Wendy Nather, who leads the Advisory CISO team at Cisco, talks about the shift of security from a control organization to a service organization, the “security poverty line,” and other major challenges that CISOs are dealing with. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.
Lindsey O’Donnell-Welch: Talk about how you got your start in the cybersecurity industry and particularly as a CISO.
Wendy Nather: I was a liberal arts major and I started doing some things with word processing on computers as side jobs, and so I ended up going into tech as a technical writer and then became a system administrator. At that time, the private options trading firm that I was working for was acquired by a Swiss bank, so I moved to Zurich to work on a large relocation there, and was put in charge of the system administration team. When that was done, the Swiss bank decided to outsource its IT operations, and I was put on a task force to try to figure out how we could do that without violating Swiss banking law, which involved protecting data, especially customer data, inside of Switzerland. When I finished work with that task force they decided to put me in charge of security for the AMEA region, and they moved me to London. So that’s how I got into security, I was “volun-told.”
At that time, this was the mid-90s, there was no CISO title, as such. I was a director of information technology, and I was in charge of security for the region. I don't know if you would call that a CISO thing or not. I reported to someone who was in charge of security globally for the investment bank. But he didn't have a CISO title either. So I don't know where you want to draw that line. After I came back to the States, I moved back to Texas, and I took a job running security for the Texas Education Agency. And they called me an information security officer, or ISO. Again, I was the one in charge of security, but I don't know if you want to call it a CISO position, it probably would be called the CISO position today. But it wasn't at the time.
Lindsey O’Donnell-Welch: Could you tell us a little bit about your current role as advisory CISO and what that entails?
Wendy Nather: When I was in charge of security for the Texas Education Agency, I did that for five years. And then I became an industry analyst. I worked for 451 Research, which is now part of S&P Global. And within a year, I was in charge of the team. So I was the director of the information security practice. And I did that for five years. So I talked with literally hundreds of security vendors. After that, I helped to stand up the retail Intelligence Sharing and Analysis Center, the retail ISAC, and I was the research director for that. And from there, I came to Duo and had to figure out what I could do, how I could contribute to the mission. And what I ended up doing was bringing my perspective as a former CISO and research director and analyst to bear, to help all the different aspects of what Duo was doing - engineering and design and marketing and everything. And so I had to come up with a title for that. And they asked me to hire more people to do more of that. So I built a team and called it the advisory CISOs. So all former practitioners, and security executives, who use their background to advise both inside and outside of the company.
Lindsey O’Donnell-Welch: When you've been talking about your career, it seems like you have a lot of experience around different sectors like retail, like education. How has dealing with a diverse variety of sectors shaped how you deal with different security issues?
Wendy Nather: It definitely has helped to have experience working with different sectors, because the constraints and requirements and driving motivators for each type of business are very different. So it really helps - if you're taking a generic solution, and trying to apply it to a sector - it helps if you know, this is never going to work in this particular circumstance, or you can try to do this, but they're going to push back on it because this is culturally not something that they tend to support, or these organizations don't run their own networks, so you're not going to be putting any firewalls in. And things like that. So definitely having a broad set of experiences helps. If you look at Helen Patton, who's now the [Cisco Security Business Group] CISO, and she was part of my team before that, she used to be the CISO at Ohio State University. And you would think that’s just higher education, but it's not because they also have a hospital on site, they had a hotel, they had a nuclear reactor, they had an airport. So they had basically everything that you would need to secure for a small city, and she had experience trying to secure all of those things. So the background is very important.
Lindsey O’Donnell-Welch: What are some of the biggest lessons that you have learned from your experiences in the cybersecurity industry so far?
Wendy Nather: Probably the most important thing I learned was that security is done by people, not by technology. And any technology that you try to implement in an environment is going to be either helped or constrained or both by the people involved. So it's people who operate it, people who run it, people who either understand it or don't, depending on how well it's designed. And you need to be able to motivate those people to work with you because you can't do everything by yourself. So running security is one of the hardest social engineering tasks that you'll ever see. If you get 1,000 people to click on a link, I'm not impressed. But if you get 1,000 people to stop clicking on links, then I will be impressed. So even though it seems like it's a technology role - and you do have to understand the technology - you have to understand more about how people are going to understand it, use it and apply it.
Lindsey O’Donnell-Welch: That's such a good point. Cybersecurity comes down to human nature - it's human nature to click an email, to click a link in an email, if you think it's from your boss or from someone in PR, for example.
Wendy Nather: And then you start asking yourself, well, why am I fighting so hard to get them to stop clicking on things when clicking things is what you're supposed to do? That's what the internet is for. And so you start thinking about, well, why am I trying to get people to stop doing the natural expected thing? Is there a better way to do this? And then you start thinking about, well, let's go back, and question all our fundamental assumptions and think about how we can design things better.
Lindsey O’Donnell-Welch: How has the job and the role of CISO evolved over time, either in terms of responsibilities, or how CISOs are perceived by others across the organization?
Wendy Nather: I think the most important fundamental shift has been that security used to be thought of as a control organization, and it would operate as one. So any employees that use technology, they would be subject to all of the rules and policies that security made up, and they would be enforced and everything. And because the only technology you used was what your employer gave you, there was a very straight line there for control. And that has completely changed. Now, organizations need security to be a service organization, not a control organization. And security needs to approach it that way. Not that we're going to make the rules and enforce them. But we're going to negotiate with what the business needs security to be. And we're going to help them implement security in what they're doing. So it's a very different way of looking at security.
Lindsey O’Donnell-Welch: Could you give an example of that?
Wendy Nather: One of the most common ones is the business wants to roll out something new - either it's a new process or a new application or something - and it used to be that they would have to go and ask for permission from security to do this, and security would examine it and go “yes or no,” and security could stop it, because they controlled everything. Today, our technology is so widely dispersed and consumer friendly and set up for any kind of procurement with a credit card. Security has no visibility or control over what the business decides to do. So it has to be a peer-to-peer relationship, where the business hopefully comes to security and says, “we would like to do this, what's the best way to do it?” And security says, “well, what are you most concerned about? Here's what we can think of, let's talk together about what safeguards we can put in.” And there are some things that only the business can do. And there's some things that security has to organize centrally, and put into effect. And so they have to work together to do that. So it's much more of a negotiation, but the business can go out and do whatever they want to, and security may not necessarily even notice it or hear about it until it's been breached, and it's way too late. So it's security's job to rework the entire relationship between security as a service organization and the business that it's serving.
Lindsey O’Donnell-Welch: Is that a big challenge right now for organizations, or is it something that CISOs and leadership teams are actually getting better at, that they're starting to embrace?
Wendy Nather: It depends a lot on the culture of the organization. In very high discipline organizations like the military, it's still very much a control organization, a control function, and whether the people who are affected by it like it or dislike it, this is the way it's going to operate. Or in financial institutions, you're still going to see a lot of security policies being enforced because they have to be, because money is at stake. But in many other areas - especially in high tech, where the cultural focus is on innovation, and being able to move fast and break things - that's where you will see all areas of the business moving fast and breaking things, without necessarily any regard for security. So I see a lot of security personnel in those areas struggling to catch up with what the business is doing, trying to find out what they're doing, either looking through procurement and credit card records to see what the business has just started paying for from the cloud and figuring out what they're doing with it, or tracking network traffic, doing packet captures to try to figure out what their infrastructure is communicating with and why. So it can be a real catch up game for some organizations. In more mature organizations, regardless of where you are, I see CISOs being pragmatic and sitting down and going, “Okay, this is a partnership now, how are we going to rework this relationship so that we all know what we need to know, and we talk about the important things?”
Lindsey O’Donnell-Welch: That’s the sense I'm getting when talking to different CISOs, is that it should be a partnership, and that communication is a top priority - being able to communicate the business risks, and what's a priority for organizations and what needs to be secure.
Wendy Nather: It really is. And you still see a lot of situations where a CISO will go to a chief operating officer and say “we really need to buy this to secure our users.” And the COO may look at it and say, “Well, you know, I don't disagree with you. And this sounds like a really good idea. But we're not spending the money on that right now.” And so what can the CISO do? There are business priorities that you can't override. And so that's an ongoing challenge for CISOs, no matter where you are.
Lindsey O’Donnell-Welch: You mentioned culture earlier, too. Can you talk a little bit about security culture - what that is, first of all, and why it's important for an organization?
Wendy Nather: Part of the culture that affects security at an organization is just the business culture. And that can be something like in retail, for example, or in hospitality, you never disrupt the guest experience. That is a big maxim. So anything that's going to create friction with your customer wanting to stay at your hotel is a no-no. So that's why you don't see a lot of multi-factor authentication in programs in hospitality, because it's seen as something that disrupts the guest experience, and if the guest doesn't like it, they'll go someplace else, to another brand, and they won't come back for six or seven years. There's the type of culture that says, “well, we're a security company, and we better be good at security ourselves. Otherwise, we can't sell what we do.” So that will be a motivating argument for a lot of security initiatives. On the other hand, you have healthcare where the most overriding priority is to save lives. So if you have to open up a system and get rid of the access control in order to save a life, you're going to do that. So security has to take a back seat. So it all comes down to where the trade-offs are, and what your business culture tells you those trade-offs need to be, or usually are. And so as a security person, you have to work on fitting your security imperatives to that business culture, because you can't walk into healthcare and say, “I don't care, I'm going to be putting multi-factor authentication on all of this medical equipment and we're not taking it off.” You won't last very long.
So part of security culture has to be, “well, I know that there is something that's always going to take priority over my security requirements. And so how can I mitigate that? How can I live with that? Can I build a security culture that is more about reporting things, rather than preventing things?” If we can't prevent things, what can we detect? What can we convince people to notify us about, and to cooperate with us about this? And if you can sell that to all of your employees, that's the most useful thing you can do. Because the best thing that's ever happened to me is when a co-worker has come into my office and shut the door and said, “I think there's something you need to know.” So that's the sort of security culture, in general, you want to be building up within the context of what your business culture is.
Lindsey O’Donnell-Welch: How do you even start to do that? I imagine there's a lot that goes into trying to understand the business process and talking to different people and listening to what they need.
Wendy Nather: A lot of it is just as you said, talking to people, finding out what they need, finding out where the “go” and “no go” areas are. “Can I try this?” “Oh, no, that would be terrible, nobody would go for that.” Or “we tried this once. But it didn't work. And this is why it didn't work. So try it a different way.” So you have to learn the business really, really well. You have to build good relationships with people. Everybody who needs to implement things on your behalf, or who simply is using them, understanding them, can have some sort of feedback to give you, especially if it's a user who is non-technical, who has their own experience with what you're trying to implement, and has something to say about it. That's really important. So you spend a lot of time building relationships, looking at the technology, looking at the operational processes and going, “do we even know what we have?” Because a lot of times, the answer is no. Or, “we have 15 of this database. Why?” And trying to figure out whether that's something that you can fix, because the security drive is always to simplify, consolidate and mitigate. So you just keep working on all of those things, and try to lay out a battle plan of what can I start implementing that's going to create the least friction? What's cheapest? What's easiest? What helps to mitigate our risk the most? And there can be different answers to all of those. So you sort of have to lay things out and go, “Okay, here's what I can do.”
Lindsey O’Donnell-Welch: When you talk about connecting to different people in the organization, are there specific relationships that are important to tap into for a CISO?
Wendy Nather: Usually, both top down and bottom up are good approaches, in and of themselves, for different reasons. And so you really need to do both. You need to have the buy-in, above you, and at your peer level for what you're trying to do. But at the same time, it really helps to go and get to know people in different departments who have different experiences, operating or implementing security, or simply being affected by it. And it's really good to find out who is influential in each department, and sort of get those linchpins on your side, because they will help affect and influence the other people in their departments. So if you can get champions for your cause at every level, first of all, they're going to give you different feedback because there are different levels and they will have different experiences and that's all valuable, but also, the influence that they're going to have on their coworkers is invaluable too.
Lindsey O’Donnell-Welch: When you're looking at building an effective cybersecurity program, what are the most critical first steps for organizations?
Wendy Nather: There's a pyramid that I've drawn in the past that shows the most basic stuff that you need to do, and going up to the top of the pyramid, which is where your security controls are, and you really need the fundamentals in place before you can make good use of security products. And the first one is really to understand and identify what you have. And it sounds really simple, but it's not, it's one of the hardest things that organizations have to do, particularly since half of the infrastructure we have right now is outside of our control. We're working and sharing data and applications and networks with partners. We have customers or third parties that are using our resources and affecting them. And so finding out what we have, and defining whether it's ours or not is much harder than you’d think. Which is why we've seen startups like Bit Discovery that popped up to try to address this problem.
The next thing is once you know what you have, to be able to control changes to it, either to stop people from making changes when you don't want them to - and that's also part of keeping attackers from making changes to it - but also, you need to be able to make changes swiftly and efficiently when you do need to. And so those are two sides of the same coin. Either we need to turn this on, or we need to turn this off, we need to move this, we need to replace it. Being able to make those changes, and control them, is the next level. Then the next level up is understanding the risks that you have. So going through threat intelligence, finding out from your peers what they're seeing, determining what your most important assets are, and not just what they're worth to you, but what they might be worth to an attacker, because sometimes they're very different. So understanding your threat landscape and your risk is the next level. And finally, once you understand all that, then you can start getting security products in and actually using them. Because if you're using a scanner, for example, and finding vulnerabilities, but you can't fix anything, because you can't influence changes, then that vulnerability scanner is not going to help you a lot. So a lot of the fundamentals for a security program aren't seen as security, but they're vital to being able to do good security.
Lindsey O’Donnell-Welch: Is supply chain changing how CISOs are looking at their threat environment at all?
Wendy Nather: Yeah, the supply chain has always been a problem, or always been an issue. And it's just gotten very prominent because of some of the bigger breaches recently. But CISOs have been struggling with this for a long time. It has gotten worse because of the decentralized nature of our infrastructure and because of the ecosystem in which we are working, where a lot of times partners use each other, competitors also partner, and use some of the same things or supply things to each other. And so it's a big web of responsibilities. It's not really a chain where you get all the way to the end and you stop, like there's a supplier who gives you something and then you give somebody else something, you're passing things in different directions. Or you're all using the same components that came from someplace else and you all sit around and go, “well, this one has a vulnerability now what do we do about it? Who's going to fix this? Does anybody know who's supposed to be fixing this?” It’s not a hierarchy anymore where it's very clear who's supposed to be responsible for what.
Lindsey O’Donnell-Welch: What concerns you the most right now about the threat landscape?
Wendy Nather: You know I’m going to have to go towards the security poverty line. Ever since I worked for state government and started my job with a literal budget of zero, and no people, this is the biggest challenge that I see for organizations of all sizes, because there are so many dynamics that play into how you operate security. It’s not just a matter of having enough money. It’s also being able to have people in place that have the experience and skills to know what to do. There’s being able to do things in your environment despite the constraints that you have, and then there’s the influence, being able to control the security of those suppliers that you’re dependent on. All of those things are much harder for organizations than we realize. And it’s because those organizations are not going to get up on the stage at RSA and say “hey, we’re having problems with this.” No one’s going to talk about that. But if I talk about it, people will come up to me after and say, “yeah, that’s us, don’t tell anyone.”
So it’s a widespread problem that we need to address, and it’s not a simple one. We can’t go on just scanning and scolding organizations and telling them “you must not care very much about security,” or “why aren’t you spending more,” or “why didn’t you understand this,” or “this was so simple, how could you have messed this up?” Those are not helpful questions to be asking. The questions are, what dynamics are in place, both systemic and individual, to an organization, that are keeping them from being able to execute well on security, and how can we help with that? Every organization that is breached now affects a lot of us. Even those of us who have never heard of that organization are affected by a breach someplace else. We are all realizing that we need to be responsible for one another. And we have to help out. That is the biggest trend, above and beyond the threats - threat actors will come and go - but if we can’t solve these dynamic problems of security, it doesn’t matter who is attacking us, we’re not going to be able to do anything about it.