Cybereason CISO Interview Series: Show the risks and how you’re addressing them

Security leaders shouldn’t shy away from using public information on enterprise breaches and hacks to help C-level executives and board members better understand why information security matters.

“As a security executive, you have to make the jump from technology to business. You have to present things from a financial point of view,” said Luis Torres, director of information security at RhythmOne, a digital advertising technology company.

But that doesn’t mean spreading fear, he added.

“It’s important to say that the risk exists. Unfortunately, these security incidents happen,” said Torres, who joined RhythmOne after it acquired Perk, a startup that developed a rewards program for mobile devices, where he served as vice president of information technology and security.

Equally important is telling the board and other leaders what measures the information security department is implementing to prevent those incidents from happening at their company, he said.

While people who work in security and technology aren’t known for their strong communication skills, Torres emphasized that finding common ground and engaging with other employees only helps an enterprise’s overall security.

“The reality is that you don’t work by yourself. You work with other departments. You have to find a way to interact in a professional way and in a way that’s efficient and helps the company,” he said.

You helped build Perk from the ground up. How did the company’s information security needs change as it grew?

Two things influenced Perk’s security changes. One was the company’s growth. We kept getting more users, so we had a bigger presence online. Just from the nature of what Perk does, it attracts a lot of fraud. It’s a rewards program and you can get some monetary prizes and there are some monetary incentives. As the company got more popular, we started getting more fraud attempts, more creative types of fraud and more complex fraud schemes. We also started getting more hacking attempts. We definitely had to evolve our security strategies and pay more attention to security based on what we were doing.

The other thing that made a difference was the few acquisitions Perk made in 2015. Once you start getting into mergers and acquisitions, things changed a lot because you’re doing due diligence on other companies, or some other companies are doing due diligence on you. You need to go from the startup mindset of let’s develop a service and build a product as soon as we can and as often as we can to a mindset where you have to consider more formal business practices. There’s more documentation and more formal plans of action. All that contributed to helping our team evolve from a security standpoint.

Also, in 2015, Perk introduced a product that’s related to financial services. It’s a debit card that you can load directly from the rewards program, and that required PCI certifications. That really changed how we did things, and again, we went with more formal processes with more documentation. And the company went public that year so you’re getting into financial, legal and operational regulations. You realize that you’re at a different level and need to mature your processes and practices. The risks are different and the requirements, both legal and operational, are different.

How did you get the acquired companies on the same information security page as Perk?

You need to look at what’s already there, and you need to try to get to a set of practices that work for everybody. Each business unit can have their own specific requirements, but everybody needs to have a general base in common. You need to think of what are the best security practices from each business unit, and try to implement them at the corporate level and ensure that they’re being applied in all business units. You need to collaborate with people so they don’t feel like the new guys in town are imposing their rules.

Security is a shared responsibility, or it’s something that requires a lot of teamwork. Each department, each business unit has their own attack vectors and risk profile. You have to work with everybody, you have to communicate and be humble when you’re trying to set up a process or implement something that’s going to help everybody ultimately.

You began your career in IT, took on security responsibilities at Perk and security is now the focus of your current role. Why did you decide to get into information security?

I’ve been in technology for a little over 20 years now. It’s mostly been in positions where I’m the main person responsible for the operation of all systems. Therefore, security has been always in my mind and it’s been something I always had to consider due to how a security incident can be very disruptive to normal operations. I’m the kind of person that needs to keep learning new things and security is an area where new things are coming out all the time. There are new systems, there are new programming languages, there are new vulnerabilities. Each new thing that comes out has its own security risks and characteristics that make it unique.

Working in startups forces you to divide your time between different areas of the business if you’re up to the challenge. I’ve spent time doing coding, database administration, systems administration, fraud detection, project management, compliance, security, IT and pretty much a little bit of everything. A few years ago, I started gravitating towards security mostly due to the requirements of the business environment I was operating in. It’s a fact that companies that have a larger online presence have a higher risk of being attacked. In the last few years security is something that businesses have been paying more attention to because it’s become critical. So it made sense to fully dedicate my time to it instead of being directly involved with the entire operation.

How do you balance innovation and security, especially going back to Perk’s startup days?

It’s always important to find a common ground on everything. There are definitely ways to find that with product departments, and I think one of the main things is communication. Communication is key, and that can be difficult in this industry. A lot of people in technology are not really what you’d call a people person.

The reality is that you don’t work by yourself. You work with other departments. You work with other personalities, and you have to find a way to interact in a professional way and in a way that’s efficient and helps the company.

It’s also important to involve yourself early in the [product development] process and to let the product departments know that as soon as there’s talk about a new project, security should be involved. Any architecture or designs that are made can be reviewed by the security team early on, and the proper security measures can be in place. Again, there’s going to have to be some common ground and compromise. You can start with the basics, and as you progress, you can implement some other solutions that are going to give you better security all around.

How can security departments show ROI?

It’s hard to quantify the impact of security. In a way it depends on what side of the table you are on. If you’ve already been breached, then you’ll have data regarding financial impact. If you haven’t, there have been many security incidents in the news and plenty of financial information has been published. Real world examples of financial impact are something that everybody in security can use to support their initiatives.

If we go back, let’s say, 10 years, it was harder to prove a security breach or a data leak could happen, and it would have a financial, legal or PR impact. Now it’s really clear; executives see it and board members see it. That’s a big selling point for security departments. The data is out there and you can present it in a way that’s relevant to have a better impact versus just arguing you can get hacked. At the end of the day no business wants to be next in the long line of security breaches. Nobody wants the bad PR and negative business impact.

Can you offer any advice on how security executives should talk to the board about security?

It’s really important to take advantage of the data that’s already out there. You’re working for a business. The business needs resources like money and revenue to keep operating. As a security executive, you have to make the jump from technology to business. You have to present things from a financial point of view, from a legal point of view. That really helps people visualize things. That’s going to have a much bigger impact than just arguing for a certain technology or saying, “We should proceed this way because it’s best practices.”

There’s a lot of public information about hacks and there are some big PR disasters out there because of security incidents. It’s appropriate to point those out and make the connection between professional and personal life. It doesn’t matter what level you are professionally. Everybody has a personal life at the end of the day. If we apply a risk to our personal situation, it’s really helpful to make that connection and say, “Just like you don’t want somebody getting into your bank account and stealing money, we don’t want any intruders in our network. They access resources and move laterally to other assets and create issues that have a financial impact.”

How do you inform the board and executives about risk without spreading fear, uncertainty and doubt?

It’s important to let them know the risk exists. Unfortunately, it’s something that happens and it’s out there. But it’s also important to let them know something is being done about it. They should know there are measures in place to prevent some of that and there are also plans being developed and implemented to further address potential problems. It’s also important to express how the work is not just being done from a technical perspective but there are also other factors involved like training. It’s beneficial to point out how culture is being created all across the company so anybody can ring the alarm in case they see anything out of the ordinary.

How can security and IT professionals better connect with their colleagues?

I think it’s important to adapt your language to your audience. Early in my career I was a college professor, and that made me understand you have to adapt to the type of people you’re communicating with. To me that’s a good starting point. It’s also important to customize the information you’re going to provide to each different group you’re working with because not all of us care about the same things, and not all of us work with the same terminologies. We also might have different priorities. I think it’s really important to be mindful of who we’re talking with, what their motivations are, and try to see things from their point of view. That way you can try to find a better way of communicating with them and to express things in a way they’re going to feel more familiar with. That’s going to give your message a bigger impact.

Describe your ideal security awareness training program.

The most important item is personalization. A training program has to be targeted and customized for different groups based on their user or risk profile. You cannot have the same security awareness training session with, let’s say, executives than with people in your marketing department. HR has their own risk and attack vectors while the legal department has a different profile and might need to worry about other threats.

While there’ll be a common base for an awareness training program, it’s important to customize not only content but also tone and outcome. The legal department is going to be more concerned about legal implications for a security breach while Finance will probably be more concerned about numbers. You just have to adapt things to each one of the groups, and communicate it in a way that’s relevant to them.

What should security executives know about working with their colleagues in finance?

In terms of talks about budgets and allocating resources for security, it goes back to making sure you can communicate the impact of not taking action and not being proactive. Reinforce your points with visual aids, relevant numbers, relevant data, examples, and reinforce the idea that, if the company doesn’t invest in security there could be different complications down the road. Make them realize the impact could be operational, financial, or maybe even legal. By explaining the different possibilities, you have a better chance of getting your message across.

What else do security leaders need to know to be successful?

Having been involved in a lot of mergers and acquisitions, it’s important for security and engineering people to realize that, at the end of the day, they need to work together. There are a lot of small companies without a dedicated security group and security and engineering are going to have to share knowledge.

If there’s an existing security group in one of the companies involved in the merger then they have to be really careful in how they communicate with their peers, engineers and product managers. You have to make them feel like you have a common goal and that you are there to help. Again, communication is often not a strong suit for technologists and being humble is something that can get difficult. It’s important to cultivate good relationships. Instead of making it seem like you’re trying to impose things, make people feel that you’re an ally and that you are there to help. If you do, people will be more open to collaboration and what’s most important is that people are open to contributing.

Something that I see a lot when speaking with people from an acquired company is that a lot of people are really closed up. They don’t offer information. A lot of knowledge gets lost in a merger and you don’t want that. By trying to forge a good relationship, there’s a better chance that you can work together, and you can use the knowledge that people already have. People know their company and systems and environment. They probably have an idea of their attack vectors, and that’s something really valuable that the new company should take advantage of.

[Institutional knowledge] can help the entire company grow.

Besides communication, what other soft skills do security leaders need to succeed?

Being good at planning and prioritizing. Presentation skills are really important. Like I said, I do a lot of training and in some cases, there are people who don’t have experience with presenting. In those cases, it gets difficult to explain concepts or get people to pay attention. Also, security executives need good negotiation skills because you’re going to have to try to sell your security program. Not just to the people who provide you with a budget but to the company as a whole.

And security should be a company-wide thing. That’s more cultural, and not just something that’s applied to products and services. That means you have to influence people. They realize that having good security practices is not just for systems and servers and databases, but also for workstations, mobile devices, documents on their desks, who they open the office door for. Make them an active part of your security program to make them really care about the outcome.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.