It’s all risk, all show, for the entire show. It’s just the kind of risk we like to take.
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Derek Vadala (@derekvadala), chief risk officer, BitSight.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, BitSight
Full transcript
Voiceover
Ten second security tip, go!
Derek Vadala
Well if December taught us anything the quick tip is remain agile around patching. We saw this in December, we will continue to see it in 2022, it’s of vital importance.
Voiceover
It’s time to begin the CISO Security Vendor Relationship podcast.
David Spark
Welcome to the CISO Security Vendor Relationship podcast. My name is David Spark, I am the Producer of the CISO Series and joining me for this very episode is my co-host Mike Johnson. He was there on episode number one. Mike, let’s hear the sound of your voice.
Mike Johnson
I was indeed and I hope my voice sounds a little bit better than episode one. But, you know, we’ll see, time will tell.
David Spark
You are more professional since episode one, we both are.
Mike Johnson
Ah yes, professional. That’s it, I’m professional.
David Spark
We’re available at CISOseries.com and our sponsor for today’s episode is BitSight and by the way they sponsored us pretty much exactly a year ago this time and they’re back again doing it again. We love having them back again. Thank you so much. And they’re responsible for bringing our guest, who I’m going to introduce in just a moment, but first I have a great follow up story to tell you Mike. So, you’re going to like this, from our December 14th 2021 show, so just a month ago, the second segment on the show so if people want to go back and listen, we had an anonymous listener who wanted to talk to key stakeholders at their company to discuss risk but needed clearance from the CIO who was not easy to talk with and gets triggered by the word risk. So the listener was asking for ways to get past this barrier. So this listener actually listened to our episode, listened to our advice and then went to go talk to the CIO and here’s what happened. And by the way this listener is the top most person in security at their company.
Mike Johnson
This is cool, I remember this question, I remember really putting myself in their shoes so I’m curious to hear how it went.
David Spark
So, the person went to the talk to the CIO, and again they’re the senior security leader, asked the CIO what his priorities are, what the big projects he’s worked on and where he wants to get to. And the security leader was forewarned that the CIO is not a big talker but he suddenly just started opening up and told the security leader that he knows what to do about every IT crisis but he doesn’t know what to do about security and that scares him. Showed some vulnerability.
Mike Johnson
Alright, great.
David Spark
And from there every conversation was about security from that point on. And the security leader did not use the word risk but definitely got the point across and they’re on very good terms now and actually Log4j actually helped because it got to see the security leader in action. I know the word Log4j and helping does not go.
Mike Johnson
It’s triggering a little bit right now, David.
David Spark
Just hearing that I know. But security leader talked about stakes, explaining like you need to know what’s at stake to know what you’re doing. And so already the security leader has another meeting set up for the following week and by the way the security leader also uses a lot of metaphors to get the point across.
Mike Johnson
Great. No that’s awesome, that is so good to hear. And you know, again thank you listener for sharing the question in the first place and really thank you for letting us know how it went. That’s awesome and congratulations I’m glad it went well.
David Spark
Yes I like the fact that the team here is acting like the Dear Abby for security conflicts if you will.
Mike Johnson
I mean you know, we can do that right? We will protect your anonymity, we will do our best to help you out and then you take it from there.
David Spark
So, if you have more questions, we’d love to help you and we would love to hear the follow up story because we’d love to echo it back. Alright, now let’s get to our guest in hand which I’m very excited about. We’re going to theme the entire episode on risk in honor of that listener who sent it in and also in honor of our guest. And it is our sponsored guest Derek Vadala who is a Chief Risk Officer over at BitSight. Derek, thank you so much for joining us.
Derek Vadala
You’re welcome, glad to be here.
It’s time to measure the risk.
00:04:32:01
David Spark
What security risk is the most severe at this point, asked a redditor on the cybersecurity subreddit. Now there were some snarky answers but everything else was not a surprise. Patching, like what you just said at the beginning Derek, users and compliance issues. Not the most severe with compliance but very complicated. But I think the most notable answer was inertia. Companies not changing and sticking with old technology and processes because either that’s the way they’ve always done it or they don’t have the bandwidth to change the process. Mike, I’m going to start with you. What do you think is the most severe cyber risk and is it the growing/change from something else or has this been a big one all the time?
Mike Johnson
So I’m going to riff off the most up-voted answer in that thread and say I am not going to broadcast my biggest cyber risk.
David Spark
Right, yes [LAUGHS].
Mike Johnson
Especially since this is being recorded. But seriously, this is kind of in that category of what’s worse questions in that there’s so many different risks out there and there are so many right answers to this question. But the one that comes to mind is somewhat related to that inertia thing. And I think about that struggle of knowing where things are and the reason why they’re related is back in the day, way back in the day, data was sitting on main frames. We knew where the main frame was, we could go touch it and that’s where everything resided. But now what we’re seeing, especially over time, is the spreading out of our computing resources, of our data, of our systems, of our applications. The Cloud is enabling this and basically requiring companies to move that direction in order to remain competitive. You kind of have to spread your data around, spread your applications, spread your servers and services around. I think that’s just going to continue and to me not knowing where things are, not knowing what’s in use, again back to Derek’s point about patching, not knowing what applications you have is going to make it really difficult to patch them. Not knowing where your data is it’s hard to know what the risk of that system being compromised if you don’t even know what’s there. So in my mind that’s where I go it’s just that risk of data, application and server and services proliferation across an environment.
David Spark
That is why asset management has taken off. Derek, I throw this to you. You look at a lot of risk from a lot of companies so you probably have like the best birds eye view to the answer to this question, what is the biggest risk that’s happening today?
Derek Vadala
Well I couldn’t agree more with Mike. I think this is an extremely important risk that people are facing but I think I’m going to go the easy route here and agree with inertia. I think the lack of agility that organizations have is really one of the things driving a lot of the issues Mike pointed out and I think that lack of agility, what does it do? It causes organizations to not be able to adapt to change. That means they can’t adopt new technologies fast enough, it means they can’t improve security by leveraging the new security designs and patterns that those technologies have to offer. It means they can’t do things like patch effectively. And what happens, they just build up tech debt over time and eventually they get to a point where it is just not possible, you can’t dig out of it. And that starts fundamentally with the process is in the organization, there’s decision making lack of agility that comes first and it really has a cascading impact throughout the organization, throughout the technology and ultimately on security.
David Spark
I can think of one, but it wasn’t security related, but it was just technology related that I was using a piece of technology that I knew was awful, it had no future and I just had to get out of it and I kept saying “I have to get out of it, I have to get out of it.” When I finally made the decision, which was some heavy lifting, everything was so much easier from that point on. Can you think of, either for yourself or other organizations you’ve seen, like what that one thing or the easy thing that sort of lifts the weight off their shoulders, Derek?
Derek Vadala
I think getting to the point of deciding that you need to make a change is often the thing that scares organizations and leaders and the individual team members that have to address these issues the most. I think once everybody is committed to the change and they know directionally where they want to be then everybody rallies around that change and they can start to move things forward. I think that’s always the hardest part and that’s not just about security or technology that’s sort of about all changes people have to adapt to in life right?
Okay, what’s the risk?
00:09:52:11
David Spark
On Quora, Yuval Ariav, a venture capitalist and founder of Fundbox, answered a question about evaluation a startup’s security protocols. He said “Over the hundreds of meetings as a founder or investor, that question is never asked especially with early stage company.” He said “Early stage VCs don’t care. That’s because (a) young companies aren’t really on anyone’s radar and (b) whatever system the company has in place today will change several times to scale, rendering any existing security related efforts useless.” So Derek, I’m assuming you look at startups. Is Yuval’s statement correct? Do startups’ security change drastically as they grow? Was measuring it’s originally position pointless? Yuval did mention there was one exception and that was companies in regulated environment. But he said the discussion never really went beyond compliance. What say you?
Derek Vadala
I think Yuval is spot on. I think not only have I looked at a lot of startups over the years, I founded a startup and you know, security, technology, hygiene are not top of mind when you’re in there kind of building a business and thinking about revenue and all these other bits. It usually starts out pretty good but it goes south very fast and of course the dirty secret of technology and security startups is they tend to be worse at this stuff than a lot of folks. I was listening to a board member at an event, maybe six months ago, who asserted should companies have a technology and cyber committee and this board member’s answer was “Well we’re a technology company so we don’t need a dedicated committee for security.” And I think point being that’s exactly why you need a dedicated committee for security because it’s the first thing that goes out the window even though people know better. So, I think there are lots of new security design patterns that are just inherent in technologies like Cloud and SaaS. And the good news is that startups are born in the Cloud, they’re using these technologies from the start so their baseline security level tends to be a lot better than it would have been ten or 15 or 20 years ago and so that’s a positive. You know, they tend to be agile with this and I do think it’s getting better over time but it is just not a priority when you’re building something new and you’re trying to sort of think about revenue and product and customers. For me I’m an ex CISO so when I was sort of in the trenches building a startup it was something that was top of mind for me but you know, it is hard to achieve that level of security when you’re in the trenches.
David Spark
Alright throwing to you Mike. VCs don’t care about security for early stage companies but if you’re a company looking at an early stage company and we’ve talked about how it’s fun to work with young early companies, you’re definitely going to be concerned about their security aren’t you?
Mike Johnson
Yes and I think it really will depend on what the startup does. You know if it’s B to C that’s a different situation but if it’s a B to B company VCs really do need to start caring and the reason is because the customers of these early stage startups care. I am not going to go and do business with someone who is fly by night when it comes to security, I can’t take that risk on behalf of my customers and that’s going to be where these early stage startups are going to be hit. In the pocket book they’re not going to be able to get the design partners they want, they’re not going to be able to get those initial logos that then propel them further.
David Spark
Let me just also comment. We’ve talked about this on the show before, big enterprise companies that have strict requirements with working with vendors they may find a start up they love but if they can’t, you know, clear the bar they’re never going to work together.
Mike Johnson
Absolutely and we’ve had several cases where someone within the company has been like “I really want to work with this new startup, they have amazing technology,” and we have had to explain to them the risks and then they end up walking away. That’s something that these companies really do need to start thinking about especially as security continues to be more and more on top of mind. I imagine that Yuval will change his answer in a few years.
Derek Vadala
That’s right and of course everything I just said aside, as soon as you’re in a startup and you get that first customer or that second customer and these requirements become apparent, look you’re now in a fire drill to get these things addressed and pretty quickly and there’s going to be a lot of scrutiny on it so there is a point at which you do have to take it seriously.
David Spark
It’s your own business survival.
Derek Vadala
That’s exactly right!
It’s time to play ‘What’s Worse?’
00:14:54:14
David Spark
Alright, Derek you know how this game is played. It’s a risk management exercise so right up your alley. And the one who has contributed is Nir Rothenberg again. By the way we were talking about creating an All-star list of contributors to What’s Worse.
Mike Johnson
Nir would be on that.
David Spark
Nir would be on the list. I’m thinking Jason Dance would be on the list, Jerich Beasonwould be on the list, trying to think who else? But we have some All-stars who have contributed some great, great ones and here’s another really good one. By the way I always ask Mike first Derek so you get a little bit longer to answer and you can agree or disagree with Mike, but I always love it when people disagree with Mike.
Mike Johnson
That’s true.
David Spark
This question applies to the entire stack, so firewalls, end point protection, application security, monitoring, the whole darn thing. What’s worse? Your entire stack is signature based, so meaning like an anti-virus it scans for file hashes and compares them to a hash list or your entire stack is heuristic based? So anomalies, behavior, what not. Which one is worse? And again it’s a whole stack, it’s either one or the other.
Mike Johnson
No I get it. Like usually what we think about is combining these two and so I really get what Nir’s ad is basically saying, pick one and stick with it. And you then take all the positives and negatives of either of those. And the way that I think about this is signature based systems are useful immediately. You bring them into your environment, you turn them on, they’re going to be finding things, or not, but they will be finding things right away. Heuristic based systems generally have a learning period where it is trying to understand your environment, trying to ‘train it’ into what’s good and what’s bad but over time probably has more value. The question in my mind boils down to are you okay with turning it on and that’s basically the most value you’re going to get out of it ever. That’s the level. Or are you okay with not great at the start but gets better over time? And then there’s somewhere in here that these lines cross. And so for me my answer would be the signature based is the worst because I want to look at the long term. I want to expect that things are going to get better over time. I am an optimist and it really shows and this is one of those areas where it’s going to be painful at first but in the long run is likely the better system of the tale.
David Spark
Alright, good answer. Derek, do you agree or disagree with Mike’s answer?
Derek Vadala
I agree with Mike. I think this is the only way you can really manage just a constant barrage of new attacks, new threat actors, new issues. You have to use the behavioral based option. Signature base, look if you were in a world where you had unlimited budget and unlimited people to just be reacting all day long maybe, but that’s not the world we live in and I think this is the forward looking way to think about this. I’ll just sort of caution one sort of point on this which is when you have something happen like a global pandemic and everyone starts working at home those behavioral based systems have to start over or at least some of them have to start over. So, it’s never a silver bullet but you know, certainly where I would be leaning.
Mike Johnson
Yes and don’t get me wrong, signature based systems absolutely have their place.
David Spark
Again this is the What’s Worse?! Game.
Mike Johnson
The terrible What’s Worse?! Game but you’re absolutely right Derek that everyone hit a reset button on their heuristic systems when everyone went home.
Please, Enough. No, more.
00:18:50:04
David Spark
Today’s topic is third party risk management. Mike, this is by the way a very hot topic for 2021, third parties. So, managing the risk has also been an issue. What have you heard enough about third party risk management and what would you like to hear a lot more?
Mike Johnson
It’s like you said David, pretty pervasive topic especially in 2021 and what I’ve heard enough of is kind of the common practice which is just send out a questionnaire. It’s like 300 questions long, it’s asking everything under the moon that you can think about and then those answers tell you everything you need to know about that vendor. That is the perfect solution. I have heard enough of that. What I really want to hear more of is a data driven approach that is scalable, it is repeatable and one of the things that questionnaires definitely do not capture is continuous. I want to see this updated, I want to know when something is changing rather than on my annual re-attestation. So that’s what I’d like to hear more of.
David Spark
Alright, I am throwing this one to you Derek and I know that BitSight is in this area, third party risk management, so please, please tell us how BitSight handles this differently.
Derek Vadala
Yes of course. So obviously we’re in the data business around third party risk management and we have been for the last ten years. And you know, we think that data analysis around third party risk is really the foundation for how to think about this problem and manage your third parties and kind of move forward the ball in terms of starting to address and resolve this issue. And that’s done by collecting massive amounts of data around observable information about third parties and then sort of connecting them into an Eco-system of risk. And I think there is a place for questionnaires. I think they are useful for things like setting scope and figuring out things like vendor relationships and the risk that they pose to you.
David Spark
Do they need to be hundreds of questions long? I think that’s more the concern.
Derek Vadala
I think it depends on the particular use case and the risk profile. Hundreds to me is a bit overkill but look there are some useful questions and sometimes those questions are not about trying to figure out does this vendor have this issue? Sometimes it’s balancing the answers to those questions off of the actual hard data sets like we have at BitSight and using it to determine if management, you know the people answering the questions, know what they’re talking about. Because sometimes you can use those questions, you know, the data may say one thing management may say something else. And that observation alone is relevant to the risk the third party is posing to you and that’s a governance question and we can validate it by bouncing these things off of each other. And so I do think there’s a use but you have to use the data itself.
David Spark
That’s extremely telling when you do that and I’ve seen this happen many times where there maybe more of a PR spin like I’m going to give you verbally the answer you want even though what we’re doing does not speak to that. And that’s essentially what you’re trying to reveal.
Derek Vadala
Yes put simply very basic question, do you use multi factor authentication for remote access? Yes. Okay, well what about this end point that we found that doesn’t use it? Right so these are things that I think can really surface whether or not there’s a holistic cyber security program in place versus just people sort of doing a check the box exercise with questionnaires. But again I want to emphasize I do think there’s value to questionnaires, they have to be calibrated the right way and you have to understand what signal you’re trying to get out of them and you have to join that with other data sets.
David Spark
Let me ask this because we had another guest on who talked about this and his whole goal was how many questions do I need to ask do I realize I do not want to work with this person? Like I don’t need hundreds I probably can do it under ten or three even. So, I like the fact that you said, “What am I getting out of this? I’m not just asking to just get them to answer questions, what am I getting out of this?” And then more to what Mike’s question was, was how do we make this continuous?
Derek Vadala
Really hard to make questions continuous, I think you can make them event driven right? So, if you think about the issue we’re seeing in December with Log4j that’s a good opportunity to ping a lot of your key suppliers and say, “Do you know about Log4j? Are you doing anything about it? What are you doing about it? When do you expect to have all of your systems identified and remediated?” Then let’s go ahead and bounce that off of other data sets to see kind of how they’re performing against the issue over time. So I think it’s hard to get continuous with questions but you could get to something that’s better than, look, I’m about to sign a contract I’m asking 300 questions and then they go in a file never to see the light of day again. I think there’s an in-between state which says periodically we re-ask a few things and when there’s a major event we go out very tactically and say what are you doing about this event? And maybe there’s some key things about that event that you can join to the other data sets.
Mike Johnson
I have a question. So the event driven perspective that you mentioned triggered a thought. The company I work for we have a lot of customers and they’re sending us questionnaires right now about how are you dealing with Log4j? I’m curious how we as vendors to customers can turn this around and can basically rather than having to field hundreds of inbound questions what signals can we provide back to our customers? How can we communicate to them that no, we got this, we’re in a good state, in a way that they’re going to be able to accept?
Derek Vadala
Yes great question Mike, I had to deal with this a few times back when I was the CISO at Moody’s. And I think there’s a pretty simple answer, you know, back when we had I think Shell Shock and a couple of the other vulnerabilities, I think that was around 2017, 2018, what we did is as soon as we became aware of this issue we prepared a statement about it and we put a banner on the website that said, look if you have questions about this particular issue click here. And then the customers would get a web page that said we’re aware of this issue, here’s what we’re doing about it and we will provide some updates here as things progress. We’re in this just like everyone else but we are committed to resolving it. And I think there are going to be some customers who still want a questionnaire filled out but I think that goes a long way to driving some credibility in your response.
What’s the best way to handle this?
00:26:15:02
David Spark
Do you and your board know how resilient you are to a cyber attack? In an article on CSO Online, Jaikumar Vijayan had a list of board issues every CISO should be able to address. And I want to pull one out, cyber resilience. The board wants to know what key business services are exposed to cyber risk? This seems like the most basic conversation that needs to happen. Mike, I’ll ask is it, and how difficult is it to come to a conclusion and build a security program around just business resilience?
Mike Johnson
So first off you should certainly be talking with your board about risk. That right there is the number one thing they want to know from a CISO. They want to know what is the exposures? They want to know what you’re doing about it and most importantly they want to know that you know what the risks are. They want to know that they can trust you as a CISO. And related to that is talking about cyber resilience. The way that I think about cyber resilience it’s how your organization will face attacks and how it’s going to either look at it as almost equal parts prevention and preparation for responding when they happen. That you’re ready is really the resilience side of it. And I think right now we actually see a lot of programs focused too heavily only on prevention. Just try and stop everything. And they’re not prepared for the attack. They’re not ready, they don’t have an instant response plan or they have one and they haven’t tested it. And so when it happens that’s when they’re testing it and that’s when they find out that it’s a bad plan. And so it’s really valuable and important to prepare for the inevitable and that’s what cyber resilience is in my mind and I think that’s also a good way of talking about bringing it back together. That’s how you talk about the risks. This is what we’re doing to minimize this risk both on the prevention side, and then on the latent risk that you cannot just make go away that then is on the preparation for the attack and how you’re going to deal with it when it happens.
David Spark
So Derek, throwing this to you. This resilience discussion I mean as Mike said most people talk prevention but do your measurements, or what BitSight do, sort of give an understanding or a score or an explanation to what a third party’s resilience is?
Derek Vadala
First of all let me just kind of frame the way that I think about this. The first thing you need to consider when you’re thinking about resilience I think is exactly as it’s put here which is what are the business services that you need to have continuously operating or recovered within a certain time frame that you’ve defined as acceptable in order to continue operating, servicing customers, generating revenue, delivering on all of your other applications? And I think security program CISO’s need to start at that part. They need to be thinking with the business what are the cyber event scenarios that could have a crippling effect on us and what are we doing to address those specifically? So if you’re not starting the conversation there I think as Mike put you’re just sort of funneling money into prevention and you don’t really know what that bad day could look like and you don’t really know how it’s going to impact the business. So I think that’s number one. I think at BitSight we’re looking at some very specific aspects of a company’s security performance over time. I think there were some insights that people can draw from that on resilience and I think probably the place you can draw some insights is really about organizational agility. So one of the things we measure is performance of organizations resolving security configuration issues, right? That’s a bit of a proxy for thinking about if you do have a crippling cyber event, how fast are you going to be able to respond and recover to a point where normal business operations can resume? So I think all security programs need to think about scenario planning and I think it’s one thing we just do not do enough of.
David Spark
Agreed. And that is a very good place to stop because that’s our advice to our listeners. Start doing more scenario planning, more table top exercises but more around if this happens how do we lessen the damage or withstand the damage and keep running? Which is really the story you want to be able to do and what are all the things doing? And actually test it, like how many people actually test their back up systems to see if it’s actually backing up anything? Which sometimes it tells you it’s backing up but unless you test it you don’t know. Alright, Derek, thank you so much. I’m going to let you have the very last word here and I want to thank your company BitSight for sponsoring today’s episode and being a phenomenal sponsor of the CISO series. But first, Mike.
Mike Johnson
Derek, thank you for joining us. I enjoyed the conversation, what I really liked was how you weaved risk into everything.
David Spark
I set that all up, Mike.
Mike Johnson
Well I want to give our guests credit for that, David.
David Spark
I do. We made a risk themed show.
Mike Johnson
Yes. But it wasn’t forced. The answers were very, very natural and you were talking about risk and I appreciated that. But one of the things that I think really stood out to me was in the discussion of our last segment. You had said something about the speed at which an organization can fix an identified security issue and using that as a proxy for how agile is the organization? How in some cases mature is the security program? And I think that was a light bulb for me and I hope it is for our listeners to really think about that speed of remediation as a good indicator of capability. So thank you for that nugget and thank you for the overall conversation and I really appreciate the discussion of risk so thank you for joining us Derek.
Derek Vadala
Thank you Mike and thanks David, really appreciated being here and look we’re here to help at BitSight. We have, I think, some great products that can support organizations both on a third party risk management perspective but also for your own security performance management where we can help you gain insight into things like how agile is the organization around fixing and remediating security issues? And I think that’s not just a telling piece of information for security it sort of says a little bit about the organization’s technical and change management agility as well. So we’re here and we’re happy to help.
David Spark
Excellent and Derek the question I ask all our guests is are you hiring?
Derek Vadala
We are hiring, we are hiring a lot. Please check out our website www.bitsight.com. The career’s page has everything you need to know and feel free to reach out to me personally if you’re interested. I’m on LinkedIn and I am very responsive.
David Spark
Excellent. Now I just want to say that I loved the only part of that that you spelled out was the www, didn’t choose to spell out the BitSight. B-I-T-S-I-G-H-T.com. By the way, with every company now you never know it sounds one way and it’s spelled with three zs, four qs and a p, you never know. But BitSight is actually spelled kind of the way you would expect it to but there are two different sights, S-I-T-E and S-I-G-H-T, this is one is S-I-G-H-T.com. B-I-T-S-I-G-H-T.com. Thank you again Derek Vadala who is the Chief Risk Officer over at BitSight. Thank you very much Mike and thank you to all our listeners for your contributions and for listening to the CISO Security Vendor Relationship podcast.
Voiceover
That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”