Using Automation to Kick Your Cybersecurity Program Into High Gear 

June 9, 2021 | 41 min read | Security Posture

Steve Zalewski is the Interim CISO at Levi Strauss & Co., and an esteemed member of the Balbix Advisory Board. Balbix founder and CEO Gaurav Banga recently met Steve for a chat on how organizations can kick their cybersecurity programs into high gear to keep up with the attackers and the general need for speed in cybersecurity. An informative and educational discussion ensued. Watch the video or read the transcript below.


TRANSCRIPT

Gaurav Banga 

Steve, as we’ve discussed, Friday is my favorite day and I’ve written about this publicly. This is the day when I choose to connect with people like you, gain from your insights, and have a candid conversation around how we move forward. How we move forward as an industry on this exceptionally serious business of cybersecurity, which has gotten even more serious in the last few years. I remember this time a few months ago… gosh, it must be six months ago now. You said something that kind of just hit me in the face, which is: it’s all about speed. And you talked about it’s a simple concept, it’s all about speed. So, with that, I really want to make sure that the folks who are listening to this get a better idea of what you meant, or what you mean, when you say it’s all about speed, because I think a lot of people can benefit from that. So, I guess the question is: Steve, why is speed important in the business of cybersecurity or information security?

Steve Zalewski 

Part of that is… there’s a second part of that, which is: it’s all about speed, and speed kills. And what I mean by that is the attackers are using automation continuously to kill us. As an industry, all of us are trying to sell products and they [the attackers] effectively are preventing us from doing that. So, we have one common enemy, so to speak, but we’re solving it with 1000 little armies. That’s why I say speed kills. So, they’re killing us with the speed of automation that they’re adopting and we are not reciprocating; we are not using the same tools that they are to our advantage and therefore, we can’t stop them at the same speed that they’re attacking us. And as long as that foundational brutal truth holds true, we’re losing.

And so, if speed kills, speed kills bidirectionally. So, let’s get on that bus and figure out how we get better ourselves, and stop using static-type methodologies and use automation. And the word I use is polymorphic defense. We can’t be everywhere at once, but if we move quicker, we can more likely be where we need to be, when we need to be, as the attackers are using their polymorphic attack scenarios to touch our various perimeters. Now that, unfortunately, sounds pretty technical and I know it uses some military terminology, but the underlying reason why we have to adopt speed, and speed kills, that’s how I arrived at that conclusion.

Gaurav Banga 

That’s very, very well said. So, you said the adversary is already using speed against us. We are not, at least as an industry, using speed. So, why is it so hard to be fast in the business of information security? What gets in the way of speed from a defender standpoint?

Steve Zalewski 

So, I actually have been thinking about this and my question is: why are we so afraid to automate? That is how I translate that around, which is speed… which is, why as an industry do we try to put people into the automation path because we don’t trust automation? So, the very thing we have to do, we sabotage ourselves; why is that? And the answer, in my mind, I think is pretty complex, and it has to do with the fact that as a 30-year-old industry, and the different verticals that cybersecurity has to manage; electrical or healthcare or retail… There are so many use cases and such a wide variety of adoption of maturity, that every CISO effectively is a unicorn in looking at how they value automation. And let me give you an example. Because again, it sounds like I’m weaseling out of the conversation, but what I’m really trying to do is understand the 1000 facets of the conversation where we’re all having the same conversation, but differently. Some people or some organizations look at automation of prevention. I’m going to talk about prevent, detect, contain. I’m going to talk about no automation, some automation, high automation. Because that is the matrix to understand what an organization’s cybersecurity posture is and why they’re either aggressively adopting automation, or limiting the adoption because they can’t provide the value proposition to their leadership or they’re just afraid. And here’s where I say that; let’s assume that you’re worrying about prevention, so I want to prevent bad things from happening. Well, to do that, you have to start with detection because I can’t protect what I can’t see.

“ To prevent bad things from happening, you have to start with detection because you can’t protect what you can’t see…”

There’s my SIEM, so I’m going to start to correlate all that information and then I’m going to use automation to find more and more things that are potentially an issue. Well, in that case, automation, is it good or bad for me? Because if I’ve only got a limited number of analysts and the automation is finding more and more potentially bad things, I’ve done myself a disservice because I haven’t matured my prevention automation to where I can take the output of a detection and potentially automate that to prevent. So, now you started early on the maturity for detection and it’s slowing you down, because the efficiency that you’re hoping to gain, you haven’t thought through enough of the automation process between prevent, detect and contain, to actually see, not necessarily to drive efficiency, but to drive a better business value to protect the company.

Gaurav Banga 

Steve, you’ve talked about this a lot, which is: you’re protecting the business, you’re protecting the business, you’re protecting the business, and that’s the only thing that matters, and if you’re not protecting the business… I talk to a lot of CISOs, customers, prospects, and I still see this huge spectrum of folks: on one end, those who are obviously trying to do absolutely the right thing, they’re very closely aligned with what you just outlined; then why would you not automate? They have a mandate; let’s automate everything. And then, of course, they have their minor challenges like, I can’t hire enough data scientists and things like that, so should I build vs. buy, and those things that are always there in business, but at least you’re on the right track. And then there are others that are much, much earlier in the journey and I just want to say… let’s say for a second you are advising a CISO or a CIO in one of those organizations which is not in a good place from a cybersecurity maturity standpoint, and they describe to you: we run a vulnerability scan via Qualys once every three months, or maybe once every six months, and we use Qualys, Tenable, Rapid7 and the tools out there, the three big ones and a host of 20-odd smaller, less well-known companies. And then we go patch if we have to. We get a checkbox for keeping ourselves safe and that is how we have always done things. What would you say to these folks? And then if they say, well, you know, why is this not good enough; what would you say to that?

Steve Zalewski 

So, the first thing I’m going to say is: are you a technical CISO or a risk CISO? Because what I’m really calling out here, and you talk from when I say this, which is how does this sell more jeans… is oftentimes the challenge I will put to a security provider, and it’s a non sequitur. They’re so enamored of what the security solution can do, and why we have to have it, that they’re not thinking about the business value proposition. Is the ROI there for me? And so, the conversation for me then becomes, look… you’re an insurance policy provider, that’s what you do with business risk. And so, as I’m looking at the maturity like you talked about, what you’re realizing is, you’ve got CISOs that are technologists talking to the CIO, where efficiency and efficacy of the tool drives 80% of the conversation, when this is not an IT problem. I can’t secure the company, for most people. I can’t just lock it down because of the coefficient of friction that I’m going to implement on the business processes; the business is going to rebel and it’s just a matter of where that friction coefficient is going to be. So, if I now come back and say: I can’t secure the company, but I can certainly protect key facets of the company. What is most important to the company; protecting patient records, providing health care, delivering power, selling jeans? It doesn’t make any difference what it is, but you’ve got to apply that so that then you can figure out, given the resources I have, the capabilities of people, process, and technology, where is that balance against key business risk, so that you can make some hard decisions. And then the last thing I’ll simply say is: in many of these conversations, what happens is, in order to make the efficiency play, you need more people, because you commit to maintaining your current perimeter of capability, and then you want to implement this new perimeter and then you’ll eventually stand down some of the old people.
So, it’s like you have to build a new trench while you’re in your current trench and you don’t want to take any of the people out of the current trench to go build a new one that’s going to be better; you need more people; you’ve just set yourself up for failure. That’s where all of a sudden efficiency of automation gets in the way of the value proposition. So, that’s when we have these conversations, I start to talk to people and I say, what are you going to stop doing to improve automation? Because that efficiency play, as soon as you need more people, doesn’t fly. So, again, it’s getting back to: okay, well, if I’m going to stop doing some things, is that defense in depth? Is that compensating controls? Is that going to your leadership team and simply saying, look, it’s not as important that I worry about insider threat as it is that I worry about phishing? And so, let’s be clear on where my key facets of attack are and move my defense to be the speed and the focus to be on where the key risks are.

Gaurav Banga

So, this is very insightful, Steve. I guess the question really then becomes that if you are a CISO that is talking the language of IT and vulnerabilities, and not being able to map it onto the business, the conversation is not going to go very far, because the business is never going to appreciate what you’re really doing to protect the brand, protect the business.

Steve Zalewski  

So, this speaks to the responsibilities in my mind of what the CISO or the security leadership responsibility is to the business; which is, mostly CISOs are IT-based. They know IT, they report to a CIO. They’ve come up through those ranks, they understand deficiency and measurement. And that’s what I said, which was: there are a thousand CISOs out there and they’re all unique with regards to what the company is, what the value proposition is, what they have for capability. There’s no commonality; we’re just too young and everybody is just all over the map, so the titles don’t mean anything. So, as we’re having these conversations, the whole goal is, if you don’t know what’s most important to protect, and you simply rely on a good security program, the entrance barrier to a good security program for many CISOs is beyond reach. It’s just going to cost too much in people and resources to establish all the necessary components of a full-fledged security program. And you can try to outsource and everything else, but at the end of the day let’s just say it’s going to cost you $1.5 million for a 300-person company to put all the right basics in, because attackers don’t only attack you one way because of your size; they use all of the methodologies. Well, at $1.5 million, the company just isn’t making that much money, they can give you half a million dollars; well, now, that’s just it, which was, as a CISO, what do you not do and still hold that commitment? Well, you can’t treat it as a set of IT functions. You have to now think about it from a business perspective to be able to think about the true risk and then apply the automation where you can to be able to manage it. So, what I’m asking people to do as we have this conversation is: how does it sell more jeans? Let’s have that business conversation right upfront. Your company may or may not align to that, but again, it depends on the size of the company, the individuals.
But the fact that you, as the security practitioner, are going to now have this conversation with your CIO, and a business conversation with your CIO, you need that flexibility; otherwise, how do you sleep at night? How do you go to bed knowing you have an impossible task? And that’s part of why this automation conversation, I think, is really touching on some of these larger issues with how we, as a set of practitioners providing security, need to up our game, to really get to the business value proposition with everybody we talk to, so that we can get to where we need to be over the next 20 years.

Gaurav Banga  

Steve, you just touched upon this: a CISO’s barrier to running a good security program is knowing what you’re protecting, because if you don’t know what you’re protecting, you’ve got nothing. You talked about this as one of the three brutal truths of cybersecurity that you and I have discussed many times. Which is that organizations for the most part still do not have an accurate or complete idea of what it is that they’re protecting; an asset inventory, which is also linked to business context. You can’t protect what you don’t know about.

Steve Zalewski  

Agreed. Here’s how I think about that: I can’t protect what I can’t see. I can’t see what I can’t discover. But once I discover something, do I want to see it? Now that sounds like an oxymoron; here’s why. As a CISO, I have the responsibility. The day I arrived, I’m responsible for the company, all the assets, all the responsibility. So, as I go through and start to do asset inventory, I start to get visibility into what’s out there. Before I go show people what I find, you have to socialize that with your leadership teams, with others. Because commitments have already been made and people may have made statements at the leadership level around their tolerance to risk or what their current posture is, and they didn’t really understand what it is. So, when you’re bringing data back to the table, that’s why I say which was: seeing it, getting visibility, and then acknowledging discovery of what that visibility provides is a distinct step, because you’ve got to give potentially you, your team and other leadership teams in the business a chance to be able to rationalize the discovery that you’re going to bring to the table. All our OT, our operational technologies, are completely separated from our IT network. We’ve got them hardwired in; nothing happens. You do a little discovery and you’re like: hey, how come these eight IT devices are sitting on my OT network? Well, let’s not report that yet; let’s do a little research, discovery, socialization, to figure out what it is so that we can characterize that appropriately. Because the risk to the company now is your brand management; you’re a public company, or it gets out. So, that’s why I say automation is important, but it comes back to: discover it, get that visibility, then I can figure out how to manage it, and depending upon what I want to manage, I can automate as much as I can.
So, that’s why I say every decision is really kind of a unique decision, because you’re having to then look at the team; I’ve only got so much money, what do I do? An example for me would be in stores. We have owned and operated stores around the world. We also have franchisee stores. I can tell my owned and operated stores what to do. Here’s my point of sale system. Here’s my network segmentation. Here’s how I’m handling PCI. My franchisee stores, that’s a contract with them that they’re selling our jeans. I can’t necessarily tell them what to use for technology and capabilities in the stores: point of sale systems, networks, or the antivirus on them. So, how do I put a bubble around that problem that I can’t solve, yet I’m responsible for protecting Levi’s brand, as an example.

Gaurav Banga 

Steve, if you look at the situation that a lot of new CISOs would be in, even old CISOs, and let’s say they listen to this conversation and they will say; aha, and start nodding, or I get it, I need to invest in automation. And like you said, maybe they have not been doing a lot of automation in the past, so they need to have a conversation with their boss, the CIO, maybe the CFO, whoever it is, and maybe the audit committee or the board of directors and say… I need to make a new bet. It’s almost like saying, “Yeah, you guys trusted me but you know what? I just had an epiphany yesterday, and I had a wake-up call yesterday, and I really want to bring it up to you guys and we need to move. The good news is, we know what we’re not doing. The bad news is you still have to do it. It’s a good way.” So, you want to have this insightful conversation with your board and you know, the attention spans of boards, and their background is non-technical, more CFO-ish, and then CIO-ish, although there are obviously exceptions. So, what advice would you give to a CISO like that, who has maybe 15 minutes or five minutes to sell automation to their CFO and the Board of Directors? Can you add maybe a few tips?

Steve Zalewski  

Sure. I’m going to go through a maturity curve in 30 seconds here. So, what I’ll actually say is you can pick any of the three ways I’m talking about to have that conversation.

The first way is, if your board is technical, or if you’re technical, or you’re having the first conversation, then your conversation is going to be: what are the security controls that I have in place? Identity and access management, network protection, security awareness training, phishing, risk assessment; have that conversation. That’s how you’re breaking down your ability to provide protection to the company and it can provide a set of measurements and potentially metrics; goes well with IT, fits within what the CIO wants. The board may not resonate well, but they understand it’s coming from the CIO and that’s just how technologists speak. Good first shot, okay?

Second level, second generation: transition out from one of security controls to a cyber risk conversation. Talk to them now about prevent, detect, and recover. And the way I did this is I said, look… I went to the board, I said: I’ve talked to you about all these security controls, but that’s not important, let’s talk about the business. So, my job, I said, was: my job is to prevent the compromise of our systems where our ability to sell jeans is impacted; prevent that. Second is, but it will happen, so detect when I’ve had a compromise in my supply chain so that I’m not selling as many jeans as I could, and contain that. Isolate that part of the company’s supply chain, or whatever the incident is, so that I can reestablish integrity in the business decision-making processes and keep selling jeans for all the unimpacted areas, and then remediate that impacted area, and that’s contained. That introduces cyber resiliency. Now, what we’re saying is we’re continuously attacked, we’re continuously recovering; that is the way we do it. We prevent, detect and contain. So, now they’re understanding it’s an attack methodology as opposed to a disaster recovery, or an IT availability conversation. You just made a huge leap.

And then the third part of automation, what we did is we said: alright, now we’re going to go beyond that; what is the business and what is security’s responsibility to the business? And we say we do three things. Our job is to protect the brand. Our job is to protect our people. And our job is to protect our supply chain. Everything we do is for one or more of those three things. So, now, instead of just talking about prevent, or detect, or recover, I say: look, our brand is our e-commerce site for commercial fraud and it’s the social contract with our consumers for all of that consumer data that we hold. We violate that, we’re in big trouble. That’s brand management and so, therefore, what am I doing there? What am I doing to prevent that situation? What am I doing to detect it and how can I contain it if it’s ransomware… if it’s a phishing attack? And so, now, they’re simply saying: oh, so now I’m starting to look at your program as to where the investments are against the key revenue opportunity. Protect our people… we have creatives and designers. They are people that think about cloth, think about how you look; there’s emotional content to that. These designers are not IT professionals. We need to put a bubble around them for them to do their job, but they trust, they’re highly communicative, therefore phishing campaigns and social attacks are highly successful with them because they’re designed to trust. Now, it’s not my job to get them to think evil; it’s my job to put a bubble around them. So, therefore, everything I can do for preventing phishing emails, or proactively talking to them if we think that they might have made a mistake, or malware attacks coming in. We put everything we can against that for people, process and technology, because protecting our people is protecting our business, but it’s a different avenue now. And then our supply chain, which was… look, we make jeans.
If you impact my physical supply chain of manufacturing and distributing jeans; I always tell everybody, my job is to sell jeans. I say, what’s the most important thing that I have to do? I have to make sure that there are jeans in the stores. So long as the stores are open and there’s inventory in the stores, we’re making money. I may not know how much, I may not know everywhere, but as long as I know I’ve got inventory, I’m chilling; can’t screw that up. And then the second part of that is, as digital transformation is pushing us all into the cloud, now I’ve got third-party and fourth-party risk for all of these digital providers of services that integrate into my supply chain. How do I manage that risk? Underneath that, cyber resiliency: we realized that in doing all that there’s going to be attacking and we have to recover. Now, when you have the conversation around automation, this is where we got to the business value proposition. So, the board would say: look, we’re really worried about the supply chain now because we’ve seen ransomware, we saw the Microsoft issue, we saw SolarWinds, so what is our posture to be able to manage that risk against the other risks that you’ve already outlined? Because it’s a balanced conversation, and that was for me the beauty of the conversation then: here are the levers I have, here’s what I can do with the dollars, here are my resources, here’s what we’re doing, here’s my experience and my expertise offering as to how we’re going to do this. But we have to push automation and containment to the forefront of what our ability is, because like I said, at the end of the day, I have to take insurance policies, I have to protect; speed is the objective, polymorphic defense to make it harder for the bad guys so they go somewhere else. So, now we’re back to: it’s speed and automation.
In order to be able to do this, in approaching the board, you’re going to look at technology, you can look at cyber risk, or you can look at business risk, to be able to give them the levers to have a conversation with you to know what insurance policies you’re going to take, and what risks you’re going to accept.

Gaurav Banga  

That’s just fantastic, Steve; very good, very good insights. Well, I guess one last question I have for you is: is it fair to say that if you are innovating… well, you all have to innovate in cybersecurity because obviously, the status quo is not cutting it across the industry for most of us, almost all of us. So, if we put our dollars into buckets, running the business and changing the business, and in the dollars of changing the business, is it fair to say that of all the different elements that you would put in that, speed and automation would be perhaps at the very top?

Steve Zalewski  

So, I’m going back into this answer. What I see most security practitioners and most companies doing to their security practitioners is they’re backing them into a corner, and here’s how they’re doing it: digital transformation, speed of doing business. They are driving efficiencies into their business processes, but they’re doing it in a way where they’re trying to fail fast. I’m going to do something regionally, I’m going to do something locally, I’m going to do something regionally for how I’m going to do business. And a lot of that is now leveraging other suppliers and the third-party supply chain that are higher risk because they’re not necessarily big players anymore, driving efficiency. And yet, from a security perspective, you’re now introducing higher risks in the supply chain that I can’t necessarily manage, yet I’m obligated to protect the company. So, as the company pushes itself into riskier and riskier supply chain options, because they have to make money and they have to drive costs down, they can fail fast; I can’t fail. What should I do? And so, that’s why I say which was: automation and speed in figuring out what to do here is not necessarily actually improving my posture. It’s actually a defensive action to try to maintain my existing posture as I’m pushing out into new areas and accepting more risk. So, I have to highly innovate to look at third-party risk, fourth-party risk, imputed risk that’s occurring as the business is moving to new types of transformation. And so, therefore, my innovation in many cases is just trying to maintain the status quo of my current capability to protect the company, insurance policies as they’re changing.
That’s what we’re doing, and the quicker we acknowledge that, the quicker we can then look to the board and simply say, if I’ve got a dollar, and you’re pushing lots and lots into the cloud on me, and I don’t have a lot of capability there, I’m going to have to spend most of that dollar just to try to get basic security capability to be able to manage the risks of the company. It’s all at the expense of either doing other types of innovation, or giving up on things I used to do because, as important as they are, I have to acknowledge I don’t have enough; so, what do I stop doing? And that’s, I think, where the transition is going between innovation versus maintaining the status quo from a CISO’s perspective of looking at their risk posture.

Gaurav Banga  

That’s a great place to end I think. Thank you so much, Steve. This is perfect.

Steve Zalewski  

Great, thank you. Obviously, Gaurav, I’ve enjoyed this as well. Hopefully, people have found it useful and I’m looking forward to continuing our Friday conversations.

Gaurav Banga 

I’m looking forward to that. Thank you so much.