Defense in Depth: Start a Cybersecurity Department from Scratch

A 500+ person company doesn’t have a security department. They need one and they need to convince the CEO they need one. How do you build a cybersecurity team and program from scratch?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rishi Tripathi (@ris12hi), CISO, Mount Sinai Health System.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Tines

Tines was founded by experienced security practitioners who cared about their teams. When they couldn’t find an automation platform that delivered, they founded a company and built their own. A few years later, customers like Coinbase, McKesson, and GitLab run their most important security workflows on Tines – everything from phishing response to employee onboarding. To learn more, visit tines.com.

Full transcript

[David Spark] A 500 plus person company doesn’t have a security department. They need one, and they need to convince the CEO and management that they need one. How do you build a security team and program from scratch?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me for this very episode, you’ve heard him before. You’re going to hear him again. His name is Geoff Belknap, and he’s the CISO of LinkedIn. Geoff, thanks for joining us.

[Geoff Belknap] Hey, David. Thanks for having me. How are you doing?

[David Spark] I am doing fine. But we’re not going to go into a long diatribe. I’ve heard on other podcasts people go, “How are you doing? Oh, how was your weekend?” No, none of that. We’re going to end this part now.

[Geoff Belknap] That’s it. I don’t care how you’re doing actually, so let’s just move on. [Laughs]

[David Spark] That’s better. I like that. I want to mention our sponsor. Our sponsor is Tines. They are the no code automation for security teams. We’ve been talking a lot on the CISO Series about this very topic, and we will talk more about it later in the show. But first, today’s topic. It comes from a redditor, and I think this is the first episode we’ve ever done which is based on a reddit conversation. This redditor asked on the cyber security subreddit, “How can I start a cyber security department from scratch?” He’s working at a 500 plus person company that has a very old IT structure that hasn’t developed any new roles in 15 years. Now, this redditor wants to propose a role for IT security to the CEO. The redditor wants to know how to convince management, plus how to actually begin building that foundation. Geoff, have you ever been faced with such a feat being that you had to start a security program from scratch?

[Geoff Belknap] I have, and I’ve done it twice now. And I found it really rewarding. I think thankfully for me I didn’t have quite the same problem here of having to convince somebody that it was a good idea. But what I love about this concept is this is a great opportunity for us and especially with our guest to talk about what are the principles involved, why should you have a security program, and how would you convince somebody to do it. I’m super excited to get into this.

[David Spark] And we have a great guest who we’ve had on before on one of our video chats and thrilled to have him on Defense in Depth. It is the CISO for the Mount Sinai Health System, Rishi Tripathi. Rishi, thank you so much for joining us.

[Rishi Tripathi] Hi, David. Great to be here.

How do we go about measuring the risk?

2:29.696

[David Spark] Now, I’m going to remind everybody. I’m going to be reading redditor handles as I’m quoting this, so there will be some very silly names here. Just reminding everyone.

[Geoff Belknap] We apologize in advance if any of these are weird.

[David Spark] Yes. LSU_Tiger said, “Show management that not doing security is more expensive than doing security. It is then management’s job to decide how much risk they want to tolerate, knowing that it will cost them real dollars to respond to breaches, customer info disclosures, etc.” And MorpH2k said, “Some companies only have to do the math of risk versus cost. Some need to protect their customer data to avoid legal liability. And yet others have proprietary information that is business critical. What is business critical to your company, and how could that be vulnerable?” So, these two comments, Geoff, are pretty much the basics of why you need cyber security, isn’t it?

[Geoff Belknap] These are the basics of why you need it or why you’d have to do it. And they are great places to start. But I would go one step further and tell you let’s really think about not the downside but the upside. There’s always downside to not doing something. And security really is no longer the insurance part of your technology play in your organization. What we should be thinking about and what I would challenge us to think about is how can security add value to the business. Like is this going to attract bigger, better customers? Can you move into the enterprise space? Because now you have a security program, and you can articulate that. That’s a much better path to think about it.

[David Spark] That’s a really good point. Because we’ve heard this before – big enterprise companies want to work with other companies. But because they don’t have an up to snuff security program, it’s a no go.

[Geoff Belknap] Exactly. A security program of any size is probably something that can help you open up an entirely new customer base that you didn’t think about before.

[Rishi Tripathi] What Geoff is saying is absolutely right. The goal of a security program is really to protect the digital value of a company. You have to understand from the get go what that value is. If you’re a hospital, perhaps it’s an electronic health record system that facilitates the treatment of patients. If you are a broadcaster, perhaps it’s your broadcast system and so on. That’s what you need to align your security program to, to actually be able to show real value.

[David Spark] The metaphor that I’ve heard many, many times… And tell me if you sort of agree with this. Is it’s the classic brakes on a racecar thing. It’s like you can’t win the race without having brakes. I would argue that a lot of what you said earlier is having a security program makes people want to do business with you. Yes, Geoff?

[Geoff Belknap] Oh, I think in this day and age absolutely. Look, exactly as pointed out here, everybody has got some regulatory requirements. Everybody has got… You’ve got to do that risk versus cost calculation. But the real competitive advantage comes from what customers can you now secure, and which customers will stick with you longer now that you have an articulable security program. I think a lot of people overlook that because we’re still stuck in that thinking of security is just downside minimization when really if you’re smart, security is about upside optimization.

How would you handle this situation?

5:56.052

[David Spark] SodaBubblesPopped said, “Nothing galvanizes management approval faster than a compliance requirement/mandate. Find any regulatory requirement of your organization or vertical and create a business case around that.” pcapdata said, “Look for allies in your legal department who can tell you what kinds of regulatory and other issues a company can face in the event of a breach.” And lastly sd_owens said, “My company was the same way, and the turning point was when our cyber security insurance provider threatened to drastically reduce our coverage and jack up premiums. Now we’re building a dedicated cyber security department.” So, Rishi, these are more sort of like immediate needs. Like you can really, really see these. These aren’t the, “Well, it might happen,” kind of needs.

[Rishi Tripathi] This is absolutely correct. What you can do… You can look for a regulatory pool [Phonetic 00:07:02], or you can look for security incidents. One of the tactics I’ve used over the years is you get into a new environment, and you start collecting smaller security incidents. Every company has them. Someone clicks on something, or someone downloads something. And soon you have a good metric of things that are happening. And you sort of start this function from the ground up by demonstrating the proactive nature and the work that you’re putting in. You add compliance requirements to it, and all of a sudden you have people who would want to support you from an investment perspective. They would be willing to kind of stand behind you as you build out the program. So, you can have different levers pulled, but I think the key is if you are in a situation where you need to demonstrate value of a security program you have to start doing things. You don’t have to necessarily wait for big funding. Funding comes… You make investments from your own time, and then you take initiative, and you provide leadership. And soon you’ll see the leadership of the company will stand behind you.

[David Spark] Geoff, is starting with compliance issues being that it’s the most immediate thing the thing that we can all see that if we don’t do this for sure we’re going to be paying this? Is that a good place to start? Or like you said, the positive angle. Or I’m assuming take it from both angles.

[Geoff Belknap] I think there’s no wrong place to start. There’s no bad place to start as long as you are saying, “Hey, we want to take our security, assess where we are, and make it better.” You’re on the right path. And again, here I go lowering the bar. Just start some place and make it better. And frankly if you can do that and show that you’re improving things from a security perspective you can almost always get some funding. An easy way to go is to say, “Hey, we have regulatory or compliance requirements. Let’s meet them.” And while I’ll say minimal, that’s a very safe and impactful way to go as well.

[David Spark] I liked the comment that was like start somewhere and make incremental improvements. What about the fear of I have to have everything right the first time and come out with everything right the first time. And then at the point of you end up doing nothing because you’re waiting to get everything else right…

[Geoff Belknap] Perfect is the enemy of good. And frankly if you have no security program today, you just need to be better than you were yesterday. And just having somebody make something a little bit better is better. I think the other really great part to start is with culture. More security should be being done outside of security than inside security. And that doesn’t mean like somebody in your accounting department running a firewall. It means people in your accounting department, or your sales team, or your system engineering team are thinking about security. You’ve got a great inquisitive culture. They’re flagging problems. They’re trying to improve the things that they do. And that is really going to be where you hit your stride and where you can build on top of.

[David Spark] All right, Rishi, I asked this question to Geoff earlier, had he ever done this – built a security program from scratch. Have you ever actually done this?

[Rishi Tripathi] Yeah, I think those of us who have been doing this for a while, we’ve all had situations like this where you come into an environment, and you basically have nothing, and you start building. And what I’ve found useful is to Geoff’s point, you just got to start doing things.

[David Spark] Can you remember when you did this the first thing that you actually started with? Can you remember?

[Rishi Tripathi] Yeah, absolutely. This was actually right after 9/11. I was working in a SCADA system down in Florida. And there was a heightened awareness around security of the SCADA systems. I was a network engineer. My boss was looking for someone to do security, and I said, “I’ll do it.” I started reading myself. I started working on collecting logs from firewall. And remember there used to be a product called Netcool. We would start aggregating logs over there. Started enforcing 2FA, a firewalling sort of…

[David Spark] So, you started to do essentially like you were saying…you started to do something.

[Rishi Tripathi] You start doing something. And I don’t think people in cyber security should be afraid of missing things. That’s the trend I see in a lot of practitioners. You never get in trouble for trying. You only get in trouble for not even giving it a shot. So, you have to keep it going. There are a lot of existing tools… I remember Snort. I deployed Snort on an old computer. So, you start somewhere. You start collecting logs. And in a year or so we were able to get some funding.

Sponsor – Tines

11:42.562

[Steve Prentice] Tines provides no code automation for security teams. The reason Tines came into existence is as compelling as it is practical, as Thomas Kinsella, the cofounder and CEO, explains.

[Thomas Kinsella] Tines is a security automation platform, and it’s built by practitioners for practitioners. Myself and Eoin, our CEO, we spent ten years working in information security, feeling the pain that all security analysts and security engineers feel. Way too many alerts, really hard to hire good staff, and that sense of inevitability around incidents. We realized one of the things that you could do to solve this problem is to invest in automation. We looked at all of the automation platforms out there. We didn’t like any of them, so we said we could do a better job, and we started our own. We got some incredible customers, the likes of Coinbase, Bucks [Phonetic 00:12:26], GitLab, McKesson [Phonetic 00:12:27]. So, Tines is that security automation platform that aligns analysts and engineers to automate themselves into better jobs to build their own workflows. You don’t need to be a developer. You don’t need to be a coder, but you can automate incredibly complex and incredibly [Inaudible 00:12:42] workflows that actually fit your needs. You’ve got people that working on boring stuff day to day. You’re producing a whole lot of alerts that are false positives day to day. When that large incident comes in… And it may not even be a security incident. It could be like a new vulnerability like Log4j. Those people who are already slammed, who are already overwhelmed are now spending way too much time… They can’t even focus on the stuff that was actually really important [Inaudible 00:13:03] time on the more impactful stuff.

[Steve Prentice] For more information visit tines.io.

What’s the best tool for the job?

13:14.406

[David Spark] Get ready for this. User NostrilHar said, “Don’t build a SOC. Just use an MSSP/XDR service. Don’t pay too much either. People will try to overprice everything. Get help. If you have never done it, you need someone to show you the ropes and the pitfalls.” And phoenix14830 said, “An MSSP can get your network up to par while your staff gets built up to eventually accept the handoff.” So, a lot of leaning on getting help here and specifically using an MSSP to get started. What do you think of that, Geoff?

[Geoff Belknap] Well, I think first of all it’d be helpful for people to understand MSSP means managed security service provider.

[David Spark] Right.

[Geoff Belknap] And yes, it is really important for you, especially if you’re starting with nothing, to recognize that as Rishi said, you do not have to do everything. You do not have to be perfect. You just have to start somewhere. And the best place to start is go, “How many people do I have? Is it just me? Do I have maybe me and two other people? Great.” What is the most important thing for us to spend time and money on? Let’s do that, and then let’s spend money on anything else that we think is important but we don’t need to do personally. MSSP, a managed endpoint detection solution is a great way to start and go, “Great, at some point maybe we take that on. But right now, letting somebody else do that for us…” Like you’re getting the benefit. Somebody else is taking care of a very complicated thing. Fantastic. Now you can move on to whatever is more important for you to spend your time.

[David Spark] All right. Rishi, I’m throwing this back to you. Have you used MSSPs early on?

[Rishi Tripathi] Yes. And I think that industry is evolving. That industry is getting better with time. My sincere belief is technology only takes you so far. I think it’s an old saying – a fool with a tool is still a fool. You have to have the right talent before you start accumulating shelfware and a lot of technologies.

[David Spark] But a fool with a tool that seeks help will become a little less of a fool, yes?

[Rishi Tripathi] I think you’re right. You can sort of ask for help. The issue I have with MSSPs is people outsource responsibility as part of the deal with MSSP. You’re still responsible for the execution of the program, for protecting the organization. People have to remember we’re not the wardens of a company. We’re the bodyguards of the company. So, we have to be accountable for the decisions we made and any sort of MSSP deal we kind of look out for. Be extremely careful with the SLAs. Be extremely careful of the quality and so forth.

[David Spark] Well, I know a lot of MSSPs would not see themselves as outsourcing but really augmenting your existing behavior. Geoff?

[Geoff Belknap] Yeah, I think it’s a great point, what Rishi is trying to make here, which is you cannot outsource your responsibility. You cannot outsource your accountability. What you can do is get somebody to help you. If you don’t have the manpower or the software to deploy detection today, an MSSP can absolutely help you with that. But at the end of the day, it’s either Rishi or I that are sitting in the hotseat if something gets missed, if there’s a big security issue. You can’t just be like, “Well, I hired those guys. It’s their fault.” You got to just be realistic about what you’re doing.

[David Spark] Yes, Rishi?

[Rishi Tripathi] 100% agree.

What needs to be considered?

16:49.494

[David Spark] eeM-G said, “Prioritization of capabilities will depend on your company’s business model. That is to say consider how your company makes money. What are the revenue channels? What could impact those and stop the company from generating revenue? Could your company lose its ability to trade?” And Krek_Tavis said, “I would highlight that there is a lack of standard procedures for security practices, and that generates inefficiencies, wastes money, and causes security issues. To counter that, you need an information security team to create policies and a cyber security team to lead on the technical aspects.” And Temptunes48 said, “Applying security to a company that has never had any can be extremely difficult. I’ve tried to do this and ended up pulling my hair out. A simple password policy can bring howls of protest. Almost like you had to ask them to take a 50% pay cut.” I love that last quote.

[Laughter]

[David Spark] Let me ask – have you had a struggle, Rishi, in the past, especially for a company that did not have to deal with security stuff before? All of a sudden did you have a security program, and they’re not taking to it too well? Did you have this experience?

[Rishi Tripathi] Like every CISO, I’ve had those issues. You have to build sort of your own credibility. When you start implementing 2FA in a brand-new company that never had 2FA, it’s sort of a very dramatic reaction. Like, “Why do I have to push this green button or pull the cord?” And you hear things from one end of the spectrum, that “Hey, we’re not the NSA. We don’t need this level of security,” to other end like, “This will never happen again.” But slowly you start building the reputation. You start doing things that protect your company. You start kind of pulling all the levers on metrics and governance committees and so forth. You get good backing under your belt, and you show “Because of this, we’re able to protect certain amount of attacks.” And soon you will have good backing. So, I’ve seen this in the past. I think it all comes down to how you stack your security program against the business model of the company.

[David Spark] Which was our first quote there, the one from eeM-G.

[Rishi Tripathi] Exactly. So, you got to figure out what does your company do. And then what is the most revenue generating thing for your company? And then you align your security program to that. Then you get more support for protecting that because people understand…the top-level leadership understands protecting revenue, protecting digital value is key.

[David Spark] That’s a theme that’s been going through many of these comments. Geoff, what do you think of the…? I’ll ask again but sort of people having a hard time with a brand-new security policy.

[Geoff Belknap] You know, the hardest thing to get people on board with I used to say was two things – where they sit in an office, what their title is, and then the third thing often times is what the password reset policy should be. I think thankfully we’ve kind of moved past asking people to reset their password every 30 days or something like that. It’s still really hard to even now kind of negotiate with people where are we going to sit in an office, especially after the pandemic ends. But it all comes down to what your culture is or what your culture will accept and what your business needs. I think Rishi makes a great point – your job, my job, his job is not to make sure the company never makes a mistake. It’s to make sure that we can recover from that and to make sure that we are balancing what’s the most effective security decision for the organization. So, we could absolutely say, “Hey, we need everybody to do 2FA plus their password changes every day.” But your company probably doesn’t need that level of security, and your culture will not tolerate that level of security. So, it all comes down to I think as eeM-G says, prioritize your capabilities. Prioritize what your company needs, and then just try to make the best choice. Don’t try to get to a point where you’re never going to make a mistake, you’re never going to have a security issue.

[David Spark] That’s a good warning. I’ll let you close here, Rishi. From your experience of starting security programs, what was a really big mistake that you wish you hadn’t done and had you looking in hindsight and saying, “This I could have avoided.”

[Rishi Tripathi] I’ve been doing this for a while so yeah, I’ve made my share of mistakes for sure.

[David Spark] Geoff is perfect though. I just want to point that out.

[Laughter]

[Geoff Belknap] I have never made a mistake in the last 15 seconds.

[Laughter]

[Geoff Belknap] That I’m aware of.

[Rishi Tripathi] I think I would say what I could have done better is perhaps communicate within the team the sense of it’s okay to be imperfect. I think I do that more today than I did ten years ago. You have to give kudos to these people who choose this profession. This is not an easy gig. And there is that level of fear at the analyst levels that what if they miss something. I am able to better communicate that to my team. “Guys, that’s what I am here for. Take your big shots. Take chances. Make the program better.”

[Geoff Belknap] I’d like to say Rishi and I are modeling how to make mistakes. Like, “Look at us. We’re making mistakes all the time. Be like us.”

[Rishi Tripathi] Exactly. So, I would say that that perhaps would be one of the ones I would go back and fix. Just give them more courage to experiment more.

[David Spark] Let me throw this in. I know this is a little bit of a diversion, but do you feel that when you really go out of your way to show your staff your own mistakes that they feel more comfortable to be more bold?

[Geoff Belknap] Oh, I think so. Something I have started doing, which I didn’t [Distortion 00:22:56] would be as powerful as it is is just telling people, “Look, it’s your job to make a decision. We hired you because you have this level of intelligence and the capability to sort of integrate all this information you’re going to take and make a choice.” If that choice ends up not being perfect, you’re not going to get fired. You are not going to get fired for doing your best and making a good choice. You might get fired for being negligent or intentionally doing something incorrect. But if a decision you make, a really hard decision you make, comes out to be the wrong decision, that’s just part of the job. And I think sometimes people need to be reminded that our job is not to be perfect. Our job is to help business move forward.

[Rishi Tripathi] Absolutely. I couldn’t agree more. I think we have to translate these cyber jobs as any other job. In any other job, you’re not going to get fired if your intent was right, you do your due diligence, and you made the right decisions with the information you have versus if you were negligent, and you were careless. Or if you hide something. I think that’s true for any job in the world. I think for cyber security, because the headlines focus more around this big data breach, new CISO, change the whole organization, that sort of instills that fear within the analysts that they can’t afford to make a mistake. It is a high stakes game, I agree. But I think we have to let our people sort of take those shots. Otherwise they’ll just be working in fear. And then how would we solve the talent shortage, and how will we solve other issues with the industry itself?

Closing

24:38.697

[David Spark] All right, this comes to the end of our episode. But I’d like to know who had the best quote and why. Rishi, I’ll let you begin, and tell me which was your favorite. And you are going to have to mention the redditor by name.

[Geoff Belknap] [Laughs] I feel like we should almost have a thing of, “Who has the best reddit handle, and what was the best quote?”

[Rishi Tripathi] I would say almost like you asked them to take 50% pay cut.

[David Spark] That was the last guy, Temptunes48.

[Rishi Tripathi] Temptunes48. I think that was pretty funny.

[David Spark] All right. And, Geoff, your favorite?

[Geoff Belknap] I’m going to have to go with eeM-G, which I wish I could understand what you were cleverly trying to say. He and/or she said, “Prioritization of capabilities will depend on your company’s business model. That is to say consider how your company makes money. What’s the revenue channels? What could impact those and stop the company from generating revenue? Could your company lose its ability to trade?” And this is exactly the way that I think of things. What does my organization that I’m in charge of security for need? What do we do? What kind of things could impact us? By the way, this is called risk modeling. What are the kinds of things that we do? What can impact us? What do we really got to be concerned about and defend against? That is where everything flows from. That is where everything should start. That’s the perfect way to start.

[David Spark] That, I think, has been the theme of this very episode. Thank you very much, Geoff. Thank you very much, Rishi. I want to thank our sponsor, Tines. Remember, they are the no code automation for security teams. For more, check them out at tines.io. Tines.io. All right, Rishi, I’m going to let you have the very last word, and the question I always ask all my guests is, “Are you hiring?” So, make sure you have an answer for that. Geoff, I know you’re hiring.

[Geoff Belknap] We are.

[David Spark] He hires at LinkedIn. If you want to join an awesome team and work with someone as awesome as Geoff… And if you don’t know how awesome Geoff is, why don’t you just go back to a ton of previous episodes and listen to him, and you’ll figure it out.

[Geoff Belknap] There are better people than me that work on the team, too, so don’t judge it completely on me.

[David Spark] Oh, so you’re lower in terms of the better people. So, if you think Geoff is awesome, there will be a lot more awesomeness there.

[Geoff Belknap] There are definitely better people than me on that team.

[David Spark] There you go. That’s great. It’s going to be full of awesomeness. All right, Rishi, any last words, and are you hiring?

[Rishi Tripathi] Yeah, we are absolutely hiring. We are a mission driven organization. Isn’t it an awesome opportunity to come and help a hospital during a pandemic, right? So, go check out the open jobs at mountsinai.org or just drop me a note on LinkedIn.

[Geoff Belknap] Aw, a fine website.

[David Spark] Yes, we’ll have a link to his LinkedIn page on the blog post for this very episode. Thank you again, Geoff. Thank you very much, Rishi. Thank you to our audience and most importantly to the cyber security subreddit community. That was awesome. Our first show where we based an episode on a question that was asked there. So, thank you very much for you. And I hope all you redditors start listening more to this great show. Thanks for your contribution and listening to Defense in Depth.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link. We’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.