Most CISOs are responsible for the management of cyber-related risk within their own company. Some, however, must take a wider view. CISOs in cybersecurity product vendor companies also have a responsibility towards all the companies that buy or use their products.
For this edition of CISO Conversations, SecurityWeek talked to two vendor CISOs: Chris Morales, CISO at security and analytics firm Netenrich; and Laura Whitt-Winyard, CISO at EDR firm Malwarebytes. The purpose is to explore the differences introduced into the role of CISO when the business sells cybersecurity to other businesses.
A key function for all CISOs is to protect the brand reputation of their companies. For most CISOs, this focuses on protecting their own infrastructure against breaches, loss of data, ransomware etcetera. The vendor CISO has another dimension – protecting the firm’s customers from being breached through a flaw in the product they sell. This would rebound as brand damage to their own company.
Both CISOs point to their position as the supply chain for their customers. Supply chain attacks are increasing because of the ‘hack one, breach 100s or 1000s’ principle widely adopted by criminal gangs and nation state attackers. Morales pointed to SolarWinds and Kaseya; Whitt-Winyard pointed to Okta.
The Okta breach affected about 400 of its customers. The Kaseya incident affected an estimated 40 customers, but hundreds more downstream from them. Up to 18,000 customers could have been affected by the SolarWinds hack, although it is believed that less than 100 important companies and government offices were eventually breached. The SolarWinds incident demonstrates the brand damage that can ensue, with its stock falling 23% in a week after disclosure.
Both Morales and Whitt-Winyard – and most vendor CISOs – have the additional responsibility of not simply preventing their company from becoming a supply chain victim, but preventing it becoming a supply chain source. This requires a deep involvement with the product they sell – and this in turn has knock-on effects to their role that differentiate the vendor CISO from the non-vendor CISO.
The first and most obvious is that while business acumen is needed to manage risk against their own company, this cannot be at the expense of technical acumen to secure their products and help their customers. The vendor CISO cannot simply be a businessperson, but must also be a technical guru.
Whitt-Winyard goes further and believes all CISOs require technical skills. “Part of my CISO role,” she said, “is to mentor and coach my own team, to help elevate them into leadership or more appealing positions.” She gave the example of a team member who might currently be involved in governance but wants to become a pentester.
“If I don’t understand the technical details of what that person needs to learn,” she continued, “I’m not going to be able to coach them correctly into getting into something they’re passionate about. If my team is working on things that they’re passionate about, I will get exceptional results – but if they’re working on things they’re not passionate about, I’m only going to get exactly what I asked for and no more.”
Morales also has deep technical knowledge. “I’m fully versed in technology across the board,” he said, “and that’s important for most security people. I know networking, IT, databases, development – I understand all of it.”
Both companies – in the modern parlance – ‘drink our own champagne’. They are consumers as well as purveyors of their own products, and the CISOs are deeply embedded in the product development process.
While relationships are important for all CISOs, this has led to something extra for Morales: a unique relationship with the CTO. “We’ve become disrupters of our own company and are talking to patent lawyers over some of our developments. The company is pivoting from services to platform and into data analytics; and we have developed things to help this process.”
Bug bounty program
Bug bounties are another issue particularly relevant to a vendor CISO. Both CISOs believe in them. Morales doesn’t yet operate a bug bounty program, although he did so at his previous company (another cybersecurity vendor firm). “It’s not too relevant for us right now, because most of our customers are security companies who have their own arrangements. But as we pivot into new markets offering, for example, automation in operations, we’re going to need to consider bug bounties,” he said.
“I would tend to support security researchers instead of trying to fight them,” he added. “It’s better to give them an avenue to help you instead of hurt you, because either way they’re finding these things.”
Whitt-Winyard already operates a bug bounty program at Malwarebytes via HackerOne. “The cybersecurity team owns our bug bounty program,” she explained. “We review the different vulnerabilities that are found, determine if they’re legitimate, and determine their criticality. Obviously, the bounty varies depending on the nature of the vulnerability. So, we internally determine which product team owns the product and then we track that vulnerability to remediation. Then we have it retested and, if it works, we pay the hacker.”
Whitt-Winyard is a strong believer in bug bounty programs. She believes every company that has any internet-facing assets should have one. “When you have a bug bounty program,” she said, “you encourage the security community to evaluate everything you have that’s Internet facing. Even if you hire a third-party pentester, he may use automated tools that don’t pick up everything. So, you still need a bug bounty program to, well, to bridge that gap.”
While bug bounties may not be unique to vendor CISOs, a marketing role probably is. For Morales, it is a natural part of being a vendor CISO. “Many of our customers are other security firms, and their CISO must approve new product purchases. It’s only natural for the buying CISO to want to talk to the selling CISO because they both talk the same language. I guess that’s a marketing role.”
For Whitt-Winyard the role is more clear-cut. “I do get involved on the marketing side. A good example is that I recently attended our sales kickoff where I met 158 people. I made it a point to meet every single person – and I did that.”
She also spent time with Malwarebytes’ own sales force. “I facilitated conversations between our salespeople and people more involved in the security community to ensure that the salespeople understand the security challenge that companies face.”
At the same event, she continued, “I spent a lot of time with our own marketing people, discussing the reality that many potential customers don’t realize we have an enterprise product. They just think, ‘Malwarebytes? Oh yeah, that fat-free product that you download.’ How do we overcome that preconception?
“I spoke with some of our senior product team on enhancements that I think would be important to our customers because ultimately, I’m the customer – not only because I work at Malwarebytes, but because I’m the CISO and have been in cybersecurity for over 20 years.”
Finally, she added, “And when we go to things like RSA Conference, Blackhat and DEF CON, I’ll be representing the company there. I’ll work the booths, and I’ll meet with some of our existing customers, as well as some of our prospects.”
CISOs often have ambivalent feelings towards compliance. Regulations cannot be ignored, but they really exist to ensure that other companies are secure. They apply to all companies, but mass-market vendors like Malwarebytes will have a large volume of third-party (customer) data to protect.
For many CISOs, regulations can get in the way of security. “I hate this idea of compliance as the instigator of doing things,” said Morales. “Some of it is old-fashioned, and it contains ideas that simply didn’t execute well. It ends up making you do things you don’t like.”
Whitt-Winyard has a similar but succinct view. “One of the things I advocate to my team is that compliance doesn’t equal security – security equals compliance. If we do security the right way, it pretty much doesn’t matter what regulation we’re trying to comply with – we’ll be compliant.”
Regulations, she added, “are there for people who aren’t doing what they should have been doing in the first place.”
But what if, despite all precautions, a security vendor gets breached? A vendor is the supply chain to all its customers – just consider SolarWinds and Kaseya. A breach would affect the CISO’s own organization, but could also affect many of its customers.
“I’d get fired,” said Morales, only half-jokingly. But he uses that as a (somewhat) joking incentive to his security team. “If I get fired, I won’t be going alone.”
Whitt-Winyard said, “It would be devastating: to me as an individual, to my company, and to all our customers.” She describes security vendors as having a target painted on their backs. “We’re watched heavily by bad actors. We’re a cybersecurity company. We’re stopping them – so any time there’s a fault or a vulnerability within our product, they’re going to jump on it.”
She accepts she has a responsibility to her own company, but also to all her company’s customers. “Yes, we have our own brand issue. But from my perspective, I have a higher obligation, like a moral obligation, to the security community as a whole. It’s Malwarebytes’, and my, goal to secure the world one company at a time.”
As far as the product is concerned, she is aware that if she or her team doesn’t catch something or doesn’t report an issue to product development, her company could become another SolarWinds. “If there’s a backdoor or hole or leak in our product that puts people at risk, there’s a whole bunch of hackers out there ready to jump on it.”
Put simply, a breach to a security vendor is doubly devastating – and it’s the CISO that carries the can.
Security vendors often warn their prospects, ‘it’s not a question of if you get breached, but when you get breached’. On the basis of goose, gander and sauce, we asked our vendor CISOs what they consider to be the main threats we will all face over the next few years.
For Whitt-Winyard, the primary threat is extortionware – being the evolution of ransomware. “It’s not just ransomware anymore. Back in the day, it was, ‘Okay, we’ve encrypted your data. If you want to decrypt it, pay us money’. Well, now it is ‘We’ve encrypted your data, and we exfiltrated it, and by the way, we’re still in your network’.”
She gave an example. In one company, “Bad actors got into their environment. They lurked for quite some time; their dwell time was something like six months undetected. While they were undetected, they were slowly leaking tons of data and dropping logic bombs and time bombs all through the network.”
When the time was right, the attackers launched the ransomware and encrypted the victim’s system. “The victim paid the ransom and decrypted the systems,” she continued. “But then the attacker said, ‘You know what? We’ve got your data, so pay us some more’. After that, it was, ‘By the way, we’ve dropped logic bombs and time bombs in your network, and we’ll detonate them if you don’t pay us again’. It just went on and on: ‘We also have domain admin credentials for your environment…’. Once extortion starts, it never ends.”
For Morales, the threat is more internal than external. “Internal negligence,” he said. “I truly think that scares me more than Russia. I fear we are going to hurt ourselves if we’re not careful.” The problem is the required speed of modern innovation and development.
“We’ve had pretty solid growth over the last few years,” he continued, “and that growth creates a need for more and faster developments. More and faster always leads to mistakes. But I cannot be the one slowing us down. I must keep up with the pace, and there’s a lot of room to trip and fall.”
He thinks this is a problem that affects most companies. “The business won’t slow down just so that security can keep up. You’ll never meet a CEO who’ll say, ‘You know what? We should slow down now’. That’s not how corporate America works.”
CISOs versus vendor CISOs
The big difference between security vendor CISOs and non-vendor CISOs is that the former must look in two directions simultaneously. They have a responsibility toward their own company infrastructure but also have a responsibility – through the products they sell – toward all their customers.
This has two primary effects. The CISO must have high technical knowledge and get deeply involved in the product. The vendor CISO will need a much closer relationship with product development than is usually necessary. The second effect is the vendor CISO must be comfortable with wearing a marketing hat. Customers who buy security products want to talk to security people.
In short, the vendor CISO is effectively a CISO+.