employees. It’s patching. It’s having a threat intelligence program.
All of these things put together are what reduce the likelihood and impact of an incident. There is no magic shake or magic pill, and you can’t just buy the health club membership and not use it. All of those things put together contribute to our success as a security industry. So, I think that’s a really important way to kind of put those two quotes together and say, “This is what we should be doing.”
[David Spark] Very good point. Shawn, have you fallen into the trap personally and said mea culpa or seen others do the same thing?
[Shawn Bowen] I love shiny objects, man. I buy them all the time. It’s going to happen. I think summing up the comments and what Adam said, there’s a quote that I love to say. I think it applies to everything, not just security. Consistency beats intensity every time. And consistency is the hardest thing to do.
Whether that’s being a security professional showing up to work every day, a dad, a spouse, you name it. Like going to the gym, you can do 20 hours at the gym in full intensity and then take off the next 20 days. And that is not the same as showing up to the gym 20 days in a row. And it’s the same with security.
If you’re not constantly tweaking, adjusting, improving, and trying to find ways to modernize your environment…
And that’s what I do like about Brandi’s final comment of if you don’t have it now, security, invest in it. Even if you do have it now, security, invest in them and make sure that you have that consistency over time. The vendors are selling stuff. Their job is to sell. They’re doing a good job. Buyer beware, it’s bad on me, etc.
They’re doing their job. Their job is to sell product. That’s what they were hired for. Now to add a point earlier, I would love QBRs to be more informational rather than a sales pitch. I regularly have to correct QBRs. When we have a QBR with a vendor, they start off with, “Here’s our new products.” And my first question is, is it a new SKU I need to buy?
If it is, save it. I want to discuss about your performance and what we can do better and what’s on the roadmap for what I’ve already paid for so that we can be better with the tools we already have. Because if you want that regular recurring revenue, you need to keep me as a customer first before I go buy new products.
And so to Adam’s point earlier, you have to invest in your customers just as we have to invest in ourselves and be better at those tools. A lot of people are very quick to say, “Oh, I hate this. That product sucks. This thing sucks.” And it’s because they didn’t try. And so I challenge my team all the time, squeeze the juice as much as you can first, then tell me that you’re ready for a new fruit.
[David Spark] Let me ask you both a quick question because I know Andy Ellis kind of made this comment. Do you believe, and again, obviously there’s a range, but in every sort of category in cybersecurity, there are dozens, sometimes over a hundred products in one single category. Do you feel like any of the 5 or 10 products that are, I guess, rated best, whatever, you could literally just throw a dart at the five or six that you need the first…
I mean, I know you have tons of tools, but just as long as you trained, configured, and set it up, fine. You’d be fine with these tools versus these tools, just assuming that you did your due diligence on your side. And again, just looking for quick responses. Do you feel that’s true or not at all? Like you really, really have to vet out the tools, every single one of them.
Shawn?
[Shawn Bowen] I think there’s a big rock. Yeah. Does it work with your operating system, your cloud hosting environment, etc.? That’s a big rock thing. You’re going to get 85% there, I think, with that. I think that’s accurate. I think there’s some use cases where you need to get into, does this integrate with your stuff better than others?
[David Spark] Right.
[Shawn Bowen] But that’s, for me, that’s where efficiency’s gained. I’d much rather take 10 B products that integrate really well versus top-of-the-line A++ products that don’t integrate. And so that’s where I’m looking for more so than some of the nitty gritty features.
[David Spark] Adam, quick response to this. What do you think?
[Adam Fletcher] I agree. And just a quick anecdote, I would say we were once in a situation where there were two competing products in a segment and they were neck and neck, I mean literally a toss-up. And the CEO of one of the cloud security products that integrated with the product that we were looking at, he reached out to me and said, “Just want you to know, we have 15 shared customers with one of these products that you’re looking at, and we have zero shared customers with the other one that you’re looking at.
So, because you’re one of our best customers, I know you’re going to make a decision that’s best for your organization that your team likes, but thought this might be an interesting data point for you.” And it did. And that’s Shawn’s point about does it integrate well? We could have gone with either of those products, but the one that integrated with our existing stack was clearly the one that we should have gone with.
Sponsor – ThreatLocker
16:41.452
[David Spark] Who’s our sponsor this week? Why, it’s ThreatLocker, a phenomenal sponsor of the CISO Series. Do zero-day exploits and supply chain attacks keep you up at night? Of course they do. That is their job is to stress you out. Well, worry no more. You can actually harden your security environment with ThreatLocker.
So, imagine taking a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user, unless specifically authorized by your team. They actually have a quite interesting way they do this, not in a means that would bring your business to a halt, but actually keeps business running.
So, ThreatLocker helps you do this and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US-based support team. So, stop the exploitation of trusted applications within your organization to keep you running efficiently and secure, protected from ransomware.
Worldwide, companies like JetBlue, they trust ThreatLocker to secure their data and keep their business operations flying high. To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, just go visit them at threatlocker.com.
Who can solve this?
18:01.716
[David Spark] Igor Barshteyn of pens.com said, “You need to remediate people and process issues first and foremost, and only once those are in decent shape should you be adding technology on top to automate the correct process you developed to make people’s lives easier. Every ‘magical’ tech solution takes CAPEX for implementation and OPEX and a trained staff to operate.
Just buying something and having it sit there, especially before you know where your process gaps are, is entirely useless and is more of a ‘compliance check boxing exercise’ rather than an improvement in security.” So, that last paragraph there from Igor sounds like something we have all seen before.
Yes, Shawn?
[Shawn Bowen] Oh, absolutely. The whole thing, I love that you come at… I try to correct people without being overly correctly correcting. But I love when you say people, process, then technology, not people, process, and technology because it should be in order, not an equal list, right? And so he’s right.
You need to get the right people in place. The right people will solve things with open source or with just putting in thoughts and working through things without even worrying about technology. And then that process allows it to be repeatable and be able to get through all the problems. And once you do that, then you get into the technology piece.
We’ve done that here at World Kinect.
I remember two years ago, we were looking at some application security software, and we met with a bunch of people. And after sitting through the meetings of just the RFIs, just meeting with vendors and asking questions, a few of us took a look around the room and we realized that the majority of the people that were going to be affected by the technology were out of their depth.
And it was not a worthwhile exercise to spend half a million dollars on an application security product when we didn’t have the maturity to use it. And so to any of the analogies here, right? You can start with just jogging around the block rather than paying for the gym membership. You don’t have to invest money right away to start getting healthy.
And so we started with a lot of open-source products to build out the process, to test that, and that took really smart people and us building a really good process.
And now that we’ve matured and we have people that understand the DevSecOps components and where that security is being injected, we can now look at what product fits our process the best, and what product do the people understand and like the best. And so they’re right. The CAPEX and OPEX is a spend.
You’re going to have to spend it. If you’re going to institute a new process, regardless of technology, you need to institute…you’re going to spend some of that investment there. Then once it’s in place, now you can look at picking the right tool or upgrading that tool. But if you’re buying a tool before you have those other two things in place, you’re definitely doing things out of order.
[David Spark] I’m assuming I’m going to throw this to you, Adam, in that there are certain things that are easier to operate than others, that require less OPEX than others. Is it something you can see where you’re going through the purchase process about like, “Oh, I see myself spending a fortune on this versus this other tool that won’t make me…” or I won’t be as required to spend a fortune?
[Adam Fletcher] Well, I think one thing to think about there is if you do a proof of concept, how long it takes you to do a proof of concept is probably a good canary for how long it’s going to take you to implement in production and see value from something. I’ve worked with several products over my career where POCs were highly complex.
There were a lot of integrations. It took a lot to set it up and see that value in the POC. And then you get excited because you have a successful POC, and you think that it’s immediately going to just transition into production and you’re going to see the same value at scale from the same product. But that’s not always the case.
And if you look at products where you see value in the first day, that almost always correlates to seeing value at scale in a very short amount of time. But if it takes you six months to POC a product, that should be a red flag because production and doing it at scale is probably going to be a huge issue, and it’s going to take you a long time.
And we’re going to be talking about the theme of this podcast, which is do we have products that are sitting there sucking money from our budgets that we’re not getting appropriate value from?
[Shawn Bowen] Yeah, I think the Air Force, we use the term, I think it’s all the DOD, but we use the term IOC and FOC. So, the initial operating capability and full operational capability. And so I like to use those same types of terms here. When will we get to IOC so that we’re using it good enough that we can take the training wheels off, but we’re not quite doing full BMX tricks yet.
So, that’s FOC, right? So, general rule, I like to be 10% of my contract time should be getting me to IOC. So, if I’m spending three, six months to get to IOC, that means I’m on a three-year, six year can… That’s not good investment on my part, or three- or five-year investment, like no one wants to sign those contracts.
So, if I could be up and running in a month, and fully IOC, my team’s using the tool, and now we’re just tweaking and refining it, that means I’m on a good one-year contract, and we’re looking where we’re going. If you’re too sticky to take that long or too complex to take that long, I can’t hire any new people because all my new people have to spend that same amount of time learning a new product.
And so trying to make things easier is definitely a necessity when possible, and when it’s a really complex system, yeah, you might need to invest for longer.
[Adam Fletcher] I also think that as an industry group, we tend to not think about the human part of operationalizing technology. We get very excited about the technology. It’s fun to do POCs on innovative stuff. And then we buy it, and you realize that everybody on your team has already spread relatively thin.
So, now you’re asking someone to put into production and operationalize a new tool. And you’re taking someone who’s already got five things under their remit, and now you’re giving them six, so they spend less time on all six things. Operationalizing that is even harder now because they have less time to spend on it, less energy to focus on it.
And that should come into play when the purchase decision is made, not after.
What are the elements that make a great solution?
24:46.652
[David Spark] Brian Moeller of Walmart Global Tech said, “I love the logic, but not necessarily the approach. Fear, uncertainty, and doubt have historically been the way to encourage executive support, and that sometimes leads towards wasting resources. But there’s no need to play the panic card. I think our industry is finally beginning to realize the business approach to solving these problems and realizing that fear, uncertainty, and doubt, and maybe panic aren’t the best ways to manage a business problem.” I will let you start with this, Adam.
Yes, that is not the way to solve a business problem. And yet, I’m sure you see others going down that path and you have to right the ship.
[Adam Fletcher] It is true. And I think the double-edged sword that security leaders have dealt with over the last few years is that to our benefit, the mainstream media has picked up on breaches and cyber-attacks in zero days, and now our executive teams and our boards read about that almost constantly.
But sometimes to our detriment, they are asking about that almost constantly. They’re asking, are we prepared for this? Could this have happened to us? So, you have to get into a cadence, really, of managing the panic and explaining that our approach is independent of any one event. Our approach is such that we are preventing, detecting, and responding to anything that could happen.
And we use what happens outside of our own sphere of influence to understand whether we’re doing things the right way, whether our defense in depth strategy is actually working. And over time, I think you start to build credibility, and you start to build trust around managing that panic. So that it’s no longer kind of external forces using fear, uncertainty, and doubt to drive the business or to drive leadership towards supporting the security teams.
You’re supporting the security teams because you know that they are already on top of all of these things on an ongoing basis.
[David Spark] Shawn, I’ll let you close this out with your thought.
[Shawn Bowen] Yeah, I think obviously Adam understands all this and is on the same page as a lot of us are. We don’t like the fear, uncertainty, doubt piece. I’m not going to use the entire quote, I’ll use a part of the quote, but fear is born of ignorance. And so if it’s our opportunity to educate someone, and that’s executive management, that’s the board, whoever it is, even our users, the more educated we are, the less fearful we’re going to be in the situations that we’re in.
And so trying to educate the folks rather than strike them with fear and getting them to buy a product that’s based on fear, as soon as they become educated we’re on our back heels.
And that’s not the position we should be in. We should be partners with our executive team, we should be partners with other CISOs and with our industry partners in the vendor space. And we should be working on educating the global population. The more educated we are in cybersecurity, the less we have to worry about the tooling configuration that we need to do because people know inherently what to do.
Like I’m not educating, I’m not teaching my team how to be a security professional. I’m equipping them with knowledge so they realize and ask questions, “Well, I should be doing this,” and they’ll take the initiative to put us in a good place. I think that’s the approach that a lot of the good CISOs really want to back is leave this world with more educated in cybersecurity than when we found them.
Closing
28:42.144
[David Spark] Very good point. Well, that brings us to the final portion of our show where I ask both of you which quote was your favorite and why? All right, I will start with you, Adam.
[Adam Fletcher] I would say Greg’s. I do think that the health club analogy is a good one. There are no magic bullets out there in cybersecurity. There are no technologies that are going to prevent every threat if you’re not doing the fundamentals. So, that one resonated with me, and I liked to extend it a little.
[David Spark] Shawn, which quote was your favorite and why?
[Shawn Bowen] I’ll take Todd’s because I love being academically accurate and hoping that we would all be a good use case for academia, not an example of what not to do.
[David Spark] To remind everyone, he was like the second quote where he provided the very linear explanation of how you should approach this.
[Shawn Bowen] Yeah. Being agnostic for our controls and thinking about things thoroughly through the processes, I think that’s the right way, and we need to remember that. Don’t cut corners when you’re doing your basic processes because there’s going to be a time and place, there’s an incident where you need to “cut corners.” But if your daily habit is cutting corners and not doing things right when an incident happens or when you need to speed through the process, you’re cutting a page in half and that’s no longer productive.
[David Spark] Excellent. Well, that brings us to the tail end of the show. Our sponsor for today’s episode is ThreatLocker, zero-trust endpoint platform. Go check them out at threatlocker.com. Let them help you build out your zero-trust plan with a deny-by-default approach. Thank you very much, Adam, for joining us.
I can’t believe it’s been this long since we’ve had you as a guest, but I appreciate you, Shawn, introducing us to Adam. We would love to get you back on again. Shawn, as always, we love having you on the show. And thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.