Cybersecurity is essential. It also too often makes people’s jobs hard.
That’s why we need new paradigms for security support, which is becoming unmanageable according to HP. I had a chance to interview HP’s chief information security officer Joanna Burkey and Siemens CISO Kurt John recently for TechFirst with John Koetsier about security, risks, and what we can do to avoid another SolarWinds disaster.
Or, listen to the podcast: HP & Siemens CISOs on cybersecurity
And, of course, the finished story is on Forbes: get the full story in my post at Forbes.
Transcript: HP CISO Joanna Burkey and Siemens USA CISO Kurt John on cybersecurity in 2022
(This transcript has been lightly edited for length and clarity.)
Joanna Burkey: We found that over 30% of workers aged 18 to 24 admitted to actively bypassing security controls because it was making their job hard.
John Koetsier: Everyone hates it when IT starts talking about security — you can’t install this, don’t click on that — but especially now that we’re all working at home, cybersecurity risks have increased exponentially. The massive SolarWinds hack impacted 18,000 organizations, leading to serious breaches in at least 50 different companies and organizations. And it’s not just personal computers that we’re talking about, it’s some of the largest corporations on the planet and multiple IT systems of the U.S. Government, if not other governments as well. So how big is our problem? And what can we do about it? Today we’re chatting with two chief information security officers: HP CISO, Joanna Burkey and Siemens USA CISO, Kurt John. Welcome, both of you!
Joanna Burkey: Thank you.
Kurt John: Thank you, John.
Joanna Burkey: Happy to be here.
John Koetsier: Hey, super pumped to be here. Joanna, let’s start with you. How much trouble are we in?
Joanna Burkey: You know, for a while we’ve all been in a lot of trouble with cyber threats. We certainly saw things change and certainly a few different types of threats accelerate during the pandemic. I don’t believe though, we haven’t seen — we haven’t all jumped off some massive cliff. We’re constantly getting more tools, more practices, more methodologies to deal with the threat. But we need to be clear-eyed that there is a real threat out there. It is growing and it is serious.
John Koetsier: Kurt, what are you seeing out there? How deep is the trouble that we’re in?
Kurt John: You know, I’m going to have to echo what Joanna said … it’s precarious, but not all hope is lost. And so, particularly with the pandemic and a lot of investments post pandemic into digitalization, for example, at Siemens our customers, we’re seeing them spend more money to digitalize their infrastructure, their manufacturing locations. I’m sure it’s the same for people who depend on IT. Our digital supply chains are becoming more complex. The applications we use and the way they communicate with each other are becoming more complex. And as you know, our job is to just plug all the holes or as many as possible. The bad guys’ job is just to find one hole and that’s it. And so it’s accelerating — the threats are, the way we have to protect our infrastructure is accelerating. But I don’t think all hope is lost. I think there’s some things that we can do.
John Koetsier: I’m glad there’s still some hope. That’s comforting. You did a report looking at some of the unique challenges that we’re facing and going through right now, Joanna, what did you learn?
Joanna Burkey: We did. HP over the last year has issued a series of reports. Our very latest one is called ‘Out of Sight, Out of Mind,’ and it builds on the more recent report before that, which was ‘Blurred Lines and Blind Spots.’ And you can tell from these titles what our observations were. There really has been a massive change in visibility and control with the change in the ways of working, primarily. We saw a lot of people dramatically change how they worked, where they worked, what equipment they worked from. A couple of statistics, for example, is we see over 70% of people admitting that they’re using work equipment for personal use. That can include not only just checking your personal email, but maybe having a child take an online test, installing test proctoring software on a piece of company equipment, all kinds of different use that we really didn’t think of before. And the biggest takeaway to me as a practitioner, from these three reports now, has been a lot of the things we did before were predicated on certain assumptions … that simply aren’t there anymore. Many of the things we did still hold, and are great, but we definitely all need to take a look at our cyber strategies to uncover some of those places that were nicely layered before, but have definitely had some gaps open up in them now.
John Koetsier: Kurt, what’s that look like? We’re all working from home. I’m in my home office in my basement. You guys look like you’re in similar circumstances, although maybe your offices are just cool like that, I don’t know [laughter]. But you’ve increased the threat envelope 1000x maybe, I don’t know. You’ve increased the number of devices we’re going on. I’m on my home wifi here, right? Now that’s not supplied by some corporation. It’s not managed, really, necessarily. What’s that threat multiple look like when we’re spread apart like we are?
Kurt John: You know, I love Joanna’s use of the term strategy. I think home or office used to be the question, and the answer is yes. And what I mean by that is we need a cultural change and the organization needs to decide, or acknowledge, what the human condition is like. So it’s not just home or office, it’s office after just coming out of college because I’m excited to meet new people and learn new things. It’s home, because I just got a family; I have a newborn and I need to help out at home. It’s the office again, because I just got married and have a newborn and I need adult interaction. You know, and/or maybe a family member is sick and I need to do work a couple of states over for a few weeks to help take care of their family member. If we recognize that the human condition requires us to be in different places at different times, I think ultimately our business strategy, or IT strategy, or cyber strategy would adjust. It’s just in this case, the pandemic sort of catapulted us and pushed us into this scenario before we were prepared to do so. And so the threats right now — to expound on what Joanna mentioned — really is … people or employees who were used to the company doing a lot of the heavy lifting when it comes to security, now they’ve had a lot of security actions be offloaded onto them. How do they keep their home routers, as you just mentioned, updated? If you do go buy something because you needed it to work with it, then what’s the right way to configure it? How have you communicated with IT or cybersecurity? Is cybersecurity prepared to communicate to you how best to protect yourself while at home? And so I think what we’re faced with is a cultural decision, an adjustment in strategy for how we facilitate that culture, and then finally some education for our users. And then perhaps after that, some technologies we can deploy to help protect that entire life cycle.
John Koetsier: Mm-hmm. Maybe talk about those technologies for a moment, because we’re going to have the education, hopefully — we’ll see how much good it does because we still click on stuff, right? We still do stupid things, right? What kind of tools are out there that are going to help us, now, as we face increased threats?
Kurt John: I am biased. I think the predominant risk for employee population typically is the endpoint device, so I think very strong EDR is an absolute necessity. There’s some brilliant organizations that also have fantastic managed services which I think are also good for that. And so the EDR would be some of the best things you can implement right now until we can get to that next state.
John Koetsier: Mm-hmm. Joanna, let’s turn back to you, and much of what we see in cybersecurity, intrusions, hacking, that sort of thing is … I don’t want to say script kiddie level, but somebody’s bought a kit. Somebody’s bought some software, maybe they’re even renting some software somewhere. It’s a business, they’re sending it out to thousands, tens of thousands of organizations very, very cheaply and they’re just waiting for somebody to get trapped. And that’s a risk. And that’s the problem. And we see malware like that, we see hospital systems that get caught in things like that. But there’s also nation state level stuff as we saw in the SolarWinds thing. How do you protect yourself from something like that? Because you are protecting not just the 100 person organization, not just the 50 person, but the 1,000, the 10,000, the 20,000 person organization that has real infrastructure, real-world significance — maybe it is a hospital system, maybe it’s a manufacturing company with multiple locations. Maybe it’s a national security type of issue, a company that deals with national security, defense, those sorts of things. How do you protect against a nation state targeting you?
Joanna Burkey: You’re exactly right that the level of the tools has really lowered the bar for successful attack. When, you know, 10 years ago it took a lot more skill to craft a successful attack, and now one can easily be purchased. You pointed out it’s a business. It is. Ransomware as a service absolutely is a booming business. One of the good things about cyber resilience and cyber defense is that a lot of the best tools will work against a whole spectrum of threats. So, to build on what Kurt pointed out about how the endpoint is really becoming ascendant — and it is — and the endpoint can be things we don’t even think about. You know, printers are endpoints. Phones are endpoints. PCs, obviously, are endpoints. There’s a lot of tools, a much expanded set of tools that are available for the endpoint now, many of them transparent to the user, which is huge. We want to, as much as possible, not impact the user experience when we’re increasing our resilience and our cybersecurity. And another tool that’s really advanced a lot over the last years and is very operationalizable now, is containerization. And I feel like then these are great tools at the endpoint as well. So I bring these up to say they not only can help with that commodity phishing attack, where the attacker on the other end is just hoping to get lucky, these things can and do assist against the more sophisticated threat as well. So that’s the good news: the ROI on a lot of cyber tools can be multi-pronged. And I would also say that in addition to this attention and focus on the endpoint, our attention on identity is growing for a very good reason.
There are a lot of methodologies now available to strengthen who is doing what, where, with what information, that not only is a powerful tool in this hybrid workforce, but we’ve also seen a lot of nation state attacks taking advantage of systems that don’t have MFA, multi-factor authentication, or don’t have strong protections against lateral movement, like privileged access management. So by both being conscious of that entry point and the edge, as well as who is moving around how, you can really lay some solid foundations there against that entire spectrum of attacks, including nation states.
John Koetsier: And I assume you’re also talking about a Zero Trust approach to security and access to systems there, right?
Joanna Burkey: Absolutely. A good identity framework is key to really having a solid Zero Trust strategy. And we at HP, not only internally for our own strategy within the tools that we make as well, are really focusing on enabling people on that Zero Trust journey over the couple of years to come.
John Koetsier: I’m going to turn this question to Kurt here, because I asked the same question to Rinki Sethi, who’s the CISO at Twitter, and I said, ‘How on earth do you sleep at night as a CISO?’ I mean, like, you just know you are a target. You just know that there are thousands of people out there who are probing, testing, attacking at any given moment of any given day. How do you sleep at night?
Kurt John: I don’t.
John Koetsier: [Laughing] I don’t believe you. You must sleep a little bit.
Kurt John: But not for the reason that you would think … last night my daughters were kicking me in the face. So that’s why I didn’t sleep last night. But no, as a CISO … I sleep at night and I’ll tell you why. Of course you don’t want something bad to happen. However, a few things … so first and foremost, I mean this is going to be security 101. You identify what’s most critical and you deploy the security controls commensurate with its importance for the organization’s mission. There are some things you’re just not going to be able to do because you don’t have unlimited time or budget. What becomes incredibly critical is … expecting to fail. You’re not planning to fail, you’re planning to succeed, but you expect that something’s going to go awry at some point. And what you want to do is fail as quickly as you can so that you can recover as quickly as you can. You need to, and that’s part of being cyber resilient. It’s not that you never get attacked, you know, you hope you don’t, and you plan that you don’t. But what you do is you orchestrate your ecosystem so that if you do get impacted, you have the ability to recover as quickly as possible. And once your organization is in that place, I think you’ll be able to sleep a little bit better at night.
John Koetsier: I like that. I don’t know how it works in the brochure, but ‘plan to fail’ [laughing]…
Kurt John: Yep.
John Koetsier: You know, that’s honest, right? I mean, look, you’re going to get targeted. Somebody’s going to have something — the fish tank in the office or the smart thermostat that you know is routable…
Kurt John: Or the coffee machine. Funny story, let me tell you this really quickly. I remember seeing an article where some researchers compromised a coffee machine and displayed like this little pixelized evil face. And the thought popped into my head, and I said, ‘I wonder how powerful this coffee machine is?’ And so I asked one of my team members to go compare the vacuum tube room-sized computer from the 1960s, I think — either fifties or sixties, the first computer — to that coffee machine. And don’t hold me to this, it was either the memory or the processing power, or maybe it was both, but the coffee machine was more powerful in either one or both of those than that room-sized vacuum tube computer. Yeah, so we have more powerful computers now making coffee than the entirety of an average sized room. So that gives you an idea of just the threat spread that we have to deal with.
John Koetsier: Well, and I guess how important coffee is to some of us, correct? [laughter]
Kurt John: I see your machine in the background right there, so yes.
John Koetsier: Yes, absolutely. Joanna, maybe let’s go back to you here. We’ve talked about COVID. We’ve talked about working at home that’s expanded the threat envelope. And Kurt has said, ‘Hey, this is life.’ This is life now, but realistically it was life for a while, right? We moved. We came into different organizations. We used different technology. We did some work email on the home machine, you know, other things like that. We went shopping on the work machine. How do you see that evolving? How do you see that continuing? Do you see that growing even more? And as we have to manage devices that we don’t manage … as we have to control for devices that we don’t own. What’s that look like? Are there AI solutions in place to see, hey, I don’t expect to see this kind of traffic from a coffee machine, you know, I don’t expect to see that kind of — those packets being passed over this network, or going to those places and highlighting some of those weirdnesses and alerting somebody?
Joanna Burkey: Mm-hmm. I agree, completely, that this has changed and it will stay and grow. I don’t see a way that we go back to this idea of — and even at the time, I think, before the pandemic, the boundaries and the perimeters were really porous. But not everyone really was recognizing that as it happened, and then all of a sudden it was accelerated and now it’s here. And I do believe that this world where we not only have the changes brought by the pandemic — where many, many more things became more digital all of a sudden, and it became possible to do a lot more remotely than it ever had been before — we also have a generation of people growing up that expect seamless native digital experiences. You know, I definitely, you can tell from the gray hair, I am not a digital native … and I do find myself having more patience and tolerance for technology that doesn’t work, because I didn’t grow up necessarily with technology that worked. That’s not the case now. And we see a lot of young workers, in fact, in one of our HP studies we found that over 30% of workers aged 18 to 24 admitted to actively bypassing security controls because it was making their job hard.
John Koetsier: Yes.
Joanna Burkey: And I think that is a fascinating observation we must pay attention to. It is not saying that young people don’t care about security. It is saying that we need to design and implement strategies that are seamless and that work, because that is now the world that a lot of people are used to. So I think, John, to your point about, well, what do we do about that? There absolutely are technologies here that help. I mentioned earlier that we see containerization and isolation becoming more critical. I agree fully with this because, done well, that is transparent to the user, but it is a great tool right at the start of an attack. I do believe we also, we are seeing more now occur in the cloud and at the edge, where there can be a greater amount of configuration control, for example. But then your R&D engineer at home still accesses everything that they need just like it was sitting there locally with them. I think we will see, we’ve seen this now for some years, the emergence of anomaly detection and behavioral detection tools. Those obviously will continue to grow, especially with more processing power available to them. Even the, clearly the processor in a coffee pot would be enough [inaudible & laughter]. So absolutely, we see a role for technology and I really see a world coming forward where the technology is the enabler, it is not the focus. For a while we’ve been so focused on, oh, how cool is it that technology can do this? Yeah, that’s great, but what really matters now is operationalizable, transparent, usable security that, number one, helps your CISO and your IT decision-makers sleep at night, because they don’t have to constantly stay awake glued to the monitor. And number two, you give users and employees this more seamless experience that they are expecting, and that will help keep the resiliency of your entire footprint more robust.
John Koetsier: Love that. And Joanna, we can’t go a whole call without talking about what’s behind you. I mean, like seriously, very cool stuff. What are we looking at back there?
Joanna Burkey: This is my yarn collection, and it would be a lot more entertaining if I told you I had never picked up a knitting needle before the pandemic … that’s not true. You’re looking at about a 10-year hoarding here. But it’s just remarkable the number of people I talk to who think I collect Beanie Babies.
John Koetsier: Yeah, yeah, yeah. That was a thought that came to mind [laughing], but excellent, wonderful. Kurt, gonna give you and Joanna kind of last hits on maybe the advice to give the CISO in a mid-size organization, you know, small IT team, overburdened, don’t really know how they can manage all the flood of stuff — but I love your office as well, and I got a comment on that. And I love your comments [on a sign] behind there: Family First. Respect All. Break…?
Kurt John: Boxes and Build Teams?
John Koetsier: Break Boxes. Build Teams. Okay, I’ve got that, excellent. Boxes in the organization, excellent … and Have Fun. Awesome.
Kurt John: That’s right.
John Koetsier: I think we’re having some fun here. Hopefully we’re breaking a couple boxes. Respecting … and guess what? Family is sleeping up above and [laughter] it’s early in the morning for me, so there you go. Wonderful. But maybe let’s end here for you and we’ll go to Joanna with the same question. Talk to that CISO … it’s a couple thousand people, maybe it’s 500 people, who knows. There’s a couple IT people, it’s a really lean team, not a lot of time for education, not a lot of time to do much besides swap out machines or whatever. What does this CISO need to do?
Kurt John: First and foremost, you want to spend those limited resources as well as possible. So what I would do is … check your data. Tie your data to systems. Your systems are tied to processes. Your processes are tied to people who use those processes. And all of that, all of those are tied to a particular business objective. Essentially, what you’re trying to do is you’re trying to work backwards from that business objective so that you could spend those limited resources on the data systems, processes, and people that matter the most in achieving those business outcomes. That’s the best way to spend limited resources. The next is data. Be intentional about your data strategy and not data in terms of what the business is using — your data, cybersecurity data. You want to capture and leverage data as much as possible so you can get insights. So that you could, again, spend those resources as well as possible. The third thing I would say is that it’s a very competitive technology ecosystem out there, and managed services and other tools are becoming cheaper and cheaper as more competition enters the market. So don’t be afraid to do your due diligence on a third party you might use, but don’t be afraid to leverage third parties in your strategy to achieve your mission. And then the fourth is also a little bit tied to the first, which is understand the mission of the business. If you can deeply ingrain the mission of the business into you and your team, then you can understand how you fit into the overall value chain of that business and what matters most. And so, again, you spend the resources well.
John Koetsier: Wonderful. Wow. You surprise a guy with a question out of the blue and he gives you a detailed four point plan of how to deal with it. I love it. Not too bad, not too bad. Joanna, he set the bar pretty high here [laughter]. What’s your advice? Is there anything left?
Joanna Burkey: You know, I love it. There’s only one thing left, but there’s one thing I would love to underline is Kurt’s observation about the mission of the business. I think it’s easy sitting in the CISO’s seat to get overwhelmed with capability maturity, and here’s this compliance checklist, and here’s this compliance checklist, where fundamentally everything we do plugs into that company mission. And it’s not only great to look at things through that filter because it can really help you prioritize and really help you make risk-based decisions, it also helps you and your team with that sense of purpose. And having that sense of purpose is a big tool against the mental health effects of this job, sometimes that ability to not sleep at night. Tying to that mission, I think is really great not only for the cyber strategy, but for the health of the practitioners doing it. The one thing I would add to that is: use your community and use your partners. It’s really tempting, especially sitting in that CISO seat, to think ‘It’s all on me. I’ve got to do it all, end to end.’ And the reality is you have technology partners, you have vendors who are there and want to help. They are probably investing much more than you are in threat intel, in understanding the threat landscape. Use them. Use their knowledge. Use your community. Find some fellow CISOs that, at a minimum, they’re a good therapy, but also too can be great for best practice sharing. Kurt and I actually talk, we talk a lot … and it’s great to have people that you can bounce things off of and get ideas from. So, don’t think that it’s all on you. Follow those four points from Kurt and I think, even if you’ve got a three person organization, you can have some resilient foundations.
John Koetsier: Which is hard to wade through and find the important parts so you don’t have a myriad of false positives or false negatives. And then having a partner, I think, honestly, I love that idea to connect to the mission because I have this impression of many of these CISOs that just feel bombarded, just feel pummeled by an unceasing flow of attacks, an unceasing flow of requests, an unceasing flow of data. It’s really challenging to do it alone as a small team and you need to have some help. I want to thank you, Joanna. I want to thank you, Kurt. This has been fun. This has been worth getting up at five in the morning for. Thank you for your time. Thank you for your questions. I really do appreciate it.
Joanna Burkey: Thank you so much, John, a lot of fun.
Kurt John: Thanks, John.