Rick Holland, CISO at ReliaQuest, talks about the role of empathy in building out an organization’s security program. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.
Lindsey O’Donnell-Welch: Can you tell me a little bit about your own background and your path into cybersecurity?
Rick Holland: I was in the U.S. Army, and I was in intelligence. So I went Army straight out of high school - I was a really good student, but I didn't want to go to college at that time. So I joined the Army in intel. And that gave me technical skills that I then parlayed into, like tech support, and help desk, and then desktop support. And then Sarbanes-Oxley happened. I was at a public company at the time, and we needed somebody to work with Deloitte on internal audit. And it's like, wow, I've been building these Windows XP laptops, I'd sure like to do something different. And so I started doing the IT audit components for the controls for Sarbanes-Oxley, so like financial controls, and stuff like that. And then I parlayed from that into the lone security guy at a company. And then from there, I went into higher education, which was actually really fun. I worked at the University of Texas at Dallas in a broader team. And that was cool, because you had students hacking, irresponsible disclosure, you had students hacking, because they're trying to cheat. We had two public breaches that we were also involved in. So it was a very interesting threat landscape to work in from the students to the adversaries. And I went from there into sales engineering at a VAR for a couple of years, which is helpful, because that kind of prepped me for going into Forrester Research. I'm friends with John Kindervag, who's the creator of zero trust. And John's been a mentor of mine. And so John recruited me into Forrester. So then I spent four and a half years there at Forrester and I covered all the "threaty" stuff. So my career has had a lot of these "threaty" angles from my time in the military, to doing incident response and higher education. And then to Forrester and I covered threat intel and vulnerability management and incident response, that sort of stuff. And Digital Shadows was a customer of mine at Forrester.
And I was like, in the ivory tower telling people and vendors what to do, but I hadn't been a practitioner for quite some time - six and a half years since I left for Forrester - so I wanted to come build a company. And so you know, I had the opportunity to do that at Digital Shadows; we needed a CISO because we were growing. And so I established this security program here. And then ultimately, we got acquired by ReliaQuest, the deal closed in the summer. And now we're just working on the integration of the two companies together, continuing to do CISO work, continuing to run the intelligence team here in the new world as well.
Lindsey O’Donnell-Welch: What have been the biggest transformative career experiences that ultimately shaped your track as a CISO?
Rick Holland: That's a good question. I would say it's Forrester. Your peers at Forrester are the brightest people in identity and access management, or the brightest people in whatever their discipline was. So I was around top performers, which rubbed off on me. And then also at Forrester we were doing consulting for Fortune 10s. So I got to do maturity assessments, I got to talk to CTOs, CIOs, CISOs, of some of the biggest companies in the world with some of the biggest challenges in the world and got to partner with them to try to come up with solutions. So I think that time at Forrester was particularly useful for me from just all of the knowledge that I was kind of soaking in, and the experiences that I was having there, but also it gave me appreciation, because a lot of the companies I was working with were like, the one percenters are the "haves." And then you realize that there's so many "have nots" that are out there, if I quote Wendy Nather, and the security poverty line, most people live below that cybersecurity poverty line. So, there's two sides of the track and I got exposed to one side of the track, but had a lot of appreciation for the other side of the track, and continue to. So Forrester, I think, was probably the most transformative experience in my career, and certainly, you know, set my path up well, for being a CISO.
“If you want to have a good culture, you’ve got to first start with your security teams, and they need to have a good culture, so investing in them, retaining them, having internal training, external training, career pathing, all those things are important.”
Lindsey O’Donnell-Welch: What is important for building out a security culture in a business?
Rick Holland: It is all about people. There's this tendency to buy the newest technology, or the flashiest whatever at RSA or at BlackHat in Vegas. But, you know, if you want to have a good culture, you’ve got to first start with your security teams, and they need to have a good culture, so investing in them, retaining them, having internal training, external training, career pathing, all those things are important. Because I think if you don't have a good culture, within your security function, you're gonna fail at having a good culture more broadly, across the entire company, because it'll be kind of obvious, if your security team is not bought in, that no one else is going to get bought in. So I think that's a really, really key component.
I probably learned things the wrong way when I was a lone security person - I was kind of proud to be the Department of No Guy - and my CIO, who was my boss at the time, gave me some really good feedback in talking about enabling people, and helping them do their job, that they're just trying to do their job, they're not a security expert like you. And I think that's really, really key still, to this day. How are you going to have a positive culture, a security-minded culture, if you're super negative about your customers, your partners, your colleagues? And having technology that is transparent, understanding that managing passwords is a pain in the butt for people, having empathy for these people that we're trying to protect I think is really, really key to having a strong security culture as well.
Lindsey O’Donnell-Welch: When you're looking at kind of building out an effective cybersecurity program, are there a couple of critical steps that you would say are most important?
Rick Holland: Yeah, I think the first one is alignment of the program to the business itself. We don't do security for security, we do security for our business, or our nonprofit or whatever the kind of organization is that we're trying to protect, and understanding what the goals and objectives are for that company or organization is really, really key and then translating that into this security program. I'll give you a specific example there; one of the things that I've been talking about for years, it's more applicable to public companies, but it still applies to private, is public companies have their SEC filings, and one of the SEC filings is a Form 10-K. And that Form 10-K has a risk factors section, and it usually has between like eight and 20, 10 to 15, something along those lines, risks that the company has to the overall business. And there'll be things like supply chain, whether some places maybe get hit by wildfires, or hurricanes or whatever, but being able to have a business discussion, and being able to understand what the risks are to the business and how you can try to mitigate those risks from a cybersecurity or physical security perspective, as well. And if you look at retail - with Black Friday - if you look at a 10-K from a public retailer, they'll probably have things in there about their employees, their rewards program, and how that is key for loyalty and maintaining stickiness with customers. So if you're coming into a new program, looking at a Form 10-K, or just the annual report; knowing what the business is focused on, where the business is going to grow, and then mapping it out to people, process and technology, and how you can give visibility into risk, how you can then mitigate risk, it's almost a blueprint for the program, it's the top-down blueprint for the program. But it also lets you critically talk in terms of what the "business cares about," right.
I've seen a lot of prediction stuff, and suggestions for 2023 planning right now. But most of it is focused on hey, you need to invest in API security, or you need to invest in cloud security. Really, what we need to be doing is investing our time in understanding the business goals for 2023. And then figure out what people, process and technology is needed to give visibility into risks, and then mitigate them. Is a business expanding into a new region of the world? What are the threats there? How do you protect employees when they're there? Is the business rolling out a new piece of software that's going to generate 20 percent of the net new revenue for the year? How do you secure that? So I think the Form 10-Ks, if I was with a public company, I'd be listening to the CEO's quarterly call every quarter. And now if you're not a public company, you still have a risk committee of some sort. So being engaged with the risk committee, understanding the risk, but that's another place you can go if you just don't have access to the public filings there. So that's where I like to start as a hey, let's just make sure I'm aligned on what the business objectives are, how I can do that.
The other part, to me, again, goes back to the people, which I think is the most important part of the people, process and technology. How are you going to recruit people? Don't always try to recruit unicorns, it's a highly competitive market, don't have these ridiculous job descriptions, that act like they're for inexperienced people but really, you need 10 years of experience to get the role. Have a mix of experienced people and very junior people that you can train up, and then do creative things, remote working, flexible working, I'm going to give you a SANS class every year, or whatever the case may be, have an actual curriculum to try to maintain these folks. And I think it's the most painful thing in a program when you have someone you've invested time in, and they leave prematurely; we know everyone's going to leave at some point. But if you invest and you lose somebody at a year to a year and a half, well, perhaps you could have gotten another year out of them. And you know, that can be quite material, right? If you have to ramp up, learn the organization all over again, learn the tools, and all that sort of stuff. So I really think it's what's the overall corporate strategy? How do you map to it and be able to talk in terms of business concerns? And then how are you going to staff the people needed to act on all the promises that you're going to make to the business about helping secure and minimize risk?
“We don't do security for security, we do security for our business.”
Lindsey O’Donnell-Welch: How can organizations pinpoint gaps in their existing security programs?
Rick Holland: There's a top-down approach, which is the first step. If I was a new CISO, in the first 100 days, it's like here's a moratorium on spending. And we're going to evaluate all the technology that we have in our stack. And one of the lines that I came up with when I was at Forrester and I have implemented it in my practices, I didn't call it defense in depth, at Forrester, I called it expense in depth, meaning people will just buy more junk, typically technology; instead of investing in people, they're buying the latest whatever it is at RSA, Black Hat. What we should be doing is looking at our overall technology stack, understanding what the business wants us to accomplish, what the threat landscape looks like, and then actually measuring the controls that we have in the environment. And how well implemented are these controls to start with? And if they are implemented are they doing what we expected of them? So a health and welfare check on all of the existing technology that we have, looking for overlap, this ties into the expense in depth. You have one solution that does maybe 40 percent of what you need, and then you go out and buy another solution that does 60 percent and then you've got this overlap. So understanding where's the overlap, where you don't need overlap, is really, really key. And on top of that, the platform play - I mean, we've been talking about single panes of glass for maybe 20 years there - but I would make the case that for most organizations, I'd rather have maybe a B, that's a platform that I can implement across my environment, and it reduces complexity and enables people to work more effectively, I have tools that you can get enrichment natively, that sort of thing - versus going out and buying a bunch of point solutions, Best In Breed point solutions. Because I may have an A plus. But if it's not integrated into my stack, how's it going to help me?
I think the platform that's effective is a better thing for most of the companies out there, because pragmatically speaking, you're not gonna be able to keep the people to run all these individual point solutions long enough.
Lindsey O’Donnell-Welch: How has the job of CISO evolved over time?
Rick Holland: It's a joke from my Forrester time of like "Big C," "little C" CISOs, where there's a lot of people that have a CISO title, but they don't have a seat at the executive table. And it's almost like, Thanksgiving's coming up, and you got the kids' table. And the adults are at the adults' table, and how many CISOs are "little C" CISOs at the kids' table? If you look back - certainly in my career and career trajectory - a lot of folks were focused on the number of vulnerabilities, the number of anti-virus hits, or the number of NMAP scans, or, insert whatever super tactical security metric that you could, and those were getting presented up the chain of command. So the CISOs have almost relegated themselves as the technical person that really doesn't get what I was talking about from the top-down and understanding the business goals, and then mapping controls to it, and then trying to have outcomes and metrics that are aligned to the business versus outcomes and metrics that are aligned to this API security implementation or this new cloud access security broker, whatever the case may be. So, we've relegated ourselves in many cases to the non-technical role. We've been shifting - in fact, you've had the "BISOs" come up - as in the Business Information Security Officer - and part of that also comes up in large organizations with lots of functional units in it. And you're going to be the BISO for this division. And you're still going to roll up to the global CISO, and that sort of thing. But in many ways, I think the rise of the CISO has illustrated the technical and wrong focus that many CISOs have historically had, and now trying to shed that perception. We can be a business partner and understand what the company is trying to accomplish.
“I would contend that opportunistic ransomware should probably be at the top of most companies' threat models.”
Lindsey O’Donnell-Welch: What top security advice would you have for organizations just in terms of how to better secure themselves, or if there are any measures that they can take either culturally or organizationally around security?
Rick Holland: Well, I think one we touched on is just empathy, I think, across the whole program and for the people that we're trying to protect and enable. There's probably two other points that I would make: One, it's not rocket science. And it was far easier for me as an analyst in the ivory tower at Forrester to say, do the basics, versus implementing the basics, because as a practicing CISO, the basics are not easy; rolling out multifactor authentication across an entire organization globally, across all apps, that's not a small feat. But it is the foundational types of things that raise the bar for the attackers that are out there. So multifactor authentication is obviously one; patching is another one, but you could say, "Hey, Rick, the 90s called, I mean, this is the exact advice that you would have had in the 90s. And it's true." But it also illustrates just how hard it is to do these things in a very heterogeneous environment. You know, it'd be one thing if you're a cloud native, and everything's running in AWS, and you can account for drift, but the reality is companies are very disparate, they grow from M&A, they have complex supply chains. It's very difficult to do the basics, but we shouldn't give up on the foundational things, right.
And the third one is - and we see this a lot because we track cybercriminals at Digital Shadows, and we track the ransomware actors, and we track the initial access brokers - but they're getting in from unpatched public-facing things. We can be on the hamster wheel of patching the rest of our lives. But there's certain things that we do need to patch and the external stuff has got to be patched. Microsoft Exchange on prem is a really good example, adversaries have been abusing that for you know, since Q1 of last year. So patching the external services, and not having things like RDP public-facing, put it behind the VPN, because the adversaries are looking for low hanging fruit. And if you have an unpatched Citrix server, a Juniper SSL VPN, a Microsoft Exchange server, people are gonna go after that. If you have RDP, or anything that has a login portal that is exposed to the internet, it's trivial for adversaries to buy credentials to your environment, and then they can just start running all those creds through to see what gets in their initial access. So it's a little bit of both. One, top level is empathy, then, the foundational stuff, but know that that's a long journey, and we shouldn't give up. And then very specifically, is trying to reduce your attack surface to make it that much harder for adversaries to get in.
Lindsey O’Donnell-Welch: What are the top security threats that are keeping you up at night?
Rick Holland: I would contend that opportunistic ransomware should probably be at the top of most companies' threat models. So that's definitely one; if you're in different sectors, you'll have different actors that target you, but certainly, that one is big. And then I just think the complexity of the attack surface. We have so much to defend. And if we're able to again, if you take that approach where I was talking about like the crown jewels analysis or like the retailer that wants to protect their rewards program, understanding the systems that are most important to your business and focusing on protecting them because we can't protect all the things, but if we can protect the 20 percent of our environment that is most important and essentially sacrifice the rest if need be, at least we still protect that 20 percent crown jewel.