Event Recording

Greg van der Gaast: The Future Role of the CISO


Thank you very much. So, as you mentioned, I actually titled this presentation Rethinking InfoSec. It's basically a combination of ideas that I like to present to the information security industry and practitioners about how we could maybe do things differently. So I'll start by introducing myself. I'm Greg van der Gaast. I've been doing this for 23 years. My phone provider still lets me have the under-30 plan because they don't realize how old I am. I started out as,
Can you, can you hear me? Sorry, can you, we do see a, a window in the middle of your presentation. Can you do something about
It? Oh apologies. Apologies. Apologies. It's my preview window, which is going into the main of
The bay. Oh right. That's much better. Thank you.
Right. Sorry about that. So yes, I started out as a teenage hacker, as you mentioned. Basically what happened is, I think I was 15 or 16 years old and I saw the movie Hackers, and there were some hackers in there and he wound up with Angelina Jolie. So I thought this is something I should investigate. And I Yahooed "hacking", because Google didn't exist yet. And I learned about Linux and operating systems and downloaded them. And about a year later, I was part of this group of teenage hackers called milw0rm. And yes, we did end up hacking a nuclear weapons facility, not very long after they did some live atomic tests. So there was even the United Nations Security Council talking about us, which was quite interesting. Not too long after that, I moved to the United States, so I was visited by some men in suits.
These men in suits from the Defense Department and the FBI made me a job offer that I couldn't refuse. They were quite specific about the "couldn't refuse" part of this job offer. And I spent the next three years working undercover for the government, and the biggest takeaway there is, in addition to the breaches I may have caused earlier on, I was exposed to a lot of breaches, and it was quite interesting to observe what actually led to the breaches. Because you had a lot of organizations with a lot of security spending, security programs, security accreditations, but they were still getting breached. And that shaped my thinking about how to secure things a lot. After 9/11, I was being asked to do more interesting stuff. That was a little bit too interesting for me. So I went off and I worked for NATO for a little bit.
I did the in-field communications networks for Casa and Afghanistan. I became the head of security architecture for CGI, which is Canada's largest MSP. I worked for a number of startups as well. And I went into contracting for a while. And this is where I did, you know, the usual thing of writing policies and getting companies ISO compliant and implementing firewalls and intrusion detection and other security technologies. And it is by far the most money I've ever made in my life. It was ridiculous. And in hindsight, it was also the lowest value security work I've ever done. Later on, at some point I was put in charge of creating a global security framework for a Fortune 500 company. And that's when I realized I need to actually create something that's going to work, because I'm responsible for it, and started kind of making these clean-sheet information security programs, which is something that I advocate and I train other people in. As you said, I'm the author of a book called Rethinking InfoSec, which has some concepts that I'll hint at here.
And I'm quite well known as being absolutely fanatical about being proactive and engaging the business to really make information security that works. So I just want to set the stage about information security today. We see a lot of adoption of detection tooling. We need more and more staff. We have the cybersecurity skills gap. There's more pressure on the skills market. The salaries are increasing. We just can't find the people. So we talk a lot about automation. As I think the previous presentation hinted, the stress levels are increasing. I can certainly vouch for that. And yet the number of incidents is increasing. And the scale of incidents is increasing. And I've taken this graph here, and there are many, many more that you can find like it with Google.
And in blue, you see the increase in security spending. Now what's interesting is it's not just increasing in absolute terms, but it's increasing in terms of percentage of IT budget and total company budgets, which is not sustainable. We cannot just keep spending a higher and higher percentage of the company's resources on security, especially when the net effect is not a decrease in how much money we're losing to breaches; the losses are actually running away from us. So clearly something about the approach isn't working, and the industry's solution to this is spend more money, do more of it until it works. And that's quite profitable, but not necessarily good if you actually want to create assurance. And why is this happening? So one of the analogies I use is the car factory. So imagine you're standing on the street. I understand you're in Germany.
So you have several excellent car factories to choose from in this analogy. And imagine you see sheet metal going into the factory and all the parts, and the sheet metal gets stamped into body shells, and all the engines and transmissions and interiors and suspension, everything gets bolted on on the assembly line. And then the cars get pushed into the parking lot. However, they get pushed from the third floor. So all these beautiful, shiny, perfect cars crash into the parking lot, all smashed to bits. And then the people in the parking lot quickly move it aside because more cars are coming, squish, squish, squish. And for each of these cars, they set them aside. They create a workspace, they assess it. They determine what's the damage. What part needs to be replaced? What's the procedure, the order of dismantling, of fixing this part? What tools do we need for that?
How do we prioritize the repairs? How do we make it so we're not stepping all over each other? What tools do we need? Let's create a quality management framework to make sure that we're doing all this right. Let's get some vendors in and some consultants that maybe teach us better ways of doing this or sell us better tools. And before you know it, you have this incredibly sophisticated, mature industry in this parking lot, employing tens of thousands of highly skilled technical workers. And that's my analogy for the security industry. And the interesting thing is very few people are actually taking a step back and wondering, well, why don't we just fix the assembly line? So I think what we need is fewer of these highly technical skills and more kind of fresh eyes to look at the problem. Because we talk a lot about diversity, at least in the UK we talk a lot about diversity in information security, but the fact is you could have the most wonderful, colorful, multiethnic background in the world, but then we tell you exactly how to work.
We indoctrinate you, before we'll give you a job in security, to work exactly like us. And one of the successes I've had, and this is mentioned in the book, is people that everyone says do not have the skills to do security, are not qualified. I hire them, because I can take a 10-year CISA, CISSP veteran who costs me a hundred thousand euros per year, put him on the ground, and the first thing he's going to do is hit the ground running, run straight to the car and start changing radiators. But I can take a 21-year-old, straight out of university, zero education, zero knowledge of cyber, and the first question he asks me is, why are we throwing the cars down from the third floor? And that's why strategically a fresh perspective can be a lot more valuable than the way we're currently doing things.
And one thing that interests me a lot is these highly sophisticated cyber attacks that we keep hearing about. This is a headline. I think it was the Daily Mail newspaper here in the UK. So again, another highly sophisticated cyber attack. And when I first saw this, I jokingly said, I bet you it's SQL injection from 1998. It was SQL injection from 1998. There's nothing sophisticated about most of these attacks. Some of the ways in which they're monetized or exploited, or the techniques to escalate privilege or move around or to leverage a breach, have changed. But the actual ways of getting that initial foothold, the actual thing that starts that kill chain, as we call it, tends to be the really simple stuff. It's a lack of asset management. It's a lack of patching. It's poor software provisioning, poor access rights, poor code review, no architectural standards, very simple stuff.
The key to doing security well is not incredibly sophisticated next-gen AI, blockchain, whatever. It's do the basics well. Do the basics holistically and sustainably, so that you have a wall that goes all around the village, has no gaps in it, and is maintained at that level. It only needs to be about a meter and a half high, and you'll keep everyone out, because that's a lot more effective than building one that's a hundred meters high but has gaps in it or only covers half the village. And what you need for that holistic approach is a level of care and engagement and curiosity and proactivity that we don't see very often, because more and more we're becoming a very technical discipline, very SecOps, very after the fact, very detect and respond. And we like to hide in our big dark room with all the monitors in it, which is fantastic when the World Cup is on.
But in terms of security, it's not that effective. So an example I give is when I was a teenage hacker, I would wake up in the morning, well, around noon, pour myself a bowl of Cocoa Puffs and build myself a machine, load up OpenBSD or Linux or FreeBSD, harden it, patch it. And then I would dial up onto the internet and go into internet chat rooms full of hackers. Now I had a public IP address directly on my system. I had no EDR. I had no firewall. I had no anti-malware. I had absolutely nothing. And I would antagonize all these hackers and I would see them connecting to my system and trying everything they could, and nothing happened. I had no security technologies at all, and yet the system was inherently secure because it was built properly. And that to me is what real assurance, what security should be about, instead of trying to do things further downstream and catch the things that only happened because we didn't bother truly securing the system.
We talk a lot about resilience nowadays, but it doesn't actually mean resilience, because we use the word resilience as recovery, which means you weren't resilient. You're recovering from something. And that I think is a real issue. We have to understand how things actually work. We have to get involved upstream to actually fix these processes. Now I'll skip this because I know we're tight on time, but we know you can scale the system. I understand that it's more complicated now and there are more dimensions. It's not just tech anymore either. It's not just the machine, the network, more machines, servers, all that stuff. There are business aspects, political aspects, cultural aspects, human aspects, which you can scale, but it requires understanding your organization. Understanding what people do. Instead of going through a checklist on ISO or N, go through your org chart, find out what people do, where is the data, who uses it?
What systems are involved, and build your protection, build a framework around protecting that. You can map it to ISO later on. It'll be very, very easy actually, but it's very important to get engaged and build the relationships within your business to actually know what's going on. And that's where the fanatical engagement comes in. Real proactivity, helping people, caring, showing interest, having people become your eyes and ears. Building relationships, having the traction to get involved in things, doing what's valuable for you and not just the best practices. That's, if you build security into your business, it will always be there, as opposed to, if you build security afterwards and try to bolt it on, it'll be the first thing that falls off. We'll talk about the importance of ownership and what I mean by that in a couple of slides. So one saying I hear a lot is, you have to get it right every single time.
We, all the time, and the attackers only have to get it right once. Well, this is why it's actually so important to be holistic and sustainable, as opposed to throwing a bunch of SecOps detect-and-respond resource at problems, because most of these organizations that get breached, many of them will have spent tens, even hundreds of millions of dollars or pounds or euros in security operations. But they'll be compromised because they missed a machine, because they didn't have good asset management, or there was a machine that didn't get patched, or there was a machine that couldn't get patched because there was no architectural standard when it was created. Now it's unmaintainable. There's a Sun Tzu expression that says, know thyself, know thy enemy, a thousand battles, a thousand victories, which is simply: if you know what's out there and you know what you have, you know how to protect it and you'll be fine.
And the reality is, if you look at it the other way around, if you secure a vulnerability, if you eliminate the existence of that vulnerability, that will foil a billion of the enemy's attacks against that vulnerability. So we have that home field advantage, but we're not leveraging it. You often hear that the attackers know our network better than we do. And that's telling, because we're actually there. We should know more than the person outside. We're not exercising enough engagement to get that knowledge that allows us to then protect it in a holistic fashion.
And I'm bouncing from side to side of it. But one thing that I think is very important to mention is culture underneath it all. We like to talk about tech and make security sound like it's about tech, but ultimately it's about culture. And we tend to appropriate words in security. I don't mean user awareness. When I say culture, I mean leadership culture, culture of care, culture of engagement, culture of altruism. These are very important things. So on the left is a bar diagram. It's not the actual bar diagram I got, but it was something very similar to it. When I started a new role, it was a maturity assessment. There's 12 areas. And this is how our maturity had been rated by an outside assessment firm. And I immediately told them, you know, there's some good areas, some poor areas. I told them, no, I don't believe this graph.
I think your average maturity is about a one or two, something like that. And they said, well, no, that's not possible, because look, we have eights. We have tens. We have sevens. If you do the math, we're about a five and a half or a six. And I said, that's simply not possible, simply because an organization that scores a 10, that has that level of care and engagement to do something to absolute perfection, there is no way that in another area they'll do a terrible job of a one next to a 10. It just doesn't happen. Culture tends to be something very consistent. And sometimes I don't have the opportunity to see, like with a third-party provider, I don't have visibility into everything they do. But if I can tell that the third party is being attentive in one or two areas, it's reasonably certain that they will be attentive across the board.
And sure enough, on the right, a year later, once we had better visibility, same organization, you can see how consistent the maturity is across the silos. So where they were seeing tens, it was simply because they hadn't dug deep enough and they didn't realize what the underlying issues were. And this also goes to show, to me, that most security metrics are terrible, because they're full of arbitrary bias and they're based on knowns and misconceptions and half-truths, and you're just lacking visibility. It's very, very important to both understand the technical details, but understand that culture ties them all together. Oops, earlier I mentioned ownership, and ownership is something I'm going to rush through now. Imagine my apartment's constantly getting flooded and my floors are ruined. Now this is obviously my problem, but we in security often argue, well, that's not our problem because it's coming from upstairs.
And we then say we're powerless to fix it because it's coming from upstairs, and you're right. But instead of hiring a thousand people to sit in my apartment with buckets, trying to catch the water whenever it comes, I could just go upstairs and talk to them with a nice bottle of red wine. And if I have to, I'll pay for their plumber to fix their pipes, just so that I don't have to deal with the issues downstream. And this is something that we tend to buy more and more and more security solutions for, to address gaps in business process and IT process. In my last role, 95% of the security spending went to IT operations to help them optimize how they worked, so there were fewer gaps and fewer security issues for us to deal with. So it's really to take that ownership of a problem, even if it's not officially our problem, because the end goal is not to spend the company's money; it's to save money, to do the best thing for everyone. Strategic importance: everyone's trying to fight fires.
And instead I think people need to realize that everything in your environment slides over time. After five years, 10 years, 20 years, all of it will be gone, and you can fight fires with what you have on the table, or you can try to fix the pipeline. So make sure that everything that comes out of the pipeline is in good condition, and everything that comes out of it will then slowly, over time, displace everything else, because everything you're fixing right now that's already in your environment will be gone in five years anyway, probably. So always fix the pipeline. And the analogy I always use is, you know, the village at the base of the dam is flooding and people are taking their televisions downstairs and bringing them upstairs. But the dam's going to break tomorrow and the entire village is going to be lost. So forget the TV, let the TV get ruined, and go to the dam and fix the dam. And this is very important in terms of prioritizing. I'm a little bit short on time, so I'm rushing here. Apologies. So the end game for me is holistic and sustainable assurance. I'm back to the analogy of walls. It has to be consistent. It has to be all the way around, and you really have to focus on doing things.
