Security That Fits the Needs of the Organization

February 24, 2020 • Monica Todros

There’s that old saying, “The more things change, the more things stay the same.” In cybersecurity and incident response, even with all of the new tools, increased speed, and mounting threats, a large part of keeping any organization safe comes down to taking care of the basics — the tried and true techniques that have served us well for decades.

Our guest this week is Gavin Reid, chief information security officer at Recorded Future. He’s a firm believer in taking care of the basics, empowering employees to collaborate and take healthy risks, and making sure that your communication style is concise and actionable — all good advice, tried and true.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 147 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

There’s that old saying, “The more things change, the more things stay the same.” In cybersecurity and incident response, even with all of the new tools, increased speed, and mounting threats, a large part of keeping any organization safe comes down to taking care of the basics — the tried and true techniques that have served us well for decades.

Our guest this week is Gavin Reid, chief information security officer at Recorded Future. He’s a firm believer in taking care of the basics, empowering employees to collaborate and take healthy risks, and making sure that your communication style is concise and actionable — all good advice, tried and true. Stay with us.

Gavin Reid:

So I started doing security at NASA at the Johnson Space Center a couple of decades back and from there went to go work at Cisco and I worked at Cisco for about 15 years. And then for the last four years I worked at a couple of startups, one, Lancope, they got bought by Cisco and then more recently for the last couple of years at Recorded Future.

Dave Bittner:

And so was threat intelligence always the lane that you were attracted to?

Gavin Reid:

Early on, I think I’ve worked out that we had a lot of really good incident detection tools, but they were only as good or only as useful as the intelligence that we could play into them. It’s like an intrusion detection system, if it has a really good set of signatures to look at, it can provide valuable results. If it doesn’t, it doesn’t provide anything back. And I think that’s often misunderstood in the security community, people think they buy different appliances and somehow magic will happen. You really have to have good intelligence about what the hackers are doing that you play into those tools in order for them to be effective.

Dave Bittner:

How do you come at that in terms of your management style? How do you approach that?

Gavin Reid:

I truly believe in empowerment. I used to make a lot of the same mistakes that some leaders make, in particular channeling all the hard projects to say, one of the MVPs of the team or the folks that are really, really good. And what that does is, it makes him or her stressed out and overloaded. And over time I learned to challenge employees with tasks, projects that stretch their capabilities. Be there to pick up the pieces if needed, but in that way we grow the individual and the team capabilities and we keep everyone interested and growing. So that took me a little while but eventually I learned that.

I’m also a big believer in having real connections between people in the team. Most people organically want to help and work together, but somehow the office environment gets in the way. So I really like bringing people together outside of the fluorescent lights of a conference room and have them start relationships outside of projects.

And then I think lastly, somewhere in my career I figured out I was spending more time with my team than my family. And so I really wanted those relationships to be real. At the end of the day, that’s what it’s all about. People getting together and sharing experiences. And work can be part of that if leadership cares about it.

Dave Bittner:

Can you give us some examples of the kinds of efforts that you have with your team? The types of offsite events or activities that you find useful?

Gavin Reid:

Yeah. So for example, next week in London I’m bringing together a portion of the security team where we’re just going to work on, what is our one and three year roadmap? What are we doing? What are some of the key projects that we’re taking on board? And in that way, everyone gets a say, the folks get empowered and we get to spend some time outside of work. The folks are not even … None of the folks that are on the team are actually part of the London team and so they’re away from home. So they can go out to dinner or they don’t have to come back home after work. They can spend some time after hours with the team as well.

Dave Bittner:

I think that’s a really interesting insight that, the importance of … I think especially in the technical industry like this one, it’s easy to get caught up in the numbers and the technology and all the ones and zeros. But at the end of the day, these are people and they have lives outside of work. They have families. They have wants and needs and desires and all of that gets woven through their professional life as well.

Gavin Reid:

Yeah. It’s amazing people that over email and perhaps remotely diving into a project, they can feel not a huge kinship with the other folks on the team. But once they’ve actually broken bread, shared some time outside of work, that human aspect takes over and they tend to really want to help people. It’s part of human nature.

Dave Bittner:

Now being on the C-suite yourself, I’m curious, how do you communicate messages to your own board about technical matters and do that in a way that’s understandable.

Gavin Reid:

Yeah. So what’s important to understand in that I think is, is you have to provide information that’s actionable to the board. So, you can present all kinds of interesting technical information. If there’s no action needed from them, you’re wasting their time. At one of my previous employers, we had very specific guidelines set for when and what the board needed from security before we could even go and speak to them.

So, you’ve got to provide information that’s contextually relevant to their jobs and role, providing status on projects unless they are board driven is often irrelevant. And so that’s where I see security professionals sometimes failing. They’ve got a lot of good information, they want to share it, but it’s nothing that’s really actionable. And I’d end on saying that instead of talking project, talk risk. And specifically, how that risk differs in your organization to say some of their peer organizations. That’s a really helpful context to whatever security point you’re attempting to get across.

Dave Bittner:

I guess it’s as important to know what to leave out as to what to include.

Gavin Reid:

Exactly. Yeah. I’ll give you a story about when I worked at NASA. We had a once a quarter read out to the board there, which were basically the directors of all the different directorates. From an IT and security perspective, one of my peers would give a read out and they just loved her and I gave a readout and they hated me and I analyzed it over time. I looked at what she was doing versus what I was doing. And she was giving them very, very compact, actionable information. And I was trying to give every single detail about these projects that I was on, and often went way over their heads and they didn’t appreciate it. So you have to be able to tailor your information contextually to what’s relevant to the decision making that they’re doing.

Dave Bittner:

Yeah. When you look at your own career path and the experiences you’ve had, what sort of advice do you have for folks who are coming up in the industry?

Gavin Reid:

So, one of the things, obviously there’s a lot of stuff there. I’m a big believer in understanding how technologies work. And so we see two career paths in security today. One, we have folks that have come up in the security realm where they may know a bit about vulnerabilities. They may have done some fuzzing, some pen testing, but they don’t really understand how large IT infrastructures work. And there’s definitely a limited value to the input that they can put into a large organization if they don’t understand the impact of what they’re asking. So if they don’t really understand IT infrastructure, IT architecture at scale, then when they’re making recommendations, the recommendations may not be very realistic. So I think understanding how computer networks work at a basic IT-level is extremely important.

The other thing is, personally I’ve always volunteered for the un-fun jobs. That’s the one thing I think that’s really helped me get ahead. So I wouldn’t be afraid to take on new things and be confident about it. And in doing that, one of the things I’ve also done is helped mold the job to what the company really needs. So not just what’s asked of you. I see this mistake made by many employees, they get asked or given a specific task and they feel that they should just do that. Really got to look at, what’s the total picture that you can deliver? Typically when you’re given a task and you concentrate on said task, you may find that there’s a lot of peripheral information that’s involved with the successful delivery, and you’re there, you’re the feet on the street. So make sure you deliver the total picture. Again, I would say just take on the hard jobs. Leave the cushy ones for others.

Dave Bittner:

It’s funny, I have a colleague who when it comes to following directions, he often refers to something that he calls malicious obedience. Doing exactly what you’ve been told to do knowing that it might not be in the company’s best interest.

Gavin Reid:

Yeah. There’s a story that I’ve told a couple of new teams that have maybe taken over which it’s, you may ask, say, “Hey, I need some milk.” And a good delivery on that might be someone has looked and said, “Okay, this person needs a glass. He probably needs chilled milk. He needs a napkin.” That’s really what’s involved in, “Hey, I want some milk.” A bad delivery would be getting a gallon milk jug and throwing it at his head. There’s a huge difference between the two. And there’s an ability to add additional value if you really look into what you’re being asked to do and take total ownership for it.

Dave Bittner:

But I suppose, I mean, that loops back and speaks to your own management style as well, that you’re fostering an environment where people feel as though they can take their own personal risks to interpret what they think needs to be done and not be punished for it.

Gavin Reid:

Yeah, no, absolutely. You’ve got to have a safe environment where people feel that they can try things out and be aggressive, be adventurous.

Dave Bittner:

When you look around at the landscape today in terms of what we’re facing with cyber threats, what’s at the top of your list? What are the things that you feel companies should have their eye on?

Gavin Reid:

It hasn’t really changed that much over the years. You’re going to get breached, that will happen. It’s most likely going to come through email or the web then post that, the miscreants are going to remotely control, say a PC in your environment and they’re going to try and spread laterally. When they’re doing that, they’re going to look to compromise accounts that have extended access. That same … Done the same answer to that question 10 years ago. So, once you have good capabilities at detecting and interrupting that, you can work out from there. But if you don’t, this is where you should start. If you don’t have the ability to detect, to interrupt, to respond, to recover from that scenario, that’s the most common one. It’s the one that you see being played out over and over and over again. It’s very easy to do and due to the open nature of our networks, it’s often successful.

Beyond that on unintended exposure of credentials or security controls, especially in those third parties. So, you probably have third parties that either make your product or hold sensitive data, make sure that you’re paying attention to the access that they have. If that access gets shared inappropriately, that you’ll notice it and that you’ll be able to respond to it. We’ve seen this very, very explicitly happen in the AWS space where either there’s a backup that’s left open or someone’s credentials, someone’s API key gets released on the internet and very, very quickly the hackers are scanning for this information and taking advantage of it.

Dave Bittner:

When a breach does occur, what are the first things that people should do? What should their first course of action be?

Gavin Reid:

Well, they’ve got to find out what was exposed, and depending on what was exposed, what’s the totality of that attack? What’s the potential impact? And once they’ve worked out that, really the state of the art of incident response for teams is that they can accurately look at a particular set of events and figure out the totality of the attack. And then how to quickly bring the business back to a known good state as accurately, as effectively as possible.

Dave Bittner:

In your own position as CISO, what do you consider to be the key attributes of success? What makes a good CISO in today’s environment?

Gavin Reid:

Well, I would say in a single word, flexibility. A good CISO can balance company risk with security costs to steer organizations in the right direction. As a CISO you’re responsible for navigating the company’s need for good security alongside the costs that are incurred. And there’s never really 100 percent correct solution. However, there are many incorrect paths that you could go down. And I would say an ineffective CISO, they can effectively balance. And they end up either putting the company at risk by not effectively assessing a situation or driving good security solutions, or they push for security over IT connectivity or the business needs for a quick solution. In turn that slows the business down. A really bad CISO does both of those things interchangeably.

So, on a personal level, I don’t believe in security for security’s sake. I believe security as it fits the business needs of the organization. And those are going to change depending on what is your organization? What data are you covering in the various drivers for the organization?

Dave Bittner:

I think a lot of people when they look around, they wonder, why haven’t we gotten an upper hand faster than we have? Why aren’t we farther ahead than maybe where they thought we’d be a few years back? What’s your take on that? Why do you think we’re not gaining ground faster than we are?

Gavin Reid:

Yeah. No, it’s an interesting thing. And I’m not 100 percent sure we don’t have the upper hand. We’ve got … Most businesses are working on the internet, banking, some of the most sensitive information in the world is traded securely as an integral part of how the human race works now. And when I do my job well, nothing happens. So, no one reports on that. No one reports on, nothing happened today.

I’ll tell you, when I started at Cisco, the CISO at the time asked me what I was most worried about, and my answer back in the late ’90s and today is the same thing. It’s complexity. The more IT infrastructure we have, the more complex it is, the harder it is to secure and monitor.

When we did the original active directory design at NASA and at Cisco, we didn’t have in mind it would be attacked by bad guys. We didn’t design it with that criteria. So what organizations have had to do later is throw out a lot of their existing IT infrastructure and completely replace it. And this is hard and expensive and it ends up hopefully being more secure but not necessarily offering a bunch of new capabilities. And that’s often what drives these massive IT uplifts.

This is fundamentally a hard sell and many organizations have not done it. Making this all harder is that the product landscape is endless. You combine that with environments that are really 100 percent unique and there’s no standard way of quantifying the situation. And this creates chaos from a solution perspective.

And as well I would say, some of the things that have slowed us down perhaps is, we look at incident response and detection as somehow a replacement for good security best practice. This has been exasperated by the security community selling bolt-on security appliances to somehow cure a broken security model. We’ve built security, weak or indefensible infrastructures, and fixing basics like configuration control, patching, compartmentalization, attribution, often is going to take a major IT infrastructure upgrade and very few have done this. Many more have tried to add some of those magic boxes to somehow make up for this technical debt.

You can see this is a topic I’m passionate about, but I’d say lastly, incident-wise, unfortunately we seem to have created this culture of victim shaming. It’s the organization’s fault. They got hacked. They should’ve done more of this or that. They should’ve done more of something or less of something else. And this is commonplace. And in particular the security Twitterrazzi have a lot to answer for here. This victim shaming, it’s not productive and the attitude really runs counter to working together to make things better. Things like, people don’t learn because they don’t share. Organizations are scared to talk about getting hacked because they’re worried. They quickly sweep incidents under the carpet. Instead they should be put into the spotlight. Held up so that other organizations can learn.

And then, lastly, security fundamentals. I’ve talked to hundreds of security teams all over the world. And maybe 1 percent of them have invested in doing the basics right. It’s a real rarity. We live in a target rich environment that enables, not hinders hackers.

Dave Bittner:

Our thanks to Recorded Future’s Gavin Reid for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
