First 90 Days as a CISO | Seat at the Table

Captions
Eric: Welcome to Seat at the Table, where we believe your technical skills will get you on the road, but your soft skills and business acumen will earn you a seat at the table. My name is Eric Beason and I'm the host. We're seeking to have candid conversations with leaders across all verticals and industries, diving into topics that will prepare and equip cybersecurity leaders by extracting hard-earned lessons from the years of experience our guests bring to the show. Today's guest is Tyler Farrar, new CISO at Exabeam. Tyler, welcome to the show.

Tyler: Good to be here, Eric. Thank you.

Eric: No problem. If you don't mind, can you share your background with our audience?

Tyler: Like you said, I'm the CISO at Exabeam, focused both on enterprise cybersecurity and product security. Before that I was working at Maxar Technologies, a satellite manufacturing and satellite imagery company, where I ran security operations, infrastructure, governance, cyber assurance, and a lot of USG, excuse me, U.S. government program protection functions. Before that I worked at KPMG on a lot of client engagements on things like next-gen security operations, FedRAMP ATOs, vulnerability management programs and threat intelligence programs. And lastly, the majority of all that experience in cybersecurity comes from the military. I was a naval officer, a cryptologic warfare officer, worked at Fort Meade, Maryland, and managed a lot of projects in the cyber operations realm, both offensive and defensive, within U.S. Cyber Command.

Eric: Thank you for that background. We also share some federal government experience. I think this is going to be a good one, guys. So today's show is about the first 90 days as a CISO. In just about every profession, transitioning into a new role is one of the more disruptive parts of anybody's career, and studies have shown that the first 90 days set the tone for just about everything you will do in this new role. With the added weight and responsibility, and quite frankly the expectations, that come with a new security executive, this 90-day window carries extra significance. The President of the United States, if I'm correct, has like 100 days to show value, so we get 10 less; I guess our job is 10 not as hard. But let's hop right on in. So Tyler, the first 30 days for me is more important than anything. As the first foray into leadership at a new organization, it's really the first time you get to make an impression, and you only get a chance to make one first impression. So as a new CISO, what does your first 30 days look like? What did you prioritize?

Tyler: So I came into the role, and I come into any role, already having a mindset for how you want to and how you like to establish your program, and I'll talk about how that is for me. You want to bring that in, but also feel out and balance what's already happening within the organization and what type of objectives they're already executing against. So that's how I came in the first few days: to feel it out. I didn't want to rock the boat too much. I wanted to be in discovery mode, I wanted to listen, but I also wanted to hit the ground running. I got a little fortunate, I'd say, in my current role. A big piece of that cyber assurance part that I talked about earlier, with my experience, was an ISO 27001 pursuit, and we were happy to announce that we just got certified a couple of weeks ago. So great news for us, but that was just starting to evolve when I started. It was perfect for me: I was able to, almost on day one, set the information security objectives, and those objectives were nice not only for the audit but also for me to start to build out the foundations of my program. I'd like to really quickly tell you what those are, if anybody's wondering. I set four objectives. Number one: we need to reduce our cyber attack surface. Number two: we need to identify and block potential cybersecurity threats when they do attempt to come in. Number three: we have to provide that cyber assurance to our customers. And number four: you have to continuously enable employee productivity and balance, through a risk-based approach, security with business velocity. So I took those objectives and applied them to ISO 27001, thus automatically moving some of the stage one audit forward while also setting up the foundational objectives for my program. So again, a little lucky with the timing, but being able to set value very quickly, and then pivoting off of that and actually applying policies for ISMS scope and policy statements and moving further into the ISO 27001 certification. So those objectives were really nice, because then I could pivot and start to build out what my objectives and milestones were for the remainder of the quarter, balance with what was already happening, and apply those into the current quarterly plan. That was a huge piece of that.

So what else was going on? I talked about ISO. Another big one was around DMARC enablement. The company had really done, I'd say, the hardest work so far to get us to that point, and so it was me identifying in the first 30 days what's left, what's the change management involved to actually flip the switch and start to enforce. A huge part of that Exabeam trusted email program was to enable DMARC, so those first 30 days were a lot of just finishing out that project to get us to that point. What else? We were going towards a big partnership with the Google Cloud Marketplace, being put onto the marketplace there, and so we were really happy to announce that back when I first started. However, there was a lot of back and forth with contracts, negotiations, making sure that we're meeting everything, making sure we can meet everything, etc. So that was a big piece, and another big value add was getting us there from a security perspective in order to be on the Google marketplace.

I want to pivot back to program establishment. How did I do that in the first 30 days? I set my objectives via the ISO 27001 program, and so now I want to establish my program. I sat down with my team and started to formulate from those objectives what are some of the key outcomes that we want to achieve for the remainder of this quarter, what are the milestones that are going to get us there, and then what's going to happen the following quarter. We were already about 30 days into the quarter, so I wanted to start thinking about what the next quarter looks like. We consolidated a lot of our roadmap and tried to streamline a lot of it to this new way of thought, which was me coming in. When I was building that program I also had to think about what I was hired to do, not just what I want or what I'm seeing, and a lot of that was around coordinated control for our product and our corporate infrastructure: product security, enterprise security. So I immediately set up what I call a tiger team, where we focus more with product and engineering and cloud operations on how we implement more of a cloud security center of excellence. That was really the end goal with this, and in order to do so, another big dependency was we need to make sure that we're speaking the same language. How we did that was through a common security control framework. I mentioned ISO was a big thing; NIST was hanging around here and there, but we needed to standardize on a framework, which we did. We standardized on NIST 800-53 as a company, but I knew that applying all NIST 800-53 controls to what I'll call a commercial or public offering, some of it's overkill versus what we would apply for a FedRAMP offering. So we consolidated some of those controls and established what we called an Exabeam common control framework. Those were the controls that we as a company would align to, that we would implement, and how we would speak with each other across different functional areas. I'm going to keep going if you have any other questions, let me know, but that was the first 30. It's a big one.

Eric: Go ahead. You have sufficiently freaked out a bunch of new CISOs that are hearing this is your first 30 days. This is the first 30 days! I've had a first 30 that was very busy, I've had a first 30 where within the first 30 we had a full strategy, but even that is just a plan to do something; you did stuff. I'm going to recap some of the things I wrote down; I was viciously taking notes. ISO compliance, DMARC enablement, contract negotiations with some small company called Google, set objectives via your ISO program, started Q2 planning, established a tiger team for a cloud security center of excellence, and oh, by the way, we just created our own framework as well. Right? That was your first 30 days. Now I've got to find out: I had all kinds of questions planned for you, and I'm throwing all my questions out. We're done; we're going to dig in on some of the things you said. Out of all the things that you got accomplished, how much were you aware you were going to need to do before you actually started? Was this part of the interview process, you knew you would have to get in and really start going, or did you figure this out pretty quickly?

Tyler: I knew as part of the interview process that a big piece of this was again that coordinated control, where we're partnering with our product teams and being able to ensure that the appropriate amount of security is going into, particularly, the product, and that we were able to effectively provide that cyber assurance to our customers. That was probably the biggest one. The ISO piece was a little bit of, not a shocker, but more of a heads up that it was on a tighter timeline. Having experience with that and understanding the framework, that one was not done through the interview. But to answer your question, the big piece of it was around that cloud security piece and getting those common control frameworks set up, so I knew going in that that was going to be a big part of my responsibilities.

Eric: So one of the benefits to working for a security product company is you don't have to fully champion security, right, because it's built into what the company is and what they do. That's going to differ from many of the people in the audience. But my experience, and I'm curious about yours, is even if I move really fast, even if I come in with a ton of credibility, you still have to build those relationships to really move the needle. It sounds like you had things already in motion. Can you talk about that? Because most of what you talked about is not something done fully within the security org. DMARC, you need IT; contract negotiations, you need legal and IT and third-party teams; objectives for ISO, you need executive buy-in; Q2 planning, you need the finance team involved, because there's probably going to be some level of budget spend; cloud security, that's IT more than security. All these things require so many other parties, but you were able to make progress. I'm curious what that chicken-and-egg relationship was like.

Tyler: That's a really good question. There's several answers to that. First one is my director of infosec here is outstanding, and he's been around much longer than I have, so I did leverage a lot of him and his relationships to be able to get in front of the right people to talk to. That's number one, tactically. From an ISO compliance perspective, we have a compliance team that's within our product organization, and so a major partnership with that team in order to drive that forward; we had full buy-in from that team to really champion what was required of ISO throughout the product and throughout the organization. From a legal perspective, our GRC function, the lead of that team, is heavily partnered with legal. I mean, they work every single contract, every single customer security questionnaire, every single vendor risk assessment. There was a lot of partnership there, so I did leverage that partnership to work through that. And then the last thing I'd say is I'm in a little bit of a fortunate position here: not only do I own cybersecurity, I also own what we call infrastructure operations. Another way to put it, if you're going to talk about the OSI model, is basically hardware up to the application layer. I don't own the application layer, but I do own our enterprise IT infrastructure and I do manage that infrastructure. So I am always, number one, trying to balance the confidentiality, integrity and availability triad, because I am responsible for making sure ones and zeros pass the network. I do have a network team, etc., but I also have the ability to patch and apply other mitigations for risk. So I have that fortunate position to also be a lot of IT as well.

Eric: That makes a lot of sense. I've started to see the merger of traditional IT functions and security; patching is a good example. One day I put out a post, I forget exactly what it was, but I effectively said stop blaming security leaders when patching isn't done. Right? You see a security team getting crucified because of a missing patch. All they can do is wring their fists, put together a nice risk report, tell as many people as they can, but most of the time security teams don't patch. With you it's a little bit different, so we can blame Tyler.

Tyler: Yeah, and that's the fortunate piece, where a team member can come in, they can run a full scan, basically conduct a risk assessment, and then based off of those findings, if any, remediate right there on the spot. You're a system administrator as well: apply the patch and move on. I know that there's more organizations that are taking that approach. It's definitely more responsibility; it does require the CISO to think more about availability than they probably do on a regular basis. But if you can balance, not saying they're equal, but if you can balance those three out, it is extremely valuable for the CISO to be in that type of role.

Eric: Makes a lot of sense. We haven't talked about this, but I think it'd be helpful, because it would help me understand how you established influence as fast as you did: what is your reporting structure? Who do you report up to?

Tyler: I report to the CIO, and that was the other piece you asked me about for finance: we report into the CFO organization. So there's heavy and close partnership there as well, to be able to speak about hey, these are the risks, this is the investment that I need in order to fix this. So that's another big partnership there.

Eric: Okay. So let's fast forward to 30 days in. You've done this mountain of work already. You look back on that first 30 days, like a lot of people do. At what point did you realize, okay, I made a good decision coming here? Because you were comfortable where you were, you were making progress at Maxar, no issues, and then you decided to jump into the Exabeam data lake, pun intended, and start a whole new career. There's always a little bit of trepidation. I've made multiple career changes, and you don't really know you made a good decision until you've been in there for a while. How long was it before you realized, all right, this was the right thing?

Tyler: Honestly, it was within a few days. I already knew. I was a customer of Exabeam; I really loved the product, I really loved all the team members from Exabeam that we worked with when I was at Maxar, and I just knew the culture was there. Part of that culture was that security-mindedness. Coming into it and starting to move these really big initiatives forward, no blockers; never did anybody say I can't do that or I don't want to do that. There were questions at times, but I'd say within the first few days, maybe two weeks tops, I knew that it was the right decision, just based on: I'm here to do a job and they're not blocking me from doing that job. It's just a great culture to work in.

Eric: That's awesome, man. We talk a lot about building a security culture; we're probably going to have an entire episode on it one day. There are other cultural aspects of an organization that impact your ability to succeed as well, things like: is it a process-oriented organization, or are there certain key relationships that are necessary from a political perspective? What did you do to just understand how things work at Exabeam, how things get done, how decisions are made? What type of steps did you take, or how did you go about that process?

Tyler: That's another good question. From a purchasing perspective, that's a huge one. We don't want products purchased, vendors contracted with, etc., without a formal risk review. We want to conduct due diligence, do third-party risk management, etc. That was a big piece: how do we buy things here, and understanding that. Now again, good news and fortunate for me, IT, and thus cybersecurity, is fully baked into the procurement process. It's an automated flow; we see every single one of those and require those vendor risk assessments. But understanding that process was extremely important. That was a big one: how do we buy things. Another big one was how do we destroy things, or delete things, or get rid of things, hardware being a big example, or data. That was another big one: retention, and working with legal to understand our retention policies and disposal policies and the processes there. That was a big piece that I worked on with legal and my counterpart in IT, from a hardware perspective. Then, how the product works, not the front end, which every customer of Exabeam sees, including my own security operations center, but the back end: how does data flow, how does this thing work, what are we really selling to our customers? So partnering with product, our engineering teams, our cloud operations teams to understand just how everything works. And then lastly, how do we support the business within IT. Owning a portion of IT infrastructure, sitting down with my team: walk me through what our enterprise infrastructure looks like and how we are enabling productivity for our employees.

Eric: That all makes a lot of sense. I'm glad you talked about understanding the business; ultimately you can't secure a business you don't truly understand. The show is called Seat at the Table, and what I love about this explanation is you did not talk about the vertical relationships; you didn't talk about all the people above you. You talked about the horizontal relationships, and that's what I typically emphasize. I'm of the belief that having strong horizontal relationships is going to immediately give you strong vertical relationships. Is that something that you just did organically, or something you did intentionally?

Tyler: I think it was more organic. One other area that I would note for the first 30 days is set up a stakeholder list. Figure out where they're at in the leveling of the organization. In my stakeholder list I have, obviously, roles, who they are and contact information, but also what's our meeting cadence. When I initially came on and was onboarded and had my Exabeam buddy to introduce me to a few folks, at least virtually, I set up calls with these folks, introduced myself, and then said let's figure out how we can partner and how often we need to meet: is this a recurring thing or is this just ad hoc? So I established all those meeting cadences with everybody, and a lot of those are the vertical leaders. It might be once a month or once a quarter, but we're staying plugged in, we're keeping the line of communication open. However, the majority of reporting is coming from within their own functional area up, because we are working more horizontally.

Eric: All right, so let's fast forward to the 90-day point. I think I know this answer based off your first 30, but I'm curious to hear. Typically a strategy is either being formulated or starting to be formulated. Where were you with establishing your official cybersecurity strategy by the 90-day point?

Tyler: Pretty much, it was baked. I had, like I mentioned, those key objectives. Really, they don't change; they're so high level that we really put a foundation around them and then started to layer out in a roadmap what the outcomes were for each quarter, and the milestones. I don't want to plan too far out. I discourage a lot of that, especially with a smaller company; things change so frequently and risk could come up on a dime. So planning just a couple of quarters out, just to keep focus on what the long-term plan is, but I don't plan any farther out than that. But to answer your question, it was pretty much baked. At that point we had obviously completely implemented DMARC, and now we're thinking about what those key outcomes are that we're going to start to strive for, which are probably more multi-quarter based on how big the project is. Examples being, and I don't want to give you too many buzzwords here, but a lot of it was around zero trust principles. We're formally establishing more of a trusted access program. We have this amazing product, so we have a lot of the detection capabilities already done, and so a lot of the advanced pieces are complete, but some of the foundational elements we're still working on, and we'll always be working on; I think every company will always be working on those. Those are around ongoing hygiene of infrastructure, for a big one, particularly when you're talking about access control and trust with our endpoints. So constantly monitoring that endpoint hygiene and then being able to say yay or nay to access, both from an infrastructure perspective as well as infrastructure services, examples being Okta, or maybe another infrastructure like Wi-Fi or VPN. That was a big piece of our program: being able to consistently monitor and then enforce device access and user access. So that's fully baked into our plan now, and we're going to continuously do that.

I mentioned in the first 30 days what the business needs are, and another big one is around other security certifications. I don't think I'll name it at this time, but there's another big one that we're going to start pushing on, and so that's fully baked into our plan at this point: to execute against and obtain that certification. Another big one, outside of trusted access and cyber assurance, is cyber risk management. You asked me about culture earlier. A big piece of culture for security is at least being able to provide the data necessary for somebody to make an informed decision, and in this case it's a risk decision. So establishing that foundational cyber risk management program: cyber risk reporting, a risk register, a POA&M tracker (plans of action and milestones), establishing some security champions throughout those functional areas, and then communicating it all. We have that all baked in, so now where we're at is, when new risks come in, it's much easier to make a decision, because you actually have all the data to say this or that or both, but I might need further investment in money or people. So those are some of the big things that we baked in. To answer your question, a lot of it at this point is ready to roll and we're just moving through those big key outcomes.

Eric: Thank you for sharing that information. People are starting new jobs as security execs all the time, and being able to hear directly from someone that just went through that start, albeit your start was a little bit more fortuitous, as you said yourself, there's still a lot of parallels and similarities that we're going to face in our new start. This is actually personal for me, because I'm starting a new security role at another organization in a couple of weeks, so this has really been helpful. We're coming up on my favorite part of the show, where we talk about an analogy or a metaphor, something that you use to explain a security concept to someone that's not very technical and not necessarily in our industry. What do you have for us?

Tyler: The word "breach" is used way too frequently, and it's a very strong word. I heard an executive say it once on a meeting, and, I won't say what company, but my boss was on that call and got extremely freaked out about it. Afterwards, this person reached out to me and said we have a breach. I said no, we have a security incident, and those happen, right? So the metaphor is: think of a security incident like a pesky cold. It happens. Events happen all the time, things happen all the time, there's attackers knocking at the door all the time; those are security events. A security incident is where maybe they get in and violate a couple of your defense-in-depth controls. That's going to happen, but it's a cold; you'll get over it. A security breach is a flu, it's a cancer, it's bad. They don't happen that often, if at all, for many of us. They're obviously happening more nowadays, but that's how I put that metaphor together: an incident's a cold, a breach is a flu, a cancer, just disastrous. So really be careful when you use the word breach versus incident.

Eric: I completely agree, and I've had to talk to the lawyers about that as well, because it holds very different meanings in connotation and reporting requirements, and the list goes on and on. So thank you for that. Tyler Farrar, CISO at Exabeam, I appreciate you coming on the show and giving people some of your insights on how you earned your seat at the table and the things that you've done since you've had it. Thank you.

Tyler: Thanks for having me, Eric.
Info
Channel: SANS Institute
Views: 3,296
Id: bFMNvhROzqQ
Length: 32min 28sec (1948 seconds)
Published: Thu Mar 10 2022