Identity in Cybersecurity Ep. 3 — The Never-ending Chain

Ian L. Paterson talks to Josh Stabiner of General Atlantic about the shift from tech-driven cybersecurity to business-driven cybersecurity, intra-party risk and relationships, mentorship and diversity, and more.

What are we missing in the bigger cybersecurity picture—beyond the systems, technologies, best practices, and zero-day exploits that occupy so much of our time?

In this episode, Plurilock CEO Ian L.Paterson talks with Josh Stabiner, CISO at General Atlantic, about critical non-technical realities in cybersecurity that are often forgotten.

Host:      Ian L. Paterson
Guest:      Josh Stabiner
Length:      35 minutes, 49 seconds

Ready to listen in? Click play below.

 

Transcript

Ian: Welcome to the Identity in Cybersecurity podcast. I am your host, Ian L. Paterson, and today I’m speaking with Josh Stabiner, Chief Security Officer at General Atlantic. Josh’s career has included providing cybersecurity to financial institutions such as Pine River Capital and Ernst & Young. In this episode we discuss third-party risk, the importance of mentorship, understanding the business, and sticking to a framework.

Ian: Josh, welcome to the program.

Josh: Thank you, Ian.

Ian: So, to kick off, how did you actually get started in cyber?

Josh: Oh man. It’s actually funny, I’ve been having this conversation a lot in recent days because I do alumni interviews for my Alma Mater, and all the young students want to know, how’d you get into your career?

Josh: And it’s interesting. Only because when I went to school, cybersecurity was not a discipline that you could elect to study. You studied computer science—that’s what was offered. And to get into security, I think the closest I could get was working in the PKI lab, which is cryptography related. And security was kind of a hobby, for me—reading about security, playing with things myself, like, trying to crash sequel injections and, those types of things in your free time. And when I was a junior or senior, one of the grad students in the PKI lab moved on to take a job as a pen tester and that’s when I realized like, “Wow, you can study computer science and you don’t have to become a software developer—there are many other jobs in the field of technology and CS.” And so that’s what I did, I got my masters in the PKI lab in computer science, and then I went on to become a pen tester. And it was really, it was a great place to start my career to really learn to think like a bad guy.

Ian: And how did you go from there to financial services, which is where you’ve spent most of your career?

If you don’t understand the process flow and the data flow and you just focus on the technology, you’re never going to keep up with the bad guys.”—Josh

Josh: When I started pen testing, our largest clients were the big banks. It’s just, those were the firms that were most focused on cyber back in those days. I would say they weren’t checking any compliance boxes– the banks were focused on securing their apps because malicious actors were starting to leverage mostly input validation flaws to steal. Again, it was your sequence action as your cross-site scripting, using cross request forgery, those types of things. and so, I got used to working with those types of clients and when I started expanding the scope of the services I would participate in, to things like incident response investigations security awareness training, it was natural to expand those services at those same clients, which is what we did. And then as cybersecurity started to permeate the rest of the world or other industries, we started taking on more clients and other spaces, and I started traveling around, a lot as you do as a consultant. And I think there must’ve been something in me that realized, look, I’m a New Yorker. I love being in New York—I don’t really want to leave the New York area, and if that’s the case, I’m going to have to focus on the industries that are in New York. And financial services were obviously the most prominent of those.

Josh: Interestingly, that backfired a little bit because although all the major financial services organizations, the biggest banks, insurance companies, et cetera, all have a presence in New York, the security teams typically aren’t here. They are all out around the United States. So, I had to continue traveling for a while. But one day on a Sunday night, I put my daughter to bed, and she said, “I’ll see you Thursday, daddy.” And I said, “All right, that’s the sign from the universe. It’s time for me to get off the road and move into a job that doesn’t have me traveling so much.” And so, because I had so much financial services experience, it was natural to move into a financial services firm, and that’s when I left consulting and took my first CISO job at a hedge fund, Pine River Capital.

Ian: How has the industry changed? I mean, you’ve been in the game for quite a few years. And to your point, have seen the evolution from, really addressing things that we would consider commonplace and SQL injections, buffer overflows, that type of thing to a much more compliance driven, operation. What are some of the things that you’ve seen that have changed over the last little while? And do you have any thoughts or predictions on what change we’re going to see in the coming years?

The bad guys are going to take the path of least resistance and more and more that is not on the technology side, is social engineering going after people and it’s breaking processes.”—Josh

Josh: I mean, from a macro perspective, I think the major changes have really been not in the types of vulnerabilities that are discovered and published, but in that cybersecurity has gone from really a technology-focused discipline to a business-focused discipline. And it’s not sufficient anymore to be the smartest technologist—to be able to find zero days and to write the best code and the most secure code—you really have to understand the business that you’re working in, the company that you work for, how they make money, the processes involved because the bad guys are starting to get a better understanding of process and how our ecosystem is interconnected between financial services firms and the law firms that we work with and our customers, our investors, it’s really the world is becoming so connected that if you don’t understand the process flow and the data flow and you just focus on the technology you’re never going to keep up with the bad guys because the bad guys are going to take the path of least resistance and more and more that is not on the technology side, is social engineering going after people and it’s breaking processes.

Ian: So as a CSO, how do you think about those entities that you may not have control over? So, you mentioned customers, vendors, I mean, these are, these are entities or people that are not necessarily within the confines of what you can require—you can’t necessarily require the customers you work with have all the right controls in place—what are some things that you can do to deal with that reality in this interconnected ecosystem?

Josh: Yeah, I mean, third-party risk management has been a major part of any cyber screening program for at least 20 years, maybe longer. To really have a good understanding of the control environment at your third parties, to understand which of your third parties present the most risk—who’s most important to you? And again, this is not just from the how you share data, but who’s most significant with respect to your business? In other words, if they go down, do I go down? So really getting a handle on that, understanding their control environment and being comfortable with it, that they’re good stewards of your data and the processes that they’re supposed to be involved in and then more and more now you have to look at fourth-party risk. So, are they doing the same due diligence on their third parties that I’m doing on them? Because this is almost like a never-ending chain where everyone’s relying on somebody else. And if there’s one weak link in the chain that can have cascading effects all the way up to my organization.

More and more now you have to look at fourth-party risk. So, are they doing the same due diligence on their third parties that I’m doing on them? Because this is almost like a never-ending chain where everyone’s relying on somebody else.”—Josh

Josh: So, we try to put third-parties through the ringer when it comes to cybersecurity along with a host of other important considerations during the due diligence process. And I think, or at least I hope that process will become more standardized. And one of the questions you asked me before that I didn’t answer is, “what do I see changing in the future?” I do see a more cohesive view from an organization standpoint, from a regulator standpoint on what obligations should be enforced at various organizations. And so just like GDPR did for privacy across all of Europe, Here in the United States, we have a lot of different laws and a lot of different States, I foresee that or I hope that that will become a one large federal regulation that we can all agree on and we can hold each other to, and I think that’ll third-parties management will be a definite part of that.

Ian: How do you balance the needs of the business itself? I mean, you’re working now at a private equity firm or potentially a hedge fund or, something whose, whose mission is to go out and, and do something. And then you also have the rules and obligation by potentially a government regulator or an industry association, I’m thinking like in the payments industry, PCI, DSS. But then you’re also trying to balance the usability of users who actually have to live with the stuff on a regular basis. And, and you have all three of these stakeholders that all have an important role. If you over-index on one, if you make something to secure, users aren’t going to do anything about it. How have you found navigating those different obligations or requirements, and are there tools or techniques that you found that are helpful when faced with those trade-offs?

It’s your job to recognize that they’ve accepted that risk and to implement whatever mitigating controls you can to minimize that risk and make the residual risk as small as possible.”—Josh

Josh: Going back to what I said before, it’s so important to understand the business and the word you used—I really like the mission, what is the mission of the firm? I can secure any company by shutting it down and it’ll never get hacked, but that’s just not realistic. One thing I’ve learned as a CISO over the years is saying no should be the last resort. If somebody in the business asks for something to engage with a particular third-party to use some particular piece of software, or to send data from point A to point B, in general there’s a safe way to do that. It’s my job to educate the business on the risks involved, make sure they understand it, offer up whatever mitigating controls I can to address those risks but in the end, it’s a business decision. If you’re a CISO who’s constantly saying, no, you’re really not doing your job. Your job is to make sure your stakeholders are risk informed, and then the decisions that they make—they may want to do something that you find extremely risky. It’s your job to recognize that they’ve accepted that risk and to implement whatever mitigating controls you can to minimize that risk and make the residual risk as small as possible. It’s not really balancing the needs of these different individuals—they guide me—and it’s my job just to make sure that they’re seeing the whole picture.

Ian: Have you found that the new flavors of technology that are coming out now better enable you to do that? And I’m thinking specifically around identity and access management. It used to be if you wanted everything locked up, you needed hardware and it was only hardware that could really do the job for you. I think now we’re moving to a paradigm where it’s more probabilistic or risk-based approach to having access to certain data or certain systems . Are there any examples you can think of where there’s a new class of tool or there’s a new capability that allows you to fine tune some of those trade-offs?

Josh: Technology gets better and better. Certainly, being able to have visibility across my entire infrastructure gives me comfort that even when I’m not preventing things from happening, I can still see when they happen, and I can react very quickly. So, some of the automation tools certainly the SIEMs have gotten better and better. Threat intelligence has gotten better and better. And so it makes it such that if there’s something that you absolutely refuse to allow in the past, I’m going to date myself here, but, thinking back to when mobile devices first became really prevalent the stock answer was “No, you can’t use them. You can’t get your email on an iPhone, you can only use a Blackberry. the tablets are a definite no, no.” And et cetera, et cetera. That’s just not sustainable, right.? And we saw that the executives who wanted iPhones and tablets and eventually Android devices and all kinds of apps that they got them. And it was our job to figure out how to secure them. And now the technology on mobile devices is so mature that you can have encrypted containers and you can deploy MDMs that restrict what apps folks use and you can get telemetry from those devices and a whole host of other nifty tools to help make you as a CISO or security professional, more comfortable that these devices are in use and your sensitive data resides on them. And that happens a lot in security, right? The technology gets better and therefore we can kind of open doors here and there. and we get nice little wins out of it because of course, the average user is very excited when you enable new features that you had previously restricted.

Saying no should be the last resort. If somebody in the business asks for something to engage with a particular third-party to use some particular piece of software, or to send data from point A to point B, in general there’s a safe way to do that.”—Josh

Josh: But the counter argument to this is, I think in cybersecurity we focus on the shiny new toy, far too much and in reality, just basic security hygiene, right? Will cover the vast majority of the threats that we’re concerned about. You patch all of your devices, you have multi-factor authentication, you follow the right principle of least privilege throughout your organization. If you do these things the, the coolest new tool is only gonna provide a marginal benefit on top of it, because now you’re getting to the point where the adversary you’re combating is much more advanced, less opportunistic and more targeted. So, while I agree that the new tools, new software does allow us to be more granular with how we implement our controls it doesn’t change—we’re still solving some problems that are many years old.

Ian: So switching gears a little bit, you, you mentioned that, that you are in New York and not necessarily all the cybersecurity teams are headquartered alongside the financial institutions. How do you think about hiring in that type of market? Because cybersecurity in and of itself is quite difficult to hire for. I think the last stat I saw, there’s a million jobs unfilled for 2020. And then you take a larger metropolis like New York where it must be very competitive anyway, just in the overall labor market. How, do you think about, and how have you found success in building out a team there?

Josh: I personally don’t don’t have a hard requirement that folks on my team be here in the office with me. In fact, I do have, resources in some of our remote offices. Now, I don’t have remote work, which a lot of companies in New York do. You have the support people working from home and, Nebraska or Oklahoma or some of those places. I don’t have that on my team, but I do have folks in our remote offices overseas and that doesn’t bother me. I think it’s actually good to have a team that’s distributed across different geographies and the diversity is very important. but your other question about is hiring very competitive —it absolutely is. And what’s interesting about it is there are different skillsets that are important for different types of organizations. So, for example, if you’re in a very large bank, you can be highly specialized in one particular area of cybersecurity, call it security monitoring, or security awareness, or third party risk-management and you can build an entire career in that one domain in cybersecurity.

Being able to have visibility across my entire infrastructure gives me comfort that even when I’m not preventing things from happening, I can still see when they happen, and I can react very quickly.”—Josh

Josh: When you’re at a smaller firm, like a growth equity firm, where I am now at General Atlantic, we only small team and I can’t afford to hire a resource that is so specialized in one particular domain of cybersecurity. I need resources who have a breadth of knowledge across a lot of different areas and who can contribute to engineering projects, security operations, governance and compliance and risk management, and these are not things that you would expect one person to have developed, or studied even, right? This is something that you gain with experience working at different places and taking on different types of projects. So yeah, absolutely, it is extremely hard to find that diamond in the rough, if you will, or a needle in a haystack when it comes to them. (Sorry, I’m using all these cliches, but it really is truly like that.)

Josh: What’s also very tough is getting over personal bias, right? We tend to like people who have similar experiences to ourselves. It took me a long time after I left consulting and I was looking to hire, I was looking to hire folks who were in consulting, who started their careers pen testers, because that’s how I started my career, and it worked really well for me. And security hasn’t been around that long as a discipline as we were talking about before, and so that was my bias. But some of the best people I’ve hired have not come from that background. And it’s important to branch out, especially because our discipline is so young, we have a lot of folks who followed very similar paths, and to appreciate now that there is a huge education curriculum out there for cybersecurity, a lot of universities have programs dedicated to it, and people will study, a variety of different areas and they’ll jump into their first career as a SOC analyst, not as a pen tester. Or doing, SOC2 audits and, and other types of risk assessments—there are a lot of different ways to get into cyber security and those help you to grow. They help you to be well rounded and if you’re going to be on a small security team, being well rounded, is very important.

Ian: So, talking about a small security team, is there a spot for somebody straight out of school?

Josh: I think the answer is yes. I don’t have anyone on my team, but the answer is definitely yes. Partially because, as you mentioned before, there’s such a shortage of talent. There’s a spot for anybody there. There’s a spot for someone who studied to be a software developer and decided that, ‘Hey, I want to give security a go.”I think attitude and motivation is, is far more important than having all the answers. I’d much rather hire someone who knows how to solve a problem by researching and learning and putting in the effort than someone who just expects to have all the answers at, at his or her fingertips.

I think attitude and motivation is, is far more important than having all the answers. I’d much rather hire someone who knows how to solve a problem by researching and learning and putting in the effort than someone who just expects to have all the answers at, at his or her fingertips.”—Josh

Josh: So, yeah, absolutely, there’s room for someone straight out of school and I encourage those people to seek out small security teams where they’ll have a good mentor. If you’re starting out in cybersecurity, and this is something that I really benefited from when I was at Ernst and Young and I was consulting—it’s having good mentors someone who will take you under their wing a little bit, show you the ropes, not just from a technical point of view. And one of the nice things about starting my career in consulting was I had a lot of different mentors, some who are highly technical and showed me all those zeros and ones and related things. And then others who were more high level who taught me how to give a good presentation and translate those zeros and ones into actual English that a non-technical person can understand. So, having those mentors, having them close by so you can sit with them face-to-face, I think it’s tremendously valuable. It’s really important. Being on a smaller team affords you a better opportunity to have a mentor who can spend some more time with you, rather than if you’re one of 50 or one of a 100 on a really, really large team. That’s my personal view, I’ve no science or data to back that up.

Ian: So, one of the things I find interesting is that people that we got in contact with maybe a year or two years ago, they were at one firm a sort of mid-level or maybe operational working with us to actually deploy our software. And then you open up LinkedIn one day and 18 months later, boom, they’re CISO at some larger organization. And I think it speaks to the skill shortage of Hey, if you have any experience, like even if it’s two to four years, great, fantastic—you’re now in charge of this place. So as, somebody who’s been around the block a couple times now, if you were that person—if you were the intermediate security specialist who got thrust into mid-sized financial institution as CISO to help right the ship, what would that 30, 60, 90 day plan look like?

Pick a framework, map your existing controls so you have a good view of where those gaps are.”—Josh

Josh: I hate to repeat myself, but first things first, learn the business—learn the lingo. The first 30 days should be all about meeting people, the people you’re going to be working with and understanding what it is they do, understanding what the firm does. And just my two CISO roles after leaving consulting—and when I was consulting, I worked with CISOs at large banks, tiny credit unions, big insurance companies, et cetera. And when I left, I took a CISO job at a hedge fund, and now I’m CISO at a growth equity firm. They’re both alternative investors. They’re both looked at as very, very similar, but in reality, they’re very, very different firms. The types of problems that we have, the types of risks that we face, the way we use technology and how we achieve our overall firm objective is totally different. And if I approach the CISO role here at General Atlantic in the same way that I did at Pine River, which was a hedge fund it’d be a huge failure! So, you really have to understand the landscape. That’s step one—understand the landscape.

Josh: Within, the 60 day side of that, (and by the way, these are arbitrary timeframes, 30, 60, 90, but you know, within the, next step) step two, whether it’s day 31 to 60, or, day 60 to 90, whatever it happens to be. After you’ve learned the business, you’ve, met everyone. Now it’s time to understand your gaps, right? What do you want your end goal to look like and what’s missing from that end goal? And so it could be, you’re lacking any security whatsoever and you need to start from square one, and you pull out the top 20 controls and you start banging them out, you know, 1 to 20.

Josh:It could be that you have a bunch of technology in place already. Maybe you have good firewalls, good email firewall and but nothing on the endpoints, so you want to deploy some, tools to give you some telemetry and visibility into what’s going on in your endpoints. Perhaps it’s, you know, encryption and my data at rest is not encrypted or whatever it happens to be. You got to understand where the gaps are and plot it according to some framework. I dunno if I’m gonna roughly anyone’s feathers here, but it doesn’t matter what framework, just choose one and stick to it. If you like NIST, use NIST. If you like ISO, use ISO. Modify it as appropriate for your organization and for the way that you think, so it becomes something easy for you to use and reference. But, pick a framework, map your existing controls so you have a good view of where those gaps are, right?

So you have to be careful you don’t lock yourself in to a particular vendor. Yeah, that can be tough, especially when you’re treating them like an extension of your team. So it’s a balance. ”—Josh

Josh: And then step three is to prepare the roadmap, right? How am I going to fill those gaps? What’s the priority order? What budget do I need? How long is it going to take? What resources staffing wise do I need? How is it going to affect the business and what process changes might we need to implement? For that roadmap, one of the pneumonics I really like, it comes from the US military. It’s called METTC: so, it’s Mission, Enemy, Terrain, Time, Troops, and Civilians, right? So these are all the things I need to consider when I’m embarking upon any initiative, right? What’s the mission? What am I trying to accomplish? Sometimes a little too specific there—rolling out a new tool —that’s not the mission, right? The mission is what is that tool going to accomplish and how is it going to make my security or my business better? The enemy is what I am protecting against. The terrain is “where does this fit within my infrastructure from a people process, technology perspective”, the troops is “who’s going to operate this, right? And who’s going to help deploy it?” The time is “how long is it going to take to do it?” And the civilians is “what’s the impact of the business? What’s the impact to my users, my customers, my investors?” If you think about all of those considerations and build that into your road map you’ll have a really good document to execute on.

Josh: And then after phase three, after day 90, that’s what you do. You execute on that roadmap.

Ian: So, one of the things that’s been coming up a lot in conversations that we’ve been having so far is the split between, owned and operated security product solutions and services versus outsourcing—whether that’s outsourcing the entirety of the security stack, or just working with specialists. You might have like a VCISO who’s an advisor to the actual retained CISO. And then on the other side, you might also have a Managed Service Provider or managed detection and response capability and outsource that 24/7 hunt capability. Particularly within the mid-market or organizations that haven’t staffed up to the level where they’ll have everything in house—how do you think about working with providers like that in a managed capacity?

Diversity in the team is a real benefit. It actually makes you more secure to have that different perspective.”—Josh

Josh: Really, whatever works for your organization, right? It depends more on your corporate culture than depends on the arbitrary distinction between the team is outsourced or insourced. Obviously when you’re working with an outsource provider, particularly for major proceeds like SOC, for example, you want them to feel like an extension of your team. It’s rare that you want to outsource to party that’s just a black box, that you send inputs too, and you get outputs from. You know, that said, that may work for certain organizations, but that it’s not the way I operate. I prefer to have a vendor that works with me, where I feel like they’re part of my team, where they’re trying to help me achieve the mission that’s laid out for this particular initiative. Again, if it’s SOC, third-party risk management or data protection or incident response or whatever it happens to be you want—I want—a relationship.

Josh: I also want it to be easy to fire that vendor. And this is what I think a lot of us overlook when we onboard new vendors, is we get all excited about the services they’re going to provide. But things change, organizations change, you grow, you want to insource certain things. Perhaps you want to change the vendor cause you don’t think they’re doing a good job. You want to change the technologies that they’re using. And a lot of the outsource providers right now have what you call like the iTunes Model, right? You have this piece of software, you buy all your music and then when you want to switch to Google Music or different service, Spotify or whatever, and it’s too hard to do it because I just invested so much in building up this previous solution. So you have to be careful you don’t lock yourself into a particular vendor. Yeah, that can be tough, especially when you’re treating them like an extension of your team. So it’s a balance. You need to do a lot of due diligence upfront. Pick the right vendor. Don’t make your decision based on price alone—you know, you tend to get what you pay for.

Cyber can rise to the CEO level, even CEO at a major top bank.”—Josh

Josh: Yeah, but I don’t have a negative view of outsourcing. And in particular, one of the things I think has, has been taboo is outsourcing overseas. And I don’t have a negative view of that either. I’ve worked with fantastic vendors from a variety of different countries. There’s great security talent across the globe and we should capitalize on that, like you said earlier, there’s a major shortage of resources, so you have to expand your horizons there. And again, diversity in the team is a real benefit. It actually makes you more secure to have that different perspective. So, in that sense, I’m in favor.

Ian: So the last question I’ll ask you, I’ll give you a little bit of air cover for. So the question is, what is the highest stress cybersecurity incident that you’ve been involved with or, and here’s the air cover heard from somebody else, and what were some of the lessons learned from that incident?

Josh: Right. I’ll have to think back to my days as a consultant just because that’s where most of the major stuff I was exposed to occurred. So I can’t get into details on, on who the clients were, but I remember vividly the DDoSs attacks from the Al-Qassam cyber fighters, towards the end—I think it was the end of 2011. One of the banks that I was working with, I mean, it was just 48 hours of nonstop—everyone’s in the conference room trying to figure out, where the next, wave of, of packets is going to be coming from.

Josh: What hit home most for me there was, my role was actually not a tactical role at all. My role was helping to translate what was going on in that conference room into presentations that the CISO could take to his boss and his boss’, boss, and the CEO of the bank to explain what was happening. To explain, why we thought Iran was behind the attacks, to explain, what we were doing about it, what we thought the impacts would be, what firms you bringing on at the time, at the time we were bringing on a bunch of, DDoS mitigation providers who I think probably had a great boost in business after that particular event—why that was important. I think that’s when it hit home for me where, okay, cyber can rise to the CEO level, even CEO at a major top bank. Again, I’m not gonna divulge who, but being able to translate those zeros and ones into something meaningful was important. That taught me how to move to the next step in my career. How to become less of a tactical focus security resource and more of a strategic focus security executive.

Ian: Well, Josh, super appreciate the time and the advice, and look forward to doing this again.

Josh: Right. Thank you so much Ian. It was a pleasure. ■