CISOs On the Tight Rope Balancing Act- An Interview with Simon Gibson, CISO at Gigamon


INTERVIEW WITH Simon Gibson, CISO of Gigamon:

CYBER SECURITY DISPATCH: SEASON 1, EPISODE 11


Show Notes:
On today’s episode we are joined by Simon Gibson, CISO of Gigamon. We chat with Simon at the
RSA Conference about his background in cyber security and his experiences in the different
realms of the security world. As a former employee of Bloomberg and AOL, Simon has built
skills in varying positions at contrasting companies, something he believes is vital to the
flexibility of a good CISO. Our discussion covers the knowledge he has accumulated through these
years of work, the rising importance of data in the security sector, cost considerations, and the
ethical concerns and responsibilities of companies with regard to their clients. We also chat about company hygiene and best practices for preventing risk from accumulating. The conversation ends on the position of cloud services and how this may alter the job of a CISO, before Simon looks back at some highlights and lowlights from RSA Conferences of the past.

Key Points From This Episode:

  • Some of Simon’s background and the areas in which he has worked.
  • The work Simon did at Bloomberg and the role of financial services in security.
  • The rising value of data and how this fits into an organization’s security.
  • The continuous role of a CISO in maintaining security over time.
  • Balancing risk preparation with cost effectiveness.
  • Easy ways to make sure your company is not needlessly exposed to attack.
  • Matching your security practices to your company and its customers’ needs.
  • Disclosure of bugs and vulnerabilities to clients.
  • Taking responsibility for the risks you may be aware of within products.
  • The danger of incremental risk and putting an end to this growth.
  • The dimension that cloud and multi-cloud adds to these security concerns.
  • Simon’s perspective on the history of the RSA conference.
  • And much more!

Links Mentioned in Today’s Episode:
Simon Gibson on Linkedin — https://www.linkedin.com/in/simonhg
Gigamon — https://www.gigamon.com/
Gigamon on LinkedIn - https://www.linkedin.com/company/gigamon/
AOL — https://www.aol.com/
Bloomberg — https://www.bloomberg.com
RSA Conference — https://www.rsaconference.com/
DTCC — https://www.dtcc.com/
Microsoft — https://www.microsoft.com/
Webex — https://www.webex.com/
Blue Jeans — https://www.bluejeans.com/
Facebook — https://www.facebook.com/
AWS — https://aws.amazon.com/
Chef — https://www.chef.io/chef/
Spectre and Meltdown — https://meltdownattack.com/
HITRUST — https://hitrustalliance.net/

Introduction:
Welcome to another edition of Cyber Security Dispatch; this is your host, Ashwin Krishnan. In this episode, CISOs on the Tight Rope Balancing Act, we speak to Simon Gibson, CISO of Gigamon and former CISO of Bloomberg, about his unique experience as both a security practitioner and a vendor. He offers great insight into what CISOs are faced with today and, from his current role as a CISO at a vendor, advice on how vendors can bridge the gap between what they’re selling and what customers actually need using innovative approaches.

TRANSCRIPT

[0:00:37.8] Ashwin Krishnan: Thanks for joining me today. Simon Gibson is my guest and again, this is another of our chapters in the Cyber Security Podcast series; in this case, we call it Cyber Security Dispatch, which is the name given to this podcast series, and what we typically do is get industry practitioners in security, both in the enterprise space as well as the vendor space, to talk to us.
Luckily for us, Simon has actually straddled both the vendor side of the house as well as the security practitioner side, so it’s an interesting discussion. Why don’t you talk a little bit about your background and then we can get started.
[0:01:12.8] Simon Gibson: Yeah, thanks for having me. It’s day one of the RSA Conference, I’m getting my bearings and sort of just getting familiarized and going to the keynotes and the floor. I’ve been working in infosec for about 20 years and it started way back working at AOL and trying to secure music for DRM, and then moved from there to sign where we were working on. It had lots to do, there was an extra cell business but there was the con that DNS resolutions.
We were building up scale for com net resolution and then finally, I went to Bloomberg and was the CISO there; I was there about nine years. When I left to come back home to California, which is where I’m from, I got some advice, which was go learn the vendor side.
“You’ve only been on the practitioner buy side, you’ve never sold, you don’t have enough appreciation for that, go learn that, it would be good, you know? Round you out a little bit.” I wound up at Gigamon now, where I wind up doing about one third building in the same practitioner role: we still use Gigamon to secure our corporate headquarters, we sell, we run a security operations center, we still test plenty of vendor tools and manage our security operations center.
We also do some assistance with customers and marketing, also some outreach and education. We sort of sell a little bit of what we do internally; those are our sort of three things. One of the reasons we decided to do that was that if you’re not hands-on and technical in doing things, you get stale pretty fast, you know?
Technology changes and I really like the field of security, so being able to be somewhat operational keeps me fresh and –
[0:02:42.9] AK: It’s interesting you mention things become stale, which is true, but the way you were talking about DRM, DNS, those are still very relevant today. You talk about data privacy, except it’s not digital rights anymore but it’s data privacy, and then DNS continues to be a cornerstone of how the internet works today. Some things have changed, others have not.
Talk a little bit about your tenure at Bloomberg. Financial services historically has been kind of leading the torch when it comes to trying out new innovative security and putting measures in place, being ahead of regulations or, like you said, on par with the regulations.
Is there a shift over there, do you see other industries catching up, do you see financial services starting to loosen up a little bit? Just educate us a little bit about –
[0:03:28.5] SG: Also, it starts simply that if you think about – Bloomberg wasn’t a bank, it was a financial services data processing company, sending rich premium data to customers through the terminal, and they use that to manage portfolios and – but when you think about the true financials, like banks and hedge funds, the big companies like that, if you think about it, they’re really using their money to secure their money, right?
They don’t have – it’s very important that what they secure stays secure, right? That saying about people who rob banks because that’s where the money is. I mean, banks have always had that. They’ve always had to be ahead on most security.
A lot of it really, the truth is, there’s a saying that says, “Keep the cost of the attack greater than the value of the target.” The bad guy has to work extra hard to get into a bank and even if he does, he only gets a little bit and then he has a huge – that’s the theory and that’s why you see financial services as being ahead. Because the value is pretty great.
You know, for big things like a Bloomberg or a DTCC or somebody like that, there’s systemic risk to the whole system, or even one of the big banks, right? There’s systemic interrelated risk, so there’s a lot of motivation to keep the bad guys out.
[0:04:40.5] AK: You bring up a really interesting point where the money that you put in is secure because you can actually see the money behind it, right? In today’s digital world, where you’re running a CRM program, you’re running insights into your product use, et cetera, there’s so much data collection that’s happening.
Are you seeing, both as a vendor as well as a practitioner, that every organization, every vertical starts to realize that they are a bank, except the assets they’re securing are digital data, right? Therefore, do you see that same thing considered, saying, “Hey, you know what? We have so much – data is our only commodity right now that leaves us secure, so therefore we need to be as incentivized or as motivated to secure that,” or is it still like, “Hey, data is somebody else’s problem, let me deal with that later?”
[0:05:27.4] SG: You know, I think you have to – even at a bank, even with the most well-funded organization, you still don’t have unlimited resources. There are only so many hours in the day, there’s only so much you can do. You have to prioritize where to put spending as a risk. I think, you know, perhaps you were right that not long ago, data and risk was somebody else’s problem.
You know, maybe the CIO had a person and maybe they took care of a little bit of it. I think even if you don’t consider the data that you have as sensitive, or something that would put you out of business if somebody saw it, what you do have to worry about are things like a ransomware attack on your system, right?
You know, a hospital may not have, may have confidential data about a patient and they have trial information that somebody wants. At the end of the day, if a hospital doesn’t have any computers, it can’t do surgeries. It stops the actual, you know, I want to say the lifeblood, right? You do have to worry; it isn’t just the data that you’re taking care of, it’s the holistic system.
[0:06:22.8] AK: Yeah, this is really interesting because if a hospital actually got attacked, right? There was ransomware in play and the hospital actually paid or didn’t pay or whatever they did, there’s a heightened sense of awareness in that organization and presumably in the industry for a while.
But then, just like a roller coaster, at some point, if there’s been no attack for the last two months, three years, how does a CISO justify the continued investment? It’s almost like, hey, do you need to have compelling events every six months or so to keep security spend on the radar, or if not, what’s the recourse?
[0:07:00.3] SG: I think again, we often forget this looking in from the outside, but every organization is different, you know? Every organization has different requirements. You know, a hospital may have HITRUST, right?
They need to conform to those; those change. A credit card processor might have PCI to worry about; those change, the requirements come along, and then chip. Those sorts – there’s always change in technology. As long as technology is changing, the CISO’s job is never done, you know?
It’s unfortunate to say it but, you know, you bring up a point, we used to sort of make fun of this because the CISO’s job is really, you go to the board or the CEO and you report, “Hey, we had a good quarter, no incidents,” and you get yelled at: “Well, you’re not looking hard enough. Clearly you’re not doing it right, there’s something, I know it, you’re just not finding it.”
Then if you have a breach, you go back and say, “Well, we got –” “Why weren’t you defending that?” The CISO lives in that world where it’s always a little bit of, no one’s ever happy.
[0:07:54.2] AK: I mean, that’s a very interesting point you make. Are you seeing the – just given the fact that data is becoming so center stage to, not just business continuity but actually business competitiveness, right? Is the understanding of a CISO’s job more so rare, across lines of business and at the board level, more than it was a year and a half ago?
[0:08:15.7] SG: Yeah, for sure. Definitely. I think – I don’t know that it’s specifically 100% because of one type of data or another; it could be because of ransomware, it could be because of data, right? It’s possible that companies are realizing that the data that they have is important.
I think, you know, to be fair, there’s certainly some level or some number of companies that will look at the data they have and say, “Only this little bit is important. For the most part, this is a bunch of open source code we’ve put together, but really, here is our special sauce.”
Trying to watch everything in its entirety is almost impossible. I used to sort of say, “If you don’t have some kind of a data categorization program, your most valuable asset is equal to your least valuable asset; they’re all the same if you don’t really have a way to manage that.”
I do think companies are looking at whether it’s employee data and GDPR; there’s a big fine if you’re not compliant, right? People are going to have a bunch of trouble. I think it’s forcing people to take that – some privacy and some ownership and to be better stewards of that. I think for a long time –
Look, to be fair, at the end of the day, if a company doesn’t have customers writing checks, they don’t have a security problem, right? First and foremost, you can say security is the most important thing, but at the end of the day, you don’t get paid generally to write secure software, you get paid to write software.
Then the security is always like, we’ll come and get to that, right? I think what we’re starting to see is people are becoming much more security aware. Microsoft, today in the keynote, was just talking about the partnership with other companies to build secure products and that’s inherently incumbent on them to do well at. That’s changing for sure.
[0:09:42.0] AK: Interesting. Let’s talk a little bit about some of the exposés that happened over the last year, right? Ransomware gets people’s attention, cryptojacking gets people’s attention. Then Spectre and Meltdown, and talk about Apache web servers, talk about inherent vulnerabilities that have been in the system front end for years. How does a CISO work on securing budget for that?
Just given the fact that you have these inherent systems, be it Windows servers, chips in the case of Spectre and Meltdown. Is it like a rubber band that’s getting pulled on either side, where you have these new age attacks which get attention to get budget, but then you also have this big, long pile of "shit" that you have to take care of, that you don’t get credit for, right?
How is a CISO able to deal with this duality?
[0:10:26.2] SG: There’s a number of approaches. You know, the risk-based approach is what we tend to take, which is we try to categorize all of our digital risk and we try to say, you know, for a certain amount of effort, what’s the most bang we’re going to get for our buck, right?
Again, if you’re a cloud service provider, for example, a Rowhammer attack, you’re going to want to make sure you’re not susceptible to memory attacks where you can break out of a multi-tenant VM, or if you have a problem on a CPU, you’re much more finely aware that that’s something you’re going to have to worry about, as opposed to if you’re a company that makes tires.
You have people with computers that do manufacturing, shipping and ordering, logistics and payroll; all that stuff’s important. The way I look at these kinds of things: of the four most risky things, what’s the easiest to do that’s going to get us the most bang, and then what’s the hardest that’s going to cost the most and may not get us as much. I try to weight those things.
The best example is, put two-factor on your email. I can’t tell you how many people run their companies with two-factor on email and you’re here at RSA buying tools. If you don’t have two-factor on your email, stop buying tools because somebody is just going to hack –
Really, they’re going to just reuse the password and reset everything. You know, I’m going to go in and reset the financial services passwords of all your employees, I’m going to go into the ERP system and the customer management system and your Salesforce because I have the username and password now.
If you don’t have two-factor on email, everything else isn’t going to matter, so go get that done. It’s going to cost time, it’s going to take budget, but you’re going to move the needle a lot.
[0:11:55.6] AK: You mentioned something that, interestingly, I was talking to another CISO yesterday and she was saying the same thing, which is there is basic hygiene, right? That organizations struggle with, because even look at RSA over here, we’re talking about so many vendors and the registration is going through the roof, there’s a lot of interest over here, but sifting through the noise has been a challenge for CISOs, right?
Especially now with social, you have some really forward-leaning CISOs who are openly talking about how they learn from each other, but if a vendor comes and pitches something, it’s either in one ear and out the other or, worse still, they get blacklisted for taking up their time.
In some sense, what advice do you have, again having been on both sides, on how does a vendor cut through the noise, right? Actually, if a solution actually comes and takes care of your basic problem, would I get the time of day, would ventures actually fund me? Right?
In some sense, there’s also this challenge of saying okay, unless it’s the next big thing out there, I’m not even going to get funded. Even though, like you’re saying, the risk of that happening is very, very low, so what’s the best advice for vendors?
[0:13:04.6] SG: I mean for the venture, I think it is a different approach than for the vendors. I will say for the vendors, you know, I said earlier not everybody has the same security problems, right? At Bloomberg, we would not allow things like Webex because you can take a Webex and turn full control of your PC over. So I am sure at some point, somebody was working with someone somewhere and an employee said, “Okay, take full control of my PC.”
Somebody remotely logged in and did something that caused something to go wrong and so they said, “That’s it. We don’t trust our employees enough to let them do this thing.” Nobody gets Webex, period. And if you need something like that, we have a special tool you can get permission for. It will help you get through if you actually do need to turn your PC over for somebody to do some remote work, but it is not for everybody.
At Gigamon, we don’t have that policy. We allow you to use any number of Webex or BlueJeans. You need to have a meeting, we’re okay; we have a different tolerance for security. So remember, as a vendor, everybody’s security is different. Everybody has different compliance and regulatory concerns. Somebody who is not PCI DSS isn’t going to have the same concerns about storing key material as somebody who is, like a credit card processor.
They are going to worry much more about how they manage key material and PIN pads. So if your solution targets a particular market vertical or type of business, just remember that you want to talk to the customer in a way that your solution solves this problem, and if it doesn’t, then don’t talk to them. That is the danger of everything: your solution is not going to solve everything that your customer needs, and the thing is to find the customer who your solution really works for, and then you will have a friend for life in the customer. But if your solution may or may not work and you’re pitching them, giving them the elevator pitch, that is where the customer goes “uuh.”
The other thing that makes it valuable for customers also is to bring other customers together, because you are right, CISOs do work for other CISOs, but often we lack, in some cases not all, a vehicle to be together. So if a vendor can put together a global customer council of like-minded CISOs. And then the trick there is to not just have people come to talk to each other but offer something up, like either a good speaker or, in our case, what we had proposed, we’re still sort of noodling on how to do it: we had an incident where we did a penetration test on Gigamon, we found some interesting results at the penetration test and we fixed our product, but it cost us as a company to have to pull all the execs together and start talking about how do we deal with vulnerability.
How do we deal with disclosure, how do we deal with are we going to start a bug bounty, do we need a bug bounty, what does all of that mean? And so we are going to do a case study and share that with other CISOs about what we learned and how it made our company better, and so to me as a practitioner that’s a talk I want to go hear.
[0:15:47.4] AK: Yeah, and you bring up a really interesting point because one of the challenges, and we have seen this with Intel with Spectre and Meltdown, we have seen this with Facebook, it is almost a part of what we hear and we keep hearing about, “Hey, we don’t know when the breach occurred,” to actually knowing when the breach has actually happened. But even from a vendor’s perspective, when you know you have one of those things, when do you disclose that, like you were talking about, time of disclosure?
And there is a lack of trust that develops over time where you start seeing this, “Hey, this vendor has known about this for years,” right? I used to work for a large networking vendor; they had this for 10 years and it wasn’t disclosed. So is that mindset also changing, or maybe you are starting to see there is a lot more acceptance of the fact that software will be buggy and therefore, once you know about it, you’d rather be able to understand the root cause, which is important, but also disclose it.
[0:16:39.8] SG: Yeah, I think that is true. I know it is hard to say for everybody; I can’t speak to the universe of manufacturers. I know supply chain is a big issue with this administration, that focus on supply chain and the new laws, especially with China, and there is a lot of focus going into supply chain, and being a good partner for your customer means, you know, just fixing bugs. And I mean, I think if you are going back to the early stage company, if you release really buggy products,
and you have your customer updating them every two weeks, you’re going to have a customer – yeah, your customer is going to eventually go, enough. But if you come to a customer and say, “Look, we found something that we think is serious. You should apply this patch,” I can’t imagine any customer is going to come and say, “Wow, I really wish you hadn’t told me that,” you know?
I’d say too, in my career, I wanted to buy, build, and deploy stuff. And I had a team of pen testers who worked for me and they would find bugs in just about every major vendor’s software, and we got to the point once where, you know, I really wanted a piece of software to roll out and the guys came and said we found a really bad vulnerability and I had to say no. I couldn’t buy the product. Because I needed – it would solve a lot of my problems.
It is what I promised in my business, but it was awesome but when the rubber met the road, the thing was full of holes and it would have really put our company at risk, and my guys found it and the vendor didn’t know it was there, and so we had to give them, “Here’s your pen test. We can’t buy your product.”
[0:18:05.8] AK: So let’s talk about that because that again brings up a valuable insight, which is if I am in a marketing organization and I am rolling out a new marketing insight and I have to go through this “pen test” that the CISO’s team has mandated, and we go through that, something comes out, I am the CMO, I have no idea what it means except the CISO is blocking me from going forward, right?
So how do we resolve these tensions between organizations, where if the CISO and your group understands what it means and therefore you will actually not release the product, but all of the other businesses will have different compulsions and need to go to market first. How does that get resolved?
[0:18:42.8] SG: The way we manage that is we look at the risk, we weight it, we say this is on a scale of zero to 10 and we go to the CMO and we say this is a number 10 risk. You can deploy this, but if this goes up in smoke, when you have to go to the CEO it’s you, not me, and you are going to sign right here, and then we track it and we say, “How long to get it fixed?” And if the vendor doesn’t have this fixed in the next release since the quarter, then the CMO might feel better about taking on that risk.
Getting a project started and then, just that, you might go live and then a week later a patch is applied, and so we take that approach where we know nothing is perfect. We don’t want to stand in the way of business, right?
[0:19:18.4] AK: Yeah. 
[0:19:19.4] SG: But at the same time, if we know something is bad, I am going to tell you, if you are the business owner, and you own the risk. The problem that you get to if you don’t do this well is this clutter of incremental risk that piles up. It is like you accept one little bit of risk because that is no big deal, then you accept another thing and then you accept another thing, and then the next thing, you look under the carpet and it is a big pile of risk.
And so we track that, and we run a little database and then the tool that tracks it for us, and so we can look at the digital risk across the entire company and say this is how much this little tiny bit of risk adds to our total incremental risk. Here is what the spend is to get rid of it, here’s who owns it.
[0:19:55.5] AK: Wow, that looks like a refreshing way to look at things and I am not sure how many enterprises follow that.
So let us talk a little bit about cloud. I know you mentioned this earlier in the conversation, which is the move to cloud, and especially, let’s say, medium to large enterprises where they now have potentially more than one public cloud. They potentially have maybe fewer data centers and they have the buzz, but they still have data centers.
And let’s talk about the cyber skills shortage. In this moment where we need at least basic AWS skills to set something up, even though it is getting easier by the day, monitoring, which is only what you guys come on, how important is this in a multi-cloud world, and does the cyber skills shortage actually play into the hands of the large cloud providers saying, “You know what? You can’t set up a data center now, sorry,” right? So wanting to come and so how do you see that shifting?
So really, in terms of cyber skills and the impact on security when it comes to having a multi-cloud environment, how does somebody go about dealing with it?
[0:20:53.0] SG: There is a cyber skills shortage, I think, because the tools that we’ve built and the orchestration frameworks that we have are not quite sufficient yet. They are getting there and as we orchestrate – at the end of the day, the holy grail of cyber is, when you see an event happen on the network, knowing if it is good or bad, and so for the most part what happens is an event fires, a human looks at it, takes the context that they know about the organization and says good or bad.
And when tools start to be able to do that, the cyber shortage starts to not need quite as many people to draw this context. And in clouds, the problem that most people I’ve talked to run into is, building for a specific cloud provider means you’re building tools to deploy clouds and stand up regions and build out new machines and do your monitoring and get your – if you are using Chef and you are building out a particular type of images and different builds.
You start to get very tightly intertwined with the cloud you are using, and then when you get to multi-cloud, now you have to have the same security profile from one cloud to the other. And maybe there are different operating systems in the clouds and so you have different people, one set with Unix skills, one set with Windows skills. Well, how do you make the same policy across those?
So that is tough. That is just massive. I think organization helps that; being very organized about it. You never want to touch a machine. You want to try to be as automated as possible, like where the fewer hands that have to touch something, the more likely everything is going to be the same, and so the automation part is going to probably play in for getting that one.
[0:22:23.4] AK: So that’s good hygiene and practices for somebody who is going forward, but I mean the whole CASB came out with the whole shadow IT. So most organizations are in some form of PaaS/SaaS/IaaS across multiple clouds. So in terms of, if somebody were to back risk scoring metrics, what’s the scoring metric that the CISO is asking for and saying, “Hey, tell me how many clouds we’re in and what the risk is that a breach is going to happen.” So how do we go about doing that in the multi-cloud world?
[0:22:51.9] SG: Yeah, if you are looking at all the SaaS and PaaS and all that stuff, I mean what we did is we started out and we took the approach of, rather than doing it just to do it, let’s do it to make sure everything has two-factor. So we started there and we have the list of everything, because now we need to know if it’s going to accept SAML, if we can manage it with our two-factor, and so now you have the list. Now you can start to score each one.
Figure out who the owner is and you manage it that way, what is the risk of this, and when you get down to it, what we did is we went and talked to a number of groups across the company, like the leader of each business unit, and what we did is we said for each one of these things, which business unit would be done, who couldn’t operate if this thing was gone, and what we found was the number one that everyone had in common, believe it or not, that they couldn’t operate without was the phones.
Like if our phones just went down, more people couldn’t get their work done than with anything else. I think it was five different groups or maybe it was seven different groups that would all cease to work without phones, and they could live off their cellphones for a little while, but the whole customer support, the way we book things, there’s a whole lot of things that break when the phones break.
The next thing was obviously our customer management database. That was the obvious one, number two, but that is what we did. We went down and said, for every one of these, how many groups couldn’t work, and then picked the highest one, and again, that’s where the focus goes.
[0:24:07.8] AK: Very good. This has been a really fascinating conversation. Any last words? I know it’s day one at RSA; what would a really over-the-top RSA experience look like for you?
[0:24:16.6] SG: That’s a good question. There are good talks, like really good talks. I mean, one of the things I find, depending on the year and what is going on in the industry, 2008 was a really bad RSA. That was when the financial collapse had happened, everybody in security knew how bad things were going to get and no one had any solutions in 2008, and there was no money and everybody was afraid that the world was going to end.
I mean, 2008 was the worst RSA for me and I think I didn’t come back for a couple of years, and so what I find is that every five or six or eight years, there is an inspirational RSA where you hear that couple of good talks and then the message resonates and you go, “Okay, I hear that –” There is a certain message coming through in these talks and I think – I am hoping that’s what will happen this year.
[0:24:57.4] AK: Very good, thanks for your time, Simon, for being on the show.
[0:24:59.8] SG: A pleasure. Thanks.