CISO Talk: The Human Side of Cybersecurity

Defining what cybersecurity is usually boils down to people, process and technology. Your security solution will only be as strong as the weakest link—and people are the weakest link. Phishing is the most prevalent and damaging cybersecurity threat, and it is a human problem. So, how can organizations empower their teams to be successful, more efficient and happier?

In this episode of CISO Talk, Mike Rothman, Mitchell Ashley, Mat Newfield and Alan Shimel come together to discuss the human side of cybersecurity and the view of humans in the new normal.

The video of the conversation is below, followed by the transcript. Enjoy!

Transcript

Alan Shimel: Hey, everyone. This is Alan Shimel, and welcome to another episode of CISO Talk. This is kind of our first official episode with a real cast. And I couldn’t think, actually, of a better cast of characters. I was going to say gentlemen, but let’s go with characters. To join us today, let me introduce you. First of all, as my co-host who’s been here to kind of help me germinate the idea, Mathew Newfield. Mat Newfield of Unisys. So, Mat, welcome. And then, our—

Mathew Newfield: Thank you.

Shimel: Thank you. And our two additional guests today are Mitchell Ashley, CEO/founder of Accelerated Strategies Group and, of course, long-time collaborator of mine. And then joining us is another long-time friend. Actually, we’ve come to find out he’s a longer friend of Mathew’s than he is of mine. But that just makes him old; none other than Mike Rothman. One of the co-founders of Securosis, founder of DisruptOps and then general security. He used to be a lot—you’re a happy security guy now.

Mike Rothman: Gadfly is probably—

Shimel: A security gadfly. Yeah. Yeah. Just hopping from flower to flower. It’s kind of how I envision you, Mike. [Laughs] Anyway. Guys, first of all, thanks and welcome. Thanks for joining us. Our topic for today’s CISO Talk is the issue of humans and cybersecurity. I think, you know, though we always try to think of humans at the core of what we’re doing, for too long we have missed—we’ve forgotten that. We’ve gotten, as usual, you know, attention deficit disorder and dealing with processes and new tools and, you know, what’s going on.

But I think with COVID, we’ve had a chance to recenter our thinking around what’s happening with remote workers and the human element of it. Mat, I know it’s a subject that’s near and dear to you. So if you don’t mind, I’m going to ask you to kick it off. And, Mike, I know that you also—with the Securosis and the DisruptOps team, have some real thoughts on this as well. And I’m looking forward to both of you. Mat, go ahead.

Newfield: Yeah. It’s a really important topic because I think over the years—and you were joking. Mike and I have known each other for almost 20 years, which is just always hard to believe. But, you know, as cybersecurity professionals we have a tendency to really focus on the bits and bytes of the world. Right? “What tools? What techniques?” You know, we’ve done everything from—and Mike would remember this ETO we used to work with, liked to talk about layered security and Swiss cheese. And you just have to put enough of these layers in to stop things.

And, you know, we built up that mentality. You buy a lot of tools, you buy a lot of stuff. And, you know, you talk about the work from home. We also built up these walls even with remote worker access within our own facilities. We put in tools. We put in techniques within the buildings we manage where we had our staff. And the outliers were those people that work from a coffee shop on an infrequent basis or those of us who worked as sort of road warriors and traveled. And we were the exception, not the rule. And one of the things that’s happened over the past few months that really hit home for me was talking to a lot of CIOs and CEOs out in the market as I’ve been asked to do a lot of advising from a cyber perspective.

And hearing them time and time again say, “You know, I don’t understand why we’re meeting. I gave my staff desktops, laptops,” whatever it may be, “Told them I’d pay for their high-speed internet. Just told them to go work from home. I love working from home ’cause I have a home office.” And you sit, and you look at him and go, “Wow. I didn’t know every one of your employees had a special home office; had high-speed internet access; had air conditioning.” Had anything to make working from home a good thing. Like children that may have activities they have to go to, et cetera. And that forgetfulness has brought the human piece back to the center of our mind and thinking.

You know, one of the things that happened to me right after COVID hit and we sent everybody home, I was on the phone with a co-worker of mine who was in Europe. And I could barely hear him. We hadn’t even done the video yet. And I was like, “Look, man. I need you to do me a favor and turn your radio down or whatever that is. You got to stop it. I can’t hear you.” And he’s like, “Look. I apologize. There are five of us in a two-bedroom apartment in Belgium. That’s my daughter practicing her harp because she’s not allowed to go to school to do that anymore.” And I was like, “Whoa. Whoa. Whoa. I’m so sorry. I am so sorry.”

And it sort of hit me in the face that we have to remember there are humans involved here. And I’m going to hand it to you, Mike, because you flipped it to the other side. If you start really thinking this way and you change your mentality—it also helps from a cybersecurity perspective. You know, you start asking different questions like, “Why are people attacking you? What is in it for them?” And you can start really thinking through different ways that don’t always involve, “Let me buy more stuff. Let me implement more stuff.” You can start thinking of, “Why are people circumnavigating the controls I put in place, and how do I make people’s lives easier?” But I know you’ve written a ton on this. Love to get your thoughts.

Rothman: Yeah. I have, Mat. And, you know, I guess I’ll go back—you know, again. Just ’cause we’re all old guys, and we’ve been doing this for way too long—right—I’ll go back to kind of one of the oldest kind of adages that we learn when we were, you know, hardly off the truck. Right? You know, first getting into security. And that was, “It’s not about tech. Right? It’s a combination of people, process and technology.” Right? The PPT. And the fact is, people is first. 

Newfield: Always.

Rothman: Again. We’ve gotten lazy because it’s easier just to buy something and hope that the problem goes away. The problem doesn’t go away. Right? It’s people, you know, kind of ultimately—we’ve always talked about, “People is the weakest link. What are the biggest attack surfaces?” Right? Phishing is probably still number one. What is that? That’s a people problem. I mean, from the time I wrote “Pragmatic CSO” in 2007, right, I had—and it was kind of controversial at the time—I talked about the need for security awareness training. Right? People are like, “Oh, that doesn’t work. Those knuckleheads. They can never do anything. Blah-blah-blah-blah-blah.” Right?

And the fact is, well, you’re right. There are some knuckleheads that you are never going to appeal to. They’re the special people. Right? The ones that bring in, you know, million-dollar deals or the CEO or who have photos of the CEO. Right? But they’re the untouchables. And I can say that. Right, Mat? You have like a real job, so you can say stuff like this. But they’re the untouchables. Right? You can’t touch them. So you know what? You clean up the mess. But the fact is, if you don’t do something like awareness training, you’re cleaning up the mess for everybody. And the reality is—go ahead.

Newfield: I don’t know. I was going to say, to your point, it puts you at least in a defensible position. And that’s the thing we talk about all the time—is, you’re right. It only takes one person to fail phishing. Right? If you look at all the breaches that have happened, not every administrator at company A fell for that phishing attack that caused the problem. Just took one. But if you have your programs and you go back to your pragmatic papers and you have the programs in place, then these people in my position can say, “I have a program.”

We’ve trained people, and we understand that the reason we say training doesn’t always work is because, let’s be honest, people don’t change generally unless they’re on the precipice of destruction. Unless it impacts them right now, their health, their money, their family, their friends, their—right now, people are very hard to change. And you see that in the health sector. I mean, the gyms love it. Everybody signs up for a gym in January, and nobody goes in February. It’s the same in our world. Right? 

Mitchell Ashley: You know, Mat, you were talking about the patterns and the characteristics of what the attackers are like; what their motivations are. I mean, we talk about that all the time in security. Rarely do we really talk about, “What’s the patterns? What’s the behaviors of end users?” The people that are using devices, systems, whatever that are being secured. You know, long ago Alan and I got into security about the same time [laughs] you guys get each other.

And I quickly developed this belief of, “End users”—their idea of security is convenience. That’s what they’re after. ‘Cause they got a job to get done. They don’t—and we do a bad job of designing products that get in their way. Let’s be honest. We have certainly in the past and probably still do today. But, you know, you’re talking about training. And I’m going to disagree with you about training, but [laughs] this could be an interesting conversation. But—

Rothman: You haven’t heard me yet.

Newfield: I know we’re not. But putting so much of that on the end user, I think security has to be seamless, invisible as much as possible so the end user is not having to make a decision. This file just was a Trojan. “What do you want to do? I don’t know. I want to get my e-mail sent, cancel.” We sort of do this to ourselves in the way we design products. But my point is, we have to understand even better than the attackers the communities that we’re either creating products for or we’re implementing in our organizations. And what’s their level of tolerance of how much they’re going to both take this getting in the way as opposed to selling that deal, or how much do we have to educate them? And is that really realistic to expect them to do that? So okay. Go.

Shimel: Let me jump in a second. ‘Cause I’ve bit my tongue or bit my lip. “You know what? My name is Alan, and I’m a reformed security person. Welcome, Alan.” I used to believe what you guys believe. Right? And then, I kind of got DevOps religion. And when I first came into DevOps, I thought my mission was going to be to bring the good word of security to the developer world. Right? And I was going to be sane Alan, you know, preaching security to developers and ops people. Because after all, those people, they didn’t care about security. And they thought we were just the people who say, “No.” And I would never get them to give a crap about security. But, you know, a funny thing happened over the last six years. You know what I learned? No one raises their hand and says, “I want to develop crappy code; low-quality, buggy, shitty code.”

Ashley: Insecure. Yeah. 

Shimel: Insecure code. And no one, Mat, in your organization—or Mike—even the people, even that CEO who might be trading dirty pictures or whatever. None of them raise their hand and say, “I want my company to be the next headline about a data breach,” or, “I want to be a victim of phishing.” Right? The road to perdition is lined with the best of intentions. But people want to do the right thing. People want to do the right thing. I think it’s our job as a CISO, as a tools provider and as analysts to give—spread the good word; give people the chance to do the right thing.

Show them that path to doing the right thing; allowing a developer to hit a button to test their code when they first committed to Git. Right? Or whatever, you know, they’re putting it on. Allowing people to do e-mail in a maybe more secure fashion. Right? The people who are truly just, “I don’t give a flying you-know-what,” I think, Mike, those are a lot fewer and far between than we maybe think consciously—especially within the security community.

Rothman: I agree. And, Al, one of the things I’ll bring up which I know is very timely for you… Mitchell’s kids are older. Right? Mat, I’m not sure how old your kids are. But, you know, the reality is, at some point you have to rely or trust the people that you work with—and, you know, in my case I don’t work with my kids. But I have to trust them that over the last 17 to 19 years, almost 20 years, I’ve taught them a thing or two so that when they get into certain situations, they don’t do the wrong thing.

By the way. That had to do with five or six years of them screwing up everything; where it was just like constantly screwing stuff up and me going, “Okay.” As my younger daughter did this, you know—did something really stupid like two weeks ago. Right? And after she got off the punishment, my first thing was, “What’d you learn?” Right? Because I’m trying to reinforce all of those things. “What’d you learn?” “Well, Dad, don’t lie.” “Okay. That’s a good one.” Right?

Shimel: “Finally getting it,” they say in Vegas. Yeah.

Newfield: “That’s a good one.” Right? “Don’t lie.” And then, the second one was great. She goes, “Don’t do anything stupid.” And I’m like, “All right. My work’s done here.” Right? Now, obviously there’s a lot more work in terms of, you know, kind of what stupid means and all that. But, you know, again. So without our employees and a lot of the people we’re responsible for based upon our charter and our mission, right, we have to at least attempt to try to help them understand, “What is right? What is wrong?” Give them the tools to make the decisions because, “Yes, Mitchell. I would love to have, you know, systems that kind of engineer around people’s stupidity.” Right?

But Rich, my partner Rich Mogull, has said for many years, “If your security strategy is based upon people—or, humans changing their behavior, it’s a pretty crappy strategy.” Right? And he’s been right every time, and I tell that story probably 50 times a year because that’s exactly the point. We have to think about equipping people with the knowledge they need to make the decisions to do the right thing. And to Mat’s point, we have to have a program in place for when they don’t. But if 100% of the people are doing it 100% of the time, we’ve got no shot. 

Newfield: Yeah. And let’s be honest. If you step back and think about—let’s equate this to something that everybody gets like driving. Right? We all want—if we’ve all taken classes, you’ve done your driver’s ed—and a lot of us have been driving a long time. But there’s still signs that tell us what we should and should not be doing. There are still stoplights and stop signs and yield signs and air bags and brakes and anti-lock brakes and all of these things because people make mistakes. I hope I’m not coming across that. I don’t think our employees, and I don’t mean at Unisys—I just mean in general—are malicious in their intent.

But you guys said something at the beginning that’s true. “I’ve got a deal to get out, and my future is predicated on getting this deal signed or getting this code out the door.” And if it’s not the part of my DNA to think of security and to really take that extra ten seconds, that is a difficult thing for people to make part of their DNA. And we can train, train, train and train. But the bigger point—and, Mike, what you’re saying is spot-on for me—is, it only takes that one. Right?

It takes one person who’s not paying attention on a highway to plow into the back, and you have an 87-car pileup. It takes one person to click the link and enter their admin credentials into a foreign website—and foreign being not part of your organization—to cause a breach. And there are no amount of techniques or tools that we can put in place to stop that 100% of the time. We’ve all tried—everybody’s bought software. I mean, heck, if you go to the big conference in San Francisco every year without throwing names out there—there are 1,000 vendors that say, “If you buy my stuff, bad stuff won’t happen.” And they’re all full of it. That is never, ever, ever going to happen. And—

Shimel: That’s Mat saying that. You could still sponsor. We appreciate if [laughter]—

Newfield: But nothing—it still goes with my point. Nothing is ____. Right? And you can look at every major breach. Just go for the past five years. And you can start thinking through them in your head. “Did any of them not have the major components that we would consider part of a cybersecurity tech strategy?” Everything from stuff on the endpoints to your classic IDS, IDP, firewall, HIDS, all of these—they have them, and they still got breached. And it’s a human element that we’ve got to get back to because it’s those mistakes. It’s the config mistakes. It’s the patch mistakes. It’s the process mistakes that lead to organizational downfall.

And again. For a lot of people, if all we ever talk about is, “You’re going to impact the company”—for a lot of people, that doesn’t mean much to them. If you make it personal, make it about their friends, their family and them. “If you do this, you won’t get a paycheck. You will be impacted. Your friends will be impacted.” And again. It goes back to human element. If things start to become more impactful—I mean, even in our organization, and we’re sizable, we have a phishing program that we do. I test every employee multiple times a quarter through an adaptive phishing strategy.

And people fail. I mean, they fail well more than I want them to. But we make it personal. I have—for certain failures, they get a phone call from me. Other failures get a phone call from maybe their senior leadership member. You know? We call them the SLT here. But we make it personal; not punitive but personal. “Why are you failing these things? What can I do to make it better for you? How can I improve it so that you don’t fail the test? Because if you’re willing to fail a test, think about your personal life.” And one of the equations we do is, “You’re right. Your worst-case scenario is, you’re out of a job.”

“And maybe you don’t look at this place as a career but a job. But the same techniques we’re training you on—what happens if you fall for it in your home PC where you don’t have EDR and anti-virus, all of these controls that we’ve put in, anti-ransomware, and you lose your checking account? Right? You lose your retirement funds. You find out that your personal e-mail has been compromised because you clicked something, and everybody you’ve ever known is starting to receive e-mails asking for funds, and your friends are falling for it.” Again. You bring that personal touch back in, and things can—I think people can change by doing that.

Rothman: So did we beat you down yet, Mitchell?

Ashley: I was 6-4 at the beginning of this. [Laughs] No. We’re on the same team here. Sort of. But no. I think what we’re—what you’re saying is, “Yes, we have to be understanding and compassionate towards people. That’s ultimately for a lot of things where the attack is going to come to.” Right? ‘Cause that’s often—I would say security attackers are like water. They’ll float to the easiest path to get to whatever they’re after. Right? And if it’s you or it’s somebody else, it’s the system—whatever. I like the phishing idea of—essentially what you’re doing is roleplaying. You’re giving people an opportunity to experience an attack but not know it.

So it’s kind of uninformed roleplay. I like that. Of course, that could be done in a, you know, wall of sheep kind of black hat kind of way; or it could be done in a, “Hey. By the way, here’s what happened, and here’s why we do this and what, you know—tell the truth and don’t be stupid.” Right? “Don’t do stupid things.” Whatever the lessons are from that. I also wonder if—is there a culture in the security organizations of fear of failure where, you know, “If we get a breach, I’m going to lose my job.”

Right? “And if I look really bad on a pen test, you know, that’s my neck. I’m out of here.” I suppose too, you know, that I’m sure there’s different bubbles of security engineers and their talents and skills and all of that kind of thing. It’s about checking each other’s work so you kind of have to take that part of the compassion to that part of the organization. Do we not?

Newfield: Yeah. I mean, look. Transparency is a key mantra for me. And when we run tests, I’m not black-hatting people and trying to bust them. If you fail the test, you get a popup that says, “You failed the test, and here’s why. Here are the indicators of phish that you missed. Here’s what you need to do.” You’re going to get another test. Right? And you want—it’s to build muscle memory. It’s not to fire people. But there should be a healthy fear—

Shimel: It’s got to be a carrot and a stick is what you’re saying.

Newfield: Yeah. Exactly. A carrot and a stick. But there should be that healthy fear. I mean, when I’m driving a car, there is a healthy fear. If I’m flying down the road not caring that what’s around the corner could be somebody I’m going to work, it’s the same concept in my head where on a day-to-day basis—it’s not a person fear like, “I’m going to lose my job,” but, “My team is going to lose their job. We are going to be hurt in industry if something really bad happens that I’m culpable for; that I haven’t spotted, or I really screwed this up, or I’m negligent.”

Sure. You don’t want to feel like you’re the scapegoat to other people’s problems. But, you know, I think that’s key. And you said—I love the water analogy. But if you really step back and think, there’s always going to be attacks. And there’s nothing we’re going to do about it. I mean, and I hate these terms. Phishing I get. But now I’m dealing with smishing, and everybody’s like—

Shimel: Yeah. We got them too.

Newfield: Someone said smishing, and I was like, “You mean SMS phishing?” And they’re like, “No. No. We call it smishing.” And I’m like—

Shimel: I’d say gesundheit if somebody—

Newfield: No. No.

Ashley: But Barney—I told Barney she was being smish—she liked the idea. She thought it was cute. It’s a Yiddish term, is it not?

Shimel: Yeah. It was a Yiddish word. Smish; mishka yu. But let me say something.

Newfield: Mm-hmm.

Shimel: You know, Mike—and Rich Mogull isn’t always right. But he’s right about this. But I’m going to take—I’m going to look at it from a different angle but the same kind of thing you’re saying. We can’t blame humans for being humans. Whether you want to say they’re smart humans or stupid humans, I’m not here to judge. But they’re humans. And that’s what we’re talking about here, is humans.

And so, we can’t blame humans for being humans. A eureka moment for me was—I guess it was back in 2007 or 2008. It was right around, Mitchell, when I left still, you were out already. And all of a sudden, we started seeing a big thing in the industry. Mike, you were there. I remember talking to you about this. That, “Hey. Instead of putting 100% of our efforts into prevention, we should put a lot of money into response. Because we’re not going to prevent everything. And you know why? ‘Cause humans are humans.”

Newfield: Easy to prevent so yeah.

Shimel: Right. We could do the best we can.

Ashley: Especially to Mat. I mean, you know, we kind of started something, “Oh, humans. And we’ve forgotten about it because of COVID.” How have your planning, you know, kind of efforts and your strategies, you know, really changed when obviously you don’t have people in the office anymore? You’ve got potentially more attack surface. Or maybe less. I mean, it depends on how you look at it. Because to me, that’s fascinating. Right? Because it’s not about, “All right. You know, we can all agree we got to do some stuff. But the reality is, the stuff that we’re doing necessarily has to change, and it has to evolve because we’re dealing with a different type of attack surface right now.” So how have you kind of gone through that idea? And then, I’ll talk about some of the stuff that Rich and I are working on.

Newfield: Yeah. I mean, there’s some stuff that we’re putting out in market right now that we’ve implemented that I’m really excited later this summer to let people know about. But we spend a lot of our time actually splitting out the world and the roles for people who are working from home and ensuring that we had an open line of communication with them to figure out, “What is it they actually needed to work from home?” And then built programs specific to them.

The problem with that is, it works really well for—we call them associates or employees. It put a huge burden on the cyber team and the IT organization because we couldn’t do what you could do in the past; which is, if you are in this role working in this office, you get this stuff; end of story. It now depended on what region, “What was your power situation, your air conditioning situation, your remote access needs, your living situation?” We have some of our employees that we talk to that live by themselves.

So we see them as much lower risk than, “I’ve got eight people in my home, three of which are working at different companies, you know,” yada-yada, so on and so forth. So we’ve really tried to build a strategy that took a lot of that into account. And we’re putting some things in people’s homes right now to really segment out the house. We have a concept called COIs here, or communities of interest, with our platform. And we’re working to get that all the way out to people’s houses so that when my son—who is majoring in cybersecurity and spent the last semester at home, when he decides to download—

Shimel: I’m sure that ended well.

Newfield: Oh yeah. [Laughs] Nothing like going to his little office. It’s right outside this room going, “Look. Let me be very clear. If I see you do what you just did again, you’re not going to be majoring in cybersecurity anymore.”

Ashley: Mat, can I ask you about this?

Shimel: We’ve all been there.

Ashley: Now that you went through this phase of, “Okay. We got to react. Let’s put things in place to see what people need,” what do you see as the next thing? I mean, is this—is it a steady state from here now that you’ve got things in place? What is—I mean, you know—

Rothman: Let me hit on that one, Mat, because that kind of gets to some of the stuff that Rich and I have been talking about. Right? Because we’ve been for the last 10 years, we’ve been doing this cloud thing. Right? You know, kind of didn’t go into the DevOps thing, but really the cloud security piece of it and obviously that impacts DevOps. But we saw really, you know, basically three things that were happening. Right? First, SaaS was really replacing a lot of the front office applications that organizations had. Right?

This was our tidal wave stuff from five or six years ago. Public cloud or infrastructure as a service was really replacing the data center over time. And the devices really had to stand alone because you had no idea where they were going to be from a mobility standpoint. So we’re kind of there now. Right? In a lot of those cases. But what ended up happening is, that, where a lot of folks really wanted to get to, SaaS infrastructure and public cloud and true mobility over a period of five to six years, we got there in two weeks. Right?

Because, you know, we just didn’t have an option to do a lot of things. And Rich and I were just, you know, kind of brainstorming about it. And I kind of came up with this idea that, “You know, when this thing went down—right—it was about, ‘Go fast.’” We went from 25, 30% of people to 95% of people, if not more. We got to go fast. Right? Which means building out the infrastructure that I don’t love. Right? That I really wanted to architect away and the best example of that I have is, right, folks have wanted to move towards SaaS and Zero Trust-type kind of inbound access. You know what? I’m building on my VPN ’cause I got the boxes. Right? And I can call my person, and they’ll send me more boxes. And I’ll be—

Shimel: More licenses.

Rothman: Even more licenses. And I’ll be able to, you know, support these folks fast. Right? And then on the other side of that, there’s the, “Do it right.” And the problem is, “Go fast and do it right,” tend to be really difficult to do at the same time. So, you know, I think we’re at this point now where – and, Mat, I think that’s really talking about where a lot of this stuff that you were… now you’re starting to think about those profiles of, “What do these folks need?” Now you’re starting to think about, “What does right look like in this new order of business?” Figuring we’re probably not going to get back into the office for probably another year. Right?

Google announced it was going to be another year. They’re not going to be the last to do that. So really, I think the focus now—especially relative to that human element is, “How can these people be successful?” But what does right look like? When I say, “Do it right,” what does that look like for your organization knowing that you’re going to be embracing SaaS, knowing that you’re going to be moving a lot of your stuff to public cloud and knowing that, due to a microscopic thing now we’re in a situation where we are mobile whether we like it or not?

Newfield: And let’s be honest. You may be at 95%. So we’re at 95% work from home right now. We’re never going to go back to 80% work from an office. Most companies are going to flip all the way back to that. And if you’ve had these open, honest conversations I think what a lot of people have also come to the realization is, you can be just as productive at home for certain roles and regions than you are in an office, if not more productive; especially in high-volume areas where it may be a two-hour-each-way commute. You think of certain high-populous cities around the world, people are going back.

We were lucky. We were already so heavily cloud and SaaS-based that our move was a lot easier. Our CIO and I had been pushing this for quite a while prior. And we had our own remote access solution. So we weren’t stuck on the VPN problem. But you are right. Big knee-jerk. And a lot of people also have a—I think a major problem in the fact that they’re sitting right now in just a few months later, and they go, “We’re not in the news. I haven’t heard of any problems. Everything I did must’ve been great. Let’s move onto the next thing.” And what was my point? And I think what you’re saying—

Shimel: Saying it’s done. Yeah.

Newfield: You got to take a breath and go, “Okay. Stop and turn around and look at everything you just did with a fine-toothed comb.” And that’s where when I said the heavy work’s on our IT organization and cyber, it’s, “Okay. We hit the knee-jerk. We sent everybody home. Thousands of people in 48 hours. Thousands to work from home. In industry types of locations where it’s never happened. Ever.” Right? I mean, think of help desks and service desks and back office—

Shimel: Call centers.

Newfield: Call centers. You know, the individuals we sent home may have been in this field for 20, 30 years and they’ve never worked from home. They’re not situated for that. We all have to step back, and that’s just not people in our industry. Think of HR. Think of our legal teams. Think of all of these functions that have to look back and go, “What do—are we sure we don’t have a problem? And how are we going to transition that to a long-term strategy?” That’s a ton of work and really what we’re focused on. It’s what our boards are asking for and what we need to be able to do. 

Shimel: You know—so you know what? Look. Here at MediaOps, we’re a small piddling of a company. Right? But Mitchell knows this ’cause he helped me with it. When this stuff first went down, we were in what I called Hair on Fire mode. Right?

Newfield: Mm-hmm.

Shimel: “We’re just going to do it. We’re kind of running because there’s a big bear chasing us, and I got to—I don’t got to be the fastest guy here. I just got to run faster than Mike.” Right? And so, we were in hair-on-fire mode. And we did that. And that lasted—was it till about June, Mitchell? And then, I said, “Okay, guys. We’re done running around like hair-on-fire. We’ve got to transition to new normal.”

And I think more than anything else, that’s what cyber has to do—and, Mat, to your point, whole organizations have to do. And we have to say, “Okay. Maybe we bought all the VPN licenses and boxes I’m going to buy. Because at this point, at some point, I’m going to make flowerpots out of them.” Right? And it got me through my hair-on-fire mode, but what’s my new normal operations mode? And then bringing this all back. Right? “What is the—what is the view of the humans in this new normal operations mode?” 

Newfield: Yes. And make sure they’re efficient. “How am I going to ensure they’re happy and successful?” And even one of the things that we’ve run into, “How am I going to recruit? How am I going to do internships? How am I going to bring new people in?”

Shimel: I got an answer for you on that, but I can’t tell you right now. [Laughs]

Ashley: To that point, though, Mat, is—you’re talking about the folks that may not be comfortable working at home or weren’t set up to do that. There’s also a generation of folks entering the workforce who are scary-good at learning stuff that is technical, but they aren’t technical people. And so, we really got a diverse work population that we’re trying to serve. And to Alan’s point, it’s almost like it isn’t, “How do we achieve a steady state with what we’re doing now?” It’s, “What is work going to look like in 6 or 12 or 24 months?” And we don’t know. But there’s probably one, two or three scenarios we can build some strategies around and say, “Okay. Let’s try to, you know, be under where one of those balls is going to be thrown and be able to adjust if we miss it.” And that’s-

Rothman: By the way. This is not eBET. And this actually isn’t anything close to a technical discussion. Right? This gets back to culture.

Ashley: Mm-hmm.

Rothman: Right? Your organization has got to have a culture that allows people to do what they do where they need to do it under any kind of other circumstance. You know, as we’re building out DisruptOps, we’re going to have people all over the place. So we’re starting to think about these things of, “How do meetings look?” We already had people in Asia. Right? “What do meetings look like when it’s really difficult to get everybody on the phone at the same time?” Right?

I’m up until 10:00 o’clock at night. My guys in Kansas City are 9:00 o’clock at night. My folks in the Philippines are at, you know, 11:00 o’clock in the morning. And my guy in Singapore, it’s 9:00 o’clock in the morning. Right? That’s brutal. I’m up until 10:00 o’clock at night doing a meeting, that’s not what I want to be doing. Right? But we do it for a little while until we can start to shift that culture to, “What do meetings look like? How do we document things?” I read this white paper from a company called GitLab. Alan, I’m sure you’re very familiar. 

Shimel: Mm-hmm.

Rothman: And Mitchell with these guys. But basically, you know, they’re this company that is built to be remote from day one. And they’ve got, you know, basically a bible—

Shimel: It’s not a white paper. There’s a book on it.

Rothman: It’s a book. Right. So I read part of the book. And—

Shimel: Great guy.

Rothman: It’s fascinating to me because all of their—everything is asynchronous in that kind of world. And by the way. When everything is asynchronous, that has a huge impact on your attack surface because you’ve got content out there that is perpetual. Right? It’s out there. It’s digitized. And I’m having people consume that, “How do I protect that content,” changes things. Right? “What systems do I get them to look at,” changes things. So when we talk about this idea of, “Go fast,” versus, “Do it right,” the problem is—us security professionals—we’ve been in, “Go fast,” for 20 years. 

Shimel: Mm-hmm. Amen.

Rothman: We’ve been responding to shit for 20 years. 

Shimel: Going up-

Rothman: Now we have to—we have to—take a step back and figure out, “What does ‘do it right’ look like? What are the cultural aspects of that? How do we partner up with the rest of kind of the business to understand what these cultural changes are going to be?” And then, “How do we build a program and a control set that works in that environment—back to Mitchell’s point—so we can allow humans to be humans?” Right? Teach them to make the right decisions but ultimately have a backstop when they screw things up, and they will.

Newfield: And to your point, you understand that culture. If you—when you’re building all this, we need to stop as technologists starting at the technical side, and we have to start at the culture side. “What is it we’re trying to do? Where are we trying to go? What does our footprint look like?” You know, it’s—we used to be, “Hey. Don’t get on public Wi-Fi,” scary, scary, scary. And now, you’re like, “Don’t get on your own Wi-Fi.” I mean—

Shimel: That one’s hard.

Newfield: Right? Because if you think about it—I say when we first sent people home, I was like, “You know we’re sending people to the most hostile networks on the planet. And that’s their home network.” Right? You get that speech of, “You allow the stranger in your house. I’m assuming they put a bunch of black boxes in there. And the only testing you did is, you could surf the internet, your TV turned on and you got a dial tone.

Did you patch it? Did you change the default passwords? Do you know how to configure it?” The answer is, no. So now that we understand the human, the cultural side of things, we can start building real programs—again—to help them when they make mistakes. ’cause they’re going to make them. Every—not every. Most of the incidents I’ve dealt with either internally or helping other companies since the move from home have been attacks that originated from home networks. 

Shimel: Yeah. So, Mike, you brought up Git—I’m sorry. Go ahead, Mitch.

Ashley: I just—quickly, briefly, you mentioned GitLab. I think part of a good thing to ask Mat is, as people are starting to figure out new ways of working is getting that information back. It’s not just what tools are working for you but, “How are you changing your work?” To expose to some companies like GitLab and others. It’s really this—yes. It’s interacting in real-time on things like this; on Zoom or whatever. But also with digital tools that we’re in the middle of editing and conversing while we’re editing and working on a Google Doc or a sheet or something. It’s sort of this all happening at once. But also—as you mentioned, Mike—it can also happen asynchronous. It doesn’t have to happen together. It’s kind of both. It’s really fascinating to me. So we kind of need to become anthropologists or whatever about studying people and, “How are they working?” 

Shimel: No. But it is cultural. It’s cultural. Mike, your point, I think of Sid Sijbrandij, the GitLab CEO—and I forget the fellow who wrote the book. But he’s like their Chief Remote Work Officer or whatever. And, you know, it’s a fascinating study. But here’s one of the lessons that they preach. And it’s counterintuitive. “The more open you are—the more open you are, the less of a detect surface at some level you have.” Right? But by having that open book, “Go ahead. Have at it. It’s open.” Right? Where are the real crown jewels of GitLab?

Right? “All of this is open, and that’s great. But where are the real crown jewels of GitLab?” And, Mike, I’ve spoken to the GitLab security folks about it, and I don’t want to—I can’t really discuss it on here, Mitchell. You have, too. I mean, but it’s almost like the more open you are, it’ll set you free. Right? And to a certain extent. And, you know, they’re fascinating. I mean, they’re 1,200 people in 1,200 offices, and they always have been. Always will be. And Sid has great reasons why, and I buy into it. Took me a long time. I’m from—yeah.

Newfield: I’m sorry. One of the things that Mike said that I really love here is, I also cannot stand the having to stay up till midnight, being up at 4:00 in the morning. And I know if it’s exhausting for me what it must be like for everybody else. It’s got to be way, way worse. Because at least in a lot of those scenarios, we’re the boss. So we are the one driving that. But, you know, it goes back—you know, again. We do a lot of full circles here.

It goes back to that culture of, “Maybe we have to change our mentality that having a live meeting is not always a requirement.” If we provide the tools and the guidance that I’m going to send, “What are my expectations so that we can have meetings that span a 24-hour period to give people the freedom where I’m not feeling the need to call my team in on a Sunday because it happens to be Monday morning in Australia”—you can start thinking differently about how you want to manage your business. But you—

Shimel: But that’s an American privilege view of things, guys. I’ll tell you the honest truth. With MediaOps, our audience is global. So I’ve had a chance to really play globally now for five, six, seven years. Do you realize the rest of—in India, there are people who take jobs on US time? They sign up for it ’cause that’s where the jobs are, and they know they have to be on US time. And big companies like IBM and HP and stuff and Microsoft hire them, as do small companies.

It’s the same thing if that call center in the Philippines that you call 9:00 to 5:00 our time, it’s not 9:00 to 5:00 in Manila or wherever the call center is. The rest of the world has been on this clock, this 24-hour clock, for a long time. Suck it up, pansy, snowflake or whatever the term is. Right? “We’re going to—we need to get on that. We’re humans. They’re humans. We’re all humans.”

Ashley: There’s a balance. Right? I mean, you know, as—I mean, you have a global team, you have to talk to them at some point. You have to build the rapport. And now that we can, you know, kind of get together in group meetings, we have to do things and that will become uncomfortable from a time zone standpoint. My point is to re-examine the business processes and really understand, “What is required?” Right? There are a lot of companies who are based upon these, you know, five or six-meeting cadences a week. Right? “I’ve got to meet with this guy,” or do daily standups. Right? My team’s global, I’m not doing a daily standup. That’s stupid. Right?

So again. I think a lot of it is not, you know, coming at it with the standpoint of, “This is how we’ve always done things,” but to really start to re-engineer your business. And isn’t that what all business transformation is about? Right? Isn’t that what we’ve been trying to do the whole time and what options we have because we don’t have to manage, you know, kind of all that crap in our data center anymore; that we can get other people to do front-office applications so we don’t have to spend time reprogramming our general ledger? Right? And that we can have somebody else upgrade the load balancers so we don’t have to be there in the data center in the middle of the night, to not impact availability on our stuff? So again. It really is requiring a significant amount of cultural shift.

Newfield: Absolutely agree. And again. I don’t want to harp on it, but I have to continue to harp on it. The point, again, that you’re saying and that I am just in violent agreement and have been for a very long time is that if we take into consideration the culture of our organization and the needs of our people and we stop constantly worrying about, “Well, we’ve always done it this way,” or, “Well, I hired them to work these crazy off-hour shifts,” and we start to think about the human side, your people will be happier; they’ll be more productive.

And I believe, and I’ve seen evidence of this in our own organization. They’ll be more secure. They’ll feel like their company’s looking out for them. We’re looking out for—they’ll look out for us, and they’ll be more inclined to pay attention to what they’re doing because they’ll feel a part of something that—that culture. Instead of, “Yeah. I’m in India, and I got hired, and I start my day at 2:00 in the morning because I have to work East Coast.” I mean, it doesn’t even need to be a non-American thing. I’ve got West Coast friends that are used to waking up at 2:30, 3:00 in the morning. So they’re working when their boss does on the East Coast. And that’s asinine.

Shimel: I have a question for you guys; digital transformation, business strategies are pivoting, shifting, accelerating. In many cases, more money getting thrown at—getting sucked under respond to the economy or whatever it is, new behaviors, contact in services. Are we going to get thrown right back into the same rat race of trying to catch up and never really get to this, what we’re talking about doing? Are we in danger of that? It seems to me that—

Newfield: That’s why—

Shimel: What a dilemma we’re in, isn’t it?

Newfield: That’s why we’re having the conversation. That’s why we’re hoping to get the message out. Because if people don’t take the time now to do this and now to make that change, that cultural change in their organization, then yeah; we’re all going to get back in the rat race, and it won’t be very long until you start having the conversation of, “You know what? We’re going to close a bunch of offices because we think it’s going to save us money,” or, “I don’t believe that tools that I was using in my office—we shoved them home. I don’t see the efficiencies. I don’t see the productivity.” Everybody back in the office. And you can see it’s almost cyclical. Not every year, but every few years you’ll read some paper of some major Fortune 50 that’s like, “Everybody in our office because, you know, blah-blah-blah.” And they look at your badge and badge out, “When did you leave for lunch?” And you could fall down that rat hole if you’re not careful. Mike?

Rothman: Let me be very clear. Business is going to transform. Security has a choice about whether we get ahead of it and work with the teams and understand how our world has to shift, or we will be dragged along kicking and screaming. So, Mitch, your point, I mean, that cat is out of the bag. There is no going back to, “You know what? I’m going to go buy Siebel.” There’s no Siebel to run CRM on-prem anymore. There’s not—that’s not an option. Right? So that cat has left the bag. Nobody’s going to go back and say, “I think I’m going to build my own data center now.” Said nobody. Right? So these things are happening. Oh, hey. How about this one? This is great. Right? Your audience will love this. Right? “Hey. Let’s go back and do Waterfall.” Right? I mean, right. Nobody’s doing that.

Shimel: But you know what? There are places where Waterfall still makes sense.

Rothman: And, you know, actually I had one guy at an event I did who, you know—he was actually a hell of a lot funnier than me. But he said to me. He goes, “Hey, Mike.” You know, ’cause I was talking about DevOps and all this other stuff and, you know, kind of set of ops. And I’m, “Oh, how exciting it is.” He goes, “Hey, Mike. You know what we call DevOps in our show?” I said, “What?” He said—

Shimel: Fast Waterfall. Fast Waterfall. [Laughs] To a certain degree, it’s true.

Rothman: Yeah.

Shimel: That’s a great place—hey, guys. I got to call it a wrap here. That’s a great way to end it. Okay. Fast Waterfall. You know, we’re supposed to go 40 minutes. I think we’re 50. Imagine going long with Mike Rothman on your show. I don’t think it’s ever happened before.

Rothman: Oh, it’s happened. I think it’s happened twice.

Shimel: Guys, can I tell you? This is one of the most fun, inspiring, great conversations I’ve had on this issue in a really, really long time. It’s great to have old friends all here. You know? And who knew Mike and Mat knew each other so long? But it’s 6 degrees of separation in the cyber world. What can I say? Yep. Well, let’s do it again. I’m Shimmy. Yeah. We will have—well, Mat, you and I are on every other week. Mitchell’s a regular join. Mike, you know there’s always an open invitation anytime you want to come on.

And whatever we’re talking about, it’s always great. But we’re going to—we’re going to wrap this one up. Right? This is a great CISO Talk, episode two. We’ll be back in about two weeks with episode three. We’ll be publicizing it here a little bit on DevOps.com, Security Boulevard, around our MediaOps neighborhoods. But until then, Mike Rothman, Secure Op—Securosis and DisruptOps. Thanks for being here. Mitchell Ashley, Accelerated Strategies Group. Always a pleasure, Mitchell. And Mat Newfield, our CISO in residence from Unisys. This is Alan Shimel from MediaOps. We’ll talk to you real soon.


Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St. John’s University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
