With Transformational CISO only a month away, Digital Diary had the opportunity to sit down with Michael Coates, CEO and Co-Founder of Altitude Networks (and former CISO at Twitter!) leading up to our highly anticipated event in Miami.
Thanks, Michael, for sharing your expertise with us and our readers!
In your recently published article on LinkedIn, you note that the security community should bring the security conversation to a more practical level for average users and companies. That being said, in your opinion, how should executives in cybersecurity shift their mindset to meet the needs of their users?
There are two areas that need to be given much more attention – threat modeling and usability of security, both consumer- and enterprise-facing. The natural approach of many security professionals is to design the most secure solution against all potential threats, leaving elements such as usability as an afterthought. As a result, we end up with solutions such as PGP and complex password requirements. Both of these may “provide academically correct security” but from a practical perspective, they are failures. They are just not usable. Instead, it is critical that we define the threat model we are designing for and provide controls that are intuitive, enabled by default, and ideally seamless from the user’s perspective. Security is not a one-size-fits-all field and consequently, it is crucial that we consider the threat model of our users. The amount of friction and impact to usability in the name of security is quite different for a journalist with anonymous sources, versus a bank employee, versus an everyday user looking to share photos. We also must realize that the “user” is not just the individual consumer purchasing a product. It is also the enterprise employee beholden to security policies and systems or the security professional attempting to understand and use security tools. We must realize that security is not what users want to think about, it’s what they expect, and ideally, they want it to be seamless. Until we adopt the priorities and mindset of our users we’ll keep creating security that works in theory, but not in practice.
You led Twitter’s security program across all elements of information security for 3 years. Reflecting back on your time there, how were you as a CISO able to change the way the company defended itself against modern application attacks?
The field of security is clouded by newspaper headlines, misinformation, and far too many ‘the sky is falling’ security individuals. One of the best activities we can drive as CISOs is a return to an ordered and logical evaluation of security as a function of risk management. The details, controls, and technologies will for sure be technical and require deep security expertise, but what elements are prioritized is very much a risk management decision. Along these lines, one of my main focus areas was bringing visibility to the highest risks facing the company and ensuring that senior leadership understood that action, or inaction, was a business risk decision owned by leadership. This distinction of ‘ownership by leadership’ may seem subtle, but it is an important evolution for security programs to establish that a security team alone can’t be responsible for all risks. The security team spans all activities of a company, but we do not write every line of code or maintain every system. Therefore, it is crucial for the company to understand its role and ownership of security.
This way of thinking enabled the security team to tackle security while working closely with the expert engineers that did build and own the technology. In the end, the creation of security controls and processes that were appropriate for the massive user base and real-time nature of Twitter was an exciting challenge. It certainly instilled a respect for solving security problems with scale and speed.
During my time at Twitter, I also strove to break down the outdated thinking that strongly delineated internal and external attackers. This false sense of security implies that internal systems face fewer attacks by nature of only being accessible to those inside the company. This thinking fails for two reasons. One, the enterprises of today are filled with BYOD, cloud service connections, contractors, wireless networks, acquisitions and more. There is no notion of a general protected internal network. Second, an external attacker becomes an internal attacker the moment they breach a single public-facing machine. Therefore, if the internal network is not treated as a hostile environment it won’t be long before external attackers gain access to crucial systems and data within the company.
You left Twitter this year to start your own security company, Altitude Networks. What expertise did you find most helpful in your transition from an established global platform to the startup culture?
Scrappiness and grit. At the end of the day, you just have to get it done. Tackling large and complex challenges on a global platform drives home the reality that you will be in new and uncomfortable realities on a regular basis. The key is the principles you believe in, the team you have around you, and the shared vision to drive through the challenges.
What are the biggest mistakes a company can make when preparing for the inevitable security attack?
The biggest mistake would be to assume that you aren’t a target or it won’t happen. Every company has information that is valuable, can be monetized, or is a target for someone looking to make a statement. In addition, opportunistic automated attacks are rampant. It is irresponsible to not realize that every company is a target.
Second is not preparing for what will happen when an attack or breach occurs. “War games” or “tabletop security exercises” are fantastic activities that quickly highlight breakdowns in expectations or capabilities. I highly recommend companies hold these activities on a regular basis, even quarterly. In a “war game” the company creates a mock breach scenario and brings together stakeholders to role-play what would happen. An attacker just pasted usernames and passwords on Pastebin claiming they are from your web app. The New York Times is asking your press team for comment. The story will run in 2 hours. What happens next? Who does press notify? What teams are involved? What tools and runbooks exist to investigate the issue? Is there a plan?
I led an exercise such as this early in my time at Twitter. We even created a fake scenario and didn’t inform many people ahead of time to see how the situation would play out. This was a fantastic learning opportunity that enabled us to identify procedures and technologies we could bolster – all before a real attack occurred.
What are some helpful resources for companies that want to improve web security?
Basic application security knowledge for all developers is crucial. Fundamentally, most web security issues are a breakdown in the expectations held by the developer about trust boundaries. Many of these issues are simply due to a lack of education on the underlying technology and the practical knowledge of what information can be accessed and edited by an attacker. Fundamental application security knowledge, such as what is covered in OWASP Top 10 trainings, can dramatically help level the playing field for developers.
Next, it’s crucial for security teams to abstract away as much application security from engineers as possible. The secure path should be the easiest path. Time spent strengthening the web framework and developer design patterns to adopt security by default is great. Don’t require developers to remember security, do it for them.
After developer education and securing the development process, look towards security validation tools such as static/dynamic analysis or automated security testing. After the security program has stabilized and matured then consider an external security bug bounty program. When done correctly and at the right time, a bug bounty program is a great part of an overall web security program.
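The two points above, that most web security bugs come from misjudging what an attacker can edit, and that the secure path should be the one developers get without remembering anything, are illustrated by the following added example. It is not code from the interview, from Twitter, or from Altitude Networks; the handler names, the `Request` class, the `owned_resource` decorator and the account and session tables are all hypothetical, constructed for the demonstration.

```python
"""Trust-boundary demo: a handler that trusts a client-supplied account id
versus a framework-level default that derives identity from the server
session and checks ownership before the handler body ever runs.

Added example; all names and data here are hypothetical and constructed."""

from dataclasses import dataclass, field
from functools import wraps

# Constructed sample data: two users, each owning one account record.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 250},
    "acct-2002": {"owner": "bob", "balance": 9000},
}
# Constructed server-side session store: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    """Minimal stand-in for a web framework request object."""
    cookies: dict
    params: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


# --- Vulnerable pattern (the trust-boundary mistake the text describes).
# The developer checks "is someone logged in?" but then trusts the
# account_id parameter, which the attacker controls. Any logged-in user can
# read any account by guessing its id: an insecure direct object reference.
def view_account_vulnerable(req):
    if req.cookies.get("session") not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[req.params["account_id"]]


# --- Secure-by-default pattern (abstracting security away from engineers).
# The framework resolves the user from the session and proves ownership of
# the requested record before calling the handler, so the handler author
# cannot forget the check: the easiest path is the secure one.
def owned_resource(table):
    def decorator(handler):
        @wraps(handler)
        def wrapper(req):
            user = SESSIONS.get(req.cookies.get("session"))
            if user is None:
                raise Forbidden("not logged in")
            record = table.get(req.params.get("account_id"))
            # Same error for missing and foreign records, so the endpoint
            # does not reveal which ids exist.
            if record is None or record["owner"] != user:
                raise Forbidden("not your resource")
            return handler(req, user, record)
        return wrapper
    return decorator


@owned_resource(ACCOUNTS)
def view_account_secure(req, user, record):
    # The body only ever sees a record already proven to belong to `user`.
    return {"user": user, "balance": record["balance"]}


def demo():
    """Bob, logged in, requests Alice's account id through both handlers.
    Returns (owner leaked by the vulnerable handler, whether the secure
    handler blocked the request)."""
    attack = Request(cookies={"session": "tok-bob"},
                     params={"account_id": "acct-1001"})
    leaked = view_account_vulnerable(attack)["owner"]  # IDOR succeeds
    try:
        view_account_secure(attack)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())  # ('alice', True)
```

The point of the decorator is not the ownership check itself but where it lives: once the check is part of the framework's routing layer, a developer who writes a new handler gets it without thinking about it, which is exactly the "don't require developers to remember security" posture described above.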
What advice would you offer to CISOs as more and more people, especially attackers, become more connected and digitally fluent?
Remember that all elements are on the table for an attacker and the technology footprint of a company is dramatically increased in today’s distributed environment. For example, what is the risk to the company with non-managed personal technology? How could the compromise of an executive’s personal email account impact corporate data security? Should an employee be able to travel to any part of the world with their company laptop and have full access to corporate systems? Single sign-on may simplify access to the growing wealth of third-party web applications, but how do you off-board the collaborators of shared documents? These types of scenarios all present risks to the organization and must be considered within the security program.
As a well-known leader in cyberspace, you are aware of all the ins-and-outs of trends impacting cybersecurity. What trends are you keeping your eye on?
The future of enterprise security is autonomous defense systems. Humans are simply too slow and inefficient to be relied upon to be in the critical path for defending technology. Humans must use our expertise, creativity, and skills to build, connect, and tune enterprise security defenses. But the age of security tools generating thousands of alerts for humans to parse through amongst a massive log dump is coming to a close. We see these trends beginning in areas such as security orchestration, behavioral analytics (UEBA) and, of course, machine learning. However, I believe many of these areas are in their infancy and will serve as a stepping stone to more effective autonomous defense systems in the future.
We are very excited you are attending and keynoting our Transformational CISO Assembly this November in Miami. Can you give us a sneak preview as to what you will be speaking on?
I thoroughly enjoy the opportunity to chat with other CISOs. We have a very unique role and as technology becomes even more ingrained in our lives the importance of security will only increase. Throughout my security career, I’ve had the opportunity to work at several large technology companies with hundreds of millions of users. These experiences have forced me to think differently about tackling security challenges. From these experiences, there are three things I’d like to talk about at the Transformational CISO Assembly. First, usability is the new priority for security and a shift in our thinking is required. Second, the future of security defense is operating at massive scale and speed. How does this change our tools and techniques? And third, with competing priorities and budgets how does security influence change within an organization?
What do you think the benefits are for a C-Level executive in attending a small, intimate assembly such as ours?
The main reason to attend an event is to be presented with new ideas to challenge and inspire your thinking and to make connections to other brilliant individuals in your field that can foster new relationships. The small gathering of the top minds at the Transformational CISO Assembly is the perfect space to accomplish this goal.
ABOUT THE TRANSFORMATIONAL CISO ASSEMBLY
In a new digital world, driven by data, businesses of all sizes are working tirelessly to secure their networks, devices, and of course, their data. CISOs need to plan for worst-case scenarios, stay ahead of the latest IT security transformation technology, and maintain their company’s information assets without losing sight of the corporate culture.
This November, the 6th edition of our Transformational CISO Assembly will bring together industry leaders to discuss the latest strategies and innovations in cybersecurity in Miami. Join us today, the assembly is now open for application!