Defense in Depth: Building a Cybersecurity Culture

How do you begin building a cybersecurity culture for the whole company? And, more importantly, how do you maintain that?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Mike Hanley (@_mph4), CSO, GitHub.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Anjuna

Anjuna Confidential Cloud software effortlessly enables enterprises to safely run even their most sensitive workloads in the public cloud. Unlike complex perimeter security solutions easily breached by insiders and malicious code, Anjuna leverages the strongest secure computing technologies available to make the public cloud the most secure computing resource anywhere.

Full transcript

[David Spark] How do you begin building a cyber security culture for the whole company? And more importantly, how do you maintain that?

[Voiceover] Welcome to Defense in Depth

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode is Geoff Belknap. You may know him as the CISO of LinkedIn and the cohost currently of this show. Geoff, make it clear that you’re actually here.

[Geoff Belknap] Hi. I am Geoff and not a prerecording of Geoff. Welcome to Defense in Depth.

[David Spark] He couldn’t do that if that was a recording at all.

[Geoff Belknap] It would literally be illegal.

[David Spark] Yes, against California law.

[Geoff Belknap] That’s right.

[David Spark] And I believe a federal law, too. We’ll figure out what that is. Our sponsor for today’s episode is Anjuna. If you are trying to create private secure spaces on public clouds, guess what? Anjuna is a company that could help you in doing just that. And guess what? We’ll talk more about them and hear from Anjuna later in the show. But first, I would like to talk about our topic. This comes from Yehudah Sunshine of Odix. And he hosted a poll on LinkedIn asking, “When building a cyber security culture, where is the most important place to start?” 51% said the C-suite buy in. So, the top down. But 37% said employee education. That would be bottom up. My guess, it depends on your organization’s structure as to which one is more appropriate. Some organizations have processes that bubble up from the bottom, while others have powerful leadership from the top. Yehudah made the critical point that, “Everyone is happy to support X. It’s something else entirely to spend the time, mind space, and resources to make the idea something the entire organization lives by.” And his real question was, and I hope we can come to some understanding on the show, and I will ask you, Geoff, “How can you tell when you’ve reached the saturation point and the cyber philosophy has finally taken over? Is it something that’s clear, or are these moments…?” What do you think?

[Geoff Belknap] It’s one of these je ne sais quoi. When it’s happening, you know it. But I think very broadly, it’s when the company cares about security and not just cares about saying they care about security. But when they actually seem to want to give things the time and consideration, you’ve won. And I think it’ll be really interesting to talk to our guests today about how do we get there.

[David Spark] Well, our guest… We’re thrilled to have him on. We had him on the other show and brought him on this show. He is the CSO over at GitHub, Mike Hanley. Mike, thank you so much for joining us.

[Mike Hanley] David, thank you for having me. And good to see you, and good to see you as well, Geoff.

[Geoff Belknap] Good to see you.

How do I start?

2:45.471

[David Spark] Mollie Chard over at Capgemini said, “I think employee education and C suite buy in are both top of the priority list, but they should come hand in hand. You can start employee education without much funding/budget via various methods – email, internet, extranet, in person training. But may not be very effective if you don’t have a budget for it or time allocated for it.” And Sarah Aalborg of DSB said, “When you finally have the mapping between the risk scenario, behavior, and needed initiative, you can approach management because now you can argue for the needed time and budget.” So, I don’t think you’d ever get an argument from someone saying, “Yes, we want to have a culture where people are concerned about security.” I don’t see anyone would say no to that. But what Yehudah mentioned and both Mollie and Sarah mentioned is getting the action to move forward to make it a critical time financial decision. How does that come about, Geoff?

[Geoff Belknap] I think the missing element here is really there’s a layer between C suite and all the other employees. There are a lot of leaders in the organization. Some of them are in actual senior leadership roles, and some of them are sort of de facto leaders like people the organization looks up to. What I find is if you really want to change the culture, you’ve got to map those people out, and you’ve got to start helping those people see why security is important to what they’re doing – a transition layer. That mapping really has to be, “Why does security impact me? I’m making decisions maybe about my product, or sales, or whatever it is. Why do I care?” Not like, “I don’t care. Please change my mind.” Although in some cases…I’d be interested to hear if Mike has experienced that, but you have to give them a reason for it to matter to them for them to really connect with that idea. And when you do, that’s when you start to really see them care about it, and that’s when you start to see… I’ve got partners in different parts of the business that are like, “Hey, did you get all the headcount you need? Do you need me to advocate for you? Do you want to put something together?” That’s when you really know that you’ve started to win.

[David Spark] I will say, Mike Johnson, the cohost over at the other show, he references the why do I care by making the security personal. Like dealing with people’s personal security, and then they understand it for the business. Mike Hanley, your thought?

[Mike Hanley] Yeah. I totally agree with what Geoff said in terms of mapping out the organization – finding who are your influencers if you will and how can you actually enable them to help carry the message for you. Especially as a leader. You’ve got a finite amount of time, finite amount of places that you can actually show up. I haven’t figured out bilocation yet. Geoff, I don’t know if you have. I can only be in one meeting and send one email at a time. But acknowledging that I agree with everything that Geoff said, I would also say as a leader, the organization is looking for you as the senior security executive, if you’re the CISO, to model the behavior that you then want to see through that network of influencers, through the rest of your team, etc. And I think that tone setting is so important. Because I’ll go back to… If you read sort of like old school business management textbooks. You look at like Peter Drucker, sort of the classic, “How we built GE into a titan.”

And one of his famous quotes, of course, is, “Culture eats strategy for breakfast.” And I’m sure if he had had a CISO at the time, if that had been in vogue in earlier competing days, I’m sure his CISO would have said, “Security culture eats security strategy for breakfast.” And the value that your employees place on it and their ability to understand and articulate its importance to their job, the business, the outcomes that it produces for your customers is actually pretty critical. Because the reality, especially in… GitHub is a good sized organization. I don’t actually expect everybody at GitHub to be a security expert, nor is that a goal of the security program. But I do want them to understand that security is important to our customers, and developers, and their day job because that’s what means they raise their hand when they need help. And that’s why we have a team and a function to kind of come in from there. So, I think the culture of people can ask for help, people know when to ask for help, they know of whom to ask them, and that it’s a safe space for them to bring their concerns, their problems, their mistakes, their questions… You got to have that kind of environment if you want to have a healthy security culture. Especially in a fast-moving software company.

How would you handle the situation?

7:06.151

[David Spark] Nick Santora over at Curricula said, “It starts with actually caring and not just saying we care about security.” Now, we mentioned that yes, Osama Salah over at the Department of Finance for Abu Dhabi said, “You can’t force it. You can only set the conditions and encourage the adoption of that behavior by others. Just talking about security has no value when staff observes that the actual behavior of management does not match it.” So, let me start with you, Mike, in that I’ll say this about physical security. I was talking about this in environments where physical security is incredibly critical like chemical and oil refineries, when the management does not put on the hard hat and does not go through the critical processes that one needs to do for security, everyone sees that. And so how does sort of the visibility of management security impact everyone else?

[Mike Hanley] I think kind of going back to what we said a minute ago. I mean, it is the most important thing, and I think Nick’s point about actually caring, not just saying we care about it. Though interestingly… And I’m sure Geoff gets these emails, too. I get a lot of vendor security emails that start with, “As the chief security officer at GitHub, do you care about security?”

[David Spark] Oh my God. [Laughs]

[Mike Hanley] That’s a topic for another show. I get a lot of those, Geoff. I’m sure you get them, too.

[Geoff Belknap] I’m always like, “You got me. How’d you find out?”

[Laughter]

[Mike Hanley] But no, I mean demonstrating, again, the behaviors or the activities that you value and showing people that you take it seriously. I don’t follow a different incident response process if there’s something that I want to report to the team. I go through the front door like everybody else and ask for help. If there’s an escalation, reminding people the reasons that we have these processes. It’s to help get a repeatable outcome out of the security program and the faculties that we’ve put in place, etc. And I think the point about you can’t force it is probably the most important point of the second quote. And that’s an important one, especially because I think as a leader, generally speaking you can implement controls, guardrails, boundaries, etc. But forcing people to do things, generally there’s a misalignment in incentives if you get into a situation like that. But what you can do is motivate people, and you can incent them to behave in a particular way. And I think the most core part about that, frankly, is just providing the transparency as to why this thing matters.

We’ve been in security cultures…I’m sure Geoff has been as well where the security team is like not the most transparent or collaborative entity around. And there’s an air of, “We’re the super-secret security squad, and secret squirrel. And we can’t talk about anything that we do, and we can’t tell you why we’re asking you these questions.” And really I think the opposite approach is critical because teams are just trying to get their jobs done. Whether it’s finance closing the books at the end of the month, or a software engineering team trying to ship a feature that they promised. You’ve got to be up front about what your goals are, how it aligns with what they’re trying to get done, and how you can support them. That’s the way you can actually row the boat in the same direction and let them know that you’re all on the same team and that you’re not there actually to provide an opposing force to what they’re trying to do for the business.

[David Spark] Geoff, I worked for ZDTV, which was a television network and later became known as TechTV. And one of our very high-level executives clicked on an email malware, which we had been reporting on on our network, and launched it through our network. I just think about everyone’s attitude towards that person was like, “How long have you been with…? You just don’t get it, and yet you’re kind of running the show.” So, have you had these kinds of incidents where someone so high up…? Now, making mistakes is one thing. There are honest mistakes. But where there’s such a clear lack of care and security, it’s like, “You’re really not helping.” How do you deal with that kind of thing?

[Geoff Belknap] I have definitely been in those scenarios. Not anything recently. Everyone I work with or have worked with or have worked with recently, you’re the best, and I love you.

[David Spark] [Laughs] Again, and I was mentioning something 20 plus years ago.

[Geoff Belknap] Yeah, I think there are definitely poor executives and poor leaders who sort of like, “Do as I say, not as I do.” Which is a terrible leadership methodology. But by and large, whether it be a CEO or a brand new engineering intern, everybody is trying to do their best. What I find is a lot of times people project that they expect a CEO or an executive might not do the right thing or might expect some special treatment. And in reality, 99.9% of those folks that I’ve interacted with, they want to do the same thing. They want to experience the same thing. And I want the experience that a very busy executive who might be running a part of the business has to be the same that an engineering intern might have, that a new salesperson might have.

Because if it’s going to be so intrusive that it makes the executive not want to engage with it, well, then I’m probably ruining the day of a lowly intern or a lowly salesperson. And I think user experience is part of that journey. If you are a security team that is deploying a user experience that’s no fun, you yourself… I think to Mike’s point, you’re ruining the culture yourself. You’re putting yourself on a bad path. I think to the point I think Mike was making earlier, transparency is really great. But consistency and a willingness to engage with people and be honest with them about what you’re really worried about, what the problem really is, and engage with people that make mistakes as someone who made a mistake and not the somebody who has now ruined the company is really key to reinforcing that. I think sometimes we as security people need to be as much in the customer service business as we are in the technology business.

Sponsor – Anjuna

12:45.063

[Steve Prentice] What’s in store for 2022 for your data and your business? Anjuna wants you to know. According to Anjuna customer, Michael Schrank, who is group CISO of Adidas, ransomware is going to get a lot more expensive.

[Michael Schrank] There will be ransomware payments which will go way above a hundred million.

[Steve Prentice] This, he says, is due to a growing sophistication amongst ransomware groups paired with the deployment of game changing weapons like Log4j.

[Michael Schrank] We did see ransomware groups becoming way more agile in adapting to this new vulnerability and using that new vulnerability in their malware. And this is something we had not seen before at that speed.

[Steve Prentice] Then there’s the matter of economics.

[Michael Schrank] Even if you look at the insurance market as an example and they are trying to get a cyber insurance, you will see that those insurers are way more cautious now because they see there are way too many payouts on the policies that they made in the past.

[Steve Prentice] Although for ransomware gangs, the ROI remains high, and the ransoms will continue to rise.

[Michael Schrank] The efforts the attackers need to put in are still very low compared to the payouts they actually get from doing this. 2022 will be the year of the big numbers.

[Steve Prentice] This insight has been brought to you by Anjuna Security. Anjuna provides software that builds completely private confidential clouds on the public cloud. Protect against attacks and fines by securing your data in any cloud. Learn more at anjuna.io.

If you looked at the problem this way

14:21.184

[David Spark] Andrew Hornback with SeaCube Container said, “Changing corporate culture requires a lot of things. Most importantly is the ability to ‘read the room.’ Some tactics work in some places, not in others.” Mollie Chard from Capgemini said, “People have different learning styles, so diversifying the delivery and making the content relatable and engaging are both vital.” Mike, you are nodding your head to both. Have you had to do this?

[Mike Hanley] Yeah, you got to understand in each context what is your business trying to accomplish. And I think as a CISO, you’ve got to look at what’s on the truck in terms of existing capabilities, where is the business trying to go, and how can I create a function and drive a culture that moves us where we’re trying to get to and protects the opportunity to get there. Each organization is different. So, if you’re at a service provider, or a product company, or a not for profit, or a government entity, you’re going to have a very different set of missions, funding goals, potentially culture in way of working and delivering on things. My last couple jobs have been at software companies, particularly companies that make software products or produce software platforms. And there’s some commonality there for sure. But the way a company grows up, and its history, and its lineage certainly informs the behaviors inside the organization. You definitely have to adapt and understand those things. But the history is important really in so far as it helps you drive where you need to go. It’s important not to get caught too far in what did or didn’t go right five years ago and really keep it kind of forward looking. But yeah, I definitely think as a leader, your job is to understand the climate, the broader business objectives, and work to create the culture that fits for that. And while it might look similar from software company to software company, for example, it’s not necessarily always going to look the same. And I think certainly different verticals have different character, and you need to be able to adapt to that.

[Geoff Belknap] I was going to say I think Andrew and Mollie really are the right path here. Because to Mike’s point, not everybody thinks about the thing the same way that you do. Not everybody is in the same part of the business as you are. And so often… This is I think… Mike was giving great strategic advice. Let me give you some tactical advice, dear listener. So often engineering teams, especially security teams, try to train everyone to be a better engineer, and to think about security like an engineer thinks about security, and just completely miss the point of like we were talking about with the other Mike earlier… We really have to connect the security story to everybody, and that means finding a reason for them to care and translating it into something personal for them. Maybe it’s not personal about their personal security, but we have to read the room and understand different people from different teams need to know different things about security. Not everybody needs to know the finer grained technical details, but we have to connect with them at that level. And if we don’t, we’ve missed the boat entirely.

[David Spark] Would you in some cases think that certain messengers tell it better, or it’s just who it’s coming from is better? And I’ll just throw this perfect example… My wife and I have figured out the following. I do tech support for her mother, and she does tech support for my mother. [Laughs] And it’s worked out beautifully.

[Geoff Belknap] It really does. I’m maybe giving away too many secrets here, but I have people on my team that are phenomenal at connecting with some of the go to market teams, and I think vice versa. They probably wouldn’t be as good at connecting with the product team or with an engineering team, but I have other people that are just unbelievably good at connecting security to an engineering team, or to… And it’s different approaches. There are different styles. There are different history. They both care about security and are excellent practitioners. It’s just they have different styles, and it works better for different parts of the business. So, neither of them are less valuable than the other, but that diversity of perspective and experience is part of what makes a great security team. And it’s definitely a key ingredient to a great security culture.

[David Spark] Do you want to add something to that, Mike?

[Mike Hanley] Yeah, the thing I’d add to Geoff’s point, too, is just explore different modes of communication. Everybody has had to do this because of COVID-19, and we’re all behind a camera and a microphone at this point for the most part for health and safety of everybody involved. But some companies are heavy on chat ops, and that might be the best way to experience interacting with the security team as opposed to a pop up that interferes with whatever you’re working on. Or some people might want to interact with a form rather than a human being. I think those are just important cultural things to understand about how does the team want to get work done, and can you meet them where they’re at in order to create and engineer those experiences.

This is not just a security issue

19:08.677

[David Spark] Dutch Schwartz over at AWS had some pretty good advice here, I think. “Cyber security culture is simply culture. It’s not separate but rather woven into company culture.” He goes onto say, “I would offer up that cyber security culture is more than just awareness. It’s a recognition and internalization by all employees that acting securely is about customer care.” What was just brought up moments ago. He goes on to say, “Enabling your mission and can be thought of as an attribute of quality. People learn through stories. Tell them stories that are engaging and meaningful for everyone – the HR specialist, the finance analyst, the developer, and the newest intern.” Mike, this kind of sums up kind of everything we’ve been talking about on this show. It needs to be part of the DNA.

[Mike Hanley] Yeah, let me tell you the trick on this one for all the listeners. The sooner you figure out that the whole company is the security team and that you actually have the full force of the organization at your disposal if you’re willing to meet them where they’re at and work with and through them the better. Because the next individual analyst role that you hire might help you get capacity in one team, for example. But if you can figure out how to get the full force of the organization to bear to secure the organization, now you’re really rocking and rolling. And creating that agency, and… This requires transparency of course, like we talked about a minute ago. But creating that agency and actually really just getting people involved in security, people want to be involved in that. And I think if you set them up so that they’ve got the transparency and then to some extent where it makes sense a say in how things are going, this can actually be really powerful. Good example… And this is something I’ve been doing the last couple jobs is every time I have a company all hands, the very first thing that I say is, “Raise your hand if you’re on the security team.”

And I get a couple thousand hands that go up. This isn’t a cheesy thing that I’m saying just to get a laugh out of people. I need and expect everyone to be thinking about it, aware of it, and really involved in it. I will often… I think Dutch points this out in the quote. Give examples of, “Here’s something awesome that happened in finance that was security related.” Or, “Here’s something awesome that happened in sales where a sales rep did the right thing.” Or, “Here’s an engineer who did something above and beyond the call of duty.” And the current swag currency that people are trying to get inside GitHub on this is the GitHub security team jackets, which we give away for exceptional security behavior or contributions. But those are available to everybody because everybody has got a role in helping secure the company. And just making that really, really visible and pointing out like, “Hey, we’re here to help, and there’s plenty of security work that my team will do as a function.” But the whole security team, which is really the entire employee base… It’s the day to day stuff there that gives you just such a broad and robust sensor network. It’s better than any tool that you can buy.

[Geoff Belknap] I did a thing very similar to that at another company where it was like, “I saved the company.” I think we had buttons and t-shirts. It was like, “You reported a phishing email.” Or, “You reported an incident.” People were really excited about getting those, and it was a great way to do that. I also think it’s a really interesting point. I wonder how many of our peers that are super frustrated about their role and stressed out about how things are going have not spent enough time trying to bring the rest of the company along with them and to get the rest of the company to sort of do the heavy lifting for them. I bet it’s more people than we’d like to admit.

[Mike Hanley] Yeah, well, this is a first team, second team. If you think about as a CISO, I do think it is really important to think about yourself as running the company. Your job is to help run the company. You happen to have a security team and function, which is part of your contribution to running the company. But you’re an executive running the business first, and your second team is really the team and the resources that report to you. I think if you put it in that context and you think about like, “How are we driving this thing forward together, and how does my team contribute to that,” it definitely helps set you up for thinking about the biggest possible picture first and how to enable the whole company. And then have your team be maximized in its efficacy in that construct.

Close

23:27.388

[David Spark] Excellent point. And that brings us to the very end of our episode. Tight, compact, lots of amazing advice. Phenomenal, both of you. All right, now comes the part of the show where I ask both of you, what was your favorite quote, and why? And Mike, I will begin with you. Which quote was your favorite, and why?

[Mike Hanley] My favorite quote is definitely the changing corporate culture requires a lot of things, but most important is the ability to read the room. Some tactics work in some places, not in others. I think if I bubble that up a little bit, what this is really saying is you need to orient and understand what’s happening around you, the needs of the people around you that you’re trying to serve, and the broader business objectives that you’re trying to accomplish. And figure out how to leverage that such that you can maximize the effect that you and your team have, in a positive way, on the organization. That business acumen, if you will, I think has probably never been more important than it is right now. And for all you potential future security leaders out there or potential future CISOs, that is an important skill to master.

[David Spark] That is Andrew Hornback. All right, Geoff, is your favorite the same or something different?

[Geoff Belknap] I love that one, but I’m going to go with Dutch Schwartz here because I feel like he tapped into something that probably could be a show in and of itself. But specifically the part of his quote where he said, “People learn through stories. Tell them stories that are engaging and meaningful for everyone.” And really that is the key. I think one of the best books I read was by a guy named Chuck Wendig, which was called “Damn Fine Stories.” And it really stitched together how to make sure you’re telling a narrative that connects with people. Really the book is meant for people that are writing books, but your job here is to be chief storyteller about why security matters to people. I think things like that are helpful.

[David Spark] Excellent. And I read a book and I can’t remember who the author is…but “Make it Stick.” Same concept about getting concepts to adhere, if you will, and certain techniques of storytelling as well. All right, let’s wrap this up. I want to thank our sponsor for today’s episode, Anjuna. Again, they make the public cloud private. For more about them, Anjuna.com. Thank them very much for sponsoring this episode of the show. Geoff, I know that you’re always hiring. So, if you want to work at LinkedIn and work with an awesome person like Geoff Belknap, why you wouldn’t I don’t know, please just contact Geoff directly. By the way, would it have any value to you, Geoff, if someone said, “I heard you on the show, and that’s why I’m reaching out.”

[Geoff Belknap] I mean, it would make me feel great. I think a lot of the job here is making sure that people understand the culture that they might be stepping into is something that they would enjoy.

[David Spark] Okay. Now, Mike, final words. I believe you’re hiring because we talked about this recently. Any other last words?

[Mike Hanley] Yeah, just we are hiring, David. The security team at GitHub is about two and a half times bigger than it was 12 months ago, and we’ve got several dozen roles open in the next few months across all the disciplines, so check out our GitHub career site and look under the security tab for more information on open roles. We would love to hear from you.

[David Spark] Awesome. Thank you very much, Mike Hanley, who is the CSO over at GitHub. Thank you very much to my cohost, Geoff Belknap, CISO over at LinkedIn. And thank you to our audience, as always, for your great contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series, where he produces and co-hosts many of the shows. Spark is a veteran tech journalist, having appeared in dozens of media outlets for almost three decades.