We’re Very Good at SAYING We Care About Diversity

It’s extremely easy to say you want to diversify. In fact, I’ll do it right now three times.

  • We want diversity.
  • We’re very pro diversity and it’s our focus for the next year.
  • Diversity is a very important part of our security program.

Please don’t ask to look at the lack of diversity on our staff, though. It doesn’t match our rhetoric.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Sujeet Bambawale (@sujeet), CISO, 7-11.

Huge thanks to our sponsor, Vulcan Cyber

Full transcript

Voiceover

Ten second security tip, go.

Sujeet Bambawale

Have a phone number that anyone in your company can call at any time; a 24/7 hotline if you will, for information security emergencies.

Voiceover

It’s time to begin the CISO Security Vendor Relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship podcast. My name is David Spark. I am the producer of the CISO series. Joining me as a co-host for this episode is Andy Ellis, operating partner at YL Ventures. We’re available at cisoseries.com, and our sponsor for this very episode is Vulcan Cyber. They were a sponsor in our very early days of the CISO Series, and they are back again supporting us as well. They by the way, I should mention, they are a wild ventures organization as well on top of it. I want to bring more about Vulcan later in the show; they do vulnerability management, so if that is of your concern, which I can’t see how it couldn’t be; it’s everyone’s concern. More about them later in the show. But Andy, you had a question that was burning, and while you were so eager to have our guests on for today’s episode, I’m going to introduce them now so you can ask your question so everyone can know the true answer to this. Our guest today is the CISO for 7-Eleven Sujeet Bambawale, and Sujeet, thank you so much for joining us.

Sujeet Bambawale

Happy to be here.

David Spark

Andy, your question for Sujeet.

Andy Ellis

So I grew up with a Super Big Gulp in my lap whenever I was driving. Just to be very clear, huge 7-Eleven fan; I think I lived on the caffeine. And there was this urban legend growing up that the stores were all open 24/7 so there were no locks on the doors. And then COVID hit and I had this thought, and I’m like, “Wait, there had to be locks on the doors. This would be crazy not to have locks for emergencies.” But if you never locked the doors do you even remember how to do that? So I want to know, are there locks on the doors, and did any of the stores have issues figuring out how to lock their doors?

Sujeet Bambawale

Well, I’m not that close to asset protection that I would know the real answer to the question. We pride ourselves on being open all the time. 24/7 is part of our brand, and we welcome customers any time of day or night. So, coming back to your question, we do have locks on the doors, but I don’t know if store staff have trouble actually locking the doors, because I don’t think we locked the doors. We were open for business.

David Spark

Do they even know where the keys are?

Andy Ellis

Do you know where the keys are, or maybe this is an information security issue, or have you moved to the era of electronic locks? I think it was Borders my mom used to work for for a while, and the mothership controlled the security systems of all of the stores. So when they were locking up you had to call somebody to lock the doors. It was crazy.

David Spark

I have a friend who’s a locksmith in Las Vegas, and during 9/11 actually some 24/7 stores shut down; specifically Walgreens on the strip, I believe, and they were called in to put locks on doors that did not have them. So that has actually happened, but it was quite a unique situation 20 plus years ago.

Are we having communication issues?

00:03:23:03

David Spark

How are you overcoming the challenges of diversity hiring? According to an article by Jonathan McBride and Rasheed Sabar on TechCrunch, most of the limitations companies put on themselves are only hurting their chances with acquiring and building a top diverse staff. For example, just having a college degree requirement knocks out 60% of the American working population. In addition, there is a growing disconnect between HR departments and the departments that actually need the staff. And lastly, and this was mentioned in the article, training should be just as important as recruiting. So I’m going to throw this to you first, Andy. Do companies need to dismantle their hiring practices, and just start over if they want a diverse staff? Or are there simpler steps to get there?

Andy Ellis

So I do not have a soap box big enough to stand on and scream yes to the heavens for this question.

David Spark

So on the yes in terms of dismantle?

Andy Ellis

Dismantle. Everything we do in corporate America for hiring is absolutely wrong and actively harmful, and we should stop. And if you’re an HR professional and you’ve got this far, fantastic; I want to talk to you. But here’s my belief of what’s going on. Coming out of the New Haven firefighter case that makes it to the Supreme Court, there is a lot of bad advice given from labor lawyers to HR departments about the value of neutral tests, which actually were a red herring in that case. But if you’re deep in Supreme Court law you can have fun reading it and learning about neutral tests. And what happened is they added on all of these requirements in the spirit of not actually discriminating, that are neutral tests. Oh, you have to have a college degree, but let’s be honest; unless somebody’s coming out of very specific universities, all that a college degree tells you is that some university thought it was worth fleecing this person for four years. Maybe they learned something, but it’s really about did the university accept them? And that’s what you’re really going for.

David Spark

Let me just argue that. This is a person that committed four years to an education.

Andy Ellis

To partying.

David Spark

To an education.

Andy Ellis

No, you don’t know that it was to an education. Then you might look at their grades. How many people actually go and pull transcripts and look at grades?

David Spark

Nobody does that.

Andy Ellis

Nobody does, right? So it’s a supposed neutral test you just pulled out the workforce. People put in years of experience. There’s a barrier which says if somebody isn’t already in a job, they can’t get the next job. So we add on all these things, and we have a bunch of research that says the more requirements you put on a job, the fewer women and minorities will apply for that job. We could talk about the reasons why, but it doesn’t matter. If you are hiring and you know that you have a marketing filter; because that’s what it is. Job descriptions are marketing. You’re marketing yourself, and if your marketing filter is turning away the population you want to hire, you need to change the way you market.

David Spark

Good point. Sujeet, Andy is on the highest soap box he can possibly find, is yours bigger?

Sujeet Bambawale

Security is a discipline that improves with a diverse background. I can’t underscore this even more than this. Security is a discipline. For it to be a discipline it has to grow with diversity of background. When the iPhone 3GS was just released, I was on a trip overseas in San Jose, and everyone had their chest puffed out about their unhackability, or the uncrackability of their iPhone and so on and so forth. And I remember going overseas and I mentioned this, and someone says, “Yeah, okay. We can get you one here.” And they walked me into an interesting, kind of a gray market, one of those places that you have in almost every city in the world. A younger gentleman, a kid even, he had short circuited something and he had the iPhone ready for me and good to go. Now this person, I guarantee you, did not have a traditional college degree. I don’t know if he had even completed school. But through maybe trial and error, maybe learning on the job, maybe learning just sitting on a window, maybe just flipping through books that are available to him. That’s something that today would get a significant bounty, I’m guessing, from a few vendors.

David Spark

But how could you discover someone like that? How do you? Outside of just this happenstance experience?

Andy Ellis

You let them discover you.

David Spark

So how does that happen?

Sujeet Bambawale

What you do. It is very important for security leaders in any stage of their career, to actively solicit input from different fields. You have to be as curious as you want your team members to be, as you want your organization to be. You have to look at themes that work with you. You have to look at people that work with you, and you have to constantly assess if they are, or they can be, supported and encouraged to be champions of security. So I think it is incumbent upon security leaders in all phases of their careers, to be constantly following the curiosity to see how well security can, as a discipline, benefit from the luxury of diversity. And it is really a luxury of diversity. We have to bring that into security.

There’s got to be a better way to handle this.

00:08:55:19

David Spark

We have repeatedly mentioned how deploying multi-factor authentication is one of the best techniques to dramatically reduce being compromised. But it’s not foolproof. And according to a story by Lucian Constantin at CSO Online, it may be even less so. According to the article, programs like SMS Buster and SMSRanger are using Robocall to automate the process of initiating and requesting a 2FA or one-time password message. The scripts mimic those of carriers, and the phone numbers and the caller IDs are spoofed to make it look like it’s coming from a legitimate source. SMSRanger claims that if they can keep the person on the line, they have an 80% completion and success rate. So, Sujeet, I’m throwing this to you first. The technique is not new, but the automation is, and it’s now exacerbating the problem. Is the solution just a lot more education of users? How do we deal with this?

Sujeet Bambawale

Education of users is absolutely important. It is also helpful to make the process easier. And we live in a time and an era where that easy can be done. For example, my MFA app, I would have loved for an MFA app if I were to code it myself, to use face ID; to use biometrics on the local device. All of these things accelerate what you have and what you know, just beyond reading the code off of your screen. Now actual MFA apps, they’re not doing this so far, but if MFA apps were to do this, I think that is more and more of a Turing test. So a Turing test should be burnt into MFA apps, and of course education is important.

David Spark

Andy, what do you think?

Andy Ellis

I’m going to disagree a little on the education. I think this is a problem of architecture. The challenge of saying, “Look, we have crappy passwords that have been compromised and breached, and they’re out there.” And then after somebody presents a compromised password, then we’re going to send the user an SMS message and ask them to read a code back. That’s the problem, that’s bad architecture.

David Spark

Which by the way, you should mention, every time I get the MFA message from my bank, it says, “By the way, we’ll never ask you for this number.” Because of this behavior they’re required to do this additional education.

Andy Ellis

But the better model is when you have an app, and let’s take Cisco’s Duo; they’re not sponsoring here and I’m getting nothing from them. But it’s an integrated push that says hey, I’m going to ping you on your phone and you’re going to push a button to tell me that you saw this. That’s not sort of coming back through the human, that’s a great step. But that’s still phishable, because what I can do is if I broke in and typed in a password, then I can trigger the push and you get the push and you push the button. What you need is something that authenticates the user and integrates that authentication and does the push. So what we did when I was at Akamai, was we put X.509 certificates on every device, and so when you connected to a website it read your identity and did the push automatically. No password in the loop, because the password is the problem. If you have breached passwords plus SMS, you have SMS. You don’t have two factor authentication, you’re back down to only one factor realistically. So to get rid of the breached password, not just tack on something that is barely secure.

David Spark

I don’t think Sujeet’s arguing with you. He did start off with, “Let’s make this simpler.” I mean yes, you’re on the same page, Sujeet?

Andy Ellis

I do want to say SMSRanger, I love marketing, because they said if they keep the person on the line they have an 80% completion and success rate, and that’s awful. If you got all the way to the end with the person on the line and then 20% of them still didn’t click.

David Spark

It’s not clear how they wrote it. It’s like one of the things. If you got them to begin the process, it didn’t say necessarily the end of the process.

Andy Ellis

It’s clearly marketing. How many people dropped out before they even got to wherever they’re measuring their 80%. I love it. I’ve worked for security vendors and we always do things like this in our selective statistics.

David Spark

That’s why I said “claims.” Sujeet, your final thoughts about what Andy says and making this process simpler, to deal with the automation here.

Sujeet Bambawale

I’m bullish on face ID. I think that we take it everywhere we go, and I think that now technology has matured to the point where infrared sensing and LiDAR in some phones has gotten to the point where face ID can’t be fooled by a picture. And face ID is doing very well in terms of error, false positive detections and so on and so forth. So, I think let’s use the technology that’s reached the common person. Let’s do away with MFA, if we can, by adopting face ID and biometrics that are much harder to fake.

Andy Ellis

The one thing I want to add for anybody who’s implementing facial recognition, is they should have a feature where you can do an anti-pattern, so you can say this is me, and this is my twin or my son that looks just like me. So that you can know that there’s two people really close to each other in this house, and I do not want false positives.

Sponsor – Vulcan Cyber

00:14:01:01

Steve Prentice

Vulcan Cyber is a cyber risk management company that helps enterprises manage programs like vulnerability management, application security and cloud security posture. Yaniv Bar-Dayan is CEO and co-founder and he explains how they make this easy and secure.

Yaniv Bar-Dayan

What we do in Vulcan is we help consume data with a variety of sensors, scanners that the enterprise has. Consolidate this data, enrich it with external sources, prioritize the data better, and then drive the business process that helps remediate the risk, in an automated fashion. From distributing the tickets automatically, to actually solving the problem for encompassing control, a patch, a changing the code, or whatever you need in order to remediate your risk. First thing that we do is, we consume the data from the variety of sources that they have. We take it in, we fuse it, we enrich it, and we eventually provide the customer with a very precise list of the most impactful things they can resolve. Then from there, what a customer usually does, is that they define certain policies, automated policies that will distribute this data at the hands of the people that are actually performing remediation. So instead of going and monitoring and filtering throughout tens of millions of vulnerabilities, they have now the ability to focus on the top 5% that are important. And also distribute its data automatically to the people who can actually resolve it, while only monitoring the process, making sure they’re meeting their SLAs.

Steve Prentice

You can find out more about their services, their freemium offering and their third annual remediation summit on December 9th, all at vulcan.bio.

It’s time to play What’s Worse.

00:15:44:21

David Spark

Alright Sujeet, do you know how this game is played, have you heard it before?

Sujeet Bambawale

Yes sir.

David Spark

Alright. So two scenarios; they’re awful, you’re not going to like either one of them. But one of them is worse from a risk perspective. Now, this comes from Ross Young, CISO of Caterpillar Financial. I always make my co-host answer first, so Andy will answer first so you can agree or disagree. I always tell my guests, I love it when they disagree with them, makes it more interesting. So here you go. Before you jump the answer, I’m going to qualify the explanation here as Ross puts it. Would you rather have a CISO who has efficient meetings that are not effective, or effective meetings that are not efficient? Now, in the explanation of this, effective may be like a rule by committee, and you get the best outcomes but they’re very slow to make. Versus efficient is, you make decisions by yourself, are very quick but perhaps you get the wrong answer from time to time because you missed someone else’s point of view. So what is worse; efficient meetings that are not effective, or effective meetings that are not efficient?

Andy Ellis

So I’m glad you had the qualifier in there because, I think when you’re saying efficient but not effective, I think Ross is saying efficient but negatively effective; like might be harmful, rather than gets nothing done. Otherwise you end up with the degenerate solution is, will they have a zero minute meeting in which nothing happens, and that would be fantastic. So he’s taken away my easy answer which I often like to go with. I think I’m going to say the worst one is the efficient and negatively effective, because I would rather be wasting the time in the meeting, but get to a good decision, so that we’re not wasting the organization. Because then maybe I can manage them around who actually wastes their time with the CISO in the meeting. But if you’re having these meetings, and then you’re driving the whole company in bad directions, because of the ineffectiveness of the meetings.

David Spark

But not always, that’s not saying every meeting becomes ineffective, it’s saying sometimes.

Andy Ellis

There’s some slider which you say, okay, this one is dangerous, I’m going to claim the slider is high enough on the negatively effective; otherwise it’s degenerative. If they’re not at all effective, then great, I’m happy to have efficient meetings that nothing happened. But if something happens that’s bad, which was Ross’s qualifier, I administer if the slider’s high enough on the badness scale to make that the worst thing for the company. Maybe it’s got an every Monday stand up. At 8:30 everybody has to show up, and it’s only a 30 minute stand up, but he’s not listening to anybody and he’s making occasional decisions that are just gutting your team. That sounds like an awful place to be in. So I think that’s the what’s worse.

David Spark

Alright, efficient meetings that are not effective, correct?

Andy Ellis

Yeah.

David Spark

Sujeet, I throw it to you. Do you agree or disagree here?

Sujeet Bambawale

I’m sorry, today I agree.

David Spark

Okay, for the same reasons or different reasons?

Andy Ellis

So I win. Just so you know that’s the way the game is played.

Sujeet Bambawale

I think that, first off, I don’t think it’s a super set problem. I think that you can have an effective meeting which is a part of the meeting’s efficiency. So I don’t think that there are two separate outcomes. But going with the spirit of the question, I think the worst outcome is just having an efficient meeting which closed on time, had the right stakeholders. Somebody took meeting minutes and, if they all agreed that another meeting was necessary on this, it was a very efficient meeting, but we didn’t get to the actual risk outcome and we didn’t use everyone’s time properly. I’m a big stickler on using everyone’s time properly, because I can’t pay to get that back. So the better outcome, and I’m just restating what Andy said, but in a different way, is to have an effective meeting. To have the CISO give the right risk decision. Give people what they actually use their time to collect for, rather than everything else. My caveat for this is, I think effective is a subset of efficient, or should be regarded as one. So that’s my only caveat for this.

Andy Ellis

I like where you’re going on that, and I think Sujeet set an even lower bar than I did, because he’s just saying, if you have an effective meeting that gets nothing done, or an efficient meeting that gets nothing done, replace it with an email that’s a status update.

Sujeet Bambawale

That’s right.

Andy Ellis

Because why would you even waste any time to do nothing? I had the standard of, and you did something harmful, but if you got nothing done at all, don’t bother with the meeting.

David Spark

According to the efficient meeting, something does get done. Some decision is made. It just may not be the optimal one.

Andy Ellis

I’ve had efficient meetings where everybody just has their status update ready and gives a status update. We literally use the threat of those meetings to get people to provide written status updates. I have program managers who’d write to someone and say, “Here’s the date of the meeting. If you can get your status update in 24 hours before, you don’t have to attend.” Because then we can just send it to everybody in an email, and if you have all the people who had to give a status update to send you their status update early, you’ve now got rid of the entire meeting and saved a whole bunch of time for the company.

Sujeet Bambawale

If the consensus is, everyone agrees to have another meeting about it, come on, you’re just wasting company time on that.

Are we making the situation better or worse?

00:21:10:12

David Spark

Are you collaborative in cyber with your direct competitors? I’ve always found it quite inspiring and unique that those who work in cyber security for directly competitive organizations, share security information. While cyber security does work for the business, cyber security professions do see value in being collaborative with their direct competitors. So, I’m going to start with you Sujeet on this; in what form does this collaboration take? Do you actually do this, and how have you seen this gone up since ransomware? And where do you have to draw the line, because you are competitors? So where are you collaborating, where can you not, and how much are you doing?

Sujeet Bambawale

I think this was the only silver lining out of the ransomware cloud. And I’m not saying that the cloud has passed us, but I think that this was the only silver lining. I have been very, very happy with the amount of collaboration that I have seen amongst what could be considered industry competitors, in terms of sharing that intelligence, and in terms of really embracing the notion of that we’re fighting a common enemy. At that point it is not about who gets how many more people into stores and so on and so forth, it is about, okay, let’s share this threat intel. And I’m telling you, this was one of the joys of the last 18 months, because I think it peaked in the COVID months. We had more than a few events that we have chased down, and it was such a pleasure to see multiple folks from different organizations that would typically be considered competitors, come together quickly on a phone call, with just a text message to say we want to talk about this. And just get all of those SOC teams together to talk about threat intel, that was amazing.

David Spark

That was really what it boiled down to, to threat intel. I guess through your type of retail industry it was a unique threat intel, yes?

Sujeet Bambawale

Well it’s important to see if it is targeting us, if it is targeting our vertical. What are they going after? It’s very important to know thy enemy, so to speak. Because if it is targeted, then it’s a concern. If it’s a spray and pray to use an old cliché, well it is what it is. But if there’s any kind of threat targeting in the information security space, it quickly rises to be a concern. So that was one of the biggest positive outcomes, to see all of these people come together and say, okay I see this big area, here’s an IOC, I see that behavior. This is the geo that I see it coming from.

David Spark

Do you truly think this collaboration helped you dramatically?

Sujeet Bambawale

100%. I could not be a bigger proponent of keeping those communities alive.

David Spark

What would have happened if you didn’t have this, how would you have operated?

Sujeet Bambawale

We’d be working in a silo, we’d be working in a vacuum. We would be just looking at the information presented to us, and through advocating partners and so on and so forth. Because there are many partners in this space that say, well this is coming from your industry, but having that actual connection and conversation with people in my field, to say, “Is it really happening at yours?” and getting a, “Yes,” or getting a, “Here’s what we’re seeing.” That makes it very real, and more importantly it lets your team connect with their counterparts at other places, and form those relationships. And going back to what we discussed earlier on this show, it helps them reach out. It helps them expand their circle and be curious.

David Spark

There isn’t fear from security leaders that this much collaboration, staff is going to be stolen from each other?

Sujeet Bambawale

That could happen in any field. And I think expertise always shows through. So whether it is during a threat intel sharing call, whether it is at a conference, whether it is at a research publication presentation, whether it is on a podcast. I think expertise, intelligence and awareness is always going to show through. So it’s not as if those forums are going to accelerate poaching and so on and so forth. So I mean, it is what it is.

David Spark

Andy, I’m throwing this to you. You used to work at an enormous CDN, and did you collaborate with your direct competitors?

Andy Ellis

Absolutely. Sometimes without the rest of the business knowing we were doing it, sometimes with. I’ve got to say, the only place I see non-collaboration as an active thing, is sometimes in the start-up ecosystem. Anywhere that you basically have companies that are locked in a death struggle. They’re running out of money, they’ve got limited room. It doesn’t really make sense for them to invest, and certainly not invest in something that would help a competitor. But we did this all the time and sometimes we had very careful intermediaries to help us negotiate some of the equities. We’ve worked with third party researchers who are just there to help keep the competitors all honest with one another.

David Spark

Can you give me an idea of what are the things? Was it threat intel? What are the kind of things that you’re sharing?

Andy Ellis

Every big botnet that you know the name of. Something like Mirai. All of the CDNs, and frankly most of the network operators got together and we would share.

David Spark

That must be your number one threat, is endless botnets.

Andy Ellis

Oh yes. In fact I’ve had this realization. Last week I was talking to someone and I actually think we became a marketing venue for the botnets, because the only people who could measure the size of a botnet were the really big CDNs and telcos. So if you were a bot herder, you would put together this massive botnet. You would attack one of us, or one of our customers, just so that we would publish the size of your botnet so that you could now market how big your botnet was to all the people who might come and rent it. You’d throw these attacks that we could survive but nobody else could, so why would you attack us? And I had this, “Oh my god, maybe we’re just doing marketing for them.” But we would collaborate with each other, we’d coordinate and when and who was going to publish what research about this joint research we had done. Sometimes the hardest part was when product marketing would get involved and they were like, “I want to jump the gun because I don’t want my competitor to get involved.” Then things turn bad and I would sometimes have to step in because our company brand was at risk with all these third party researchers, that we wanted to be able to collaborate with.

David Spark

Quick question to close this out for both of you. Where is it that you can’t collaborate? This is going to get into competitiveness and we do work for the business, and we can’t collaborate at this level. What is the level that you can’t collaborate on?

Sujeet Bambawale

Anything to do with intellectual property. I think intellectual property creation is one of the core tenets of an organization; it keeps a competitive edge. And if it is something that we’re developing, incorporating has anything to do with how we treat our customer, the customer experience and so on and so forth, anything that can be differentiated. That is the blood, sweat and hard work of all of our people, and I’ll never disrespect that.

David Spark

Andy, your quick line.

Andy Ellis

I’d say the same thing. Mostly on the security type. You’re building a security product. If you’ve got this clever idea that you haven’t brought to market yet, you don’t really want to collaborate around the threat that you’re defending, and give somebody an idea that that’s an interesting threat that they should build a product for.

What’s it going to take to get them motivated?

00:28:26:06

David Spark

On the cybersecurity subreddit, a Redditor asks, is cyber security pretty much just doing paperwork the majority of the time? Now the Redditor was asking because, what was sold to them in cyber is not what they’re doing now. And others clarify that if you’re in a SOC you’re dealing with tickets which could be worse, and if you’re in GRC, you are probably doing paperwork. So my question, and I’ll start with you Andy; this might be odd to ask you since you’ve spent so long in cyber security. Early days, I don’t know if you knew what you were jumping into in general, but were you sold something differently when you started in cyber, and did it meet your expectations? What’s your answer to this Redditor, is cyber mostly just paperwork?

Andy Ellis

I’m going to answer this Redditor with yes, but. And that but is going to be really critical. When I first came into cyber, my first job in cyber was in the Air Force doing information warfare. But when I first showed up at Ofcom I was hired to do security engineering, I’m going to lock down the platform, protect it, and I’m there for three days. And I get told “Hey, by the way we’ve got British Standard 7799 audit starting next week, and you’re running it.” So I totally can empathize with, “Oh, you’re sold one thing,” and all of a sudden I’m running a compliance function that was not what I was told was part of my job, and I ultimately built out a whole function.

David Spark

But that was a lot of paperwork.

Andy Ellis

That was a lot of paperwork. But here’s the deal, there is a lot of paperwork that your organization has to output. That does not mean that your organization needs to spend the bulk of its time on that paperwork. That is work that is scalable and automatable if you approach it correctly. In the same way that SOC ticket handling, if you’re handling the same tickets over and over and over again, that probably means you’re being inundated with false positives, or alerts that could have automated responses. So alert fatigue is real, and these are opportunities for organizations to look at how their process works. If you’re filling out paperwork about GRC, why isn’t a system doing that for you? Why isn’t it keeping track of your documentation and helping your program managers? Because if you’re doing PCI and SOC 2, and HIPAA and FedRAMP, every control should be documented exactly once, and then replicated across all of them. You should not fill out the same statement just because you have four different controls, and 100 different customers asking you questions about it. Automate that work out of existence.

David Spark

Sujeet, you’re nodding your head a lot as Andy was speaking. Going back to early days, did you get what you expected in cyber security or was it a lot of paperwork?

Sujeet Bambawale

I think this is a stair step question, and I think that is like a blind man touching an elephant. Well it feels that way, it feels like we’re touching a part of the elephant and thinking that is all there is to it. I think this is a stair step function. In the early days, way back in my career when I was working on vendorless management and compliance, and so on and so forth, yes it seemed like a lot of paperwork, but it helped me understand the nuances of the trade craft. It helped me understand what a control was. It helped me understand how people could get past controls. What is the right way to exact diligence over any discussion. It helped me understand contract previews, it helped me understand a lot of these things. And then later on in my career, I’m very aware of the fact that if it isn’t on paper, it’s vapor. Because just like us when we look for forensic evidence and we look for a lot of things to say, okay, this is my rock solid, fully fleshed out case; this is my evidence, this is my audit trail, well if you’re lazy and you’re not keeping together an audit trail, then don’t blame the other guy. I think we have to hold ourselves to the same standards that we expect of everyone; that we should document our work, and then we should always look at it in terms of, if I were to be audited tomorrow on what I did, have I left enough footprints? And if those footprints involve some paperwork, so be it. So I think over time I have understood the need for paperwork. I type up a storm as much as anyone else in Infosec, and I understand that this is different for different layers of the career paths. I see it as a learning opportunity.

Andy Ellis

Let me give an example of a place where policy changes can be helpful. We had a system for getting access to our deployed servers, and we had engineers who needed access on a regular basis. Either they’re check listing software or they’re incident managers. And the original process was literally they had to get approval from their manager, an ops lead and a security lead. And we’re doing this for certain people every week, it’s a ton of paperwork. And what we did was, we changed it. We said, what we’re going to do is we’re going to pre-approve these people; it doesn’t need to be everybody but it’s like two dozen, and they’re pre-approved to ask for a grant, and whoever is the supervisor in the NOC can grant it. All they have to do is say I need access, and if they’re asking within this bound, one person clicks yes and it’s done. So we took the paperwork and we intelligently designed it. We kept the footprints that were important to us, but we did notice that we’re doing all of this paperwork and, I was having a hard time because I’m the person who had to approve every single one. I don’t want to have to chase all of these down, and I know this person. Thinking about how to do that, but I’ll be honest, if I hadn’t been the one who was clicking all those steps, I wouldn’t have thought about how to re-write it. And that’s where Sujeet comes back to; when you’ve touched all the parts of the elephant you can decide if what you really want to have is an elephant anymore.

Sujeet Bambawale

I’ll give you an example. Most people in Infosec love the word B1, because it’s like, “Okay, drop everything and do this right now.” I’ve actually moved to a process where all B1s need documentation approval by me, and while they may seem overtly granular, it actually takes the burden away from the team. There’s a lot of shoulder taps and context switching and IMs, and people saying, “Well, you have to do this right now.” But now with that, whether it’s a genetic paperwork process, it takes the load off of them. And they get to say, “Well, nosy CISO wants to approve this, are you sure you want to take it to him?” And then it’s that paperwork that people think, “Do I really want to go to annoy Sujeet, or is this really a B1?” and I think that’s helped give some time back to the team.

Andy Ellis

This reminds me of the 15-minute rule, which a colleague of mine, Matt Ringel was a huge fan of, which said, if you get stuck, before you escalate, now take 15 minutes, and write everything you know down about the problem. Because sometimes in writing it all down you’ll realize you don’t need to escalate, but you will make everybody’s time better if you can hand them a written narrative, even if it takes you more time to write that. You make everybody else’s life cheaper, and that’s a really key thing coming back to our conversation about efficiency versus effective. You’re less efficient, but you’re more effective which increases everybody else’s efficiency.

Sujeet Bambawale

Long time sustainability, yes.

Closing

00:35:48:20

David Spark

On the money. This is great, thank you Sujeet, that was awesome. By the way, I want to thank our sponsor, Vulcan Cyber for sponsoring this episode. Now I’m going to let you have the very last word, Sujeet. By the way, for those people catching us late, it’s Sujeet Bambawale who is the CISO over at 7-Eleven who is joining us as our guest, so thank you very much. My question I have for all our guests is, are you hiring? So make sure you have an answer to that one. But first, Andy, any last words?

Andy Ellis

So Thanksgiving is in two days and I know it’s popular to talk about Thanksgiving. It’s the place you have to deal with all of your cranky relatives who disagree with you politically.

David Spark

And do tech support. I usually end up doing tech support.

Andy Ellis

And do tech support, but I want to come back to the disagreements. I’ve got a challenge if you’re a security professional, because you often have professional disagreements with your colleagues. And the professional disagreement stems from your inability to understand the world they’re in with charity. So if you have a family member, I want you to try to understand their world with charity. Don’t pick a fight at Thanksgiving. Try to learn why they think whatever they think, and try to understand it from a positive and principled position, so that you could better engage with them. And maybe this won’t save your family. But that skill is the one you need to engage with a business owner who’s doing something you think is dangerous. You have to approach them and understand why they think this is the right choice for them, so that you can do better. So use your crazy uncle as a person to practice that on.

David Spark

It’ll keep your blood pressure down as well. Sujeet, can you think of a Thanksgiving tip, or first of all, are you hiring?

Sujeet Bambawale

Sir, we are always hiring at 7-Eleven Infosec, and encourage everyone to check out 7-Eleven Infosec careers page. We’re actually hiring both in the US and in India, and I’d love to see more people from diverse backgrounds, from different domains. We are very open and we’re looking forward to your applications.

David Spark

So if you have fixed an iPhone in a market before, Sujeet wants a chat with you.

Sujeet Bambawale

Yes man.

David Spark

Thank you very much Sujeet. Thank you very much to Andy Ellis as well, and thank you to our sponsor Vulcan Cyber; we greatly appreciate your support. And to everybody else, we greatly appreciate your contributions and listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”
