The belief that a company can win the information security fight assumes that a security team can handle constantly evolving threats from constantly evolving adversaries. This outlook means fighting every threat that's out there, an approach that's unrealistic, said John Knights, a security professional whose career has included serving as information security officer at Wentworth Institute of Technology in Boston. In the second part of his interview with Cybereason, Knights explains why he takes a pragmatic attitude toward defeating adversaries. And don't forget to read the first part of his interview.
What skills are needed for success as a security leader if your background is in IT?
Focus on the soft skills. No one ever teaches that. That’s the important part that a lot of IT folks lack, because the folks who get into IT are usually introverts who usually want to sit in cubicles and code, wear headphones and be in their own world. That doesn’t work in security. You spend a third of your time in your cubicle and the rest of it talking to other people. Especially in a leadership role, in a CISO or ISO role, most of the time you’re trying to understand what people’s jobs are and how to communicate these very complicated things in smaller bite-sized pieces and in ways that they can understand. It’s telling stories rather than just explaining technology.
It’s how to communicate with folks that aren’t just in IT. And that’s tough. It takes time and training. It’s allowing yourself to fail, but to fail forward. Allow yourself to be a little vulnerable and let folks know that you don’t understand their business, so they need to teach you. When you take the arrogance out of an IT person in front of a business unit, they then just want to have you as part of the conversation. When you assume that you know everything about what they do, then people shut off.
You have to allow yourself to be okay with not knowing it all. You know it all on the security side. That job is guaranteed. But you don’t know what they know. So you need to work together - and this is where I’ve seen people get stuck - to understand their job a bit better and the business more holistically.
What advice can you offer people looking to get into security but may not have the ideal background?
Don’t be afraid of pursuing security if you don’t feel like you come from the right background. If there’s a place that says we really want someone that’s been a network administrator for 20 years, then it may not be the right fit if that’s not your background. But there are plenty of other opportunities out there if you really like it. That’s what this field needs: people who really like what they do. If you don’t really like what you do, you’re going to be frustrated from day one. For me, I would have never guessed this is the route I would have taken with security, but it’s the one that worked for me. And not one I could have planned.
The security talent shortage has led companies to grow their own security talent. What are some ways to achieve that goal?
If they have the right attitude, if they’re eager to learn, a lot of the technical aspects can be taught. The soft skills are what you want to focus on. Can they communicate, and if they don’t know the subject, can they say, “I don’t know, but I’m eager to find out”?
We hired an individual who said, “I might not be as strong in security as you might want.” But we started talking about what he was willing to learn and he said, “Anything.” I said “What do you do to actually learn?” He said, “Well, I have a small network at home.”
From that conversation I saw there was an eagerness to learn, and he proved how he was learning. He’s not just saying that he wants to learn. That was key for me in hiring this person. He had the basic technical skills for networking and we could expand on that. It was just tweaking. It’s more of saying, “Let’s do this on the egress and ingress side,” and him saying, “Okay. I didn’t know that. Thanks.” It’s looking for this kind of traffic versus that kind of traffic. He already knew the technology and understood what we were talking about. I’m just guiding him. It depends on the job, but you don’t necessarily have to hire a security person.
Security isn’t a separate field or a separate discipline. It’s just how you do whatever the specific technical discipline is differently. It’s how do you do system administration differently, how do you do network administration differently, how do you do programming differently? Even for managers that you are working with, it’s how do they do project management differently. With every project we want data flow diagrams, we want process control diagrams. It’s something maybe they’ve never thought of before, but it’s important to know where does the data sit, how does it get to the user, how does the user access it?
Are there any infosec issues that keep you up at night?
I guess I’m odd in that way. I don’t let this kind of stuff keep me up at night because letting it keep you up at night implies that you can actually stop something. Yes, you can do better security and you can stop some attacks. But you have an entire Internet you’re fighting at all times. That’s overwhelming. You have to focus on what you can do. Things besides security keep me up at night, things like what’s the attitude going to be on the budget that I’m asking for. You’re never going to win so do the best you can and take things as they come.
Is the attitude of “you’re never going to win” defeatist or pragmatic?
Pragmatic. The only way to truly combat this is to use a pragmatic approach and say, “Look. This is what we’re dealing with. It’s something that we’re never going to win. We just have to do the best we can.” The mentality of you’re going to win this fight means that you’re going to have everything understood, and it’s an assumption that you can tackle an ever-evolving threat and an ever-increasing number of threat actors. To me, that’s just unrealistic. But understanding the highest risk you have and what has the potential to have the most impact and the highest probability for exploiting a vulnerability, that to me is more realistic and easier to tackle. All vulnerabilities are bad. But the vulnerabilities that are out there are not always the ones that people are using. They’re using zero days that they’ve been renting for a $10,000 a month subscription. No vulnerability scans can find that.
How do you hire the right people for your team?
As far as a dedicated security team, I haven’t had one because we weren’t that big. We hired right when we had the opportunity to replace positions, and we hired people with an interest in security. So a network admin, for example. To me, security is part of everyone’s function. If we actually have separate security teams that are actually doing a dedicated function, then we’ve never done what we’ve been teaching, which is to integrate security in all the disciplines. If you’re not teaching programmers to program securely, then you’re going to be patching later on. This is probably the most unrealistic thing I’ve ever said, but there’s some odd truth to it. I want to basically put myself out of a job. Now, it will never happen, but what I mean is that I’m teaching anyone and everyone willing to listen on how to do things more securely. It’s not about having a separate security function. It’s also about not just managing your resources. It’s helping guide and influence everyone’s teams.
The Cybereason series Stories from the Front Lines of Security Leadership will present insights from CISOs, security leaders and IT executives on topics including what’s required to succeed as a security executive, how to convey the importance of security to an organization and how security leaders can advance their careers. Do you know a security executive who has great insights and would like to talk with us for this series? Email us at ciso.series@cybereason.com.