As Long as We Keep Moving the Goalposts, We Have a Great Security Culture (LIVE in Dallas, TX)


While building a security culture is a bedrock for overall resilience, identifying it and quantifying it is quite difficult. It’s quite unlike the more metrics-driven side of cybersecurity. How do you evaluate the cultural aspects of your security program?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Rinki Sethi, vp and CISO, BILL. Joining us is our sponsored guest, Lamont Orange, CISO, Cyera.

This episode was recorded in front of a live audience at Cyera’s first DataSec conference (November 2024) in Dallas. Thanks to Adam Holland, CISO, Wendy’s, Farah Rahman of Vibrant Emotional Health and 988 Lifeline, and Biji John of USAA for our questions in the episode.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Cyera

Cyera’s data security platform discovers your data attack surface, protects sensitive data, governs data access, monitors critical data events, and quickly responds to data risks. Cyera’s agentless design allows us to deploy within minutes across any environment and provide a 95% precision rate through our AI-powered classification engine. Learn more at Cyera.io

Full Transcript

Intro

0:00.000

[Voiceover] Biggest mistake I ever made in security. Go!

[Lamont Orange] Wow. The biggest mistake I ever made… It’s a story about trust and verify. When a CISO has to code something and think that it’ll work out great, it’s a problem. I did a denial of service on myself.

[Voiceover] You’re listening to CISO Series Podcast, recorded in front of a live audience in Dallas.

[David Spark] Welcome, everybody, to the CISO Series Podcast. My name is David Spark. I am the producer and host of the CISO Series. Sitting to my immediate left is my guest cohost, on stage with me right now, Rinki Sethi, who is the CISO of BILL. Let’s hear it for Rinki. Say hello to the audience.

[Rinki Sethi] Hi, everyone.

[David Spark] All right. We are available at ciso-dev.davidspark.dcgws.com. And our sponsor for today’s episode is Cyera, know your data, keep it secure. And there is a reason they’re the sponsor. Because we’re at their event here at the Data Sec Conference in Dallas. And, Rinki, this is your third time on stage so far.

[Rinki Sethi] I know. Is it too much?

[David Spark] It is. Have we seen too much of Rinki or no?

[Crowd] No.

[David Spark] You see, they love you. They can’t get enough of you. So, here’s the thing though. I’ve already seen a number of tropes that I see at security conferences all the time. So, here’s a classic one I’ve seen, and you tell me if you’ve caught other ones. One is we’re the last thing before lunch, dinner, drinks.

You’ve caught that one?

[Rinki Sethi] Yep.

[David Spark] You’ve heard that before. The other one is asking if people are awake and if they need coffee. Now, this one, I don’t know if I’ve seen it, but I hear it all the time during sessions is, “Look into your crystal ball and tell me what’s going X years from now.” Have you heard that one yet?

[Rinki Sethi] Yep. I think I was asked that one.

[David Spark] Were you asked that one? How did you answer?

[Rinki Sethi] I think it was something around data and identity coming together.

[David Spark] Well, let’s hope so. All right. Did you catch any other tropes that I missed here?

[Rinki Sethi] I don’t think so.

[Lamont Orange] I think so.

[David Spark] That’s Lamont Orange. Let’s hear it for Lamont. Our sponsored guest from Cyera. He’s the field CISO. Let’s hear it for Lamont.

[Lamont Orange] Appreciate being here.

How have you actually pulled this off?

2:22.276

[David Spark] “We will never get the number of security incidents to zero, and that shouldn’t be the goal. Instead, we need to continuously raise the bar for attackers, reduce the damage from security breaches when they inevitably happen, and make it easier and faster to recover.” Now, that’s a quote that came from a blog post by Ross Haleliuk and Nathan Case on Venture in Security.

The security philosophy of “resilience” has become the next evolution in how security professionals approach cybersecurity. Now, the assumption is we’re going to get hit, how do we make it hurt less? So, I’m going to start with you, Rinki, on this one. From the architectural level all the way to the people on the ground, how does a security program change when the goal is resilience?

[Rinki Sethi] I think the security program is still all about defending and protecting your company’s data, and so we’re still focused. And I’m in this space because I’m a big believer that you have to put up the right defenses. I think the big thing that’s changed is when you think about resiliency, you’re thinking about crisis planning and how security is integrated in such a deep way with the business, partnering with legal teams, with the rest of your comms team, basically every function to make sure you have solid crisis management planning and testing of your security program to make sure you can bounce back if you had a breach.

But I still think the way you architect your security program is with the right defensive controls in place.

[David Spark] All right, well, that’s [Inaudible 00:04:03] All right, you have been a CISO for quite some time, Lamont, yes?

[Lamont Orange] Yes, absolutely.

[David Spark] Now, did you have a life before? I mean I don’t want to say you didn’t have resilience but where resilience was more the focus. Do you remember that time before then?

[Lamont Orange] Yeah, it was called recovery. I think that’s what everybody went to.

[David Spark] Okay.

[Lamont Orange] Recoverable is one of the paradigms that we always plan for. We plan for the breach. We plan for the smoking hole. There was a BC, and that’s business continuity. It was one of those types of scenarios. And we plan for the worst. The pandemic was supposed to be the bird flu, and that’s what we planned for.

But when you start to think about resiliency today, what we’re really talking about is in the event, how do we keep business running as usual, not in a state where we are not 100%. But it’s a state where we are continuing to conduct business as usual.

[David Spark] So, another question is… Because I remember talking to a CISO a while ago, and I mentioned this on the show before, where he sort of just from the hip asked the business, “What’s truly the longest you could go without the internet?” And they said, “I don’t know, two days.” Then it happened to them, and they realized, “Oh, no, we can’t go an hour.” How do you get that…?” Because that answer to that question is the beginning of your resilience program.

So, obviously that’s not the way to ask it. So, how do you get a better answer to that question, Rinki?

[Rinki Sethi] Yeah, I think you have to do a surprise breach exercise.

[David Spark] So, a little, mini chaos monkey effort?

[Rinki Sethi] For sure, yeah. And I think boards should be demanding this. Exec teams should be demanding this. Do a surprise breach exercise and find out how long you can live without it. And, yeah, hopefully this becomes a part of the culture. At first they might hate you as a part of the security team, but they’ll get over it and understand why this is so important to do.

Especially when you catch the folks during a surprise breach that are sipping martinis at the beach on vacation.

[David Spark] I like that. Surprise breach. What do you suggest, Lamont?

[Lamont Orange] So, I think it’s still something that we have to come back to. Running in a degraded state is still unacceptable. When you’re looking at resilience, you’re running at your optimal state continuously. So, now we have to go back and look at some principles that we started with. Do I have duplicated processes?

Do I know how to execute a different type of internet? Maybe I have diversity coming into my buildings where I can still get internet and still perform my functions when my primary function comes up. I think as we’re talking about this, this is still more of that conversation around DR and BCP, and we’re beyond that.

What works? What’s not working?

6:42.908

[David Spark] Do you have zero idea where your sensitive data is located? Hopefully, you don’t. But about 15% of all security professionals have no clue. Now, this is according to Cyera’s recent DSPM, Data Security Posture Management Adoption Report. And when we say no clue, we really mean no clue. I’m saying the question is when you’re asked really broad questions like, “Do you know if your data is on prem or on SaaS?” So, obviously not knowing where your data is has lots of implications beyond security such as privacy, data governance, and compliance.

So, our sponsor, Cyera, is a DSPM provider, which is a new and quickly crowded space. They’re betting that it can solve a lot of these issues and either supplement or completely replace other technologies such as DLP, data classification, CSPM, SIEM, and manual audits. So, this is totally your wheelhouse, Lamont, so I’m starting with you.

What do you think DSPM solves? What categories do you think it’s pushing out? And be honest with me, where do you think it’s falling short?

[Lamont Orange] Man, I love this question because there are so many different things. So, foundationally, I would say DSPM is really about data classification and discovery. And we’ve learned throughout our zero-trust journey, our SaaS journeys and everything else that it all starts with data classification and discovery and being able to promote action across that.

So, some of the technologies… I think death by the PMs. Yes, they all go away. There is no more PMs. SSPM, CSPM. They all go away. And what we’re aspiring to do is move up the stream to a data security platform. Now, remember, a three-letter is when you are 100% in Gartner’s wheelhouse, for sure. That’s when you have arrived.

So, when you talk about data security platforms, you’re talking about the ability to be able to control the flow. To be able to monitor data movement. And we’ll get to that word of lineage as well. That’s where we’re starting to go. You’ll get to data subject requests and response. You’ll get to governance.

And those are the complete components and packages where I think that you move to true data security.

[David Spark] All right, you’re a customer of Cyera, Rinki, and you have seen life before DSPM and after. So, what have you seen replaced or I guess enhanced, supplement? What do you say?

[Rinki Sethi] Yeah, I just talked about this at a panel earlier, but I think the way that the tools were even five, six, seven years ago around data DSPM or data classification, data lineage, and those areas, they were so manual, and they were such a heavy lift on security teams that we had to find a different way.

It just wasn’t an area where CISOs were investing unless there were heavy regulatory requirements that mandated the CISO implement something there. I think that’s changed. And obviously being a customer of Cyera, I think the tech stack that they have, how they leverage AI, and how a lot of the discovery is done in an automated fashion.

I think the areas now where I’m looking forward to seeing DSPM growing into is mixing that identity and access management to truly solve zero trust. But then also looking at how you can build micro models to help now with the next gen DLP because I think the old school DLP is out.

[David Spark] All right. So, I think that the linchpin or the keystone…and it’s been talked about at this event…is AI. And if that didn’t exist, if the automation of the classification didn’t exist, none of this would happen. I mean, yes, is that the case, Lamont?

[Lamont Orange] I think the AI gives us the opportunity to do it. We know that this data security problem has been a problem for as long as many of us have been CISOs and security and technology leaders. But we never had unlimited resources. We never had unlimited budget. What the AI allows us to do is scale.

It also allows us to provide the context to understand that our hand drawing on a board that becomes a picture is now some sort of diagram. Or it could be some sort of M&A strategy. Previously when we look at our DLP, it just says it’s a picture. It’s a JPEG. It has no other information about it. But now with AI, we can actually get to the data that we really care about and also start to understand what we don’t care about.

And that leads to us removing that data, not paying the storage cost, not paying to compute. So, it makes us a little bit more operationally efficient and cost conscious within our programs.

[David Spark] Yeah, we’ve been hearing from conversations with other CISOs here about deleting the data, which is reducing your attack surface when you’re deleting the data. Have you been able to sort of get control and actually delete your data, Rinki?

[Rinki Sethi] I think that’s a work in progress. I think data deletion… There’s now not just regulatory requirements but contractual requirements around it. I think you have to find ways to still build that into your engineering function to ensure that you’re meeting requirements. I think the first thing that you have to do is understand where all the data is, especially the data that you want to delete before you build any kind of practices that are going to delete the actual data.

You have to understand where it is.

[Lamont Orange] But isn’t deletion a part of baby steps? You have to… You just can’t hit the delete button and hit the select and delete all of that data. But with the context, I think it allows you to tear away at some of that data and reduce it over time. And I think that’s really what we are striving for as technology and security leaders.

We know we can’t select all and hit delete or star, dot, star. And it asks you like eight times, “Do you want to delete?” And you say, “Yes.” We can’t do that anymore. You have to understand exactly what you’re deleting, and who’s using it or who was using it, and then you can get rid of it at that point.

Who’s our sponsor this week?

12:44.561

[David Spark] We are all familiar with our sponsor because we’re at their wonderful event. But for those of you listening at home, let me tell you. The data is the most fundamental component to business success. It’s also the fastest growing attack surface. Rapid cloud and AI adoption has created unprecedented data sprawl stretching legacy security systems and cyber professionals beyond their limits.

Now, today, nearly all organizations face challenges in identifying where their most critical data is stored, understanding its business relevance, assessing associated risk, and ensuring its secure use. Now, consider this scenario. If 100 of your employees’ OneDrive accounts were compromised, could you quickly assess what data was involved and report it back to stakeholders with confidence?

Cyera answers this critical question and more. Removing the operational friction that holds back traditional security approaches by providing a new dimension of data visibility. Now, their platform helps you proactively secure your data ecosystem, reduce risk, and demonstrate compliance. Now, with Cyera, this is what you can do – automatically discover and prioritize data risk across environments with unmatched speed.

Achieve business specific data classification at scale with 95% precision. Combine data, risk, and identity security for the first time, offering unified control and visibility. And lastly, protect sensitive data in motion with AI driven data loss prevention. Are you ready to protect your dataverse?

Learn more at cyera.io.

It’s time to play “What’s Worse?”

14:38.120

[David Spark] All right. So, those of you who are fans of the CISO Series, you’re familiar with this game. It’s called “What’s Worse?” And essentially, we have two horrible scenarios here. They’re I think potentially equally bad. The two of you might not think that way. But this is really a risk management exercise.

So, I will have you answer first, Rinki. And that gives you, Lamont, more time to decide how you want to answer. I want to know of these two scenarios, which one do you think is worse? Okay? Here we go. This comes from Jay Dance of StubHub. He’s given us a lot of great “What’s Worse” scenarios.

And here’s your two scenarios. You got a security program, and it focuses on security, but it ignores integrity and availability. Pretty bad, right? Let’s flip it. You got a business that focuses on integrity and availability but ignores security. Which one is worse?

[Rinki Sethi] Geez. They’re both terrible because security has integrity baked into it. But I think if I had to choose one, a business that’s focusing on integrity and availability but ignoring security, that’s worse. So, you focus on security, and hopefully they’ll get the integrity piece there.

[David Spark] Hopefully it’ll fall into place, you think?

[Rinki Sethi] Yeah. Hopefully that’s a part of their security program.

[David Spark] But don’t you think if you’re going into integrity and availability, the process of integrity and availability may by accident be security but probably not?

[Rinki Sethi] Security is, to me, trust. And so if integrity is not a part of how you’re building security, something is wrong. So, I’d say I’d take a bet on the place that’s focused on security, not the place that’s saying, “Oh, we do integrity and availability,” but skipping security.

[David Spark] Well, again, neither one is good here. But, all right. So, you are saying that integrity and availability…a business focused on that is worse than a security program whose focus is security with no integrity and availability?

[Rinki Sethi] I think so. These both suck.

[David Spark] Yeah, I know. I know, that’s the point of the game. You finally got it, good job. All right. That is Rinki’s argument. I’m throwing this one to you, Lamont.

[Lamont Orange] Yes.

[David Spark] You’ve got a security program that focuses on security but ignored integrity and availability. Or flip it. The business focuses on integrity and availability but ignores security. Which one is worse?

[Lamont Orange] So, I, too, will take door number one. I think if a company focuses on security, we can hope… That’s one strategy.

[David Spark] That’s better. The game is called “What’s Worse?” So, you’re supposed to pick the one that’s worse. So, you’d say the second one is worse?

[Lamont Orange] The second one is worse.

[David Spark] Okay. So, explain.

[Lamont Orange] So, the second one is worse because if you don’t focus on security, you’re going to open yourself up to potential breaches, to potential disclosures, loss of data that goes against the company brand and trust. And it doesn’t matter at that point. That business can go out of business.

[David Spark] All right. Well, but I’m going to play the part of the business here. And it goes, “Well, if we don’t have integrity and availability, what kind of business do we have? There is no security unless we got the business focus of integrity and availability.”

[Lamont Orange] They absolutely suck, and they depend on what day and what happens.

[Laughter]

[David Spark] So, one day it might be good to do one?

[Lamont Orange] One day. And…

[Crosstalk 00:18:03]

[Lamont Orange] …the other one. But I would bet on security. And if we have secure data, we have security in our processes, and the way we develop the company, we’ll get some integrity. And we might get some availability.

[Laughter]

[David Spark] All right, I’m throwing this one to the audience here. I’m going to ask you, what do you think is worse? Remember, you’ve got to applaud for the one that is worse. Not the one you prefer but the one that is worse. Okay, so they both agree that a business that focuses on integrity and availability and ignores security is worse.

By applaud, how many people agree with that?

[Applause]

[David Spark] Okay, a good percentage. Now, how many people think it’s far worse, a security program that focuses on security but ignores integrity and availability.

[Applause]

[David Spark] All right. I would say about two-thirds agree, about a third disagree.

Oh, no! That totally SOCs.

18:53.649

[David Spark] All right. We have a board. This is our game board behind us, for those of us in the room that can see this board. But I will describe this to the audience as well. We have a board of 12 hidden incidents, if you will, or situations. 11 of them stink, Rinki and Lamont, but one of them you will like.

What you’re going to do is one by one… And Rinki will go first. She’ll be the color blue, and Lamont will be the color red in this game. You’ll see in just a second what I’m talking about. You’re going to each pick three total. You’ll go one at a time here. And then what you have is going to be your environment, and you’re going to argue to the audience as to why your environment is not as bad as that person’s environment.

Okay? You got that? All right, so, Rinki, you go first. Pick any number, 1 to 12.

[Rinki Sethi] One.

[David Spark] All right, one. All right, your employees took bribes to install remote access software. Not good. All right. All right, that’s not good. Let’s pick a number, Lamont.

[Lamont Orange] Four.

[David Spark] Four. Your engineer keeps deferring software updates for two years. All right. You have yet to find the good one, both of you, just so you know. Pick another number.

[Rinki Sethi] Two.

[David Spark] Two. Network documentation is published as Ikea instructions. All right. Might be a tad confusing here. All right, Lamont, pick a number.

[Lamont Orange] Hopefully the best will be the last one. Number 11.

[David Spark] Number 11, your APT group leaves a one-star review after a successful breach. Not that awful. Just someone doesn’t like it. All right, last one. You pick one, Rinki.

[Rinki Sethi] Three.

[David Spark] Number three. Let’s see what it is. Everyone made admin because “hierarchy is bad for office culture.” Maybe not good. All right, last one for you, Lamont.

[Lamont Orange] Let’s go with number eight.

[David Spark] Number eight. Your logs are deleted after 24 hours. All right. All right, so let me just review for the audience that’s listening. Rinki’s situation is the following – employees took bribes to install remote access software. You’re not paying them enough, Rinki. All right, the second is network documentation is published as Ikea instructions.

I don’t know how well they’re going to get along with that. And everyone is made admin because “hierarchy is bad for office culture.” You have a bad security culture here, and you’ve opened yourself up to a lot of problems. Okay, that is not good, but let’s see what we have with Lamont. The engineer keeps deferring software updates for two years.

Not good at all, Lamont. Your logs are deleted after 24 hours. You better work super, duper fast. And the other one, not so bad. APT group leaves a one-star review after a successful breach. But you did have a successful breach, but a one-star review. They didn’t like what they found. So, that’s actually pretty good I would say.

[Lamont Orange] I’ll take it. It’s tough. [Laughs]

[David Spark] All right, I’ll start with you, Rinki. Why is your situation not as bad as Lamont here?

[Rinki Sethi] I mean I haven’t been breached. He was breached, right?

[David Spark] That is a good point. You haven’t been breached. But it’s possible they… The APT group left a one-star review, so they probably didn’t see much of anything good.

[Rinki Sethi] No, the one-star review is because your security was that bad that they got everything.

[David Spark] Aw, that is a good, good point. It could have very much been that.

[Lamont Orange] I’m feeling kind of vulnerable at the moment.

[Laughter]

[David Spark] All right. Anything to add to that, Rinki? Again, you’ve got this, “Everyone made admin.”

[Rinki Sethi] Yeah, that’s like every Valley culture, isn’t it? So, we know how to protect against that. But we haven’t been breached, so I think our environment is a lot better than Lamont’s environment here.

[David Spark] All right, Lamont, argue why you’re not nearly as bad.

[Lamont Orange] Man, this is going to be tough. I’ve picked some really bad people at this point. So, I’ll say for one thing, the employees took bribes. You have so many insiders in your environment.

[David Spark] Oh, yeah, that’s really bad, Rinki.

[Lamont Orange] I think that’s pretty bad. We can assume there are keyloggers in everything everywhere.

[David Spark] All right.

[Lamont Orange] So, they’re taking data. I might have been breached, but I got one star. They didn’t find anything. I’m going on that side.

[David Spark] I know. You have two different views of what that one-star review looks like. All right.

[Lamont Orange] I look at it as a positive.

[David Spark] All right, this is all up to the audience here. Remember, you don’t want more applause on this situation. Because the game is called “That Totally SOCs.” So, I want to know by applause, how many people think Lamont’s situation is worse? By applause, how many people think Lamont’s is worse?

[Applause]

[David Spark] Rinki is applauding. How many people think Rinki’s situation is far worse?

[Applause]

[David Spark] Rinki, you’ve lost.

Close your eyes. Breathe in. It’s time for a little security philosophy.

23:37.146

[David Spark] When designing security policies and plans for information systems, the long-term usage of the information must be taken into account. Now, this design process inevitably means making tradeoffs, said Vincent Triola in a recent Medium post. Now, this can be looked at in terms of the classic CIA triad of confidentiality, integrity, and availability.

But simply trying to balance these three aspects without taking into account large business priorities will inevitably lead to inefficiency and failure. Triola also pointed to research from Microsoft that outlined four other areas of potential tradeoffs when designing security – usability, cost effectiveness, functionality, and aesthetics.

So, I’ll start with you, Rinki, on this one. How do you address these balancing acts of maintaining CIA, confidentiality, integrity, and availability, with the security design the business needs? And I heard you earlier say that good UX/UI security design should help the business move. So, tell us, how do you get all of these working in conjunction here?

[Rinki Sethi] Yeah, I strongly believe in most cases that user experience should be better if you do security right. And that way people are actually using the security systems that are in place, and they’re saying, “This makes my life easier and better.” There are those few instances where you have to purposefully introduce friction.

But I think for the most part, you can solve both at the same time. And I think that especially when you’re building products for customers, you have to constantly think about that. You want kind of the security to almost be invisible to them in such a way that they don’t even notice it, and so there’s no friction, and they want to leverage a service because it’s better, and it’s more trusted.

[David Spark] All right, well, I would say that is the ideal. But I talked to a lot of security professionals, and they said, “Yes, we do want to make it invisible, and in some cases you can.” But often, security has to create a barrier at some point. Lamont, what do you think?

[Lamont Orange] No, I think friction is calculated. What we…

[David Spark] Good point.

[Lamont Orange] …tend to do historically is that we induce friction that makes it feel good for security. And I think that’s where we tend to put up even more political barriers within our companies and our organizations, and we create more gaps. Because our workforce, our end users, they will do what they need to do in order…in their minds, what they need to do to do their jobs.

So, I do believe that invisible transparency security…the best security is the security that they don’t know that they’re using. That paradigm is absolutely true. But there are times when we want to do calculated friction to say, “Did you really mean to delete this? Did you really mean to share this out before you do it?” We know you can do it.

So, coaching goes a long way. I think there’s also relationships. Security is a team sport. So, we have to build that security culture and discipline throughout the company. So, we, as security leaders, have to sometimes step outside of our box, too, to build those relationships with our engineering teams, our HR teams, our IT teams even, and even some of just the business lines to say that, “Hey, we’re security, and we truly are here to help.

And we know how to help you do your job.”

[David Spark] So, I really love the examples you gave of, “Did you really mean to do that?” Because sometimes we do… And those are very welcome messages often. Like, “Oh, yes, geez. I didn’t mean to do that.” I’m interested to know from you, Rinki, can you give me an example of something that very clearly created friction at one point and you did actually make it invisible?

[Rinki Sethi] You mean like a change in the security program that…?

[David Spark] Change in the security program. Something in UX, something in UI. It could be anything. I’m just looking for one example. Because there is no question, security used to be very sort of kludge, if you will. And we’re learning that if we want the business to like security a lot more, not see them as the department of “no,” there has to be sort of a more friendly relationship.

So, obviously, like the four examples of usability, cost effectiveness, functionality, and aesthetics, what have you…? You could have used any of those or all of those. What have you sort of turned to to make it maybe not clearly invisible but definitely less friction but still achieve the same purpose?

[Rinki Sethi] Yeah, I think the… And I talked about this earlier. But I think the introduction of YubiKey. There was a little bit of friction and uptick in making it operational. But before that, we were doing Okta push. And it’s like, “Oh, you…” And that had big security risk. So, I would say we still introduce friction, but it’s now seamless.

You just touch something, and you’re in. You don’t even need to worry about having your phone nearby. You don’t need to worry if you’re on the plane that, “Oh, am I going to get the Okta push notification or not?” So, it’s where we did introduce friction purposefully. But in more of an invisible way.

It’s obviously not invisible. YubiKeys are visible. But, yeah, it was easier and less friction.

[David Spark] But, Lamont, the other issue is people don’t go, “Yay, change.” There’s never that reaction. But then you get… There’s a point of pushing back on change, but then there’s the point after change where it’s, “I don’t remember a time before this.” How does that evolve?

[Lamont Orange] So, I think there is the piece of transparency, too. I’ve grown throughout my 25+ years of doing this. There was a time that I just did stuff, and you just had to deal with it. There’s the other times now that I’ll say, “Let’s get to the why we’re doing it, and hopefully we can get the agreement there.” And once we get the agreement for the “why,” now we can talk about the how I’ll do it.

And I like your partnership. So, I think that transparency, the open ended communication, the continual reporting. I think one of the things that used to…at least I got feedback…that used to irritate some of my team members is that they asked security for a question, and security says, “Don’t worry about it.

We’ve got it under control.” “Do as I say, not as I do,” kind of thing. But now if we tell them, “Hey, you put in a ticket. This is happening. This is what state it’s in. We appreciate you.” All of those types of things, it’s more of that human interaction where you’re part of the solution and making everybody feel that way.

Versus we were always telling them that, “You’re part of the problem.” And even policies. How many of us have looked at our acceptable use policies? It’s 15 pages of stuff that says, “Thou shall not do these things.” How about we give them the one page that says, “This is what you can do. Everything else, ask a question.” I think they’ll understand that a lot better.

That’s just that open ended of transparency.

Can this be measured?

30:46.357

[David Spark] “Building a security culture is a bedrock for overall resilience. But when we go into the world of culture, we enter a discipline that is much harder to quantify than metrics driven like cyber security,” argued Amanda Draeger of Liberty Mutual Insurance on LinkedIn. So, she argued that a security culture needs to start from the top with large organizations empowering CISOs to appoint cyber responsibilities to other leaders, and what metrics your security program chooses to prioritize will tell you what the organization values.

So, I’m going to start with you, Lamont. And speak for yourself. Now, in the past, with clients, whatever. How are you and others evaluating the cultural aspects of your security program?

[Lamont Orange] So, I’ll say one thing is around today. Today’s security, everyone realizes or at least I assume at this point and have the conversations often that security is a team sport. So, with that sport, I like to create champions in each of my business units. And they tend to be in the…know of security.

They’re badge-carrying members. They come to the staff meetings. They get the updates. So, again, they’re part of the decision-making process. And I think that’s been the key to success. When I was in some of my previous roles earlier on in my career, again, it goes back to some of, “Do as I say.” And it went over well to an extent.

[Laughs] But I think that lack of transparency, not creating that push and pull activity where you feel like you’re part of the culture tends to make more of an adversarial relationship between different organizations and groups. And I think that’s the failure point. I’ll admit, I failed a few times in my early CISO roles because I felt that I was the police instead of a security organization.

[David Spark] Now, Rinki, we hear… Like I’ve heard from Mike Johnson, one of my cohosts… Anecdotally, he says, “I know the culture is improving when people come to me and ask personal questions about their security.” It’s really impactful. But is there something more than anecdotal that we can measure?

And, again, beyond phishing test pieces. Anything else?

[Rinki Sethi] Yeah, I think a lot of products now, like Lamont mentioned this earlier, introduce a little bit of friction purposefully. That, “Hey, did you mean to do that?” And it’s like you say yes or no. There’s really good data you get from that. I also believe employees self-reporting when they made a mistake or saying, “Hey, I think the security control is not right.” That’s a huge metric to track, and it really talks a lot to the culture that you’ve built in a company.

[David Spark] So, just more reporting about security in every aspect?

[Rinki Sethi] That’s right.

[David Spark] Now, here’s a question. I’ve asked this before. Do you provide a full feedback loop where someone reports that and you get back to them, saying, “Hey, that information was valuable to us. This is what we did.”

[Rinki Sethi] Absolutely. If they come and say, “Hey, we accidentally sent this data somewhere, and this is how I did it,” we’ll probably fix something in our security program to put better preventative controls, and we’ll absolutely follow back and talk to the employee and not just thank them and reward them but then also let them know how we fixed this and how they helped fix this for the company.

[David Spark] Do you see they do it again and again after that? Like you see them doing more reporting after that, too?

[Rinki Sethi] Oh, yeah. And not only that. It makes them a champion. I think champions programs are highly valuable. It makes them a champion for the business. And then of course they’ll say, “The security team is not our enemy, they’re a friend. You can report if you’ve made mistakes or something is wrong without having consequences for it.”

[David Spark] I personally am hearing this term of the security department of “no” as being more of a historical comment. That people don’t really talk about security like that. How do you feel, Lamont?

[Lamont Orange] I think the paradigm is shifting very much. And when you start to build that relationship with your workforce and your different information workers, and different departments, and functional groups, you tend to change that paradigm. Instead of the house of N-O, you’re the house of K-N-O-W.

Then they come to you and ask you questions. You get the personal, “How do I secure this at home?” You get that, “Hey, I just bought this new phone. What should I do? Should I turn on the AI? Have you got any concerns about it?” It becomes a lot… I mean we’re back in offices now, so it is the hallway talk.

It is the water cooler talk around security. And you can start to measure that within your culture. Because you may not have said anything about security. “Let’s just go do it.” But now everybody is asking the question. And even programmatically, if you… Since we’re back in offices, shoulder surfing, badges.

Do you have your badge? I’ve seen that happen. And if you don’t have your badge, and I don’t know you, let me introduce myself. Oh, you don’t belong here. You’re not supposed to be here. So, you’re starting to get that culture within practice, and that shows that you’re making movement as well.

It’s time for the audience question speed round.

35:59.421

[David Spark] I have here in my hands a number of questions that I’ve gotten from you, the audience. And with our few minutes that we have left, we’re going to get through as many of these as we possibly can. So, not looking for long answers on any of these. As quick as you can. This comes from Biji John [Phonetic 00:36:23] over at USAA.

And I love this question. Either one of you jump in right away. What made you angry recently?

[Rinki Sethi] Probably one of my kids.

[Laughter]

[David Spark] Well, we don’t want to throw them under the bus here. Specifically within your work. I should have qualified that here. Within your work, what made you angry recently? Or just about the industry. It doesn’t have to be your specific job. Something you saw in the industry also that might have made you angry.

[Rinki Sethi] I think it’s the discussion on platform versus niche solution. I think the way the industry talks about that is frustrating.

[David Spark] By the way, that is another trope. Everyone says, “Oh, a platform, high integration. Niche is the best of breed.” Which we know that is actually not true.

[Lamont Orange] I think it’s the regulatory landscape.

[David Spark] That’s what made you angry recently?

[Lamont Orange] Yeah. That made me angry recently.

[David Spark] What specifically?

[Lamont Orange] It continues to make me angry because we have all these different regulatory statutes and requirements that we have to do as CISOs and everything. It makes it feel as though the CISO has the weight of the entire company from a security perspective, and we don’t. It’s a team sport. When we show you our metrics, we show you our controls, we show you our capabilities, there is no such thing as a silver bullet.

But every regulation tends to indicate that you must have one, or you will be punished.

[David Spark] All right, let’s quickly answer this. Have you…? This comes from Farah Rahman [Phonetic 00:37:50], who is with Vibrant Emotional Health and 988 Lifeline. And I don’t want to put words in your mouth here, but have you given up on the single pane of glass concept?

[Lamont Orange] [Laughs] That’s a 15-year conversation at least. So, the answer is I think the single pane of glass has evolved. It becomes different.

[David Spark] Okay.

[Lamont Orange] It’s all about integrations today. The single pane of glass was really after integrations, but we never said that’s what the end goal was. And I think platforms… There will be more than one platform, but platforms need to integrate with one another. And then at some point, yes, you will need a platform maybe to rule them all.

Especially if you figure that the largest attack surface is data. So, you will need something to rule all those signals.

[David Spark] Have you given up on single pane?

[Rinki Sethi] We’ll add it to the platform versus niche solution discussion.

[David Spark] Okay, there you go. That’s how you feel about it. All right, good. All right, here we go. From Adam Holland, who’s the CISO over at Wendy’s. You are hit with a major incident. Who…? And it can’t be your lawyer and it can’t be within your company. Who is your first call?

[Rinki Sethi] Oh, with a major incident? My security operations leader.

[David Spark] No, no, it’s not somebody within your company.

[Rinki Sethi] Oh, not within the company.

[David Spark] Like in terms of who do you look to for support, or for help, or for advice, or what do you do? Who is that person? I know the first call you’re making is within the company but the first call you make to someone outside.

[Lamont Orange] I’m calling Rinki.

[Laughter]

[Rinki Sethi] There we go. I’m going to call Lamont now.

[Laughter]

[Lamont Orange] That’s right, we’re a support system.

[David Spark] All right, last question. Here we go. This is anonymous. You’re going to have to really come to the plate on this one. “I’ve been in cyber 20 years. I’m frustrated with the industry. Convince me not to leave.”

[Rinki Sethi] I feel like we’re solving some of the toughest challenges. So, if you’re curious minded and want to solve some of the toughest battles we have right now and yet to come, this is the place to be.

[Lamont Orange] Yeah, I think it’s the most exciting profession to be in. It’s continuing to evolve. There’s lots of challenges. So, no day, no month is the same. This is the place where you get the spice of life.

Closing

40:07.114

[David Spark] Well, that brings us to the very end of the show. Let’s hear it for my guests, Rinki Sethi of BILL and Lamont Orange of Cyera.

[Applause]

[David Spark] Huge thanks to our sponsor. That would be Cyera. Remember, go to their website, cyera.io. Rinki, are you hiring over there at BILL?

[Rinki Sethi] We sure are.

[David Spark] And also I know you do want to plug something that your daughter is doing. Please let us know.

[Rinki Sethi] Yes. Yes, my daughter is working on a cyber safety, anti-cyberbullying initiative after being cyberbullied at her school and being turned down for her cyber security club idea. Now she’s got 50 kids around the United States that are working on this and really changing the curriculum at schools to include cyber security and cyber safety, so I wanted to plug that.

And if any of your kids or anybody you know is interested, have them join the initiative.

[David Spark] Well, send me the link. We will put it on the blog post.

[Applause]

[David Spark] It’ll be on the blog post for this very episode. Lamont, you are, I know, hiring at Cyera because you’re growing like mad, like a weed.

[Lamont Orange] Absolutely. Please reach out to me.

[David Spark] Reach out to specifically Lamont. He’ll make sure you get hired.

[Lamont Orange] I’ll get you to the right place.

[Laughter]

[David Spark] He’ll get you to the right… He has no responsibility for that, but he has some responsibility, right?

[Lamont Orange] I have lots of responsibility for that.

[David Spark] There you go. Thank you very much. Thank you to Cyera for bringing us out. And thank you to the audience. We greatly appreciate you listening to the CISO Series Podcast.

[Applause]

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows: Super Cyber Friday, our Virtual Meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.

Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.