Top 10 CISO Best Practices

Published: Jul 07, 2022

Reading time: 14 Minutes

A look back at best practices shared by guest CISOs on Orca’s Cloud Security Reinvented podcast, hosted by Orca Security Advisory CISO, Andy Ellis.

Orca Security’s Cloud Security Reinvented podcast, hosted by Andy Ellis, Orca’s Advisory CISO, is now rounding out another season, and we’ve curated the golden nuggets of advice shared from our recent guest CISOs on a variety of cybersecurity and cloud security topics.

This year, Andy has interviewed security experts from companies like Pinterest, TikTok, VillageMD, BeyondTrust, and more. You can listen to this season’s podcasts here.

10. Focus on vulnerability management

“We have an amazing opportunity to solve some very difficult problems,” notes Justin Somaini, the Chief Security Officer of Unity Technologies, a leader in the iGaming industry (episode #14). “Let’s take patch management or asset management. If you’re in a multi-cloud space, you have those APIs to be able to identify and an asset management system to be able to change the model and how you do patches. Patch each system, but go back to gold and then do a refresh and have it be scaled. Those are amazing opportunities for core fundamental problems that we’ve had for well over 25-30 years.”

For Morey Haber, the Chief Security Officer at BeyondTrust (episode #9), risk priorities are dialed into vulnerability management and privileges: “What resonates most today are the two primary attack vectors — vulnerability and exploits of privileged accounts. It doesn’t matter where the software is running; you still have to be able to identify a mistake, flaw, or vulnerability, if it is exploitable, and how you are going to correct it. Secondly, any type of privileges that can allow authentication — how those are being managed, governed, and monitored are the biggest disciplines.”

To highlight the expertise shared in the first half of 2022, we’ve collected the best bits of advice from these experts. This first installment covers the top 10 CISO best practices they shared.

9. Automate cloud security as much as possible

Cloud security automation offers the advantage of control, according to Nick Selby, Director of the Software Assurance Practice at Trail of Bits (episode #12): “We should be automating absolutely everything because if you’re not automating it, you don’t have control over it. If you’re not understanding that you can automate every step possible, then you don’t understand you’re behind on your technology.”

Security expert Sameer Sait, former CISO of Amazon’s Whole Foods Market (episode #15), agrees that automation is key: “I think we should start thinking like those very smart engineers who are building cloud-native solutions, and about how we can automate discovery, remediation, and things that we know, with a high degree of probability, to be problems that can be solved via X, Y, and Z protocols.”

“If you touch it three times, you need to automate it and be done with it,” offered Renee Guttmann-Stark (episode #11), a transformational leader in cybersecurity, who has led world-class global information security programs for Coca-Cola, Time Warner, Royal Caribbean, Campbell, and Capital One.

Justin Somaini (episode #14) believes automation can accelerate “our ability to drive faster identification, remediation, or highly automate a process so that it’s effectively removing the human element and driving it more towards an automated identify-and-fix process.”

Security automation that allows human innovation to create more, versus delivering more busywork, is what interests Nick Vigier, CISO and the owner of Rising Tide Security (episode #13): “Letting humans be the creative entities that allow the business to innovate versus just doing busywork, or just working harder, is the real promise and what I’m really excited about.”

8. Cloud configuration is key

Nick Selby (episode #12) explains why speed and cloud configuration go hand-in-hand: “When you make mistakes in the cloud, you are being stupid at cloud speed, and stupid at cloud speed is really fast. So configuration becomes absolutely essential.”

“Speed and scale are the biggest perks of cloud computing,” notes Roland Cloutier, the Global Chief Security Officer at TikTok (episode #18), on the benefits of the cloud. “Today, we might have a dynamic attack issue, and in less than an hour, I can spin up an environment that has six times the data center capability that I was protecting before. The speed and the scale are just insane. I also think that with that comes the pace of innovation.”

7. Unify security policies across teams

Drawing on his experience managing security at popular internet applications such as PayPal and Pinterest, Andy Steingruebl, the CSO at Pinterest (episode #17), advocates for the unification of security: “In the pure security space, I think unification. Trying to unify things into simpler policies that we can have — we can go back to having a declarative security policy. I’m a big fan of protocols and declarative security policies — not the things that are enforced by code, but things that you can look at in a policy and reason about.” Andy continues, “Slowly but surely we’re moving managed code and programming languages that make it harder to make some of the security mistakes of the past… taking the burden off lots of folks and eliminating a whole bunch of attacks.”

Brian Haugli, Managing Partner at SideChannel, and co-author of Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework (episode #10) advises that security practitioners get to know their colleagues in GRC: “If you’re a SOC analyst, even if you are a pen tester or you’re in a hunt team or whatever, learn what is going on within the policy because it’ll help you a lot more than [others]. Conversely, if you’ve always been an auditor or a policy person, really try to understand what the actual technical components of those policies mean to the folks who are reading them, using them, and have to abide by them.”

6. Shift security left

Integrating shift-left security into development team workflows is a priority for Meg Anderson (episode #16), CISO of Principal Financial Group: “There’s definitely more ownership by the cloud team and the cloud engineers as compared to relying on specialists that were previously in the infrastructure team. The ‘shifting security left’ conversation we’ve had over the last decade is something that we really need to keep our eye on, because that automation is critical to integrating security into the deployment pipelines and allowing engineers to own their code and its security.”

Managing the ownership of assets and processes is key for security leaders today, notes Sameer Sait (episode #15): “In the non-cloud native world, there is a kind of alignment of accountability, responsibility, ownership, and influence. I think in the cloud world because we expect to just move really, really fast, and we expect things to get taken care of by a certain set of individuals that are working in DevOps, you just sprinkle on some security and expect it to kind of magically get taken care of. I think there’s a little bit of the ‘who owns what’ and [we should be] finding ways to align on the exceptions so that even the exception process has accountability and responsibility.”

Sameer explains his views on cloud tech and service providers: “I hope to see more and more big tech companies embracing partnerships with tech security companies to make it so seamless that it becomes part and parcel of how we operate in the cloud. I’m seeing that happen, and that’s getting me super excited because I care as much about the usability of a product as I should, and the product manager should care as much about the security of that product. And if we both have those shared outcomes, I think we’ll do very well.”

5. Get organizational and board buy-in

Meg Anderson (episode #16) has learned how to get support across the organization: “Now I see the value in not just asking for investment or the tangible things that you might need, but in asking for support and finding out who will be your advocates in the organization. If you want to make a change and really ask for what you need to get something completed, get somebody to help you across the organization.”

“The topic of security – and this is probably a double-edged sword – has risen to a board-level conversation,” notes Justin Somaini (episode #14). He offered this advice to get the Board’s buy-in on security initiatives: “The problem is board members generally don’t come from that ilk or that cloth. So you have to train and educate them on what cybersecurity or physical security is. But once you do, they’re deeply concerned about it, and they just need help and guidance to focus, and they will support you.”

4. Learn from regulated industries

Sameer Sait (episode #15) explains how his experience in financial services security expanded his vantage as a CISO: “I think the financial services industry really set me up well, given that there was a higher level of awareness and expectations around cyber risks and the impact of those risks. Coming out of those highly regulated, well-managed and risk-managed industries taught me a lot about what a good bar or a high bar for a cybersecurity program looks like.”

Healthcare has historically been one of the slowest adopters of the cloud due to strict regulatory requirements. Dan Walsh (episode #7) sees more security leaders working through their healthcare cloud security requirements to offset the rising costs of on-prem storage: “I would also say that healthcare has been a bit of a slow adopter to the cloud as compared to some of the other industries, but I do think that because of the focus on rising costs and trying to keep them down, it’s inevitable, and it is happening. In my opinion, we’re easily over halfway there.”

For industries like SaaS, the security challenges are still complex. “You’re working in the gaming industry, it’s different from financial institutions,” explains Justin Somaini (episode #14). Security for tech companies should cover multi-cloud environments: “You have a very energized and technical base culture to work for or work with. However, when you secure SaaS, it’s agile. When you start driving the CI/CD pipeline security capabilities and when you’re starting to, or not starting, but trying to deal with the infrastructure, a multi-cloud concept scales up and scales down.”

3. Navigate the on-premise bias

One of the issues is team hesitancy when on-premises investments have been made, as Sameer Sait (episode #15) has seen in his career: “There’s been a little bit of hesitation to change, and I don’t know if technology or security has actually been an enabler for that or more of, ‘Hold on a second, how do we make sure connectivity is good? How do we make sure our data is centralized in terms of storage? How do we move off of systems that we’ve built for 20 years and have worked fine for us?’ So a little bit of the ‘If it isn’t broken, why fix it?’ was what I saw in the physical store space.”

Understand potential biases preventing cloud-native adoption

Is there bias against migrating to cloud-native environments? Nick Selby (episode #12) offers this perspective: “A lot of the people who are making those decisions about scaling up operations are the same people who grew up in an on-prem space where the data center was in the basement.” Nick continues, “And those people, no matter what they do, still have this bias toward the way we used to do things. And that doesn’t fly in the cloud world.”

Compare cloud costs and potential savings

Regulated industries, like healthcare, are moving past the usual on-premises objectives and making the move to the cloud to save costs. “In order to run a large health care company at scale, these days, you have to start in the cloud,” shares Dan Walsh (episode #7), who has watched the healthcare industry make the move to the cloud. “You can’t start on-premise. Just financially, that doesn’t make any sense.”

2. Implement thoughtful cloud migrations

When migrating to the cloud, it is important to spend some time planning the cloud architecture and take advantage of new cloud-native technologies, such as containers, Kubernetes, and serverless.

Nick Vigier, CISO and the owner of Rising Tide Security (episode #13) notes the cloud migrations he’s seen are not all adopting cloud-native architectures: “From what I’ve seen in the field, from a CSO perspective, you have a lot of companies that have forklifted from more physical infrastructures straight into the cloud, and it just doesn’t work that way. You can get away with it, but it’s going to cost you a lot more. It’s going to be a lot more inefficient, and getting cloud-native is really what organizations should be focusing on in a very real sense — which requires a very different set of skills.”

Cloud migration projects can actually reduce risk when cloud-native security is in place, but as Chris Foulon (episode #6) knows, that’s not how it usually goes. As co-host of Breaking Into CyberSecurity and cybersecurity strategist, Chris has heard about and experienced his fair share of mismanaged cloud migration projects: “This idea that you can just pick up and drop your old designs that you had on-premise… a) you’re not taking advantage of the design architecture in the cloud, and b) you’re just really moving your risk from on-premise to cloud.”

1. Build and manage the right in-house team

“Your teams have to know a little about everything because they’re all different. They all have different capabilities,” shares Renee (episode #11) on how leading today’s security teams has changed, especially within the domains of cloud security operations and DevOps engineering. “I find that now you’re basically in multiple clouds. You’ve got several service providers; you might have somebody doing operations for you. And one of the things that I think is extremely difficult right now is figuring out who’s on first. You need to have some direction for where the ship is going. And so, it’s really about creating the mission, creating the values, and respecting each other.”

The in-house team’s time is critical to protect, according to Sameer Sait (episode #15): “I need to protect my team’s time to focus on things that they’re working on.” To meet that goal, Sameer focuses on team engagement and productivity: “So I think keeping your people or your team engaged and productive, but also not on a death march just because work is piling up is super important in leadership — even more important than the knowledge you have of cybersecurity.”

Dan Walsh (episode #7) offers another approach to filling security gaps on his team: find good security people throughout the organization to improve overall capabilities. According to Dan, “If I can find an engineering team that scans their source code for open source vulnerabilities, and that makes sure that their cloud infrastructure access and vulnerabilities are managed very well, I’m going to pull those people into my [team]; I want them.”

According to Dan, hiring and building a team is about having enough experience to know the talent you need to build the bench: “You don’t have to be the expert in the domain that you’re managing, but I would say that you need to get more than an inch deep in it in order to make sure you hire the right person for it.”

Stay tuned for Orca’s Cloud Security Reinvented podcast

In the next few weeks, we’ll feature three more articles covering more CISO “Greatest Hits” recaps with quotes from our favorite moments on this past season’s Cloud Security Reinvented. All these podcasts are available on demand and through subscription on these streaming platforms: Spotify | Apple Podcast | Google Podcast

Are you ready to elevate your cloud security program? Find out how Orca Security’s leading cloud security platform can work in your environment by watching a recorded demo or signing up for a free 30-day trial and risk assessment today.