Using the New Toys to Solve the Legacy Issues - An Interview with Scott Laliberte of Protiviti

Interview with Scott Laliberte of Protiviti:

Cyber Security Dispatch: Season 2, Episode 09

 

Show Notes:
Today on the show we speak with Scott Laliberte, the former Information Security Systems Officer for the US Coastguard and Managing Director and Global Leader of the Cyber Security and Privacy Practice at the global consulting firm, Protiviti. In this episode, we discuss the necessary mindset shift that CISOs need to make and why we need to be using new technological toys, like AI and machine learning, to solve legacy issues. Scott shares his findings on how CISOs need to and are starting to talk the business language and how the changing narrative of what security does for business can lead to a more cohesive enterprise. We find out why acknowledging weaknesses, foregrounding transparency and “talking the talk”
can lead to a CISO’s longevity and success. In addition, we discuss the tech skills shortage and how the industry is working to create a balance between the experienced workforce and the new kids on the block.

Key Points From This Episode:

• Find out more about Scott and his background in the industry.
• Using newer technologies to mitigate risk issues.
• The importance of measuring vulnerability and patch programs.
• Speaking in business terms versus technical terms.
• Addressing patching and hardening caused performance issues.
• Resolving a CISO’s mandate versus the line of business mandate.
• What are the guiding principles of organization collaboration?
• Getting the business to realize that they are the brakes on the car.
• How do we define world class security?
• Why the best security is secure but transparent to the end user.
• Why CISOs have to start explaining problems in business terms.
• How a CISO can still stay relevant knowing that a threat is out there.
• Find out why CISOs need to start acknowledging their weaknesses.
• How CISOs can make the shift from tech heads to business leaders.
• Companies are realizing they need a more business minded CISO.
• Managing CISO fear and how to ensure a long-term position.
• The common trait that Scott sees in successful CISOs.
• Why unsuccessful CISOs don’t want to be the bearer of bad news.
• Are we really facing a cyber skills shortage?
• And much more!

Links Mentioned in Today’s Episode:
Scott Laliberte – https://www.linkedin.com/in/scott-laliberte-1629551/
US Coastguard – https://www.uscg.mil/
Protiviti – https://www.protiviti.com/US-en/
Protiviti on LinkedIn – https://www.linkedin.com/company/protiviti/
Spectre/Meltdown – https://meltdownattack.com/
Coleman Group – http://www.colemangrpinc.com/portfolio/cyber-security/
The Evolution Of The CISO Role And Organizational Readiness – https://www.csoonline.com/article/2838371/security-leadership/the-evolution-of-the-ciso-role-and-organizational-readiness.html
The New CISO: How The Role Has Changed In 5 Years – https://www.csoonline.com/article/2126087/it-strategy/strategic-planning-erm-the-new-ciso-how-the-role-has-changed-in-5-years.html
Facebook CSO Alex Stamos To Leave The Company – https://www.cyberscoop.com/alex-stamos-facebook-ciso-resigns-steps-down/
RSA Conference – https://www.rsaconference.com/

Introduction:
Welcome to another edition of Cyber Security Dispatch, this is your host Ashwin Krishnan. In this episode, Using the New Toys to Solve the Legacy Issues, we speak with Scott Laliberte, the former Information Security Systems Officer for the US Coastguard and Managing Director and Global Leader of the Cyber Security and Privacy Practice at the global consulting firm, Protiviti.
Scott shares his findings on how CISOs need to and are starting to talk the business language and how the changing narrative of what security does for the business can lead to a more cohesive enterprise.

TRANSCRIPT
[0:00:41.1] AK: Welcome everybody to the Cyber Security Dispatch, this is a series of podcasts that we’re doing, bringing in COD leaders both from the vendor space as well as the practitioner space, talking about security and privacy but more so from a real life perspective, rather than just pontificating about what should happen. 
In that context, I have today with me, Scott Laliberte and I will have him introduce himself because it’s too much for me to talk about. So go ahead Scott.
[0:01:07.1] SL: Thanks. I’m Scott Laliberte, I’m a Managing Director of Protiviti. I’m the global leader of our cyber security practice, been in that role for a little over a year now but I’ve been with the firm since the start. I’ve come up through those ranks leading our technical security services arm and prior to that, I ran IT for the US coastguard many years ago.
Right now I’m kind of helping clients manage all the challenges in cyber, trying to keep up with the latest threats and do that while balancing that with the need to do business quickly and in a cost effective manner.
[0:01:36.2] AK: Wow, okay, you just said something that if you can do that then there will be lots of followers who would say “Hey Scott, how will you do that?” Let’s talk a little bit about the report that just came out, I believe recently, as recently as Monday. Okay.
Can you talk about like what are some of the ‘Aha moments that were new but also a reinforcement of things that we knew all along but just saying “Hey, this thing continues to plague us.”
[0:01:57.7] SL: Sure, yeah. The report covers nine years of scanned data that we have accumulated so it’s all the deidentified data, of course. But we wanted to look at that historical trending to see, have things gotten better, have things gotten worse?
What we saw is that, it’s pretty much stayed the same, there’s been some ups and downs from years to years but there’s still a lot of high risk vulnerabilities that exist in environments. Many of them are very old, still a lot of outdated operating systems that are out there and it just doesn’t seem like we’re making a whole lot of headway with that problem which is compounding a problem with all the new threat actors that are out there, the constant bombarding.
These just present numerous avenues by which attackers go in. We’re not winning the battle on that front. Until we do, it’s going to be very hard to make strides forward.
[0:02:47.7] AK: Why don’t you talk a little bit about that because I mean, it seems surprising on the one hand we’re talking about AI and machine learning and cloud native, right? It’s almost like the rubber band that’s getting stretched with you getting into the new and yet, based more to your saying, what others are also saying, which is we have this long legacy of “ship” that is completely unprotected, right?
Is there going to be a defining moment, whether it’s Spectre or Meltdown? We’ve seen enough of these that there’s going to be a shift saying “Okay, our ML (Machine Learning) is all fine but that can wait until we really get our house in order,” or do you think that this – what’s the reverse?
[0:03:24.3] SL: What’s the reverse. I think we can get a little bit better on the problem at hand, right? But I also think some of the newer technologies that you mentioned like AI, machine learning, a lot of RPA (Robot Process Automation) can be another way to mitigate this issue, right?
We’re not going to fully solve this issue but we can use some of the newer technologies to mitigate the risk that they create. I think a couple of the ways we can get better on this issue - I see two real big aspects here.
One is, really having measurement of your vulnerability management programs and new patch management programs and measuring that return on investment and measuring the progress. We haven’t seen a lot of organizations doing that real well. That which you don’t measure is hard to tell if you’re improving or not and making progress in that regard.
That is a key measure. Having metrics in place, really being able to look at time that the vulnerabilities are existing in the environment, time to patch, making sure that you’re patching the highest ones first, you’re mitigating those risks, are you getting better, worse? Are you getting the value of the return on investment from that effort?
[0:04:28.2] AK: Yup.
[0:04:28.5] SL: Some of that I think involves speaking in business terms, right? Us, in the security profession, we tend to speak in technical terms. The people that control press meetings are speaking in business terms. So – using some methodologies like the fair risk assessment methodology, trying to bring some quantification to the problem and showing how the investment can then offset the risk, can also help with that articulation of investment dollars and metrics.
The other big problem that is still difficult is patching and hardening caused performance issues, right? You know, having been in that world and you probably hadn’t been in that world, you’ve always got to make the decision, do you take the risk of applying the patch and bringing something down or do you take the risk of just letting it ride and pray that nothing happens.
That’s where I think we can take benefit from some of these new technologies like the AI, the machine learning, advanced user behavior analytics, to try and put detective and preventive technologies and processes running over the top. You’ve still got that vulnerable underneath infrastructure foundation, but you’re protecting it better through trying to intercept the attacker before they get there, containing the damage, taking action to mitigate any risk that occurs or exploits that occur. I see that technology really as a mitigation to deal with the underlying problems.
[0:05:46.0] AK: You bring that interesting an interesting point, again, as being something that’s been around for decades, right? Which is the struggle if you will within business of a CISOs (Chief Information Security Officer) mandate versus the line of business mandate.

[0:05:57.1] SL: Yeah, exactly.
[0:05:58.7] AK: How does that get resolved? Like you mentioned earlier, those CISOs have to become better marketers, they have to understand lines of instances, the verse, just pontificating, sitting on the sidelines and do businesses also have to start realizing that if their customer data gets out, it doesn’t matter what the business does because you’re all toast together, right?
I mean, are there guiding principles in terms of how these organizations need to work together and if so, why hasn’t it happened so far?
[0:06:25.4] SL: Yeah, there’s guiding principles but it’s hard. I think they speak different languages, right? You’ve got two communities speaking different languages, we got to find that common language to unite them. I use this analogy - we use this analogy of Protiviti back in the day when we founded it - we said: “Why do you have brakes on a car?” And everybody’s first answer always is, “Well, to slow you down, slow the car down.” We look at it as, you have brakes on a car so you can go fast, right? Without the brakes, without the controls, without security, you’re going to crash into a wall. Getting the business to realize that you’re the brakes on the car so that they can go faster, is a big mindset to have in place.
The other thing is helping to find what’s world class, right? In security a lot of times when you think, world class security is just you’re secure, nobody’s going to get in it, we’ve prevented everything. But really looking at it there’s two axis to world class, there’s being secure, and there’s being nimble, reactive, quick, and enabler to the business and the best security is: secure but transparent to the end user and helping the business to achieve their objectives much faster.
With that common goal, you’ve got both people on the same set of music, right? Working together, I think the CISO really does have to start looking at themselves as needing to explain the problem in business terms, right? Starting with the business processes and working back to the underlying technology processes and showing them what lost events actually look like.
You know, they have all that customer data that goes out, here’s the loss that we could experience, here’s the data that supports it and here are the actions that we could take to mitigate that respite. If we encrypted that data securely, now it’s not getting out, we don’t have to report. Therefore, this five-million-dollar loss event, it becomes of non-event.
Those types of business terms, the CFO, the CRO that are holding the purse strings, will understand that better.
[0:08:23.0] AK: Let’s double click on that one, because you hit upon an important challenge that organizations face. Particularly CISOs is, they all slave to the quarterly metrics, right? And finances on the hook, marketing is typically on the hook in terms of leads generator. You went to RSA, you say “How many leads did we get?” Sales obviously is measured.
Engineering sometimes is productively also, right? 
But from a CISO standpoint, when you have a compelling event, when you have Spectre Meltdown, something like that. Suddenly, the CISO’s in the radar, and he or she is answerable. But then, let’s say the compelling event goes away, right?
All the other lines of businesses are still in the crosshairs of the CEO and the board. Answerable. But the CISO, I mean, how does he or she actually make themselves relevant in this environment where – there isn’t the compelling event that has happened, god forbid, right? They’re actually good news.
Going up over there and saying you know what? “We haven’t been hacked for the last 90 days.” How does that manifest itself? I mean, how can a CISO still stay relevant knowing that the threat is out there even though you haven’t been breached or maybe you’ve been breached.
[0:09:28.4] SL: Well, I think you have to use all available data that you have, right? Just because you haven’t been hacked or experienced a breach doesn’t mean that your peer group hasn’t, and you can draw that correlation of, “Look what happened to *fill in the name*,” and really embracing that they’re not any different, right? Like a lot of CISOs I think are afraid to let the board know and let executive management know how vulnerable they really are.
They’re trying to paint this glossy picture because they think they’re going to get fired if they don’t; but you know, I think acknowledging that you're similar and you have the same weaknesses and then trying to prioritize the investments that will make those risks be reduced, not go away because you’re never going to go away, it’s what needs to happen so you get the funding that you need.
But it just can’t be “Hey, I want to go buy this Coleman tool,” right? I just want to slap in deceptive technology because this is the new hottest thing that’s out there, it needs to be more of – by doing that, right? We need to reduce the likelihood of the insider threat or the bad actor, getting to compromise and do these things and relating that back to the business loss event that they’re all worried about, that they saw the peer group having.
[0:10:34.9] AK: Again, you’re bringing about the whole question of ROI (Return on Investment) at this point, right? Which is for every investment that goes in, the deception being some other technology is, now you’re asking the CISO to be more of a business leader, right? You talked about earlier, CISO’s are tech heads and have grown up that way.
How does that shift happen? Which is okay, on the one hand, you’re forced with like a marketing and sales person talking about security internally and the other hand you have to justify every dollar of investment going in, saying how does it directly impact your risk posture, right? Is there training available for that?
Are CISOs standing up and saying, “Okay, we need to rethink the way we look at our job description.”
[0:11:14.9] SL: I think they’re starting to realize it. I’ve had more requests by CISOs that I work with to help them prepare a board presentation, to help them prepare board metrics, they’re starting to realize that they need to do that, they’re reaching out for help and trying to not just have it be coming in saying, “Help me with this presentation,” but “Help me understand how I can present better, what I can do to really convince them and make them understand.”
When you go into a board meeting for the first time, you sit there and you’re talking to people that are really smart, intelligent business people. Many of them are older, they have trouble relating to technology to begin with. You see their faces when you start trying to describe some of this.
I look at it almost like I’m trying to explain the concept to my parents or my grandparents, right? You have to almost put it in those terms but CISO’s I think are realizing it. I think companies are realizing they often need a more business minded CISO who can then have a very technical team under them or your counterpart on the team. But if they don’t start putting that lens on it, they are just going to continue to not be relevant to the business and therefore not get what they need to be successful. 
[0:12:22.4] AK: So this is a part joke-part reality, I don’t know what it is, but I learned about this in my previous job where one of our top sales guys was saying “Okay, if I sell to a CISO the first thing I do is I go and see how long she has been in her job. If she has been in the job more than nine months, then I am actually going to start selling to her not with the intent of selling into where she is right now but because she is going to be out of the job in 18 months, to the next company she goes in.”
And it’s part funny but it is also the realization of saying, “Hey the average turnover is 18 months to two years” because something bad is going to happen and somebody’s neck is on the line and that means it is the CISO, right? So how can somebody operate in this fear mentality of saying, “Okay so I am going to be out, what is the investment?” I mean I was talking to a CISO about four days ago and she’s been in her job for six years. 
So she’s saying, “I’m throwing all the statistics out the window, right?” So every day is a gift, I mean how does the existential side if you will of the CISO spinning out itself play into all of these decisions? 
[0:13:25.1] SL: They can’t go into the position fearing that. When you fear something, it’s like my kids that are in sports. When you fear the bad outcome, it is going to happen. You’ve got to play the game looking at you are going to be here long term and what do I need to do to be successful? I have many friends that have been CISO’s for six to 10 years and the ones that are successful have really made a point of making management understand what needs to be done. 
Not being afraid of being the bearer of bad news upfront and saying, “You know what we are not perfect. We do have exposures and here the exposures are and here is my plan to go after them. I hope these are the right order to go in but if we don’t, these are the other things that we need to have in place. We need to have the cyber insurance in place because we’re probably going to have a loss event and that’s what it’s here for. We have to have the response plan in place to so we can mitigate it and we have to get legal on the business we’re involved in and understanding that risk and owning it and know each one other jobs are.” They’ve got buy in to the business and when something bad happens you know the rest of the business is prepared for it. It is not a call out on the carpet and “Why did this happen? We don’t understand, you told us everything was great.” 
The ones that I see unsuccessful and the ones that come in and they don’t want to be the bearer of bad news, right? They don’t want to rock the boat, they’re just going to do a status quo, they’re going to try and ask for things and make incremental improvements and they reported to the board and management that things are fine and then that event happens, or the near miss happens and that’s all it takes to they lose credibility quickly. Once you lose trust and credibility, you’re not going to be there very long.
[0:14:56.8] AK: So you are actually sparking another train of thought. So I just wrote an article in CSO Online about two days ago talking about the role of the CISO and how he or she is going to be the guardian of the galaxy. I use Alex Stamos example at Facebook saying, so he is actually stood up a year ago, to Sheryl and Mark and talked about the fact that they haven’t been able to cover the data and know how much data is exposed, right? 
But apparently he was shushed and he was put in position with his powers were taken away, etcetera but I was taking a much more forward looking stance saying, “Hey the CISO’s role is no longer just a relegated – or focused on just protecting the enterprise assets. It’s focused on practically the customer assets. So it is no longer just about the switches and your database servers, etcetera. It’s all about the customer data.”

So looking at what happened to Alex and when he tried to stand up and say, “Hey this is a problem” and he’s on his way out even though they are trying to window dress that saying, “Hey he is leaving for personal reasons” but people see through that, right? So and to your point, how does a CISO reconcile with the fact that here is an example of somebody who’s trying to do the right thing for the greater good and got jacked? 
[0:16:08.6] SL: Yeah. 
[0:16:08.9] AK: And as you are saying, I mean it is not easy but it is less painful to just play along and pretend that everything is okay knowing that a breach is going to happen and it seems like probably the toughest job on the planet. 
[0:16:22.5] SL: It is a tough job, right? With risk comes reward, you know I think the example you gave there is going to have a pretty – he’s not have a very hard time finding another job, right? He played it the right way, people are going to see he played it the right way, they are going to want somebody like that for it. Conversely the organizations that don’t play right with, they are going to probably have a hard time attracting really good talent to fill that role. 
Until they realized you know you have to treat people a certain way, you have to be able to take the right stance, and then you will start to get the rewards for that. You know I always have played it off as you got to do the right thing regardless and you know it will come back around. 
[0:16:57.7] AK: You know that is a great point of saying that, “Hey” I mean his role or his image now transcends Facebook right? Now coming back, so that is actually an interesting point just looking at the foot traffic and just the amount of energy and then you hear about cyber skills shortage, right? You were saying, “Hey it is impossible to hire people,” and you’re not getting enough even certified, how do you reconcile that? 
I mean are there other people over there who are just here to pick up buzzwords so they can – or do we truly have a cyber-skill shortage or is it an artificially made up thing just to get more budget or...?
[0:17:31.1] SL: No I think there is a skills shortage. I think especially in an experienced space, it is like this industry has boomed so much in the last few years and you don’t have that big group of people with seven to 15 years’ experience, right? Because it is a relatively new field. We are getting I think a really good crop of new folks that are coming in the business. We have been hiring pretty aggressively off campus, they have some very good programs and very smart people that are coming into it that have new fresh ideas. They just don’t have that long experience you draw on and they may not have the management skills etcetera, but it is nice to see that coming along. 
So I think the skills shortage will start taking care of itself but that experienced person is where we’re having issues. I also think we can use some of the technology to try and automate some of the lower level functions, right? Like using robotic process automation after it but provision and de-previsioning. 
Trying to use AI, artificial intelligence for some of the lower level analyst type of work and stock level, the whole one level two steps up and getting the people that we do have to focus on the higher value type activities. So you are putting the resources that you do have on higher value actions right and trying to automate the lower level ones. It’s going to have to be that double pronged approach and just when you think you are going to start getting over that skills shortage, the problem gets bigger. 
There are new aspects to it like IOT’s in the space and all of these new technologies that now - even the seven to 15-year people don’t even have any experience dealing with that - they just got to take the logic and experience they have and try to apply it to the new technologies and then the really more junior people need to fill that gap. I’ve been having pretty good success by pairing more experienced people with some of the newer folks coming out of these new programs and working together, they both benefit right? And that is helping fill the skills gap a little bit and shortage a bit, but we are going to continue to have those problems as well. 
[0:19:24.3] AK: That is interesting, so you touched on IOT (Internet of Things) and AI and I don’t think any podcast is complete unless we talk about those things. Yes, I mean that is no doubt an explosion that is going on right? And there’s been enough funnels about it and keynotes, etcetera. Industrial control systems as well as stuff that is coming to our homes. I mean just like you talked about earlier, if an enterprise itself has a long tail of old servers, etcetera on pads and machines, are we getting into a situation where SMBs (Small-to Medium-sized Business) is an SMEs (Small-to Medium-sized Enterprise) and consumers are going to have the same thing? 
[0:19:55.4] SL: Yeah.
[0:19:55.6] AK: And you bought the NIST thermometer from three years ago and does it have to be bashed? So how do you see this play out? Is a consumer, going to become a big enterprise and do you have to knock on the socket at home and is there opportunity on the flipside for vendors for that? 
[0:20:10.9] SL: I think it is a huge problem. I think about how many IOT devices, smart devices you have in your home, right? I ran out of fingers and toes and my friends fingers and toes very quickly, right? Just as my son’s room will probably get an explosion of those devices and let’s face it, the consumer is not going to pass on the stuff, right? So we are working with a lot of the manufacturers as well to start building security into the product. 
I think what’s going to fall upon the consumer is to reward those manufacturers that have security mindset and are building it into the product set and not just going for the cheapest device on the market, right? I think it is going to take a few events of the consumers getting burned and seeing why that’s important to do that. I also think that you have now businesses that are pointing at IOT into every aspect of the business, right? 
Whether it is a smart building, it’s the manufacturing plant, whatever that is. It is now creating new risk factors for them. It’s not just loss of data, right? It could be loss of life, it could be loss of productivity and managing those technologies is not always the easiest thing for them to do. They are often reliant on the manufacturer or the person in developing. We need to figure out a way to get better control of that, right? Maybe some CASB (Cloud Access Security Brokers) technology, etcetera. 
But this problem is going to explode, right? I think it is just a matter of time before the bad guys figure out and start going after those devices and threatening people with loss events rather than just encrypting their data. It is going to get them payments much quicker is what I meant. So we have got to get ahead of this very quickly. 
[0:21:42.1] AK: Yeah and it is interesting you mentioned, we talked about Alex and Facebook but these are the high tech companies who can recover relatively quickly and they know tech. If we talked about mining systems and INS control systems where the business is not really technology but they’ve got tracking of – 
[0:21:56.1] SL: They got reliant on it. 
[0:21:57.0] AK: Yeah.
[0:21:57.2] SL: Heavily reliant, right? And they wouldn’t think of themselves as a technology company. 
[0:21:59.7] AK: Tech company, correct. Cool, we are almost out of time, any last words that you have? I mean things that you are seeing that you feel both pleasantly surprised by as well as why it is still happening?
[0:22:11.3] SL: I am pleasantly surprised with some of the newer technologies that are coming out. I think we have a lot of promise with artificial intelligence and those types of aspects, but I do always say, you know we’re taking an industry that has been very immature in that space, right? We are all, the big things we used to monitor for right: failed log in attempts and changing passwords, something like that is very rudimentary type things. 
And now we are going fast forward to AI, machine learning to attack these problems. We need to make sure we are feeding it the right data and the right algorithms all that kind of stuff but that is where we have to go in order to keep up with the threats because it has always been out pacing us. Then we also have to think about the flipside of that technology being used against us, right? That is coming as well. If we don’t start preparing ourselves for that we’re going to be faced with a really big reality here. 
[0:22:59.4] AK: Absolutely, I mean technology is a bit democratic in nature, right? 
[0:23:02.9] SL: That is right. 
[0:23:03.3] AK: Everybody gets access to it, the good guys and the bad guys. 
[0:23:05.8] SL: It doesn’t care who is using it. 
[0:23:07.4] AK: Yeah so I mean this has been fascinating. Thanks for the time and then looking forward to seeing what you guys do in the future as well. 
[0:23:14.6] SL: Thank you. I enjoyed the conversation.