Voices in Cloud – Episode 10: A Conversation with Wendy Nather of CISCO

Guest

Wendy Nather has been around the block as a security professional. She has led security teams in the private and public sectors, at UBS and the Texas Education Agency. She also served as a research director at 451 Research and at the Retail ISAC. Now, Nather is the director of advisory CISOs at Duo Security.

As a “recovering” CISO, Nather discusses the most overwhelming challenges for security leaders today, as well as what it takes to design security to be user-friendly. She says that users recognize the importance of security, but can feel stuck in the “patchwork” of practices and services deemed necessary to keep things locked down online.

Transcript

David Linthicum: Hey guys, welcome to the GigaOm Voices in Cloud Podcast. This is the one place where you will hear from industry thought leaders, providing no-nonsense advice on how to succeed with cloud computing, IoT edge computing and cognitive computing. I'm Dave Linthicum, bestselling author, speaker, executive and B-list geek, and your host here for the podcast.

Joining me today is a special guest, Wendy Nather: strategist, research director, former industry analyst and a former CISO, and we’re going to talk more about that. [She has] 30+ years' technical experience in IT operations and security—she’s rivaling me on that—including 12 years in the financial services industry and 5 years in state government. Specializes in security program management, threat intelligence, risk analytics, identity and access management, security operations, incident response, application security and security services. Did I leave anything out, Wendy?

Wendy Nather: No, I can’t carry a tune, so, no, I think you’ve covered everything.

So you’re at CISCO now, and tell us how you got to CISCO, and a 30-year career, that’s pretty epic. What are some of the highlights of it? What are some of the things that you found were kind of difficult, and some of the things you found very pleasing?

Well, first of all, my dad taught me how to program when I was 12, on a computer at the astronomy department at the University of Tel Aviv. So that’s where he got me started on this career. And actually, I was in liberal arts in college, but I found that doing things on the computer, especially typing things for other people and formatting them by hand, paid more money, so I ended up becoming a technical writer and then a system administrator.

And I got into security when the private options trading firm I was working on was acquired by a Swiss bank. And since I had a background in French in German, I volunteered to move to Switzerland, and I joined their Unix system administration team there, and then I drifted into security from that point onward. I’ve done a lot of other things, including working for state government, as you mentioned, and then I became an industry analyst for five years and talked to hundreds of vendors, and I helped to stand up the retail ISAC—the Intelligence Sharing and Analysis Center. Finally came to join Duo [Security], and then we were acquired by CISCO last October. So it’s been a very tortuous path.

Got it. And so, as an industry analyst, were you independent, or did you work for a firm?

I worked for 451 Research.

I remember them. Are they still around?

Yeah, yeah, absolutely.

Cool. Yeah, I remember them doing some cool stuff and very much was a blog fodder when I was blogging about particular issues, things like that. So tell us about your role as a CISO, and what a CISO is, and tell us what you did specifically. [We’re] probably more interested in what your day-to-day activities are than the general description of the job.

Well, when I was a Chief Information Security Officer, I did a lot of things that people usually think of when you talk about a CISO. I spent a lot of time negotiating building better security into the programs of the organizations. And that either involved having a lot of money when I was working for a Swiss bank, or having no money at all when I was working for state government.

So my work has run the gamut from being able to buy whatever I wanted to having to be very creative about how we accomplished putting in better security controls.

Now that I work for Duo, which is a part of CISCO, I lead a team of former CISOs, including myself, and part of what we do day to day is represent the perspective of the CISO, both internally and externally. So I will work with the salespeople, and say: ‘Don’t ever say this to a CISO,’ and externally, talk about the things CISOs wish they could say but are not allowed to say on the public stage.

So what are, say, the top two or three things that are on the minds of CISOs these days in terms of security?

Depending on which vertical they’re in and how much ability they have to control their environment and implement things—a lot of it is portfolio management. There are so many vendors out there and so many tools, and trying to figure out what is the minimum they need to buy and can they get it to work together. I talk to a lot of CISOs who are trying to think about, ‘Well, this tool sounds really good, but it will increase the load on us if we add it. Do we really need it? How can we consolidate?’ And I don’t know of anybody who’s really able to consolidate what they have and keep simplifying. I think that’s something everybody would like to do and nobody has time to do.

Yeah, I think it goes to the fact that I talk to a lot of CISOs, and they tell me their biggest enemy is complexity. Ultimately, the amount of systems that are coming into their organization is increasing in volume. I guess we can thank cloud for that. It’s nice that we can provision things almost on demand, but also we can make things complex fairly quickly, and we have to secure these things. So does the CISO have a seat at the table in terms of dealing with these portfolio issues, and if so, do they have influence typically?

Again, it really depends on the culture of the organization that they’re working with and how old it is. So you’re right, cloud is making things more complex, but it’s also creating a very long tail of technology that CISOs have to work with. A lot of them still have to figure out how to continue securing mainframes and older technologies in spite of what’s being added to their plates every day with newer technologies. So that tail just gets longer and longer and longer and managing all of it, figuring out what they have...I just talked to a CISO the other day who told me about how he discovered through a contract that his organization had two acres worth of data center that they didn’t even remember they had.

Oh, my gosh.

So there are very basic struggles the CISO has to deal with, and as technology extends, it is not getting any easier because the old stuff isn’t going away.

So who does the CISO typically report to, the CIO?

A lot of times they do, or they might report to somebody who manages risk, if that is a very robust function: a chief risk officer, or even a CFO; it really depends on where their risk management functions are housed in that organization.

So moving forward, what are the top two best practices that you see CISOs probably not practicing, and they should be?

You know, there’s such a wide variety of things that you can do. I found that what worked for me a lot is: you have to spend a lot of time doing social engineering. You really have to do a lot of influencing, both at the top and at the bottom of your organization. If you’re finding and identifying the linchpins of your organization—the people who can influence other people—and winning them over to your side, to your mission to build better security, they will help you so much and inform you on things you need to know about.

So one thing I would definitely recommend for CISOs is: Don’t just spend time with your management trying to convince them; also work from the bottom up, because the grassroots push toward security can help a lot.

Yeah, I think it is really a ‘people problem’ when you get into the end of it, which I think is what we struggle with as technologists; you’re probably better at it than I am, but ultimately you can have the best security in place, and if people aren’t educated and trained on how to leverage the system in a secure way, in a purposeful way, then ultimately that’s where the breaches occur.

A lot of times, when I did triage in the past on major breaches that occurred, typically newsmaking stuff, it was very simple. Someone called and gave the password: “I’m here from the international security computer industry and I need your password right away ‘cause we’re showing a breach,’” and they pass it out, and suddenly gobs and gobs of data are stolen. Are we getting better at that, or is this going to get worse as things get more complex?

We are getting better, and we can tell we are getting better because the attackers are moving to different things. It’s kind of like squeezing a balloon: once you squeeze one end, the breaches move to the other end of the balloon. So yes, there’s still credential theft going on, but for example, as you implement more two-factor authentication, especially phone-based 2FA, you’re seeing some more attackers trying to do SIEM swapping. They’re trying to steal the phone numbers, because those are being used as additional authentication factors. So we are making progress, but that doesn’t necessarily mean that we’ve wiped everything out.

No, I don’t think we’ll ever wipe anything out; it’s very much like whack-a-mole. And as I tell people, there’s never systems that are 100 percent secure. And ultimately, you’re going to have to make a tradeoff between your ability to eliminate risk and how much money you want to spend. Is that a good way of looking at it?

Absolutely. That’s it. Managing risk is, at the end of the day, a business decision, and a lot of the time the business doesn’t make the decisions that we wish they would, but often they have a different view, and they know more than we do about the tradeoffs that are being made.

Absolutely. Moving forward, where do security trends seem to be taking us, and I’ll go ahead and complicate the question by saying, how does cloud influence that?

Well, cloud makes all sorts of things much more convenient, much faster, more agile, more complicated. We both remember back when you could assume a location as part of your authentication when you were trying to give somebody access to something. Either you saw their IP addresses and you assumed that that meant that they were at home, or they were in the building, and you can’t do that with cloud anymore.

The other trend that I’ve noticed is that when you were at work, you used very different software from what you used at home. But now, people are using the same cloud application personally as they are for work. So for example, when I log in to Gmail, I can either log in with my personal account, or I can log in as Wendy at Duo. And Duo doesn’t care at all if I log in to Gmail with my personal account, but as soon as I put in my username in that field (Wendy at Duo), Duo cares a whole lot about the security conditions under which I’m using that.

And so the only difference there—the only place where you’re making a distinction—is the identity, which is what is leading people to say identity is the new perimeter. In some cases it is; in some cases it isn’t. But I think it’s a very interesting thing that we are all using the same software all the time, and we need different ways to distinguish business work from personal work.

So are we blurring the lines there? Should we be distinguishing business and personal if we’re using the utmost in security? Should we have common security things that wrap around the person? Or is this typically going to be company domain-dependent?

It’s definitely company domain-dependent. I mean, at any time or day, no matter where I am, no matter what device I’m using, I could be doing business work or personal work, and the only difference is which identity I’m using at that particular moment. And am I using Wendy the person or Wendy the head of advisory CISOs at Duo, now CISCO? So I don’t think we’re going to be changing that very much, but we do have to adapt to it in our cloud solutions.

So moving forward, we had a series of breaches a couple of years ago that seem to have died down. But what are some of the common mistakes that companies are making that could lead to outright breaches that really could take down a company in the next few years? And don’t mention any particular names, but what are you seeing in the field right now that kind of scares you to death?

I try not to get scared to death; it’s really bad for my digestion. But what I notice is, it’s not so much the organizations. I think we need to stop blaming the victims for so much. I think we need to improve the technology they’re using so it cannot be misused. I think we could make technology decisions much easier to take; we could improve the user experience and the administration of this technology.

If you just think about passwords, back at the beginning, somebody thought it was a really good idea to use fallible, organic storage for primary credentials. And clearly we know that’s not the case anymore, and we really shouldn’t be blaming users for re-using passwords because they can’t remember the ones that they have. So there’s a lot that we as technologists need to fix so that we don’t have to keep—we should not keep blaming the victims because they’re working with very difficult technology.

Yeah. And speaking of blaming the victims, a common complaint I hear from enterprises out there—and Global 2000 enterprises, to that end—is that they don’t think they’re getting the love as much as the cloud is in terms of their on-premise security stuff. And so what I mean is, if you look at the R&D spending, in terms of what the public cloud is doing, the large three—and I’m not going to mention them here, but we all know who they are—are just going by leaps and bounds, and the ecosystems around them, including the security providers, are investing more R&D in making their stuff localized on the particular cloud platforms out there and leaving not a lot of room, not a lot of money, in terms of R&D spend with the traditional on premise systems. And so, [a] few enterprises are starting to feel the squeeze. Do you concur with that, and what can they do about it?

Well, I think that over time and over the decades, we see the trends going back and forth between localized data storage and processing and remote data storage and processing. You know, we’ve had diskless before, and it kind of waxes and wanes with how much bandwidth we have available. I think today bandwidth has gotten really good, and that’s why we’re storing so many things in the cloud, but we could see a turn in the trend in the future where we have outgrown the bandwidth capabilities that we have, and we might start bringing things back locally. So I’d be really interested in what you think, David, whether you think the pendulum is going to swing the other way at some point.

Yeah, I think—and I drew this conclusion in an InfoWorld blog a couple of months ago—I think this is a forced march that we’re dealing with right now. And so it’s not just management by magazine or management by blog post, which has been occurring for the last 30 years in my career, and I’m sure you’ve seen that as well, where you kind of chase the shiny objects. Ultimately, this is our ability to, in essence, look at where the investments are being made, look where the trends are going, and in essence build off in those directions.

And so, in many instances I think people are moving into the cloud because they feel there’s no choice. Obviously, you know, you can’t go against the cloud, or else it’s a good way to get fired in some instances. But ultimately, they consider this as where everything is going, and they’re probably moving a little too fast.They feel that the industry is forcing them in that direction, specifically less aggressive industries: manufacturing, retail, things like that. And they’re not necessarily having the time to create the understanding and security and requirements and architectures they need to be successful, and so that’s kind of a common complaint. So in essence, they’re victims of the market. Are you seeing the same thing?

I do see a lot of pressure to move with the cloud. I also see a lot of opportunity in that some organizations are sitting on top of such jerry-rigged and duct-taped legacy infrastructure that the only way they can get out of it is to move to the cloud. So I do see it as a really good opportunity, for example, for IT-poor organizations that really are barely managing what they have today to be able to move to something that is cleaner, is newer, is better managed for them and simply be able to abandon the stuff that is just too costly to redo. Like non-profit organizations and other groups like that, where you could have a pretty well-defined set of infrastructure for their non-core business applications, simply moving them over there would help a lot. So I think some of it may be a forced march, but some of it is a really good opportunity.

Yeah. So it could come to the conclusion that the cloud is in many instances more secure than the traditional on-premise systems, mainly because we’re paying more attention to security and investing more in security as we’re moving into the cloud.

Right, and you have fewer constraints than you do in a legacy environment in the cloud. If they’ve already been set up to upgrade regularly, for example, you’re going to get the benefit of that immediately when you move over.

So what do CISOs wish they could say out loud but don’t?

Lots of things. One of the things I probably wish that everybody knew is that patching is just not that easy in their environments. I hear everybody in security saying, ‘Just patch!’ and there is no ‘just’ in security. If there were, we would be doing it already. It’s not a matter of awareness; it’s a matter of constraints in a very complex real-world business environment. So patching is not as easy as you would think.

So what are the best practices that are going to be apparent in the security space? Let’s go forward three or four years: What are we going to be talking about? If we were going to do this podcast in three or four years, what are going to be the topics of the day in terms of security?

Oh, boy. If I could see three or four years ahead, I would already be investing in some things right now. I think we are going to get better at management, which means a drive towards more centralization than we do have today. I think we’re going to see some better practices around authentication, and that may sound a little self-serving given the company I work for, but we definitely are seeing leaders in the high-tech space adopting things like multi-factor authentication and seeing the benefits right away. I think we are going to see some other standards emerging to solve some problems, including, hopefully, killing off the password—I think everybody would love to see that.

No passwords: are we going to just biometrics, things like that? Are we just going to default to them?

I don’t think we will be completely password-free, but with standards like WebAuthn, we are going to see a better experience for the end user where they can authenticate once to the secure storage in their device, and have the rest of the negotiations performed in the background so that they don’t have to be involved in them anymore.

Yeah, I think that will be the final destination we need to move to in security. I think, ultimately, we’re just having a lot of issues with the traditional way of doing things, and it’s really about the traditional ways of doing things. We try to fix it with technology… and it really is about practicing security a bit differently. Am I oversimplifying the issue?

I don’t think so. I think it’s in how you do it, and we have exposed a lot of technology to users that maybe they really didn’t need to see and didn’t have to be responsible for. But if you recall, 30 years ago we were all writing the systems for one another, and we all had the same backgrounds and same level of knowledge. But today we write for the world, and it’s unfair for us to expect them to have the same level of knowledge and capability that we do. So I think we’re going to be ‘consumerifying’—or ‘consumerizing,’ or something like that—everything that we do about technology in recognition of that fact—or else we’re going to see a revolution on the part of our users, who are saying, ‘We’re not going to take this anymore.’

Have a revolution of sorts, what do you think?

I really think so. I think they’re going to come back to us and say, ‘You know, you’re blaming us for these security breaches, but how is this our fault? You’re the ones who built this stuff, and it’s pretty lousy. So what are you going to do about it?’

Yeah, I couldn’t agree with that more. I do think that ultimately we have to serve the users better and become better at doing security. Anyway, please pick up a copy of my book, Cloud Computing and SOA Convergence, available on Amazon and other places books are sold. And make sure to follow me on Twitter, @DaveLinthicum, as well as LinkedIn, where I have several cloud computing courses on LinkedIn Learning. And you can find Wendy at duo.com, cisco.com, and @WendyNather on Twitter. Any other places you can be found, Wendy?

Uh, I’d rather not say, actually.

We’ll leave it at that. So until next time, best of luck in building your cloud computing architectures; we’ll talk to you in about a week. Cheers, guys.