Gary McGraw: This is a Silver Bullet Security podcast with Gary McGraw. I’m your host, Gary McGraw, CTO of Cigital and author of Software Security. This podcast series is co-sponsored by Cigital and IEEE Security and Privacy Magazine. This is the 114th in a series of interviews with security gurus, and I am super pleased to have with me today Peter Clay. Hi Pete.
Peter Clay: Hi Gary. Thanks so much for having me.
McGraw: Peter Clay, who we all call “Pete,” is the CISO of Qlik. Pete has more than 20 years of experience in technology change and its relationship to security from a risk management perspective. He’s been directly involved in delivery of managed security services to global, public and private sector organizations. Prior to serving as CISO at Qlik, Pete was CISO of Invotas (for full disclosure, I serve on the Invotas Advisory Board). Previous roles included work as Federal CISO at Deloitte. Pete’s clients have included DoD, the U.S. Navy, DHS, TSA, NOAA and other agencies. Pete attended Oxford and graduated Hendrix College. He lives in Virginia, currently in Charlottesville. Hi Pete.
Clay: Hi Gary, how are you?
McGraw: So you’ve been a security executive, or worked closely with security executives at the highest levels, for multiple decades. What kind of evolution have you seen in the CISO role?
Clay: It has moved so notably, even within the last 5 years, that it’s almost unrecognizable from what it was. I think the CISO kind of started off as almost a hybrid role, being a little bit focused on technology, a little bit focused on legal and a little bit focused on simply being an executive and a member of the business team. It’s moved much more now in public companies to being truly more in the risk management-focused area. So they’re looking more at policy and procedure, and how do we manage SOX, and how do we manage these things. Advising the management teams on how to adequately secure the environment. The CISO has also become much more of a team leader than a solo practitioner. The focus has moved not just from IT, but to understanding that information security requires everybody from legal, through talent and culture, certainly the business and finance folks, as well as simply business operations. And because they have such a broad impact across the business, the traditional role just didn’t seem to fit. So, it’s become a much broader, more business executive-facing role.
McGraw: Was the traditional role just geekier in general? Or, was the role the same, but it turned out that the first iteration of CISOs were geeks and so they over-emphasized the geeky aspect?
Clay: I don’t think it was so much that they over-emphasized the geeky aspect. In fact, a lot of conversations that I’m having now, one of the enormous challenges facing the CISO ranks is maybe they don’t have enough technology experience. Changing the focus, it really has become that there weren’t enough of the original group of CISOs to fill the expanding need. Five years ago, it took a fairly large company, or a fairly complex organization, to have somebody called a Chief Information Security Officer. Now that role has really moved down, probably out of the global 500 and into probably the global 25,000, if you will.
McGraw: So there’s more need for people, and not enough people.
Clay: Right. And so, you’re also seeing people from non-traditional backgrounds coming into it. There are a lot more attorneys, a lot more accountants, a lot more, even scary people like history majors, coming into the field.
McGraw: [laughs] Wait a minute. I’m a philosophy major, here. What are you saying?
Clay: And I was a history major. So, I can make fun of myself. The challenge there though is, without enough, the question is: is the quality still there? Or, are the right steps being taken across the board when you look at information security as not just a market, but as a group of professionals serving the greater need?
McGraw: So you mentioned a number of the major constituencies the CSO has to interact with, like the IT and network security people, legal, finance people for audits and risk management, and executives. If you had to divide that up into percentages among those four major constituencies, how would it come out?
Clay: I tend to spend 50-60% of my days, weeks and months with the technology people because I come from the school of chief information security officers that believe that technology can provide a great many of the solutions that we’re looking for, and provide them in a programmatic and systemic way that can impact the organization fast enough and in significant enough quantity to actually make a difference. I also happen to believe that in many, many cases, not all, but in many cases, the threat that we’re facing is technology-based. We have to be as fast as the attackers coming in. The next group that I spend time with, on a continuous basis, is the office of general counsel. I probably have almost an equal number of relationships and contacts within various OGC and attorney ranks as I do in the IT community. After that, certainly comes talent. One of the great issues, the hot button issues today, is insider threat. But the question that companies are really starting to manage, and trying to manage, is: how do you manage your insider threat effectively without turning it into roughly a police state where everybody feels like they’re under the microcosm? That’s really the talent question. And then finally would be the executive team, because they want to know what’s going on and they read something in the paper and they want the answer.
McGraw: And do you have to do something to change the discussion that happens in the press, and that happens in public, to turn it into much more of a business-focus for the executives?
Clay: I think I actually have to interpret what happened because the press is always interested in almost the salacious piece of it. What happened and how it happened oftentimes gets lost. It’s also been really interesting to watch the growth of crisis management. When one large retailer was broken into, that got all the news. The fact that the second large retailer was also similarly penetrated, but whose lead security architect was under indictment by the federal government for hacking into a previous company; that didn’t get nearly the play in the press, even though the impact of the attack was larger. And so, crisis management, and understanding how to position what happens when something goes bad, is a very effective way of managing the press. Unfortunately, it doesn’t get us to an understanding of what actually happened. Scaring people and using fear, uncertainty and doubt is only useful for a short period of time because the way to be successful in information security, as you well know, is to build it in as a programmatic function that is continuously seeking to improve and evolve as the threats change and the needs change.
McGraw: Let’s compare and contrast your most recent work for start-ups versus your previous career as a consultant for the government. Go.
Clay: First of all, I have to admit, and this is something I say publicly from every stage that I’ve ever taken, in every public forum that I speak in. I spent almost 18 years as an IT consultant, 15 of those as an information security consultant. The first year that I started leading an information security group in practice, I really had cause to sit down and think about some of the things that I had said as a consultant, and almost wanted to call those people up and just apologize.
McGraw: That’s hilarious. Give me some examples.
Clay: You know, ‘identity management solution should look like this,’ while I didn’t take into account all the different stakeholders and all the different processes. I just gave a book solution. You know: ‘You can use this vulnerability scanning tool because it’s always right.’ Just silly things like that that really make sense as a consultant because your job is to move through a basic statement of work. But from operating in the environment over time, it doesn’t necessarily work out so well. Again, going back and talking about the harder and heavier lifting around maturity models and things that aren’t as sexy as vulnerability scanners and pen testing, and those sorts of things, are the ways to actually help the information security program get to where it needs to effectively be to manage the risk.
McGraw: Yeah. And that involves measurement, which is lacking in security in general; so that you know where you stand. So you’ll be able to build a longer-term strategy instead of a quick strategy.
Clay: Absolutely. We have to take–and even though I’ve got a bit of a military background, I’m never a big fan of comparing information security to military tactics and military things because it really doesn’t fit. Probably the stupidest thing we can really ever talk about is cyber war. There is a conflict of competing interest that in no way approaches a warfare scenario. At the same time, understanding that when you have a series of small actors that can penetrate a network using pretty commonly available issues and vulnerabilities that are commonly left open–they’re not all zero day exploits–the only way to actively combat that is to not be hypnotized by ‘well, so-and-so was able to break in at this point.’ Yes, we have to mitigate the impact; but, you have to implement that programmatic standard that goes out over time, not just within your organization, but within the broader community. Because it’s not just the more you can tighten up, it’s the more you can effectively share information without legal ramifications. That’s how information security gets better.
McGraw: So I think you did a good job characterizing the difference between acting as a consultant, especially in the government, and acting as a private sector person and an executive at one place. But, let’s talk about start-ups and pace. How does the role of a CISO reconcile with being an executive in a start-up?
Clay: It reconciles pretty well, actually. Because, one of the things that’s really easy to get hypnotized by when you’re in a large corporation is the fact that it takes 3/6/9 months, a year to make a change. Information security, as just the pace of the profession, is incredibly fast-paced. I’ve seen some studies that show that the information turnover for security professionals, just to stay on top of where they are, is probably 25-30% per year. So that goes far beyond that 40 hours of CPE that we all try to hit. You have to be actively engaged in it. Within a start-up, you have to be similarly engaged in all of the details that are going on in the business, and really be focused on what is the end goal that we’re trying to reach as an organization. Understand that that line will be anything in the world, any direction you want, but straight. It’s going to be messy. It’s going to be confusing. It’s going to be challenging. And so I think the disciplines fit together very, very well. How you implement information security in a start-up is becoming increasingly important. Companies are now starting to look to secure their data supply chain. Data is the new gold, and Google started the gold rush of 1849 by teaching us about how valuable data is. If data is the new gold, and we are now responsible to each other, both contractually and ethically, to protect each other’s data, and we have to do that very quickly and with fewer resources, typically, than you’d find at a large company, then you still have to be not just… compliant is just such a bad, loaded word anymore. You still have to effectively manage the risk to your own and other people’s data without compromising, or making too many compromises to, that would let the bad guys, both internally and externally, in. Does that make sense?
McGraw: It does make sense. I want to go back and think about the government approach a little bit; how it evolved over the last, say, 15 years, and where it is now relative to the private sector.
Clay: I think that there’s really three different answers when you talk about the government approach. I think that you have a tier of entities which have long been recognized because they dealt in the use and exploitation of information for multiple decades – 60/70/80 years. I think in those areas, you have very different information security cultures. There’s almost no reflection anywhere else. In some cases, they’re incredibly overboard and they’re so unwieldy at this point that they actually lose the flexibility to secure the data. In other cases, they’ve done a pretty fantastic job of getting it done. You’ve got a middle tier set of agencies, to include some of the state agencies now, that have definitely taken the time to put the frameworks in place. But, the challenge that they face is the federal information security standards that are published are an auditor’s dream, but I’m not sure that they’re particularly useful to an information security professional. By the time you get done writing the 600-800 pages of document that go into one of those and to “be in compliance” there, the bad guys are pretty much in your network and having a good time. You’ve done nothing to effectively secure the environment, both internally and externally.
McGraw: So, too much bureaucracy and not enough real activity.
Clay: Absolutely. I mean, think about the effect of ‘do I spend 500 hours writing a security plan?’ in which that is going to be somewhat effective in communicating what I’m supposed to be doing. Or am I going to spend 500 hours spending time doing code reviews and vulnerability scans and code analysis for the major applications in that environment? Which one is going to be valuable today and tomorrow for keeping unknown events from happening? There’s got to be a better balance there, is really what we’re driving to. There’s a third tier of the government that honestly just doesn’t get it. They spend money on stuff. They’re very focused on being compliant. Some of them get A’s in various report cards. And what happens is, when you look at the numbers over time, they’re broken into at an incredible rate and with incredible frequency. That third group is almost hiding behind the bureaucracy, which is almost the worst possible outcome. ‘Well look, we did all the paperwork,’ but you didn’t secure your applications, you didn’t secure your environment and you tried to push some of that stuff off. So, I think to kind of summarize it, the government approach, when you cut down on the bureaucracy and paperwork and focus on the action steps, you can get some incredibly good results. But if you focus on paperwork or only trying to make somebody else happy with how you’re running your information security program, I’m not sure if I know of a faster path to failure.
McGraw: So let’s talk about reactive approaches to security which have been evolving rapidly and really under the influence of the spooks, if you want to put it that way; for the intelligence community into this notion of orchestrated response which involves detection of attack–detection of compromise. Then, figuring out what to do once you’ve detected it. And, speeding that cycle up is pretty important, I suppose. But it seems like if you focus on just reactive approaches like that, you miss out on the notion of preventing attacks by building security properly in the first place.
Clay: The challenge, and where in my mind the profession has moved to today, is, regardless of the size of the organization, you have to take the programmatic approach to security. The reactive approach of ‘somebody is doing something to me at any given point,’ first of all, puts you behind the attacker by quite a bit. Because by the time you normally detect it and understand it in the context of your network, you’re already at the point of failure, or well past the point of failure. Taking a programmatic approach in building security into the applications, and the networks, and your cloud environment and your data supply chain is the only way that we’re ever going to get to the true preventive controls that we need to have. That’s where the mix comes in of understanding that it’s not just technology; it’s truly people, process and technology all together. But the process piece of that can’t be ignored. You have to react to attacks, particularly attacks that get past a number of your defenses. But those aren’t nearly the important benchmarks except to say ‘look, you have this issue and now we need to take these actions.’ That doesn’t get you as far down the road as saying ‘these are the risks, these are the threats, this is how we’re going to programmatically address this.’ And so, the attacks then, when they come, even if they’re partially successful, that shouldn’t be the headline news. The fact that you were able to detect them is actually a good sign of a maturing environment. The fact that you were able to respond in time is a sign of a maturing environment. Then finally, the fact that you were able to remediate and get back online and be resilient; again, those are all the hallmarks of a successful program. So, attacks in that space, while they may get headlines inside or outside the organization, don’t really drive your security program.
McGraw: The idea of planning for an attack is always part of building security in as well. That’s worth pointing out. Back in my machine-learning days, about 20 years ago, we built systems that would classify and categorize input, then respond in some way. Do you think that AI and machine learning are going to take over orchestration?
Clay: I don’t know that they’re going to take over orchestration, because of the one thing I’m pretty sure of right now as we go through the big data era, and even working for a business intelligence company today. I think that there’s an incredible challenge around AI, and that is putting data in context and truly understanding what an attack is, and what is a hiccup, and calibrating those responses. I still believe for the near-term future, we’re going to see the human in the loop to help rationalize the thinking or what the tools are saying to be able to begin to direct the attack. I think once we start to mature those processes, however, more and more of the machine speed will be brought to bear as we understand that better. The example of this is – go ask 10 security professionals what an attack is. I can pretty much guarantee you’re going to get 10 different answers. So you almost have to start with the vocabulary and then begin to build on that before you can teach the machines to go that direction.
McGraw: Yeah, that was just a flyer. Interesting. Have we made enough progress on security engineering?
Clay: Not even close. Not even close. In fact, one of the biggest complaints I’m hearing from both my peers and friends throughout the industry is we’ve completely lost focus on security engineering, both as a discipline, but also as a value added service across organizations. When you begin to think about what a security engineer can do and should be able to do, not just in the confidentiality, but also driving the integrity and availability of information, they become actually a very critical role, not just in a security program, but also in just regular IT operation focus. Because that security professional can not only prevent people from getting information, they can also ensure that it’s available in the form that it is supposed to be–at the right time and at the right place. And if there’s one thing in information security that we continuously miss the boat on, it’s that we don’t talk about how we can actually help and enable the organization to meet their specific data needs, and the security engineer is probably the point of the spear for that one.
McGraw: Or certainly should be part of the architectural discussion and part of the product strategy, I suppose. Thinking about how to build the system, security needs to be involved there.
Clay: Yeah, I would completely agree because again, when we start talking about technology, the way you win in an information security role, and you’re working with operations, is when you can truly build security in, not just as a bolt on after the application is done, trying to meet some regulatory guidance. But, where I ask to get the architects that I work with involved is when the business guy and the IT guy are sitting at a bar and they scribble something on a bar napkin. I really want the next conversation to be with one of the security architects. If they’ll do that, we can get it in, it’s much less painful and we can actually improve the quality of both the initial iteration of the application and success at once, as well.
McGraw: Last topic. Though it comes and goes, there always seems to be something about cyber war in the air. What are your views on the cyber war situation, and the notion of thinking about war as a metaphor for information security and the stuff you’re working on right now.
Clay: It is fundamentally nonsense. When you think about cyber war what we have done is, a number of organizations decided that this would be another dimension of warfare that we should truly consider. So, they build a market by making it very profitable to go out and find vulnerabilities. What I don’t think anybody counted on there was the fact that, well, when you make warfare available, you not only take it out of the hands of some sort of control, in the relationship between the nations, but you also put it in the hands of people that certainly don’t have the best intentions and are much more commonly classed as criminals. The concept that two competing interests have to be termed ‘war’ is almost solely an American concept. You can have competition for ideas without turning it into a military conflict.
McGraw: Right. I think that maybe what helped to push it towards that set of ideas, on the American side, is that the early people in computer security often came from a military background.
Clay: Even coming from a military background, the first stance and the first point is: preventing your own defeat is always in your own hands. It’s how you prepare. It’s how you train. It’s how you understand the world. It’s how you gather information. Your enemy, if you will, their defeat is also in their own hands. And by turning it into an attacker and a defender, rather than a competition for resources and understanding the value of data, it probably much more appropriately belongs in almost a legal, law enforcement stance than it does a military stance.
Clay: But you’re now at a point where, because we are so computing dependent across all of the critical infrastructures, you’re reaching a point now where over a hundred countries in the world have some form of offensive cyber capability, according to published reports; and the only thing that we’ve truly understood about all that stuff is we are now in the cyber era of mutually assured destruction. I’m just not sure, from a policy perspective, if we really want to be in the position of mutually assured destruction with somebody like Bermuda.
McGraw: We can always bring our kinetic stuff to bear, I suppose. Although, it would be wasted on Bermuda.
Clay: I think it definitely would be wasted on Bermuda. To quote Sun Tzu: it’s much better to capture something like that intact than to shatter it.
McGraw: Alright, last question. What’s your favorite non-fiction book of all time?
Clay: William Manchester’s The Last Lion. Parts one and two. The third volume was terrible.
McGraw: And what’s that about? I don’t even know that book.
Clay: It’s about the early life of Winston Churchill. It does what great biographies should do. And that is, it puts people in the context of their time. There’s all sorts of criticisms today of Churchill, that he was racist, he was this, he was that. He was actually very much forward thinking. He was part of the story of how we got to where we are today, both in the UK and the US. Another book that’s absolutely brilliant by the same author is called A World Lit Only by Fire. It actually tells the story of how we went from the dark ages where life was nasty, brutish and short to reach the Middle Ages and the Enlightenment. It tells that story in a way that I’ve never seen or heard it spoken of before. It makes complete sense.
McGraw: Cool. I’ll have to put away my fiction-only thing for a while and maybe check those books out. Thanks, Pete. Appreciate your time today.
Clay: Thank you so much, Gary. I appreciate you having me on and I appreciate you taking the time this morning.
McGraw: This has been a Silver Bullet Security podcast with Gary McGraw. Silver Bullet is co-sponsored by Cigital and IEEE Security and Privacy Magazine and syndicated by SearchSecurity. The July/August 2015 issue of IEEE S&P Magazine focuses on multi-disciplinary security. The issue also features our interview with Katie Moussouris.