A CISO’s Journey From the City to the Private Sector

This is Recorded Future, inside threat intelligence for cybersecurity. _Dave Bittner_:

Hello everyone, and thanks for joining us for episode 69 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Gary Hayslip. He’s vice president and chief information security officer at Webroot, a cybersecurity and threat intelligence company. Prior to joining Webroot, he was the CISO for the city of San Diego, and before that served active duty with the U.S. Navy and as a U.S. Federal Government employee.

He’s the author of “The CISO Desk Reference Guide,” and is an active cyber evangelist and popular keynote speaker. He shares his thoughts on team building, recruiting talent in a highly competitive jobs market, and the importance of actionable threat intelligence. Stay with us.

Gary Hayslip:

Well, I’ve been in the cybersecurity field … I’ve been a CISO for over the last 10 years. You know, I spent four years as the CISO for the city of San Diego. While at the city of San Diego, I was working with a lot of the different cyber startups here in San Diego. I partnered with several of them as I was building out the security program that we were using to protect a lot of our “smart city” projects, and I just happened to be in that process. I met one of the local startups here called CyberFlow Analytics, and they were purchased by Webroot. While Webroot was doing due diligence on them and taking a look at them, I guess they got to know me.

And then, later on at RSA, they offered me the position and I thought it was pretty intriguing. I had been thinking about, you know, leaving the public side and coming over to the private industry anyhow. I really liked the company and I liked the people, and so I decided to go ahead and step over.

Dave Bittner:

Could you give us a little idea of what the contrast is between the time you spent in the public sector and the types of things you take care of now at a place like Webroot?

Gary Hayslip:

On the public side, like I said, I was in the military for 20 years and then was in federal civil service for almost seven years. Then, I was with the city of San Diego for four. So, you’ve got extensive experience on the public side, you know, and then I stepped over. I’ve been in the private industry side for about the last 18 months. There is a big difference, you know? I find a lot of it is the revenue. You know, revenue drives a lot of the things that happen in the private industry. On the public side, there is no such thing as revenue. It’s just taxpayer dollars. That’s always there. You may have different amounts of it every year, but it’s predominantly always there. So there’s different motivators for services that are done. There’s different motivators for how you do your job.

I’ve had to adjust on being in the private industry, and the fact of how quickly things can move. If a organization needs to go ahead and reorganize and move departments and people around because they’re … You know, they’ve got new products that are coming along and they want to go ahead and capture a chunk of the market before competitors catch up, they’ll do that quickly. Where, like, on the public side, I worked for organizations in the government where we needed to make a change and reorganize. Three years later, we were still doing it, still talking about it.

So, you know, it is very different in some ways. Just the speed in how quickly things can get done. But with that said, though, I mean, I’ve been a government CISO and I’ve been a private industry CISO. A lot of the threats are relatively the same. You know, scale may be a little different and we still have problems with educating employees and educating executive staff. You still have issues following cyber hygiene and trying to manage things. The biggest difference you find, a lot of times, is on the federal side, you know, as a CISO, the risk is pretty much black and white. If you use NIST as your framework, you know, there’s very little leeway as to how much room you have to be compliant or not.

You know, I used to joke that as a federal CISO, I had a bit of a hammer in which I could beat people and make them be compliant and make them follow what I needed to do. When I transitioned from being a CISO at the city, that kind of went away, because cities don’t really … You know, they don’t really follow any kind of framework or any kind of directives. It’s suggested, you know? The state of California can make suggestions that cities should follow for data privacy or for cybersecurity, but in the end game, it’s really up to the city. You know, what they want to do because it’s their funds.

When I got to the city of San Diego, I had to totally adjust how I managed security teams, and I had to totally adjust how I approached the organization and managed our risks. Because when I worked for DoD, they had to follow things. When I was at the city, they didn’t have to listen to me at all. So, I mean, it’s like, you start having to get out and meet people. You start having to build relationships. You start having to collaborate. So in some ways, you know, working at the city was very much like the private industry.

Dave Bittner:

Can you describe to us, what is the process that you’ve used for building those security teams?

Gary Hayslip:

For me, building out my teams, a lot of it is … One of the first things I do when I come into an organization is, I go out and I do a lot of the “meet and greet,” you know, or I’m going out and talking to the different departments. I’m kind of figuring out, okay, what do they know about information security? What do they know about my department? What services are we provided with? You know, what things are screwed up? What things are they angry about? And in talking to them, I find out what applications and what data and what things are important to them to be able to do the job. And then, I come back and I spend time with my staff figuring out, okay, what do we do? What services are we providing? What’s our security stack? What technologies are ours? I start making these lists so I can better understand, from a service perspective, what value we provide to the business.

And once I understand that and I understand the technologies and the different services and everything that we’re providing to the organization and the various business units, I jump into my … You know, the current people I have on my staff, I’ll jump into their job descriptions and make sure they’re all updated. I’ll talk with HR and get an idea as to what they’re recruiting, what they’ve recruited in the past.

I find a lot of HRs that I’ve worked with don’t really understand how to recruit cybersecurity. It’s very, very different. They honestly think they’re just recruiting an IT person. And I’m like, “No. No, no, no.” There’s different skill sets. Plus the fact that they’re at a high demand, and you’re going to find that you don’t recruit a cybersecurity position like you do an IT position. They’re very unique. You know, both of them are different.

And so, I spend a lot of time just understanding my current state, where my team’s at, and what we’re doing so that I can then, you know, one, update everyone’s job descriptions, and two, figure out what I have missing or what I’m short on. What skills, what training my staff needs. And then, from that I start … I’ll do a full assessment, you know, like a risk assessment of the organization so I can kind of establish a baseline of where we’re at. And that’ll basically result into a strategic plan and projects that we’re going to be doing, you know, over the next upcoming years.

And all of that goes into managing the team. Because as I start looking at the security stack and figuring out what may need to be changed out or what may need to be updated, I then look at my staff and figure out, okay, how badly training-wise … You know, what do these guys need? It doesn’t help me if I’m looking at, okay, I want to go full on and I want to do orchestration and I want to go ahead and upgrade and this, that, and the other. If none of my guys know how to do pipeline or know how to script … You know?

That’s one of the things that I got to take a look at as I’m reviewing everything. It gives me … Like, not only do I establish, you know, a risk baseline for my organization, I really establish a baseline for my security program itself. With that baseline I can start setting up, okay, what kind of training do I need? Do I need more FTEs? And if so, what kind of skill sets do I need from them?

I actually … I’ve done this before when I was with DoD and at the city and I’m doing it here, where I actually will build a matrix where I list all of my people, what certifications they have, what kinds of skill sets and experience they have. And then, I start balancing out as to, you know, what trainings I need to start sending them to. Because I need my staff at a certain maturity level before I can bring in certain technologies. I’m not going to bring in something, and then none of my people can use it because they don’t have … You know, they’re not ready for it yet. So, I kind of balance the technology with the people.

Dave Bittner:

Now, you mentioned the difference between hiring IT folks and cybersecurity folks. Can we dig into that a little bit? What are the differences there?

Gary Hayslip:

The way I kind of look at it is, there’s nothing good or bad about it, actually. I mean, I come from IT. I was a network architect. I was a software developer, got into security and got into forensics. I find a lot of, you know, most CISOs that I know, especially a lot of them that come from the military and come from DoD, many of us were in network engineering and stuff like that before we even got into security.

And that’s one of the things for people that I mentor, I tell them, “You should look at getting some network experience and everything first before you get heavily into security so that way you will better understand how networks are put together and how data flows and the different protocols.” I even recommend that they spend time learning cloud and learning, some of the different platforms and stuff, because it helps visualize how networks are put together before you start thinking about security controls and how to protect them.

And so, I mean, the differences I find between the two is that — I used to be a CIO, so I used to hire IT people — some of it is mindset, and some of it is skill. You know, IT is very operational-related. It’s very “current state,” you know, what’s happening today. I need to have email up, I need to have internet up. These applications need to be available. Boom, boom, boom, it’s happening right now. Security is happening operationally right now, but it’s also more of a long-term view. And it’s also more of an enterprise view.

Because security is not in a box, I mean, cyber pretty much flows through all the business units, you know? It’s really orientated around data. You know, it’s orientated around … Because the networks … To me, the networks don’t really have any solid perimeters anymore, because perimeters are floating around on tablets and smartphones and all kinds of other devices. Security is more oriented toward what the organization does with its data and where its data is at, who they’re partnered with, and who’s using that data. And as more and more organizations move into the cloud and leverage cloud, now data is international. You know, it’s all over the place.

You know, with the more mature security programs, you’re getting involved with cloud. You’re getting involved with — geolocational-wise — where is my data? Am I able to bring that up? Am I able to pull reports to see, you know, where it’s at? What if I’m looking at it from an incident response perspective? You know, am I taking into account that we’re a cloud-oriented organization and we’re spread across the globe, not just located in one area? Again, when I go ahead and I kind of balance those or I look at someone who’s … You know, they were a network engineer and they’ve done firewalls and stuff and they’ve been kind of very oriented toward that particular thing.

Where the security team, you know, I kind of look at … We have a lot more of a broader focus because of the way cybersecurity is used today. And I’ll be honest with you, right now, because of the shortages of being able to find security talent, especially medium to senior-level people, I’m even looking at … You know, I have no problem hiring network engineers and just converting them over to security or hiring people that know … You know, guys that know DevOps that are developers and want to get into security.

Making them … I’m more than happy to go ahead and, you know, take someone who has those skill sets, and they’re very interested in security, and just go ahead and train them. You know, it’s becoming harder and harder to find talent. Here in San Diego, there’s a very large competition for talent because of all the different cyber organizations and everything here.

Dave Bittner:

Now, how much of the work of a CISO do you suppose is technical versus diplomacy, versus your being a translator between the higher-level people, the board, and the other folks at that board level?

Gary Hayslip:

I would say it’s probably about … It’s probably about 60/40. You know, about 60 percent of the time, it’s more technical because you’re working with your teams or you’re working with peers and you’re solving risk issues. Or you’re solving, you know, technology issues. You’re trying to orchestrate, or trying to connect different platforms and to share data. A lot of that is technical. So, I mean, you still have to be able to speak that language and understand security and risk and be able to work with the different … Not just the network engineers or the security architects, but also people in DevOps.

And then, the other 40 percent is the management, the politics, the strategy, the evangelizing. You know, why security is important to the organization. Not just internally to employees, but also to partners. Also, being able to speak to the board. I mean, when you present to the board, you know, you don’t talk technology. You don’t talk threats and vulnerabilities. It’s really a business discussion.

You know, you’ve got to go ahead and take that whole technical speak that you’re used to chattering away in when you’re talking to other CISOs and other security people and flip it and instead talk about risk. You know, talk about loss of services. Talk about impact to business operations. It’s … The investment I did several years ago on my MBA is definitely paying off. You know, I did that on purpose, just so that I would better understand that side of the business.

Dave Bittner:

Yeah, it’s a really interesting insight. I want to switch gears a little bit and talk about threat intelligence, as we do on this show. So, what is your take on threat intelligence? Where do you think it fits in? What’s the importance that it plays?

Gary Hayslip:

I honestly look at threat intelligence as going ahead and putting security controls in place to go ahead and protect my organization, to go ahead and reduce risk. I look at threat intelligence as something that helps … Basically, like, it enhances it. You know what I’m saying? I mean, I’ve got limited resources, you know, for technology, for my staff. And so, when I am deploying these things and putting controls in place, I need ways to be able to figure out how to prioritize. You know, what do we mitigate first? To prioritize which controls are more important than others. From an incident response perspective, which things should be remediated first, because they have more of an impact on the organization.

You know, threat intelligence helps us do a lot of that. It goes ahead and it helps us prioritize, not just being able to go ahead and train my staff on how to respond to incidents and everything, but also helps me prioritize as to which vulnerabilities should we patch first. Because they’re, you know, active in the wild. You know, I kind of like to go ahead and weigh several things as I’m looking at patches and I’m looking at things that we need to remediate or fix.

Dave Bittner:

Yeah, and it strikes me … There’s that difference between information and intelligence, and that you really want things to be actionable.

Gary Hayslip:

Oh, yeah. Yeah, and not only … In fact, our CTO here at Webroot, Hal Lonas, he likes to say, “Real threat intelligence.” You know, and he’s talking about threat intelligence that’s in real time and that’s contextual. I’ve given several talks on this, and it’s fascinating, just the thousands of different feeds out there, and services. Whether it’s open source or whether it’s a paid service, there’s tons of different types of threat intelligence out there. But when you think about it, almost anything that creates a log could be used as intelligence, you know? And it’s up to the organization as to how they want to use it.

Whether it’s internal intelligence — you know, stuff that they’ve collected over time because of previous breaches that they’ve had before, and that kind of data where they can tell, okay, we’re getting hit by these types of phishing and spam emails. So, hey, let’s change our employee training to incorporate something new to try to reduce these numbers. You know, or whether it’s external threat intelligence that, hey, we’re signing up for this service, but we’ve gone in and done some checking the boxes because, you know, we don’t want the whole thing, the big broad swath of data, because 80 percent of it doesn’t really apply to us. If we’re a company that’s using SAP, well, why do I want threat intelligence on Oracle? You know what I’m saying?

Or if we’re a company that’s using Cisco devices, well, I definitely want threat intel on Cisco, you know? I don’t want threat intel on Juniper. I want things that apply, and then, not only do I want data that applies to my infrastructure and my stack that I currently have installed, but I want threat intelligence that’s not two years old. I want threat intelligence that’s, you know, in real time. Or as close to real time as possible. So, that way, at least I’m looking at something that’s current, and it helps me prioritize okay, hey, what do we need to work on?

I think that’s a big discussion I find, is that … You know, for Webroot, predominantly, most of our customers are MSSP or the SMB market. The SMB market is swamped, just trying to do basic hygiene. Just doing the basic security stuff that they can do to go ahead and, you know, stay in business. Threat intelligence, to me, tends to be one of those mature types of security controls that organizations start doing as they grow.

So, a lot of times, they end contracting it out to someone who’s a service provider, and they want their service provider to handle that kind of stuff. And you know, that’s where I kind of look at it. Whether it’s an MSSP doing it or whether it’s another business doing it, to me, it’s an enhancement to your security controls. You know, it helps you make choices and prioritize what to do with the limited resources that you have. You know, the limited security budget that you have. So, at least you know that the money that you’re spending, the FTEs that you’re hiring, they’re for specific things that are current, that actually apply to you.

Dave Bittner:

As you look forward, you know, the general security landscape — is there anything that you think isn’t getting the proper attention that it deserves? Is there anything that you scratch your head and you think to yourself, “Boy, people are missing this. We should be paying more attention to this”?

Gary Hayslip:

The interesting thing that I find that is, we’re dealing with an acceleration of threats. For the longest time it was, you know, it was APTs — the advanced persistent threats. You got nation states behind it using advanced malware. And now, you’ve got advanced persistent bots, you know, that are using machine learning. And you got smarter, more realistic types of phishing and spam emails that you’re seeing. You know, a lot of this is because of stuff that’s … They’re starting to use AI and machine learning to get behind. At Webroot, we’ve been using AI, machine learning. I think our first models were back in 2006. We’ve been using them for quite a long time.

But what I’m seeing now is, the industry itself is starting to incorporate that because the threats that we’re facing are incorporating that. They’re getting smarter. You know, the adversaries that we’re dealing with, they’re not stupid. I mean, they’re going to go ahead and … Honestly, they’re going to use a lot of the same tools, technologies, and techniques that we use to make their operations better. You know, to save them money. Which kind of sucks, because then it makes it harder for us to fight the fight. I mean, I honestly feel like we’re in a digital Cold War in a lot of ways.

Some of the biggest things that I’m really concerned about, when you really think of the internet on a daily basis and the data that’s flown on the internet, I think over 40 percent … Easily 40 percent of that data is not human traffic — it’s bot traffic. There’s so much automated stuff that’s going on on networks now. And how much of it is malware-based? And you know, I worry about that, because we fight about … You know, we fight it daily. You know, as my … I’ve got young kids, and as they’re getting older, they’re connected into everything. When they get emails and stuff, and when they get things as they’re in college and in school and, you know, just accepting things, they don’t really understand that, hey, the internet’s a very dark place. So, I worry about that a lot.

Dave Bittner:

Yeah. So, it’s an interesting insight. I mean, I wonder … To use an analogy, I wonder, you know, my parents and yours probably had stories about growing up when polio was a thing. And measles and mumps, and you know, those sorts of things that we don’t really think about because we have effective inoculations against them. I wonder if we’ll see similar things with our own kids? Are there going to be some of these problems that we deal with that they’ll consider quaint, or you know, that their parents had stories about that they just don’t have to deal with, but then, there’ll be new things they have to deal with?

Gary Hayslip:

Oh, yeah. I mean, it’s like the whole idea about privacy and how … I was basically raised that privacy was something that you were born with and it was a God-given right. And now, it seems like it’s a commodity that you buy. I think it’s definitely going to be a shift for them. But at the same time, you know, as I spend time with them, it’s amazing how quickly they use technology, and how quickly they pick things up and… Because they’re just so used to having it around them.

Dave Bittner:

Our thanks to Gary Hayslip from Webroot for joining us. If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner. Thanks for listening.