Business Outcomes and the CISO's Success
By Zane Pokorny on April 15, 2019
Joining us today is Dana Pickett. He’s CISO for Edwards Performance Solutions, as well as a principal for the cybersecurity services they offer. With over three decades in the industry, Dana has witnessed the inception and evolution of cybersecurity, from mainframes to the IoT.
He shares his thoughts on what it takes to be a successful CISO, the importance of focusing on business outcomes, effective communication with the board, proactive versus reactive threat intelligence, the utility of frameworks, and the value of peer groups.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone and welcome to episode 103 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Joining us today is Dana Pickett. He’s CISO for Edwards Performance Solutions as well as a principal for the cybersecurity services they offer. With over three decades in the industry, Dana Pickett has witnessed the inception and evolution of cybersecurity from mainframes to IoT.
He shares his thoughts on what it takes to be a successful CISO, the importance of focusing on business outcomes, effective communication with the board, proactive versus reactive threat intelligence, the utility of frameworks, and the value of peer groups. Stay with us.
I was a systems engineer on a Honeywell machine for a company I was working for then, and all of a sudden they made a decision to bring in Big Blue, IBM, and the CIO at that time walked into my cubicle and said, “Hey, we’ve got to figure out how to secure this beast. Is this something you’d like to take three months out of your daily routine and figure out how to do that and make that work?” So that’s been almost 33 years ago, and I’ve been in what then was called data security, information security, enterprise security, now everyone calls it cybersecurity. So, that’s how my journey began. It was supposed to be a three-month gig and 33 years later, here I am.
Well, I mean, give us some perspective. When you say your boss came in and said, “We have to secure this beast.” What was the state of things then and what did securing a system like that mean?
So, it’s funny. Another great question. Back then, nobody was thinking about securing the information on the mainframes, because that’s what it was back in that day, nothing but mainframes. So, there were two mainframe leaders in information security back then, and one was Top Secret and one was ACF2. And the package that was delivered with this mainframe was ACF2, so basically the CIO gave me these three five-inch thick blue binders and said … You know, it was on a Wednesday night, I’ll remember that as if it just happened a couple of days ago, and said, “Figure out how to have this mainframe secure by midnight Friday night.” So here I am working until the wee hours of Thursday morning and then I happened to flip through one of the manuals and said, “Oh, you can put everything in warn mode for a period of time to see where there may be potential issues and then turn it into fail mode at any point in time that you want it to actually fail on certain indicators.” So that was how the whole, and I’ll call it journey, started. So, it was back in the day when no one really was thinking about information security. And boy have we come a long way since then. But that said, it’s all because of the internet.
So what kinds of threats were you on the watch for?
Back then, basically all it was about, Dave, was just making sure that you had certain parameters in place to guarantee that people had the right permissions in order to get into the data that they needed to use to perform their functions. So, really, that was the extent of securing anything back then.
So there was no broader connection to the internet. At that point, was there even an internet to connect to?
Oh, no, there was not. I’m trying to think when the internet actually came into play. It was back in my T. Rowe Price days. So I’m going back probably 18, it may even have been further than that, I’m going back probably 20 years ago, 18-20 years ago, when this thing called the internet, which now has evolved into what we call the internet of things, and it really is the internet of things. So the internet is really what I feel is what caused or created the opportunities for businesses to understand that they need to take a step back and rethink this whole information security a little bit differently. So, with that said, you heard me say information security and all that has evolved now into what we call cybersecurity because it’s really all about the cyber space, if you will.
And so from that initial starting point, what was the pathway to lead you to where you are today at Edwards?
I took that three-month temporary job and worked at that company for probably another two years. And then I had a headhunter reach out to me and ask me if I’d be interested in coming in to interview for a job at T. Rowe Price. They were looking for somebody to come in and take over the information security group because the internet had just come to light at that point in time and the person who was responsible for information security moved over to run the internet support and services group. So I went over, interviewed with corporate and then within 24 hours, they called me back to interview with all the business units. And that just led to them offering me the job and I wound up moving to T. Rowe Price. I was in that role for six months. The person who was heading up internet support and services left and I wound up taking that group underneath my umbrella, if you will, and wound up being responsible for the internet as well as corporate data security.
So, that’s really where the opportunity came in for me to get more involved in the internet and figuring out, with the internet in play, what do we need to do differently in order to better guarantee, and you hear me say better guarantee because I would say there’s no such thing as 100 percent guarantee, to better guarantee that a company’s assets are not being tampered with, stolen, altered, or anything that you want to include in that category.
So you’ve really been witness to this whole evolution from the very beginning of what we call cybersecurity today?
That’s correct. And I will tell you, I guess it’s easy to say it’s an opportunity that I fell into and that it’s just evolved into, I think, a lot of different opportunities along my path/journey. So, that’s correct. I’ll be honest with you. I’ll say it this way, I wouldn’t trade my background for anything because I would say that I lived through the battles. I have the scars where things were done wrong and then you learn from those opportunities and move on to help companies put in a better cybersecurity program in order to move their business forward.
I think that’s a really interesting point, in that, I think there’s a lot of, I guess for lack of a better word, you know, old timers, and I put myself in that category, there’s a lot of wisdom that was gained by being around when those systems were a lot more primitive, things weren’t as easy as they are today and there were some hard lessons learned.
That’s correct. It’s kind of funny. If I can give you an example, I’m part of various peer groups and I actually head up a couple of peer groups. It’s interesting to see companies, because there is a shortage of mature, seasoned security professionals out there. So what’s happened is, companies have no choice but to hire somebody right out of a college program, which is great, and I’ve helped some colleges create those four-year as well as master’s programs to better guarantee that there is a flow of students that are graduating with some type of career goal in the cybersecurity space. It’s interesting. I love being part of these peer group meetings when I have somebody sitting on the other side of the table that’s just accepted a head of security … I don’t like to call it a CISO because all companies don’t have a chief information security officer, they have a head of security and that could be a chief information security officer, that could be a director of information security, cybersecurity, different companies have different titles, so I don’t really get caught up on the titles.
But it’s interesting to have these conversations with these youngsters, I call them, and a lot of them feel like they know exactly what needs to be done and they go in front of the security council or the board and try to convince the board on why they need to spend money to do a certain project and they don’t get the budget approved. And a part of that is because they aren’t seasoned, they don’t wear the battle scars and they really don’t know how to go in front of that group to sell the programming.
To be honest with you, Dave, you have to be a sales person in this space, and I mean that in a positive way, not a negative way, in order to be able to educate senior management at the C level why it’s important to invest something into creating a cybersecurity program that is tied to business outcomes. And that’s extremely important. You have to be able to create a cybersecurity program based on some type of framework that ties to business outcomes with the goal there to carry the business forward and to better guarantee that they’re not in negative press because of an event.
And I suppose a big part of that is being able to stand in front of those leaders and communicate with them using their language rather than perhaps your own.
That’s correct and part of the issue there is, there’s two tracks. What has happened over the years, Dave, is CISOs seem to take two tracks. They either take the technical track or the more strategic and forward thinking track. So what happens in a company that hires a CISO that came from the technical world, and believe me, there’s nothing wrong with that because I would argue that the better CISOs understand technology, understand the business and that’s what makes them the right candidates to move the business forward with the right cybersecurity program. But what happens in a world where you have a technical CISO, more times than not, that technical CISO doesn’t know how to go in front of a board and put things in language that they understand. And, oh by the way, you have to make it personal. Those board members have to understand, what does this really mean to me? It’s not just what does it mean to the business, what does it really mean to me? And so, what we’ve found over the years, the CISOs that are more strategic, forward thinking, are the better candidates to go in front of the C level in order to explain the importance of why they need a cybersecurity program.
Describe to us, what is your day to day like there at Edwards Performance Solutions?
So, it’s interesting. You heard that I have worn the head of security hat for 30-something years for four major companies. Edwards is the smallest company I’ve ever worked for. When I came here, I wanted to end my career proving that cybersecurity could be a revenue generator, not overhead. In the company that I worked for prior to joining Edwards, I was fortunate enough to go in, build a team to where we created a global cybersecurity program that started bringing in income, revenue, because we had a security incident response program in place and we had a security operations center, what we referred to as a SOC in place. I wanted to end my career as a CISO proving that that is attainable. Then, I took a step back, I took 10 months off, really to help with some family health, personal health issues that my mother-in-law and father were having. And to reassess, what do I want to do going forward between now and retirement.
At that point in time, I was seriously thinking about starting my own business. I even went out and got an LLC. I was going to start my own business to be able to offer services based on my 32 years of experience at a price point to companies that I wish were offered to me when I was head of a security group. It’s interesting. I was two weeks away from forming my own company when Edwards called me in. We had a conversation and I realized within 15 minutes, that, my god, Edwards is jumpstarting this whole cybersecurity arm and they want to build services and build back in solutions at a price point that small to mid-sized companies could afford.
Because it’s like anything else. Your large companies have the revenue coming in that they … It’s easier to go in front of a C level in a large company to convince them why they need to spend x amount of money for a cybersecurity program, but that’s a difficult task when you go in front of a small company. Most small companies don’t have the budget to even hire somebody to run their security program, let alone to staff it and buy solutions. So I joined the company a year and a half ago and I’ve got to tell you, it’s been an exciting time in my life and in my career because I’m giving back. I’m helping Edwards create these solutions and these programs and we’re actually rolling them out as we speak. So, it’s been very gratifying being on this side of the table, if you will, for the past year and a half.
I want to talk some about threat intelligence. It’s one of the focuses of our program here. What part do you feel like threat intelligence plays in the work that you do?
It’s interesting, I would tell you. You heard me say I wear two hats. I didn’t really explain the second part of that. So, I came in as the principal of cybersecurity to help jumpstart our cybersecurity offers. But, I also … Six months after I was here, Edwards realized, you know, we really need somebody to wear that CISO hat. Here, I thought I’d given up that role. I saw the opportunity to also become the CISO for Edwards, because at the end of the day, listen, if we’re going to be selling a company services and solutions, we’ve got to be able to, I’m going to phrase it this way, drink our own Kool-Aid. So that’s why I’m wearing the CISO hat.
So, to answer your question, threat intelligence, there’s two ways to look at that. If you’re talking about threat intelligence as far as what is a company doing to better guarantee that they’re not going to be susceptible to an event/threat, that’s what I call the proactive piece that any CISO should be looking at for their company. But there’s also a threat intelligence side, the other side of the table where you have your hackers and stuff that are trying to hack in. That’s also considered threat intelligence.
So I believe that threat intelligence can go both ways. What you need to do as far as having a better threat intelligence program to guarantee that hackers aren’t getting into your systems, versus what is a hacker using through threat intelligence in order to get in. So, to me, again, you heard me mention this earlier, Dave, to me, most companies create some type of information cybersecurity program without learning what’s the business all about. What is the business data/information that we really need to protect? That’s why you heard me say earlier that you have to have a program that ties to business outcomes.
So, a lot of people just rush out, buy tools, whether it’s monitoring tools, logging tools, whether it’s data leakage prevention tools, there’s hundreds of tools out there. A lot of people just go out and go through a checklist and say, “Yeah, we purchased this tool to do this. We purchased this tool to do that.” But without taking a step back and saying, “So based on our business outcomes, based on what we do as a business, what are our high level risks? What do we need to address first? What do we need to address second?” So, I would argue that any CISO, any head of security, the first thing they should do when they’re new in that job, or even if they’re in that job today and they have programs where they’re just spending money every year, they need to take a step back and do more of a high-level risk assessment. Once you do that, then you take your cybersecurity program, you have to be able to map it to some type of framework.
I’ll just use one that’s near and dear to my heart, NIST has come out with a phenomenal framework where one of the standards was developed to where … It’s called 800-53. It has different controls that go against access control, goes against backup and recovery, goes against, you know, what are IT shops doing with the information on their server farm. Is it protected? Do people log in and log out of the facility?
So, if you don’t create a cybersecurity program that’s mapped to some type of framework that gives you a maturity model of … And let’s just use a scale of 1-10, when you do this assessment based on your business outcomes, you realize, oh, I rate a two. Well, based on my business and where is my business going is a two good enough to better guarantee that we’re not going to get hacked, or better yet, that an inside person, because they may have access that they shouldn’t have, accidentally does something with that access that creates an event as well.
So, to that point, you have to create a program based on a framework, which is tied to business outcomes. Once you’ve laid that all out, and you have identified risk — high, medium, or low, however you want to identify them — then you look at what do we need to do through awareness, because I would tell you that 75 percent of what CISOs need to do if they’re not doing it today, is they need to be educating everybody within the company on what they should and shouldn’t be doing, the dos and don’ts. The other 25 percent is all about spending the money, going after the software packages that you need in order to monitor, log or what have you, or prevent.
I’m all about moving forward with putting more of a proactive program in place instead of a reactive program, where you react every time there’s an event and you band-aid it. The goal with creating a cybersecurity program based on a framework, then gives you a maturity model, Dave, where you can go in front of the board and say, listen. And I’m just going to use raw numbers. I need $100,000 to be able to address this high level risk. When you go back in front of the security council, or board or whoever you report to, whether it’s monthly, quarterly, whatever, then you go back and say, “Listen. The money you gave me three months ago, here’s the ROI. This is the return on investment. So, we’ve taken our program to where we said we would. Now we need an additional $100,000 to take it to the next level.” To me, that is the structure and how CISOs should be thinking today, especially with the internet of things and how quickly things can happen in an environment that someone thinks they have locked down and secured.
It seems to me also that, particularly as you mentioned, these budget-constrained organizations, those small and mid-sized organizations, they really need to be focused on spending those limited resources of both money and time on the things that are going to be the highest risk to them.
That’s correct. And the challenge to that, Dave, is this. And we’ve talked about it. Your small and I would even say your mid-sized companies, first and foremost, more times than not, they don’t even realize that they need some type of cybersecurity program. They’re still trying to get their arms around how do we move this business forward? How do we grow it? With that said, a small company in particular cannot afford to hire a CISO. A fully loaded CISO in today’s society is just too expensive for a small company to even consider. So, they have the challenge of, what can we do in smaller increments in order to start putting something in place that’s going to get us to an end goal. And that end goal may not be until five years from now, seven years from now. So, to that point, I think part of the challenge is, you’ve already heard me allude to the fact that there’s a shortage of seasoned CISOs out there. Well, to be honest with you, there’s a shortage of most professionals in the cybersecurity space. The last count I heard globally there’s 750,000 open cybersecurity, privacy officer, risk-type of positions that are open globally that can’t be filled because the candidates just aren’t there.
And part of the reason why one of the things that I did years ago with one of the peer groups that I formed is, we started going out and working with colleges to help colleges understand that they have to put in place some type of program to get students educated so that these positions can start being filled. We were very successful 10 years ago working with a local college that now has a four-year program in place. And we were successful seven years ago working with another college that has a four-year program in place. We’ve even been working with community colleges that have two-year programs that are being offered and we’ve even worked with some of these colleges to have them put in some certification programs. Because I would tell you, again, not all cybersecurity positions have a requirement of a four-year degree. Now, I’m all about a four-year degree because I think four-year degrees just prove that someone has the aptitude to learn and so on and so forth. But, in order to fill these positions sooner rather than later, you have to look at certifications.
What’s a certification I need to get, whether it’s ethical hacker, whether it’s a CISSP, certified information systems security professional, whether it’s a CISM, a certified information security manager. There’s various certifications out there that do not cost a lot of money and do not take a lot of time to at least get somebody better qualified to move into one of these roles.
So what are your recommendations for organizations that are trying to wrap their head around this? They’re trying to get started and make sure they’re headed in the right direction?
I have a couple of answers there, Dave, and that’s another great question. I think first and foremost, somebody within the organization, I don’t care whether it’s a small, medium, large company that may not have a formal cybersecurity program in place, and may not even have a group that’s responsible for that program, but more times than not, there’s somebody within information technology, somebody within the IT group that’s wearing a security hat. Somebody in that group is responsible for configuring firewalls, for setting up proxies, and more times than not, there’s somebody in every company that wears some type of hat where security is part of their day-to-day responsibility and they may not even know that.
So, I would say, somehow or other those folks have to start thinking about better securing the infrastructure for their company. And let’s just say that the infrastructure is not housed within their four walls. Let’s just say someone is using a cloud provider. But there has to be somebody within the company that, with all the publications and all the news and all the articles out there where someone’s hacked into various companies, somebody has to be responsible for thinking about cybersecurity. The other part of that question is, there’s various companies out there through an advisory capacity or through a consulting capacity, that would gladly come in, sit down with these organizations to help them better understand where they need to start moving to better guarantee that their company is not going to be hacked into.
And so, I would just say at a minimum, if there’s somebody within an organization that’s wearing that hat, they need to tap into the multiple resources. Companies, like I said, that do that in an advisory capacity or even peer groups. Peer groups are free. You can join any peer group. I would tell you, the best knowledge transfer that I have ever been able to give or receive over the years has been part of peer groups that either I have formed or I have joined, where you get local people together and you discuss like issues and like concerns, because the value proposition there, Dave, is, a lot of people spend a lot of time going out and looking at vendor solutions without realizing what they need that solution to accomplish. Tap into these peer groups. Tap into these resources. Learn from people that have already gone down the wrong path and spent money they shouldn’t have spent, and then realized they need to go a different direction. That would be my suggestion to these folks.
Our thanks to Dana Pickett from Edwards Performance Solutions for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.