In this episode of Tech Deep Dive, Max Clark talks with Ntirety’s Chief Information Security Officer, Chris Riley, about what cybersecurity is today and how Ntirety works with their clients to create the kind of boundaries to move forward safely and compliantly without having an impact on the user. In addition to basic security, Chris tells us it’s not so much the outside you have to worry about, it’s the inside or the malicious actor, or the failure on one of your staff’s parts, or clicking on something that shouldn’t have been clicked on.
INTRO: [00:00] Welcome to the Tech Deep Dive Podcast, where we let our inner nerd come out and have fun getting into the weeds on all things tech. At Clarksys we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven’t heard of before.
Max: [00:18] I’m Max Clark and today I’m talking with Chris Riley who is the Chief Information Security Officer AKA CISO for Ntirety. Chris, thank you for joining.
Chris: [00:27] Thanks, Max.
Max: [00:29] How did you get into security? You know, I mean your background, and I look at your LinkedIn profile, this isn’t something where you went and were an analyst for the defense department and came out of that into the private sector, which seems to be a pretty common path. What is your story and how did you get here?
Chris: [00:45] Yeah, so… pre-Y2K, so that’ll date me right off the bat – I was working for a small startup company addressing technical support for credit card terminals. As Y2K and the threats rolled around, I began to do some automation and get more into the tech side. A gentleman by the name of Tim Daniels saw some flicker of hope in me, in terms of the tech side, and brought me into the IT world and from there it just – I grew really organically, from desktop support on to handling project management, being a liaison between customers and the IT – the internal IT function, up into really designing and maintaining compliance programs. I knew right about 2010 that cybersecurity was genuinely a thing, it needed a focus, it needed a dedicated team and I started really down that managed security service avenue at that point.
Max: [01:53] I mean, 2010 is really very early for security it feels like, in the world. It wasn’t really a conversation topic; it wasn’t a focus. I mean, you were pretty early into this.
Chris: [02:03] It was absolutely client-driven, to tell you the truth. We were dealing with some very large financial institutions in the roles that I was in. I was having to balance that compliance mechanism into the security side, and in security the traditional security posture into cybersecurity… That’s really – over the last ten years, that’s what has evolved. With that, I’ve evolved, with that posture, so.
Max: [02:35] When I think back to being a network engineer, and supporting customer installations… I mean, security – up to 2010, and even after 2010 – that means a firewall and antivirus software, and that was the entire posture. We can talk about how default rules on the firewall allow any traffic outbound and all these other things that maybe aren’t the best idea, but it relates to what seems like 99% of all firewall installations. What is cybersecurity today? I mean it’s obviously beyond a firewall and antivirus software at this point.
Chris: [03:07] Yeah, whether it’s SIMs or – it depends on the maturity model, but so much of it – holistically – is determined on how an organization wants to view themselves. What they – how mature are they in determining their threat landscape? The traditional castle mentality you know, died in the early 2000s. To be concerned about the internal threat vs. the external threat, being able to see the traffic, being able to understand what your posture is against the landscape, and landscape is a cool thing to talk about now that we’re all able to work from home. That has expanded greatly. It is constantly changing, and it’s not stagnant.
Max: [04:03] So, you’re the first one to draw up acronyms on this, and we’ll come back to those in a minute. What I’d like to ask you about is: you’re the CISO for a service provider, which means you’re responsible for security for Ntirety, and at the same time Ntirety has a security practice to support your customers. I mean, what does that mean? What is your day-to-day like in this role and how do you balance those two needs?
Chris: [04:27] Yeah, that’s one of the cool things about my job, you know. Not only do I get to wear the internal security hat and compliance goes with that, but then there’s the outward-facing service. And so, over the last three years in developing a managed security service for our clients and prospects, compliance as a service, these are the same services that we utilized internally. So, we built a program, we turned around and went through the pain over the last handful of years, and then we took those same programs and flexed them outwards for our customers to consume. So, what’s cool about the managed security services – I’m actually a customer of our service. So, just like any of our customers, I sit down with the SOC team and they present a report for me. They walk me through what they’re seeing and how they’re seeing it. You know, I have the perspective to be able to look across our entire organization and then get their analysis to back up what my thoughts are and so, it’s incredibly cool. It’s one of the primary drivers and I think something that differentiates how we function in the space that really, I get to benefit from every day.
Max: [05:50] So, compliance – in the world like PCA compliance or HIPAA compliance or you know, government-issued compliance mandates, right?
Chris: [05:58] Yeah.
Max: [06:01] So I mean, these become… I mean, compliance response becomes mandatory for a company if they fit in those roles. We see lots of enterprises that aren’t required to have a compliance stamp attached to them. When you gauge that enterprise, it’s a very different kind of conversation-cycle, right? How do you talk to somebody about the layers and the maturity of security if they’re not being forced to go out and buy it?
Chris: [06:28] Yeah, great question! So, when I hear, “how does security apply to us,” or “we’re not a target,” it doesn’t matter. The conversation immediately goes – for me – to, can your organization fiscally handle the damage to your reputation if somebody were to breach you and take that information and make it public? Could you handle downtime or a service or business interruption? Could you handle it for a day? For ten days? You know, three weeks? What’s your threshold there and it always comes down to the money – the monetary impact that it’s going to have. But organizations at that point say “okay, so I need some basic security.” That starts the conversation, and oftentimes the basic security is, “hey, I’ve got antivirus! I’ve got the firewall, we’re good!” And that logical transition between, “hey, it’s not so much the outside you have to worry about, it’s the inside or the malicious actor, or the failure on one of your staff’s parts, or clicking on something that shouldn’t have been clicked on. Are you prepared for that?” And that then begins to open up the conversation.
Max: [07:47] Boy, that opens up a lot of dialog. So, you talk about malicious actors. You know, SANS a long time ago published a report that talked about the actual threats for organizations. At the top of those lists were accidental acts by internal employees, and there were malicious acts by internal employees. I think they were like, one in two or two in three – I mean, it was significant, and what I didn’t realize at the time but as an IT person, it created a lot of conflict between the IT departments and the users of the business. How is that – is that still in play? Are users still resistant to security? Is security still a blocker for an actual, you know, person working for a company, trying to do their job?
Chris: [08:30] The traditional ‘no’ posture, whether it’s coming because of compliance or whether it’s coming because of security, is no longer an option. If I would have known something ten years ago that I could have told myself, it would have been: be a business enabler. Get to know the business, get to understand how they need to function and then enable that business to do it in the safest, most compliant means possible. In my role, so much of it is taking that business goal and creating kind of the boundaries, the bumpers – if you will – on either side, to turn around and allow that business to move forward safely and compliantly. That can’t be an impact to the user; the user interface has to be simple, flawless and it has to work every time. If not, the user won’t use it and therefore we’ve broken the security program.
Max: [09:36] A lot of the industry stats talk about the percentage of companies that will have a security event, will be breached, will have ransomware, what percentage of those will have what outcome or fail out of business. As individuals, we read or see on the news a lot of… this company was hacked, this financial data was lost, this customer data was stolen, you know? I still feel as humans, there’s a sense that it’s not going to happen to me. It happens to other people. As a result, I don’t need to do this. I don’t have anything valuable that I need to be worried about. How do you view that and how do you talk about that?
Chris: [10:15] Yeah, great. So, the best analogy that I’ve heard that’s not at all technical or business-related is fishing. When you’re sitting on a boat with a line in the water, you’re not looking for a specific fish, you’re looking for any fish. That translates directly into what bad actors are doing. Whether they’re using email phishing campaigns, and they’re throwing that net out wide and deep, or whether they are turning around and gathering information to make a targeted attack, they are – they started and cast that wide net. If you fall for that first click, you’re in the crosshairs. So, I think over the last handful of years – I think the perspective of, “it’s not if but when” – and consider if you don’t have the proper visibility – you potentially are already compromised. That’s the mentality shift that has to take place. It can’t be that we’re completely buttoned up and we’re absolutely secure because bad actors, the bad guys and gals, they have unlimited time, unlimited funds and they know the same tools that we use for good, half of them are using them for bad.
Max: [11:39] So what’s the goal of security? I mean, what’s the outcome that we’re trying to drive to that can be achieved? How do you look at this for your business, how do you look at this for your customers?
Chris: [11:51] So, the standard three-word response: confidentiality, integrity and availability, you know? To protect the confidentiality of data, preserve the integrity of that data and then ensure the availability. While it really sounds cliché to say, it fundamentally – any program, and I say a program because it’s again more than just that endpoint solution and your firewall – it has to encompass that. You have to be able to discover and understand your evolving threat landscape and address some of the 101 things like vulnerability and reducing those threats to the end user. But you have to be able to shift that focus, like I said prior, from the outside to the inside. The bad actors are not just on the internet, they’re already hired or within your four walls, or working remote now. And so, your security model has to have that line or side where the visibility is across your entire platform. Cybersecurity has to include some level of accountability and that accountability is top-down. One of the primary objectives that I have to do is I have to enable the business to make the right decisions. Sometimes that’s bringing to light some very ugly things, sometimes that’s evaluating a business process and ensuring that it’s not introducing risk, other times it’s simply saying, “if we’re going to do that, we need to do this in addition to security to maintain that compliance posture.”
Max: [13:32] Executives and boards have a fiduciary responsibility to the company and the shareholders, right? But how much of that fiduciary responsibility is just being aware of and making a decision… I mean, you could get into a position that says we want to implement this process, this technology, you know? We need 25% of our budget for security, and the board can meet on that and say it’s too expensive, they can’t afford it. That’s not a positive outcome. Doesn’t that meet the standard of fiduciary responsibility for the board? At what point does this conversation go from making sane decisions to you know, neglect, or much worse?
Chris: [14:12] I think that that falls directly onto me. It’s the CISO’s job or the security executive’s job to turn around and not only educate, but also create that roadmap that enables those conversations to take place. The education is the first component then, and then you have to turn around and help that shift in mentality really resonate or foster that with your board. You need to – if you’re just walking in blindly and saying, “hey, we need to spend this because of this,” and there’s no context or background, you’ve failed to appropriately present why the solution is relevant. So, I think it’s a fine line that we have to walk, which is expanding that knowledge, educating the board and giving them a chance to see how that business enablement is taking place through you know, the technology, the people or the process.
Max: [15:12] I’ve been in a bunch of conversations where security is related to insurance. You know, you have insurance in case something bad happens to you. If your building burns down, the insurance company will pay to replace it. Security was in the same vein as – you have your security policy to protect you against these things, but it’s really different. Insurance is an after-the-fact event, and is directly correlated to a financial event: you’ve lost something, something’s left, something has been stolen, right? Security is in many ways a before-the-event posture, and you have to spend money to try to prevent a negative outcome. That’s a very difficult concept to get across when you start talking about budget allocation. You know, we need to spend a million dollars this year on our security position and we’re protecting billions of dollars of business behind it, but that million dollars doesn’t necessarily produce a tangible result. You can’t say we had no hackers this year, so that million dollars was valuable, or we only had five incidents, so that million was… You know. So, how does this work into the real-world budget and budget decisions for enterprises?
Chris: [16:20] Yeah, that is the balancing act that I think security professionals have been doing since Day One. Not only securing that budget but helping organizations to better understand the why behind it. Why do we need a VPN? Why would you need a remote connection when everybody comes into the office? Well, here we are in one of the largest work-from-home scenarios ever and organizations either chose wisely or are scrambling to enable that. So, some of it is being able to determine how best to support the business short term, long term, and again – do it securely. Other times, you’re kind of looking into the crystal ball, knowing your risk or your threat landscape and saying “we’ve got kind of a soft spot here, let’s test it, let’s determine what the best solution is and then let’s take it forward with kind of the good-better-best model and try to secure that.” So, I think it very much depends on what the business use case is, and then again, it’s a process to secure those faults.
Max: [17:36] You have this idea of the script kiddies, young people locked in their parents’ basements and downloading programs and doing nefarious things on the internet… If you have this very focused, intelligent, persistent hacker, the executive would say “somebody really wants to break into my business and hack our system”. There’s nothing we can do to prevent that from happening, so we shouldn’t try to focus on that or try to protect against it, because we’ve already lost that battle. I mean, would you agree with that position or what would you say?
Chris: [18:12] It’s my job to not agree with that! You have to secure the environment. You cannot make it easy. You have to educate your employee base, you have to enable them to understand the whys around everything from phishing to not clicking on the random links, to how to best protect the data of either themselves or the customers. So, I take that challenge on every day, and so I go back to you know, if a nation state is targeting you, that falls into a very different category than just somebody port scanning you and trying to determine what that initial soft spot is. Both of them go through very similar fundamental processes, which is gathering that information and then trying to determine on how they’re going to exploit it. That’s where we also start with the education layer – it has to be something that you enable. Not only for your teams, but also for your employee base.
Max: [19:20] How big of a problem are nation state, organized attacks at this point for you as a business, or for global businesses?
Chris: [19:30] You know, the Verizon data breach investigations report from 2018 – I think – it rose 12%, in 2019 it was up 23%. Most recently, FireEye released a report beginning Q1 of this year where the APT41 Chinese cyber espionage hacker was targeting zero-day exploits for Cisco, Citrix, et cetera. And then, we go into this pandemic and we see that Check Point said there were sixteen thousand new coronavirus-related domains registered since January, and more than twenty-two hundred of them were suspicious, with ninety-three confirmed as serving malware. So, it’s relevant, it’s happening. It’s out of scope. No hacker or attacker has ever said that – it’s all relevant. It’s not only huge business but that’s fundamentally a new component to how we have to view the industry. There are organizations that are making offensive and there are organizations that are making defensive cybersecurity products. You get hit with ransomware; you can actually get a helpdesk call into some very nice folks to help you convert to bitcoin. They’re there to enable. It’s functionally a massive business.
Max: [20:59] What are the real-world impacts? What are people after? What actually happens to companies? There’s a spectrum of this, but what does that spectrum look like? What is happening to companies?
Chris: [21:11] Yeah, I think everything from damage to the reputation and them not being able to recover to completely monetary or money-focused on taking intellectual property, putting an organization’s competitors out of business, the scale goes one to unlimited so quickly. Obviously, it’s a multi-billion-dollar business for the bad actors. They’re in it to make money, and they’re continuing to build or foster their position. So, we also have to continue to evolve and build and foster our defences or visibility within our programs.
Max: [22:02] A few years ago a major US retailer had a very public breach, wherein their POS terminals were infected with malware and were collecting credit card data. There’s two things I want to ask you about. The first one was that the actual breach vector came out to be an HVAC subcontractor, and that HVAC company was compromised and then the attackers were able to bridge the networks together and get into the retailer’s infrastructure. So that’s already kind of like, jaw to the floor. The second part of this was that there was a third-party security company that was involved that was sending alerts to the retailer’s IT staff saying there’s something going on and you should look at it, but it was effectively ignored, dismissed or pushed aside. Let’s talk about this a little bit. That’s a very major breach, massive financial impact – it impacted their stock price, their sales, customers – I mean, the whole thing end to end. What does the rest of the fallout in that story really look like for people in terms of working for the retailer, at the HVAC company, at the security company? What actually happened after this breach was public?
Chris: [21:11] I don’t know the specific after-the-facts for them, but I can tell you that we’re talking about a big-bucks store that even when I go in there today I certainly won’t use my debit card. It’s that damage to reputation, whether it’s immediate or whether it’s long term. There is a lasting impact there. You touched on something that I think is critical, and oftentimes we partner with third parties to eliminate some of that risk or to defer some of that risk. In this case, to have security companies sending alerts means that somebody at the big-bucks store said, “hey, let’s just set it and forget it, we’re in good hands.” They didn’t uphold the side of their partnership to take notice, take alert and take action. That’s a huge challenge, especially as a managed security service provider. Oftentimes, we can see things that require specific action. We can suggest those actions, but it requires the other organization to be a willing participant and want to further their program.
Max: [24:26] That sounds like that could be a very frustrating position. I mean if you have a customer that’s engaged with you to provide security services to them and they’re not listening to you… I mean, that sounds like it’s not an environment that’s going to be successful.
Chris: [24:42] Right? I mean, we go in with a prospect early on, as this is not transactional. This is a partnership. Here’s the requirements, here’s the responsibility matrix, here’s our roles, here’s your roles. It very much is developing and maintaining and fostering and maturing a program, whether it’s security-based, whether it’s compliance-based, or whether it’s the marriage of both.
Max: [25:15] So I’m an enterprise and I have antivirus and I have firewalls and today I realize this perhaps isn’t the security posture I want to be in. From that level to what – let’s say the NSA – has to do on a daily basis, what are the steps and what are the tiers that go in? What do you define or figure out what’s appropriate, and how much is enough? Where do you start and how do you figure out where you stop?
Chris: [25:40] Yeah, whether it’s the cybersecurity maturity model, whether it’s a business maturity model, I try to break it down on a scale of one to five. One being the initialization of your program and moving to developing, defining, managing and optimizing. That’s the top level, if you will. That’s the goal for the model. You then have to break that down into further details, and you have to address critical infrastructure. For organizations, critical infrastructure can be – at a hospital, it might be their electrical grid, where for a managed service provider, that might be the infrastructure to support uptime and availability. You then go to your application security, and this is where I see it as the functional antivirus, the firewall, the encryption layer, into the traditional delivery or network security. So, you’re dealing with your logins, your passwords, and then blending into that application layer. Now, our environments are even more complex because we’ve got cloud and IoT, and so the traditional perimeter that you and I consider, you know – firewall was that boundary back in the day. That’s no longer there. That boundary is now working from home, that boundary is in the cloud, and that’s somebody else’s device. So, that functional program needs to be able to flex up into all of that. I think where organizations really get challenged is on how do we do that without adding tens of tools to that tech stack?
Max: [27:30] Your response is interesting to me because you really talk about identification process and program, and not necessarily tools and technology. I think a lot of people, when asked that question, say “oh, we need to use single sign-on, we need an IDS system, we’re going to go get a SIM tool, do threat intelligence, endpoint detection, or MDR.” And you answered very differently from that, which was more what is our business process related to security and how do we move the business process down the road.
Chris: [27:59] I try to approach it from the business side. I try to approach it without, or with being technology agnostic if you will. When we say SIM – a security information event management system – I say “hey, we need something that will aggregate and correlate all of those logs for us.” If we – and this happened traditionally, in security where you bought a widget, you put it in place, and you allowed it to perform a function. Then, you put a person that would monitor that – quickly we realized that we’ve got dozens of pieces of technology that aren’t talking to each other and we’re having to maintain dozens of tools with a very limited human capital, or the employee base – the subject matter experts – to maintain them. And the big buzzword a couple of years ago was ‘security orchestration, automation and response’, or SOAR. It was trying to get all of these tools that we’ve had massive investments with to be able to play nicely together, to correlate. We knew that eight people on a security team – which if you had eight, that’s a massive team – you couldn’t do the armchair analysis. Your port AD person couldn’t say “hey, I’m seeing this on our firewall, systems team are you seeing this? Desktop, are you seeing this?” That time has come and gone. It’s now taking whatever that technology is and pairing it with the right human capital to maintain it and being able to have a consumption model that makes sense. As we talked earlier, that massive capex expenditure, it is very, very difficult to secure.
Max: [29:51] How big of a team, when you start talking about subject matter experts, if you’re an enterprise and you want to turn up a security practice from zero for yourself. Or, right now you’ve got your application, server and desktop staff and you have a network engineering staff… Those roles are a little blurry, but you say you want to get a firewall, and a SIM tool, we’re going to integrate a CASB tool and X-Y-Z. You go down that list and you say that you need these things. These are usually to function – we have remote users, so we need a VPN, or we want to go zero-trust, you know? What does this look like in terms of staffing? Can companies do this themselves? Is this feasible?
Chris: [30:30] Yeah, I think the national average for the unemployment or employment average for cybersecurity professionals is in the negative numbers. During this time, it’s harder to predict but I think last I saw it – at the beginning of the year – it was like a negative seven percent for cybersecurity professionals. Now, you talk about how you need to cover that spectrum of that workload 24/7/365, so now you’re talking about at least nine or ten people in order to do that. You have to hope those ten people maintain their certifications, or their knowledge base. You have to keep them happy, so that they don’t go elsewhere, because it’s certainly a hard market. And you have to enable them to do what they need to do with the proper tools. So, to answer the question quite candidly, it again comes down to how much money do you want to spend and how much are you willing to continue to spend? So often I’m speaking with organizations that have an opportunity to further their program, but what they’re saying to me is, “hey, we have made a massive investment. We have hundreds of thousands of dollars sitting here and nobody to manage it, nobody to use it, and so it’s just atrophy, right here.”
Max: [32:02] On your LinkedIn this morning, you have a job post for security that you’re looking to hire for yourself. How hard is this to hire for? What is it like for you guys to find and hire and retain qualified experts in this?
Chris: [32:16] Yes, this is a balancing act. We have – I would call it – the advantage of one, being able to mature or build our own teams, develop them internally. At the same time, we absolutely go out – right now it’s a great time for us to attract top tier talent that may or may not have been displaced, and so we’re taking advantage of that situation. More importantly, as a managed security service provider, we do have the ability to offer a lot of those things. We have spectacular relations with our technology partners, we often get to play with some of those cutting-edge tools, and we are developing this service and furthering that service, not only for ourselves internally, but also to enable our customers to mature their program. So, sometimes the challenges that a traditional business has, we don’t always bump up against those.
Max: [33:29] Last year I was at a conference and a CISO spoke – he was from a brand name, multi-billion-dollar market-cap company that had a retail component. He had an eleven-million-dollar-a-year budget for security. I mean, the revenue of the business was billions of dollars per year, and he had an eleven-million-dollar budget to protect that revenue. I walked away from this conversation with the sense of like, was it acceptance or defeatism or you know, it seemed really off-balance to me how little a budget actually was and the acknowledgement that he couldn’t even begin to try to protect his infrastructure in a meaningful way. It was almost like he was choosing a giant act of triage. Like, I have this much budget, what do I actually want to focus on, and this will be the most effective. Why not displace that budget – first off, two questions. How do you figure out what is an appropriate budget for your business in security, because this is not revenue related per se? And how does that budget allocation change internally vs. externally when you start partnering with a service provider?
Chris: [34:40] To answer the first question: again, it depends where you are in that maturity model. It depends on – so much of it is trying to get the max return on investment of the capital expenditure that you’ve already spent or output and maintaining it or getting it refreshed for the next cycle. That’s a dangerous game that – as security professionals – we constantly are in that cycle of one, trying to figure out what the right technology is for the organization, but then how do we support it long-term? When you talk about a managed security service provider, it becomes more of a utility. It becomes a consumable model that’s based on monthly reoccurring, rather than that massive capital expenditure, and that fixed budget headcount cost in order to maintain that. And I think that’s something that is changing in the industry right now. We’re seeing organizations that want a very similar model to how they’re dealing with their customers, that consumption model of monthly reoccurring. Let’s build and scope a program and help maintain that by deferring some of that – the technology costs, the people costs – to a service provider, and let them be that expert. Let us focus on what got our business successful and continue to innovate in that sector.
MID-ROLL: [36:17] At Clarksys we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven’t heard of before. With thousands of negotiated contracts, Clarksys has helped hundreds of businesses source and implement the right tech at the right price. If you’re looking for a new vendor and want peace of mind knowing you’ve made the right decision, visit us at Clarksys.com to schedule an intro call.
Max: [36:43] What percentage of security do you think is externally focused vs. internally focused? We talk about malicious or accidental acts internally, or you hear about people putting USBs in parking lots and stuff like that, or they’re clicking on links… How much of security posture today is really focused on keeping people out, versus keeping your own people from making or doing something that then causes something to happen, right?
Chris: [37:05] I think that is one of the best questions, and probably one of the hardest. For me, I see everything as already having gotten through the outside. Our perimeter is now at the end user base, and so ensuring that you have the behavioural analysis that goes on – does Jan from HR need to go to the finance folder and then go out to dropbox.com and offload two hundred gigs of data? Is that a normal business function? To answer your question, is that an internal or an external threat? You know, so much of our landscape – because of the hybrid environment – traditionally, we would look at it as all being outside or all being inside, and functionally we can’t do that. We have to take and blend both of those, those elements. I try not to do the inside vs. outside conundrum, because it just gets me into that catch-22 logic loop.
Max: [38:11] I mean, how much of this is employee education? Don’t click on these links you mentioned, what does that look like in a training regime, or practice of how do you educate a workforce?
Chris: [38:24] I think that just like you remove end of life software, and you patch, and your asset inventory is a critical function, and what I would consider 101, employee education is right there along with that. It’s a critical function, it’s something that you have to do, it’s not appropriate to do it once a year, it’s appropriate to do it on an ongoing basis. Just like you’re educating your staff, you have to educate your executives, you have to educate your board – you have to be a teacher or an educator primarily. You have to do it without the hammer mentality. You can’t punish somebody for doing something wrong. You have to explain the whys – it has to come from that position of, “you did this, and this is what occurred because of that. Let’s follow that transaction through.” So, I always see it as education.
Max: [39:29] Ntirety recently launched a compliance as a service offering. Let’s talk about that, what are you providing your customers, how do you give them a compliance as a service solution?
Chris: [39:41] A couple things, and something that I think sets us apart when we talk compliance is so much of our posture, or our compliancy – let’s take PCI because it’s been around for so long. We’ve actually had our services audited and deemed PCI-compliant, so that our prospects or customers can leverage our compliance in their compliance cycle, if you will. As we were going through that, we realised organizations – just like we talked on the security front – they’re having a difficult time handling or managing that compliance program. It’s often done brute force, it’s done in spreadsheets, it’s done by a very finite group of professionals and it’s hard to then put it back up into their organization. They’ve spent so much time heads down, managing the functional compliance. So, when we determined that we were going to build a compliance program, we wanted to bring again that top tier tact into them. We wanted to help them streamline those processes and procedures and develop workflows into an organization. We then wanted to bring the knowledge, the functional expertise to either assist their team or to augment a team that might have atrophied over the years and they couldn’t hire for. Lastly, it’s then to take those two elements and enable the organization to kind of flex whatever process, procedure, functions they have back up into their organization. We’re allowing them to champion it and not just be the compliance folks, and tracking, helping, roleplay, enabling the business conversation – if you will – how does that compliance requirement meet my business objective? It’s been very positive; it’s been incredibly well-received, and we’ve helped a lot of organizations do it in a very cost-effective method.
Max: [41:53] What’s the timeline for this? If someone came to you and said they have a HIPAA compliance, they have a PCI compliance and they’re looking for help with it? It’s not something wherein they just sign a contract and you say boom, you’re compliant, right? You just outlined a lot of steps between point A and point B.
Chris: [42:09] It’ll be a long-term service, where we’re building or taking a program and fostering it and proving it – that being said, when an organization is open, or their back is against the wall… We had a customer in the financial industry that had one of their industry leaders experience a breach, and all of a sudden it was a requirement that everyone become PCI compliant and they had tried to figure out how to do it and it took them about six months to get to the point where they realized they needed help. Then, in six months without partnership, we were able to get them PCI compliant. That’s not the norm – they were very open, they had a dedicated team, they had top-down buy-in from their executives, and so it became their one singular goal, and we enabled that. So, it really takes the organization to buy in to any security or compliance program for it to be successful.
Max: [43:12] I can vividly remember going through a PCI type compliance audit. I mean, you hand an IT guy what’s effectively a ream of paper, of questions like: “okay, Max, you’re our IT guy, answer all these questions for us so we can become PCI compliant”. Okay, great… I think. We’ve got that tech, I guess – check? So, GDPR was really a shot across the bow. We see states in the US coming up with their own versions of this. I take an approach where I kind of feel like… until we see a lot of litigation and enforcement actions, there’s still going to be a lot of questions, right? So, the GDPR response from a lot of my customers so far has been debates between their outside counsel. What does this actually mean for you? How do you get into GDPR? It’s had a little bit of impact into their operations internally but not a ton. Oh, we think we’re compliant because our lawyer said we’re compliant. And now with California and New York and other states following suit, how does this change the landscape? What does this do to your risk posture for your business? How do you maintain this and not, you know, find yourself in a lawsuit or enforcement action two years down the road?
Chris: [44:32] So, you touched on PCI and that’s one of the oldest – and I think we all have that same scar from those PCI audits, especially the initial ones. But, PCI did something very different where they kind of gave you the requirement, they gave you the testing profile, and then they gave you a little bit of guidance around it. HIPAA and HITRUST, they come at that data set of the healthcare information, they come at it from a risk perspective. Then GDPR comes out and they come at it from a legal perspective. Really another primary difference between all three of them is that GDPR came out with some huge penalties, and public penalties. They started executing, they gave everybody plenty of time, but they started executing against those penalties. You’re right, the IOC is giving some guidance, legal is obviously giving some guidance, there’s certainly some back and forth, and now we’re seeing that privacy tact take place at our state levels. I try to have the conversation of again, can that trifecta – what does your program look like from a risk perspective, how are you dealing with the data, and are you ensuring that all the folks that are coming in to that data stream, or that supply chain – if you will – both up and down that are dealing with that data, are they handling the data the same way that you are? Is it equal or more secure when you touch it and hand it off? And that really is a change, it is a shift. It’s a fundamental difference and requires us now to really look at our data flows. Again, as you’re talking about some of the levers you can pull to enhance or further your program, privacy is certainly one of them. So much of that data is not just special data or sensitive data, it’s the data that we deal with. Whether it be sales and marketing, whether it be our client list, all of that is considered in that privacy model. I would say it’s really helping organizations get some visibility and mature their security and compliance programs.
Max: [46:35] You have the same limitations at a different scale that most people have, right? That’s time, money and people. How do you prioritize your resources today? How do you align what’s in your roadmap for next year that you’re following? What does that look like and how do you balance that, and what’s on your roadmap for the next year or two years?
Chris: [47:15] Yeah, just like every security program, it’s to continue to get better visibility into what’s actually taking place across the network systems and environment as a whole. It’s automation, it’s trying to again do more with less – if you will – and oftentimes those challenges… technology can help that, but you have to apply the technology in the right places so that it doesn’t become a time or a money suck. Lastly, it’s looking into the crystal ball and balancing it up against what you know is your risk criteria or your risk. What is the business doing that generates risk, and how can I help the business to go faster, better, stronger, and in a more secure and compliant fashion? For us, that’s scale, for us that’s enabling our customers to – regardless of where they are in their journey – consume hybrid cloud, data center, or any of our services in the most secure and compliant fashion.
Max: [48:22] You mentioned earlier if you could go back and talk to yourself ten years ago, you would have said or what you would have thought about… Let’s put that in the other direction: ten years from now, what do you think you would reflect on at this period of time, as it relates to security and what would that conversation with yourself be like?
Chris: [44:43] This is a really incredible time to be in the industry space. We’re in the middle of a huge work from home experiment that nobody would have ever predicted, we are dealing with technology stacks that are far more complex in our hybrid environment than we would have predicted, we’ve got more horsepower at our fingertips. Then you turn around and add that – we’ve got a huge compliancy with some big teeth that are floating around. This is an incredible time, and the shift is amazing. At the same time, the bad actors are more complex and have probably some of the best funding that they’ve ever had. So, this is really a dynamic time. I’ve been in the role for nearly three years and it’s every single day – it’s genuinely different. If I didn’t love it, I wouldn’t do it, but boy there are some great days and there are some really tough days and I think for me looking at it, I’m trying to consume as much as I can, keep myself up to date as best I can, and be open to the fact that our community as security professionals – we’re much more willing today than we were ten years ago to share information. What’s working, what’s not? And so, taking those opportunities every chance, we get, just like this podcast here, I love it. So, I appreciate it.
Max: [50:20] You mentioned working from home and COVID, and earlier we were talking about perimeter and castle-based security systems. So now you have a forced workforce that has to be distributed, and work from home remotely. Some of that is web-based SaaS applications, some of that is organizations have put a software VPN client on a device, some of that is people are shipping hardware boxes and hardware VPNs or SD-WAN boxes out to the edge. You know, a lot of that’s to deal with a performance reality of having to enable these people to work remotely and the performance wasn’t good, so put this box out there to improve performance. I take a step back from that and I think, well great – you’ve put somebody’s home network and all their home devices on your corporate network, and when you pause for a second, I mean… Doesn’t that terrify you, that thought cycle?
Chris: [51:13] It does! And it gets back to not only the education of the user, but we go then immediately into the asset function and ensuring that you’re not getting weird software installed, and the behaviour that user interacts or does when they’re in their normal business process. It’s even further because we’re forcing – whether it’s to access control layers, that data or traffic flow, or just determining what gaps functionally that we have in order for business to be conducted, that’s all happening real-time. So, I’m having a conversation with folks and encouraging them to, one – celebrate what worked. What did you plan right, what did you have in place and what was successful? I’m turning around and telling technology and business leaders now that you’ve celebrated those successes, focus and be very critical of what didn’t work. Evaluate where your operations didn’t have the performance that you wanted or took too long. Are they functioning in a varied state of disaster recovery or business continuity? I call that a qualified state. And then, turn around and make the determination and go after what you need to do to rectify those immediate needs. Consume the technology the way that you need to. Don’t go out and buy the widget, be sure that you’re making the right decision, whether it’s a service, whether it’s a partnership or whether it is that – that you have the team to support it. Then pull the trigger on it very quickly, because we’re all going to be trying to consume those same technologies, services, and the people to further our environment.
Max: [53:05] Chris, I’ll give you the parting thought here. Anything we have not touched on that you’d like to share?
Chris: [53:12] I’m going through my notes, Max! We covered the gamut. We really did. I appreciate the opportunity, Max, to one – visit, two – talk tech, but three – to give folks the opportunity to really understand what it’s like to be a CISO, and the challenges and the pros and cons. So, thank you for the time.
Max: [53:40] Thank you, I love these – I always learn something new. I sleep a little worse at night I think, when I have a security chat.
Chris: [53:46] Yeah, it’s a little more grey in the beard – that’s what I keep seeing in my own reflections, so. We learn the best by doing it and we’re doing it on a massive scale. It’s a lot of fun, it’s a lot of challenge, but there’s no better place to be right now – thank you.
Max: [54:06] Awesome Chris, thank you again.
OUTRO: [54:08] Thanks for joining the Tech Deep Dive Podcast. At Clarksys we believe that tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven’t heard of before. We can help you buy the right tech for your business, visit us at Clarksys.com to schedule an intro call.