You’ve just joined a company as CISO, what’s the very first step you would take to improve the security posture of your new company?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Olivia Rose, vp of IT and security, Amplitude.

Got feedback? Join the conversation on LinkedIn.

Thanks to our sponsor, Proofpoint

Sixty six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Proofpoint’s 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report.

Full transcript

David Spark

You’ve just joined a company as CISO. What’s the very first step you would take to improve the security posture of your new company?

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. Joining for this very episode is co-host, Steve Zalewski. Steve, prove to everyone you’re actually there.

Steve Zalewski

Hello, David.

David Spark

There he is. He is there. Our sponsor for today’s episode is Proofpoint. Thank you so much, Proofpoint, for jumping on board. By the way, if ransomware issues are of concern, you’ll want to stay tuned to what they have to say later on in the show. Our topic today, Steve, over on LinkedIn, Charles Chibueze of Deloitte, asks the question I asked in the opening tease. “You’re a new CISO, what do you first do to improve your company’s security?” Now, we’ve actually asked this question many times on our various CISO Series shows. The most common response has been to listen, learn the business, the environment, and understand the crown jewels. So, the question I’m going to be pushing here for us, in this discussion, is, is there a way to fast track the learning so you can be in an educated place to make decisions? Because my feel, when they hire a new CISO, they’re not, like, “Great. They can spend time learning the business.” That’s not on top of their plate, is it, when they hire you, Steve?

Steve Zalewski

Correct. And, I look at it as perception and reality, they don’t seem to be intersecting when you’re a new CISO coming in and everybody says, “This is what you do.” So, part of my conversation is, “You have to move faster”, but we don’t understand how to move faster when the perception is what we’re chasing and the reality is what we’re trying to understand.

David Spark

We’re going to try to dig a little deeper onto this very topic, beyond the just, learn the business, kind of thing, which is the most common answer that we hear, and we’ve heard it before, and to help us in this conversation is a CISO who has actually done this twice. Built a security program from start. She’s in middle of round two as we speak, so she will have a lot of experience to speak to this subject, and she’s been on our shows before, but not on this one, so I’m excited to bring her on. It is the CISO for Amplitude, Olivia Rose. Olivia, thank you so much for joining us.

Olivia Rose

Hello. I am so happy to be here again. You’re my favorite show to be on.

Where do we begin?

00:02:38:21

David Spark

Gary Taylor of Guideantz Cyber Risk Management said what we’ve heard before, “Understand the business. If you don’t understand that, you can’t improve anything”, and I think that’s an interesting way to put it actually. And, Samuel Kahura Wachira of CIC Insurance Company said, “Understand what you’re dealing with. Get to understand your stakeholders, what processes are defined, what is used, what is abused, what works, what doesn’t, what technology is in place, why it’s there, what works and what doesn’t.” Alright, Steve, this seems the generic launching point we hear from everybody. How hard is it to get to the point where, “Alright, I got it. I’m familiar. Let’s start doing things”, or is there a way to sidestep and start doing things even before you know the business?

Steve Zalewski

So, what I’m going to say is, my experience, like I think Olivia’s is, no two shops are the same. I don’t care what you are walking into or who, no two shops are the same, meaning what it is that you’re trying to be held accountable for, and what you have to work with, and trying to do all that assessment, that’s where everybody is saying, “Give me time”, and what I look at is, you’re a visiting chef coming to Olivia’s house, and you have to cook a meal for her and her family with whatever is in her refrigerator, and she has to be happy, and that’s the perception versus reality of what we’re trying to do to move faster.

David Spark

I like that metaphor. I’m going to throw this to you, Olivia. Did you have to learn everything in the refrigerator at Amplitude?

Olivia Rose

[LAUGHS] I don’t understand where you get the time to do that. People say all the time all these things like, “OK, so, for the first 30 days you need to go around, you need to learn the business, you need to learn where the crown jewels are, and then, the next 30 days after that you need to get to know your team, and so on, and by the time 90 days rolls around you should have a plan in place and know where your gaps are”, and I’m looking at this, and twice I’ve come into a company and both times I’ve just been like, “Where do you have the time?”, because this is, in reality, what happens. OK? For all of you who want to be CISOs and are going into a new company. I’m going to tell you what reality is right now. What happens is, the first week is a vacation week. Meaning, everyone gives you a lot of latitude and time to go around and meet everybody, and everyone says, “Oh well, I want to talk to you about this problem, but I’ll wait until you get your feet wet a little bit more.” The second week is when you’re no longer new and the vacation is over. So, while you’re still trying to figure out how to use the expense report system and how to figure out which Slack channels to join, and you haven’t even signed up for health insurance yet, you are being bombarded from all over the place with things like, “This is broken.” “The WAF isn’t working.” “We got this pen test finding back, which is critical.”

David Spark

By the way, did this kind of stuff happen to you in both your organizations?

Olivia Rose

Both. You don’t have the luxury of time to go…

David Spark

And so, you’re in week two or three, this is happening?

Olivia Rose

We do. If you even get that. You don’t have the luxury of time to go around and meet everybody, and get to know the environment or where the crown jewels are. You come in there and you can figure it out, right off the bat. This is what you have to do. You have to figure out what kind of business it is, what should the crown jewels be. Then you’ve got to figure out by yourself where they typically are, and you should know that even coming in, whether they’re an AWS cloud company or they’re on-prem or whatever they’re using. You should know that from your interviews already, and you should already know who the stakeholders and decision makers are from your interviews already. So, I do respect the opinion of people who write articles and talk about the first 90 days and the steps that you need to take but, in reality, it doesn’t happen. You don’t get that kind of lenient schedule.

Steve Zalewski

So, I’m going to jump in here on you, Olivia, because I’m going to say, this is set up for success is what they’re trying to do when they write about it. Set up for failure is what’s actually happening. It’s because you’re having to start to make decisions way before you’re ready, and most of us don’t have the luxury of having a prior CISO there to support the transition, or if you’re the first time they are a CISO you have unbounded expectations and no baseline to start that build from.

Olivia Rose

That’s very true, and in both my cases, I’ve been the first security leader in the door, so it would be nice to have that luxury one day. [LAUGHS]

If you look at the problem this way.

00:07:54:00

David Spark

Charles Chibueze, who is the author of this post from Deloitte, threw out a challenge to the group. He said, “What do you think about a CISO who decides to start with a penetration test? Comes [UNSURE OF WORD] to say, “See what we’ve got.” Now, my question to add to that, how much does the CISO need to know about the environment before they do the pen test? Could they do it with zero knowledge? And, would a pen test, out of the gate, fast track a lot of unknown information or would it annoy a lot of people? I’m going to start with you, Steve.

Steve Zalewski

What you really have is 48 hours to talk to your staff and figure out who you can trust and who you can’t and, based on that, start making some decisions. If you can’t trust your staff go for a pen test, because what you can tell everybody is, “I’m not sure who I can trust yet, so I’m going to start with a pen test”, but you’ve got to, in 24 to 48 hours, just make some really hard decisions on how you’re going to handle this, to start to elbow out some room to live until tomorrow, because if, all of a sudden, you have an incident because you’ve got an incident team who’s used to coming and telling you every little thing that happens, and you’re now spending 12 of your 24 hours working on incidents that are irrelevant, that’s what I mean, you’ve got to start making some real hard decisions to push things back, and start to figure out who you’re going to trust in 48 hours.

David Spark

Alright, I’m going to throw the same question to you, Olivia. I like your answer there. Could you do this, and have you done a pen test out of the gate?

Olivia Rose

This is such a loaded question. [LAUGHS] I can’t figure out which way I would go. I think it really depends on the environment I’m walking into. Part of me says, “I don’t know the entire environment that would be pen tested”, so I may not do a full scope, or part of me goes, “Well, if I did a pen test and I get the findings, I don’t know how things work quite yet to prioritize or remediate.” Which group does it? Does my group do it? Who does it, how fast and so on. So, in my mind, I would just, personally, I think it’s up to the CISO’s comfort. I would, personally, want to get a little more comfortable with how things are. I would give it, probably, two to three weeks, and then, possibly, do it if I was not getting answers. It also depends if they’ve already recently had a pen test done by a reputable company, or if they’ve had a risk assessment done recently, so it depends on that as well. But, if I did choose to wait I would definitely pray for nothing to hit us, to be honest.

David Spark

Here’s more my question is, again, this is me just shooting from the hip here, let’s just say you did a pen test early on, would it actually help speed up decision making, like you said, on week two I’ve got to deal with this and that, would it actually help in that? Or, it’s not really going to help in that environment?

Olivia Rose

I think it depends on the CISO and their background. For me, it would not, because I have years upon years upon years of being an advisory CISO and I’m trained to go into environments and very quickly sensing and picking up what’s going on. So, I lean on that. However, a more technical CISO without that experience may feel more comfortable with doing the pen test.

David Spark

I’m going to throw it to you, Steve.

Steve Zalewski

And, I’m going to say, guess what Olivia? You’re doing the very thing that we’re talking about here, which was it depends. I don’t know. Maybe. I need time. The whole exercise here is this isn’t war. You have to triage. You do 24 to 48. Every decision you make is a decision to move you further forward so that you have tomorrow. Not, well, what are the implications when tomorrow comes? You’ve got to stay alive, right? You do a pen test, you do a quick check. What’s the value to the business? If it’s e-commerce driven, I want a pen test on my e-commerce site. I don’t care what it finds. I want to have a baseline to know what it is. If it tips over, that’s awesome, because, guess what? I just focused on the most important thing.

Olivia Rose

Yes, OK, if we’re in a war situation [LAUGHS] like it could be with you, but we’re, typically, not. But, it depends. If they’ve had a recent pen test I would definitely lean heavily on that.

Sponsor – Proofpoint

00:12:20:21

Steve Prentice

It has long been said that human beings are, indeed, the primary weak point of cyber security, which means they should also be the primary focus of the solution. Proofpoint is an organization that provides a multi-faceted approach to people-centric security, and Brian Reed, who is on their security strategy team, believes this has greater efficacy than, as he puts it, “Just throwing tools at the problem, throwing phishing tests over the wall to see if they stick.” I asked him how they deliver their solution. Is it software, API or training?

Brian Reed

The answer is really all of the above, depending on the products and the capabilities there, so, certainly, APIs can be great things, like, provide visibility into application usage in the past, and provide some insight and some predictive ability for the kinds of things that you might do in the future. Certainly a technology like remote browser isolation can take an active role. When you go to a website that’s unsanctioned or unapproved and you don’t have the ability to put on a full endpoint agent per se to have that visibility at the endpoint, like you might want to. And, the same thing for security awareness training, and having a diverse set of content is critically important. You can’t just say, “Hey, you’re failing phishing attacks or simulations. Let me just throw a bunch of CBT modules at you.” That’s not a very effective way to make your people smarter and to really empower and enable your users.

Steve Prentice

For more information visit Proofpoint.com

What are the best ways to take advantage of this?

00:13:59:05

David Spark

Carlos Neto of CyberSecOp said, “Interview the team. Find out where they are happy and pain points. Begin the relationship before I even look at the technology stack compliance requirements.” Now, Jesse R. J. Qurollo of the Q. SECRET SERVICE said, “People facilitate mission success, so I would start with establishing a pleasant working relationship with decision makers, and take note of toxicity where it exists.” And, Ejovi Agarvin, of Willis Towers Watson, also referenced something called the power interest matrix, which is a chart showing how much or little management you need to do of people, depending on their interest and power within the organization. And, lastly, toxicity not only reduces productivity, but as Judai B noted, “It also breeds insider threats.” So, I will start with you, Olivia. This is all speaking about people and about the need to get people to work for you and work in the way you need them to work, and they’re saying, like, I just need to know what the environment of the people is before anything else. How much do you believe that?

Olivia Rose

I really don’t. In both my cases I came in and there were people here and I go in with the assumption that they are adults and they can continue doing their jobs for another three to four weeks until I get my bearings. That’s how I look at it and, along the way, of course I reach out to them and connect and care about them, but, to me, it’s more important to find out what’s going on with the environment rather than build a power interest matrix.

David Spark

Good point. Alright, Steve, what’s your take on this? How much do you need to get the people on your side in the first three or four weeks, because, you know, the first impression is always the most important, right, Steve?

Steve Zalewski

That’s right. And, if you’re in a five billion dollar, 10,000 person company who’s got security, versus you’re in a 200 person startup that’s just trying to get to security, to Olivia’s point very different, so who you have to make happy, that’s the whole point. The value of a decision is that you make a decision. It doesn’t have to be right, OK? What you’re demonstrating is, you’re coming in, doing that triage based on your experience and starting a plan forward, and the decisions, right or wrong, are setting the tone for how you believe you have to succeed with this organization, and you course correct, because every decision is a checkpoint, and if you don’t make a decision it’s hard to make checkpoints, and that against the size of the company then predicates whether you’re trying to look at the business to make it happy, or whether you’re focused on your team. But, the decision making is the most important thing to get started on that, to establish your brand in the company.

David Spark

But, with that being said, and I’m going to throw this one to you, Olivia, have you done this or you made an early decision? You told the team, “By the way, I did this”, and did you get any flack for it, like, “Hey, you know, we really shouldn’t have done that”, or they’re, like, “OK.” How do they respond when you’re making those very early decisions? And, is it, by the way, scary to make those decisions? Like, “Oh, jeez, how are they going to respond to this?”

Olivia Rose

I communicate a lot. I pop in on Slack in the mornings. “Hey, how are you?” They know they’re not forgotten. It’s just, my team has to expect that here is a security leader coming in who has a big job to do and a lot of heaviness and responsibility, and, quite honestly, I know this sounds really harsh, but somebody who’s clamoring for my attention in the first two to three weeks, you know, I’m going to start thinking some not so positive things about them. I’m going to think that they’re looking for attention. I like to hire adults who are excellent at what they do and have a very positive attitude, and I’m very lucky in that regard. So, I don’t feel like I need to tell people, “Hey, look, we’ll get back with you in a few weeks”, but I actually do. I say, “Let me get an idea of, you know, comfortable here, and then we will start setting up meetings”, and I walk the walk and I talk the talk. So, if you say something like that and you follow through people begin to trust you and they’ll follow your example. So, that’s my attitude, and it’s been very successful.

What are we going to do now?

00:18:36:23

David Spark

Matt Ivaliotes of CardX said, “One huge relationship would be with HR, both for purposes of aligning on compliance, and to make sure that we’re not handcuffing ourselves in terms of the talent we recruit into infosec”, and Conrad Culling of Millennium Space Systems said, “Make sure MFA is everywhere, and everything is encrypted and backed up. There goes most of your security posture issues.” Steve, I’m going to start with Conrad’s line. I, kind of, like that of, before you look at anything just do this, because we talk about this on the show all the time. Especially, like, MFA and, he doesn’t mention this, but password management. If they don’t have some of the really core basic stuff, oh my God, get that instituted right away. Yes, Steve?

Steve Zalewski

Here’s what I like about this, which was one way to survive, right, to do this is you’ve got to ask some hard questions, and you’ve got to decide do the hard questions have to be asked within my team, whatever the size of the team is? Or, do the hard questions have to be asked to my peers, depending upon the executive level that I’m with? So, on one hand, I want to come in and I go, “I want to see the business impact analysis. I want to see my risk register at the business level because I need to know what in the business is the most important thing to protect.” So, what I’m putting the business on notice is, “I have an expectation that you’re doing your job. I need these documents and this information to do mine. I don’t need to do an assessment. You just tell me what it is, and if you don’t have it”, we can have a conversation right there. Now, I’m at a decision point. Within my team it’s the same thing. What does my identity and access management program look like? That’s the first thing I want to know. How mature is that program that I know who has access to what, because everything else is premised on, if I don’t know what it is or who it is, how can I know what it is? What to do about it? So, that’s a case where I would quickly go, I need these two sets of questions answered. One is business facing and one is internal so that I can immediately then come back and figure out which of the two is critical. But, you see me doing this triaging concept of, with my experience, what decisions do I have to put on the table in the near term to establish who I’m going to be as a leader and start to build that trust into the organization, as well as respect.

David Spark

Olivia, did you do something like this in your interviewing, where you were learning a little bit about the environment? I’m assuming, during the interview process, you learned a little bit about the environment. Oh, you’re waving your hand.

Steve Zalewski

I was going to say, she’s making funny faces at me, so, clearly, she’s got her opinion.

Olivia Rose

[LAUGHS] I’m waving my hand at Steve. Actually, can I address Conrad’s comment?

David Spark

Sure, go ahead.

Olivia Rose

So, make sure MFA is everywhere and everything is encrypted, backed up, there goes most of your security posture issues. OK. So, I would like you to go in as a new CISO and say, “MFA needs to be everywhere. Everywhere it’s not, put it in.” “OK.” Do you know how much backlash you’re going to get? Holy moly. Oh, my God. That’s the first thing. You’re going to come across as somebody who is black or white. You know, there’s no gray in the middle. You are somebody who likes to cut off access and makes it difficult for everyone to get in and do their jobs. That is the reputation you’re going to get. The second thing is, everything is encrypted, backed up, that doesn’t work in real life because there are databases of data that, for example, in the cloud, that if you encrypt them, for example, you are going to decrease velocity. You can’t just back things up and encrypt things when you’re coming in as a CISO because there are many decision points to make that kind of decision. So, if I’ve come in and I’m going to wave my wand and I’m going to say, “Let’s MFA everything and make sure everything is encrypted and backed up”, and then, yes, there goes most of my security posture issues, I’m going to get kicked out in my third week there for being too harsh.

David Spark

I read Conrad’s line though more about, make sure some really basic fundamentals and, yes, he’s saying it more with a sort of like a bull in a china shop attitude, but what I see in that, and I’m reading a little bit more between the lines, is that in those interviews that you have, and you’re finding a little about their environment. It’s, like, “Have you tried to implement MFA?”, and they say, “Oh, no, we haven’t even done that?” and, I’m, like, “Alright, we’re going to get rolling on that pretty soon”, kind of a thing. Even though it’s not going to be everywhere. I’m, like, “Alright, I’m walking into a shop that doesn’t have MFA. We’re going to look into why that isn’t the case and, maybe, we can get that fast tracked.” I’m throwing that out as an example. Was there an example like that where you heard something early on and are, like, “Yes, we’re going to have to address this quickly.”

Olivia Rose

Yes, of course. Because in the interviews there’s always one or two people who just, literally, tell you everything because they really want you to get the lay of the land before you make a decision. [LAUGHS] So, you do know, kind of, at a high level where the problems are and, typically, problems are the same anywhere across all organizations. Anyway, so put those two things together and, pretty much, know what you’re walking into. For example, one, I, of course, can’t say what it was, but I was told very clearly on what the problem was, and I came in thinking, oh, this is not hard. There are solutions that fix these kinds of problems. But, the more I heard about it the more I realized this has impact from several teams who are overloaded with X, Y and Z, who don’t have the capacity or the knowledge. This is a much larger concept, and so, as a CISO, you have to look at the big picture and how things snowball into each other, and look at the time and the resources it takes as well. You can’t just go in and say, “Do this.”

Steve Zalewski

Well, and Olivia, you can also accept the risk. If the company has spent the last two years digging this hole, and now you know it, right? Technology probably isn’t your answer. It’s because the people in the process aren’t ready. So, what you say is, “Hey, for the next six months we’re accepting this risk, because if you want me to ready, fire, aim, I will. But, you sign on the dotted line for the consequence of that.” See what I mean? You’ve got to make hard calls.

Olivia Rose

Yes, absolutely, and if they say, “Well, we want to go for this type of compliance”, you can say, “Isn’t going to happen.”

Steve Zalewski

That’s just it, right? Which was, my job is to tell you the brutal truth and then work together to get where you need to be.

Closing

00:25:33:06

David Spark

The brutal truth is, this episode is now coming to a close.

Olivia Rose

[GASP]

David Spark

And, with that gasp, Olivia, I will ask you, what was your favorite quote and why?

Olivia Rose

You know what? My favorite quote actually came from Steve.

David Spark

Oh, wow, Steve.

Olivia Rose

You had some doozies today.

David Spark

That’s why he’s the co-host. He’s awesome. What did Steve say that you liked so much…that I can shoot down, by the way. Go ahead. [LAUGHS]

Olivia Rose

It was one at the very beginning. Perception does not equal reality. Yes.

David Spark

Yes, and I think you double down on that quite nicely later on.

Olivia Rose

[LAUGHS] Did I make myself clear? [LAUGHS]

David Spark

Do you know what this reminds me of? Years ago I met this woman who, before she had kids herself, she taught a maternity class, which I thought was bizarre, and she taught this very, sort of, new agey way of raising kids and stuff, and then, she had children herself, and then, after she had children, she realized she should have titled the class Raise Your Kids With Bribes and Threats. [LAUGHS]

Olivia Rose

[LAUGHS] See.

David Spark

Which is not something she realized before she had kids, and that’s what I think about when I think about the perception and reality. It’s, like, you want to approach it the new agey way of having the 30 days here, and the 30 days there, but the reality is, there’s going to be a lot of bribes and threats to get this darn thing done.

Olivia Rose

Good luck with that. That’s what I say.

David Spark

Alright, Steve, your favorite quote and why? And, by the way, you are not pressured to mention a quote from Olivia. [LAUGHS]

Olivia Rose

Come on.

Steve Zalewski

I’m actually going to pick a quote that has a lot to do with Olivia doing such a great job really working with us and taking this apart. This was Defense in Depth. This was knock it off. What have we got to do, right? And, I’m going to go with Gary Taylor from Guideantz Cyber Risk Management, where he says, “Understand the business. If you don’t understand that, you can’t improve anything.” But, here’s my take on that. He’s not thinking it through. What we’ve really talked about today is you want to have to understand the business of security and the security of business, and you have to put both of those lenses on, because that’s the business, because the business of security is what Olivia’s trying to handle and me. But, the security of business is the ultimate goal of what we’re trying to do, and you’d better have answers to both of those and that your decision making is taking into account that, and that’s really what we teased out today, and why I like that quote.

David Spark

I agree as well. Thank you very much, Olivia. Thank you, Steve. Thank you to our sponsor, Proofpoint. I appreciate our audience and all the contributions you give. If you see a phenomenal conversation online please let me know about that, and keep contributing to the CISO series, and tell your friends to listen, if you haven’t done that. And, I don’t say this enough, go leave a review on iTunes for the podcast, and join us on one of our Friday video chats. If you’re listening now on Thursday, we probably have a video chat tomorrow. Just go to CISOseries.com and click the register for video chats button and join us. It’s a lot of fun. Thank you again, everybody. Wait, you’ve got something to say, what?

Steve Zalewski

Olivia, are you hiring?

David Spark

Oh yes, I always forget. I’m sorry. Are you hiring, Olivia?

Olivia Rose

I will be in a few months. I just hired two stellar director level positions, so I will be, but I would like to point everybody to please remove your professional college requirements and your crazy certification requirements for entry level jobs. I think it’s critical that we level the playing field for everybody who can’t afford to go to college or has not had the time or ability to network with others, so that is a project that’s close to my heart.

Steve Zalewski

Hear, hear. I second that. Absolutely.

David Spark

And now, I’ll say, thank you everybody for participating and listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.