Jul 13, 2022
On Cloud Security Reinvented, Orca Security’s podcast hosted by Advisory CISO Andy Ellis, Andy invites CISOs and security leaders to join the show and share reflections from their careers in cybersecurity and their experiences with cloud security.
In every episode, listeners get to hear ‘been there/done that’ advice from the security leaders who have had boots on the ground through the last decade of migrating to the cloud. This last season has featured a fascinating group of security leaders from PayPal, Google, Coca-Cola, Whole Foods, and more.
In case you missed it, we’ve curated the following 11 CISO survival strategies shared so far from this last season for you to enjoy. Read on for some classic advice and new considerations to help survive and thrive as a CISO.
Roland Cloutier, the Global Chief Security Officer at TikTok (episode #18), shares wise advice security pros will understand: “You can’t protect what you can’t see. It doesn’t matter if it’s the cloud, data center, or physical security people. So get that transparency and visibility, get those risk programs in place, and be truthful with yourself and your business about it.”
Dan Walsh, the CISO at VillageMD (episode #7), explains his top two priorities: “For me, access control and asset inventory are the top two. I know that, obviously, vulnerability management is important as well. In my experience, I’ve seen more problems with cloud incidents, with knowing what is in my cloud infrastructure and knowing who has access to it than because something wasn’t patched in the cloud.”
Ryan Gurney, the CISO-in-Residence at YL Ventures (episode #8), makes sure key assets are identified and protected: “CISO is a tough career… I would often have CEOs come to me in passing, and they would say, ‘Hey, are we secure?’ Perhaps that was just small talk, but I took it seriously. I feel an effective CISO should be able to say, ‘Hey, listen, I’m aware of our key assets. I know how they’re protected, and I know our key risks. We actively monitor it, and we’re managing it.’”
“Don’t do it yourself. Don’t run your mail system. Pay somebody else to do that,” cautions Andy Steingruebl, CSO at Pinterest (episode #17). “It’s too big a pain with too many risks. That’s sensitive stuff, but don’t keep that in-house. You’re not going to do it as well as you can pay somebody else like Google or Microsoft to do it for you.”
Ryan Gurney (episode #8) explains how investing in cloud-layer security abstractions can ease security staffing challenges: “I’m fascinated about abstraction at the cloud layer around security controls, how we can make things quicker and easier for the CISO – especially when we consider the challenges we have with hiring security professionals today. It’s amazing how many business functions you can outsource now. The bar to entry is super low, so you can just focus on your [functions] to start with, and I think that’s fantastic.”
Depending on the industry, CISOs need to be prepared for varying levels of security requirements, especially when it comes to traffic volumes and conducting transactions online. Andy Steingruebl (episode #17): “It’s a little bit industry-specific; you deal with lots of traffic. It was a big adjustment when I got to PayPal to realize. If you’ve been working at a lot of businesses that aren’t internet-scale businesses, you don’t understand traffic volumes and the torture testing that you put systems through. It’s the traffic volume difference between a business with a browser, an interaction component, and just a transaction piece.”
By adjusting his leadership style to match the speed of the cloud, Roland Cloutier (episode #18) has adapted to stay ahead of the pace: “You’ve got to be ready for that high level of operational tempo that we have, and adjusting my leadership style and capability to ensure that I enable that for the team has been one of the biggest learning opportunities for me.”
The sheer volume of data required to run an app like Pinterest keeps Andy Steingruebl (episode #17) on top of his game: “The biggest surprise is how much complexity is under the cover. I think a lot of people don’t understand that. When you open the app, it’s deliberately built with a beautiful interface. What’s behind the scenes making that happen has an incredible amount of machinery involved, both offline and in real-time, to show you the results. And there’s a huge amount of data volume involved in doing that.”
Coming from the venture capital space, Ryan Gurney (episode #8) encourages CISOs to manage their third-party security risks: “I’ve seen us go from attempts to keep all the data inside the borders of the company to utilizing private clouds, public clouds, and the explosion of right third-party SaaS apps and mobile apps. It means that there are more environments where customer company data is being housed. Accessing that and understanding your assets is super critical.”
Renee Guttman-Stark, a transformational leader in cybersecurity who has led world-class global information security programs for Coca-Cola, Time Warner, Royal Caribbean, Campbell, and Capital One (episode #11), notes the risks when not all IT is run by the IT department: “The other problem is that these systems that I’m talking about are generally not run by IT people. They’re outside the span of IT. So you’ve got somebody that runs a manufacturing system, and they could be buying cameras from who knows where.”
If you want to make progress in your organization regarding security, you need to let go of the “gotcha” mentality, as Brian Haugli, Managing Partner at SideChannel and co-author of Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework (episode #10), believes. “We need to move to risk management, where there is gray. There is the ability to accept risk as long as it’s appropriate, but this pure black-and-white view and this ‘gotcha’ mentality that exists within security professionals — we just need to get rid of that. It’s not helping anyone at all.”
Ryan Gurney (episode #8) looks to his controls to manage cloud risks: “If something is not truly reducing risk in a meaningful way, you need to look for another control and be able to explain it. You’ll lose credibility if you can’t, or if you’re reading off a spreadsheet.”
Using examples helps. Brian Haugli (episode #10) reinforces his suggestions to clients by pointing to publicly published security policies. “I use them as an example when I’m telling our clients or anyone, ‘Hey, if you want to talk about your security, you really need to start replicating how Amazon talks about their security posture.’ They publish, ‘Hey, we do these things. These are the controls that we meet. These are the standards that we meet.’ That transparency is huge.”
Creating a security-first workplace doesn’t require long-winded security awareness training for employees, according to Ryan Gurney (episode #8): “Security training needs to be short, to the point, frequent, contextual, and specific to the company and its culture. And that includes how you sign up for SaaS applications and how you manage your cloud environment.” What should security awareness training include? According to Ryan, “You should discuss only the areas that are important to the security company, security in their culture, and give people tips on how they can do things in their personal lives and help their family and friends. So, the old stuff around these long-winded four-hour-long trainings needs to go away.”
“Security theory has not changed. Confidentiality, integrity, and availability (CIA), or if you want to use one of the other models — they are still the same,” offers Justin Somaini (episode #14), the Chief Security Officer of Unity Technologies, a leader in the iGaming industry. “It’s how we apply that to the technology that we have today. So that basic concept of what we do and why we do it is the same.”
Justin encourages CISOs to be wary of sales buzzwords and to “focus on the really important things.” He explains that his approach to the security basics includes “having a proper risk management process of identifying the issues — what are the things we need to do to solve them versus changing what we are being told that we need to do from marketing and sales and otherwise.”
For Morey Haber (episode #9), the Chief Security Officer at BeyondTrust, reliability represents one of the most significant aspects of how he manages cloud security. “My parents had a jewelry store in Brooklyn, New York, and its name was Haber’s ‘Reliable’ Jewelry. The fact that my career started as a reliability engineer, and I ended up as a CSO, I still hold that word very dear. I think the key to protecting information is to make sure it’s accurate.”
“I think the basics still matter,” Ryan Gurney (episode #8) says, especially when it comes to established roles and access within the security environment. “Whether you’re in a cloud environment, in the private cloud, or an on-premise deployment, being able to establish policies, identify vulnerabilities, and patch still matter, and they’re always going to matter. And in some cases, with our cloud providers, we have to hold them accountable and work closely with them to do those things.”
When you’re ready to go beyond CISO survival, Advisory CISO Andy Ellis invites you to tune into the next Cloud Security Reinvented podcast to hear from security leaders on the enterprise frontlines. From CISO best practices to real-world career advice, these experts know what it takes to run world-class security programs. Bookmark and listen to episodes on-demand on Orca’s website here, or download and listen on your favorite streaming platform: Spotify | Apple Podcast | Google Podcast
With Orca’s platform, you can manage your cloud risks real-time and mature your cloud security program over time. Ready to see your entire cloud estate in minutes? Sign up for your free 30-day trial and cloud risk assessment today.