In a recent episode of Agent of Influence, I talked with Miles Edmundson, a 30-year veteran in the IT and Information Security space. Miles started as a security consultant, was Carlson Company’s first global Information Security Manager, worked for the largest crop insurance company in the world, and served as both the CISO for Ceridian as well as the US CISO for Equinity. His last 12 to 14 years have been in the financial services industry. I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music, or wherever you listen to podcasts.

“Exploring” the Network Neighborhood

To start, Miles shared an interesting story about how he first stumbled into and became interested in cyber security.

He was curious about how networks worked and saw an icon on his desktop that said, “network neighborhood.” He clicked on that and it took a while to populate, but he started to see over 2500 different systems. As he was looking at them, he realized he was seeing the entire client server system for all of Weyerhaeuser, his employer at the time. It became clear to him that there was a consistent naming convention by location, job title, etc., and so, within about 30 minutes, he was able to find the CFO’s machine and access sensitive information, including executive salaries. He reported the finding to their IT team, but this was the beginning of his career in cyber security.

Miles shared this as a lesson to security teams everywhere that exposing sensitive information doesn’t always require having a very high degree of skill. There’s a misconception that you have to be super skilled to break into systems, but in many cases, there are simple misconfigurations that can cause a lot of these problems and don’t require a lot of skill for someone to break.

Where to Focus When Starting a New Senior Level Position

In the early 2000s, Miles made the transition from consulting to being a practitioner, first joining Carlson Company as the Global Information Security Manager. He was the only person on this team in a brand new role and his budget the first year was $100k, which was already earmarked for a specific project. He was at Carlson for three years and by the time he left, the department budget had increased to $3.5M.

I’m always curious to ask CISOs and senior cyber security leaders about how they start in a role and prioritize areas of focus. Miles has two key areas of focus when he starts new senior level positions, which are obviously dependent on audit findings, regulatory issues, number of employees, budget, and more:

1. He always wants to see org charts to know who’s who and how to reach out to different people so he can start trying to build relationships with people.
2. He also wants to see any audit reports or regulatory reports to understand the underlying issues the organization needed to focus on.

Keys to Relationship Building

Relationship building is extremely important, not only for your personal success, but also the success of your team and entire company.

Miles shared a story from the book, Good to Great by Jim Collins about people who are excellent in their field. One of the people highlighted was a hotel housekeeper, who when interviewed, didn’t say she was a housekeeping person at a hotel chain, but rather that she was a representative of her company, and she wanted to ensure that people were having a wonderful time at her facility – and she was doing all she could to make that happen.

When Miles was asked what he did at Carlson Company, he would often say that he helped promote world understanding, because Carlson was a leading player in international travel and he thought it was critically important for people to know that the world is much bigger than his local area.

Miles also cultivated relationships by asking questions – and listening to the answers. He didn’t tell.

He was very conscious to be a good representative of his organization, his company, his state, and his country.

Biggest Challenge Facing CISOs Today

Keeping up.

Miles believes the biggest challenge facing CISOs is simply keeping up with all the requirements. In many respects, the role is responsible for juggling a number of different items all at the same time, and receiving constant requests from regulators, compliance teams, auditors, and customers. And CISOs have to meet these requests all while being constrained by budgets, personnel, talent, and more.

In addition, CISOs are effectively on call 24/7/365.

Advice for CISOs

Over the years, Miles has subscribed to a couple quotes that he shared that could be good advice for many things.

The first was from Teddy Roosevelt, President of the United States from 1901 to 1909, and he said, “Do what you can where you are with what you have.” Miles noted that you can only do so much with what you have – and so, do that.

The next quote is from Winston Churchill during World War II, and the paraphrased quote is, “Never, never, never give up.” This served Miles well in his career and he passed it along as advise to senior leaders.

To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

Nabil Hannan

Starting and Growing a Cyber Security Program

When joining any new company and trying to build the security program, it’s important to listen and seek to understand the business’ goals and objectives. At the end of the day, we’re not doing security for security’s sake or because it’s cool or because somebody told us to. We’re implementing security controls and policies in a commercial setting – or in any setting – for a purpose. We want to support the business. We want to drive more business. We want to grow the company. We want to create a reputation with customers of trustworthiness.

Fully understanding the business motivators for the company is critical. You need to understand and embrace the corporate organizational goals, mission, and the short- and long-term objectives the organization wants to achieve. It’s with this information at hand, you can then develop your own strategy to support these initiatives.

For example, when I joined Demandware, the company had just gone public a few months prior pushing for a shift in priorities and strategy – one of which was the desire to provide the SOC2 report to customers. The ask (and need) was urgent, leaving my first order of business to make sure we were able to fulfill these contractual obligations and support the goals of the business. First, I assessed their security organization and determined I needed someone who could help organize all the compliance-related work and audit enablement that goes into a project of that scale. So that’s where we started. We built the organization and team as we moved forward and took note to other areas we needed to work on, and hiring the right talent to fulfill the need.

As you build out your security program, start from the core deliverables that you need to focus on first, identify and prioritize your gaps, and you can fill those as you go.

The Criticality of Aligning Stakeholders

Companies are starting to realize that skimping on security will eventually get you into trouble. However, I think people generally can’t properly assess the likelihood of risky events. The typical response, or mentality almost innate to most human beings is: “This would never happen to me/us.”. We either overestimate the risk by orders of magnitude or completely underestimate the probability. People have a hard time properly predicting the likelihood of something happening, and that is a challenge that still gets in the way today in security organizations.

Today, many of the more mature security programs are focused on driving security from a risk-based perspective. Understanding where you shine, where you’re not so good, the overall risk to your company, and alignment to business strategies, gives you a much better chance to be heard and given the resources to build a security program that is meaningful to your stakeholders.

An old adage that I think fits the industry well is that “a good compromise means all sides are equally unhappy,” and I think that’s really what we need to strive for. We cannot have perfect security; it would either not be supportive of corporate goals, be too expensive, or both. In parallel, we cannot completely ignore some of the risks and threats we are seeing in today’s environment. Finding the right middle ground is the key here. Modern day risk-based analysis tools can give make it much easier to make some of these calls.

The Ultimate Security Challenge: Malicious Insiders

An important distinction should be made between the unintentional insider, the complacent insider, and the malicious insider. The unintentional person is someone who accidentally clicks on a phishing email and makes a mistake. The complacent person isn’t necessarily working within the framework that everyone agreed to but isn’t necessarily intentionally working against it.

Then there is the malicious insider, which is one of the hardest problems to solve for in security. Solving this problem is incredibly difficult – you essentially have to go into the psychology of people to understand if you’re dealing with a disgruntled employee or someone who lost loyalty to the company and wants to capitalize on the opportunity.

Determining the right level of technical and security awareness, monitoring, and controls your organization will spend for depends on how you define your threat profile and what you want to protect against. If you truly want to protect against a motivated attacker with sufficient funds and deep insight into your organization, then you’re going to need to spend a lot of money on tools, put forth a lot of effort on developing proper processes, and most importantly, provide rigorous training for your employees to help identify and report anything they deem suspicious. You’ll also need to check your employees’ activity, intentions, running baseline analysis, and effectively doing background checks to figure out their true motivations. This is incredibly challenging and goes way beyond what most small and medium businesses would ever consider. Even for larger enterprises and governments, it can be quite difficult to manage and defend against malicious insiders.

As you think about your threat landscape, understanding who the threat actors are that you want to protect yourself against should be the input into what kind of control mechanisms you decide to put in place.

Is Anything Internal Anymore?

I don’t think there’s anything purely internal anymore. Especially during COVID-19 and the various lockdowns and restrictions that we have in place. For example, at LogMeIn, we have 4,000 offices now ­– every single employee home office – and there really isn’t an internal network that could provide an adequate level of protection. Employees have to be able to connect from anywhere at any given point in time (circling back to business goals and objectives). Back in March, Security leaders who thought that VPN was the best solution for everything have seen the scalability limits of that approach. I think companies that have been more aggressive in terms of adopting SAS and zero trust approaches have had a somewhat easier time adjusting their business processes to a rapidly changing environment.

As long as you rely on the special privilege associated with the presence on a particular network or physical presence in a particular area, your scalability and agility suffer a lot. I think the right approach to solving these kinds of problems is to treat every network as a hostile network. There is no inside protection.

Obviously, you have firewalls around your environment and don’t let everybody in, but this only slows down the adversary – doesn’t stop it. The appropriate protection against adversarial activity requires that your sensors, tools, and Sec Ops teams are capable of detecting noise made by the adversary and eradicating them. Just relying on firewalls as the only way to protect yourself is a dangerous and slippery slope. At the end of the day, if somebody does sneak through the front or side door, and establishes a beachhead within your perimeter, a lateral movement becomes incredibly easy.

The line between internal and external assets has been blurred over time, especially with connectivity and mobility. Employees are now bringing their laptops home and have access to VPN on their personal tablets and smartphones. Accepting the change in how we work will only benefit organizations in the long term, and leaders need to think critically about how they’re going to approach this change.

There is no internal network that is special – or truly internal anymore.

Words of Advice

In closing, below are some words of advice that I live by in our industry.

1. Communication starts with listening,
2. Context matters a lot.
3. Building durable relationships with stakeholders is the most important thing you can possibly do if you want to be successful in our line of business.

Gerald Beuchelt