Later this month, cybersecurity executives from across North America will come together in Nashville, TN for our Transformational CISO Assembly. In anticipation, we had a chance to sit down with our Keynote Speaker, Michael Coates. Michael is the Co-Founder & CEO at Altitude Networks and former CISO at Twitter. We are honored to have Michael as a member of the Millennium Alliance Advisory Board.
Michael shared his insights on the changing role of cybersecurity executives, the biggest challenges in the industry and his role as an industry leader. Read on!
Despite what may be said in Hollywood’s portrayal of cybersecurity or even the marketing from some security vendors, you have to tackle the “basics” of security first. While this may seem easy from an academic perspective, achieving these core security tenets in any large organization, with numerous employees, constant deployments and a variety of technologies is actually quite complex.
This understanding of tackling core security challenges through automation is a key principle in how we’re designing our solutions at Altitude Networks. Security teams want to adopt tools that provide solutions to problems, not tools that require more work from the security analysts. As a result, we are striving to build a security solution for core data security challenges that works out of the box and does not require extensive configuration or “hand-holding” by the security team.
What expertise and knowledge did you carry over from your three years at Twitter to your new start-up, Altitude Networks? What knowledge has been key in leading both of these organizations through changes in the cybersecurity landscape?
A major piece of knowledge I took from my experience at Twitter was a great appreciation for tackling security from a first principles perspective and designing security for automation and scale. Second, it was a realization that in order to protect the most important element that a company contains, company data, you must move security as close to the asset as possible.
This “data first security approach” realization is an inversion of the “strong perimeter” defense we saw in the early 2000s. With the rise of outsourced workers, integrated business partners, and the adoption of cloud services and SaaS, the perimeter is no longer a trust boundary. Instead, security controls must be positioned wherever data lives with the assumption that an adversary could be someone in the world, or in control of a workstation inside your office. Further, security controls that require heavy amounts of human involvement don’t scale. Therefore, wherever possible security must be designed for accuracy and automation so we can build systems of automated defenses running continuously.
At Altitude Networks we’ve adopted the principles of “data first security” and “leveraging automation for scale” into the design of our security solutions. The reality is that massive amounts of sensitive enterprise data now live in SaaS applications like GDrive, Box, Dropbox, Office365 etc. and security must be integrated into these applications to prevent security breaches like data loss, accidental sharing, or incorrect access permissions. As we tackle this problem we are aware of the necessity to leverage automation and minimize the amount of human interaction needed to provide continuous security across a massive amount of information.
Digital transformation is something businesses, organizations and institutions cannot ignore. Cutting-edge network technology like 5G is the next generation of tech, so what technology developments are you keeping your eye on and looking to implement into your cyber-strategy this year?
The continued dissolution of the enterprise perimeter is a key focus that changes security risk models and assumptions. This is driven by the transformation from pure on-prem data centers to cloud hybrid deployments via cloud platforms like AWS, GCP and Azure and also the adoption of SaaS applications. As a result, we see the efficacy of security solutions that were designed for a previous set of on-prem assumptions quickly failing. The next generation of security solutions will be cloud-first to tackle core security tenets as they manifest in the cloud stacks.
My advice for CISOs and heads of security is to reexamine your existing security controls and question whether they will still provide value if/when your company adopts IaaS, PaaS, or SaaS.
Digital technology has been driving cybersecurity practice over the past few years. As we find ourselves deeper and deeper in the era of digital transformation, what advice do you have for leaders to stay one step ahead of transformation?
The reason technology has been driving cybersecurity practices is that while the basic objectives of cybersecurity are unchanged, how these objectives are achieved does change dramatically based on the specific technology involved.
My advice for security leaders is to lean heavily on risk-based frameworks for determining where to focus your team’s attention. It’s easy to be caught up by flashy potential risk scenarios, but they might not be the best use of time from a risk reduction ROI perspective. Second, to stay ahead of the changing technology, build relationships throughout your organization and share first principles of security with partner teams. By building strong relationships and focusing on core security principles, your partner teams can be advocates for effective and scalable security approaches that achieve your security goals without an overly cumbersome approach. Third, continue to evaluate security partners that are focusing on research and solutions on the new technology that, through your risk models, are high-risk areas for your business. It’s clear that for companies to succeed they must find ways to safely embrace new technologies without slowing or stifling the business.
In your experience, how has the role of a cybersecurity executive changed since you first began in the industry?
It’s changed dramatically in the fifteen plus years I’ve been in information security. For many years the concept of a cybersecurity “executive” did not exist. Security leadership was relegated to a team manager that was buried deep in the organization. Today, cybersecurity executives report to executive leadership, the CEO, or the board directly. The focus of the cybersecurity leader has also evolved. Previously, this role was tactical and very focused on specific technical issues. To be successful today a cybersecurity executive must drive strategy that is based on sound risk management concepts, understand changing technology to adopt and integrate the appropriate security controls, and also be an influencer across the organization to surface and escalate dangerous risks so partner teams drive them to resolution.
You have incredible knowledge of this industry. What do you think are the biggest challenges facing the industry and how can leaders overcome these challenges?
Security breaches can happen from a failure in any number of places in networks, operating systems, applications, purchased software or even people. When you think about it, the number of potential failure points is quite staggering and no one is impressed if 98% of them are secure; all the focus is on why 2% was vulnerable and led to a breach. Further, it’s not possible, or desirable, to have 100% security. Instead, our goal is the appropriate levels of risk mitigation.
Therefore, the biggest challenge in security is where to focus attention and how to appropriately mitigate security risks. For the first, we must keep maturing as an industry to focus on the real problems that present a large risk based on risk modeling – not just flashy security topics we see in the headlines. Second, we must also realize that we are facing a massive scale problem. Security must rely on accurate automation whenever possible and security processes must be distributed by design. Gone are the days of security choke points or operations that can only be performed by a small number of security experts – it just doesn’t scale.
What makes a CISO successful in the modern world?
That’s a tough one. There are several traits that will greatly help a CISO be successful. First, a CISO must realize that they alone won’t be solving the organization’s security challenges. The CISO must obtain executive leadership’s support for security and establish a culture of security across the company. Second, the CISO must realize that they won’t, and shouldn’t, attempt to eliminate all risks. Risk is inherent in business and the ability for business leaders to make risk-based decisions can determine the time to market, tackling a challenging market opportunity, or even whether to enter a particular space at all.
As a result, a primary focus of the CISO should be to build tools, systems, and processes that systematically lower security risks across the company. Almost equally important is for these processes to surface high levels of unaddressed risks to business leaders, along with the appropriate context and understanding, so a risk decision can be made by the business leader.
The notion of ‘risk ownership’ by business leaders is still a new way of thinking with cybersecurity leaders, but I think it’s a key approach for a successful CISO. We must realize that business decisions involve risk tradeoffs every day and the appropriate business leaders must have the information to make those decisions – and also own the rewards or repercussions of the outcomes.
We are very excited you are attending and keynoting our Transformational CISO Assembly this April in Nashville. What are you looking forward to at the assembly?
The field of cybersecurity is very challenging due to the unique overlap of technical, business and human behavior impacts. It’s also an ever-changing field where the path to success is not always clearly defined. As such, I am excited to interact with other security leaders that are tackling similar problems across challenging and diverse organizations across the country. I’m looking forward to sharing successful stories, approaches and even the challenges that we all face.
The cybersecurity industry is growing rapidly, yet still a small community, especially at the C-Suite level. Why is it so valuable for cyber executives to attend intimate assemblies like ours?
Building a strong network of security leaders is incredibly important for an executive to be successful in the field of cybersecurity. You can leverage this network to stay abreast of trends in security, to understand key security partners, or to aid in specific techniques or approaches to security problems. The best way to build this kind of network is through a small setting where you get face to face interaction with other security leaders. The Transformational CISO Assembly is a great opportunity to talk with other security leaders and build those connections that will help you throughout your career.
As a member of the Millennium Alliance Advisory Board, what excites you most about 2019?
Although the cybersecurity industry often focuses on our shortcomings, I’m excited about all of the progress we’re making as an industry. I believe 2019 will continue to show us that organizations who are bold and embrace new technology with integrated security can provide powerful products and technology to their users.
My hope is that one day soon security will no longer be seen as a cost center or ‘business drag’. Instead, it will be the catalyst that enables a company to safely embrace new technologies to deliver amazing products.
What is your favorite part of partnering with The Millennium Alliance?
Dedicated time with an amazing group of cybersecurity leaders from all over the country who are ready to share and learn from each other.
Thank you for joining us, Michael. We are looking forward to your Keynote later this month.
About the Transformational CISO Assembly:
The Millennium Alliance is thrilled to present our bi-annual Transformational CISO Assembly, taking place in Nashville, TN. With the instances of cyber attacks increasing, businesses of all sizes are working tirelessly to secure their networks, devices, and data. Fortune 500 organizations are especially vulnerable as they have big data pools and thousands of people who need access. CISOs need to plan for worst-case scenarios, stay ahead of the latest IT Security transformation technology, and maintain their company’s information assets, all without losing sight of the corporate culture.