Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is co-sponsored by Synopsys and IEEE Security & Privacy magazine, where a portion of this interview will appear in print. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 143rd in a series of interviews with security gurus, and I’m super pleased to have today with me Elena Kvochko. Hi, Elena.
Elena Kvochko: Hi, Gary.
Gary: Elena Kvochko is CIO, Group Security Function, at a top 20 financial services organization that shall remain nameless. Previously, she was manager in Information Technology Industry at World Economic Forum, where she led global partnership programs on cyber resilience and the Internet of Things and was responsible for developing relationships with top information technology industry partners.
Elena is author of numerous articles and has contributed to Forbes, the New York Times, Harvard Business Review, and other media outlets. Elena is also a member of the Wall Street Journal CIO Council. She holds both CISSP and CEH certifications and has a master’s degree in technology policy from UMass, as well as executive certificates from MIT and Yale. She lives in New York City—apparently with a broken leg. So how is your leg doing?
Elena: Well, you got a lot of information, Gary. It’s on the recovery path, hopefully.
Gary: I’m glad to hear that. We’ll talk about that later in the episode, maybe at the very end. So I thought we’d start by getting some information from you about how you got into information security in the first place.
Elena: Sure. I will tell you I started my career in cyber security probably out of frustration. I was working in technology implementation and risk assessment and risk analysis, and I saw that many of the technical projects that I was working on—even say, like, the bids for large infrastructure projects—did not contain security components a few years ago. And so I was looking for a way to change that situation at scale to impact the perception and the situation on the ground and influence the executives and business leaders and make them understand that they have to invest in security.
So from that point on, I switched into cyber security and stayed in this field. And it has been a great journey and a steep learning curve.
Gary: It’s kind of hilarious to be frustrated enough to get into a very frustrating field.
Elena: Right. But this is how…
Gary: Somewhat ironic.
Gary: Would you consider yourself more of a policy wonk or more of a technologist? Because you have a deep background in both.
Elena: Yeah, I think in my job I have to combine both. I have to combine experience in business operations and execution and management with both knowledge of technology and systems and critical systems and how to make them compliant and more secure and advance into the next level. So it would probably be a combination of both.
Gary: And you hold a CISSP and a CEH (that’s Certified Ethical Hacker, for those of you who don’t know certification)—which is definitely on the geeky side—and executive certs in management from prestigious institutions. Can you compare and contrast those sets of credentials for us?
Elena: Oh, absolutely. I think if you work in a large enterprise and if you try to kind of improve the way technology management or security management is done, I think it’s important to have an understanding of both the technical side and the business side. So, the CISSP, CEH, and other credentials, they do help demonstrate your knowledge and understanding of the technical side in addition to the day-to-day on-the-job practice and training that everyone gets. Because our industry and our field changes so fast that unless you keep yourself current, you know, it’s hard to perform. I think everybody in our industry understands that.
And on the management side, it’s important to relate what we’re seeing on the technical side, the attacker side, to business and management executives so that they understand how to prioritize the decision-making process. I think for anyone kind of working in that field, that are striving to be at the leadership level, it’s important to have an understanding of both.
Gary: Right. Yeah, that makes sense. So you find them both equally valuable, but for slightly different audiences. Is that one way to put it maybe?
Elena: Yes, or even for the same audience but just be able to digest or adjust the message depending on the situation.
Gary: Right. So towards that end, what are the duties of a security-facing CIO, like you are now, and how do they differ from CISO duties, which we spent a few episodes talking about on Silver Bullet?
Elena: Sure. So my focus and what I’m particularly passionate about it is, how can we find ways to deliver the highest possible degree of privacy and security that protects all of the enterprise, all of the clients? And one of the areas that I’m particularly proud of that I’ve been working on is what I call “end-to-end” or “holistic” security. So if you look at the way most enterprises grew or developed, they grew through organic growth or acquisitions. And what it led to is that a lot of even Fortune 500 companies, they operate and function in silos.
If you develop different products that are targeted towards different audiences, that may be a beneficial setup. You kind of have to encourage every business unit to perform. But if you’re looking at the security side, that’s one of the areas that we in the industry are trying to overcome and move towards a holistic perspective, connecting and gaining visibility across the product lines, across the business lines, and being able to have this holistic perspective through data and through being able to connect the indicators and the events to see what would be the best response or what would be the best allocation of resources.
So I think achieving a holistic perspective is where our industry will go and where I think all other enterprises should be investing or paying attention to.
Gary: That makes a lot of sense. But I’ve got to tell you, that sounds an awful lot like a CISO to me. So in your mind, what’s the difference? Or in your enterprise’s mind, what’s the difference? Or really are they just fundamentally similar?
Elena: I think it depends on kind of the composition or the setup of the team. We do focus on, for instance, implementing the privacy standards, remediating things like technical debt, improving critical system security or vendor management or other areas that help enable this holistic perspective, both on the technical side and operation side. And there is no one recipe for how to set up effective security function. I think it would really depend on the industry and on the operational setup of the company.
Gary: I totally agree with that. And in fact, we just did the CISO Report, which you might have listened to Craig Froelich talk about last episode. And that found four different approaches even to the CISO role that were directly bound to the enterprises. So I think your view there is exactly right on. I guess the matter of titles is still complicated, and it’s evolving. So there’s some opinions about whether CISOs should report to CIOs or they should be in a different organization. And nobody’s really figured it out yet. I guess we’re all looking to figure that out.
Gary: I did want to ask you what it was like to move from NGO land in the World Economic Forum, in the World Bank, to corporate life. Was that a big change for you, or was it very similar?
Elena: For me it was a very interesting transition and a great career development for me personally. In my previous job, I had a portfolio, a number of companies I was working with to drive these standards. And for instance, things like, how do we better quantify the cyber threats? So it’s where are the areas that no one company could solve alone or on its own? Whereas in my current job, I’m specifically focusing on making, the security of an enterprise better.
So there’s a lot of related aspects, but also you’re able to focus on one enterprise and one goal, which is also great. And you’re able to see the progress.
Gary: Yeah. I was going to ask you that. So, I mean, this is a little bit of a mean question, but is it easier to get stuff done in corporate land than it was in NGO land?
Elena: I don’t know, Gary. I don’t know if it’s a fair question, to be honest. I think it’s really…You cannot, kind of like, classify by the industry or the sector. It’s more about the team that you work with, right? And if you’re passionate about your job, if you have a great team to work with, anything is possible, right? And so it’s really about the culture probably more than anything else.
Gary: Right. That makes sense. So I wanted to spend a few minutes on a handful of technical topics and their security ramifications. Not too many, like maybe 2 minutes each on four things. So I’ll just name the things, and then you can say whatever comes to mind or what you think the implications are for security. The first is boundaryless—or let’s just say perimeterless massively distributed systems, which we’re building all the time. What is the impact on security of those things?
Elena: If you look at the landscape on kind of a broader, on a global level, you see that the number of mobile phones right now has exceeded the number of people on earth. And today we see a much wider application of technologies and adoption of computers. And the number of population that’s online has exceeded half of the world’s population. And it has become commonplace that every company right now is a technology company. So, and new platforms are being built to deliver the services and products that weren’t even considered before.
I think the implication of all this is that nearly everything we do right now and everything that happens in the enterprise, it generates data. And with the advancement of this big data analytics and with the advancement of those technologies that produce and generate a tremendous amount of data, I think it’s a great opportunity for us in security and technology to make things better to be able to predict what’s going to happen and to be able to answer the questions that we were not able to answer before.
Gary: That’s very optimistic. I worry about this boundary problem. You know, perimeter security is great when you have a perimeter. But perimeters are disappearing. So it seems like we’re making progress, we’re making lots more data, but we also don’t have these choke points we used to have.
Elena: Yes, but that’s the reality right now, right? So we cannot go back to perimeter basics really anymore. We live in this world, so I think we have to adjust based on what we have.
Gary: Yeah, good answer. That’s exactly right. No. 2, sorry about how, you know, whatever, trendy this is, but blockchain technology and international markets.
Elena: Yeah, that’s a great question. I think there’s definitely a lot of interesting use cases that are being explored with blockchain for IT security, for authentication, for the payment space or any other peer-to-peer transactions. And I’ve definitely seen examples of some really great applications. I think, kind of again, the optimistic part of it, a lot of the investments are being allocated into the field. And I’m sure we’re going to see a lot more applications of that at scale, as opposed to more kind of contained, local use cases that we’re seeing right now.
Gary: Yeah, it’ll be interesting to see when that gets into more normal economic markets and standard channels, to see what happens with blockchain.
We’ll be right back after this message.
If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.
Third thing—and this is, you know, towards my own heart—building security in and proactive security design versus reactive security.
Elena: Yeah, Gary. Like I said, I think in the world that we live in, you can no longer afford to be reactive, right? So you can no longer just look at your logs or indicators and look for what has already hit you, right? You have to look for what will hit you. And this is where you have to invest the resources to be able to be, like you say, proactive, you know. We sometimes use the term “intelligence-driven defense” or “data-driven defense,” right?
So you do have to look at what will happen to your organization based on the experiences that you had or your industry peers had or just where the threats are going. So you have to be more forward-looking. You can no longer afford to stay reactive.
Gary: And the good news is, I think, we’ve made a lot of progress on that in the last 10 years. There’s plenty more to do.
Elena: Exactly. Yeah.
Gary: And then the last thing, I guess, which gets towards your policy wonkness: impact of economic theory on security.
Elena: You mean from the perspective of investments or from what angle?
Gary: Oh, it doesn’t really matter. I mean, just thinking about how economic systems work and whether, by analog, we can bring those into security and drive security decisions, is what I’m thinking about.
Elena: Yeah, you’re right. I think you’re right in the sense that right now, a lot of the security decisions, they are driven and based on economics, right? And you have to almost justify and show the return on investments, which sometimes, you know, it can be challenging for the firms that haven’t invested in those metrics.
Elena: But I do think that, again, it’s not optional to invest in security. It’s part of every business. It’s mandatory. If you cannot maintain security, you cannot maintain trust. Therefore, you cannot retain your customers in your business. So it’s something that should be at the core of every enterprise. It’s not something that you would add at the end of your product development life cycle but rather integrate straight into your requirements collection, and product development, and testing, and rollout, and user education—something that should be integrated throughout the whole life cycle of your business.
Gary: So I guess I meant…Let me ask you another question. Let’s see if we can get it this way. You’ve studied the economic impact of breaches on stock prices and market cap. And that was very interesting work that you did. So tell us about those findings, and then tell us whether you’re seeing the same thing with the Equifax breach that you saw with those other historical breaches.
Elena: Yeah, I think when I looked at that, what I noticed is that there was no good way for investors, or there was no good way for just the market, to be able to price those breaches or to be able to assess the impact. And this is why I was working on the question of, how do we better quantify the cyber threats? I think there has been a lot of progress made in terms of what data can be used, and actually even the availability of data, historical data, or be able to predict the events that were done since I looked at that question. But broadly, I do think there is still a limited ability to implement it at scale.
And I think…but I think the industry—in particular, insurance industries and others—are really looking closely into this and making this, kind of like, pricing or quantification mechanisms more available and more rigorous.
Gary: So you feel like there is progress being made there? Because, I mean, one of the striking things that you showed, that you demonstrated with facts, was, “Hey, you know what? Stock price, it might have a little local hit, but it doesn’t go down because of even a major breach, when you look at Target and Home Depot and all those guys.” And I guess I’m not sure what happened with Equifax. Did you look into that one at all?
Elena: Yeah. And I think the reason for that, Gary, is because really there’s just no good way to connect the impact of the breach to the long-term business impact, you know?
Gary: Right, right.
Elena: So I think right now, as we all are becoming more aware, and as our companies are becoming more aware, and even as consumers are becoming more aware, the impact might be more visible, but I think it yet remains to be seen. You probably won’t see a huge change overnight. That will take some time to get there.
Gary: Right, right, right. I guess it’s an externality that’s difficult to bring into a system.
Another topic entirely. So you’re both an immigrant to the United States and a female in technology. And so I’m wondering, are there similarities in the sets of challenges that have to be overcome in both sets of people, both new immigrants to the country and also females in tech? Or is there any relationship there?
Elena: That’s an interesting question. I think that our industry is developing so fast and moving so fast that there is still lack of talent, right? And the industry’s hungry for talent. So if you’re talented and you know what you’re doing, there’s great opportunities in the field, right? There’s obviously the challenges that women face in technology that everybody knows about. But, I’m still optimistic. I have, for instance, you know, started and joined a lot of women-in-security initiatives to help advance the role of the women—or even the percentage of the women in the industry—as in, kind of, influence that through the hiring decisions or other ways that can help bring in more diversity in the industry.
I think this is something that I’ve seen a lot of my industry peers do. You know, I think that everyone, if they’re at a decision-making level where they can impact the composition of the team, should be focusing on this. Because with diversity comes diversity of perspectives. And with diversity of perspectives comes innovation. So in the end, we’re all going to benefit from it.
Gary: Yeah, I totally agree with that. And I do think we’ve made progress in women in technology, at least in terms of awareness so far. And we have a long way to go in terms of practice. But I’m also wondering whether the challenges faced by new immigrants are similar in nature, just because, I mean, I don’t have personal experience with either one of these sets. So what do you think about that?
Elena: So my personal perspective is that the U.S. is a very welcoming country, or was a very welcoming country, towards immigrants, and it’s a country with great opportunities. So whoever—right now it might be a difficult time, but whoever wants to make a career in the industry, there’s still great opportunities that they can leverage. So you’re right totally, to a certain extent, the challenges might be similar in the sense that you have to prove yourself. It’s kind of like you can never afford to stop, but you have to always keep improving your level and performance and show that your work is valuable. So in that sense, that’s probably similar. So…but yeah, as I said, I remain optimistic about the prospects for everyone.
Gary: Yeah, and I think that the first point that you made is exactly right on the money. Boy, do we need people. We need all kinds of people. We have a huge gap in skills and skilled people, and anything we can do to make the set of possible people we can pick from larger, the better off we’re going to be.
Gary: So, when I see all these whiny articles about how many information security professionals we need, I just think, “Well, why aren’t you talking to women? Come on.” It’s not really that hard.
Elena: And to your point, Gary, I think a lot of the times, it comes down to managers giving an opportunity to maybe a younger person, to maybe a person who hasn’t exactly had the same experience, but you see that they are talented and they have potential, so just believing in your team and believing in people you work with. And if you raise the bar higher and if you give the team an opportunity, most people stand up to the challenge. And you might be surprised what they will be able to achieve.
Gary: That’s great. That’s great. Last question, and kind of a flyer. So you scaled Mount Everest to raise money for Refugees International, which I find very inspiring, personally. So tell us about Refugees International and why you chose to support that organization.
Elena: Sure. So I was very proud of that too, so thank you for bringing that up. As I saw the rising social tensions on the global scale and also in our country, I thought, what is it that I can do to contribute to the cause and to show the executives that if they, as business leaders, stand up for the causes they believe in, it does have an impact, it does inspire others, it inspires their team, it inspires their colleagues, it inspires their industry peers.
So I chose a cause that I’m personally passionate about, which is immigration. And I chose an organization that I think is performing lifesaving work and missions, Refugees International. So I hiked Mount Everest region up to 18,300 feet.
Gary: That’s amazing.
Elena: Until I was ready to die. And everything I raised I donated to Refugees International. And I did one more similar challenge this winter, summiting Mount Aconcagua, which is the tallest mountain in South and North America in our hemisphere.
Elena: And again, donating all the proceedings to Refugees International. And my intention is to continue contributing to the cause in various ways. And I did see that my colleagues or my industry peers saw an opportunity, and they thought, you know, if I’m not a mountaineer but I was able to do that to show my support for the cause, they were or they became bolder in expressing their own beliefs and becoming more vulnerable. So hopefully, more of us can find a way to contribute, and more of us can support the causes they believe in.
Gary: Yeah, well, hugely inspirational. And at a little bit of personal cost this time too, because I understand on the way down, you broke your leg.
Elena: Yes. I was caught in a snowstorm on the way down. So unfortunately, I fell. But you know, Gary, what I learned in this experience is that whoever does not risk does not summit. I intend to bring that lesson to my professional life.
Gary: Absolutely. It’s just so inspiring. And you’re right: When you make an example like that, other people learn from you directly. And hopefully, they’ll emulate that. So thanks for doing that. It’s really awesome.
Elena: Yeah. Thank you, Gary.
Gary: It’s been a fun chat. Appreciate your time.
Elena: Thank you so much.
Gary: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Synopsys and IEEE Security & Privacy magazine and syndicated by Search Security. The November/December issue of IEEE S&P magazine includes our interview with New York Times tech reporter Nicole Perlroth, one of 12 interviews carried out over a year focused on women in security. Show links, notes, and an online discussion can be found on the Silver Bullet web page at www.synopsys.com/silverbullet. This is Gary McGraw.