Six Takeaways from Boldstart CXO Connect:
On July 8th we held our second Boldstart CXO Connect in partnership with Silicon Valley Bank (“Security in a Remote-First World: How Have Enterprises Adapted?”), where we had the privilege of hosting three visionary security executives to discuss if, and how, their approaches to security had been transformed by the demands of a fully-remote workforce. Moderated by Boldstart principal Shomik Ghosh, attendees were given a window into the security approaches, priorities and practices of CVS, HBO Max and SVB by the executives that architected them. Paying special attention to how enterprises are working with security startups, here are the six takeaways from this intriguing discussion:
1. Enterprise security teams were “locked and loaded” well before workforces went 100% remote. Security concerns were certainly elevated, but by having already invested in strong security architectures, enterprises were able to respond swiftly and even adjust their roadmaps in response to changing priorities.
David Hahn, CISO, SVB, reflected, “The initial ‘going home’ was not a major issue because I felt like we had the protections in place. Certainly, the attack surface in terms of people increased, and people’s home Wi-Fi is not always the most secure. . .but because we’re cloud-first, there was very little transition.”
CVS had a similar flip-of-the-switch experience with going 100% remote, noted Brian Heemsoth, Executive Director, Head of Security Operations, but there were some large-scale roadmap changes due to the increase in digital utilization. “We now have mobile test scheduling and I guarantee that was not on any roadmap prior to March. Now it’s one of the most heavily used features of our app. And on the security front, it’s driving a lot of great conversation around continuing to enable these digital functions but doing so in a way that limits account takeover risk and improves the fraud resilience of our app.”
HBO Max CISO Brian Lozada weighed in, “We actually started working remotely in the beginning of March and the product, HBO Max, launched May 27. So for the final few months of actually finalizing the product and getting it ready to launch, we were all remote. Warner Media had a great plan and that seamless transition of the workforce was there and I don’t think we had too much of a hiccup.”
2. Security becomes the “enabler” rather than the bottleneck. “Look, when you’re building security into the product, that’s about culture. You’re talking about DevSecOps and DevOps. . .get yourself out there, make yourself visible and a partner to the business; offer yourself as a service to the business,” Brian Lozada said. “On my team we actually have a DevSecOps lead and then he has two cloud security engineers underneath him. So they actually work with the SRE team. They put things right into the pipeline and take that thought process away from the developers. You have to get in at the ground level, go to war with them and really understand what their processes are and then align security to that so that you don’t slow them down. So get involved early, be a partner early, understand the requirements early so that you can be part of the build process. . .the security function now is a business enabler. It is no longer that you go to security when you have a problem. It’s ‘go to security to do it right, or to help get it out right.’”
Brian Heemsoth of CVS agreed, reminiscing about old CISO stereotypes “like a traffic cop CISO, who says, ‘I only care if it’s secure, I don’t care if the business objectives are met.’ And that’s a quick way to be unsuccessful and a quick way to get yourself run out of town. Tighter integration between the security function, the business and the I.T. teams means everyone below you will enjoy that same benefit. The products that get delivered will be at a higher level of security.”
3. Data privacy is still on the minds of enterprise security execs, and partnership between security and data teams is essential. “You need to be a partner to your chief data officer and really understand how to democratize data responsibly and collaboratively,” Brian Lozada, CISO of HBO Max, says. “It needs to be done in a way that doesn’t slow down the business, but that gives us a level of responsibility from a security perspective, so that you’re not opening yourself up to risk. You really have to have that partnership. And taking it even farther back, understanding your data lifecycle. You can’t protect or really put any guidelines or visibility around data if you don’t know it exists. So really do that diligence and find out how your products are consuming, storing, processing, and transmitting that data. Where’s the persistent layer? How is that data being used? How is it being deleted? Do that so that you can put support behind it and support the business. Nowadays, every company in the world is a data company, whether they want to accept that or not. You’re going to make decisions based on the data. You’re going to innovate based on data. So it makes sense for security to be very much involved in the lifecycle and the protection of that data.”
David Hahn, CISO at SVB, doubled down: “I focus on the technical controls and they (the data teams) work more in terms of understanding all of the business enablement issues. It’s important to be close to that because ultimately, you’ve got to protect the data, it’s all about the data. You’ve got to know where it is and you have to have a good inventory system. Your ability to know where all the data is on a real-time basis is crucial. You’ve got to find those good partners to get through that.”
4. Zero Trust security is the name of the game. Brian Heemsoth noted, “we’ve got, perhaps, a longer tail than some organizations on our path to being 100% zero trust. Just based on decades of old legacy applications and mainframe devices and such, that a lot of our employees still use.” He followed by saying, “but, you know, we do have certain subsets of employees that only use productivity tools. And that’s a number measured in the tens of thousands. And we’ve had a very serious movement to bring those folks to a direct-to-cloud model where we’re not hairpinning on the VPN and we’re removing access for those users and going to the zero trust model for them.”
Brian Lozada followed by saying, “on the workforce side we are continuing to focus on employees living in the browser. Most of our applications are SaaS-based or browser-based. So continuing to focus the security efforts in the browser and then, zero trust, or treating everything as hostile, doesn’t become that much of an issue because you’re focused so much on the interface of the user.” Lozada clarified, “it does depend on where your infrastructure is. If you were born in the cloud, moving to a zero trust model is a lot easier than if you have some data center infrastructure or a bare metal infrastructure that you have to migrate. It really does depend on that.”
David Hahn noted, “Banks still have a traditional set of mainframes and AS/400s. So it’s a security strategy that has to incorporate taking advantage of zero trust capabilities with laptops. But you’ve still got the tried and true network segmentation and being able to break up the risk there.”
5. Security execs have a line item for unplanned and unfunded expenditures and emergencies baked into their budgets. Brian Heemsoth jumped in: “So one thing that we’ve found to be very successful over the years is to have a quarterly exercise where we look across all of our different business units, retail, mail order, pharmacy, our insurance division, and quantify all of the top risks that exist in those business units and then put together an enterprise-wide list. We talk about that with the board and with the audit committee and the other groups that we interface with. So we have that continual education about, ‘hey, these are the things that really matter for CVS Health and these are the risks that we need to be aware of.’ So if we run into a situation where we don’t have discretionary money and we need something, hopefully it’s more of an exercise in, ‘hey, remember that thing that we’ve been talking about every month? Well, you know, X, Y, Z just happened and the risk is ratcheting up a little bit and we’re a little bit naked here in our defenses.’ Instead of trying to go through the whole song and dance of teaching net-new.”
David Hahn agreed: “I usually try to have a discretionary budget line in my budget every year and then I’ll tap into it. But you really have to make sure that there’s consistent reporting back to the audit or risk committees.”
“As I build out the budget, I always have contingency funds in there in the event of an unknown risk or compromise,” said Brian Lozada.
6. Advice to security startups looking to work with enterprises: define entry points, know our business before you pitch, no point solutions, and for the love of everything sacred, NO ALERT TOOLS. David Hahn, CISO at SVB, explains, “too many companies have single point functions. It’s not a platform, it’s not some ecosystem. It’s a feature, it’s a function. Really try to explain ‘here’s how I can complement what you already have.’”
Brian Heemsoth of CVS agrees: “I always admire the companies that come in and they have a defined problem. And it’s actually a problem that exists for me and for others. And they’re looking to solve it and are looking to do it better than anyone else,” he said. “When you have a company that comes in and says, ‘well, I can do everything, I’ll cure COVID, I’ll be your authentication solution, oh, you need an IDS, I’ll be your IDS.’ You’re like, ‘well, what do you actually do?’”
“We all have vendor fatigue. Every new security vendor out there can solve all of our problems and they can do everything. They’re the silver bullet,” said Brian Lozada, CISO at HBO Max. “Be particular and be specific to the industry. Be specific to me. Make me feel like I’m valued and solve my problem. Don’t come in and sell me bells and whistles and buttons and bright colors. None of that shit matters to me. Solve my problem. And the other thing is, if you’re a startup security vendor and you’re an alerting tool, don’t call me. This is 2020. If you are not automating remediation, don’t call me, forget that I exist.”
David Hahn shared one final word (or perhaps an unsolicited endorsement?!) on the role of venture capital in sourcing enterprise vendors: “many firms work through venture partners like Boldstart. Work with these guys! I certainly feel comfortable having a conversation with Boldstart, because you guys have skin in the game. You’re obviously invested and there’s a reason for it, so it’s not just a sales pitch. It’s because all of the venture partners have done hundreds and hundreds of hours of research into companies,” said Hahn. “So those are the types of things that I rely on because I need some kind of vetting and filtering process to figure out what is valuable to look at. I cannot answer every phone call. It’s not possible.”
Thank you to David Hahn, CISO at Silicon Valley Bank (who was not compensated for his remarks on Boldstart!), Brian Lozada, CISO at HBO Max, and Brian Heemsoth, Executive Director, Head of Security Ops at CVS, for the interesting deep-dive and for giving us a window into the minds of enterprise security execs in a remote-first world.
If you didn’t get a chance to attend, the video of the event can be found here: https://youtu.be/NxY1HVq3b-o