October was Cybersecurity Awareness Month, and throughout the month the IT-ISAC hosted a number of webinars highlighting different topics in the cybersecurity industry – including an Ask Me Anything (AMA) session with our Critical SaaS Special Interest Group’s CISO members. We’ve compiled and condensed their answers from this session into a question-and-answer interview that is available to read below.
The panelists for the webinar included:
Deepen Desai, Chief Security Officer - Zscaler
Jeffrey DiMuro, Deputy Chief Information Security Officer - ServiceNow
James Dolph, Chief Information Security Officer - Guidewire
Chris Niggel, Regional CSO, Americas - Okta
The members of this SIG also recently authored and released a white paper on the Shared Responsibility model, titled Are You Sharing the Responsibility?: Key Practices for SaaS Application End Users’ Ultimate Protection. The paper is available for download on the CSaaS SIG page of the IT-ISAC website.
There are many people looking for CISO positions - how did you get to the position you are in now?
Deepen: “I was looking to go into the field of medicine [...] But the starting point was when I was doing my Master's at San Jose State. I had the pleasure of living with two other roommates while doing my Master's and saw them playing a video game. And one of them was actually using some kind of aimbot or wallhack or whatever you want to call it. [...] So my first experience was actually building an anti-cheat client for an online gaming league while I was doing my Master's.”
Jeff: “Back in 1999, as the world was changing, getting ready for 2000, I got recruited over to work for Nortel. And my career there and my love for math, and just learning all about encryption and SONET networks and dense wave division multiplexing, all kinds of technology. It just took off. And I found my real passion working in the security field, but approaching it from a business aspect. I had many years in the business and understanding. I think one of the things that I think helps people in our field is to understand what the business goes through every day and what they're trying to achieve.”
James: “So I was a really curious kid. And I think really what got me interested in security was there was this guy named Captain Midnight, who I saw on the news had overridden the signal to HBO. And it just, my whole, everything in my brain turned to like – “Wait, I didn't know you could do that!” And now I wanted to do that to everything. [...] So I worked a lot in IT jobs and then eventually joined a consulting company and started doing some offensive security, which I think is a fun way to start out. [...] And then eventually I started learning more about how to lead teams and how you do these things at scale.”
Chris: “I came in through an IT background, systems administration, network administration, and I was working for a consulting company in San Francisco. We provided basically IT for hire to small and medium businesses. So I get a phone call one night from one of my customers and they say their phone system is down. They're running an Asterisk VoIP system that had been set up by the owner's son a year ago and no one had ever touched it. [...] And I realized that that server had been taken over by a threat actor. It was being actively used to target systems in Taiwan, which was really cool to see. Of course, the customer was pretty unhappy because they couldn't make any phone calls. So for my job at that point, I learned very much that security was just a part of my metric, which was uptime. Something I had to have, something I had to learn in order to achieve uptime for my systems.”
What is your top priority or top three priorities in your current roles?
Deepen: “I'm going to share a representative of the top three that I'm tracking. Number one – this has been the case ever since the pandemic or even before, but more so after the pandemic – public cloud security. [...] Number two is around insider threats. This is where we have seen threat actors actually going after some of the staff members in certain countries and literally offering them $20,000 a week to gain access. What do you do in that case? [...] Number three, and this can be controversial, because I know there's a mixed feeling around generative AI and AI. But security around the development environment as well as the production environment as it pertains to using generative AI applications.”
Jeff: “I'm going to add third-party security, supply chain. That's one of the biggest issues that I think goes unnoticed. All of us have many, many different third parties. Some of us have hundreds, some of us have thousands. Some of our clients might have tens of thousands of suppliers and vendors that they use.”
James: “When you're in the CISO role, one thing that's really important is communication. I spent a lot of my time translating to the board of directors and the executive team and the CEO, and then into the line level managers, and then communicating with engineers at the engineering level and communicating with all the different security dialects that we have within our own team, right? [...] So I feel like it can't be overlooked that communicating is one of the important skills in this role, because what we do is so esoteric and so poorly understood.”
Chris: “There's one thread that each of us has pulled as we're talking about careers as well. And that, as James mentioned, is communication. Security is now recognized as being so important to organizations. The SEC has now asked for reporting to boards and reporting in our public company statements about cybersecurity. [...] We, as security, have to be in tune with what the business is doing. We have to be enablers in order for us to be successful in our roles. And that holds true for everybody in security.”
In July, we all heard about the CrowdStrike incident. Though it wasn't a cyber attack, it did have long-term impacts on both people and organizations. How have these recent and public incidents impacted your role and companies, and what are you doing now?
Chris: “As a critical SaaS provider, probably the biggest impact, honestly, to me has been the increase in number of questions and the diligence into resiliency. Organizations are just a lot more aware of the impact that their vendors can have on their business now and really want to understand what that impact is and how to manage it.”
James: “I think in the same way that we need to be prepared for these cyber incidents that we all think about every single day, 24 hours a day, even when we're sleeping, I think it's important that every organization thinks about what software is critical in your organization outside of a security perspective.”
Deepen: “I think the piece that I'll add to what both Chris and James mentioned is testing that out. [...] Make sure you have processes around how you could recover from an unlikely incident – and are you able to stay operational?”
Jeff: “I have to look at it differently. These were dynamic updates. So under that shared responsibility model we accepted a dynamic update, right? Under that shared responsibility, is the model now changing where rather than accepting a dynamic update throughout our entire farm, maybe we have an A, B implementation, or maybe we have to check that dynamic update before we push it out, right? There's always a trade-off between efficacy and efficiency. We want those zero days. We want that update as quickly as possible, but are we willing to accept it – for exactly what happened? Are we blurring the lines in terms of what we accept from an efficiency point of view versus what we accept from an efficacy point of view?”
Deepen: “We do a lot of security feed updates, and I was talking to many organizations as a result. I’ll just comment on what we’ve been doing. Yes, we need to push those dynamic updates as soon as possible, but we’ve always by principle used the staggered update mechanism. [...] In a shared responsibility model, the vendor must do everything they can to ensure you don’t have the level of impact that happened last time. The consumer-side responsibility is to be prepared - if the vendor did everything they can and still failed, what would that disaster recovery look like for you, and does your vendor provide you an option?”
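Jeff's A/B or pre-checked rollout and Deepen's staggered update mechanism both come down to bounding the blast radius of a bad dynamic update. As an added illustration, not code from any panelist's company, the constructed simulation below pushes an update ring by ring behind a health gate and compares how far a bad update spreads with and without the gate; the ring names, host names and fault model are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class RolloutResult:
    pushed: List[str] = field(default_factory=list)     # hosts that got the update
    unhealthy: List[str] = field(default_factory=list)  # hosts failing post-update check
    halted_at: Optional[str] = None                     # ring where promotion stopped

def staged_rollout(rings: Dict[str, List[str]],
                   health_check: Callable[[str], bool],
                   max_failure_rate: float = 0.0) -> RolloutResult:
    """Push ring by ring (canary first, dict order). Promotion to the next
    ring stops once a ring's post-update failure rate exceeds the gate, so
    hosts in later rings never receive a bad update."""
    result = RolloutResult()
    for name, hosts in rings.items():
        result.pushed.extend(hosts)
        failed = [h for h in hosts if not health_check(h)]
        result.unhealthy.extend(failed)
        if hosts and len(failed) / len(hosts) > max_failure_rate:
            result.halted_at = name
            break
    return result

def flat_rollout(rings: Dict[str, List[str]],
                 health_check: Callable[[str], bool]) -> RolloutResult:
    """Push to the whole fleet at once with no gate, for comparison."""
    everyone = [h for hosts in rings.values() for h in hosts]
    return staged_rollout({"all": everyone}, health_check, max_failure_rate=1.0)

# Constructed fleet: 252 hosts split into rollout rings, smallest first.
FLEET = {
    "canary":  ["c-01", "c-02"],
    "ring1":   [f"r1-{i:02d}" for i in range(1, 11)],
    "ring2":   [f"r2-{i:02d}" for i in range(1, 41)],
    "general": [f"g-{i:03d}" for i in range(1, 201)],
}

def bad_update_health(host: str) -> bool:
    """Constructed fault model: the update crashes every even-numbered host."""
    return int(host.rsplit("-", 1)[1]) % 2 == 1

if __name__ == "__main__":
    staged = staged_rollout(FLEET, bad_update_health)
    flat = flat_rollout(FLEET, bad_update_health)
    print(f"staged: halted at {staged.halted_at}, "
          f"{len(staged.unhealthy)}/{len(staged.pushed)} hosts down")
    print(f"flat:   {len(flat.unhealthy)}/{len(flat.pushed)} hosts down")
```

With the gate, the bad update stops at the two-host canary ring; without it, half the fleet is down before anyone can react.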
How do you all ensure that critical data isn’t overlooked in the wake of an incident? And how do you effectively handle all of the information being pushed out?
James: “When you’re in the heat of the moment, everyone is excited. To go back to one of the themes, practicing these types of things is very important. A few of us participated in Cyber Storm, and that was a good way to practice these types of things. From a tactical standpoint you can do something as simple as assigning a scribe focused on just capturing information while your incident commanders and others will do other activities. I think the other thing is, in the future, we're going to have things like generative AI and transcription and other stuff that will help us to find the signal in the noise a lot better. We don't need generative AI to do that right now. I think we can do some common sense things, but this will become a lot faster and better and more automated in the future.”
Chris: “We've talked about communication – and it goes into that internal communication as well during events to make sure that the right people are involved, especially that your legal team is involved, if you're dealing with a security event that could require notification, either to customers or regulators. But one thing that I use [...] is the Incident Command System. So FEMA has created what's called the ICS. You can actually get training for this for free from the government. [...] But this is a program that's designed to help incident responders manage and triage large scale disasters. But it can be used just as easily for small scale disasters or incidents within your own organization.”
Jeff: “The only other thing I'll throw in there is like a simple foundational thing. If everything went to heck in a handbasket, would you know how to get hold of your colleagues? So things like call trees, things like [...] pen and paper and understanding that I have a printout of everybody's phone number. Or using maybe a non-native application.”
With the speed at which the current cybersecurity landscape is changing or evolving, how are companies updating their access management strategies?
Chris: “This is kind of what we do right here at Okta. So I think the key things that we're seeing is organizations are moving towards using phishing-resistant authenticators. And in some cases, actually getting rid of passwords entirely. [...] So these are things like YubiKeys, WebAuthn tokens, so like the biometrics that are built in your laptops or your phones – it’s super important to protect against the threats that we're seeing right now.”
What would you recommend if an organization can’t go passwordless to become more phishing resistant?
James: “Get a password manager and use passkeys, if you're asking from a personal standpoint, would be my advice.”
Deepen: “FIDO2-compliant MFA, ideally different from your IdP vendors. If the IdP vendor has a bad day, you still have one additional layer over there. The only thing I'll add to what was said was, implementing a posture check on what device someone is coming in from using the authorized credentials. [...]
And then, last piece is step up authentication. This is new. [...] There's a whole different segment of continuous authentication and step up MFA.”
Jeff: “Least privilege access control [...] So it's one thing from an authentication perspective. It's another thing from an authorization perspective, right? And this is where we've talked about, for 25, 30 years, defense in depth when it comes to security. So yes, you still have to penetrate the front door, but once I'm in the front door, if I can lock down the rooms of what that person can gain access to.”
Chris: “We do have one question in the Q&A asking about how to best secure her environment. And I think this conversation really hits upon that. [...] For the applications that you're using, especially as a small business or small business owner, they now support some type of multi-factor authentication. Make sure that that's turned on. Be very cognizant of how you're accessing those resources and you're not following links that may be sent to you in email, so that we can kind of stay away from the common ways of phishing.”
As a cloud service provider, what concerns you most about leveraging other cloud service providers, knowing what you personally know about your organization's security posture?
James: “I find that these large cloud providers, the ones that we use to do these very specialized things inside of our organizations, have such a good understanding of their service that they can make investments in security that I can't make as a CISO. [...] The thing that worries me the most is like, do we understand the shared responsibility model well enough to meet up to our side of the bargain? And it kind of gets to what we talk about in this paper.”
Jeff: “I have empathy for our provider. What I try to do is treat them the same way that I wanna be treated. So when I look at them in terms of their security, I look at the foundation security that we have and that's what I'm hoping that they have to secure my data within their environment. So I don't ask them to do anything that I can't do or is not available.”
Everyone's had an “Oh crap, what just happened” moment in their career. And I would love to hear some of those from you all.
Chris: “We were upgrading the Exchange server. Of course, it failed and it knocked out email to half of the organization. And this was a company that absolutely ran on email. [...] And the first thing that I did was I sent half the team home because I knew this was not a problem we were gonna fix in a couple of hours. [...] My first step was, “How do I manage the resources that I have to be able to respond to this event?” And that's something that I've carried with me from that point forward is when something bad happens, irrespective of what it is, understand quickly: What are your resources? How does it compare to the problem that you need to solve? And then figure out how to assign those.”
James: “In the early part of my career, I was very, very focused on delivery and doing a good job. But what I missed was this sort of aspect of communication. And I had this experience where I talked to the current CISO and I said, “Hey, what is it that I can do better in this role?” And he's like, “Frankly, I'm not clear on what you're doing.” [...] It's really important to not only do a good job, but to make sure that it's clear the value that you're providing in the organization and how to communicate that in a way that's not bragging, but also helps the organization to see the value that you provide, because that provides opportunities later in your career.”
Talk about something that you would, or currently are, training or educating your employees on.
Jeff: “We are hypervigilant on just trying to train our people from a phishing point of view, using different techniques and different products in the market. What we've done is we've come up with different mnemonics to remind people to slow down before you click on anything, before you respond to anything.”
Deepen: “Training is very important. Your employees are your last line of defense as well. I see it in a positive way, where when that Scattered Spider campaign kicked up, last year [...] We shared an advisory with all the organizations out there as well. [...] Educating when the issue is happening is equally important. Periodic education is good, but educating the user at the time they're about to make the mistake is even more effective is what I've seen. And that's what we're using on our end.”
James: “The topic that really sticks out to me just based on what we're all seeing in the public arena is how do you instill a sense of skepticism in your employees, even when you're trying to have a trustworthy relationship between them? [...] If something seems weird, if something seems funny, we'd rather have the noise on our security operations team, is sort of the message that we're sending – and trying to get people to just be a little bit suspicious, even if it leads to nothing.”
Chris: “One of the things that we've done is we've stopped focusing the training on how do you protect the company and change it to how do you protect yourself? [...] If we can help our employees protect themselves, they'll be much more invested in learning those than telling them how they can protect the business that, quite frankly, they may or may not care for.”
This hour-long, AMA-style webinar was the first of its kind for the CSaaS SIG and one we hope to do again in the new year. For additional information about the CSaaS SIG click here, or if you have any questions for our CISOs feel free to email us at membership@it-isac.org.