Security Boulevard Exclusive Series: What I Learned About Being a CISO After I Stopped Being a CISO
In this series we’re talking with former CISOs to collect the lessons they’ve learned about the job after they left―either to work as start-up founders, consultants or vendor executives. The goal is to take the wisdom they’ve gained from broader exposure to other security and business leaders and deliver those lessons back to CISOs who are still in the hot seat. We hope the current crop of CISOs can take some insight from their former compatriots and use it to up their game while they’re still on the job. Read more about the series here.
Lessons From Erkang Zheng, Head of Product for JupiterOne at Healthcare Tech Company LifeOmic/CISO
When most CISOs are faced with the task of doling out their energy and efforts between organizational culture problems and technological problems, nine times out of 10 they’re going to look to solve those technical problems first.
“It’s easier to focus on the latter,” said Erkang Zheng, a longtime CISO who now devotes most of his time to building security products. But this natural gravitation toward quick technological fixes actually tends to exacerbate long-term culture problems and reduce security program effectiveness. “Companies add tools and complexity to the point where the amount of noise coming through makes it nearly impossible to understand what is going on.”
If CISOs are going to take their security programs to the next level, they’re going to have to devote more time to the cultural blockers and process problems standing in their way, and work to simplify their technology stack rather than piling more on.
Zheng has come to this perspective over a career in which he has bounced between the vendor world and the CISO’s desk. He’s worked for IBM Security, as a CISO advisor for other organizations and, most recently, headed up security at Fidelity Investing. In his time there he helped guide the company’s largest business unit through a digital transformation, which shifted security from an enterprise IT function to a core business function.
“Using a software-defined model within the product development teams (DevSecOps), it was a successful shift and a tremendous win for the organization,” he said.
Nowadays Zheng works for healthcare technology company LifeOmic. He pulls double duty at the company―he still works as a CISO in this position, but he’s also more prominently the head of product for one of the firm’s SaaS product lines.
“The majority of my time and energy is spent building a security product: JupiterOne,” he said.
This latest role has further crystallized his belief that “building a product is hard,” and that security leaders can greatly jeopardize their goal of reducing risk if they’re constantly seen as blockers to the innovation process.
“Security gets the bad rap for being a necessary evil, but it doesn’t have to be,” he said. The following are three ways security leaders can start breaking away from that perception of their department.
Don’t Be a ‘Control Freak’
One of the biggest pieces of advice Zheng has is to stop being a “control freak,” which starts by recognizing that not everything has to be centrally controlled.
“Decentralized controls can be a good thing, as long as you have visibility into them,” he said, noting that this has the added benefit of reducing the risk of concentrating privileges and giving attackers the chance to steal the keys to the kingdom. “Don’t create a ‘god mode’ for your attackers. Be distributed and focus on keeping things simple. Be as granular as you can to create granular access and a small blast radius. Rely on automation.”
Unclenching a bit also opens up great opportunities for improved processes. For example, Zheng is a big proponent of public bug bounties―if attackers are going after these flaws anyway, he noted, then why not take advantage of the power of crowds and find those flaws faster?
Most importantly, stop saying “no” so much. This is a huge perception-changer.
“Resist the urge to say ‘no’ and stop operating behind closed doors,” he said. “Once security is viewed as a blocker, your users will just find ways to get around you, giving you a false sense of security.”
Get Devs and Security Engineers Talking the Same Language
Application security is so incredibly important these days, but if CISOs are going to get a word in edgewise with developers who are elbow-deep in innovation, then they need to make sure their security team is communicating on the same plane.
“Working with developers and engineers, I’ve learned you need to speak their language. Their perspective is critical to success all around, so something I think is important is to put yourself in their positions―literally,” Zheng said. “Security team members need to become developers and developers need to have security responsibilities.”
This is one of the reasons why Zheng believes CISOs need to insist that security engineers learn to code. The other reason is that it can greatly help them improve security operations and automation.
“We live in a software-defined world now,” he said. “We need to learn to operate security-as-code.”
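The two ideas above, visibility over decentralized controls with no “god mode” and security-as-code, come together in the kind of small check a security engineer who codes would put into a pipeline. The following is an added example, not code from the article, from Zheng, or from JupiterOne or LifeOmic: a policy linter over role definitions that several teams publish independently. The role schema (`actions`, `resources`, `"*"` as a wildcard), the sample roles, the severity levels and the `MAX_RESOURCES_PER_ROLE` threshold are all constructed for this example and do not correspond to any real vendor’s format.

```python
"""
Security-as-code linter for decentralized access roles.

Added example (not from the article or any vendor). Each team keeps its own
role definitions; this check gives central visibility without central control:
it inventories every team's grants and flags the ones that create a "god mode"
or an estate-wide blast radius, and it fails a CI gate on the worst of them.
The schema and sample data below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed role definitions as several teams might publish them.
# "*" is a wildcard for "every action" or "every resource".
TEAM_ROLES: Dict[str, List[dict]] = {
    "payments": [
        {"name": "payments-deploy", "actions": ["deploy:write"], "resources": ["svc/payments"]},
        {"name": "payments-oncall", "actions": ["*"], "resources": ["*"]},  # god mode
    ],
    "data-platform": [
        {"name": "etl-runner", "actions": ["bucket:read", "bucket:write"], "resources": ["bucket/etl-*"]},
        {"name": "data-admin", "actions": ["bucket:*"], "resources": ["*"]},  # every resource
    ],
    "frontend": [
        {"name": "web-deploy", "actions": ["deploy:write"], "resources": ["svc/web"]},
    ],
}

# Constructed threshold: a role touching more resources than this is a hint
# that it should be split into smaller, more granular roles.
MAX_RESOURCES_PER_ROLE = 5


@dataclass
class Finding:
    team: str
    role: str
    severity: str  # "high" | "medium" | "low"
    reason: str


def lint_role(team: str, role: dict) -> List[Finding]:
    """Return the findings for one role; an empty list means it is clean."""
    findings: List[Finding] = []
    actions, resources = role["actions"], role["resources"]
    god_mode = "*" in actions and "*" in resources
    if god_mode:
        findings.append(Finding(team, role["name"], "high",
                                "wildcard action on wildcard resource (god mode)"))
    else:
        if "*" in resources:
            findings.append(Finding(team, role["name"], "medium",
                                    "grant applies to every resource; blast radius is the whole estate"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(Finding(team, role["name"], "low",
                                    "service-wide action wildcard; list the actions actually needed"))
    if len(resources) > MAX_RESOURCES_PER_ROLE:
        findings.append(Finding(team, role["name"], "low",
                                f"role spans {len(resources)} resources; consider splitting it"))
    return findings


def lint_all(team_roles: Dict[str, List[dict]]) -> List[Finding]:
    """Lint every team's roles and return all findings in one flat list."""
    return [f for team, roles in team_roles.items()
            for role in roles for f in lint_role(team, role)]


def inventory(team_roles: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Visibility report: per team, how many roles exist and which resources they reach."""
    report = {}
    for team, roles in team_roles.items():
        reached = sorted({r for role in roles for r in role["resources"]})
        report[team] = {"roles": len(roles), "resources": reached}
    return report


def gate(findings: List[Finding]) -> bool:
    """CI gate: True (pass) unless any finding is high severity."""
    return not any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    for team, summary in inventory(TEAM_ROLES).items():
        print(f"{team}: {summary['roles']} roles -> {summary['resources']}")
    results = lint_all(TEAM_ROLES)
    for f in results:
        print(f"[{f.severity}] {f.team}/{f.role}: {f.reason}")
    print("gate:", "PASS" if gate(results) else "FAIL")
```

Run as a CI step, the gate fails the pipeline only for the god-mode role, while the medium and low findings stay visible in the report for the owning team to trim on its own schedule. That keeps the control decentralized but the visibility central, which is the balance the section describes.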
Keep User Experience Top-of-Mind
“Security and compliance are the anti-user experience,” Zheng said. “They are inherently rigid and the tools for managing and enforcing them are worse.”
The worst part about it, though, is all of this rigidity isn’t keeping the breaches at bay. The constant breach announcements on the news are an all-too-stark reminder of that. The more CISOs can do to streamline their processes and technology, making things seamless for users, the better.
“What security and compliance need to be is simple, contextual and flexible,” Zheng said. “Day-to-day security operations should be logical and straightforward.”
Read the previous articles in this series here and here, and more about the series here.