Can a Security Program Ever Reach Maintenance Mode?

CISOs like to think of their job as managing risk. But once you get risk to an acceptable level, when do you start prioritizing efficiency?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is Andrew Wilder, CISO, Vetcor.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.

Full Transcript

Intro

0:00.000

[David Spark] CISOs like to think of their job as managing risk, but once you get risk to an acceptable level, when do you start prioritizing efficiency?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series, and joining me for this very episode, it’s Geoff Belknap. Geoff, say hello to the audience.

[Geoff Belknap] David and audience, hello. Once again, we’ve landed at Defense in Depth.

[David Spark] Sometimes I say kind of innocuous things and I don’t think much of it, but not one, but multiple people have come up to me and they do like it when I make fun of you for being – and you were not, let me stress, you were not a child actor – but I like to pretend that you were a child actor.

[Laughter]

[Geoff Belknap] No, I was a child actor.

[David Spark] What did you child act in?

[Geoff Belknap] Let’s see, I was in This is Not a Lie.

[David Spark] Were you in some school productions?

[Geoff Belknap] Yeah, yeah. I was in so many things. I was in E.T., I was in the original Ghostbusters, had a bit part in Alien.

[David Spark] You’re stretching.

[Geoff Belknap] So many things. I was the original Terminator but had a scheduling conflict, couldn’t make it.

[David Spark] I stressed you were a child actor, and you really blew it when you said that you were the original Terminator.

[Geoff Belknap] Well, it was a different script treatment then. They were going to go a different way.

[Andrew Wilder] The child Terminator.

[Geoff Belknap] The new one turned out okay.

[David Spark] I think you’re bursting everybody’s bubble right now is what’s happening.

[Laughter]

[David Spark] Hey, by the way we’re at CISOseries.com and we have lots of other programs on our network. Why not discover them all? They’re great. We have five shows now on our network. Our sponsor for today’s episode is ThreatLocker, an absolutely spectacular sponsor of the CISO Series. ThreatLocker, zero-trust endpoint protection platform, and we’ll mention that a little bit later today.

But let’s now get to the topic of today’s episode. Is “maintenance mode” a missed opportunity for CISOs? This idea came from a LinkedIn post from Brent Deterding, CISO of Afni, who made the case that rather than asking for increasing budget to “do more,” CISOs should look to embrace efficiency once they’ve managed risk to an acceptable place.

I’m going to just ask you, I don’t even know. Do, A, CISOs get risk to an acceptable place? And is that a practical philosophy and a way to go for a CISO, Geoff? What do you think?

[Geoff Belknap] Yeah, absolutely. Do they get it to a reasonable or acceptable place? I think that is a vanishingly small set of people that can say that they’ve got it, and they are now holding it at an acceptable place. There’s always ways to do better, but I think really importantly, one of those ways to do better is to hold your risk at an acceptable level as effectively and efficiently as possible, and I think this is a great conversation for us to have.

[David Spark] Yeah, I’m kind of fascinated by this conversation because I don’t think there’s an all or one, and I think there’s a lot of play in both areas, too, for that matter. Being like what you said is, is there any CISO that feels that it’s at an acceptable level? Probably not, but at the same time, doesn’t mean you have to divorce efficiency from the game, if you will.

Well, to join us for this conversation, very excited, I just got to meet this person in person in Dallas, very excited he’s recording with us. He’s been on other shows before, but now he’s with us on Defense in Depth. He is the brand-new CSO over at Vetcor, none other than Andrew Wilder. Andrew, thank you so much for joining us.

[Andrew Wilder] David, great to be here. We’ve been talking about this for a while, and as you said, we finally got to meet in person and really happy to be here with you and with Geoff.

What must a security leader be able to do?

3:38.035

[David Spark] Asa Hunt of Bighorn Painting said, “Maintenance mode is absolutely a thing because the law of diminishing returns is a thing. At a certain point, 50% more investment in security doesn’t make you 50% more secure.” That’s a good point. “So, it’s why CISOs and other leaders should be paid the big bucks, finding that optimal point of investment in security and performance.” I’m sure I have agreement from both of my guests here.

Evan Morgan of Cyber Defense Army said, “We’re rarely in maintenance mode as many of the companies we’re securing are doing quite the opposite in pushing for continual growth, so there is always a need to add or expand security capabilities for those new business ventures/operations. That definitive stance on needing more by cyber teams is due to them not being included in major business decisions, so they are always planning for the unknown being dropped on them to solve.” So, both Evan and Asa have sort of different viewpoints on this, and Evan says we can’t achieve it because the business is always growing, and Asa says at a point the managing risk isn’t worth it, for that matter.

What say you, Geoff, on this?

[Geoff Belknap] There are good points being made here, but I think the fundamental truths about leading security organizations in businesses is that there are two things that are always changing and always creating more work for you as a security leader. Your business is almost always growing, and that growth is almost always driving some technological change, a technological improvement, some shift in the business.

And the threat actors are either shifting, you’ve got different threat actors that are interested in you because you’re at different phases of growth or you’re in different evolving businesses, or just the threat actors, tactics, techniques, and procedures are shifting and evolving. That means if you spend a million dollars on your MFA solution and it’s fantastic, it has a shelf life before it stops being effective at that dollar amount.

People that bought FireEye at the very beginning when FireEye was out, if you’re just still using that same thing, it is not as effective as it was previously. And I think that’s where really thinking about the life cycle of these things and how much you need to invest and how you need to manage that investment portfolio really comes into play here in this discussion.

[David Spark] All right. I throw this to you, Andrew. I think both Evan and Asa make very good points, and I don’t think they’re conflicting either. I think they work in tandem, don’t they?

[Andrew Wilder] I agree. As Geoff said, I think they’re kind of both right. One of the things is being ready for your business to move. One of the things that makes me think about is M&A for security, right? So, M&A happens, you get a call from the CIO or whoever that says, “Hey, we’re acquiring this new company.

We need to see if they’re secure or not.” You’re going to need to jump on this and this is something that you kind of have to do. On the other hand, I think once you achieve a certain level of cyber maturity, you definitely should start to focus on maintenance mode, and I think of it as really value realization.

The reason that we have so many of these posture management tools that are popular today is because people are failing to fully leverage the tools that they have because they have so many tools, they’re so complex, they’re changing all the time, and people really need to be able to leverage what they have.

And until you kind of pause and stop and start focusing on kind of a maintenance mode and a continuous improvement mindset, until you do that, you’re probably just kind of running after things and not taking the time to really extract the full value out of the stuff that you have.

What needs to be considered?

7:17.402

[David Spark] Dmitriy Sokolovskiy of Semrush said, “Maintenance mode isn’t really a flat line, but also it isn’t an exponential growth line. It simply means that we are not making tectonic changes, but simply fighting entropy requires a sustained active effort. The problem is that business will inevitably think of it exactly as a flat line, and flat spend isn’t the best way to deal with increasing entropy.” Humberto Gauna of HGxCyber said, “This mindset is troublesome.

You don’t keep building walls around your castle for the sake of building. This contributes to why cybersecurity programs are seen as money pits. Also consider the value of what you are producing and always be ready to demonstrate some level of ROI and effectiveness of what you have already done. If a CISO thinks they need more, identify the shortcomings with data.” So, I think this really just says it’s complex.

I’m hyper simplifying. Is that the best way to just describe it, Andrew?

[Andrew Wilder] I think that is hyper simplifying it. Humberto’s comment makes me think about an analogy that Roger Grimes uses in his book, Data-Driven Defense. And the analogy that he uses for cybersecurity teams is he says, “People keep breaking into your house, and your reaction to that is you keep buying stronger and stronger locks for your front door.

But where are they breaking in? They’re breaking in through the windows.” And the analogy is to make you think about incident response. Ninety percent of attacks use similar strategies to what were used before that were effective against an organization. So, are you really doing good incident response?

And then are you doing really good after-action reviews to make sure you’re plugging all of those holes? Or are you out chasing that new shiny new toy to do something else that you think you might need to do? So, as you enter into maintenance mode and you have those finite resources, think about what are the things that you’re really focusing on, and focusing on those things that are actually being used against you.

Your best threat intel is your own threat intel.

[David Spark] Good point. How do you explain this complex situation, Geoff? Because these were two sort of attempts at doing just that, and I don’t argue that either one is right or wrong here.

[Geoff Belknap] I don’t know that every take on this has to be canonically correct or not. I think the most important thing here is, look, it gets harder year over year in different ways. But the way I would think about something like maintenance mode, and I would think about this more as like I talk with my teams about flattening the curve.

Like, look, the spend on security is going to naturally go up over time. Hopefully, it’s going up in line with inflation, or at least not faster than the business is growing, so that you’re not costing more relative to how the business is growing. And you should be looking at, like if I sell windows and doors, I know roughly the kinds of things I have to worry about what’s in my threat envelope there, and I can invest in the things that are always going to be evolving threats in that area.

If you’re a complicated company, like the one I work for, it’s much more complicated than that. But the bottom line is you need two things. You need to sort of understand what your threats are, what your risks are, and you need to really understand the money that you’re investing in whatever you’re buying, people or software or assets, how are those working, right?

And I think the conversation here from Humberto is really good. If you have no idea what the ROI is, but you’re going back to your executive leadership or the board every year and going, “Fifty percent more, please,” you better be able to articulate that you’re having some kind of measurable impact.

Because I’ll tell you what, this is a hard job, and it’s easy to feel like you’re good at it if you’re just buying more stuff from vendors every year, but at some point, you’ve got to be able to articulate that you’re having an appreciable impact on the risk.

Sponsor – ThreatLocker

11:01.819

[David Spark] Who’s our sponsor this week? Well, it is ThreatLocker, and we’re thrilled that they’re sponsoring this episode. So, let me ask you a question. Do zero-day exploits and supply chain attacks keep you up at night? They’re no fun to think about, I’ll tell you that much. So, worry no more because you can actually harden your security with ThreatLocker.

Imagine taking a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user, unless specifically authorized by your team. Now ThreatLocker helps you do this and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation is fully supported by their US-based support team.

Stop the exploitation of trusted applications within your organization to keep you running efficiently and secure, protected from ransomware. Now worldwide, companies like JetBlue, they trust ThreatLocker to secure their data and keep their business operations flying high. Now, if you want to learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, well, go visit their website.

It’s ThreatLocker.com. Go there.

Is anyone happy with this solution?

12:14.294

[David Spark] Sashko Lazov of NOA Solutions said, “I wouldn’t call there is such a thing as maintenance mode in cybersecurity just because there isn’t one with cyber criminals.” That’s [Laughter] a good point. “There are always new things to be remediated, automated, made compliant, new threats, etc.

Businesses grow, and with that, also the complications and expansion around cybersecurity.” And Shawn Riley of Wolfberry said, “I believe maintenance mode might be more commonly called continuous improvement.” Ah, good definition. “Continuous improvement in cybersecurity highlights a proactive and iterative approach to maintain and enhance an organization’s security posture.” I get the sense that’s what you were talking about, Andrew.

Yes? Continuous improvement.

[Andrew Wilder] Yep. Continuous improvement makes me think of Elon Musk’s thing called the algorithm. When we were at Nestlé, we had something very similar to this that we called SSAOE, an easy acronym for us, which was Simplify, Standardize, Automate, Offshore, and Eliminate. Now, ours were not in order.

Elon Musk’s are in order. I can tell you those in a second. But the great thing was everybody on the team had a bonusable objective. Besides the projects and the incidents and the other things that they were responsible for was to figure out how to SSAOE some tasks that you were doing. And the overall goal or the vision for this was to push down lower-value tasks so the team could work on higher-value activities, and everybody saw the value in that.

Elon Musk’s QDSAA, which is Question Every Requirement, Delete Part of the Process, Simplify, Accelerate, and Automate, his are in order. So, he follows them that way. And if you read his book and think about how he did Tesla and those things, he does all that stuff. But I think as we can do that, we can start to continuously improve.

The last point on that is generative AI. We wouldn’t be really having a podcast if we didn’t use that buzzword at least once.

[David Spark] Congratulations for bringing it up first.

[Andrew Wilder] There you go. There you go.

[David Spark] [Laughter]

[Andrew Wilder] Sorry, Geoff. I know you wanted that chance.

[Laughter]

[David Spark] He waited till segment three. He had two segments to do this, and he got to talk first. So, you’re out, Geoff. Go ahead, Andy.

[Geoff Belknap] Fine.

[David Spark] [Laughter]

[Andrew Wilder] Leveraging generative AI is a great way to think about continuous improvement or SSAOE or QDSAA or whatever you’re talking about, but it’s a great way to bring those lower-value tasks down, automate them, and then allow your team to be doing more higher-value tasks.

[David Spark] I’m going to go back to Sashko’s comments like, “Hey, cyber criminals don’t have a maintenance mode. So, why should we?” But I think from what you’re saying and really all these other comments, maintenance mode is continuous improvement because how could it not be? And this also goes back to something that I asked the community a long time ago.

Is there anything in cybersecurity that’s set it and forget it? And nobody could come up with one thing.

[Geoff Belknap] I mean, the answer’s no. Nothing is set it, forget it. Just the entropy of the universe will disrupt that for you. But I think instead of thinking of the whole program as running it in maintenance mode, you really should be thinking about it maybe a little bit differently. What classes of risk can you get to a point where you feel like, all right, I got that, that’s managed enough?

Because there’s no done, but there are points where you’re like, “All right, that’s good. Now I can sort of hold that where it is and move on to something else.” And so I’ll go back to what I said before. You can get MFA or your identity system to a place where you feel good about it for the time being, and you don’t need to invest giant-sized amounts of capital or operational expense into those.

You can sort of hold them for some amount of time, and then you can pivot to like, okay, how am I doing on patching or scanning, or how am I doing on understanding my exposed risk surface? You can just move on to other things.

But what you should be doing is going, okay, once I’ve got that identity system to a place where I feel good about it, who’s now responsible for making sure that it costs me less to hold it there over time? And that can be in dollar amount, it could be in people, it could be in energy I’m spending worrying about it.

Just like how do I make sure that the amount of attention, focus, and effort that takes is lessening over time instead of increasing, or at least not growing more than other things? I think, to me, that’s what maintenance mode is. It’s just understanding either you’re making it better or you’re making it more effective, efficient over time.

[David Spark] Really, that goes back to what was asked by Brent at the very beginning about can we shift into efficiency mode? It’s like you finish stage one maintenance mode, then you move to stage two. What I’m hearing from both of you is it’s not that there’s a handoff, but there’s definitely a mix.

But definitely I get the sense that you need to do the basics at the beginning before you start. Well, I guess you’re talking about efficiency the whole way along, yes? I’m going around in circles here, but you’re doing the two simultaneously. Yes, Andrew?

[Andrew Wilder] I don’t think you’re doing the two simultaneously when you start. I think it depends on your maturity level. The last couple of roles I’ve had have been kind of almost greenfield, never had a CISO before. So, in that case, you’re building, right? You’re doing programs, you’re laying foundations, you’re building maturity and building teams and all that stuff.

I don’t think at that point you’re doing maintenance mode by default. Now, as Geoff and I both talked about, once you get to a certain level of maturity or you have certain risk where you can say, “I have this in control enough,” then you can start to focus on doing maintenance mode in those areas. But I would say, especially if you’re starting greenfield, you’re not going to be doing this from day one.

At least you probably don’t have the resources to be able to do it from day one.

What’s the ROI?

17:42.444

[David Spark] Robert Geis of World Wide Technology said, “Security should be so baked in to the execution of the business that it should grow at run rate of the business.” And Ramon Gutierrez of TEKsystems said, “If you can maintain total expenditures as percentage of total budget year over year, I personally would consider that maintenance mode.

Now, if spending extra nets me an ROI that outpaces the ROI generated by the extra going to another aspect of the business, I’d increase the budget.” So, this whole idea of, we talk about it endlessly, security should know the language of the business, should operate with the business, serves the business.

This all speaks to it, again, Geoff, yes?

[Geoff Belknap] A hundred percent. Look, I hate to burst anybody’s bubble, but I have a business degree, and this is where I usually go sideways of some of my friends who are more like war fighters in this space. But I think most businesses go through a cyclical nature of maritime and wartime in terms of footing for their defenses, depending on where they’re at.

If you’re under attack, you’re kind of in a wartime footing. You are running and gutting and responding and trying to close things down. And generally, I think at that point, if I put my business hat back on, it is okay for the growth of expenses in security to go higher potentially than the growth rate of the business or of other spend.

But if you are in maritime, if nothing bad has happened to your company, if you’re not a massive target, if your business is growing more flat, if you’re a dental office and you’re not exactly the target of foreign national intelligence services, your spend and security better be growing much lower than the growth rate or the run rate of the business.

Otherwise, you are not doing your job as an executive leader of security.

This is an important thing to think about is like when does that need to flip? And this is really what we’re talking about when we talk about risk acceptance levels for your CEO or for your board. They want a risk level that puts that growth rate below a certain amount so that they can grow the rest of the business, and then you better have a really good reason when you grow it faster than the rest of the business.

[David Spark] All right, I’m going to let you close this one out, Andrew, this whole discussion just comes down to how in sync is security with the business?

[Andrew Wilder] Yeah, so this goes to the philosophy or the definition of what is a CISO to the business? So, a CISO to the business is a subject matter expert on the topic of cybersecurity risk, and we are here to translate that into the business language so they can understand this is how risky it is and allow them to make business decisions, financial decisions based on their risk appetite.

So, I can go in and say, “Hey, we’ve got risk XYZ. Here’s three different flavors of how we can control it. This is how much each of those costs and how much those will reduce the risk.” And they can say, “We are really risk averse. We want to spend a bunch of money to fix this,” or the opposite. They can say, “We don’t care about this and let’s just let it slide,” kind of thing.

[David Spark] And by the way, have you guys historically had that exact kind of conversation? Like, “We can totally accept that risk, let’s move forward”?

[Andrew Wilder] Absolutely. Yeah, multiple times.

[David Spark] Yes?

[Andrew Wilder] Yeah, yeah. That’s kind of the general board meeting conversation.

[Geoff Belknap] Yeah. Just as a side note, that is also a board meeting conversation for every part of the business, right? Not just security risk.

[Andrew Wilder] Yeah. If everybody else is doing that, you should be doing the same thing. And you can measure the ROI in different ways, right? You can take a quantitative risk approach, reducing the probability of material impact due to a cyber event, and how much that could potentially cost and how much the controls cost.

You can look at, we talked about continuous improvement and maintenance mode, you can look at reduction of people-hours and lower value-add activities, and you can, of course, look at lowering your budget and the rate of growth of security to the pace of the business. There’s a number of different ways you can look at ROI, and a lot of times that also depends on how the business is looking at ROI.

And so you speak their same language, and you show them the cyber risks, and then you make that decision together.

Closing

21:43.891

[David Spark] And that is a good place to close this out. All right. I’m going to come with you with another question here, Andrew. There were some really good quotes here. Like there is no wrong quote, I don’t think, in this, but some really, really valid opinions on this whole issue of maintenance mode and what that means in cybersecurity.

So, Andrew, I’ll ask you which quote was your favorite and why?

[Andrew Wilder] So, my favorite quote was Shawn Riley’s because it really got us talking about this continuous improvement topic, which is what I think Brent was maybe talking about when he asked the initial question about maintenance mode. It allowed us to kind of go on a different tangent, which I thought was very interesting.

[David Spark] All right. Good call. Geoff, your favorite quote and why?

[Geoff Belknap] I think there are a bunch of these that are really good that spurred some good conversation. I’m going to go with Humberto from HGxCyber, who said the mindset’s troublesome, which I 100% agree with, and then went on to say this later, “Consider the value of what you’re protecting and always be ready to demonstrate some level of ROI and effectiveness of what you already have.” And I think this is an essential lesson, especially as we see the CISO role really evolve and mature from where it used to be, as sort of a subject matter technical expert, to now somebody who is a subject matter technical business expert in translating these technical requirements to what the business needs to know about.

And if you’re going to be spending, like I say, to just light cash on fire to fight risk, you better be able to demonstrate what the return on that giant bonfire that you’re making is for the business. Otherwise, be ready to find a different role.

[David Spark] Very, very good point. Well, that brings us to the tail end of this show. I want to thank our sponsor, that’d be ThreatLocker. Remember, zero-trust endpoint protection platform. Be proactive about your cybersecurity. Go to their website, threatlocker.com. Go check it out. Andrew, thank you so much for coming.

Let me ask you the question. Are you hiring over at Vetcor?

[Andrew Wilder] We are. We are. We are hiring a security operations lead, and we’re also hiring a manager of identity and access management.

[David Spark] Excellent. Well, if this is you, please go to – I’m assuming they have a job site at Vetcor, yes?

[Andrew Wilder] Yes, yes, we do. And they’ll be posted on LinkedIn, I think, next week.

[David Spark] I’m assuming you can reach out to you directly too as well.

[Andrew Wilder] Absolutely. Feel free to hit me up.

[David Spark] All right. And we’ll have a link to his LinkedIn profile, Andrew’s LinkedIn profile as well. Again, Andrew Wilder, who is the CSO of Vetcor. Also, Geoff Belknap, who is always fantastic on the show. Thank you so much, Geoff, for being with us. And to our audience, we greatly appreciate your contributions.

Again, if you see awesome discussions, on LinkedIn especially, we find LinkedIn’s the best, if you find awesome discussions on there, let us know. We can turn it into an entire episode of Defense in Depth. Thanks again for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.