Telling Hard Truths to Impact Change in Cybersecurity

Posted on in Presentations

Compelling truths revealed by new workforce models and the heightened sophistication of breaches provide security leaders an unprecedented opportunity to be truth-tellers and take action. Teams that feel empowered to impact change are more engaged, effective, and resilient. Angela Weinman, Head of Global Governance, Risk, and Compliance at VMware, and Jimmy Sanders, Information Security at Netflix DVD, share why and how they believe that taking responsibility for telling hard truths can impact change.

Video Transcript

- [Announcer] Welcome to our keynote conversation for RSA Conference 2021. Please welcome Angela Weinman, Head of Global Governance Risk and Compliance for VMware, and Jimmy Sanders, Information Security for Netflix.

- Hello and welcome. It's great to be here with you today, and to be joined by Jimmy to cover some hard truths. Both of us have a passion for driving change in security, and being just a little bit disruptive.

- Just a little bit disruptive. Oh, that's a little understatement, Angela. It is an honor to be here alongside you. I remember the often used quote, "May you live in interesting times." I'm sure our colleagues watching this can agree that we've all experienced dynamic revelations. Angela and I don't presume to have the answers, but we have some ideas. Thus, the hard truth should not be a surprise. We're here together in support of the idea of empowering one another, and maybe some of you. Our shared goals are not to patronize you, but to hopefully motivate you to embrace emerging ideas to make things better in cybersecurity. Angela and I, I feel as though we're partnering together on this ambitious journey.

- Agreed, and with that in mind together, we're gonna cover three hard truths about security, with suggestions on how to address these more effectively, in light of the past year's shared experience. There's a lot to cover, but our overall goal is to increase security resilience going forward. Let's jump right in. Jimmy, can you please take us to the first hard truth?

- Yes, hard truth number one is that the security risk picture is out of focus. This is directly linked to greater resilience, since if we can't accurately determine risk, it becomes difficult to rapidly recover from impacts. We have to acknowledge this, considering the last year that we've all experienced. Angela, what are your thoughts?

- Well, if we don't get this one right, we're initiating projects, we're investing resources, using the wrong priorities. It's essential that risk drives what we do, because security is, after all, one big risk management program. So what's the hard truth here? We're not managing our risks well enough. This reflects directly at the business level, of course. In a study we just did with MIT recently, less than half of top executives said they were happy with how their resiliency risk plans were executed last year.

- Less than half? That's not even a passing grade.

- Exactly, so what's the observation here? It's that our desire as security professionals to be accurate can cause us to be too conservative when predicting risks, and impacts, and necessary treatment. Maybe we should be zooming out. Trying a wide-angle lens instead. Thinking in terms of a spectrum of impact, rather than a narrowly defined scenario. As an example with the pandemic, it wasn't enough to plan for critical staff working from an alternate location, or from home for a period of time.

- I could not agree more. That's the crazy thing. Many of us focus our plans for who is critical. And as it turns out, last year that meant everybody in your organization.

- Looking back, virtually no one anticipated things correctly. Turns out the business need was for almost everyone to be remote for a year or two, not a few folks for a month or two. If we'd looked back a hundred years to the 1918 flu, and used a spectrum of impact to help consider more of the edge cases, it might have helped. It turns out those who could pivot fastest last year were the ones who had the broadest plans, or who could mitigate by being the furthest along their digital transformation journey.

- So Angela, if there is a struggle currently today, with the credibility that we have in the way our companies view our current risk strategy, how can we handle presenting broader and bolder risk views?

- Well, the best way is not to struggle to make decisions alone, but lay it all out. Present the spectrum views to your CISO, risk committee, executives, your audit committee, the board, wherever you normally do your readouts. Let the business drive agreement on where on the spectrum predicted impact should go, just as similar dialogues drive risk posture decisions today. So Jimmy, apart from the pandemic. Wow, did I just say that sentence? It's kind of an odd one, but what else did we see over the past year that shows us that the risk picture is out of focus?

- Focus is a matter of deciding what things you're not going to do. And what we've seen is we've been protecting our security environment like pieces on a checkers board, where every piece is valued the same. We must broaden our views, and prioritize environments, so we ensure that not all environments are protected and viewed the same. In chess speak, we must see the entire board. We must ensure we build resilience into our environments where the taking of a symbolic pawn, or even a rook, doesn't mean it's game over, or a total disaster for our entire environment. So let's zoom out as Angela was saying, and see the entire board.

- Thanks, Jimmy. Great analogy. There's so much more we could cover on the risk front, but let's leave this one here, with the suggestion to shift our risk perspective, and zoom out. That leads to our second takeaway. We have to throw out some of our old ways of doing things because, second hard truth, legacy security practices are slowing us down. This is a big one. We might ruffle some feathers here, Jimmy. So where should we start?

- And so ruffling feathers is something that I'm very comfortable with, because I spend my time railing against legacy security practices, and the lack of diverse voices within our security community. Witnessing the rise and fall of companies, products, and best business practices throughout my career, it is an imprinted, deep belief within my psyche. That belief is that we, the collective we, must create an environment where the best ideas win. And what happens is this improves our security posture overall. These diverse thoughts stem from allowing competing ideas and viewpoints to be voiced without the fear of ridicule and condemnation. My current company, they do a great job, an amazing job, at diversity and inclusion. We work toward the goals of freedom and responsibility. That is a great starting point. But diversity and inclusion is not about any one person or company. What I am championing are the many intelligent minority voices that do not get heard within the security community. People get the diversity aspect. Diversity is about getting various cultural groups and individuals a seat at the table. Inclusion is about being intentional, and allowing every voice at the table to be heard.

- I love that, Jimmy. Inclusion is about being intentional. Such a great perspective, thank you. Allowing all voices, in fact requiring all voices to be heard is tremendously empowering. It's also a great tie back to our first hard truth about the risk picture. We can get better risk management and inputs, if we have more points of view.

- My truth is that I realized my company and peers could not be great at security by sticking to outdated security practices. Thus, what I started to do was continually reach out to various peers, and ask them questions, and to stand on the shoulders of thought leaders in our industry. This pushed our team to start doing a proof of concept of a tool or a technique on a monthly basis. What transpired from that is our team developed a resilient and nimble mindset that does not get worried when change happens. Change is just a matter of course. Angela, similar to me, I know that this is an important topic for you. What other ideas do you have on this hard truth about legacy security practices?

- Well, let's shake the trees a little bit regarding security processes. Driven by the need to be deemed mature, we've built, and often automated a lot of processes, layer upon layer, almost like a geological formation, hard and inflexible, weighing us down. And not only us, the business units we work with day to day. How many things exist, so that we can check a box with some long forgotten reason? Is everything we're doing value add to our security posture? If not, why are we doing it? Again, more support for thought diversity here too.

- I love that idea of thought diversity, because it's often the employees in new positions that provide a new perspective on what might be redundant work. They can question without having been involved in the history, or ingrained into the thinking of this is how we like to do it.

- Yes, new team members are great at this. Also, someone on rotation from another group, or anyone frankly, who's had a long break. There's so much opportunity to throw things out. Let's just go ahead, get them out of there, maybe replace with something better. Even with compliance, continue to question, and throw out things that have changed. Cross questions off questionnaires, make them shorter. Everything should be open to be legitimately challenged, and potentially thrown out.

- Well, but for many of those, those are fighting words, Angela. And so my question to you is what do you think about how we decide what to throw out?

- It's going to depend on what we're looking at for sure. But as long as we actively map efforts back to cyber hygiene fundamentals and business goals, and find the areas of concentration (are they what we'd expect?), we can validate these decisions. Also, it's going to take a bit of negotiation with those around us, but it's going to be well worth it. It's not just a good idea to throw things out. It's a survival tactic, in order to scale and to move faster. Let's constantly challenge the how, as well as the why, and be brave. There's plenty of security work to do, be bold. Throw things out. Lastly, we have to be willing to reach out. Jimmy, please bring us home with the third and last of our hard truths.

- Certainly, the last hard truth is very relevant to the past year. The last hard truth is that security is not a solo sport. It's been a tough year and let's be honest, being able to talk to each other has helped us, especially me, get through it. You may be a super security person at your current technology company. Whatever stage you are in your current career cycle, we, the security community, we need your ideas. We need your effort. We need your collaboration. I think of the term snowball effect, because all the great ideas build upon each other. We, the security community, need to ensure that the best security practices are accessible to everyone. Similar again to great chess players. All the moves of all the great chess players in the great matches were out in the public for masters and beginners alike to study from. Instead of chess terms, I view us as heroes. We are the heroes protecting our companies and employees from the threats that we face on a day-to-day basis. However, a single entity can't curb the overall rise in security breaches, regardless of how amazing their individual security structure may be. But together, us, the security superhero group, sharing knowledge and effective techniques, can achieve what a single company can't. And that is, achieve greater security resilience. With that, I wanna pass to my partner, and superhero Angela, for her ideas.

- Thanks, Jimmy. This one is close to my heart, literally, because relationships and connections are table stakes for success in security. This applies at all stages of having a career in security. It can be a common misconception that, because of what we do, we must work in individual secrecy. It doesn't need to be lonely to tread a new path. Of course we have to stay within what's legally allowed, but it's as if we never graduate from security school. It's always good to join a study group. Personally, I wouldn't be anywhere near as successful without the help of others. I still vividly remember the first help I got from reaching out to a vendor, very early in my career. It was an eye-opener.

- Angela, I wholeheartedly agree. My journey started out as I was the only security person at my company, where I would threaten my company that if we didn't buy this tool, or buy this silver bullet item, we wouldn't pass an audit. But what ended up happening was my rapid learning curve occurred once I started joining organizations, and I worked on my professional network. And what I see currently is that the most rapid growth in many security practices happens when they start sharing what went right, but also what went wrong. I lead the emerging technology group for ISSA International, and our charter is to explore, document, and distribute information to the security community. We wanna do that so that we can illuminate leading edge, and effective security practices and controls. I welcome you to join this expedition that we're going on, or find other like-minded groups that are readily available to join.

- There are so many options, sometimes too many options. Back to our earlier takeaway, maybe keep some, throw others out, make our own new groups. Security is such a great community, and supports reaching out. We just have to be willing to give, as well as to take along the way, and be prepared for the fact that the answer will sometimes be no, and that's okay too. Back to our community. There's a concept called community resilience, where a community works together with creativity and flexibility to solve problems. This sounds just like us, reaching out to drive greater resilience overall. Well, we've certainly reached out to each other today. Thanks, Jimmy. Any final thoughts?

- I've had such an amazing experience that I know that Angela and I will be continuing this conversation offline. I encourage you to reach out to me with any questions, or anything, because for us working together, we can make security better. Personally, I'm excited about the current and future generation of visionary security leaders that are driving the industry with their amazing ideas. The technology community has shown amazing resilience in these trying times. We hope that all of you are as optimistic as Angela and I, because together we've looked at these hard truths, and taken actions to make things better. We understand that shared accountability, increased diversity, as well as embracing innovative, scientifically effective techniques will allow us together to impact amazing progress and change within our industry. However, the ultimate lesson that I want you to take home with this is that we need each other now, more than ever, in these exciting times.

- To wrap things up, there are three takeaways from today. How do we become more resilient? We've got to zoom out, throw out, and reach out. To zoom out, try a wide angle lens for viewing risks and the spectrum of impact. Throw out those old ways of doing things, and reach out. We're more resilient and better at security when we leverage our relationships and collective knowledge. Jimmy, it was a real pleasure working through these truths with you. Thanks everyone for joining us, and to moving forward and being more resilient together. Please stay safe, and enjoy the rest of the conference.

- Hi, Mom.

Jimmy Sanders
Information Security, Netflix DVD

Angela Weinman
Head of Global Governance, Risk, and Compliance, VMware
