Defense in Depth: How Can We Simplify Security?

Why is cybersecurity becoming so complex? What is one thing we can do, even if it’s small, to head us off in the right direction of simplicity?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Leda Muller, CISO at Stanford, Residential and Dining Enterprises.

Got feedback? Join the conversation on LinkedIn.

Thanks to our sponsor, Eclypsium

Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants

Full transcript

David Spark

Why is cybersecurity becoming so complex? What is one thing we can do, even if it’s small, to head us off in the right direction of simplicity?

Voiceover

You’ve listening to Defense In Depth.

David Spark

Welcome to Defense In Depth. My name is David Spark. I’m the producer of the CISO series and joining me for this very episode is the very eloquent and very wise Steve Zalewski. Steve, the sound of your voice, so people know to blame throughout the show.

Steve Zalewski

Good afternoon audience.

David Spark

That is the sound of Steve Zalewski’s voice. You’ll hear that a lot more, but first I want to mention our sponsor, Eclypsium. They actually have a rather interesting solution that we have not seen from a previous sponsor and that is looking at firmware code throughout the enterprise. Identifying, verifying and fortifying it all throughout. More about them later in the show, so stay tuned for that. Now next, Steve, I want to talk about today’s topic and it was something that you brought up. You started a rather heated discussion on LinkedIn about cybersecurity just becoming more and more complex and you were looking for suggestions on how to make it less complex. First, what do you think is causing the increase in complexity and second, where in general should we be looking for simplicity?

Steve Zalewski

Yes. So, I want to start by staying I hit a moment of frustration and literally vented to the audience.

David Spark

By the way, in all your years of cybersecurity, this was your first and only moment in frustration?

Steve Zalewski

No.

David Spark

Okay. Good and clear. Go on. You mentioned to the audience?

Steve Zalewski

So, at the moment of frustration and said I want to hear what other people are thinking, because where I was going was why does KISS keep it simple, continue to be further and further in our rear view mirror as a guiding principle for security organizations? And so, that was the simple question. Now, the responses surprised me somewhat with the breadth, depth and perspectives of the suggestions and recommendations. They were everywhere. As a whole, I would say the complexity is a result of both the maturity and the immaturity of the security domain. And we’ll talk about that. And as far as where in general should we be looking to simplify? It’s clearly in the future. That the day has not come yet and that we need to figure out how the time machine works and jump forward ten years, and I think we’re going to get there.

David Spark

Well, we’ll be there in ten years and the person to help us on this journey, who you brought to us for the show, we’re very excited to have her on, first time on any CISO series programing, it is the CISO at Stanford Residential and Dining Enterprises, Leda Muller. Leda, thank you so much for joining us.

Leda Muller

Great. Thanks for having me today. Happy to be here.

How do I start?

David Spark

Tony M said “Learning to effectively communicate cyber risk across all levels of the organization, from the support staff all the way up to the Board of Directors, when you can do that, it allows for easier conversations around implementing tighter security controls, hiring more staff or buying a new product.” And Dutch Schwartz of AWS said “With technical stakeholders…” And he’s, you know, sort of referencing what Tony said about the communications, and so he says “With technical stakeholders, like Dev teams, talk about security as quality and with business peers, use a language and key metrics of success for the business. To deliver a high quality experience to our customers we’ll be investing in X which will also ensure we hit our Time To Revenue goals of Y, else bad thing Z happens.” And Alon Bender of CLEER Security added “Most successful cybersecurity professionals I have worked with were those who could tell the cybersecurity story without talking about a single feature or product.” And I love that last quote, which I think kind of sums everything here is “A good storyteller that does not get them into any weeds whatsoever.” Steve?

Steve Zalewski

I agree. I think Alon Bender did a great job of simply saying this is where the future is. If we can go forward, we all have to be there. But the maturity and immaturity of the organization and the people is the reality. And so, I thought that was a great statement. But I like what Dutch had to say, and the same thing with Tony, because what you’re saying is can you communicate well? Can you tell a good story? Yes. Do you have good technical controls? Do you understand your risk? So, keeping it simple and trying to do a simple thing, really depends upon you as the CISO and the comfort level that you have in your role in the company you’re in, to try to figure out what simple looks like.

David Spark

Leda, we’ve heard this story many times that the CISO is the great communicator and has to speak many different languages of the business. Do you see that as your role?

Leda Muller

Yes, definitely. In our organization at Residential and Dining Enterprises, I have probably every type of role and position that you can think of– Custodians, Facilities Managers, Technical Project Managers, Construction Managers– and I need to understand what they’re doing in their day-to-day business to be able to support them and do it securely. So I definitely see that.

David Spark

And what helps in the simplifying process and think back for a second? Like, I’m guessing you didn’t start like, oh, I’m going to be simple on day one. Like, we never sort of behave like that. You know, and that’s one of the things that’s kind of interesting about all things in general is that the simpler something is, the harder it is to get there. So, I’m interested to know, can you think about, like, where you were and how hard it was to get there?

Leda Muller

Yes, definitely. The way I learned and where I am today is really learning about the organization. Some things were simple. I started out in our Housing Department and learned what was going on from Housing and I was just in my little world in Housing and not understanding what Dining was doing and what Hospitality was doing. In 2008 we actually shifted my group to help Central and I was able to learn what the operators are doing. And thinking security, as I moved into that role, how we would be able to progress to move forward.

David Spark

Alright. I’m going to have you close this out Steve. Your one tip to simplify communications or to improve storytelling?

Steve Zalewski

I’ve got nothing.

David Spark

No.

Steve Zalewski

What I would say is take the complexity and take the pride you have in being able to solve hard problems and tell the story to your three year old. That really you want to dumb down what you do. To not be security, but to be what’s important to the organization, whatever that looks like. I would say that’s my one tip that I’ve taken away around what keep it simple looks like and simplicity as the next step in your organization.

What are the best practices?

David Spark

Dom Walterspiel of Wiz said “It has to start with 100% visibility into what actually matters most to an organization.” And by the way, this was echoed many times in the thread. And Dragos Stanescu of SecurityHubs said “The complexity is often the result of missing appropriate information” and he recommended a clear image of exposure, third party supply chain and its risks and to conduct threat models. Now, Abhishek Singh, he threw a whole different wrench into the discussion. He’s from Araali Networks and he said “One would traditionally think that visibility is the first step.” And, you know, we’ve heard this line, like, many times. We’ve all heard it. Like, you can’t protect what you don’t know you have. Like, we’ve heard this so many times. But Abhishek goes on and said “But visibility is part of the complexity today, and contributes to it, information fatigue. The first thing is to identify your protect surface. You don’t need visibility for that. What are you trying to protect?” So, these are two concepts really at odds here. Steve, where do you lay? Do you need to take inventory which, by the way, is at the beginning of the CIS controls or understand your surface and understand what you’re protecting?

Steve Zalewski

So, as a traditionalist, you can’t protect what you can’t see.

David Spark

Right. The line we’ve heard many times.

Steve Zalewski

We’ve heard that line over and over again, right? And we’re being required to see more and more that was out of scope, even as little as six and nine months ago.

David Spark

And again, this is Abhishek’s argument.

Steve Zalewski

And so, what I like about Abhishek– and I know him and he’s doing some great work over there and he’s really thinking this through– which was what are you trying to protect? He’s made the leap now from don’t try to just create a lake of everything that you can see and be responsible to protect it, but understand what your risks are and what you really need to protect and set your perimeters around that. So, start to look at risk. And so he’s beginning to make that conversation, “I’ll never see it all, I’ll never protect it all, I’ll never contain it all, so I’m an insurance policy now and so, what is it that I truly have to do to be able to communicate that simple story?” So, I really like where he’s gone, because I think he has made the bridge between KISS old school and KISS second generation.

David Spark

Leda, how do you feel about this? Again, do you have to have a full inventory before you can even begin? Again, it’s what we all believe. Abhishek says “No, just know your data and protect that.”

Leda Muller

Right. You know, I’m going to go back to the last 18, 19 months with Covid. We’ve been very pivotal, right? Our business has changed and new products and applications have come to bear into our organization, so I agree with the risk, I agree with what we see in what surface, but it seems to be changing, and just like we were talking about security, it is happening faster and faster. Change is happening and we need to be pivotal to understand what’s going on within our organization.

Steve Zalewski

But, I want to tell you, Leda tells a great story, right? Which was she’s responsible for dining, she’s responsible for hoteling and she was talking about all the stoves now being Wi-Fi enabled and all the ovens. So, 18 months ago or two years ago, she didn’t have to worry about the stoves being hacked and no food being served to a whole bunch of hungry college kids.

David Spark

Do you have a lot of appliances that are Wi-Fi enabled then?

Leda Muller

There’s more and more IOT and it’s not only that, it’s also the temperature monitoring. Not only with the food. We used to monitor the temperature for the food, but it’s also the people. That was something that came in during Covid, that we wanted to check temperature and it’s looking at the IOT devices, what’s on the network, what’s not on the network and anything of the stuff that’s not on the network, where’s that data going?

Sponsor – Eclypsium

Steve Prentice

Action speaks louder than words. Perhaps no-one is more passionate about this idea than Scott Scheferman, Principal Strategist at Eclypsium. A company dedicated to proactive firmware defense. In his words “Without proper action you’re doing cybderdefense wrong.”

Scott Scheferman

A lot of times we do cyber theater and we talk amongst ourselves and we all kind of nod our heads. If you don’t already know that you shouldn’t be using multifactor over SMS, you’re doing it wrong and you haven’t taken that action as an organization fast enough. If you don’t already know that actors like TrickBot are going down to firmware and then you have aTrickBot infection and then your forensics are not actually looking to see if the device itself is compromised at firmware level before you reintroduce the device to the contested environment, you’re doing it wrong. So, we tend to focus on this low-hanging fruit, kind of patch cycles and dealing with requests from the Board saying “Hey, are we protected from the latest thing I just read about in the news?” And you kind of get in this fire drill on your heels mode and you’re telling yourself what’s the matter if when not if and you’re building your whole legacy as CISO as one that’s reactive and one that anticipates a breach and my call to arms for a CISO is just to say is the second you build your legacy around being on your heels you will, in fact, find yourself on your heels reacting all the time. When you can tweak these areas you start to realize I can actually get ahead of these things as an organization, a SecOps cadence. Being able to make decisions that matter and in time to matter, fast enough to matter.

Steve Prentice

To learn more about Scott and his team’s approach to proactive firmware security go to Eclypsium.com.

What are we going to do now?

Voiceover

David Spark

Jonathan Waldrop of Insight Global said, “Get the most out of your current toolset/licensing before you buy the next shiny technology and leave the default config in place.” We’ve heard this a bunch of times too and I must say, learning more about what you have and buying the next shiny thing, buying the next shiny thing is always easier than learning more about what you have, I have sort of discovered. Let me go on to say that Tim Prendergast of strongDM said, “Resetting the playing field and making everyone equal

stakeholders at the table is the only way to reduce the current biases in most organizations. So Lena, this is interesting. Just work with the environment you have actually is kind of the number one tip for simplicity from both Jonathan and Tim. What do you think?

Leda Muller

I agree. Just recently I think I had an aha moment about two weeks ago with the solutions that we’re using right now and we were looking at another shiny new toy. We don’t have the resources to help manage that shiny new toy.

David Spark

And, by the way, let me pause you for a second. It probably really was a shiny new toy and you probably wanted it.

Leda Muller

Oh yeah.

David Spark

And the problem is, it’s like, but who’s going to manage this, how is it going to actually work, how are we going to roll it out? Like, I was just talking about this with another start up and the problem is not them buying your product. That’s got to be the easiest part of this whole process. It’s everything around it.

Leda Muller

Yes. No, definitely.

David Spark

And that’s, I think, where this whole complexity discussion is.

Leda Muller

Yes, definitely. I would have loved to have gone forward with this product, but we don’t have the resources and I said let’s take a look at what we have and what can we do, because we still haven’t done the deeper dive into what we have and the information and the analytics that it can provide to us. So, I’m at that point where I don’t want to look at other products, because they’re solving different problems, but I’m almost looking at that one shot fits all again. Remember, the one stop fits all? Because the products that I do have were pulling this information from this one. This information from this one. We still have to pull that all together in a PDF, in a spreadsheet. So, that’s kind of where we’re at right now, so I do like what Jonathan says and that’s where we’re at right now.

David Spark

So, Steve, then per Leda’s comment, is the complexity this need to constantly integrate product to product to product?

Steve Zalewski

So, there are 6,000 vendors out there, product vendors.

David Spark

By the way, that number keeps changing, I will tell you.

Steve Zalewski

Yes. And it only keeps getting larger. It was 4,000, then it was 5,000.

David Spark

The market is definitely not shrinking.

Steve Zalewski

Right. So, it’s like going to Costco and looking at all the different TVs every week and trying to figure out which one you want.

David Spark

No, there’s 6,000 of them.

Steve Zalewski

There’s 6,000 TVs and you’re going to Costco and you’re trying to figure it out. My point being, like Leda, don’t go to Costco. You’ve got to stop going because you won’t buy a TV, but what you’re going to go do is go buy five other things you didn’t know you needed because you’re out there shopping. And to Leda’s point, there’s always a new shiny object. So, my challenge to myself was, alright, wait a minute. Instead of going to shop more, what are my least effective tools or processes that I want to stop doing, so that I can create some capacity to be able to go somewhere. To the point of don’t go shopping, but look at how effective what you have is and simple doesn’t mean keeping everything you have. Clean house once in a while. And I think that’s an area that we can talk about, a lot of people can challenge themselves to do, is to think about the insurance policies that you’re effectively taking and which ones is it time to just cancel.

David Spark

Let me ask either of you, can you think of a single example where you actually looked back a product that you didn’t know could do X and you’re like, oh wow, we can implement this now? Either of you have a story like that?

Steve Zalewski

So, I do. And I’ll use the product name. KnowBe4, for security awareness. So that you can do security awareness campaigns. And then they implemented security awareness training. And then they did internationalization. Okay, all good things. Well, they had a whole another module out there for physical security. And so then, one of the people were saying “Well, why don’t we implement the physical security component too, because corporate security and physical security also has a play?” And so, there’s a case where we weren’t leveraging every component of the product that we bought. So, the efficiency of leverage wasn’t there, but in trying to drive efficiency, the question was how effective was the tool at doing some of the additional things it could do?

What aspects haven’t been considered?

Voiceover

David Spark

A couple of very interesting takes on this problem. First from Erik Bloch of Sprinklr and he said, “Work backwards. What are the outcomes you want to see? Often by reframing the question, you can come up with new ways to solve it. The days of buying the best of breed point solutions is over. Simplicity and outcomes are the key.” Kind of a tip to what you just said Leda. And I’ll also close here with Duane Gran of Blue Ridge ESOP Associates. He said, “I would try to approach this by soliciting feedback bottom-up. The junior analyst can tell you that three-fourths of the functionality is duplicated in these two tools.” So, a nice tip of the hat to our last segment there. Leda, have you done this work backwards or, like, hey, why don’t I talk to the people who are touching these tools all the time to tell me what’s going on?

Leda Muller

Yes. What I will say, from my Senior Lead Analyst, who isn’t one of our tools and our vendors, the vendor engagement that we’ve had with this one vendor has been awesome. We have monthly meetings with them and four out of the five feedback that we’ve provided have now been implemented into the solution. So they are listening to what we are facing in our day-to-day and what our needs are, and if it’s not in the tool, they implemented it.

David Spark

That’s awesome. That is a true partnership.

Leda Muller

That is a true partnership and it’s been amazing. I just have to say that. It’s been amazing and I’ve been very happy on what now that we’re getting. And, again, what we didn’t know that was in the product that is in the product or what we’ve asked for is now there and it’s helping tremendously.

David Spark

And that kind of feeds into what we were just talking about in the last segment. Getting more out of what you already have. Steve, what do you think of the work backwards technique or just talking to the people who are touching the products all the time?

Steve Zalewski

Yes. So, I understand and talk to the people that are touching the products all the time, because they know what’s working and not working. So they’ll tell you what to do incrementally, which generally implies more resources, more time, more effort. What I really like about Erik and work backwards, another way to think about that is what are you going to stop doing? What are you going to take out of scope and explicitly tell people I cannot do those problems anymore or I cannot accept those problems? That the working backwards that he’s talking about as a CISO is how do you simplify your organization and do that in a way that clearly communicates the risks that you can do something about and those that you can’t? And can’t means people, process or technology. But it really hammered home for me when I read Erik’s about “Don’t just tell everybody what’s in scope and why you need more resources. Be very clear about what’s out of scope or what you’re taking out of scope, so that you can keep it simple and you can maximize the effectiveness over the efficiency.”

David Spark

And by the way, you tipped something that we need to do a future episode in. What should we stop doing in cybersecurity? What can we do to give us more time? And this feeds into simplicity right there. You know, I always say this, does anyone know anybody who works in cybersecurity, or any business, but let’s just stay in cybersecurity because that’s what we’re talking about, does anybody know anyone in cybersecurity that works a 40 hour work week?

Steve Zalewski

No.

Leda Muller

No. But one thing to add and, again, another aha moment, more that’s coming into cybersecurity with privacy and other areas that are being covered, we are expanding our depth and breadth.

David Spark

And physical security being one of them.

Leda Muller

And physical security, right? So, I don’t know where the border is on it.

David Spark

It’s more than just the surface area to protect, it’s the different vectors you need to deal with.

David Spark

Well, that brings us to the very end of the show. Leda, thank you very much. I asked for both of you to give me your favorite quote and why. Leda, what was your favorite quote and why?

Leda Muller

I liked Alon’s. Alon Bender’s. Most successful cybersecurity professionals I’ve worked with were those who could tell the cybersecurity story without talking about a single feature or product. And it does go back to storytelling and communication.

David Spark

And do you adhere to that philosophy?

Leda Muller

Yes.

David Spark

Do you ever find yourself falling out of it?

Leda Muller

I’m sure once in a while.

David Spark

But this product is so cool. You should see what it does.

Leda Muller

Right.

David Spark

Steve, your favorite quote and why?

Steve Zalewski

So, I have a tie this week. First time ever. Between Abishek Singh of Araali Networks, because what I really liked was he challenged the status quo. Get simple, okay? What are you going to do? Which was let’s start looking at what you’re trying to protect, right? So call into question what you’re doing. And then the second one, and I think at the end the one I really have to give it to is Erik Bloch from Sprinklr. Work backwards. Really simplicity and outcomes are the key that, that’s the way you’re gonna handle it. So, I think he really did the best, in my mind, for summarizing it, but I really like have Abishek had a really clear example of one of the ways that you can address simple simplicity. That’s mine.

David Spark

Well, I think the two actually go hand-in-hand, because work backwards, I mean, what we all said. Well it’s data it’s ultimately what we’re protecting. We’re not trying to protect firewalls.

Steve Zalewski

Well, and that’s what I mean, which was, it was really good, because one dovetailed on the other. One is very practical, one was really nice from a thematic perspective of, like I said, what’s the one thing that you’re gonna do to simplify your responsibility, so to speak, so that we can do this. And we’ve talked about a whole bunch of ways, which is why all those responses were all over. What did I say? Maturity and immaturity are both reasons why we have a challenge and we need to look to the future. We need to get to the future for a lot of these, so that we can just start to summarize and simplify and not keep touching all the different parts of the elephants. Let’s get to the legs, the trunk, the ears and not just be touching parts.

Closing

David Spark

An excellent point. Alright, well that comes to our very end of the show. I want to thank our sponsor, Eclypsium. That’s E C L Y P S I U M. Eclypsium. For your firmware protection needs, check them out. Both of you have any last thoughts? And, by the way, Leda, I always ask our guests, are you hiring?

Leda Muller

Yes. Yes, we’re hiring. Yes.

David Spark

Well, I want you to make a final plea for any staff you’re looking for, or anything you’d like to say. But first, I’ll let you have the last word Leda. For Steve, any last words?

Steve Zalewski

I would say this was yet another very difficult topic. That we took it apart as best we could. There’s no simple answer, but I think we’ve got some simple themes and really appreciated the audience and the people that offer their perspectives. I think it was really valuable, it’s really high quality input from our audience, so thank you.

David Spark

Leda, if I want to work on your team, where cybersecurity is becoming simpler every day, where would I go?

Leda Muller

You’d go to the Stanford careers website at careers.stanford@edu. You’ll see everything listed there.

David Spark

Any other last words about this topic or anything else you want to pitch?

Leda Muller

Sure. Yes, I do want to pitch. Started a non-profit called Pocket Security and we started it back in March, so it’s brand new and it’s basically a non-profit for non-profits, to help them with their cybersecurity. So, we’re one of the few, or maybe the only one that is out there. So, very excited. We’re putting in for some grants right now and we’ve been building our Board and our strategic advisors and so, you can go to pocketsecurity.org and look at our website.

David Spark

I’m assuming there’s ways to get involved there?

Leda Muller

There’s ways to get involved, yes definitely. We can always use help. So, very exciting.

David Spark

Excellent. Well, thank you very much. That was our guest of today. That was Leda Muller, who is the CISO at Stanford Residential and Dining Enterprises and also Steve Zalewski and a huge thanks to our audience, as always, for your participation and for listening to Defense In Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.