“There are three essential skill sets a modern day CSO must have. The first is knowledge of the business to better align a security strategy to company objectives without being a blocker to innovation. The second is technical breadth. Third and most important is evangelism: you have to be able to clearly articulate and sell the team strategy from the top down and across the organization,” says George Gerchow, Chief Security Officer at Sumo Logic.
But people skills cannot be overlooked, he adds. When you have to justify the company’s risk positions and get the business side to sign on on implementing proper security even though it might be cheaper to pay fines instead, understanding people can come in handy.
Learning from experience
Gerchow has had the opportunity to see the problem of company security from a number of different vantage points.
He started off in networking and technical engineering roles in a variety of organizations (finance, government, security). From there he moved into a pre-sales role for a software development company, then joined VMware to lead the company’s efforts around compliance and security.
He learned something every step of the way: the relevance of rules and compliance for getting the job done, how the non-IT-and-security side works, how the cloud affects everything across IT, and how to work with distributed teams at scale with a heavy focus on delivering agile services.
As the CSO of Sumo Logic, and especially since the advent of GDPR, he says that being able to work and collaborate with the board on understanding privacy and security issues is important.
“It’s also about understanding the dynamic between IT security and the data protection officer role – that DPO role can’t be responsible for IT, so there’s a separation of responsibilities while you are also working to the same goals. That could be an opportunity for conflict if you don’t manage it well,” he told Help Net Security.
Adopting new technologies
But getting the board on board will take CSOs only so far: they should also think about implementing new technology trends such as containers, serverless, and automation.
Thinking well in advance about the risk involved in moving to new IT platforms should allow CSOs to make sure that some things (e.g., privacy by design) are taken into account from the start and the emphasis on security and compliance is kept.
“It’s also worth keeping up with what is taking place on the security side by looking at the low hanging fruit for security problems. Patching machines, keeping software updated, managing access control – these are all well-understood issues that keep getting exploited,” he notes.
“The big problems like WannaCry in 2017 were all due to known issues. Understanding those breaches and patching vulnerabilities quickly should keep companies ahead of the large majority of potential attacks.”
New technologies such as containers should also make this easier.
“Rather than having to build upon that existing IT infrastructure and keep updating it, you can use a clean container build each time that is up to date. You keep the containers as up to date as possible, you audit any third-party software or plug-ins that get used within those containers continuously, and you focus on those images in your library,” he explains.
“Keeping that library of images as secure as possible will need a different approach, but it should benefit security teams compared to having to support huge amounts of out of date software and operating system images.”
Making a case for automation
Gerchow pushes his team every day to find ways to automate their tasks, so they can focus on what matters most.
This is where their skills and experience can come into their own, he says, as automating things means automating a process, and that requires skill to make the process as redundant and resilient as possible.
The goal of automation is not to make people unnecessary, but to make it possible for all members of the security team to step into a lead security or CSO role in the future.
“If you automate a poor process – or automate a good process badly – that will lead to future security problems and you end up in a worse place than you started in. So full understanding and insight is necessary here, and you don’t get that without experience and you can’t get that doing only those daily routine tasks,” he explains.
“You only get this from looking at things in context and getting the opportunity to see the bigger picture across IT security, across IT in general, and across the business. Automation, machine learning, more decision support… whatever you call it, that kind of technology should make good people greater. We can make a difference to the business because we understand the risks, the requirements and the opportunities that security can support. ”
Once his team understood this mindset, they could see the value in it. It also helped the company’s retention rates, as the people knew they had a great path for their career.
“It also helped my department’s development: the HR team knows that when I need someone, it is because of a specific requirement and I can back it with data that I have no wasted resource. So I can always get those roles when I ask for them,” he adds.
IT and security on the same page
On a day to day basis, it’s important to keep teams on the same page when it comes to security.
“You have a lot of different teams within IT, and their goals can be different. However, if you have a culture in development that is all about new, different, fast releases and one in IT that is about risk prevention and control, they will end up at loggerheads. Getting those teams to work towards a common goal is essential, but it takes culture changes to embed that within the company and stop it being one-off actions,” he points out.
One way of encouraging developers to understand security and make it a priority is to change how they are rewarded as teams. For example, bonuses should be awarded when they deliver clean code without issues, and not just when the deliver code quickly.
“We have to look at how to bring forward the lessons of managing risk and how we can apply them at scale. We want to be secure, but we also want to make the most of the speed and agility that exists in IT today. We can’t block this, or people will look for ways around the rules that are there,” he adds. “So, it’s less about saying no to new approaches, and more about helping them understand context and why things need to work through different ways.”