Mario Duarte, VP of Security at Snowflake Computing, a cloud-based data-warehousing startup, learned the importance of aligning security and the business very early in his career. As a 20-something new to security, he thought his keen technical skills would be enough to help him thrive.
Then the dotcom bubble burst.
“I faced a pretty harsh reality. I learned that I couldn't just rely on my technical chops anymore. I needed to understand how business works. So I went back to school and got a degree in applied economics to gain a more complete view of how organizations operate. My economics degree has definitely helped me as a security executive,” he said.
In addition to understanding the way a business runs, security professionals need to be well-rounded in other ways too, Duarte said. For instance, many security practitioners who have been performing the same tasks for years lack knowledge in other areas of security, including basic areas like encryption. To avoid this, Duarte encourages people to read, test and play around to become more educated about security.
“When I'm hiring people for my team, I want to see the passion. You may not have every skill, but if you have the basic elements and the drive -- and you can demonstrate it -- that's the person I want,” he said.
In this interview, he talks about how a classic 1980s movie piqued his interest in security, how what the public remembers about a security event is impacted by how organizations handle the incident and why security incidents that hurt brand perception can prove more harmful than ones with financial ramifications.
Whether it's developing products or adopting technology, organizations usually like to innovate and move fast, especially startups like Snowflake. Security departments, though, have a reputation for moving a bit slower and being more cautious, sometimes to the detriment of speed. How can security leaders balance security with the fast pace of innovation?
My approach comes from a book I read called Complexity: The Emerging Science at the Edge of Order and Chaos. The idea is that there’s a happy medium in the middle.
Consider water: When there’s too much chaos and atoms are bouncing all over the place, water evaporates. When things are not moving fast enough, or not moving at all, the result is an undrinkable solid, like ice. To get water, you need to strike a balance, where atoms are moving fast enough to move, but not so fast that the environment becomes unstable.
Applying this to security: there are some areas where security is at the heart of the business and security practitioners need to align themselves with what the company is doing as closely as possible and stay up to speed on everything that’s happening, as it happens. At Snowflake, for instance, we deploy micro-changes weekly to keep our core systems as secure as possible.
At the same time, there are other areas where security can (and sometimes should) operate at slower speeds. For instance, at Snowflake we tend to be more conservative when upgrading to newer operating system versions for endpoints and servers. Likewise, we are conservative about adopting newer SaaS products. Sure, there are lots of great products out there that are innovative and look great, but are not ready to be integrated into our company because they are not mature enough from a security perspective.
Do you have any advice on how security leaders can better align security with an organization’s business needs?
There’s an eye-opening book called The Phoenix Project that I’d recommend to any security practitioner. It looks at technology as an assembly line and helps you understand modern business operations and how products get built, which is really important for anyone in security.
For instance, security practitioners need to understand how code is created, moved and deployed across the programming assembly line. It’s the best way to understand where bugs and other vulnerabilities come from.
It’s also important to understand your customers. Specifically, what are their greatest asset risks? In some companies, maybe the data or services they’re providing a customer is not considered critical. In those cases, you don’t necessarily need the same rigorous controls that you would see in an organization that’s providing more critical products or services. The context matters.
The point is that security is a central part of any business. It’s like a wheel on a car: If the other wheels are round but the security one is square, that car is not going very far. Eventually, there’s a point when the driver pulls over and says that the security wheel doesn’t go with the business. Then they get another wheel that’s more in line with the rest of the wheels on the car.
When you talk to other executives and the board, how do you show them that security matters to the company?
I’m fortunate to have a very engaged, knowledgeable and forward-thinking board. I don’t struggle with explaining our security story or our needs. In fact, they push for information. They want to hear about what we’re doing.
I think this is becoming a trend. Across industries, security is starting to resonate with a lot of boards these days. Maybe it’s because enough people have lost jobs over security failures -- and not just CISOs, but CEOs too. I think security resonates with boards now, and that’s a good thing.
You mentioned that the board asks how you’re handling certain security issues. What are their concerns?
They want to understand the risks. They want to understand the biggest risk impact to Snowflake, what the challenges are, and how we are handling them.
What business metrics do you use to answer those questions?
I don’t have to explain the costs associated with a particular risk. We talk more about brand. The brand is what’s important. At Snowflake, we’re dealing with data. Brand is vital when it comes to people trusting you with their data. And it’s not just a numbers thing -- it’s who we are as a company.
No company, especially a startup, wants their image tarnished.
Exactly. I talked to a fellow CISO last week about this very topic. I mentioned that there’s a perception that their services are not as secure as their competitors’. And the CISO knew it. The company had a breach several years ago and has since built so much more security into the product. But perceptions about the company not being as secure as the competition still exist. Where did they go wrong?
If you ask me, it wasn’t the security event that was the problem, but rather a poor communication strategy. It was the way they managed the event and the way it was communicated to the community. Ultimately, what people remember is the way you respond to a security event -- how quickly you communicate and how direct you are with customers and the public.
Where do companies go wrong in handling a breach?
You have to prepare for a breach -- and that means practice, practice, practice. This is one of the things that I’ve proposed to my board. Every board, CEO and key members of their leadership should be accepting of the fact that there will likely be a breach at some point in a company's lifetime. It's not a matter of if; it's a matter of when.
What's really important is developing the right playbooks and processes to address the specific type of breach. Is it in your production environment? Is it in your office? Those are different scenarios with different implications, and so they require different playbooks -- both of which you should have. When I say playbooks, I literally mean scripts of what you need to do. And you need to test those playbooks -- and often -- because the last thing you want is to be surprised in the middle of a breach scenario when they actually don’t work.
I would also argue that a company needs to have a retainer for forensics. If you think you have a breach, then you need to bring in a third party to assess what happened -- and quickly. That's why it's important to have a retainer, because every minute counts and you don’t want to be wasting valuable time having to search for a forensic company during a breach.
How did the board react when you told them that suffering a breach is only a question of when? Some boards still practice security by only building higher walls.
I've been at companies that are not nearly as forward-thinking as the Snowflake board. With this board, it wasn't a matter of being surprised that there could be a breach. With them, it was, “Okay, and so what are we doing about it? How are we preparing? How are we minimizing risk?”
We performed tabletop exercises with the executive team and with other applicable parties.
We have also documented our breach notification template in the event of a security incident because we don’t want to be wasting valuable time writing it if a breach occurs.
Why are we so adamant about preparations for expedient communication to our customers and to the public? It largely comes from one of our corporate values of putting the customers first. By notifying our customers early, we in turn allow them to take action to reduce any potential damage to their data. The closer you can align your organization’s security program to your company values, the easier it is to bring your board onboard.
You have a degree in applied economics but have a career in security. What attracted you to the industry?
I fell in love with security when I was a kid back in the '80s. I watched War Games and I wanted to get into security. In my early years, I dropped out of school and went into technology. In those years, I heavily relied on my technical expertise, and that treated me well until the dotcom bust. We were all so excited and full of bravado thinking that we were going to change the world and become rich -- we drank the Kool-Aid. Then the bubble burst.
I was in my 20s when that occurred. I learned that I couldn't just rely on my technical chops anymore. I also needed to understand how businesses run. So I went back to school and got a degree in applied economics after realizing I needed to have a complete view of an organization.
When I was in my 20s, I was a pretty arrogant kid. I thought I knew everything and that you rely on your technical chops and that business was not important. I faced a pretty harsh reality. My economics degree has helped me as a security executive.
You have nearly two decades of security experience. What has changed the most?
When I first got into security, it was all about firewalls and protecting servers. Since then, it has expanded outward at a remarkable pace. Nowadays, we don't have any servers in Snowflake’s offices, for instance. Everything is in the cloud. It’s either running in our virtual private cloud, or we're using a SaaS provider for everything that we do.
There is also a heightened sense of security awareness. For instance, at Snowflake we treat our offices as if we are in a coffee shop with free Wi-Fi. We are always mindful and cautious about security, even at our home base.
In general, there’s also less reliance on traditional enterprise systems and devices, like network devices, firewalls, intrusion prevention systems. Instead, there's much more emphasis on the cloud and people who have more of a development background and very, very deep knowledge of cloud operating systems, even more than before. It's always been there, but it's even more emphasized now.
When we are looking for new talent for security to join my team, we look for folks who have a developer background and also understand the operating system. That's really what's becoming important in the world of the cloud. I think that's what's been a significant shift.
What advice can you offer people who are considering a career in security?
When I'm interviewing people who have been in the industry for four or five years, I often see they’ve been pigeonholed into an activity or a particular repetitive task. They don't have the breadth of knowledge today’s security environment really demands. For instance, many are missing core pillars like encryption, which every security practitioner needs to understand at some level to be successful.
At Snowflake, the big challenge we face (along with everyone else) is the ongoing talent shortage in the security market. It’s a matter of basic supply and demand economics. There's a lot of need for good security people, but there aren’t a lot of people who have the skill set to come in and work in a security team. For people who want to get into security, the most important thing they can do for themselves is to have breadth of knowledge, especially of the basics.
I encourage anyone in security -- whether they are just getting started or have been in the industry for four or five years -- to dedicate time outside of work to educate themselves on more security topics. Read, test, play around and become more educated.
Security is not a job. For anyone who’s going to be in this industry for a long time, it should be a passion -- it should be something you live and breathe over the entire course of your career.
When I'm hiring people for my team, I want to see the passion. You may not have every skill, but if you have the basic elements and the drive, and you demonstrate it, that's the person I want.