In this edition of CISO Conversations, SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at Lacework (a data-driven security platform for the cloud).
Getting started and progressing in cybersecurity
“I got into cybersecurity by accident,” says Billy Spears. “When I started, cybersecurity was not a recognized job – we were all in either IT or software development. Figuring out ways to better protect and enable the business while providing some semblance of trust is what attracted me to cybersecurity. I was given an opportunity, I took it, and everything grew from there.”
Kissner’s route was very different: experimental robotics in college, then a switch to cryptography. “Someday, the solder fumes are going to eat my brain, but someday my brain will come in handy.” In switching to cryptography, Kissner left behind the fumes but kept the interesting bit, the math, and eventually earned a PhD in cryptography.
From college Kissner joined BBN. “They’re lovely people, but I just didn’t have anything to work on.” Then Google came calling with an invitation. “I said, ‘Well, am I going to be bored?’ And they said, ‘No. The other way sometimes, but you’re not going to be bored.’ I said ‘sold’.”
While at Google, Kissner worked on cryptography, logs and optimization, and the first production authentication system. “I ended up having to rewrite a lot of the RPC system. Then I just kept turning over new rocks.” Other project teams would trade project information for a security review, sometimes getting both system and security improvements while Kissner learned to work with different teams.
The reason this worked for Kissner is threefold: an underlying intense curiosity combined with deep technical knowledge (the ability to speak math) and innate soft skills (the ability to speak English).
Kissner was at Google for 12 years and left as global lead of privacy technology. After that came a series of senior roles: HUMU (chief privacy officer), Zoom (security and privacy consultant), Apple (director of engineering), Twitter (starting as head of privacy engineering and becoming CISO), and now the current role as CISO at Lacework.
The making of a leader
While the ability to lead may be innate, the practice of leadership is usually learned through the process of career progression. For Spears, curiosity was the driving force behind progression. “As I got curious about data, it led me through a journey of learning how to better protect it technically, through architecture or engineering or configuration. That led on to GRC considerations. What are the relevant laws, rules, regulations – and how can the company ensure that the protections you put in place are working as designed. Over time, it all comes together in one big package, and I think that’s what a CISO does today.”
For Spears, leadership naturally grows along the path of this journey. Kissner’s route was similar – as the role grew, so did leadership skills. The process started from the propensity to take on new projects and acquire existing projects at Google.
“I ended up running larger and larger teams, sometimes because a team was on fire and they wanted to hand it to me. One team had 100% staff turnover – and that’s just not acceptable in Google, so it was handed to me. At one point, I went from managing 15 people to 80 people overnight. I ended up with teams coming to me and saying, can we please report to you now?”
Kissner honed leadership skills through managing more and more people, but always with one people management rule: “Don’t be a jerk.”
Business leader or technical leader
The role of the CISO is continuously evolving. Over the last decade, the realization that security is not a silo but a function of the business has come to the fore. The CISO now needs business acumen as well as technical skills – and a new question has arisen: should a CISO be more business-focused or technology-focused?
Both Spears and Kissner believe the CISO must lead with technology but be conversant with business. Spears describes himself as a technical business leader. “You must know how to read a balance sheet; you must understand the objectives of the company. You must know how to manage your area of responsibility in line with the expectations of the company, while preventing big risk from spiraling out of control.”
Kissner agrees with the hybrid nature of the position, adding, “I don’t think you can be a very senior technical person without having a really good understanding of the business,” but is adamant that the CISO role must be rooted in deep technical or engineering expertise.
There’s a side issue here. Technical CISOs are more likely to report to the CIO, while business CISOs may have a more direct route to business leadership. If a CISO reports to the CIO, there is a likely conflict of interest between the best IT solution and the most secure solution. It’s not a problem for Kissner. “Actually, I also run IT.”
It was the same at Twitter. “I had security engineering, privacy engineering and IT. Now, shortly after starting at Lacework, I’ve also taken on IT. So that’s one way of solving any IT/security conflict.” It is similar in effect to, but the reverse of, the CIO owning cybersecurity – the situation described by Ann Dunkin at the Department of Energy in DOE CIO Talks to SecurityWeek About Cybersecurity, Digital Transformation. But a CISO taking on the role of the CIO is no longer unique.
Gathering and keeping a strong security team
Recruiting a strong security team is one of the hardest and most essential tasks for a CISO. CISOs are only as good as their team. Keeping that team is also difficult, but largely dependent on how the team is treated within an incredibly complex and pressured environment.
“You have to be creative,” said Spears. “I’m always recruiting. Even if I don’t have any open roles, I’m looking for future superstars to add their talent to the team. I don’t recruit ready-made leaders; I look, for example, for people fresh out of university or after their first job that I can bring on in the discipline.” His intention is to bring in people and train and mentor them so they can become future managers. “Eventually some of them even become executives or CISOs in their own right.”
The moral here is to seek potential and then encourage that potential.
“One underutilized hiring technique is being known not to be a jerk,” says Kissner. “If people turn up for an interview, I will treat them with respect. Security people are motivated by getting things done. I tell them, this is how we’ll get things done, and this is how I’ll help you grow.”
Like Spears, Kissner tends to be creative. “To a certain extent, I’m looking for what people can do now – but we’re going to end up with a lot of problems nobody knows how to solve.” The ability to think and solve problems that may be outside current expertise is the driving criterion. “For example, I hired a guy who used to be a social worker and then became a lawyer – I hired him to be a privacy engineer and taught him how to be a privacy engineer. I hired somebody who was a tech journalist. She became one of the first privacy penetration testers that ever existed and is very good at it. I’ve hired a lot of people who are a little, sometimes very, unusual.”
But whatever interviewing techniques a CISO may employ, there is still the problem of getting candidates to the interview desk. Here Kissner has a strong advantage. “I am reasonably well known in the field. So, I am very lucky that there are a bunch of people who tend to want to work with me or will work with me. I think recruitment may be a little easier for me.”
The moral this time is, be visible, be respected, and don’t be a jerk.
Diversity and burnout
There are further complications in building and retaining the best possible security team – such as the need for, and issues arising from, diversity – and the need to manage mental health and prevent burnout.
Diversity. “Diversity is a must,” said Spears. “If you have a single point of view or a single perception based on a single background type, then you have blind spots. And that’s not great for anyone. It’s not great for the company. It’s not great for the customers, and it’s not great for the product.”
Kissner agrees with this and provides an example. “Many of the problems we need to solve involve understanding the problems of people.” Take identity systems. At times of housing instability, home addresses change and the phone numbers used for 2FA change – and for trans people, almost everything changes (name, passport, official documentation, etcetera).
Having diversity in the security team means having people with different perspectives and more understanding of such problems. “People are different,” said Kissner. “If we’re going to solve the problems for them, we have to start from understanding their problems.” Diversity helps predict and solve these issues before they become a problem.
But there’s an additional complication. Achieving diversity will almost certainly involve recruiting from minorities, and minorities often suffer from discrimination. This can come both from within the team and from outside it, and it must be countered for the team to operate harmoniously. That is the responsibility of both the CISO and every member of the team.
Spears has relatives who are neurodiverse. “I understand the space and would absolutely hire ADHD and ASD people. I’ve learned a lot from their problems, and frankly it’s made me a better human, a better mentor, and a better leader and colleague. I don’t assume anything. I try to anticipate when someone is uncomfortable, so that I can make them more confident – whether it’s caused by frustration or a lack of understanding.”
Kissner also recognizes the problem, and projects the philosophy of not being a jerk into the team. “I’m trans. I understand discrimination. I don’t want to work with people who are going to be a jerk about it. I just want to work with people who want to solve problems, and I run a team in a way that works for everyone.”
For Kissner, the key is building mutual respect within the team. It’s difficult, “because people make different implicit assumptions about things and can accidentally offend each other, or be unclear about something – the assumptions in my brain are going to be different than the assumptions in your brain.” The solution is to be open and to talk about everything, and to understand that people are different, not inferior. The result is a diverse team that works harmoniously, and that can be very powerful.
Burnout. Burnout is an increasing problem within cybersecurity, and one that must be managed to prevent the loss of team members through mental health problems. Burnout is extreme mental and emotional fatigue leading to an inability to function. It can affect any industry but is particularly common in cybersecurity with its always-on culture.
Spears believes it is exacerbated by the growth of remote working and the ‘work from anywhere, anytime’ lifestyle. “People generally don’t pack up their things and travel to or from their office anymore,” he said. “There’s not that clock in people’s head that says it’s time to stop working and it’s time to be with the family.” The result is that security people have less and less genuine downtime.
“We make an effort to ensure that the team takes time off when they feel they want or need it. I’m overly cautious on this, because if people don’t say anything, and I don’t see it, then burnout and fatigue becomes a problem. I reinforce this message by very publicly taking my own time off.”
For Spears, burnout is a symptom of a poor working culture — it means the company isn’t providing enough resources in manpower and support to prevent excessive stress and fatigue.
Burnout has a related condition known as rust-out. It is similar in effect to burnout, but is caused by long periods of repetitive and ultimately boring work. The sufferer feels disengaged from their work and lacks a sense of self-worth. A possible solution again comes from increased resources – in particular, greater use of automation for repetitive tasks.
Advice received and advice given
Advice, both received and given, is a treasure trove of useful tips on how to succeed in any career.
The best advice Kissner ever received was to go for promotion, if only because not seeking promotion reflects badly on the organization – that is, it suggests the company is unsupportive of its workforce.
“People who are from under-represented or marginalized backgrounds will, on average, tend to be a little more hesitant about stepping up for a promotion. But it’s important that everybody understands that organizations promote on impact. They promote people who do good work, not on their background.”
Spears’ advice is simple to describe, but hard to achieve. “Trust other leaders,” he said. “If you want to be a great leader, you have to trust those around you – and it’s a hard thing to do.”
The advice Kissner offers is to beware of perverse metrics. “More than anything else, I have seen people make bad decisions about security and privacy because of perverse metrics.” An example of ‘perverse metrics’ can be found in seeking the monetary impact of a vulnerability. “First you must ask what is the probability that the vulnerability will be exploited. And if you tell me you know what that is, I’m going to ask you how you know which hacker teams are taking vacations? And what other mitigations do you have, and which people in your company are going to accidentally push the wrong button?” In all security questions, there’s high variability in any answer.
Even if you know the probability of exploitation, you must then translate it into a monetary effect to allow a comparison between the cost of mitigating the risk and the possible or probable cost of accepting it. What if the exploitation happens on a holiday rather than a working day? What if the media picks up a breach? What will be the cost of the brand impact? What if a local or even global regulatory authority gets involved? How much will the lawyers you need cost you? If there are regulatory fines, how large will they be?
“There’s such high variance,” said Kissner, “that if you multiply these together, you tend to end up with either this tiny number — which means nothing — or this incredibly large number — which means nothing — and sometimes it looks like it’s a reasonable number, but it still means nothing. There’s a whole variety of ways that these issues show up when people try to use numbers to make decisions. You’ve got to be careful about your use of metrics.” The problem with misusing metrics is the likelihood of wrongly using resources.
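The point about variance can be made concrete with a small Monte Carlo model. The example below is added here and is not code from the article or from either CISO’s organization; every input is a hypothetical 90% confidence interval chosen for illustration, not a figure anyone in the interview quoted. Each factor of a “probability times impact” calculation is drawn from a lognormal distribution fitted to its interval, the factors are multiplied, and the spread of the resulting annual loss is compared with the single number a spreadsheet would print.

```python
"""Monte Carlo view of a 'probability x impact' risk estimate.

Added example, not from the article. Each factor is a lognormal distribution
built from an analyst's 90% confidence interval; the product of the factors
is the annual loss. The spread of that product is the point: the multiplied
-out single number hides four or five orders of magnitude of uncertainty.
"""
import math
import random
from typing import Dict, Tuple

# Hypothetical 90% confidence intervals (low, high) for each factor.
# Constructed for the example; none of these figures come from the article.
FACTORS: Dict[str, Tuple[float, float]] = {
    "p_exploit_per_year": (0.01, 0.6),          # chance the bug is exploited this year
    "records_exposed": (1_000, 5_000_000),      # size of the resulting breach
    "cost_per_record_usd": (5.0, 500.0),        # notification, forensics, monitoring
    "regulatory_multiplier": (1.0, 10.0),       # fines, lawyers, brand damage on top
}

Z90 = 1.6449  # +/- z for a two-sided 90% interval of a normal distribution


def lognormal_params(low: float, high: float) -> Tuple[float, float]:
    """Return (mu, sigma) of the lognormal whose 5th/95th percentiles are low/high."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    lo, hi = math.log(low), math.log(high)
    return (lo + hi) / 2.0, (hi - lo) / (2.0 * Z90)


def point_estimate(factors: Dict[str, Tuple[float, float]] = FACTORS) -> float:
    """The 'multiply the medians together' number most spreadsheets produce."""
    return math.exp(sum(lognormal_params(lo, hi)[0] for lo, hi in factors.values()))


def simulate_annual_loss(factors: Dict[str, Tuple[float, float]] = FACTORS,
                         n: int = 20_000, seed: int = 7) -> Tuple[float, float, float, float]:
    """Draw n annual-loss samples; return (p5, median, mean, p95) in USD."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    params = [lognormal_params(lo, hi) for lo, hi in factors.values()]
    losses = []
    for _ in range(n):
        loss = 1.0
        for mu, sigma in params:
            loss *= rng.lognormvariate(mu, sigma)
        losses.append(loss)
    losses.sort()
    p5 = losses[int(0.05 * n)]
    p95 = losses[int(0.95 * n)]
    median = losses[n // 2]
    mean = sum(losses) / n  # dominated by a handful of extreme draws
    return p5, median, mean, p95


def orders_of_magnitude(p5: float, p95: float) -> float:
    """How many decades the 90% interval of the simulated loss spans."""
    return math.log10(p95 / p5)


if __name__ == "__main__":
    p5, median, mean, p95 = simulate_annual_loss()
    print(f"point estimate (product of medians): ${point_estimate():,.0f}")
    print(f"simulated median:                    ${median:,.0f}")
    print(f"simulated mean (the 'huge number'):  ${mean:,.0f}")
    print(f"90% interval: ${p5:,.0f} .. ${p95:,.0f} "
          f"({orders_of_magnitude(p5, p95):.1f} orders of magnitude)")
```

Run as written, the product of the medians lands in the high six figures, the simulated mean is two orders of magnitude above that, and the 90% interval spans more than four decades. Any of the three could be presented as “the” annual loss; none of them is a basis for deciding whether a fix is worth paying for, which is the trap the interview describes.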
Spears believes future threats will be similar to existing threats, but will be more sophisticated. “So, social engineering, phishing, smishing, configuration errors will be the threats. And then we’ll always have the zero day compromises that occur over time. These are the threats, but with more serious exploitation potential.”
Kissner also sees similar but more sophisticated attacks. “Firstly, AI is introducing a complexity that is going to be hard to block using traditional methods. These attacks will be far more variable and frequent.” Phishing is a prime example, especially where the MFA token is also phishable. “I’m expecting that we’ll see more and more of these attacks until folks shift over to a more resilient MFA such as FIDO2.”
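The difference between a phishable one-time code and a FIDO2 credential comes down to what the server can check. The model below is an added example, not code from the article or from Lacework: the TOTP half is RFC 6238 over the standard library; the WebAuthn half is a cut-down version of the FIDO2 assertion flow in which the authenticator’s ECDSA signature is stood in for by an HMAC with a per-credential key (an assumption made to keep the example dependency-free), the browser’s rpId check is simplified to a domain-suffix test, and all host names are constructed.

```python
"""Why a relayed TOTP code is accepted but a relayed WebAuthn assertion is not.

Added example, not from the article. The HMAC 'signature' stands in for the
authenticator's ECDSA signature; the origin-binding logic is what matters.
"""
import hashlib
import hmac
import json
import struct
from urllib.parse import urlsplit


# ---- TOTP (RFC 6238): the code is just a string the user can be tricked into typing
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # Accept the current and adjacent 30-second windows, as most servers do
    return any(hmac.compare_digest(totp(secret, unix_time + d), code) for d in (-30, 0, 30))


def totp_relay_attack(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into phish.example; the attacker forwards it to the bank."""
    victim_code = totp(secret, unix_time)       # read off the victim's phone
    relayed = victim_code                        # nothing ties it to the site it was typed into
    return verify_totp(secret, relayed, unix_time + 5)  # bank accepts it seconds later


# ---- WebAuthn/FIDO2 model: the browser, not the user, records where the challenge came from
def _rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Simplified: the browser honours an rpId only if it is the origin's host or a suffix of it."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_get_assertion(credential_key: bytes, origin: str, rp_id: str, challenge: bytes) -> dict:
    """What navigator.credentials.get() yields for a page actually served from `origin`."""
    if not _rp_id_allowed(origin, rp_id):
        raise PermissionError(f"rpId {rp_id!r} not allowed for origin {origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05])  # rpIdHash || flags (UP|UV)
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(credential_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify_assertion(credential_key: bytes, assertion: dict, expected_origin: str,
                        rp_id: str, expected_challenge: bytes) -> str:
    """Relying-party checks from the WebAuthn spec; returns 'ok' or the reason for rejection."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != expected_challenge.hex():
        return "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"


BANK_ORIGIN, BANK_RP_ID = "https://login.bank.example", "bank.example"  # constructed names


def webauthn_legit_login(credential_key: bytes, challenge: bytes) -> str:
    a = browser_get_assertion(credential_key, BANK_ORIGIN, BANK_RP_ID, challenge)
    return rp_verify_assertion(credential_key, a, BANK_ORIGIN, BANK_RP_ID, challenge)


def webauthn_relay_attack(credential_key: bytes, challenge: bytes) -> dict:
    """Phisher forwards the bank's real challenge to the victim's browser on a lookalike host."""
    phish_origin = "https://login.bank.example.phish.example"  # constructed lookalike
    outcomes = {}
    try:  # option 1: claim the bank's rpId so the rpIdHash would match
        a = browser_get_assertion(credential_key, phish_origin, BANK_RP_ID, challenge)
        outcomes["claim_bank_rp_id"] = rp_verify_assertion(credential_key, a, BANK_ORIGIN, BANK_RP_ID, challenge)
    except PermissionError as exc:
        outcomes["claim_bank_rp_id"] = f"browser refused: {exc}"
    # option 2: use its own rpId; the browser cooperates but the bank sees the wrong origin
    a = browser_get_assertion(credential_key, phish_origin, "phish.example", challenge)
    outcomes["own_rp_id"] = rp_verify_assertion(credential_key, a, BANK_ORIGIN, BANK_RP_ID, challenge)
    return outcomes
```

The TOTP relay succeeds because the only thing the server can verify is that the six digits are correct for the current window. The WebAuthn relay fails twice: the browser refuses to produce an assertion for the bank’s rpId from a page it is not serving, and an assertion made for the phisher’s own rpId carries the phisher’s origin inside the signed clientDataJSON, which the bank rejects before it ever checks the signature. That origin binding is what makes FIDO2 the “more resilient MFA” the interview points to.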