Roshan Popal is a technology and security executive with a proven track record of customer service delivery and information security risk mitigation. Roshan is known for building, developing, and leading high-performance cloud, IT, and security teams on a global scale. Utilizing his strong business acumen and broad technical knowledge, he strategically aligns IT and security services for organizational success.
Roshan currently serves as the SVP of Cloud Operations and Chief Information Security Officer (CISO) at MicroStrategy, a business intelligence and analytics firm with headquarters in the D.C. metro area. Prior to MicroStrategy, he led the global IT and information security functions for Cigital, Inc.
One of the major challenges CISOs like myself face today is finding the balance between keeping a business running efficiently and the security controls it needs. It is an ongoing challenge that takes time to figure out. But, as we all know, time is not something that is readily available to CISOs.
To help, Nabil Hannan, NetSPI Managing Director and a former colleague of mine, invited me to share insights on his Agent of Influence podcast. From the conversation, here are my top tips for achieving balance and, in turn, eliminating friction between business and cyber security.
Create realistic security awareness campaigns – and learn from them
Phishing engagements are a great opportunity to keep people on their toes while garnering awareness around email security. One particular engagement I coordinated was so effective, it fooled our security team. Our phishing emails were deployed at the same time as our real security awareness training and tricked people into clicking on a “malicious” link to confirm they had completed the company-wide training. Over 70 percent of people in the company fell for it.
We learned a few lessons from this engagement.
First, security practitioners are not immune to phishing attacks. There is a misconception that security teams are immune to being hacked or compromised. It is important to find curious and creative methods of security awareness training to challenge not only your general employees, but also your security teams.
Second, someone had said to me, “I will never trust an email from you again.” I thought about that for a long time, and still do to this day. How do we as security practitioners create effective training campaigns without losing some level of trust? Well, it's not necessarily a bad thing for people to be skeptical. People can be easily tricked when their guard is down. When we receive an email from an outside source nowadays, we are much more cautious about opening attachments or clicking on links. But if an email appears to come from your friendly HR team, manager, or CEO, we are much more comfortable clicking on a link or opening an attachment.
Third, cybercriminals are getting more creative, and our security awareness engagements should be, too. Now more than ever we need to imitate real-world attacks using the latest attack tactics, techniques, and procedures (TTPs). Had this been a real attack, somebody with access to our email system would have known that the real security training email had gone out that day. They could have easily distributed the exact same email and captured many usernames and passwords. Our engagement was not far from how an advanced persistent threat (APT) would work.
Finally, as with many things in life, security is circumstantial. From a business perspective, it is important to understand your user base and change your security approach accordingly. Every company’s user base is different. Your security offerings, penetration testing, and training are all circumstantial based on the type of users you have. Account for organizational cultural norms when making security decisions.
Prioritize risk – while also moving the business forward
In my first three months as a CISO, there were outstanding tasks and projects to complete. To prioritize my focus, I took a step back and looked at what the risks to the business were. By prioritizing my tasks based on the biggest business risks, securing the business came naturally.
Every CISO should ask themselves, “How can I help make the business move faster, while staying secure?” This is an interesting question because security is almost the inverse of being able to move fast. However, we have made great strides over the past 10 to 15 years, and we can now have a level of transparency while maintaining an adequate level of security. This allows for a frictionless experience where things happen fast in an organization, such as DevOps.
During my conversation with Nabil, he explained this well. He said, “Recently, I read something that really resonated with me. It took me back to the early days where we would say, ‘security is just a subset of quality.’ If you think about it that way, if we are doing quality correctly, security goes along hand in hand. Similarly, I think if you're doing DevOps correctly, you shouldn't need DevSecOps. If you're doing DevOps correctly, security should be part of that process already. Security really needs to be frictionless and needs to focus on how to be secure while still enabling the business and enabling people to move ahead.”
Understand the business – and how it makes money
When I first became a CISO, the most valuable advice I received was, “you need to understand how the business makes money, that's the most important job of a CISO.” If you can understand how the business makes money, then you're able to protect the business's critical assets and transactions.
And that's exactly what I did when I came to MicroStrategy. I followed the guidance of my mentors. CISOs, especially first-time CISOs, should have mentors to help them understand their role formally, hear real-world experiences, and learn what others have gained from being in a similar position. One book I recommend to any CISO is CISO Leadership: Essential Principles for Success from ISC². It digests the thought process behind the CISO role. The first half of the book explains the role of the CISO, and the second provides real scenarios and examples of how CISOs dealt with different technology and security challenges.
The CISO role is really a business position, a leadership position. It is not about the tooling or the firewalls – your job is to reduce company risk. Different organizations have different appetites for risk. Once you understand that, everything else will fall into place.
Originally published on the NetSPI blog as “How To Eliminate Friction Between Business and Cyber Security” on February 16, 2021.