What Kind of Challenges Do You Foresee In Firing Me?

This show was recorded in front of a live audience in New York City!

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and a special guest host, Aaron Zollman, CISO & VP, platform engineering, Cedar. Our guest is Colin Ahern, chief cyber officer for the State of New York.

(L to R) David Spark, producer, CISO Series; Aaron Zollman, CISO & VP, platform engineering, Cedar; and Colin Ahern, chief cyber officer for the State of New York.

HUGE thanks to our sponsors OpenVPN, SlashNext, and Votiro

Take the cost and complexity out of secure networking with OpenVPN. Whether you choose our cloud-delivered or self-hosted solution, subscriptions are based on concurrent connections, so you pay for what you actually use. Start today with free connections, no credit card required, and scale to paid when you’re ready.
SlashNext, a leader in SaaS-based Integrated Cloud Messaging Security across email, web, and mobile has the industry’s first artificial intelligence solution, HumanAI, that uses generative AI to defend against advanced business email compromise (BEC), supply chain attacks, executive impersonation, and financial fraud. Request a demo today.
No matter what technology or training you provide, humans are still the greatest risk to your security. Votiro’s API-centric product sanitizes every file before it hits the endpoint, so the files that your employees open are safe. This happens in milliseconds, so the business stays safe and never slows down.

Full transcript

[Voiceover] Best advice I ever got in security. Go!

[Colin Ahern] Good organizations do routine things routinely, but they keep in mind that the initial report is always wrong. If you’re lucky, the initial report is only wrong because it’s incomplete. But in a typical situation, the information is wrong because someone, either an adversary or someone trying to protect their own career or job, is actively lying to you.

[Voiceover] It’s time to begin the CISO Series Podcast – recorded in front of a live audience in New York City.

[Applause]

[David Spark] Wow! That is an audience! All right, that is one awesome audience. Thank you very much, New York! My name is David Spark. I am the producer and the host of the CISO Series. We can be found at CISOseries.com. I want to mention my co-host, who’s a guest co-host, who’s sitting to my immediate left here. It is Aaron Zollman. He’s the CISO and VP of Platform Engineering over at Cedar. Let’s hear it for Aaron!

[Applause]

[Aaron Zollman] Good evening, David.

[David Spark] Thank you very much. And I also want a huge thanks to our sponsors today, all regular sponsors with the CISO Series. We love that they’re sponsoring our New York Show. Let’s hear it for OpenVPN, SlashNext, and Votiro. Thank you so much.

[Applause]

[David Spark] They’re the reason we’re here, they’re the reason you’re here and all that. And as I mentioned, we’re in front of a live audience in New York. You are a 10-year resident now, Aaron, in New York?

[Aaron Zollman] Ten years I’ve been here, from Manhattan, Brooklyn, it’s been great in the city.

[David Spark] All right. I’m actually going to bring in our guest today because I want to ask him about his New York experience. It is actually the Chief Cyber Officer for the State of New York, so Connecticut can screw it.

[Laughter]

[Colin Ahern] We love Connecticut, for the record.

[David Spark] You do? You do love? It’s Colin Ahern. Let’s hear it for Colin.

[Applause]

[David Spark] Colin, you said you are a four-generation New Yorker?

[Colin Ahern] Correct.

[David Spark] You have kids who are now five-generation New Yorker.

[Colin Ahern] That’s right. A member of my daughter’s family has been living continuously in the five boroughs since the 1840s.

[David Spark] Do you know what your oldest generation did here in New York?

[Colin Ahern] I do actually. They were a Hansom cab driver, so like a cab driver, but when it was a horse.

[David Spark] Oh. That’s very, very cool. That’s awesome.

Why is everyone talking about this now?

2:43.417

[David Spark] All right. The Biden administration is very skittish about cloud providers and how they’re securing our information. Now this according to an article by John Sakellariadis in POLITICO, which pretty much lists off everyone’s concerns about cloud providers. This mishmash of concerns, such as multiple disruptions from one attack, foreign adversaries utilizing their services, and the separation of cloud from cloud security. So, luckily, the FTC is open to our thoughts on this issue. They’ve posted a form asking for comments on their request for information about cloud computing providers. So, I’m going to actually start with you, Colin, on this. So, what’s your advice for the FTC? What doesn’t the government currently know about cloud providers that they should know? I mean, cloud providers are playing along, I should mention, but they do have regulations to work with federal agencies and banks. I’m not getting the sense that there’s any magical information that’s going to put anyone at ease. What’s missing here?

[Colin Ahern] I think a couple of things. One, compliance and regulation is not the enemy. Two, we all want a more predictable, more stable, more resilient ecosystem. What we’ve seen certainly at the State from our Department of Financial Services and other regulators, the SEC, if you look at recent S-1 statements, public filings, many corporations are listing concentration risk, cloud risk, as a key risk for their business. So, not only do we as a society, as a country, need to focus on resilience of our services more broadly, but we want to work with the private sector to understand what are the outcome based, what are the security and resilience outcomes that we want or need from our cloud providers.

And I would say also know your customer. We have situations in which adversaries are trying to skirt economic sanctions or other export restrictions via the cloud. That’s obviously a concern for the Biden Administration. And obviously, one example, semiconductors. Obviously, New York has a very unique place in the semiconductor industry. Over the summer, Micron, which is a maker of memory chips, announced a $100 billion semiconductor fabrication facility that’s being built in Upstate New York outside of Syracuse. So, these are real capabilities that really matter to not just New Yorkers in the jobs that will be created, but to businesses that need to manage their own workloads in the cloud, that need access to the things that cloud providers can and do provide that are of tremendous benefit to the United States and her allies.

[David Spark] Aaron, what are they missing here?

[Aaron Zollman] So, I think there’s this fear of concentration for the big cloud providers, and I get that, but I think there’s one thing that maybe people are missing, which is that the hyperscalers are actually better at a lot of things than people even one click down, and the hyperscalers do really well at responding to incidents. They’ve built pretty powerful internal teams. I read I think the POLITICO article that you referenced, and one of their comments was, “We don’t know what’s going on inside the cloud providers, we don’t know what they’re doing for security,” and I don’t buy that at all.

[David Spark] There’s been this sort of like attitude for those who don’t know, like, what are they doing, but there is a good amount of insight you’re getting.

[Aaron Zollman] There’s a ton of insight that they talk about publicly, and more than that. Like if you build a relationship with the cloud providers, you can actually learn a lot more. It might be you need a deeper contractual relationship; you need a reason for them to trust you and talk to you. But it doesn’t have to be a large amount of spend, right? One of the things that I do is I work with a bunch of other security engineers, and when we together ask questions of Amazon, we get much better answers because we come with details and they believe that we know what we’re talking about. That used to be maybe harder to do, but I think these orgs are much more approachable. You can learn kind of what they care about and how it’s evolving. So, I hope the government does that. I will give the cloud providers one bit of criticism which is software people are much quicker to announce CVEs, talk through what they’re doing. Cloud providers don’t really have a good way of doing that and so the community’s kind of had to build its own way of talking about and communicating vulns.

[Colin Ahern] I think another thing that’s interesting is, and Mike Aiello, formerly of Google Cloud, now of White Ops I believe, has something called “the unverifiable trust surface.” One of the things that regulation typically does is step in when there’s information asymmetry, such as between a provider and a buyer, so one of the things that obviously the cloud providers are currently very well incentivized to do is to reduce this unverifiable trust surface. And one of the things I think that Aaron just mentioned is not just industry groups, but also the government, the government as a consumer, for example. FedRAMP, the Federal Risk Management Program, and other things – StateRAMP and DoD IL4 and DoD IL5. If you’re using a cloud provider and they ascribe or they represent to you contractually that they’re meeting these, they have in fact meaningfully reduced the unverifiable trust surface because obviously there’s, in this case, the government as a buyer saying, “You must be this tall to ride this ride. You need to do the following things in order to receive my information.” And so that has I think second- and third-order effects that are positive for the overall marketplace.

Pay attention. It’s security awareness training time.

8:06.160

[David Spark] So, on this show we stress the importance of cybersecurity being everyone’s responsibility. Unfortunately, that feeling is not pervasive in government according to Ivanti’s recent Government Cybersecurity Status Report. Some highlights from the report: Only 19% of US government employees think their actions matter to company security, and I should note that the global average is 34%; 17% of employees don’t feel safe admitting to a mistake; 36% did not report a phishing email; and sadly, this one is a big ouch, 21% don’t care if their organization gets hacked. Oh! The apathy! And what’s worse is younger people care even less on this. So, yeah, this is not good. So, is this behavior the function of working in government, or is there something else going on here? And I know you’re in government, Colin, but I want to ask you first, Aaron.

[Aaron Zollman] Well, I used to be in government. I don’t know, I kind of want to go on rant mode here a little bit.

[David Spark] Please do.

[Aaron Zollman] Is this a safe space for rant mode? The argument about phishing tests just kind of sets me off a little because this feels to me like something that the industry has done to ourselves. We say security is everyone’s responsibility, but then we give them barely actionable advice and long, boring compliance trainings. What do you expect to happen? There’s even research out there that shows that phishing tests are ineffective, cause people to be more likely to click on things.

[David Spark] By the way, the person who normally sits in your seat, Mike Johnson, doesn’t do any phishing tests at all.

[Aaron Zollman] And neither do I. I spend a disturbing amount of time having to respond to security questionnaires and explaining why I won’t do it. We have a one-pager up. We’ll move on for that. But your clicker’s going to click and it poisons the relationship with the sec team. I think the important thing to think about is how do I communicate security needs and communicate security knowledge in a way that is clear and enabling an understanding of what their job is. Some people’s job is literally to click on emails. Like, don’t tell them not to click. That’s not going to work.

[David Spark] By the way, do you think in any way this is unique to government?

[Colin Ahern] No. No. I’ve been in and out of government for – I don’t want to age myself – but the last 20 years. From academia, teaching, teaching overseas, finance here in New York, other places, and I would say no, it’s not unique. We do have to build processes that are responsive to a reality, which is that different people have different responsibilities but everyone has some responsibility. And in particular, when we deal with security incidents, we want to be cognizant of the fact that we really want to educate a stakeholder, be they an executive or a Help Desk engineer, that they need to be thinking about three things. Number one, what are the immediate actions I need to take. Two, what are the short-term strategies that I or my organization, my team, whoever needs to take in order to cure this event, to escalate this to an appropriate party, what have you. And three, everyone should have a voice in the long-term strategies of their organization to get better over time.

And in particular for government, we invest in people. One of the things that a career in the Civil Service offers you is education, training. Not just a job but a career. And so we want to be part of teams that people feel are safe psychological spaces for people to make mistakes. And we should assume that people because they’re tired, because they’re hungry, because it’s stressful, are going to make mistakes, and we have organizations teams that we have at the state in our building and via .gov/jobs that are places where we have your back. And I think that’s an important reality that people need to feel appropriately held accountable for when there are errors of omission or commission that are lapses of judgment – moral, ethical, or legal. But also a situation in which an honest mistake isn’t going to be one that’s dealt with in an unfair way.

[Aaron Zollman] People know when they’re being supported and people know when they’re being held to “gotchas.” And CISA just this morning released a paper about secure by design and shifting responsibility, like towards the designers and manufacturers, to building things that are easier to secure. Like why release a hardening guide when you could instead release a loosening guide? Makes perfect sense the first time you hear it. And so to me, that’s one of the things that’s really cool, and so I look at people who’ve released products like Netflix’s Stethoscope that gives people information at the moment they need it, and even internally we try to do that. We use a SOAR platform to give people just like one little nudge at the moment something happens. It’s far more effective.

Sponsor – OpenVPN

12:56.311

[David Spark] We have many sponsors for today’s episode but let me tell you about one of them – OpenVPN. So, do you think providing zero-trust access to applications is a complex and tedious task? Well, not with OpenVPN solutions. OpenVPN offers two powerful network security tools. Their self-hosted solution that’s called Access Server, and their cloud-delivered solution, CloudConnexa. So, with CloudConnexa from OpenVPN, patent-pending technologies allow you to deploy software connectors wherever applications are hosted, even in networks with IP address overlap. Now, identity-aware application access is provided without the need for complicated IP routing configuration. And CloudConnexa segregates trusted internet traffic and has built-in content filtering and IDS/IPS to minimize your attack surface even further.

And if you’re looking for a reliable self-hosted solution for secure network connectivity, Access Server by OpenVPN provides active-active clustering for high availability and scalability. Economical per connection pricing is available for both solutions. That’s per connection, per use. But you can get started right now for free and see for yourself how easy it is to set up and manage your network. Just go to their site. Visit openvpn.net to learn more.

It’s time to play “What’s Worse?”

14:41.405

[David Spark] Our “What’s Worse?” scenario here is brought to us by Osmand Young. So, those of you who are regular listeners of the CISO Series Podcast know that this is a pseudonym. And Osmand, he says here that he works for SeaTech Astronomy, again, a made-up company, but he writes these unbelievably creative scenarios. And this is a good one. It’s long, I’m warning you, so hang tight, and there’s three options here. Normally in our “What’s Worse?” scenarios there’s only two options and it’s a risk management exercise. So, keep in mind all three of them stink. You just have to figure out which one of the three is worse. So, here we go.

For 12 months, you have been CISO of a small nonprofit organization that provides life-changing services to people throughout the world, and you feel strongly about keeping its mission going. However, through no fault of its own, your organization has recently drawn the ire of a hostile nation-state that persistently attacks the network. Due to needed improvements in security architecture over the last year, you have successfully warded off these attacks, but your organization does not yet have a good backup or DR, disaster recovery, strategy. So, if attackers got on the network, they could wipe out the entire organization with no hope of recovery.

Now, here’s the kicker. Tomorrow, a research firm with this nation shocks the world by revealing they have solved the remaining technical issues with quantum computing and have created a working supercomputer able to break the strongest encryption algorithms in less than 10 days. Abruptly, the world finds itself in the post-quantum era and none of the proposed post-quantum encryption algorithms are ready for implementation yet. Your board of directors needs recommendations on what to do now. Here are your three plans. One, disconnect everything from the internet.

[Laughter]

[David Spark] And go back to pre-internet operations until post-quantum algorithms can be implemented. This will effectively shut down the organization for months but it will be on your terms and you will be able to scale back up in the future once you are ready. Two, begin aggressively rotating encryption keys and passwords for everything once a week. This is both expensive and a complicated process, and even though you will remain operational, this will stretch the limited resources of the nonprofit and cut deeply into its ability to carry out its mission. And the last, accept the risk. You hope the nation-state has bigger fish to fry with their new tool before they get to you. In the meantime, you will begin aggressively working on a disaster recovery strategy. Aaron, you’re up first, what’s worse?

[Aaron Zollman] I think the worst thing is rotating encryption. It’s a lot of work, a lot of detail, and if you screw it up once, you’ve lost a lot of access to your network. So, depending on what you’re worried about, one or three makes sense to me. I would not want to compromise assets in the field, so number one is probably my first choice.

[David Spark] Hold it, wait. Number one is disconnect everything?

[Aaron Zollman] Disconnect everything. If I’ve got people at risk doing service…

[David Spark] That’s the worst?

[Aaron Zollman] Oh, no. That’s probably my best choice.

[David Spark] That’s your best. So, the worst?

[Aaron Zollman] Worst one’s number two.

[David Spark] Okay.

[Aaron Zollman] Number two. I apologize.

[David Spark] The game’s called “What’s Worse?” not “What’s Best?” All right. But there is nothing best here. Okay. Number two, rotating. How do you feel about this, Colin?

[Colin Ahern] I think there’s a couple things. The question that I would ask myself, number one, is: do we know, as cryptographers and people who love applied mathematics like me, that the encryption we’re using has a feature called “perfect forward secrecy”? Because that would substantially change my impression of both the feasibility and the outcome of rotating our keys. Why? If we achieve perfect forward secrecy, we could, by rolling the keys, in fact be protecting ourselves on a net-net basis for the rolling seven-day period. If that’s not true, then rolling the keys is actually just Kabuki theater and we don’t want to do that. Assuming that we have encryption with perfect forward secrecy, which is, again, a big assumption. If we have legacy things or other things, that won’t be true, but let’s assume it is. So, then two might be feasible and desirable.

[David Spark] So, you think it’s the best where he thinks it’s the worst?

[Colin Ahern] I would say it might be the best; however, I think accepting the risk is probably the worst thing here because the way the scenario’s set up is this is not paranoia. These people are really after you. We have foreign nation-states supporting the Ukrainians against the Russians’ disastrous war of choice, other elements throughout the world, there are absolutely nonprofits doing God’s work in horrible places, and so it is a very real outcome. We know that foreign nation-states that wish to harm the United States and her way of life are out there and are actively trying to do this. So, I would think accepting the risk is tantamount to Russian roulette, pardon the pun.

[David Spark] All right, all right. So, you think number three is the worst; you think number two is. Three being accepting the risk, number two rotating encryption keys. You in fact think that might be the best option. Number one, disconnect everything, neither of you thought was the worst. All right. Now we’re going to go to the audience. Remember, number one is disconnect everything, two is rotate encryption keys, and three, accept the risk and just hope you won’t get fried. So, by applause, again, what’s worse, not what’s best. By applause, how many think disconnecting everything is the worst option? Nobody thinks that’s the worst?

[Light applause]

[David Spark] Wait. A few. We’re getting a smattering, about three or four here, okay. Number two, aggressively rotating encryption keys. Is that worse?

[Applause]

[David Spark] All right. And the third, accepting the risk.

[Applause]

[David Spark] All right. A lot of people didn’t vote, I just want to point out, you have to actually play in “What’s Worse?” All right. I got one more “What’s Worse?” scenario for you because we got a little bit of time to do this. All right. This one comes from me. I came up with this “What’s Worse?” scenario, it’s far shorter. What’s worse, and actually, I’ll have you, Colin, answer this one first. What’s worse, realizing you don’t have a single good backup and it’s going to take you a month to generate at least one good one thus leaving you vulnerable for that period, or you’ve got an intruder who’s snooping around your system but nothing has happened yet. What’s Worse?

[Colin Ahern] Probably the first.

[David Spark] First? Not having a decent backup and it’s going to take you a month? Why is that worse than having an intruder and nothing’s happened yet?

[Colin Ahern] Well, I think that if we’re in a post-zero-trust world, I think we’re assuming that any one endpoint in our network very well might be compromised, and to me it’s worse to not be able to look an executive in the eye and say, “Should something bad occur, we could recover from it.” Saying that a person is or is not here and may or may not be doing nefarious deeds, that’s Tuesday, or Wednesday, whatever it is.

[David Spark] Okay. All right, all right. All right, how do you feel?

[Aaron Zollman] Obviously it depends on the details and where in the network they are, but let’s assume that it’s in someplace bad. I’m going to pick the intruder in the core. And I’m going to pick that mostly by reliance on my day job. I deal with a lot of sensitive health data and my job is helping hospitals bill. We lose those bills for a couple of weeks, get data from the hospitals, I think people are going to be all right. We lose patient records, it’s really bad. It actually causes bad outcomes for real people. So, the intruder is the thing I worry about.

[David Spark] All right. Now by applause from the audience, how many people think not having a backup – again, split decision here, I like that – by applause, how many think not having the backup is worse? By applause?

[Applause]

[David Spark] And shanking ahead right here. By applause, having an intruder but they could do something too. Is that worse?

[Applause]

[David Spark] Ever so slightly more on that one, I think, ever so slightly more.

Sponsor – SlashNext

23:03.261

[David Spark] All right. The rising use of AI tools and automation to deliver fast moving cyber threats has rendered email security that relies on threat feeds, URL rewriting, and block lists ineffective. So, combine these new tools with the way people work using multiple devices, communicating and collaborating outside of traditional security defenses, users are more exposed than ever to cyberattacks. The cyber criminals know that most email has at least some protections in place and have therefore been turning their attention to alternative forms of messaging like SMS or smishing. This trend, combined with the fact that employees increasingly use the same devices for both work and personal purposes, has accelerated phishing by – get ready for this – a whopping 61% compared to last year.

Our sponsor SlashNext protects the modern workforce by stopping business email compromise, credential theft, account takeover, scams, malware, and exploits using patented HumanAI technology to stop zero-hour attacks using generative AI, relationship graphs, contextual analysis, natural language processing, and computer vision with 99.9% accuracy and a one in a million false positive rate. In addition, SlashNext LiveScan scans URLs and attachments in real time to fully render content and apply multiple machine learning classifiers to detect and block threats in real time. For more, you got to go to their website, check them out at slashnext.com.

Is this the best solution?

25:00.182

[David Spark] I am talking about ChatGPT. Is that the best solution? All right. So, two weeks before this recording, Microsoft rolled out a preview version of Security Copilot, it’s a ChatGPT-powered tool to automate cybersecurity tasks. According to Microsoft, this product will simplify and make sense of threat intelligence, also correlating and summarizing data on attacks, plus prioritizing and making recommendations, as reported by Ryan Naraine in SecurityWeek, who also noted, “Cybersecurity experts are already using generative AI chatbots to simplify and enhance software development, reverse engineering, and malware analysis tasks.” SecurityWeek says we will probably see similar offerings from Cisco, Palo Alto Networks, and Google. I’ll ask both of you, but I’m going to start with you, Colin. Have you used ChatGPT for any security efforts? I can give you one example. I know of one CISO who used it just to write the first draft of his security program. What have you done?

[Colin Ahern] We have not. We’re exploring the offerings in the marketplace. I think there’s some pretty significant questions that have to be answered, both as a society… I think it was two days ago, from two days before this recording, the Department of Commerce opened for a 60-day comment period about the future of AI and generative AI technologies generally. It’s actually a good treatment of some of the questions, so I think if you’re curious, go to the Department of Commerce to learn more. I would also say as we look towards the future, I think very probably the next 10 to 30 years are going to be defined by people that can use this technology but also do three things. One, do it safely. Two, do it in a way that’s sensitive to the kind of domain of problem that they’re dealing with. Not all problems lend themselves to all solutions, and it’s very probable that ChatGPT lends itself to very many fine problems. But the technology is moving I think at an extremely rapid clip. It is very impressive. I think that if you’re not paying attention to ChatGPT and generative AI, you absolutely should be as a security practitioner.

I’d also say that we have 700,000 security jobs open in the United States. And like I mentioned before, the state is significantly adding to its cyber workforce from a Civil Service perspective. So, we do think that there is very probably a future in which the government wants to take advantage of cutting-edge tools, in particular for things to increase, say, explainability for benefit programs. There are things that they simply do not lend themselves to solutions that don’t involve a computer, and we already have, for example, chatbot-enabled government sites. We already have situations in which the government… We’re trying to explain to our citizens, our residents, and our visitors how a program works and how you can get a benefit. Maybe there’s a future in which a ChatGPT or another generative AI can increase the explainability, increase the depth of understanding of someone trying to take advantage of something that is their benefit.

[David Spark] All right. Have you done anything, Aaron, to see a benefit, a use of it in security?

[Aaron Zollman] Nothing in production but we’ve tested some things, and I’m pretty excited about it. It seems to be really good at classification tasks, kind of assisting people. I think the thing that’s been most useful in a development sense has been help me find an expert. Trying to Google and understand expertise of 50 different things that I need to understand is really hard. ChatGPT usually is a good enough starting point to help to understand, so I’m pretty bullish on it. I mean, what did we just talk about around trying to make things more targeted and directly attaching to people’s jobs? This is what ChatGPT seems to be good at, so I’m pretty excited about it. But no, we’re not in production with anything yet.

[David Spark] There’s also sort of the negative fear and in fact, actually, there was a question here. Mike Wilkes of NYU had this question. I was going to save it for later in the show but it’s appropriate to bring it up. How do we embrace this generative AI rather than just fearing it and banning it?

[Aaron Zollman] Well, I think we need to be thinking about probably roughly three things. Number one is safety. What can the tools do, who has access to them, how do we know that they’re being used in ways that are safe and beneficial. One is safety. Two is explainability. There are situations in which we’re, and I think everyone is rightly concerned about, in general the use of algorithms and other algorithmic technology for significant decisions. Explainability is a key feature in many ways of certain algorithmic systems; however, generative AI is, at current understanding and current technology, not one that lends itself generally to explainability, although I would say all of the major players are working very significantly in that direction. And then three is privacy. There are very real privacy, copyright, artists, creators whose data is being trained upon, and was it an informed consent? How these things have acquired and, in some cases, used things that public domain/not public domain are questions that very probably we need to answer before we fully embrace them as a society.

[Colin Ahern] I think the most important thing for us as security people is to understand that not all generative AIs and not all generative AI workflows are the same. Using a pre-trained model on your own systems versus calling into an API that might be learning versus fine-tuning something that exists, these are all different processes. Using a SaaS product built on AI is a whole other kettle of fish. And right now, those things are all getting conflated.

They’re young, eager, and want in on cybersecurity.

30:46.222

[David Spark] So, we have a room full of security professionals here with varying degrees of satisfaction with their current job. Am I right on that? Yes, okay. On the cybersecurity subreddit, a redditor offered some tips on getting a job interview, and one tip included a list of questions the interviewee should ask at the end of the interview. Now, a few of my favorites, here they are, three. If you hired me today, how would you know in 3 months’ time that I was the right fit? What qualities seem to be missing in the other candidates you’ve talked to? And what kind of challenges for the department do you foresee in the future? So, I’m going to start with you, Colin, on this. What do you think of these questions and how would you answer them if actually a candidate asked? And do you have any other questions you’ve heard from candidates that you think are better?

[Colin Ahern] Well, I think the state, like I mentioned before, and government in general takes a unique perspective towards its workforce, the Civil Service, and in fact the state expects to train you. We have formal mentorship programs, we have experience in education Civil Service examinations, we have the State Police Academy. So, the state has, New York State in particular I think, has a unique capability to grow, manage, retain, retrain and reskill a workforce. That aside, I think generally speaking, at a certain point, certainly at the elite levels and I think many of our government organizations, all of them, are really elite organizations, and that’s what security teams are at really the places in which they operate, and everybody’s smart and everybody works hard. And how hard are you to work with? And how hard is it for you to learn something new? And how seriously do you take training? How seriously do you take professional development? So, I think those are some of the things we look towards.

And really, we want a triple threat. Everybody wants a triple threat. They want someone with, A, domain knowledge. There’s a certain class of problem, there’s a certain kind of thing that this is what we do here. And that varies. We have the Division of Homeland Security and Emergency Services that are responding to multiple hazards across the state each and every day. That’s the domain. We have the state police, the New York State Intelligence Center, they’re the state’s counterterrorism fusion center, that’s a unique domain. So, there’s certain domain knowledge that’s required.

Two is technical skill. I think everyone is looking for people that have certain technical skills, so a quantitative background. But writing is a technical skill. We’re looking for communicators, we’re looking for writers, we’re looking for policy people, we’re looking for experts, we’re looking for programmers. And then three is a strategic outlook. So, really, can you see the bigger picture? Because that helps you. Like I mentioned before, we need people who understand what are the immediate actions, what are the short-term mitigations. How can you, even at the lowest level – and we don’t use the word “low-skilled,” I don’t believe that that exists – how do you contribute even as an individual contributor to the long-term strategies that need to make an organization. Because security changes every day.

[David Spark] All right. So, have you heard these kinds of questions before? And you heard anything better and did you like these questions?

[Aaron Zollman] I think they’re great questions to ask. I think the things, to lean off on what Colin said, is the skills that are missing, the skills that are the hardest in some ways to develop are the technology of writing and the technology of learning. Any individual technical skill is going to change five years from now. So, the question that I love to ask in an interview is what made it hard. So, I look at a project you’ve done recently and I ask you to tell me what the difficult parts of it were. And that really helps you crystallize your analysis but also show that you pushed through, overcame it, and understand what the value is. If you can apply that repeatedly, the tech skills will come.

Sponsor – Votiro

34:41.270

[David Spark] So, I do not need to tell this audience, but we all know that files are the lifeblood of business, and your employees will open the files they need to do their jobs, that’s just how business works, and they’ll do it whether they’re safe or not. So, Votiro ensures your employees only open safe files. With Votiro, every incoming file is treated as malicious. Instead of looking for known bad malware signatures, Votiro’s Content Disarm & Reconstruction tech finds only the known good elements of a file and copies them to a clean, fully functional template of the same file type. This means the zero-day threats that would have otherwise bypassed your signature-based detection tools are prevented with Votiro.

This also happens in near real time, so your business never slows down. No more threats getting by your AV, no more quarantining of files, and no more waiting on a sandbox before being able to go about your business. Votiro is API-centric and can plug into anywhere you receive files. From email, web downloads, web applications, FTP, content collaboration platforms like Box and more, Votiro proactively makes incoming files safe. Learn more by going to their site, votiro.com.

It’s time for the audience question speed round.

36:14.012

[David Spark] All right. We’ve got an audience, and I am holding in my hand a lot of questions, so I’m looking for quick, snappy answers to these. We’ll see how many we can get through. We have about five minutes left in the show, so let’s do this. This one comes from Adrivel Ruiz from Sovereign. What’s been your biggest communication change? What have you changed in your own communications as a security leader?

[Colin Ahern] I had a boss when I was in the Army as an Army officer who said, “Every time you get a new boss, every time you get a new audience, you have to understand how they want to receive three kinds of information. One, decision-oriented information. Two, general awareness items. And three, alarms or wake-me-up things.” So, every place I go, I seek to understand because we all live in matrix organizations. Obviously as the principal cyber advisor to the governor, I need to understand what Governor Hochul wants to know on a day-to-day basis for her own awareness as the Governor of New York. But two, what are the things that she seeks the input from other stakeholders on. So, understanding what the boss wants and needs. But not along a single axis if you want, but along multiple axes I think is, as a security executive, fundamental to clear, consistent, and concise communications.

[David Spark] Good answer. Got a quick answer for me?

[Aaron Zollman] Every answer I give contains a why, a what, and a how. Any given person I’m talking to, I give them the answer to their question, the what; I give them the why so that we understand the context; and I add a little bit of how, just to help send them on their way and make sure that they know what they can do next.

[David Spark] All right, quickly. Are you for or against a single pane of glass? This comes from Wade Nodine of Cloudflare. Do you like the single pane of glass concept or you hate it?

[Colin Ahern] I don’t think it exists.

[David Spark] You don’t think it…? All right, good answer. What do you think?

[Aaron Zollman] It is poorly insulating and I also don’t believe it exists.

[David Spark] All right, good answer. Whitney Coleman of Clarium said – this is a good one – what can a vendor/partner do to show continuous value? Just give me one example of how they can do that.

[Colin Ahern] Adhere to the state’s procurement laws.

[Laughter]

[David Spark] Okay. That’s good, I like that.

[Aaron Zollman] Do what it says on the tin, it’s the “I hired you for a purpose, don’t try to do everything.”

[David Spark] Ah, that’s a good point. All right. From Jacob von der Linden of Lawrence Harvey said what does a CISO look for in a recruiter? What do you look for in a recruiter?

[Colin Ahern] I’ve never had one so I don’t know.

[David Spark] You don’t know, all right. What do you look for?

[Aaron Zollman] Understand the market, understand the roles. I want to tell you what’s unique about my environment, but I don’t want to have to explain what an AppSec engineer is and what the difference between application security and product security is. I expect you to kind of have that as baseline knowledge.

[David Spark] All right. Is tool sprawl really a problem? Peter Stern of IBM wants to know.

[Colin Ahern] Yes.

[David Spark] It is?

[Colin Ahern] Yes.

[David Spark] Like how bad have you seen it?

[Colin Ahern] I think that whenever we get into an organization, we have to ask ourselves as leaders are we spending effectively, are we spending efficiently. And in the case of our government, spending taxpayer dollars is a sacred trust, and so we have to understand because the environment changes in many cases at a different velocity, has a different shape, than the changes that any procurement organization, however well-intentioned, well-resourced, and well-processed can account for, so we as executives need to be continually asking ourselves, “Are we doing the right thing? Are we spending the right thing on the right thing?”

[Aaron Zollman] Same. Tool sprawl is a problem, tool sprawl is inevitable because the organization’s goals have changed through time, and I can’t rip and replace everything every time the organization changes. It’s constant vigilance. There’s no one pane of glass, there’s no one platform that will solve all my problems. I have to continuously evolve the environment.

[David Spark] All right. Let’s do two quick questions. Is Active Directory really that bad? Josh Roth of Optiv wants to know.

[Aaron Zollman] I literally say on recruiting calls one advantage of coming to work for Cedar is you will never touch Active Directory or Exchange as long as I’m in this job.

[Laughter]

[Aaron Zollman] Literally say that.

[David Spark] All right. Do you agree Active Directory is painful?

[Colin Ahern] Active Directory is an incredibly valuable tool.

[Laughter]

[Colin Ahern] I think like many things…

[David Spark] I got a very politically correct response from our government employee, excellent answer. Yes? Okay, we’ll leave it at that, let’s leave it at that. All right. Security data lake, all data in one spot, is that practical? Phil Beyer who’s formerly of Etsy wants to know. Like throw all your data in one space, everyone has access to it, and you just secure that huge, massive pit.

[Colin Ahern] I think that there are two ways to approach a problem like this. One is data right, the other one is decision left. So, I think that if you have a threat-informed, use-case-driven security operations organization, and you’re starting…so I’m starting decision right. What are the decisions I need my SOC analyst, my cyber incident response team, my cyber threat intelligence team, what is the sum total or sum of sums, M(n) set of problems that my decision makers need to make, my executives? So, I go left. MITRE ATT&CK framework, use cases, industrial control system, OT. It is possible and desirable to start with a threat-informed, decision-centric security data lake. And in fact, the governor announced in February of last year the Joint Security Operations Center, which is absolutely taking that approach across the state. We’ve had I think very significant success in the early stages of this program, and we’re doing more. But you don’t start by, “What do I have and what can I do with it?” Although certainly some of that has to occur on some basis. Start with, “What are the outcomes I need to achieve and what data do I need to get it?” Because like Aaron just said, the circumstances change every day and that’s fine, but we need to stay decision left.

[David Spark] All right. Give me a quick answer about data lakes, security data lakes.

[Aaron Zollman] The existence of a data lake doesn’t mean everyone has access to everything. You have to work to secure it like you have to secure any aggregation of data. But I think they’re valuable because although I agree you want to go decision right, you do not know today what decisions you’re going to make tomorrow and being able to have hunters and analysts ask speculative questions is super valuable.

[Colin Ahern] No, that’s a great point. And I think that there is definitely a situation in which you want to err probably on the side of verbosity rather than svelteness. I think that’s a word, maybe I just made it up. But I think in particular where you have to select what are the top 6 or 10 or 15 applications, crown jewels, use cases, sources of telemetry. And then what is the balance between – to Aaron’s point – verbosity and future-proofing my security data lake with every time I put something in system A, it costs money, a person’s got to maintain it, it could break, etc. So, I think that’s a great point, Aaron.

[David Spark] Very good.

Closing

43:32.229

[David Spark] That brings us to the end of this very show. Let’s hear it, New York!

[Applause]

[David Spark] My guests Aaron Zollman and Colin Ahern, from Cedar and the State of New York respectively. I want a huge thanks for our sponsors also – OpenVPN, SlashNext, and Votiro. Thank you all three.

[Applause]

[David Spark] And I also want to thank David Raviv and the New York Information Security Meetup Group. Many of you here are members of that organization as well. Thank you for hosting the show, producing the show, making this very possible. Aaron, Colin, any last words you’d like to say, a plug? I know you’re hiring, yes?

[Colin Ahern] Yeah. The state is hiring. And be engaged. There are lots of ways to give back to your community. I really love the security community, not just in New York but around the country and around the world because we care about other people’s problems. During the pandemic, we saw it with this community. So, A, thank you New York security community, and B, please continue to get involved and stay involved because it’s definitely not going to get better if you don’t try.

[Aaron Zollman] Cedar is certainly hiring but to go on Colin’s point on security community, there’s a particular community of cloud security engineers I work with, fwd:cloudsec, our call for proposals is open. We do a very practitioner-focused conference the day before re:Inforce, and we would love to have you. Even if what you do is not squarely in the center of cloud security, a lot of other roles affect what we do as well.

[David Spark] All right. Well, thank you again, both of you. Thank you to the audience and we greatly appreciate it. Thank you for listening and participating in the CISO Series Podcast.

[Applause]

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday and Cybersecurity Headlines Week in Review. This show thrives on your input. We’re always looking for more discussions, questions, and “What’s Worse?” scenarios. If you’re interested in sponsoring the podcast, check out the explainer videos we have under the Sponsor menu on CISOseries.com and/or contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.