We’re in a crazy, complex, almost alternate reality now. We see hacking from nation-states, hacking from criminals, hacking for fun, hacking for profit … and there’s probably worse that we don’t see.
In that context, how does a Chief Information Security Officer function? In the latest TechFirst with John Koetsier we chat with Twitter’s CISO Rinki Sethi and Info-Tech Research Group analyst Frank Sargent about information security in 2021.
What we chat about …
- A CISO’s job
- SolarWinds Orion and Supernova hacks
- Big tech
- Social engineering
- US elections
- How the role of CISO is changing
Most importantly, we talk about the stakes if we don’t get this right … to our power systems, to our government processes, to our military secrets, and to the companies that run the infrastructure that our lives depend on.
And keep scrolling for full audio, video, plus — of course — a complete transcript …
Subscribe to TechFirst: infosec is the new war
Watch: Big tech is ground zero for information security battles of the future
Read: Chatting with Twitter’s chief information security officer Rinki Sethi
(This transcript has been lightly edited for length and clarity.)
John Koetsier: Information security sounds like a horrifically boring topic. But is it possible that given what we’ve seen in 2020, information security is the root of all security in 2021? Welcome to TechFirst with John Koetsier.
So, I want to have a pretty wide-ranging chat today. It’s a pretty crazy moment in world history; lots going on. Cybersecurity is really in the very middle of it. We’ve seen lots of election questions lately in the U.S. We’ve seen, over the past few years, huge hacks exposing hundreds of millions of people. And we’ve just seen potentially evidence of perhaps the biggest hack in history: SolarWinds and Supernova, which exposed much of the United States government, potentially.
So how important is information security in 2021? What are the key challenges we’ll face? And we’re going to chat about all these different things. To chat through them, we’re joined by Rinki Sethi, who’s the chief information security officer at Twitter, and Frank Sargent, who leads security, risk, and compliance at Info-Tech Research Group. Welcome, Rinki and Frank!
Frank Sargent: Thanks, John.
Rinki Sethi: Thanks for having me.
John Koetsier: Hey, such a pleasure to have both of you. Especially you, Frank; it’s a holiday for you and it’s a holiday for me as well, we’re in Canada. Rinki, I’m assuming you’re in San Francisco.
Rinki Sethi: That’s right. I’m in the Bay Area.
John Koetsier: Excellent. Excellent. Well, thank you. I think we need to start here Rinki, with you … what is a CISO? What is a chief information security officer? What does a normal day look like for you?
Rinki Sethi: I don’t know that I’ve seen a normal day for the last, gosh … decade.
So, you know, to me, a chief information security officer is really somebody who helps represent the best interest of a company as it relates to protecting data, protecting the company’s assets, and driving accountability around security risk.
When you talk to me about my day-to-day, it varies. Some days are just one-on-ones with people on my team and making sure that I’m helping develop careers. Other days, I’m the woman in high heels — well, today I guess the woman in little fuzzy slippers at home — working and driving security incidents, and working closely with the team in ensuring that we’re containing security incidents that we might see on platform.
Other days, it’s working strategically with different partners across Twitter to ensure that we’ve got good thought leadership in how we’re building security into the product and just different parts of the business. So every day is a little bit different, which is what makes the role exciting.
At the end of the day, I’m here to help protect the business at Twitter.
John Koetsier: And I’m guessing the less exciting a day is, the better the day is for you, most likely. And I’m guessing everything has changed for you over the past year, just like all the rest of us working in different places, not necessarily in offices.
You’ve got a long history in cybersecurity — a decade at least. Why did you take the role at Twitter? It’s a pretty tempting target, one would think.
Rinki Sethi: It is, and I interviewed at Twitter at a very interesting time, right before the election when Twitter was in the spotlight, I would say.
And actually that’s what drew me to Twitter, was just their mission around protecting the public conversation. And it was such an important time, and it still continues to be, around making sure that the public is getting the right information, the information that they want, they need, and that it’s accurate.
And so Twitter’s mission of protecting the public conversation is exactly where I wanted to be, was to defend that. And some of the choices they had made, how they were leading best practices in this space, I thought were very core and aligned to my values, and I couldn’t think of a better challenge to go and take on, so that’s why I chose Twitter.
John Koetsier: That’s a good segue, and I know that you’re not going to speak specifically today to your role at Twitter and what you’re going to do there, and you’re just pretty new in the role as well so you’ve got a lot to explore and go on … but if you look at the year ahead perhaps, 2021, and you think about the key challenges that we’re going to face in cybersecurity, what comes to mind?
Rinki Sethi: Yeah, I think one is what I just shared — especially platforms like Twitter, we’re going to have to focus on how do you protect the public conversation and ensure that cybersecurity doesn’t become a disruptor or interruption to that. We saw that happen earlier in the year with the breach at Twitter, and so I think we can’t see things like that.
And so I think that’s going to be a continued target and we’re going to continue to see as a protection of the public conversation.
The other is, I think just folks are getting settled into working remotely, and I think companies are still focusing on how do you continue to make sure that the remote workforce is protected in the right way. And, you know, you’re no longer protecting just your own perimeter, but you’re protecting home perimeters, and trying to teach your employees on security hygiene where you don’t have the visibility that you used to from a central security perspective.
So I think that’s going to be a continued area of focus as well. And companies are going to, I think also — not are going to, but are starting to already — migrate to the cloud, and I think that’s going to be a big thing we see is a continued shift and focus on cloud security. So I think those are the three big areas I see.
John Koetsier: What a huge challenge, right? I mean, Frank, it’s been a long time since an enterprise has been just a building or a series of buildings to protect a perimeter from, but now, I mean, the membrane is so diverse.
There is no membrane, right?
We’re in a thousand different locations, especially a big company the size of Twitter, big enterprises with tens of thousands of employees in tens of thousands of locations, with potentially thousands of different configurations of technology and everything else. It’s a challenging 2021 going forward, isn’t it?
Frank Sargent: Well, it certainly is. When you start to consider all of this ‘new normal’ that we’ve been forced into in the last year.
We’ve started to bring in some of those concepts of zero trust networking and so forth of … where is that perimeter? Where does it even exist, at all, in any way? Right?
Used to be a real old school, you’re behind the firewall and you’re protected. But now … yeah, that’s gone by the wayside, and you know, it’s a whole new reality now about defining that perimeter, defining those risks, understanding what that looks like to an organization.
John Koetsier: Yeah. I want to bring this a little bit general here, because we know that — we have this phrase ‘software is eating the world,’ right?
And I’m looking at information security, and I’m thinking that’s becoming more and more equivalent to security in general, I mean, for companies and for nations. And the lack of it, or even perceived lack of it in case of the recent U.S. elections, has real implications for physical security and physical well-being, as well as well-being of your data and everything like that. Talk a little bit about how that evolution has happened for the survival of companies and even nations.
Frank Sargent: Well, to kind of get on that whole thought of security and information security kind of merging, when you see how everything has evolved over the last several years, you know, you think about 5G and its enablement of the internet of things.
But now you’re starting to see the merge of internet — or IT and OT, operational technologies as well as ICS, industrial control systems. And these sort of things all coming together under one governance, one standard, one way to look after things.
You know, it used to be that there were air-gap situations where the security was such that we want to keep this gap in this place. Well, that gap doesn’t actually exist anymore. If there’s a wire, if there’s a port open, there’s an attack vector there, right? And we’re bringing all this stuff together, and what those OT and ICS environments were protecting and doing if you — you know, in the news in the last several years of looking after water quality, even holding back water from dams and other infrastructures, our power infrastructure, any of these types of situations, even if you get into medical devices.
So when you think about your own personal safety, you know, when you think of all the different systems that are here to look after you, provide that water, provide that heat, provide that food … all of those systems are all managed now by all of the multitude of connected devices that are now at risk.
You need to have that type of a security program to manage into that sort of thing. So, physical safety has been drawn right in, kicking and screaming in a certain sort of way.
And now these types of security program measures are just now getting implemented in there, and they’re struggling to catch up.
John Koetsier: And we see that internationally as well, right? I mean, and we’ll get into this a little bit with Rinki in a bit, but Frank, I’m going to stick with you for just a second.
We’ve seen SolarWinds, right? We’ve seen that massive hack. We really don’t know how bad it is yet. We really don’t know how deep that went, how much people got from that, who exactly was responsible — it looks like Russia, I’m not sure that’s a hundred percent guaranteed or not, you know, but there’s been multiple others as well.
I mean, what are your thoughts when you see something like SolarWinds and Supernova which was discovered just recently?
Frank Sargent: It’s certainly a wake-up call.
You think about it almost as a single point of failure, you know, if you think about the U.S. government and how many different departments and organizations have been affected by this. It doesn’t just happen in the U.S., as well. I think it was yesterday in the news that the government of Vietnam has been impacted, and it could potentially be that.
And you don’t even know what we could characterize this as, right? SolarWinds was just the door, you know, there’s just all sorts of other avenues that this kind of breach and this kind of attack could manifest itself as, right? And so, we really still — like you were just saying — we don’t know what is really to come yet of this. There have been major outages from other large vendors where there is speculation: was that SolarWinds? Right?
And it’s certainly that wake-up call. As I talked to many of our members, it’s about understanding risk. Are we going to be able to actually stop this? Can I vet every single vendor that I deal with to the level that needs to be to protect my organization? We’ve got to start to understand and use this as that wake-up call to understand risk, flex and mature our incident response capabilities, that sort of thing.
Just from a high level, you know, I’m still very interested to see — I’ve seen a lot of the technical tidbits, talked to even some of our defense contractors and others that are really, really interested in what is going on, what those impacts are. It’s still gonna, you know, the story is still playing out here most certainly.
John Koetsier: Rinki, it’s got to make you think about what vendors you work with, right? And again, speaking in general, what vendors you choose to work with, how you evaluate them, how you evaluate their technology, how you evaluate SDKs you might put in your app, other things like that.
That’s got to make you pretty scared about working with a vendor. Am I wrong?
Rinki Sethi: You know, I think you’ve got to have a good third-party risk assessment program at your company. And things like this happen. I think that it’s one of the things that companies have to look at, what kind of data you’re sharing with those companies.
I think, in my opinion, when things like this happen it’s more how are you going to react and are you ready? And do you have the information right away to go and respond to this, and contain it quickly, and follow up with those companies that you have close relationships with because a security incident can happen.
It is getting scary, and again, I think that it’s really important to be prepared because any company can be affected by something like this.
John Koetsier: That’s a good segue. Let’s talk a little bit about you personally. You’re a CISO, chief information security officer, and you know we’re often told things like ‘there’s no such thing as a fully secure system,’ which means that a system — if that’s true, and I’m going to ask you that question as well — but if that’s true, that means that there’s a hole or there’s 10 holes that any CISO doesn’t yet know about that are there, right?
I mean, a) how do you live with that? And b) what are the implications of that in terms of how you do your job?
Rinki Sethi: Yeah, I mean, I think there’s two aspects to this, right? Many times I think in security … security’s always playing catch up. And so you’re behind, you know, it’s rare that you’re in front of the problem and you’re designing right from the beginning. And if you’re not, then you’re constantly playing catch up, even in the security industry.
Take cloud as an example.
The cloud industry boomed, everyone started adopting AWS and GCP and Azure. Even they didn’t build in the right security controls and a lot of the security vendors popped up because we needed to build the right security, because technology and innovation was being adopted so quickly.
And so I think there’s two aspects to it. You do have to work and play the catch up and make sure you’re preventing security issues as these new technologies are evolving and building that security platform in. On the flip side, I think you also have to be prepared to detect and contain incidents for when they happen. You have to have a good way to get visibility so that, you know, let’s say there’s a new technol— or your company is developing something new that you have a way of catching that, and hopefully a chance to monitor that and be able to detect, oh, something new popped up, we’re going to go take a look, even if it happens later in the design cycle.
John Koetsier: Frank, I want to ping in with you on that one real brief, because there are vendors that are building technology using AI to just look for anomalies, look for things that are unusual, look for things that might be a hack.
And we know that the U.S. government for instance, invested billions of dollars in Einstein, right? Some technology to hopefully stop everything, anything like SolarWinds from ever happening. Do you see — is that path fruitful? And what do you see as the best options there?
Frank Sargent: Certainly is fruitful. When you think about organizations and their security budgets, if you will, AI is certainly enabling far more visibility with less staff, with less bodies in front of screen, so to speak, right? So there is that angle to it, of creating that automation and so forth, and that ability to see things, and see things far quicker and so forth.
You know, some of the downside, I guess, is if you don’t know how long SolarWinds and any kind of hack has been in your environment, it’s looking for, as you were saying, deltas and so forth.
John Koetsier: That looks normal, right? That’s — yeah, you wouldn’t see that.
Frank Sargent: Normally he’s already there, you know, the attacker’s already in your environment, so hey, it still looks good.
So there is that whole seeding, there’s that whole, that AI learning of what is normal, what is the standard, even as organizations are trying to restore — or if they’ve had Orion in their environment, of what is a good restoration point? How do I get back to a known good? What is that, right?
And then, you know, where is that going to land, right? So that AI has got that bit of a thought there that it’s just looking at what it can see right now in a certain sort of way. But it certainly has a lot of good upside, in a lot of different ways, for a lot of different organizations that are handcuffed in certain sort of ways of hiring and having the skill sets around and so forth. So it really does and from many perspectives, but then there’s some of the limitations as well that you need to understand.
John Koetsier: Rinki, when we think about information security, we — at least I do, maybe it’s just me — gravitate to code, to technology, to devices. Often security fails in social engineering attacks, right? In ways that people make a phone call, get some information from Facebook and worm their way into an organization somehow. How do you protect from that?
Rinki Sethi: Yeah, I mean, I think, again, technology has a play here and there’s a lot technology can do to prevent social engineering attacks. Companies are behind in adopting that, and so I think that’s really important.
Things like YubiKey or any type of second, third, plus-plus factors you can put in place that make it really difficult for attackers to get in — even if they’re starting to see success in a social engineering attack — is important.
I also think continuing to educate your employees is super important. And the more that you can do it in the moment, you know, I like to say that training is interesting, that a lot of times we have these check-the-box annual security trainings that everybody does to meet some kind of compliance requirement, and absolutely people take it, they don’t even listen to it, they check the box and they move on.
That is not what I consider security education.
I think vendors are getting more savvy on how can you train users in the moment that they’re doing something that maybe they shouldn’t be. I think that’s the most impactful kind of training. One example of that is when someone maybe is putting something into a public shared folder that’s accessible to the world, that they get a flag saying, ‘Hey, did you mean to do that? Because what you just did is going to make whatever file you’re sharing accessible to the whole world. Maybe you want to go back and change the settings on this.’ And the more that we can push training in the moment, I think as users are doing something that either intentionally or unintentionally is bad, that’s how folks are going to get trained.
And I think it’s really important to focus on training that’s changing actual user behavior and you have data to measure that that’s happening. So I think continuing to do user education is going to be more critical even as folks are at home, and then I think they can take those tips to their kids and their significant others as they learn them, to make sure that they’re securing beyond just the workplace.
John Koetsier: I almost think I need to do two-factor authorization, you know, if I get an email from somebody, message them on Slack and ‘Did you actually send that?’ if it’s something dangerous or challenging.
Frank, I want to turn back to you, and we’re in this crazy, complex reality right here, right? Ten days ago, a month ago, we thought everything was fine. All of a sudden, we find out that the U.S. government, the DOD, every component of the U.S. military was potentially compromised while we are all happily, you know, you had Thanksgiving, we had Christmas, we had all this was going on. So we’re in this crazy, complex reality where there’s hacking from nation-states, there’s hacking from criminals, there’s hacking just for fun and just to see what I can do, and there’s hacking for profit. This is a really challenging reality to be in.
What are the stakes here? And how do we win this?
Frank Sargent: Well, the stakes like we were just, you know, we were alluding to them and we mentioned earlier, right? Like there’s huge stakes here.
When we talk about the critical infrastructure that many of the departments are trying to protect, the weapon systems, you name it, like, it could have just ridiculous ramifications on all of us. So the stakes are quite high when you consider what is going on at a nation-state level. It’s kind of a scary, scary type of a situation when you get right down into what some of this stuff — what could actually happen here.
When you say, ‘could we win?’ Uh, that’s an interesting kind of a concept, I guess. I don’t know that there’s a win. You know, I guess we’d have to define what winning is and that’s just, you know, keeping afloat, right?
John Koetsier: Hahaha.
Frank Sargent: In a certain sort of way, right?
In that good is not going to defeat evil here in a way, and that we’re getting more and more and more complex, and we’ve got to learn and understand and prioritize what these threats and risks are.
We’ve really got to get our arms around what this stuff looks like and what we can do something about. What we can do with our limited budgets, our limited staffing, our limited — so many limited things in security that CISOs have got to fight upstream about, and still try to provide that. So we’ve got to prioritize. We’ve got to understand what makes the most sense. What can we actually do something about. Not worry about the things that we can’t … period. But, you know, kind of define winning by keeping up with that sort of thing, I guess, is the best way I could put it.
John Koetsier: Excellent. Rinki, I want to turn back to you.
TechFirst is a podcast about people who are shaping the future, technology that’s changing the world. We see cybersecurity and, frankly, most of the time when you do your job, nobody knows. When you are successful, nothing happens. This is a challenging job to be in, because it’s only when you fail or somebody in your organization fails, or some technology that you rely on in some way, shape, or form fails … all of a sudden you get thrust into the limelight. How do you do your work in that way? And how will your work in information security shape the future?
Rinki Sethi: It’s funny that you say that. I always used to use this analogy, that security is a back office job, you know, and nobody knows. But I think … things are changing. Security is in the news every day, and I think it’s really important.
And the CISO’s role has morphed and changed too, that you used to see two camps of CISOs. One that were really technical, more like architects, and then another that was very business savvy, really good at communications. And I think those are merging together, and it’s really important for CISOs to communicate really well across their different stakeholders and partners in a company, such that it’s not that back office job and it’s in the forefront on a day-to-day basis.
And that everybody understands that it’s not just the CISO’s job to carry the weight and the stress of security on their shoulders, but it’s a shared responsibility for everybody in the company. And that top-down championship is super critical to be successful at security. So, I think that you can’t just wait for a security incident, then security is in the spotlight, then something’s not right. And that I see as a major part of my job is to make sure security is being thought of every day, in every decision that’s being made by folks in the company, and so that it doesn’t stay as that back office job.
And that’s what I hope to accomplish here at Twitter, and in any future CISO role that I take on.
John Koetsier: Frank, let’s turn to you. Same sort of question, basically. You are in — you’re an analyst, you’re a consultant, you advise people on technology, you advise them, you write reports, other things like that. What are you hoping to achieve?
Frank Sargent: My personal mission in life? Well, you know, for being in security, I’ve kind of hinted at it over and all — it’s just understanding risk. Whether it’s personally with some of these things, worry about what you can and do something about those things that you can, and not worry about things that you can’t … but still acknowledge them, right? Like, and I sit and talk for many years now with a lot of our Info-Tech members in trying to get their arms around that risk, understanding what risk is.
You know, it’s great to be able to have all these technologies and so forth, but again, you’re still in this limited kind of ability to look after things, and you gotta be able to prioritize. So it’s talking about that, prioritizing what you can do, prioritizing the risk, understanding what all of those different threats are. And trying to get that out to everyone, you know, we’re doing a lot of different research in that space at Info-Tech right now. I’m trying to get that message out in a few different ways, and certainly the thing I’m taking out of SolarWinds and a lot of what goes on this year with the move to the cloud and all that, is really getting organizations’ and individuals’ arms around risk, and the understanding of this new order, this new world, so to speak.
John Koetsier: Excellent. Well, thank you so much, Rinki. Thank you so much, Frank. I really do appreciate your time.
Frank Sargent: Thank you, John.
Rinki Sethi: Thank you so much.
John Koetsier: For everybody else, thank you for joining us on TechFirst. My name is John Koetsier, I appreciate you being along for the show. You’ll be able to get a full transcript of this in about a week at JohnKoetsier.com, and the story will come up at Forbes shortly thereafter. Full video is available on my YouTube channel. Thank you for joining.
Until next time … this is John Koetsier with TechFirst.