Episode details:
Meet Lee Vorthman, a seasoned Chief Security Officer (CSO) known for his expertise in cybersecurity program maturity and team leadership. Throughout his career, Lee has navigated the intricate phases of security program maturity, a journey he reflects on during this episode of Agent of Influence.
From establishing robust frameworks to optimizing existing controls, he explains the progression of security programs at any stage of maturity. Moreover, Lee emphasizes the significance of fostering a mindset of continuous improvement, both professionally and personally, a philosophy that has propelled his success in the field.
Get to know Lee as he discusses how to respond to security events no matter what stage of maturity you’re at.
Show notes:
- 09:50 – Phases of security program maturity
- 20:29 – Building a mindset for continuous improvement
- 23:25 – Metrics to measure the efficacy of security controls
- 28:48 – Handling breaches based on security program maturity
- 32:36 – Activities outside of work for success as a CSO
How do you define the phases of security program maturity and what framework do you use to understand the program’s maturity?
This can be simplified into three main phases.
- Entering a new environment: The Chief Security Officer (CSO) has the freedom to establish the program from scratch.
- Joining a company with an existing program: This is the most common situation where the security program needs to be matured or adjusted to align with changing business needs or industry standards.
- Existing company facing challenges: This is an uncommon situation where the company is facing decline due to factors like budget cuts, layoffs, or mergers.
It’s important to assess the situation and implement a suitable security framework, such as NIST or ISO, to establish a baseline analysis. Keep the approach simple, starting with actionable steps and iterating on them. Regardless of the phase, it’s important to have a repeatable process that can be justified, especially in the face of audits or legal challenges.
In the subsequent phases, the focus shifts from establishing controls to filling gaps and maturing the program, or in the case of decline, reassessing priorities and managing risks effectively. In declining scenarios, difficult decisions may arise regarding what actions to take or risks to accept.
“I personally like to keep it very simple. You can go super deep if you want, but I keep it simple just to get going and then iterate on it going forward. Once you have a decent picture, you can then start to inform a plan, make a strategy, and figure out how you want to move forward. Whatever you do, make sure that it’s repeatable.”
Are there certain skills or helpful mentalities that build momentum for continuous improvement on a security team?
Continuous training on new technologies and obtaining certifications are great ways to stay current. Additionally, evaluating how controls are implemented and refining metrics over a security program’s lifecycle are ways teams can push themselves to evolve.
Initially, when establishing a program, the focus may be on confirming the presence of controls. As the program matures, attention shifts to enhancing efficiency, such as reducing incident response time. Lee shared his leadership approach of consistently encouraging teams to pursue improvement, acknowledging the rapid evolution of technology and the need for constant optimization.
“For me as a leader, I’m continuously pushing my teams. When they come to me and they’re like, ‘We did this thing,’ or ‘I got this certification,’ or ‘We improved this,’ or ‘We automated this process,’ or ‘We have better reports,’ I’m like, ‘Cool, what’s next?’ I’m not doing that to be mean. Let’s celebrate the win, but what’s next? You want to be continually pushing yourself because, to your point, windows of vulnerability are super short. When a new patch is released, it’s hours before there’s an exploit created from that vulnerability.”
There’s no one-size-fits-all, but what metrics have helped you understand the efficacy of various security controls?
Fundamental metrics used in evaluating security programs can start with the binary assessment of control implementation and then ladder up to verification of implementation.
As programs mature, metrics evolve to measure efficacy, such as reductions in incident response time and the level of automation. It’s challenging to define metrics initially, but adopting an iterative refinement process is key. At the beginning of each year, Lee sets high-level goals and breaks them down into actionable metrics and key performance indicators (KPIs) with his team leaders.
While it’s difficult to accurately measure metrics due to data collection challenges and the presence of unknown factors, Lee stressed the importance of ongoing measurement to ensure the effectiveness of technical implementations.
“I feel like it’s easy to say, yes, we want 100% asset inventory, but it’s really hard to verify that you have 100% asset inventory. There’s shadow IT and there’s people doing stuff that they shouldn’t be doing. How do you actually measure the unknown unknowns? The work of technical implementation is not when the project is done. The project is done when you’ve met your metric of doing the work. You’ve established and are reporting and pulling out evidence that you are meeting the KPI or the metric that you set. If you’re not doing that, then you don’t know whether or not the technical work that you did is effective.”
If a breach happens, especially for a program that’s at a novice level of maturity, what advice would you give that CISO on how to deal with it and what next steps to take?
In situations where you’re still establishing or building out your security program and haven’t fully developed capabilities like playbooks or a dedicated security operations team, it’s crucial to be ready to roll up your sleeves and get to work. In these early stages, you might find yourself on calls guiding decision-making without all the formal processes or well-established teams in place.
Leading the team at this point involves helping them make decisions and managing expectations, both internally and with key stakeholders. Externally, you’ll need to provide regular updates to executives, informing them of the situation and its potential impacts on the business. Internally, you’ll assist your team in prioritizing tasks and managing the chaos that often accompanies incidents or breaches when essential processes are still being developed.
If you’re in the early phases of your program and haven’t yet ironed out all the details or even hired key personnel, that’s all part of the process. It can be both challenging and stressful, but it’s also an opportunity to draw on past experiences to guide your team through these events.
“If you’re in the early phases of your program and you haven’t quite gotten everything as well-oiled as you want, or you haven’t even established some of these things, maybe you haven’t even hired your leader for security operations or DART or whatever it is — that’s you. Welcome to the show! Those are fun, but they’re also stressful. You look back on those and you’re like, wow, what were we doing? But at the same time, that’s your job, and hopefully you’re pulling in on past experience that you have to be able to help the company and your team navigate those kinds of events.”
What activities do you do outside of work that set you up for success as a CSO?
With topics like CSO burnout and imposter syndrome circulating widely online, this question is relevant to many people today. Many of the life choices Lee makes outside of work are aimed at enhancing his performance at work.
For instance, he prioritizes mental performance, not just for work tasks but also for managing stress, anxiety, and decision-making during emergencies. This skill isn’t commonly honed, despite the emphasis on physical fitness. Thus, he advocates for activities like meditation and mental performance training to strengthen and coach the mind as much as we do our bodies.
Outside of work, you’ll likely find him exercising or engaging in activities to decompress the mind, such as reading books or listening to podcasts. He’s particularly drawn to content that offers insights into self-improvement, like the Huberman Lab Podcast, which explores various ways to enhance performance.
“You can touch all your fingers together, you can maybe wiggle your ears, you can operate your body physically. But how many people spend that much activity, training their minds? The answer is probably not a lot. That’s why meditation and mental performance is such a big booming industry, because people — in my belief and I’m a huge proponent of it — should spend as much time on trying to strengthen, train, and coach their minds as they do on their bodies.”
Lee Vorthman is a U.S. Navy Veteran with more than two decades in the technology sector. Lee is the CSO for Oracle Advertising, responsible for overseeing the security strategy and operations for one of the world’s largest digital marketing and advertising platforms. His experience has given him a wealth of expertise that he shares through his blog, 370 Security, and a weekly Q&A series, CISO Question Of The Week, where he shares his perspective on the most important topics on CISOs’ minds today.