An internship with the Secret Service helped Tom Pageler embark on a security career that’s included protecting the President as well as leading security teams at Visa (director of fraud control), JP Morgan Chase (deputy CISO), DocuSign (CISO and chief risk officer) and Neustar (CSO and chief risk officer). Pageler’s diverse resume is matched with an equally diverse education: he has a bachelor’s degree, two master’s degrees and an MBA. Pageler’s now using this background to secure bitcoin wallets as the CSO of blockchain security company BitGo.
“I know it sounds weird to have this background, but it’s actually a great background because it gives you the business acumen, it gives you the insight into the regulators and the standards bodies and, ultimately, information security, physical security and logical security,” said Pageler, who became BitGo’s CSO in June.
At BitGo, Pageler handles physical and cybersecurity, a setup he prefers since the two areas often overlap and, by handling both, “you have a much better ability to prevent threats and possible vulnerabilities.”
In this interview, which has been edited and condensed for clarity, Pageler talks about how security teams can get employees outside of security to bring potential issues to them (“Encourage people to come to you -- even if they come to you with something that’s not a good thing -- and reward that behavior.”), why enterprises may want to rethink competing with startups (“You start to get in it, and you realize, this area is not our number one priority, so even though we might have more people, more money, more experience, it’s not our daily business so it’s a distraction.”) and how getting an MBA helped his security career (“If you want to be successful, you’ve really got to understand the business. It really helped me understand how to articulate my needs.”).
As the CSO of a blockchain security startup, how do you balance innovation and security? On one hand, you're safeguarding currency, a task that doesn't necessarily square with the startup concept of failing fast. On the other, you're in the rapidly evolving bitcoin space, so product innovation and moving quickly is essential for your business.
It’s a pretty healthy balance here, because we’re a security startup and the engineers here have security in their DNA. A lot of them use cryptocurrency and they’re always trying to perfect it to make sure their assets are securely stored. It’s just the way the company’s been built because we’re a security company. And what’s interesting is the security team and the engineering team work really well together. They’ll come to us and ask for input. We’ll run things by them. We have regular meetings where we whiteboard out better security approaches to all of our processes. We run through hypotheticals about how each of us would try to defeat every step of our process, and not just in the engineering and product area, but even in our internal security processes. We are always pushing each other to be more secure with everything we do.
You just described what most security leaders would probably like at their companies: engineers coming to them when they have a security concern. For your peers who aren’t in situations like that, how can they get people outside of security to bring potential issues to the security team?
In past experiences, when I wasn’t at a security-focused company, I focused on integrating security with the engineering and product leads. That takes sitting on the floor with them, making sure that we’re part of the process, and making them part of the team. It’s interesting at BitGo, because everybody here has a security background, but in past experiences, I’ve had security champions within groups, in many cases engineers who have an interest in it.
Then I’d have someone on my team with more of a security background basically sit in the staff meetings and team outings for the engineering development team. And the ones who are deputized security experts in engineering or devops would sit in on my meetings. I think it’s really important for the head of technology, product engineering to have a very good relationship with the CSO, CISO or whoever heads security.
That means making sure that you meet regularly, that you talk about the product roadmap, where they’re heading, and where you can their support. If you think about it from a security perspective, you’re supporting them, making sure we get a secure product out, and when they attend your strategy meetings and you attend theirs, it just starts to integrate.
I also found that sponsoring a hackathon can be really effective. In the past I’ve had ones to specifically enhance security around the products, and they become kind of competitive. I assign security leaders to engineering teams, so my security team will then be divided up, and then they’re competing against each other. It builds comradery. It also gives people the space to think about how can they take security to the next level and actually do something security-related with their products.
So the trick is to build some collaboration between teams.
Yes, and you also can deputize people to check each other’s work. Engineers tend to work off of trying to do something better than others. My code is less buggy than yours. That’s healthy competition. When you have them check each other’s work, they start finding flaws in each other’s work. It becomes a competition. You found 10 of my flaws, but I only found five of yours. The more you can get them into the fold, the more you can make it part of what they want to do. If your approach is I’m here, you will follow my rules and by the way I’m not reachable. That’s not good.
Encourage people to come to you -- even with something that’s not a good thing -- and reward that behavior. People have come to me with what they thought was a phishing email that turned out to be legitimate. We usually say, “Hey, that’s great. This really looked like it could’ve been real. It isn’t, but I really appreciate you coming to me.”
In the past, security teams would sit in a closet or in the basement working behind a closed door. You didn’t get near them. You weren’t sure what they were doing. And you wouldn’t talk to them. That’s not healthy. Security people need to be out there. We have to be visible. And when people come to me, I want to be able to say: “Great. This is what we were able to do with the information you provided.” Regardless of whether it was a good or bad outcome, they realize you are taking their information and doing something with it.
You’ve held security leadership roles at DocuSign, JP Morgan Chase, Neustar, and Visa. When you were presenting to the board of directors and other executives, how did you convey cybersecurity risks in a way that resonated with them?
Taking a business approach is the best way to understand risk. You’ve got to take security and quantify it. You say, “Here is the risk that we’ve identified. Here’s the likelihood of impact. Here’s the likelihood of it happening.” Show the costs associated with the risk if it were to happen.
A manager says, “I want to invest in a product, here’s the cost, and here are the sales it will generate.” With that information, the decision can be made pretty easily. With security you need to do the same thing. You need to say, “Here’s the risk we’ve identified. Pretty likely, it would cost a million dollars to mitigate this risk, even though its likely impact will only be $50,000 of damage.” We wouldn’t do it, right? We would incur the $50,000. That’s not taking into account brand reputation.
But if I find a risk that’s likely to happen and the impact would be a million dollars’ worth of damage and it’s going to cost $50,000 to mitigate it, that makes sense. Paying $50,000 to mitigate will save us from a million-dollar hit, and we save $950,000. That math really works.
I do that through a very formalized risk, compliance, security, and privacy council. You have a risk register that everyone’s logging the risks that are found throughout the company. You have all the business leaders attend -- HR, finance, engineering, marketing, sales, legal -- so they all understand what the risks are. You align into a framework like ISO 31000, then you go through and say, “Here are the risks. Here’s how we equate them across the board. Here are the owners.” In many cases, the risks are owned by a business owner, and they can choose to accept the risk or mitigate it. They make the choice and we’re there to assist and make sure that they address them properly.
Then that information is communicated very transparently. It’s shared across the company. It goes to executives and it can go up to the CEO or the board. It very clearly shows how you made that decision at that time. If things change, or it turns out you got it wrong, at least then you can look back and say, “This is why we made that decision at that time.” Maybe there was a zero day that wasn’t known, so the likelihood of impact was very low. Then the zero day comes out. Now, the likelihood of impact goes up so we have to go reevaluate. Taking a risk-based approach, including everybody in the process, and following industry best practices like ISO really helps.
Why did a security leadership role at a startup appeal to you?
I like startups because they’re innovative and fast, but BitGo appealed to me specifically because we guard crypto assets. This is definitely the future of where things are going. BitGo is a security company so we’re a hundred percent focused on security. I was at Visa, and Visa was pretty awesome, but it was all about the payment system and moving transactions. This is kind of like a Visa but a six-year Visa. It’s literally the same idea. There’s all this currency going around, and we want to be the wallet that institutional investors choose for security. Coming from JP Morgan Chase and Visa, I understand how large the opportunities in financial services are. We process fifteen percent of all on-chain bitcoin transactions per month. That’s pretty significant.
On a personal note, I just love building things. I loved being at DocuSign because that was a completely new, fresh build. There was pretty much nothing there. Some of my other jobs were fixing things, like at Neustar, which was going from public to private. This is just such a fresh area, and building BitGo, and working in a new industry is very exciting. The talent here is amazing, because it’s the people who are the leaders in a new industry.
What can startups learn from established companies about conducting cybersecurity?
The value of using a risk-based framework. A lot of established companies have one. With startups, you find they’re usually very good firefighters. If something flares up, they can analyze it, figure out where it is, and put it out. Startups typically won’t document things well in the beginning, so the firefighting has to be repeated.
There is a point where taking a little bit of time to document processes and procedures can save you time in the long run. Also, getting a repeatable process in place also helps. With startups, I think a fear of bureaucracy keeps this from happening because they see it as the antithesis of being nimble - and that’s their advantage. But you can find a healthy balance. Develop a repeatable process. As you grow, the easier it will be to take care of something once and ensure that same process can happen over and over. Repeatable processes help you close large customers, and it’s easier to obtain certifications like a SOC report, which BitGo just did.
What can established companies learn from startups about conducting cybersecurity?
Established companies are always going to look at startups because they’re nimble, and they’re in new spaces. Startups are the first usually to go into a space, so you see how they approach an issue. Some companies make the mistake of looking at startups, decide that what they’re doing is cool, and saying, “I can do it better because we have more resources and experience.” Then they start to get into it, and realize, this area is not our number one priority, so even though we have more people, more money, and more experience, because it’s not our daily business, it’s a distraction. A better approach can be to find a startup doing something interesting and growing, investing in them, and bring them into the fold. You can benefit from their expertise because they’re focused solely on that area.
For example, at BitGo, we’re focused on securing digital assets. As a startup, we have our ear to the rail better than an enterprise does. In my roles at Chase and Visa I was doing a lot of things and I appreciated working with startups that were experts in their field.
A good example of that was when AWS came out.
Amazon’s not a startup anymore, but when they launched AWS they were the experts in the cloud space. They were the ones who said, “The data says we can move to the cloud. We can do this.” And a lot of companies tried to do it themselves and many of them realized they were better off outsourcing it to Amazon. I think there is a point where enterprises need to ask themselves, “Do we really want to be in this space, or do we want to just go with the startup that’s the expert, and put our efforts into evaluating them to make sure they meet our security requirements and use best practices?”
You were a special agent with the U.S. Secret Service and protected the President and Vice President. Do you see a connection between cybersecurity and physical security?
Absolutely. As a Secret Service agent I protected the President, Vice President, their families, and heads of state. I also started the electronic crimes task force in Silicon Valley. I tracked Russian organized crime bosses, arrested them overseas, and extradited them to the U.S. It was physical security and logical security and they really do play into each other. We dealt with counterfeit IDs, insider threats, issues with physical access, and communication devices. Are your radios secured? Do you have encrypted communications? Are the cameras secure? There’s a real overlap. I’ve owned physical and logical security in my career, and it’s better that way because you have a holistic picture.
For example, with my employees, I know what offices they have access to, what physical devices they have access to, what logical segregation they should have. It’s all one thing. If you can think of it as assets that are both physical and logical, and follow it across both platforms, you have a much better ability to prevent threats and vulnerabilities. If physical security is owned by one person and logical is owned by another, you might have one badge that gets you into the building, and a different one to get access to corporate resources a device. If someone is terminated or changes roles, you could have a situation where one badge has been disabled but the other hasn’t. What if one badge works to get and the other works on the device?
The Secret Service had a very good process. We were constantly rotating agents, making sure they were doing both investigations and physical security. To do an investigation, you had to be documenting, preparing, getting ready for court. Physical security works the same way. When the President’s going somewhere, it’s all planned beforehand. You know the route of the motorcade, the hard rooms, where the fire department is, where the first response is, where the local threats are. I believe that the more you can integrate both physical and logical security, the better you do in the security world.
You have an undergraduate and master’s degree in public administration and an MBA. How did you get into security?
I actually have a master’s in public admin as well, so I have two master’s. I was originally going into management information systems (MIS) at the University of Arizona then I decided I wanted to go into law enforcement. I did an internship with the Secret Service and decided that’s what I wanted to do. When I did the internship, I got a scholarship, but I was required to change my major to criminal justice. I changed from business to public administration but both were in the same college. All my electives were MIS, but I graduated with a degree in criminal justice.
I went to the Chicago Police Department briefly, then into the Secret Service. When I got to the Secret Service, I demonstrated an aptitude for computers and, at that time, there weren’t many agents coming in with technical backgrounds. We were just starting the forensics programs and electronic crimes task forces, and going after everything going on online. I was a perfect fit because of my technology background and interest in law enforcement.
When I left the Secret Service, I took a job at Visa. Most of the processes back then were manual so we started automating a lot of things. Visa went from manual processes where you use a machine to swipe a card to automation kind of overnight, but their tools were way behind. We were starting to see data breaches that were difficult to identify and we wanted to get in front of potential compromises. We took one of the breaches, and we said, “Let’s just go back six months and see if we can find it. We know historically the day it happened, so we started doing different analytics.” Ultimately, we found it.
Then, we started applying that approach to future risks, and we started finding more merchants and process risks. My manager said, “Hey, why don’t you take on more?” and gave me a new department called emerging risk, where we just tried to identify and mitigate new and emerging risk. My manager also said, “You’re doing well, but you would do better with a business degree.” So they paid for me to go back to school and get my MBA to understand the business more.
To be successful, you’ve really got to understand the business. My MBA studies really helped me understand my role in the context of the larger business. When I was at JP Morgan Chase, we were dealing with regulators frequently, so they recommended I go back and get a master’s of public administration.
I went to the Harvard Kennedy School and I got a master’s there focused on regulatory issues. It’s a great background because it gives you the business acumen, the insight into the regulators and the standards bodies and a foundation in information security, physical security and logical security. As weird as it sounds, it’s really an ideal background for my current role because I have government, business and info sec experience.
You teach at Carnegie Mellon University. What do you want future security leaders to know about how to succeed in the industry?
I tell them to approach security from the bigger business picture by taking a risk-based approach and working with business partners. Come in and say, “What’s the business? How does the business operate? What are the essentials that we have to protect or else it will be game over? Where is the flexibility for us?” Don’t start with tactical details like tools or playbooks.
It’s critical to figure out how to empower the business because you don’t want to be the security team that stunts growth. You want to be supportive and say, “I understand the mission. Here are the areas where I really can’t be flexible, but here’s where I can. Here’s how I can help you.” Then you can be very powerful because you have basically become an executive of the company who’s helping to grow the business.