Episode details:

Watch the latest Agent of Influence episode with Bindi Davé, Deputy CISO at DigiCert, as she discusses the Golden Triangle approach when entering a new company, focusing on asset discovery, defining acceptable risk, and fostering a comprehensive cybersecurity culture.

Together, they explore the Golden Triangle approach for navigating the first steps of cybersecurity when entering a new company, including critical strategies such as asset discovery, defining acceptable risk, and fostering a collaborative cybersecurity culture.

Show Notes: 

Transcript between Nabil and Bindi

Topics covered: Golden Triangle in cybersecurity, first steps to take for security when joining a new company, attracting diverse skill sets to cyber

This transcript has been edited for clarity and readability. 

Nabil Hannan: Today, Bindi Davé joins us to talk about how to enhance cybersecurity in an organization when you newly join as a cybersecurity leader. Bindi, so nice to have you; thanks for being here. 

Bindi Davé: Thanks for having me.  

Nabil: Why don’t you start by maybe telling us a little bit about yourself, and where you are today professionally? 

Bindi: I am at DigiCert, which you can think of as the leading provider of digital trust across the internet. I think 80% of our customers are Fortune 500 or so organizations, and I lead our security function internally.

00:51: What is the Golden Triangle and how does it relate to cybersecurity? 

Nabil: Excellent, and you have a diverse background. You’ve been to a lot of different places and played different pivotal roles across the industry from a cyber perspective, so I’m looking forward to learning more about that today. Let’s start by talking about the concept you had mentioned to us before about the Golden Triangle and how that relates to cybersecurity. Do you mind diving in on that and elaborating? 

Bindi: Throughout my career in cybersecurity, I started out in project management and program management, and I’ve had the privilege of working in many different industries, both in-house and in consulting capacities at organizations of various sizes, and this concept of the Golden Triangle really helps round out that conversation because it looks at the three legs of a triangle: your people, your process, and your technologies.

When any of those legs of the triangle is askew, you start noticing problems in, I’ll say, the organization, because when we look at security, it should really be considered a platform, as it should be considered in each vertical of the business. It’s not just a silo or pillar, so those being in balance is pretty critical.

Nabil: Would you say, then, that when you come into a new organization as a cybersecurity leader, there are obviously some considerations you have to factor in, in order to ensure that what you’re building out, as the security journey evolves for that organization, is pretty robust? Would you say that the Golden Triangle has helped you from that perspective, to ensure that you’re not only focusing on one area per se, but also focusing on building out a program that’s more well-rounded across all of those domains?

Bindi: Yeah, absolutely. So if you think about our different programs in security, such as identity and access management, or your infrastructure security, or your endpoints and how you’re securing them, there are going to be technologies that you’re going to need to use to automate your understanding and visibility of those assets, whatever term we want to use for assets here. And then that technology needs to be supported by processes, which you also have to understand and have visibility into, and then your people. You have to have an understanding and visibility of those.

Whether you’re leveraging a cybersecurity framework such as NIST, the Golden Triangle concept is always going to be a foundational and fundamental part of it, because you need to go through and identify all of those technologies, all of those processes, all of those people across that program that you’re looking to enhance or iterate on.

So I think that helps paint a broader picture, and for organizations that heavily rely on a cybersecurity framework, I’ll call out NIST again, or the National Institute of Standards and Technology, to build their security program, it cannot happen without that Golden Triangle.

04:16: How do you recommend approaching asset inventory, especially when starting at a new organization?

Nabil: So, Bindi, I wanted to dig a little deeper into each of those components of the Golden Triangle, and let’s start with technology first. So a big challenge a lot of the leaders I talk to today, especially when they start in a new organization is around asset inventory. They often find that organizations don’t have a lot of the basics in place to have a true picture of what types of assets they have that are current and that are being maintained in a systemic way to give them the confidence that they have what they need to determine criticality of assets and where to focus their efforts on testing, and automation, and investment, etc. 

What do you typically think about when it comes to asset inventory, and how do you approach this challenge, especially when you start at a new organization? 

Bindi: I liken this back to one of the offerings that DigiCert has on the DigiCert One platform. Essentially what that goes out and does is, it has many different solutions in the platform, one being the trust life cycle manager. So for crypto assets, not only does it go out and discover and identify those assets, but it also manages those systems.

How amazing would it be if there was a singular solution to do that for configuration items? So we look at leveraging technologies so that we can have a firm understanding of what we are trying to protect. Because you can’t protect what you don’t know about, so first you have to know about the thing, and continuously, so it also can’t be a point-in-time assessment. 

But understanding what that CI is in a continuous discovery, continuous monitoring space, and then applying business context to it. And that is the other piece that gives businesses the ability to prioritize. In an environment where everyone’s running lean, and there’s more noise and alerts, and vulnerabilities, etc., than probably there are humans available, how do we apply business context to that CI and continuously evaluate the cyber risks against that? What are the vulnerabilities? Which of those vulnerabilities are actively being exploited in the wild? And then what is the priority of that CI to the business, however the business wants to define that. So it could be revenue affected, that could be compliance affected, that could be, let’s say, your organization leverages a Zero Trust architecture, there are certain applications and software that are a critical path to that.  

Applying that business context and then ensuring that it is continuously automated. And you have SOPs or standard operating procedures behind it. What I mean by that is, if you have a Tier Zero system that has a critical vulnerability on it, then maybe your organization has a zero-risk tolerance to that, and they’re going to drive auto remediation and have technology on the endpoint to patch that. Or maybe they can’t do that, and so their SOP is to not do an auto remediation as opposed to Tier 3 or 4.  

Not only does it allow the business to prioritize and apply business context, but if there’s an incident, whether it’s a security incident or an operational incident, you can leverage that same methodology to again prioritize. Do all the teams need to stop what they’re working on and dive in? Or can we wait till the sprint is over? Is this really a test system or a demo system? Having that understanding and that baseline so that you can also continuously track metrics to improve.

08:50: What are the unique challenges with managing crypto assets? And how do you use automation to aid the process? 

Nabil: So when it comes to your business, there’s a lot of cryptographic assets that you guys also have to manage beyond just regular assets that most normal businesses manage. What role does automation play in helping you manage that effectively? And are there any unique challenges that come with crypto assets that are different from traditional assets out there? 

Bindi: I think crypto assets – we’d be surprised at how prevalent they are in everything we do. When you go and log into your banking application, you want to trust that when you’re putting in your credentials that it is for your account. Or that you’re going to go to the doctor and you’re going to have an MRI scan done, you just innately trust that. Oh, your doctor is going to do this scan, and off you go, and you’re going to get the results from it, right?  

So these things are everywhere, and the life cycle of managing these certificates so that we can have that trust gets shorter and shorter. So how long will they stay valid, and if you don’t have automation to manage those where, if that cert expires, then you have the ability to auto-renew, to auto-update, to cycle out. There’s a new industry standard requirement, and you’ll be non-compliant if you don’t address it by that date. You need automation to make sure that all of that is updated.  

In a super connected world, we have to innately trust these things, from your software to your devices, to everything that’s connected and goes across the internet. Organizations can have hundreds of thousands of certs, and maybe they don’t even know about all of them. That’s where the discovery mechanism comes in. We’re in a unique position at DigiCert, because not only do we provide solutions for organizations to manage their crypto assets, but we drink our own champagne, because just like any other organization, we have to provide that digital trust internally as well. So without automation and without the people and the processes, coming back to the triangle, it would be almost impossible.

11:35: What are your thoughts on the impact of quantum computing on traditional cryptographic algorithms?

Nabil: You talked a lot about the certificates. And you know, we understand there’s SSL and TLS technologies that are protecting our world today and making sure we securely connect and authenticate and transfer data in a secure fashion.  

A lot of those are concepts that work today because they’re difficult computationally. So if you think of today’s cryptographic algorithms and things that we’re doing to encrypt data and transfer data, the reason they work is because it would take too long to try and brute force and decipher. The math is hard, and it’s hard for a computer to do right now.  

We’ve talked about this before where there’s the concept of quantum computing, even though it’s in its very, very early infancy, that potentially may change what the outlook looks like for traditional cryptographic algorithms as they are today.  

What are your thoughts on that? And looking forward, how do you think that’s going to impact everything that we’re doing today on the internet?  

Bindi: I was actually chatting with a few folks about this at Black Hat earlier this week, and the analogy that they put out there was, Hackers, the movie, it’s here. But no, we call it post-quantum computing. When those quantum computers are out, those algorithms can be broken. You need to be prepared for a world like that, just like we talked about. We need that digital trust, and everything is super interconnected. How can we trust it if that encryption is the mechanism in which we are gaining that confidence? That text that I sent to you is actually from me, and you’re receiving it as I intended, and we’re not playing that grade school game of telephone where the message alters down the pipe.

So, it’s something that we need to be cognizant of, and make sure again that we have that automation in place, so that when those crypto assets, those certs update, and when that position is available, you are getting the latest and greatest technology. Otherwise, you’re going to have to go and find all of your assets and see which versions you’re using, and then try to manually go through and update them. And I imagine a world where outages are inevitable if there isn’t automation and security implications, and breaches, because now you’re talking about the loss of encryption.  

It’s something that we should be cognizant of, but similar to your asset question earlier, of what do I do when I go into an organization? You baseline the maturity of the organization; you or I put in a risk acceptance process to gain an understanding of the types of iterations that we need to look at for the security program and various risk decisions, so that they can get tracked. But also the technology to now discover all of those things. It’s the same thing on that side, just a different lens. So you need to make sure that you have an understanding of it, where it’s located. When that day inevitably comes, you have the ability to recover from it quickly.

15:19: How do you guide decision-makers of an organization on risk acceptance?  

Nabil: I think that gives a perfect pivot point for us to then start talking about the process side of things, since you bring up the risk acceptance. From your perspective, are there certain heuristics or frameworks you’re using that help you determine when and what type of risk is okay to accept? And more importantly, you may not be the one accepting the risk. It may be the business accepting the risk, but you’re actually guiding them on what the risk is, and informing them on what the risk is.  

How do you approach that challenge? And how do you ensure that people who may not be security savvy, but they make risk-based decisions, and sign off on risk in a way, and have the right understanding of what that risk really means? 

Bindi: Sure, so we’re talking about earlier in an organization, right? And it takes a little while to get into the groove and fully understand the mechanics of an organization. It cannot be a siloed process, and this is where the people portion of it comes in. When I build a risk acceptance process, cybersecurity frameworks and standards are a great starting point, but we have to take the practicality of it, the practical approach. 

In many organizations, I haven’t seen very successful models of, hey, fill out this robust form. This one person on this one team is going to make decisions. And they’re gonna put it in a risk register. And they’re going to create Jira tickets to track.

The approach that I’ve leveraged is starting with SLAs for remediation, depending on the criticality of the security risk to whatever we’re talking about.

With that, that baseline also helps drive an automated approach as a step three or four into the overall automation process.

When you have those SLAs in place, let’s say you’re going to find a vulnerability, and you’re driving remediation, the SLAs should drive your tolerance levels. We’re not in a world of the sky is falling. Security practitioners need to be realistic, where the priority and the business context of that asset also matters when you’re talking about this vulnerability example. So with it, if they cannot do the thing within the timeframe that they’re asked to do it, this is where they file for a risk exception. But it should be a joint discussion.

So yes, the security leadership can support making that decision. But it’s right alongside our IT leadership. It’s right alongside legal, and our governance teams, and our privacy teams, and our compliance teams. Think of it more as a cohort that helps to make that decision.

But ultimately, if at that line, the security organization says, with all of these other factors weighed in, we do accept the risk on behalf of the business for this period of time, then that also gets documented.  

But if they don’t, then it has to go to the president of that BU or the top-line leader to accept that risk. And not only does that help, I’ve found, force accountability, so your level one engineer can’t file for an exception, because they don’t have the time to apply the patch on a critical system – it’s a critical patch needed – because their leadership will not sponsor that, so to speak. It also puts in a continuous improvement feedback loop to where our policies need to iterate in order to make sure that security is also supporting the business.  

It’s not just NIST. It’s not just ISO. It’s not just whatever comes out of the vulnerability scanners. It is a collaborative approach that looks at each of the scenarios and helps tie an organization together in making that decision. 

20:18: How can you foster trust within an organization to promote seamless collaboration in managing risk? 

Nabil: This then, leads to the whole third part of the triangle, which is the people piece. Now, when we talked about certificates and authentication, we have trust that gets built because we have things like certificates, so you know that you’re trusting the party you’re talking to. When it comes to the people side, you have to build trust again to actually collaborate and manage these risk management frameworks and processes, etc.  

How have you found that you are able to build trust, especially when you’re new in an organization, so you can actually start collaborating on how to manage risk across the firm? 

Bindi: I’m a firm believer that it’s important to be an active listener, especially when you are in your learning phase, and you’re learning about the organization. I have worked for and with a broad range of leaders, directly and indirectly. And there have been folks that have come in and wanted to drive a lot of change very early without having an understanding of why some of the things that are in place, are in place.  

And that sends a message, especially in established organizations, where everything that you did before this sucked. And here I am. I’m here to save the day. I can’t believe you lived life without me, goodness! What do you think those people are thinking? Like, check out the ego on that one. Right? We were here before you, and we’ll be here after you.  

So, having an understanding of how the business operates, why it operates the way that it does, and joining forces to set a goal and then work towards that goal, whatever it is. I see a lot of security teams, or I have seen a lot of security teams, want to go in and say, I’m gonna deploy this. We’re going to do DevSecOps – and great! 

But they don’t even talk to the architects, or the developers, or the engineers, and the CTO organization. Not great, right? Because they’re the ones that are living and breathing the programs that we put in place. So that collaboration is incredibly important, but also coming in and listening, having lots of conversations. Don’t just stick to your team or your security organization. Meet everyone, talk to everyone in all different levels and start baselining where you are and where the business wants to go, and how security can be leveraged to enable the business to get there safely, securely, and efficiently.

23:24: How does building trust differ between leaders who work in the cybersecurity program versus ones who don’t? 

Nabil: I’m very curious to understand from your experiences, are there certain differences when it comes to building trust and collaboration with leaders who work in the cybersecurity program versus leaders who don’t work in the cybersecurity program? And if there are, how do you manage that, and how do you bridge that gap? 

Bindi: I’m going to answer the second part first. So, I go back to my program management, project management, and leverage this thing called a DACI decision-making model. So I like to gain metrics of the teams, and understand their velocity, and work in sprints to do that. But DACI is an interesting concept.  

Nabil: Is that an acronym? I’ve not heard that before. 

Bindi: It is.  

The “D” stands for “Driver,” your “A” are your “Approvers,” your “C” are your “Contributors,” and your “I” is your “Informed.”  

If you were going to connect it to the more tactical RACI for project delivery, which is more common as a responsibility matrix, your “A” in your RACI, who’s “Accountable,” is your “D” in DACI, who’s your “Driver.”

So that puts some context there. When we’re building these programs or establishing the business requirements of my IAM program, and I’m going to put in a Zero Trust architecture, how am I going to go about doing that? It’s interesting to use this conflict resolution model, because we say security will be the driver for this, because this is a common security program, or pillar, or whatever – it’s so interconnected.

But your “Approvers,” depending on the level of impact of the program, are going to be multiple approvers. You can only have one Driver, though. So here’s your CTO and your CISO, let’s have a conversation about how we want to put these programs together. It helps bring that infusion and relationship together.

Where in older models or different types of models, security would be delivering something, and then you’d get a bulletin or a notice that this was done, and now you have to use it. It just helps that shared pain and faith for lack of better words. But it helps remove the conflict in those decisions. 

Nabil: What would you say is the key difference between a cybersecurity leader versus a non-cybersecurity leader?  

Bindi: I think it’s brass tacks. It’s as different as saying yes and no.

You have to find that medium ground. I think security is shifting, though. Instead of the “no,” it’s getting into the “yes, but.” We’re getting there.  

Nabil: I think that’s true. I think I meet more and more security leaders who understand that security has to be an enabler for the business, not a blocker. And how do you do that effectively? I think that cultural shift is coming, which is nice to see.

27:00: What advice would you have for anyone who wants to get into cybersecurity? 

Nabil: Another thing I would love your perspective on is understanding what you think, for people who may not be in the cybersecurity or a technical field today, given we understand there’s a talent shortage in cybersecurity, what advice would you have for them if they wanted to change directions in their career path and pursue something in the cyber space? 

Bindi: Do it – simple!  

Nabil: Nike. 

Bindi: Yeah, just do it, right? You don’t have to be overly technical, but you need to have an understanding of the goal you’re working towards.  

Nabil: Is there a certain mindset of people that you think thrive or do better in cybersecurity versus others?  

Bindi: I do – the people that are infinitely curious. You have to be a lifelong learner in this field. You don’t need to understand necessarily all of the intricacies of the technology, but you need to understand the why and the what, and bringing even the softer skills to that forefront. But if you’re not curious, you don’t want to live and breathe it, and you don’t want to get that call on the weekend or at night that there’s an event that you need to go and triage, then I would moderate what type of role you want in security. But I think there’s enough space for all different types of skill sets. As long as, you’re going to get out what you put in.  

Nabil: We’ll end with that mantra, then, just do it.  

Bindi: Just do it. That’s the mantra.

Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please reach out to us at podcast@netspi.com.