Cybereason CISO Interview Series: The case for an independent security department

Having information security initially fall under the purview of a CIO is a logical place to start. After all, a company is more likely to hire IT professionals whose duties include security than a dedicated security team. But at some point, information security needs to become an independent department, said Laura Louthan, who’s held information security leadership positions at Equifax, Bank of America and Sephora.

In this interview, Louthan, who recently started an information security consulting company focused on SMBs, also talks about why security is more than nation-state attacks launched by North Korea and why she pursued a career in security instead of IT.

How did you get into an IT security career? It may not seem like the natural career path for someone who has a biochemistry degree from Oxford.

Despite having a biochemistry degree from Oxford, nobody wanted to give me a job, so I did a lot of temping. I answered a lot of phones. I typed a lot of letters. But I was a terrible assistant.

I ended up getting into IT when I was working at a sales company. When the sales people’s laptops were broken, they just threw them on my desk and disappeared. I had way more fun talking to the IT guy at the help desk about IP addresses and routing than I did dealing with sales paperwork. Quickly I just became much more of a technical person, and it wasn’t very long before I was building my own PCs and hacking my TiVo.

Then I got a job where I was the office manager and they then made me the network manager, so as of about probably ’96 I was a full-time IT person. I was lucky enough to then work at MBNA, a huge credit card company, before it was bought by Bank of America. At one point, I was working as an operational IT person on security policies, which was really my first dive into information security. You’ve got to involve IT in the security policies as in most cases they’re the ones putting things in place. You can put things on a policy that aren’t in place yet but should be, but you can’t put things on there that just don’t make sense in the organization and are completely aspirational. It was a valuable experience to go into what a good security policy should look like and working with a mix of teams to achieve that shared goal.

The next role I got was director of IT at a pretty big nonprofit, also in the credit arena, and security was one of the responsibilities that came along with that position. By the time I left that role, nearly 5 years later, I had convinced them they needed to hire a full-time security person, who was hired from Equifax, and I then went to Equifax. From that time on I’ve been doing nothing but security – about six years now.

Why did you decide to pursue the security path? Why not just stay in IT?

There’s something interesting about security in that, if you’re going to do it right you must really work with the business. The business knows they have to have technology, right? For example, if they want to sell something online, they’re going to have to put up a website. With security, they know that they should have it, but they don’t really want it. You have to work to convince them of the need. You can’t just be the faceless info sec person saying no.

I personally feel like info sec can be a bit more of an intellectual opportunity than IT, though I’m not trying to demean IT in any way as I did it for years and loved it. I was just getting to the point to where my life involved things like processor speeds and hard drives and how many things I could fit in a rack. It just wasn’t as interesting to me anymore. The strategic pieces were interesting, though. I remember when a tornado came down the middle of downtown Atlanta, which is not supposed to happen. It was a Friday night, and there were still people in the call center. This tornado came right down the middle of downtown and hit a number of buildings, including ours, though we were incredibly lucky. The power stayed on so our 24/7 call center kept going. As a result, our three-year strategic plan was compressed into six months, which included moving everything to a data center and removing the legacy hub and spoke network topology. I loved working under pressure and making things happen quickly.

Generally speaking, security deals with scary things that could happen and working in that position involves trying to avoid them from happening. We’re going to talk about risk. We’re not going to talk about something tangible that you can measure clearly in many cases, such as with IT infrastructure capacity planning. We’re going to talk about these intangible things, and it’s a little bit harder. I find that fascinating. 

Why don’t people understand security?

You have to assume that your average business person is not directly involved with the security team and hopes never to be involved with the security team. Maybe they worked in the past with the faceless info sec people who everybody hated, or it’s just not part of their role and it only becomes part of their role when something bad happens. It’s a little bit like the emergency room doctor. You’re glad they’re there, but you never want to see them.

Then what they see on the news is that nation-state A attacked enterprise B. They think “That wouldn’t happen to me. A nation-state doesn’t want what I have” and they may be right. If you do have something a nation-state wants, you probably have a large security team already and they’ve been around for a long time and everyone at that organization gets it.

When you’re dealing with smaller companies, it just doesn’t seem real. However, the reality is that there’s an awful lot of people trying to get an awful lot of other people to do things they don’t want to, or shouldn’t do, or that will be bad for them. I have a friend who sells horses. She sold a horse, and someone hacked the customer’s e-mail and redirected the wire somewhere else. That was a ton of money that disappeared for an individual that would never get reported. She said, “Now I get what you do. I’ve never understood it before.”

Information security is just not something that people easily understand on a broad level. Everyone understands they’re supposed to have passwords, although good passwords are now becoming pointless. In the business, the security industry is looked at as a line item expense. Executives say, “Well, why is their stuff so expensive, and where is my return on investment?” In many cases, you can’t clearly outline a return on investment against a theoretically bad thing happening; it’s like insurance.

The Target breach supports your point about security applying to every company. Using an HVAC vendor to attack Target didn’t seem like an obvious route.

I started my company to work with the smaller businesses. They don’t need a SOC monitoring every single alert, not at the beginning at least. They just need to get themselves off the easy-to-attack list by building up resilience and their ability to protect themselves. However, sometimes they don’t know what those things are.

Things like third-party risk management are huge. The minute you give someone access to your networks or a credential on your system, you’ve lost a significant amount of control. The quandary is you can give them no access, and things won’t work, or you can give them access, and put your systems at risk. My job is to help them balance and mitigate that risk.

I tend to go on and on about risk mitigation, but that’s what it boils down to. You’re never going to get rid of it entirely other than having things in a locked room with no network connection, which is one option, but let’s face it, that will never happen. Even then, the HVAC guy has got to get in there at some point.

How can security leaders balance risk and innovation?

The main thing is you need to be extremely collaborative. If you’re always saying no, then they’re going to stop asking you. There needs to be a balance. You need to say “yes, but let’s change this, so this reduces some of the risk” or “Let’s not do this method, but let’s do this instead.” You need to be able to turn around security reviews of what they want to do quickly, and you can’t then move the goalposts.

I recently worked in a highly innovative company, and during my nearly three years there I only said no to one thing. I said, “This is just a really bad idea,” and it ended up being fine. It was a vendor bake-off, and they went with the other vendor for multiple reasons, including mine. You lead the way. If the vendor or partner can’t meet any of the security requirements, they’re probably not meeting some of the functional ones either. For me, working with IT was about collaborating and saying we can do this.

What soft skills can help security executives collaborate better?

There was a great book that my previous CTO gave his team. It was called 12 Soft Skills of Being an Architect, and it could have been the 12 soft skills for being anything in IT. It talked about building political capital and not burning it, communicating well, transparency and so on. Security people, historically, haven’t had a great reputation. I think that’s changing. When I think of the security people I had worked with as an IT person in the distant past, they just were so inflexible. You should be recognized as part of the team that’s moving forward and not the Department of No.

I had a great CISO at Equifax. Working at Equifax, we had your data, my data, Beyoncé’s data, we had everyone’s data. In one of our town halls, he asked, “What is our role at Equifax?” Someone answered “To protect the data” and the CISO said, “No. Our job is to enable the business.”

That’s critical. You need to be seen as a business enabler. That means being innovative, being flexible, being quick. You’ve got to be agile and supportive of endeavors, even if you think they’re a bit pointless. If a marketing person says we want to do this, I might sit and mentally roll my eyes a little bit. But ultimately my job is to enable them to move forward in the way they want to without letting them fail on the security risk. Enabling the business has always been a really big driver for me in my job.

Security and marketing departments can disagree on tactics sometimes.

It’s like this makes no sense to me, but let’s go through with it. If people don’t see you as a blocker, they’re going to engage you much earlier on, and that used to happen to me. Co-workers have said “we’re going to do a security review for this in the next couple of weeks, but we want to give you a preview so that we can see if there’s anything we need to tweak so that we can get the thumbs up.” They really were engaging with me early on and considered me as part of the process, and not as someone who was going to be negative.

Do you think that most security executives understand that they have to enable the business and not serve as a roadblock?

Most of the ones that I’ve been talking to recently seem to and I don’t think they’d last in their role if they weren’t helpful with the business. Although the problem is, of course, there aren’t enough security people to hire, so if you’re going to get rid of the one you have, you’re going to be put in a tough spot.

I think it’s the best way to succeed and, also, the best way not to be miserable. You’re going to enjoy your work much more if you’re collaborating and feeling like you’re part of the bigger picture. If you feel like you’re there to be a traffic cop, you aren’t going to be a leader at that point. You’re going to be a doer, and you’re going to be buffered by your manager, who is the buffer between you and anybody else. A lot of security people and IT engineers aren’t great people personalities. They may do an excellent job, but they really don’t play well with others. They’re not going to succeed as leaders, ultimately, but there are always jobs for great engineers.

Also, as a leader talking to other people in the C-suite or anywhere in the business, throwing a bunch of technology terms at them is not helpful. Give them information in a way they can consume it. Start explaining it to them in ways they can understand because it’s going to make things more efficient for moving the needle in the right direction.

Angel Cybersecurity, the company you founded, is focused on helping SMBs. What unique info sec challenges do SMBs face?

Some of their challenges can be around budget. If you’re a smaller company you’re possibly going to have less flexibility in your budget. For the most part, a security hire isn’t going to be the first hire; you need IT people, you need marketing, HR and so on. Having a full-time security person can be expensive and may not really be necessary. You may want to have someone that’s directing the efforts of an engineer type of person a little bit more strategically. You may need somebody that you can put in front of a board or customers, but you may not need any of that full-time, hence the “virtual CISO” role which is a reasonably new concept.

You need someone who can help be the voice of reason and the voice of the company with respect to security, and that, for a small company, can be hard to get to. You’re just simply not going to have a CISO very early on unless you’re a security company or unless you’re in a regulated industry, like financial services.

What can SMBs learn from enterprises when it comes to security?

When you get to be a large organization, you’re going to have some formality around process, more in the way of governance. You’re going to have consistency. I think that helps with security because if you have those things, you have more of a known environment that you’re working in, which means that also you can protect in a more predictable way. You can identify anomalies a little bit more easily. If you’re a small organization and everyone’s brought their own laptop how do you know which one is going to cause the problem?

Just acting like a big company and trying to make everything consistent, that’s very helpful for small businesses and ultimately will be more efficient from a functional, IT support standpoint.

What can enterprises learn from SMBs about information security?

I think that they need to understand that security can be a little bit less predictable on what is the next problem. We all know on a broad basis that malware is a problem and it’s changing all the time, so there’s a need to react a little faster. Sometimes bureaucracy can get in the way of the ability to change. Larger organizations that can pivot quickly, whether that’s just because there’s less bureaucracy or because they’re built that way, can get more things done in a short period of time.

Are there any common business roadblocks that prevent security practices from being implemented?

One is cost because the people and the tools cost a lot, and the other one is resources. Let’s say 90 percent of your security project work is going to be done in IT. If you can put technological controls in place it’s much more efficient than just asking people not to do something. So, you’re asking IT teams that are very busy to put everything down and to do something else and that can become hard. If they’ve got commitments to do a project for the business and then you say “I need 10 percent of your time to patch all of the servers,” they have to balance that time and it’s not easy.

For other security leaders who are considering starting a consulting firm what advice would you offer them?

Do it. An important thing when going out on your own is how you are going to get clients, obviously, but also figuring out “What is my strength? What is the thing that I would do the most in security?” For me, I like to use security basics. I don’t want to get into massively complicated SOC environments and heavy engineering. It’s just not the thing that interests me, because you get much, much further removed from the business at that point. I want to work more with the business, more with the C-suite, more with the non-security people. For others, it may be the complete opposite. Each person needs to figure out what it is that they think they can offer someone and try not to be everything to everybody. That’s unlikely to succeed in the same way.

You’ve held security roles at Hollywood Media, Bank of America, Equifax and Sephora. Based on your experiences at those companies, are there any common traits to what makes a successful security program?

The one that had the largest security program was Equifax and security was on the CEO’s top 10 list every year. To be a successful security program, you’ve got to get support from the top. I know everyone says this, but it’s so critical. If you don’t have the CEO thinking that security matters, you’re not going to get anything from anyone because they’re all going to believe that the info sec team is there just as a token gesture.

How can security executives get that buy-in from the top?

Thank goodness for Target, because the Target CEO and CIO got fired, which woke up the C-suite to understanding why they need to talk to security teams. I’m sad to say that it takes things like people being fired or personally sued to make people say “I don’t want that to be me. I need to take this seriously.” Fine. For whatever reason, they now think security matters and I’ll take it. I don’t care why or how they got there, I’ll take it.

Then you need to meet with them and get them to understand that you’re part of the solution and not part of the problem. Then help them understand where the highest risk is and how you can help mitigate it. You’ve really got to educate them, and you’ve got to do it in a way that is compelling and in a way that they’re going to feel like there’s hope without feeling like they’re ever going to be 100 percent secure, which is a false hope.

Is that hard to sell when you’re talking about risk mitigation instead of 100 percent protection?

They all want me to say we’re going to be 100 percent fine and I will never say that. It is hard for them to understand that it’s just not possible even though they’re throwing so much money on the problem. But having them really understand that you’re there and that you’re doing all this work is going to make them feel better. They need to know that someone is fixing the problem and staying on top of the problem. You’ve got to have periodic meetings with the CEO. Then, however many levels there are between you and the CEO, you must have more frequent meetings with them. Eventually, you become part of the furniture just like everyone else, which is good.

Are there any topics that you would like to bring up?

I’m constantly harping on who security should report to. Initially, security is most likely to report into IT; it has to start somewhere and that’s the logical place because you’re going to have an IT leader sponsoring that role. You’re not necessarily going to bring in someone who’s a CISO from day one, rather you’re going to bring in someone that is a director or an engineer. What’s not logical is when they report to a sub-department under the CIO, like an infrastructure department or a development department. Then everybody thinks security is just around infrastructure or development when it’s part of everything, and ultimately, it’s got to move out of IT to avoid any conflict of interest.

In a previous role I asked during my job interview where the security position was going to report to and I was told the CIO. About six or eight months into the job the guy who interviewed me said “Now I understand why security shouldn’t report to IT.” He was an IT leader, and he got it. If you’ve got CIOs and they’re trying to decide on where to put resources between project A or security project B, picking security project B requires something that’s overwhelmingly convincing.

When does security get spun out?

That’s an interesting question. Is it when the budget gets to be a certain amount? Is it when they’ve encountered a certain number or type of issues? Did it become a problem that they’re not independent? I don’t know. I would imagine that it becomes a logical choice between the leadership team. Eventually, it’s going to grow up to be too big to live under IT, but it doesn’t necessarily happen with everybody.

Do you know a security executive who has great insights and would like to talk with us for this series? Email us at ciso.series@cybereason.com.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.