Security Needs to Be Easy to Use and Easy to Explain

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 97 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Chris Betz, senior vice president and chief security officer at CenturyLink. His career journey has led him through a variety of well-known organizations, including the U.S. Air Force, NSA, CBS, Microsoft, Apple, and now CenturyLink.

He shares some of the lessons he’s learned along the way, his leadership style, the challenges he sees the industry facing in the near future, as well as his thoughts on threat intelligence and privacy. Stay with us.

Chris Betz:

I started off in the Air Force straight out of school. I was an Air Force Academy grad, so I didn’t have too many choices in terms of where I went, but I was in a fortunate position that, while I was still in college, I was able to do some independent study in cybersecurity at the Air Force Information Warfare Center.

I don’t know if it was related to that or not, the Air Force systems are somewhat opaque, but I ended up landing in a role early on — actually, my first job out — where I was able to get involved in some aspects of cybersecurity, namely certification and accreditation, and from there managed to bump into a bunch of the right folks and found my way up to NSA where I was able to do, both in and out of uniform, a bunch of different technical roles in cybersecurity.

Then, once I left NSA, I went on to CBS, and then Microsoft and Apple, where I had various roles, everything from technical engineering to policy cybersecurity. It’s been a great blend. In tech, I really found my passion for not just cybersecurity and engineering, which is what brought me to CenturyLink, but that combination of being able to be innovative and forward-leaning and building new and different services combined with cybersecurity, and then, frankly, the security overall background and opportunities that this provides me with.

Dave Bittner:

Before we dig into what you’re up to there are CenturyLink, if you’ll indulge me as an old-timer who goes way back, I have to ask you to contrast your experiences at Microsoft and Apple.

Chris Betz:

I really, really loved the passion at Apple. Just incredible passion for cybersecurity, for user-facing features. It matches my passion for privacy and security. It also really helps me bring out how to make things easy for people because I truly believe that cybersecurity, that security in general, should be easy to use. That’s tricky to accomplish, but man, it’s terribly important.

Microsoft just has an incredible ability to deliver — deliver at scale and deliver over and over again for enterprises. So learning from how they engineer and build big cloud services and systems for enterprises was an incredible experience as well. I really think that, while they have very different cultures and very different approaches, it’s a great combination of experiences and, really, some dynamic, dynamic places.

Dave Bittner:

How neat for you to be able to have gone through both of them, to take with you the benefits from two very different cultures.

Chris Betz:

I’ve been really blessed by opportunity to be at a number of different companies with very different cultures. It’s both a challenge to learn what’s important in the different cultures as well as a great opportunity, as you said, to be able to bring out different things from each place and continue to build a better me and a better security organization.

Dave Bittner:

Let’s dig into your day to day at CenturyLink. Before we dig into that, can you give us an overview? What does CenturyLink do? What’s the breadth of the products and services that you provide?

Chris Betz:

CenturyLink is an incredibly fun organization. It’s the second-largest telecommunications company when it comes to enterprises. It has really changed over the past 25 years. I think we’ve got somewhere around 450,000 miles of fiber over 60 countries, and so it’s really a global network, a global presence with massive peering with other network companies. That gives us a unique set of visibility into the network, which is incredibly important from a cybersecurity standpoint.

It also is an incredible business where it’s not just network, but it’s IT and other services that we provide for a wide variety of customers, as well as our consumers. It really does stretch back to my prior experience, everything from the enterprise muscle to the consumer muscle, and it really gives a great platform for us to continue to build cybersecurity both into what we deliver as well as on top of specialized services.

Dave Bittner:

As the chief security officer there, how do you break your tasks down into their component pieces? How do you keep from being overwhelmed by the scale of what you’re up against?

Chris Betz:

First, magic is making sure I’ve got good people on the team. Without good people, there’s no way I could scale to do the job. Really, it’s about having leaders who are not just capable of doing the work, but finding the people who are passionate and able to transform the organization because, in the communications industry, we’re in a great place, but it’s also a very challenging place. We’re moving from very traditional telecommunications models that come out of Ma Bell and into a field that is so technology-oriented that, within the next five to 10 years, it’s going to be very, very difficult to tell the difference between us and the big tech companies. Making that transformation is incredibly important, and you have to have leaders who can scale to do that.

It’s a combination of teaching, coaching, self-education, and finding and growing the right folks. That’s at all levels, not just my directs, and it’s not just managers. It’s also ICs. I think that’s one of the characteristics that I’ve brought out of my experience, really, across Microsoft, Apple, and even NSA, is how much those organizations value individual contributors who are also leaders. You don’t just have to be a manager to move forward in cybersecurity or in tech or in engineering. As you know, some of the most influential people don’t have any management responsibilities at all. That’s key for us here, and that’s key for building a good team.

Dave Bittner:

How would you describe your leadership style with your team?

Chris Betz:

I think the better question is, “How would they describe it?” I try to focus hard on making sure that I’m equipping people to do the job and allowing them to execute and then holding them responsible. That’s the only way to really scale.

One of the more interesting concepts I came across … I don’t know, five, 10 years ago, was on the difference between coaching and teaching. They talked a lot about coaching being a skill that you use when somebody has the tools and knows the answer, but they need help getting there, and so it involves asking questions, challenging them, helping them find the right insights to solve the problems. That’s terribly important in terms of being able to get people to take on that work themselves and really be able to scale and execute on their own.

I try to fall back to teaching only when I don’t believe they’ve got those tools because, to be honest, it’s not fair and it’s painful to try to coach somebody about something that they don’t know, and so, it’s finding that right balance. I’ll be honest, I’m constantly working at it. I am a driven personality, and so it’s natural to fall into teaching habits, but it’s terribly, terribly important to use coaching and other tools that help really build capacity within the organization.

Dave Bittner:

What’s your relationship with folks like the board of directors?

Chris Betz:

Funny you ask that. I, let’s see, two hours ago finished talking to the board of directors on cybersecurity. Yeah, I meet with them at least once a quarter. We have really thoughtful and important conversations about risk and the direction we’re headed as an organization. They’re a great sounding board, but they’re also a good way to make sure that I’m focused on the right things, and it helps me keep strategic focus on the organization because, let’s be honest, cybersecurity is a ton of fun, and it’s really exciting, and it’s great to get into the day-to-day defense and the technology. Being able to take that step back and making sure that you’re part of the business success, not only with your business partners but at the all-up company, is an important reminder.

Dave Bittner:

I guess, is it fair to say that you provide almost a translation layer between the technical folks and the folks who are managing risk at a board level?

Chris Betz:

I think that’s true to some extent. In some ways, cybersecurity, while nuanced, is not more complex than other aspects of business, finance, et cetera. Each area has its own complexity and its own nuance. I think many of the core concepts in cybersecurity are relatively straightforward. My job is to enable the right risk decisions at the right level in the company. We focus on protecting sensitive data, keeping services running for customers, maintaining accuracy of our data, certifications for trust, protecting people and our assets. Those concepts are straightforward.

This goes back to my thinking on, good security is easy to use. I think good security can be easy to explain. As you point out, the implementation is terribly, terribly tricky, and that’s where I need to be very thoughtful, but I think of myself less as a translation layer and more of a way that we’re making sure we’re keeping focus on the high-level objectives, while I’m also thinking about the technology and the way we use it to protect our folks and our data.

Dave Bittner:

I guess there’s a risk of becoming siloed, that the security folks … You need to be communicating with the different leaders throughout the company.

Chris Betz:

You’re spot on. Fortunately, at CenturyLink, there’s little opportunity for me to be siloed. Frankly, on a daily basis, if not on a weekly basis, I’m meeting with many of the leaders who are responsible for our products, for our engineering, for our IT, as we look at what products we’re building, where we’re going, what direction we’re driving. I work with my peers. It’s everything from the network that we provide to our customers and to ourselves, as well as the software that we’re building to provide advanced services.

The way CenturyLink runs the business has been great and really embracing. I’m there at the table in all those conversations. I’m adding both as an engineering leader and as a security leader, and that means that it’s hard to get separated, but you point out one of the major traps of security is to be siloed. I’m just very fortunate to be in a company that’s so forward leaning that that’s not really as much of a challenge as it is in other companies.

Dave Bittner:

I’m curious, one of the things that we touch on here regularly is threat intelligence. I’m curious about your take on that. Where do you feel like threat intelligence fits into the day to day and your ability to do the things you do?

Chris Betz:

I know you’ve spoken with Mike Benjamin in the past, so you know a lot about our threat intelligence, and frankly, our passion for it and my passion for it. In fact, just today we announced Black Lotus Labs launching, which is an even larger focus on our threat intelligence programs within CenturyLink, and so it’s definitely an area where I’ve been investing heavily.

I mentioned earlier in our conversation, about the scope and span of CenturyLink’s networks. That gives an incredibly rich place for us to be able to observe and counter malicious activity of all sorts. We get well over 100 billion NetFlow records each day. I think it’s up into 115 or so billion NetFlow records each day. Based on that and a set of honey pots and honey networks and some other neat technology, we’re able to monitor many thousand C2 (command and control) servers on an ongoing basis.

That turns not only into threat intelligence that enables our products to be more secure, but a big part of how I think about cybersecurity is that, and one of the big advantages of being a large communications company, is that I think we should do our best to provide a cleaner internet experience, a cleaner network experience. To that end, we take on nearly 40 command and control networks every month and knock them off our networks, knock them globally of the internet and really block that traffic. It helps reduce distributed denial-of-service attacks. It also takes a bunch of malware command and control off the internet.

That capability to act based on the threat intelligence is really exciting, and so, as you point out, threat intelligence is a crucial part of what we do. It’s something that we’re investing heavily in from a machine learning standpoint, from an automation standpoint, from a big data standpoint, but it’s not just to learn and it’s not just to share with other people. It’s also to be that execution arm that takes action to provide a cleaner internet experience.

Dave Bittner:

What is your philosophy when it comes to sharing information with other organizations? Obviously, you’ve got competitors out there. You are a business. It strikes me that also, as a security company, there’s a benefit for everybody to be able to share some of that information around.

Chris Betz:

We share and consume avidly with other partners. One of the things that I’ve been fortunate enough to do, by coming here, is to be able to light up different parts of and form new relationships with different parts of the tech industry than we’ve had in the past in addition to our traditional partners because, as you say, it is so important to share information back and forth, to have those ongoing conversations, and be able to act in a concerted fashion.

Yes, there is competition in the market, and yes, we provide cybersecurity services, but threat intelligence is not something I think about in terms of, where should I compete in threat intelligence? I think about threat intelligence more in terms of, how do we collaborate to take down the bad guys? If there’s any competition, it should be in how fast I can react to that, and how quickly I can eliminate it, and how secure I can keep my customers, not about, can we pin down the right bad guys? Because that problem is too hard and the bad guys are too plentiful. We need to take them down as quickly as possible.

Dave Bittner:

What are the things that you see rising up over the next year or so? What are the threats that you have your eye on?

Chris Betz:

I’m always watching, especially with … To hit some topics that we’re all familiar with, but with IoT and the plethora of devices continuing to come out, I do continue to worry about expansion of distributed denial-of-service attacks. I am worried about both increased volumetric attacks, because those trends haven’t slowed down, as well as some of the more sophisticated resource exhaustion attacks that happen deeper at higher protocol layers above layer seven. Those are always top of mind to me because they’re so disruptive and carry so many secondary effects even on the organizations that aren’t targeted. Frankly, they’re too cheap. People can go on the black market, pay a minimal amount of money, and have a massive impact. That’s very concerning.

I think that some of the geopolitics are going to continue to drive a much more combative cyber environment from a sophisticated actor perspective. I think it is going to continue to be very important to discuss what are thoughtful norms that people can be held accountable for and that countries can be held accountable for because I don’t see that environment getting any easier. As there’s a number of different questions about, what are norms internationally, whether it be Brexit and other events in Europe, or the relationships that the U.S. and other countries have or even changes in the global space between China, Russia, and the Middle East. It’s going to continue to be a challenging environment.

Large companies like ourselves and small companies around the world, as we participate in global trade, are going to be affected and need to pay a lot of attention to it. I don’t know that there’s anything particularly unique about that insight, but I think it’s important that we stay focused on some of these core fundamental threats because they’re not going away. While we see a lot of discussion and speculation about some new and novel things, and we have to keep an eye on those, we can’t lose sight of the ongoing and enduring kinds of attacks that we see and how to defend against those.

Dave Bittner:

Where do you think, in an organization like CenturyLink, your responsibilities lie when it comes to privacy?

Chris Betz:

Privacy is near and dear to my heart. It is something that I think is incredibly important. I’ve been very interested in watching the tapestry of regulations around the globe occur. I think CenturyLink has been very clear about our perspective in terms of how important customer data is, how important privacy is. We spend a lot of time making sure that we offer services that enable our customers to be both private and secure.

I’ve been really enjoying watching the trend. I think it’s going to be challenging to balance the thoughtfulness in terms of how we make systems private and secure while still remaining usable. Those are some big challenges we’re going to have to deal with over the next few years in regulation, but I’m happy to be part of a company that takes privacy as seriously as we do and is focused on it on the going-forward basis.

Dave Bittner:

With the unique view that you have, with the global view of the internet and communications that you enjoy in the position that you have with a company as large as CenturyLink, what words of wisdom do you have for the rest of us?

Chris Betz:

Start with the fundamentals. They don’t go away, but there’s a reason why phishing, unpatched systems, et cetera, remain a key issue. Second is, focus on core versus context. I think there’s other language for that that’s become more popular recently, but I work hard on making sure that the things that I’m focused on are unique to us. Where we can use solutions that are well put together, I’m going to look at outsourcing them because there are companies out there that are going to be spending a ton of time and energy getting really, really good at this specific area, and I don’t need to rebuild that internally. I should just leverage that.

The ability to execute threat intelligence on email is not something that I’ve got an in-house capability for today. It’s something where I partner with others who are able to take the threat intelligence, both ours and other people’s, and really execute that to make sure our email is as protected as possible, and so I’ve chosen not to make that core. If, at some point, I choose to make that core, potentially, I’m going to go put a bunch of engineering cycles in, then I’m going to triple down on it, and so it is that balance of figuring out where you want to be strong internally and where you’re going to really go in full force with full capability and where you want to rely on somebody else who is going to be doing that all day long and can really bring that kind of focus and capability. It’s that blend of a managed service versus an in-house.

Dave Bittner:

Our thanks to Chris Betz from CenturyLink for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by The CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.