Implementing common security practices isn’t enough to protect your organization. You need to understand what your business does and develop security practices that are tailored to your company’s unique requirements, said Jonathan Kamens, CISO of Boston financial tech startup Quantopian. In this interview, Kamens also talks about how IT experience (he was previously the company’s vice president of operations) prepared him for the role of CISO. And be sure to read part one of his interview.
How does having an IT background prepare you for the role of the CISO?
At Quantopian, we're too small for me to be a middle manager. I'm not just making recommendations and decisions about what we need security-wise; I'm helping to build it and to maintain it.
My IT experience plays right into that. If we decide we're going to deploy product X, Y or Z to help with our security posture, I can do that. I can be the one who downloads the software, and installs it, deploys it or plugs the box into the rack. Where we are as a company right now, that's important. I have high hopes that Quantopian is going to get much bigger and that eventually, I will have a team of people working for me doing that stuff, as opposed to the one guy I have working for me now. Then I will not be doing as much hands-on work. I will be doing more management and decision making and being a bit of a visionary instead of standing at my keyboard typing commands into a shell. Without that IT background, I wouldn't be able to understand what technologies we need, and I wouldn't be able to build them.
Do you think CISOs or security executives with IT backgrounds approach security differently from those who have strict security backgrounds?
I think it's a false dichotomy. I think IT and security are inextricably linked. Good IT people understand that security is part of their job just like good software engineers understand that it's their responsibility to pay attention to security when they're designing and implementing their code.
If you've got an IT department that thinks it's not their job to worry about security, or it's not their job to understand security, then that's not a good IT department. Do we approach it differently? As someone who came from a strong engineering background, I tend to focus more on security technology than on the soft aspects of security, like managing people to practice security better. That’s one difference, but I'm not saying that's necessarily a good thing. I'm saying that's just my particular focus.
Our chief compliance officer has been a great help with the people management aspects of security because he came from a hedge fund that had a cyber-security policy. For example, as a result of a recommendation he made, we do periodic phishing tests. We send out emails to see if people will click on things. We do education with our employees about good practices, and it's been a great help to have him and me work as a team where I can focus primarily on technological aspects of security and he can focus primarily on the people management aspects. I still have to do some people management, and certainly I'll do more of that over time, but he's helped me ramp up.
Quantopian CISO Jonathan Kamens
How do you convey to others at Quantopian that information security doesn’t mean stifling innovation?
We have a security culture at Quantopian where everyone understands that if our application and our business practices were not sufficiently secure, we would not succeed as a company.
If you’re a new CISO and security isn't already taken seriously by your superiors from the CEO down, if there isn't a security culture, then that's probably not going to change. And you're going to spend a lot of your time fighting for resources and buy-in rather than fighting the bad guys.
My advice to anyone in that role would be to seriously consider if that's what you want to do. Rarely do companies without a security culture, especially once they're big companies, change their culture. It's very, very hard to be successful in an environment where there isn't an understanding of the need for security throughout the organization.
Does being a successful CISO also mean understanding the needs of your business?
Absolutely. Every business has unique security needs. There are certainly a lot of common security practices that make sense anywhere. If that's all you do, then you haven't really done enough to secure your business. You have to understand specifically what your business does and what's unique about it.
As an example, we're in fintech. Within the next few months, we intend to register as an investment advisor with the SEC. At that point, there are additional security best practices that we want to implement. I clearly need to understand those, which means understanding what our business is in order to be able to implement them properly.
The other reason why it's important to understand the business is you need to be able to make the case, not just for security in general, but also for the specific security precautions and protocols that you think are necessary to ensure your company's information security. You can't do that if you don't understand the business. You can't make a convincing case to the CEO or the CFO or the CIO or whoever about why you're recommending that we do X, Y and Z if you can't link that to the business and why what you're recommending is going to be right for the business.
How do you explain technical topics to people who lack a technical background?
The best strategy, I think, for educating non-technical people about security is not to reinvent the wheel. For any aspect of security, somebody has already done the work and created appropriate, accessible content. For example, you should never need to start from scratch if you're explaining any of the 20 critical security controls to somebody because there are oodles of people who have already done that work. They have non-technical explanations and diagrams with circles and arrows that you can put into PowerPoint slides. Google is your friend. Go out, find what's out there and use it. Don't try to rewrite everything yourself.
At Quantopian, the challenge is actually the opposite. It's how do I keep our extremely technically oriented staff engaged when I need to educate them about non-technical aspects of security? A good example of that is that we use videos produced by a third-party vendor to educate people about phishing, and quite a few of our people find those videos to be very basic and much too slow for them. The challenge for me is how do I educate these technical people and keep them interested when I'm trying to teach them what they need to know for security.
Check back next week for our final interview with Jonathan Kamens. He'll talk about the mindset that's needed to succeed as a security leader and balancing what's needed for security versus what's done for optics.
The Cybereason series Stories from the Front Lines of Security Leadership presents insights from CISOs, security leaders and IT executives on topics including what’s required to succeed as a security executive, how to convey the importance of security to an organization and how security leaders can advance their careers. Do you know a security executive who has great insights and would like to talk with us for this series? Email us at email@example.com.