Cybereason CISO Interview Series: Taking acceptable risk for acceptable return

A CISO’s job duties don’t include serving as Dr. No and stifling innovation. Security leaders need to highlight the risk in each situation and provide colleagues with enough information to choose the right risk. After all, businesses exist to take acceptable risk for acceptable return. That advice comes from Sam Curry, a three-time CISO who’s now Cybereason’s Chief Product Officer. In this interview, Curry, whose career has also included stints as a CTO, talks about why security leaders need empathy and why you shouldn’t expect to follow a formal path to a security career.

Where did you start your career and how did you end up in security?

I began my career in cryptography and in doc writing and QA of engineering, originally for two startups. Aside from government work, there were two startups. In 1999, early 2000 I went to Network Associates and then McAfee because it was a subsidiary. I was the Chief Security Architect for Network Associates.

Network Associates was the parent company. It had four divisions in those days, including McAfee. When McAfee spun out as an independent entity, that's when I ran product management.

I obviously did some security prior to it being a career because I went back to college. I originally studied physics and math and did cryptography, but then I went back to school and did an English degree with a minor in philosophy. I have two bachelor's in effect. I went out right away, '96, started back in security as a career at that point.

I actually wanted to go into biomedical, but I had skills in writing and programming and some basic security skills. It kind of made sense to follow the path of most value. That meant that my career sort of got set for the next 21 years.

Is there one path to becoming a security leader or are there many different routes a person can take?

There's this myth that we should have our future planned out. Most of the narratives we tell about ourselves and our career are post facto justifications or rationalizations. The world's far more random than we think. If you really want to do something, you'll find a way. It doesn't matter what setbacks you have. You can do it.

We're all supposed to have the perfect plan, and then follow the perfect plan, which is really boring. Life is very random. It will throw things your way, and you adapt. I'll say product management first, which has been a big part of my career, there's no training for it in college. If there is, it's a course or two.

People come from different walks of life and happen to be renaissance people, and that's how they do it. The same is true of security. You can take a formal path, but most of them don't have much respect. They're too theoretical. You will probably get to this because you like to play and break things and understand how things work.

If you're the sort of person who got a bicycle and tried to take the wheel off and play with the chain, you're probably going to do that when you get to the IT world. In my case, I've just always had a talent for security. As with any talent, if you feed it, it will grow. No, there's no formula for it.

Is there a security mindset that a person needs?

You need to have either a trained or natural sense of empathy. The security mindset is one of understanding what it's like to walk in the shoes of another people. The other people you've got to do that for aren't just customers, as with most businesses. You've also got to be able to say I know what it's like for that hacker. Close your eyes if you have to, watch Mr. Robot. Get the firsthand experience. Live it yourself or see it and be able to say if “I'm in those shoes, and I'm trying not to get caught and I'm looking for the seam and I'm the ghost in the machine, how do I get there?”

The other personality is if I'm the person who has to stop that, what is my life really like? Most of us have this baseline that we like to get to where we're comfortable. I think the only other criteria aside from empathy is that you have to be willing to be uncomfortable. Everybody's afraid of change. Anyone who says they aren't is lying. 

Is there a way to make people in security more comfortable with change?

People have an emotional reaction to change because it immediately instills a what-does-this-mean response. A fight or flight instinct can take place. Change, no matter how small and no matter how small the emotional reaction, always engenders it. Fight or flight is a fear thing. It's a should I be here? What does it mean to me? Can I still do the things that I care about? It's an intensely emotional thing.

The answer, I think, is no, but you can become emotionally quite mature. You can develop patience. You can learn to not just say the first thing that comes to mind. Avoid being defensive. Try to take things as feedback, not criticism.

I talk with some of my folks about the difference between what I call world blocks versus personal blocks. World blocks feel like things you can't control. There's this sense that a hurricane is coming. I can't change the path of the hurricane. That's a world block. I can turn it into a personal block that I can deal with. I can get out of the path of the hurricane.

Life will send a lot of world blocks our way. How can you recast them to be personal blocks and cope with those? I think that's a very useful skill to have.

At Cybereason, you talk a lot about balancing risk and reward. Could you expand on that topic?

Businesses exist to take acceptable risk for acceptable return. Once you start to take risk on in exchange for some opportunity and a chance at failure, then you want to start taking the right kinds of risk. IT itself is a risk. You're going to stand up something that is fundamentally breakable. Why? You want to do more transactions with more people for more profit. The purpose of IT is really to connect users, whether they're employees or partners or customers, with some services in a very rapid, efficient, scalable way that will blow away anything we've done before. You want the right people to connect to the right things.

What is security? Down in the middle, you can split it in two. The first half is enabling the good, so making sure that you can access this app and do your work. That is what we traditionally refer to as IAM, identify and access management. How do we make sure that this confidentiality, integrity, availability, or CIA, is there for you to do your job?

The flip side is how do you stop the bad? That is, how do I prevent the wrong people from accessing this or disrupting it or seeing things? That's typically seen as threat management and its derivatives, things like SIEM. I would say that in that bucket there's really two kinds of approaches. One is how do you build the theoretically perfect system with best practices and some cadence and some operational cadence to it that effectively establishes the wall?

The last part is how do you man the wall? How do you look for the human being that's trying to find the ways over and under and around it? Those bad guys, the ones who find those seams to go in, they're constantly at it. They're the most dangerous source of risk, the most adaptable one, and the hardest to stop.                              

The job from a security perspective is we can enable good with some long-term projects, we can set up some good hygiene, and we can try to set some processes that fundamentally are disruptive. They're always going to be looking for the thing that we missed. They're always going to be moving things around or embracing change to some degree.

As a CISO, how do you balance keeping the company secure with allowing the business to innovate?

The business wants to innovate in terms of new services and new ways to roll out more transactions for more people for more profit. Your job is not to be Dr. No. You job is to, in fact, provide boundaries. Another analogy is the brakes on a car are not to stop the car but to go fast. If you do your job well, you can actually be seen as a source to embrace new things.

I'll give you an example. When I was at MicroStrategy, I'd been there for a month. Somebody was asking about moving to Amazon. I said here are the risks with moving from a private cloud to a public cloud. An email went out that said Sam Curry says we can't move to Amazon. I said “No. That is not, in fact, what I did. There are risks in every step you take. I didn't say it was better or worse risk. I want you to look at the risks and accept it.”

My job is to highlight them so that you can choose the right risk, and then you can embrace it. If there are risks that you can't take, let's put compensating controls in place. Let's make sure that the customers understand what those risks are. Suddenly a light bulb went on. It wasn't a do we do it or are you on board or not. It was a how do we do it and why do we do it? What's the risk compensation?

I'd say at the C-suite level, fundamentally that means the core of the business, there are six things that people care about; revenue, cost, risk, employee efficiency, customer satisfaction and then a big bucket of strategic things. Do you have a growth strategy? Do you have some big thing you want to do like an acquisition?

If you ever find yourself in the elevator with a C-level person, you've got to talk about those six things. Don't talk about anything else except things those six things. Why do I care? The seat at the table for the CISO is I am the risk person. It may impact others, but I'm the risk person, and I can't just be seen as a special IT risk. I'm risk just like legal, finance, operations, other forms of risk. That's my right to be at the table.

When that's really understood, the rest of the company flips around and says I can focus on the other five. I can innovate to achieve those. You can also do innovation yourself. It's that balance that really has to be understood. The biggest problem CISOs have right now in bridging the gap is where's my seat at the table. How do I stay both the security person and become a business person? This is a problem CIOs had 15 years ago, and they've solved it. It's the CISOs turn now.

How do the CISOs bridge that gap?

Poorly. We are in a discipline that has a lot of esoteric detailed knowledge that isn't accessible to everybody. You only get it by living and doing it. You've got to maintain it for street credit. At the same time, you'll be seen as a hobbyist if that's your focus.

You've kind of got to learn a lot like people who are bilingual. There's a way I talk to one group of people. There's another way I talk to another group of people.

Frankly, it's going to be easier to have the security department re-gear itself from a triage perspective and become more business oriented than it's going to be to expect the vast majority of the company to care about security languages that they're only going to encounter once a quarter max. I think you have to be able to be both a security person and a business person in one body. If that's not for you, pick a side of the line to live on and go do the business side.

Some companies do. They put people through rotations and they get opportunities to do other things or really get good at the discipline. CISO isn't the ultimate goal in every security department. It's not just climbing the greasy pole or climbing the ladder for the sake of climbing the ladder. There are many other options for fulfilling careers in security. Most of them have a business context now, though.

How do you stay calm under pressure?

It's hard sometimes when you look too calm and other people panic. That's where that empathy comes in. There have been times in my career where we had a breach of a security incident and I thought this is it. Not only is my company done, but my career could be done.

You don't think there's an exit. You don't think there's some recovery. In that moment you're going to ask yourself, I believe, what's the right thing to do? If you don't, this is not the job for you. It strengthens you. You do come out stronger.

Early in my run at the CISO part of my career, I had a horrendous incident that happened. We thought the company was going to close. We thought we were dead. We said what's the right thing to do for the customers and the shareholders? We bravely went public and in those days, there wasn't even regulation about how to do that. We did this because it was the right thing to do.

Later when I ran into lesser challenges, lesser breaches, lesser incidents, it's still serious. It still compromises customer data, but there was no question about what to do. I had found my temper in that moment of it's over. Life did come back.

When you're at the bottom of the well and someone starts to talk to you about what it's like walking around outside, you can't imagine it. You've got to inch your way out of the well, and then you can see out and you can start thinking about other things. It took months to get past that, years ultimately to get back to normal. Some of these things are like doomsday scenarios. I hope nobody goes through it, but it does make you stronger.

How do you come back from a breach or catastrophic event?

The first thing is prepare ahead of time. Know who the risk decision making bodies are and formally bring them together. Prepare your crisis and communication strategies. Get everything ready for war, if you will, and you'll do much better in the crunch. Then you have to flip and become expedient, you have to become very director like.

In a crisis, people need clear direction. It's a bad mode to be in all the time. It's a good mode to be in in those situations. Amazing things can be accomplished. I think the hardest thing to do is you can't be ready for the moment of crisis. I imagine it's a lot like what being in a combat zone versus training. It is the crux of what we do. When those moments happen, we have to respond well. Make the best decisions you can. Make sure you're prepared to make decisions to take actions, and then play it out.

Afterwards, you must be able to do a postmortem. You must be able to go back and say what really happened and didn't happen and look at hard truths and make corrections based on that and be able to leave the ego at the door. It's a lot like doing retrospectives, or code reviews or architectural reviews. You have to get better at the practice of security, and the place you're going to learn that is very often under fire.

Do companies have a reason to be optimistic about the future of information security?

If they're sitting around waiting for information security to just solve itself, no. It's like saying am I optimistic about health, but I'm not willing to go run a race or train or eat healthy. At the end of the day, security is a thing you have to be able to do as a process. It's almost like a lifestyle. There's no one recommendable security solution that you can do and just forget about it.

I was asked by a reporter once when will we finally solve the security problem? I said when will we solve world hunger? When will we finally solve cancer? When we will finally solve world peace? These are noble goals we all have to pursue, but we also have to be realistic and realize that it's not going to happen by itself.

There's no pill for health. Just take this and you'll be good and you'll live forever. It's kind of a naive, childish dream. Our idealism still makes us aim for it. The journey is very important. I would say that yes, there's reasons to be optimistic, but there's a lot we can do. We can make things resilient. We can make them anti-fragile. We can make things recoverable. We can make the cost to break things very high. We can get very good on the cyber side at finding the bad guys.

I would not be pessimistic unless you're sitting on your heels waiting for the one new recommendable device. Build a practice, make it about risk, make it about business risk and work at getting better at it. It's like training for anything. Innovation comes from conflict. It comes from pain. Don't turn away from it and don't avoid change.

Frankly, try to solve of these huge things even if you know you're not going to solve them. You've got to start working away at it. Incremental improvement is vital. That is probably bigger than the more important, breathtaking breakthroughs that the industry touts and screams about.