Defense in Depth: Who Investigates Cyber Solutions?

Cyber professionals, who is responsible on your team for investigating new solutions?

Check out this post and this post for the discussions that are the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Nick Ryan, director of enterprise technology security and risk, Baker Tilly.

Nick Ryan, Baker Tilly and David Spark, CISO Series

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor Votiro

Can you trust that your content and data is free of malware and ransomware? With Votiro you can. Votiro removes evasive and unknown malware from content in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with everything – including Microsoft 365. Learn more at Votiro.com.

Full transcript

[David Spark] Cyber professionals, who is responsible on your team for investigating new solutions?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me for this very episode is Steve Zalewski. You may remember him because his voice sounds exactly like…

[Steve Zalewski] Hello, audience.

[David Spark] Yes, it sounds just like that. Our sponsor for today’s episode is Votiro. Now, if you have data that needs to get through because people need to do their jobs, that’s what they need to do, they will actually take the bad part out of that and let the data actually live and go through. Because there is a bad part of it. Again, assuming it has a malicious payload. And there’s a good part. So, why don’t we just keep the good part? Anyways, more on Votiro later on in the show. But first, Steve, our topic today. On LinkedIn I asked this question – who’s responsible for the discovery, reviewing, testing, and purchasing? And I asked, “Is it a collaborative effort, and how is that handled?” And I should also mention I got inspired from another post on LinkedIn, from which we also used some of the answers, from Brett Williams, who was a Major General for the United States Air Force, retired, and he’s now a speaker. So, Steve, how did you handle this issue of who is responsible for new solutions on all these levels?

[Steve Zalewski] I would say there’s two points here. First, it is one of the most misunderstood processes that I think we as an industry and for producers of products to understand. The second is it’s also one that’s undergoing an awful lot of change, and so we need to be very salient about what’s about to happen to that process as well.

[David Spark] Excellent point. Well, our guest to help with this very discussion on this topic, which I’m excited about… Which by the way, I know a lot of vendors are going to have a lot of piqued interest. He is actually an in-studio guest because he is local to me here in lovely Carlsbad, California. It is Nick Ryan, the director of Enterprise Technology Security and Risk over at Baker Tilly. Nick, thanks for being here.

[Nick Ryan] Hey, David and Steve. Thanks for having me. Glad to be here.

What are the best ways to take advantage of this?

2:21.351

[David Spark] Dustin Sachs of the Performance Food Group said, “Business unit is responsible for most elements. Procurement handles the contracting process. InfoSec does the TPRM review. And legal does the contract review. Discovery and testing are best handled by the business unit. The exception is that sometimes IT handles the testing for the business unit, but this is rare.” So, as in the most sort of complete answer of everything that I saw, Dustin was it. Now, there are a lot of variations to this though. Jonathan Waldrop of Insight Global said, “The size and maturity of the organization also plays into this. In small organizations and teams, the process can be relatively self-contained. In larger organizations, there are extensive purchasing rules and regulations.” Kind of what Dustin mentioned. “That have strict processes and segmentation of duties to avoid conflicts of interest.” So, Steve, I will start with you. Is this how it happens in the large ideal world? And how much of this truly does play out?

[Steve Zalewski] Yeah, I would say when I was at Levis, Dustin was right. Very organized, very discrete components. And you had to follow the process. If you deviated from the process, it didn’t make any difference who you were, you weren’t buying it. As a procurer of security services, I would say this is accurate for big companies. On the other side…and this is the part we want to talk about…is in smaller companies, startups, whatever, where get the job done to sell is the primary motivator, then it’s almost like the wild west where the CISO can say, “I need $50,000,” and the CFO just goes, “Go.” And he’s spending, and you have almost no process. Which is why I started with the it’s one of the most misunderstood processes in most companies, where you really need to know that first.

[David Spark] So, Nick, your company is, what, 8,000 employees?

[Nick Ryan] 7,500, yeah.

[David Spark] Pretty close. So, sizeable. How close are you to the description Dustin put out?

[Nick Ryan] Yeah, it’s very, very close. There’s a process. And the larger the company, the more red tape naturally. There’s a lot more explaining that has to be done with the purchases. And a lot of times they’ll want to see, “Hey, what’s the ROI on the money we’ve already spent on tools before I give you the green light on this money.” So, there’s some things you have to consider before getting to being able to buy a solution.

[David Spark] Hold it. But that doesn’t hinder you from exploring a solution. And how much of “ROI” are you able to actually show with a security solution?

[Nick Ryan] Yeah, it’s tough. There are ways to show time saved, hours saved from your internal team. There are metrics to show if you’re looking at an email security solution; there may be ways you can actually show tangible results from malicious emails stopped, things like that. But there are some tools, frankly, that are going to be keeping more the security on the backend where it needs to be, and at the front end users aren’t going to see it. And there might not be ROI that’s going to be tangible in those ways. So, that is an element for sure.

[Steve Zalewski] So, let me riff on that for a moment. Here’s the thing about ROI. Figures don’t lie. Liars figure. So, what you’re really saying is, “No. Whose ROI is important?” Is it the CFO’s? The CISO’s? Is it for the purchasing department? And so the establishment of an ROI is as much part of the process as the actual measurement of the ROI.

[David Spark] Let me ask, first off, have either of you worked in any kind of government job? We had a guest on once who talked about how difficult and complicated the procurement process is and also the RFP process is. Even if he wanted, he couldn’t write himself a perfect pitch so that it would get through the process. It’s that opaque.

[Steve Zalewski] And that’s what I said, which was at every point in time you have to know who your consumer is and position to get past that milestone to the next one. So, it’s not about you. It’s about everybody else.

[Nick Ryan] Yeah, that’s a great point, Steve, because there are certainly things that would fall on your risk register, and it might be an acceptable ROI to show that we’ve just mitigated this risk, so the next time we have the auditors come for our SOC 2 report they’re going to be satisfied with this. And the business might say, “That is ROI.”

[Steve Zalewski] Right, and the finance people are going to say, “Hey, wait a minute. I just gave you CAPEX dollars, and that’s a three-year investment. And now you want to spend OPEX dollars? I don’t have any of those.” And so therefore the ROI is completely out of whack. And those are some examples of what we were talking about of the difference of ROI.

What would a successful engagement look like?

7:31.349

[David Spark] Joshua Bregler of AWS said, “Everyone, it’s integral to our work. You come up with an idea. You write a concise data driven paper to present to team and leadership, refine, and revise.” And Jonathan R, CISO over at Lightspin, said, “Discovery is crowdsourced, doesn’t need to be the security team either. Sometimes someone outside can find a cool thing. Review and test would be the direct team if you even need to buy something, but then someone else handles purchase of course.” And Christopher Zell, CISO over at The Wendys Company, said, “I am the one that is responsible for authorizing the purchase. But if my leaders want the POC (proof of concept) tech, more power to them. I don’t need to encumber them with unnecessary red tape and have them feel as though they have no voice in the matter.” So, Nick, our first segment we talked about red tape, and everyone else here is saying red tape doesn’t help. If they want to discover anyone, go to it. How much of that is possible in your environment?

[Nick Ryan] Yeah, that’s certainly possible. But I think a successful engagement… Let’s not forget that the security department’s role in an organization is to align with the business goals and help them get there. So, success to me is we are keeping the company moving towards the goals that it wants to attain, and this is a way that we can tangibly show that we are meeting that goal by mitigating a certain risk or addressing a problem that we have.

[David Spark] All right. And, Steve, why shouldn’t it just be open to everybody? You see something cool, let us know about it.

[Steve Zalewski] This gets back to what your job is as a CISO. When I was at Levis, I used to say my job was to get a hundred dollars and to work with the team to use that hundred dollars the most effectively we can. My job was to make sure that the legal, the purchasing, the finance teams all had runway to know what I was going to do, so that my team, in doing product selection and internally having the debate as to what we were going to buy, was what we could focus on.

[Nick Ryan] Yeah, that’s a great point. One thing I think about, too, is crowdsourcing is a great option because your team members are in the trenches, and they can see what’s going on. They have great ideas. But sometimes they don’t see the connection between that tool and other elements of the business – whether it’s more tools or a business process. So, kind of as a CISO, filling in the gaps of the business with those ideas and bringing them to the surface to make something a materially right decision.

[David Spark] Let’s get to the whole subject of the vendor pitches, because the vendors do want to know who’s going to review this stuff because they want to get stuff in the hands. Does your team understand the desire from the vendor’s side and that you don’t need to say yes to everyone, but if something intrigues you, yes, do say yes? How much of that is understood, and how much…? Because I know you’re getting hammered by requests. How many people within your team are also getting hit?

[Nick Ryan] Yeah, it’s nonstop. For an organization of our size, 7,500 people, they’re knocking on every door to see who is going to open. There are people on a team…in my team who are leadership positions that certainly have a vote, but there are also folks who don’t have a vote, but they have a voice. So, getting the summation of the people that have voices and the people that have votes, bubbling that to the top. But ultimately, too, I like to tell vendors play the long game. I might not be interested today, but knowing the technology is out there, knowing what kind of AI and machine learning that you’re using… That might not be a problem that I’m solving today, but tomorrow it will be. So, you might be looking for a quick sale, but I would encourage you to play the long game because I might have that problem, and I’ll know where to turn when I do.

[David Spark] Steve, what’s your experience?

[Steve Zalewski] Yeah, I’m going to riff on this one because this is a warning. We’ve had this conversation before, which was do you realize I have as much as a year’s worth of labor put into my internal alignment for when I’m going to spend. This is not money that just shows up. This is I have to budget. I have to set expectations. I have to do quarterly planning for when I’m going to spend it. I’m accountable to it. So, if you want to come in and try to upset the apple cart by going around because you happen to know the CFO through a buddy or through the CEO, or you want to do a spam to try to get other people engaged, be very wary. Because what you just did was screw me, and I’m going to screw you. So, you need to understand. That’s what I started with, first and foremost, is have the open conversation. Help me understand how purchasing works for you in your role, in your company.

[Nick Ryan] Yeah, Steve, and I would also add onto that from a CISO’s perspective, being up front with your budget cycle and telling the vendors what they can expect, and setting that realistic expectation goes a long way. Because I’ve seen too many people that don’t say that, and the salespeople get super excited just to come to the end of the process and realize, “Oh, no, they’re not going to be able to purchase until July of next year.”

[Steve Zalewski] Yep, and they put themselves in a bad situation because then they made internal commitments, and now they’re going to try to go around. So, full disclosure is not on the onus of the CISO. It’s the sales teams to know to ask the right questions and spend the time to farm, to do that relationship building. And then the wild card always is, “Hey, look, incidents happen all the time, and you never let a good incident go to waste.” So, there’s always opportunities to find pots of money to either accelerate something or to bring something in different. That’s where the relationships come in.

Sponsor – Votiro

13:24.837

[Steve Prentice] Content disarm and reconstruction as a service is a technology that allows people to use their documents without having to think twice before opening. That’s a fresh idea. Aviv Grafi, founder of Votiro, explains how it works.

[Aviv Grafi] Content disarmament reconstruction or CDR is a technology that allows enterprises in essentially every business to get all the content from outside – files, documents, anything that they need to consume internally – without the need to do things before they open that content. We are applying a technology called Positive Selection. Instead of screening an Excel spreadsheet with the malicious macros that might be in it, we don’t care about that. We know what is the good stuff. So, we’re taking all the good content and deliver that in a safe way within milliseconds. Every user can just do their work without any delays, without any blocking of files, and other content.

[Steve Prentice] Votiro started out by delivering the service for email but now offers a fully hosted software solution as an API. They now have the ability to secure content and data, and train applications, too.

[Aviv Grafi] So, in fact, using Votiro’s API, every application can enhance its security and productivity, but just within minutes by plugging Votiro’s technology that is hosted into the traffic and business flow.

[Steve Prentice] For more information about Votiro and how it can work for you, go to votiro.com.

What are they looking for?

14:57.425

[David Spark] Matthew Biby, CISO at Satcom Direct, said, “It depends on the company, culture, procurement, process, size of team, and ultimately the problems we are trying to solve. It is the responsibility of every security leader to know what is working and what is not in the program.” Love that key line at the end. And Jonathan Waldrop again from Insight Global said, “It’s key to have real requirements for a tool before you even start discussing vendors and especially before you do any demos. Shiny object syndrome, while humorous, is a real thing. And if you’re not careful, you end up overbuying or buying something that doesn’t even do what you need it to.” All right, I need to know from both of you, have you ever fallen victim to shiny object syndrome? Steve, Nick?

[Steve Zalewski] Oh, absolutely.

[Nick Ryan] Yep, absolutely.

[David Spark] Do you want to say what shiny object you bought and what you did?

[Steve Zalewski] It’s what makes it happy. Once in a while to have a shiny object, to be able to come in and just look at it and go, “That’s just cool. That’s just something that I want.” Okay? So, I bought myself a really nice watch because I just thought it was a really cool technology. Absolutely.

[Nick Ryan] Yeah, I’ve had situations, especially right after an incident, where the flood gates have been open with the cash, and we’ve gone out and made purchases out of all the bad feelings we were feeling about the incident. We were trying to make ourselves feel better with impulse purchases.

[David Spark] [Laughs]

[Steve Zalewski] Absolutely.

[David Spark] Okay, well, hold on. Now, interesting you mention this because vendors listening to this are going to brighten up. So, you have an incident. People know about it. A, do you get the vendor pounce? And I know it’s frustrating, but if you see something shiny you like, you may jump for it. What do you think? Steve?

[Steve Zalewski] I would say it’s the other way around which was when I’m shopping or when my organization is shopping, my security guys will go, “We like these eight tools.” I go, “You can only buy two.” And we talk about those two. Okay? But if we have the other eight teed up, six teed up, we’ve looked at them then to the point like Ryan said, which is well, sometimes money from heaven. And then what we’ll do is we go a little deeper into the wish list. And all of a sudden those relationships that have been farmed, you get bluebirds, and we buy some stuff we wouldn’t otherwise buy. That’s how I see it.

[Nick Ryan] Yeah, absolutely. I agree. You always start with a longer list than what you actually end up procuring. So, in those moments of the floodgates are open, the money is there to be spent, you’re going back to that list because you’ve already spent the time and invested it into the demos, making sure that the requirements are a good fit. It becomes an easy Christmas wish list to strike off.

What’s the best tool for the job?

17:51.727

[David Spark] John Bowen, CISO for World Fuel Services, said probably the most popular quote, and he said, “New solutions? Not until you finished implementing the last tool I got you.” And Allen Westley of L3Harris Technologies said, “If I do hear something interesting in a pitch, I go to our IT security teams and ask, ‘Can we replicate this capability with our existing tools?’ Perhaps leveraging an existing vendor relationship to see if an API can be written to deliver the same result. In short, always dive deep into the tools you already have to make sure you are getting the value you paid for.” And by the way… We did a whole thing about tool consolidation, and the guest we had on, he literally created a big spreadsheet to show all the tools they had, all the capabilities, and noticed all the duplicate capabilities he had. And he just started paring down. It was an insane amount. And he just started eliminating tools as he realized what he had. So, both of you are nodding heads. How much of that sort of deep dive have you done, Nick?

[Nick Ryan] Yeah, I’ve certainly done a lot of it. And ultimately I think we need to as an industry shift from looking for the best in breed to the best in fit. Because it’s easy to go out there and buy the number one, the most expensive, the, “I need a PAM solution, so I’m just going to spend the money on the best PAM solution out there.” But that might not actually fit, and you’re going to have bigger problems that you’re going to have to unwind later. And another thing, we always joke that Microsoft will get you 80% of the way with any of their tool sets. So, an in house inventory of knowing how important is it to…maybe we take that 80%, and then we find a tool that covers the remaining 20 versus buying a tool that gets you 100% out of the box.

[David Spark] Interesting way of thinking about it. How about you, Steve?

[Steve Zalewski] I would say what is the best tool for the job is the same as when the board asks you, “Are you secure?” It is no longer an appropriate question to ask. What you really want to say is for the effectiveness that I need to protect the company, do I have the right capabilities in house and ask yourself that every six months. Because most tools have all kinds of things that you can bolt on, and that’s not the point. It’s not about the efficiency of the tools that you purchased. It’s about the effectiveness of the tools in conjunction with your people and processes to protect your company. So, don’t be afraid to abandon tools that you may only have for a year or 18 months if you realized you overbought, or you realized at the time it was the best decision, and now the decision has changed.

[Nick Ryan] Also to add to that, Steve… That’s a great point. One thing I think about is each tool that you’ve purchased, they have product roadmaps that they are working all throughout the year. And a common thing we forget is we bought this tool five years ago, but no one thinks to go back and see how the solution has matured, if they’ve done a merger or acquisition that offers new elements to their solution that you didn’t think were previously available.

[David Spark] So, here’s something I want to throw out at both of you. And we talked about this on a whole episode, and we call it Camry security. When you hear companies talk about, “We’re the Cadillac of this. We’re the best in breed of this.” Like what you’re saying. And best fit is interesting, but also the situation of, “Well, I don’t need to drive a Cadillac. I can do fine with a Camry, a Honda. It’ll do what I need it to do. I don’t need the most expensive best solution on the market.” And the comment that was made at the time was, “I don’t need to buy Splunk. I can buy something way, way cheaper.” Because that has been the number one complaint about that product.

[Nick Ryan] Yeah, I would say the Camry is a good analogy. And in my opinion, the most expensive purchases can sometimes be done by having a lack of understanding of the scope. If you correctly scope your needs, you’re not necessarily going to always go for the Ferrari, the Lamborghini. But if you do get to a point where you have a clear scope and the only product that addresses everything and gives you a future state that you can aspire to with that product then it makes sense to invest.

[Steve Zalewski] I’m going to riff on that and take a different view. I’m going to go, look, for the most part these decisions become political decisions. If I’m going to buy a Cadillac it may be because I have a lot of money, but more likely I’m working in a company where one of the ROIs is they want to be able to say, “We are better than our peers in how we’re doing this, and so we bought the most expensive security tool because it’s better.” In other companies, it’s what’s good enough. And so what I would say is never underestimate the power of politics when making a decision on the type of tool that’s appropriate for you and your company at this point in time.

[Nick Ryan] Yeah, the other thing that would be to keep in mind is there’s value in future decisions. Meaning if you’ve bought 10 different products that are the Camrys, you’re going to have more leeway in the 11th product if you say, “You know what? Now we’re going to invest in the more expensive Cadillac, and we have a track record of showing that we’re not constantly overbuying and getting more than what we actually need.”

Closing

23:33.372

[David Spark] Excellent point. And we’re going to close it on that. Thank you very much, Nick Ryan, of Baker Tilly, and my cohost, Steve Zalewski. Now we’re getting to the point of the show where I ask what was your favorite quote, and why. And I will start with you, Nick. Which one is your favorite quote?

[Nick Ryan] Yeah, Shawn Bowen’s quote about the new solution not until you finished implementing the tool I already got you is so relevant. It’s humorous, and it’s so true. That question comes up a lot with CIOs or whoever you might report to, saying, “We just gave you all this money, and now you want to buy something else. What’s wrong with what we just gave you?” Right? I just think that’s…

[David Spark] Why do I have to buy you a Cadillac? Don’t you have a Camry currently?

[Nick Ryan] Right. “Isn’t that good enough? We haven’t had an incident; therefore why do we need to spend more money?”

[David Spark] Steve, your favorite?

[Steve Zalewski] So, I think this is the first time I am also going to do Shawn Bowen, for a different reason, which was everybody says it’s about the efficiency of the tool. Once you buy something, it becomes a CFO issue. Tell me you’re getting every last penny out of it. And my point is that is totally the wrong question to be asking. It is how effective am I being in protecting the company, and that you should reject this argument at every opportunity and talk about effectiveness and the ability to throw tools out as soon as your needs no longer match what you had last year.

[David Spark] Interesting other take. Well, thank you very much, Steve. Thank you very much, Nick. Nick Ryan of Baker Tilly. I’m going to let you have the last word, by the way. I always ask our guests if you’re hiring, so have an answer for that. And, Steve, if you have any last thoughts, please let us know. But first I want to mention our sponsor, Votiro. They are votiro.com. Check out their solutions as we were describing earlier, and they had talked about, for making sure business gets done and doesn’t let simple malware, like attached to emails, prevent you from doing your work. All right? Steve, any last thoughts?

[Steve Zalewski] Yep, I would say to every sales rep out there, the question who’s responsible for discovery, reviewing, testing, and purchasing should be if not the first then the second question that you ask in any engagement to set the playing field.

[David Spark] Good point. Nick, are you hiring?

[Nick Ryan] I am hiring. I’m looking for a couple of governance risk and compliance, some GRC professionals, some auditors who have an eye for policies, procedures, and aligning them with controls.

[David Spark] Awesome. And if they want to apply for the job or get in contact with you, what’s the best way of doing that?

[Nick Ryan] Yeah, the best way is LinkedIn. You can certainly add me there. And also Baker Tilly has a career page. You could go there and apply as well.

[David Spark] bakertilly.com, right?

[Nick Ryan] Correct.

[David Spark] That’s bakertilly.com. Hey, and you know, our website is CISOseries.com. You can always go there. Not only do we have this show, but we have a bunch of other shows as well. And actually by the time you hear this, hopefully we’ve launched yet another show, God willing. All right, I want to thank my guest, Nick Ryan, with Baker Tilly, and my cohost, Steve Zalewski, as well. And by the way, our producers were listening in today as well just to make sure we recorded an excellent show for all of you. Thanks as always for your contributions and for listening to Defense in Depth.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link. We’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.