Being a CISO is Hard with Alan Levine, former CISO of Alcoa

In this week's episode Dr. Crane talks to Alan Levine about his experience building a cybersecurity program, what he got right, what he would do differently, and why being a CISO is hard.

Alan is the former CISO for two Fortune 500 companies, Alcoa and Arconic, with over 35 years of experience leading global cybersecurity programs. He is also a founding board instructor at the Carnegie Mellon CISO program where he lectures to current and rising CISOs on stories from the trenches.

Show Notes


In this episode:

00:00 — Welcome

01:36 — Introductions

01:39 — Surprises When Building A Cybersecurity Program

03:32 — Dealing With An Audit As A New CISO

04:56 — No Credit For Successes, Credit For Failure

06:17 — Making Friends And Allies

08:09 — Effective Actions And Controls

10:17 — User Awareness and BYOD

13:24 — Building Trust With Your Users

16:07 — The Most Misunderstood Part Of Being A CISO

20:04 — Sign Off


Alan Levine:

LinkedIn — https://www.linkedin.com/in/alan-levine-43a226a

CISO Street — https://www.cisostreet.com/alan-levine/


Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/


Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/004-being-a-ciso-is-hard-with-alan-levine

Transcript

[00:01:21] Introductions

[00:01:21] Earl Crane: Alan welcome to the program.

[00:01:22] Alan Levine: Thank you. Good to be here, Earl.

[00:01:24] Surprises When Building A Cybersecurity Program

[00:01:24] Earl Crane: When you were needing to build a security program, anything that ever surprised you as something that was either harder than you expected when you got started, or easier once you got things rolling, than you thought?

[00:01:36] Alan Levine: Everything that I got into, certainly when I had my chance to create a global program for Alcoa beginning in 1997. Everything was hard, nothing was easy. I was on the job three weeks and suddenly the audit department, internal audit, delivered a report to me. It was their annual infrastructure audit of Alcoa's IT function worldwide. It had 21 major findings, including 17 in security.

[00:02:07] Alan Levine: And so I was three weeks on the job and I knew that the organization had just dug a hole for me that was likely deeper than I was ever going to be able to crawl out of.

[00:02:16] Earl Crane: That sounds hard.

[00:02:17] Alan Levine: Everything that I have ever done in cybersecurity has been hard.

[00:02:21] Alan Levine: Finding the right technology to fill a particular gap in a stack, hard. Keeping up with the technologies so that I would know what the next gen looks like, hard. Dealing with staffing in our organization and then maintaining it, sustaining those people in their personal lives in a cybersecurity world where the demands are 24 by 7, but I know that they need to be people too, hard. Developing and enforcing policy at the corporate level, very hard.

[00:02:50] Alan Levine: In my case I had the additional accountability at Alcoa. I wasn't just CISO, I was the chief privacy officer as well, which meant I spent most nights arguing with myself, hard. Everything about cybersecurity for me was always hard. And frankly, if I went out and became a new CISO today from scratch for a new organization, it would be hard all over again.

[00:03:17] Dealing With An Audit As A New CISO

[00:03:17] Earl Crane: Let's wind that back a minute for someone who's new in a CISO position. Put yourself back where you came in three weeks on the job. You just got 17 findings for information security. How did you deal with it then, and more importantly, if you had to do it a second time for a new CISO that just had that dropped on their lap, how should they deal with that?

[00:03:37] Alan Levine: Yeah. Well, I'd start off by taking your chief internal auditor to lunch. Right? And make sure you pick up the tab. I didn't the first time around, I would do it the next time. I'd probably take them out for a nice steak dinner.

[00:03:49] Alan Levine: The internal audit often seems like the adversary, and we get confused about that. We have to remember that our internal audit function is our friend. They are our partner. It is our cooperation through our work and their inspection, their assessment, that combined create what I hope will be an ongoing in control and capable environment.

[00:04:13] Earl Crane: What do you mean by in control?

[00:04:14] Alan Levine: In control, meaning we've established the controls we believe are important. The audit department is a system and yes, they make sense. And yeah, we seem to be mostly adhering to them. And capable meaning that we're capable of doing the things that cybersecurity people need to do in order to sustain themselves, the program and the company. I always said that you could boil down a CISO's job description to three words: protect the organization.

[00:04:41] No Credit For Successes, Credit For Failure

[00:04:41] Earl Crane: A cartoon from a while back in the Washington Post: things you never hear in the office. "Boy, I feel secure today." "Everyone's feeling very secure today." "Isn't the security great today?"

[00:04:52] Alan Levine: Exactly right. It never happens, exactly. That's it. Although I rarely had a situation where I ever got credit for winning, because the threats were never going to lessen. I believe to this day that we will never be more secure than we are today. More cyber secure than we are today. The risks will continue. The solutions will try to defend.

[00:05:14] Earl Crane: That isn't a very optimistic picture.

[00:05:16] If you've ever played sports, you know, offense is better than defense.

[00:05:19] Alan Levine: The bad guys get to play offense. All we can do is play defense. Some of us do it well and still lose. Some of us do it poorly, and by the grace of who knows what don't get in trouble.

[00:05:31] Alan Levine: They say the average tenure of a CISO now is about two years. I think there's a reason for that. And it's not just because they burn out or because they move on for better comp, and I've heard those excuses.

[00:05:42] Alan Levine: No, I think it's because they fail. They may fail personally to the point where they don't think they can do the job well. They may fail organizationally to the point where the organization decides it's time for them to go. But failure when it comes to cybersecurity is absolutely an option. And if you're going to be a CISO, part of the program.

[00:05:59] Alan Levine: It's part of the program.

[00:06:00] Earl Crane: Yes it's part of the package that you signed up for.

[00:06:02] Making Friends And Allies

[00:06:02] Earl Crane: You said earlier that one of the things that works is making friends, allies with your internal audit.

[00:06:09] Alan Levine: Sure, in the audit department, the legal department, the procurement department, in your executive council, you should know your general counsel, and he should know you. I do not recommend ever that a CISO report to a CEO because he, or she, will never have time for you.

[00:06:23] Alan Levine: They're running a very large operation and cybersecurity is a subset. Additionally, if you have an enterprise risk manager or officer, you want to get very close with that person. If you have a physical security operation in your company, short of convergence between cybersecurity and physical security, you want to make sure that you work very closely with those folks. They're putting in swipe card readers, which are feeding over your network in order to get to computers that you are accountable for securing.

[00:06:50] Earl Crane: That's a lot of different parties to work with. How did you do it?

[00:06:53] Alan Levine: In my case, I thought it was critically important to get as close as I could to as many users as I could, starting at the supervisory level and working my way down.

[00:07:03] Alan Levine: And at its zenith, Alcoa was a company of over 300,000 FTEs. That's a lot. Add on another 75,000 or so contractors and consultants, and you're at a small city. And my goal was over time to meet or speak with as many of those individuals as I could.

[00:07:25] Alan Levine: Either on the phone, in a colloquy where I was addressing a group, on a trip, or I would meet them, whether it was in Székesfehérvár, Hungary, or whether it was in Perth, Australia, or Poços de Caldas, Brazil. I might not speak their language. They might not understand everything I was saying, but the fact that I would show up meant a lot to them.

[00:07:46] Alan Levine: And they became not obstacles to what I wanted to get done in cybersecurity. They became facilitators, because of that.

[00:07:54] Effective Actions And Controls

[00:07:54] Earl Crane: As you look past at some of the things that have worked, what actions or controls have had a greater effect than you expected? What can you look back on and say that was a really smart one?

[00:08:05] Alan Levine: Yeah, I would say number one top of the list for me would be end-user education. Awareness training. I missed the boat on that the first two times I could have grabbed that brass ring and I didn't bite. And I paid for it. We were not doing annual phish testing. I wasn't going out of my way to train my users.

[00:08:23] Alan Levine: So I considered every one of my users gullible, envious, sometimes half brained. They were easily distracted. An Amazon gift card was always going to get their attention, an offer even if it was for $5. And so, the French philosopher Sartre had a definition of hell. His definition of hell was "hell is other people." I had 300,000 other people, and they were all my hell. There's a lot of hell.

[00:08:51] Alan Levine: And so, I think the first brass ring that I finally grabbed after two failed attempts was in a formal awareness program. I think that the more you can do to train your users to identify a phish, to identify a suspicious website, to think before they click. At that level, it's all about binary choices. Open the email or don't, open the attachment or don't, click on the link or don't, there is no third choice.

[00:09:17] Alan Levine: Over time I learned the value of helping my users make the right choices.

[00:09:22] Help users make better decisions.

[00:09:24] Alan Levine: I would reinforce awareness training, which doesn't cost that much, but has an amazingly high value rate of return if you do it right. Your user is truly your last line of defense. That's when all of your technology has failed, all of your policy has failed. The email somehow made it through all of your SMTP filters.

[00:09:46] Alan Levine: And now it's sitting in a user's Outlook inbox, and now they have to make that choice that I talked about earlier. The more you educate them, the better off they'll be, and the better off your program will be as a result. Bang for the buck. I'm not sure that you can spend your money more wisely than on your users.

[00:10:02] User Awareness and BYOD

[00:10:02] Earl Crane: So to reinforce your user awareness, one of my favorite stories: I had an old boss who we did not know it was him for the first year, but if you ever left your laptop unlocked, and you got up and walked away, and he walked by, he would reply all to the entire organization. For the longest time, people couldn't figure out who it was, but people did make sure to lock their screens. One of the places where I really always wanted to do something more than we could, and I tried and tried, had to do with managing USBs, because everybody's got a thumb drive and everybody has their, I don't know, their kid's high school graduation pictures on it, and they want to bring it in and plug it into their laptop and show it to all their colleagues. But you don't know what else might be on that thumb drive.

[00:10:49] Alan Levine: So we actually put a program in place where we got 500 thumb drives. On them, we put one file, just one. The name of it was "executive compensation." And then we took those 500 thumb drives and distributed them throughout our company's world. We left them in coffee rooms primarily. We left them in some cases right on folks' desks or underneath their chair on the carpet. We had 500 of them just to do it.

[00:11:19] Earl Crane: Dropping little digital grenades. And because each one of those would then phone back home as soon as they plugged it in.

[00:11:26] Alan Levine: We had them all set up so they would phone back.

[00:11:29] Earl Crane: I ran this exact same program using CDs, because USBs weren't there enough, and the auto run feature that was built in. It's very effective for the cost of a couple of thumb drives, because you find the name of the people that plugged it in the computer, you get their IP address, where they were. And next thing you can do is you can call them up.

[00:11:47] Alan Levine: Yeah. But then you go back to that conversation about trust and confidence, which is again, I firmly believe, the key to all of this: not technology, not processes, people. This is all about people trusting people.

[00:11:59] Alan Levine: The number of folks who, even when we now knew they had the thumb drive, they had plugged it into their company asset, they had opened the file that said "executive compensation," and then they closed it. To a man and woman, everyone that we confronted said, I didn't do it. I don't know what you're talking about, I didn't do it. Your data's wrong.

[00:12:23] Alan Levine: Invariably, in most cases, if they found it in a coffee room, after they opened it up and a message came up saying basically you've been caught. Why did you do this? Don't you know the dangers of USBs? They shut down their laptop, and they ran back to the coffee room and put the USB back where they found it. They had some plausible but not really viable deniability. Right. They lied to me. And so I walked away from that exercise believing maybe that wasn't the right thing to do, because to have so many of my users lie to me means they don't trust me. And if they don't trust me, we're back to the original problem, aren't we? Right.

[00:13:00] Alan Levine: They won't do what I want them to do, and they won't be my last line of defense after all else fails if they don't trust me.

[00:13:09] Building Trust With Your Users

[00:13:09] Earl Crane: And that leads into maybe not even user education, but how do you increase the level of trust with your users?

[00:13:16] Alan Levine: And I think you increase it, A, by not surprising them, not playing tricks on them. I think you can do a phish test. I think people are wise enough to the risks of email and phishing and SMS vishing, right.

[00:13:30] Alan Levine: That they will understand when and why you're testing them. But as you begin to blow that out to USBs and all the other ways that we can test their behavior. We had this conversation with some of the folks that I work with in the industry; we call it the carrot and stick, right.

[00:13:48] Alan Levine: So if someone fails to behave the way you really wanted them to, whether they were trained or not. Let's say they were trained. And because of that, you bring the stick down on them. You tell their boss, it affects their comp, they get three days without pay, anything's possible. Companies can do nefarious stuff to their employees.

[00:14:07] Alan Levine: I think that ends up being sour talk at the water cooler. And invariably, everybody is now saying, boy, you know our real villain is Alan, and it has the exact opposite effect of what I was hoping to get out of it. I was hoping to bring more folks into the tent and instead all I got was angry.

[00:14:27] Earl Crane: So something to take away for a new CISO, one that's looking at security awareness programs that they're considering is that a number of them may blow back in ways that they did not anticipate. And it might actually be, if not more dangerous, at least maybe more damaging.

[00:14:44] Alan Levine: Sure. What is it, I mean in part, does a CISO really have to have an advanced degree in psychology? I mean, in order to do his or her job? Maybe, because if it's true as I believe that at the end of the day it's all about people. Well, then you better know a lot about what motivates people.

[00:14:58] Earl Crane: You're trying to socially engineer your employees to have better behavior. So yeah, you do need to be a psychologist as well.

[00:15:06] Alan Levine: You want to teach them to do the right thing. That's all, it sounds so simple, but people are people and the right thing is hard.

[00:15:13] Alan Levine: And that was an ongoing struggle for me till the last day. What am I going to do? Replace my entire population of users because they have now gotten to the point where they have no trust in me?

[00:15:24] Alan Levine: No, I think it's really important to build that trust in every way that you can. And so I actually went out of my way to embrace BYOD once I learned that most of our users wanted it, and then worked with our lawyers to try and craft an EUA that was benevolent instead of malignant. Right. And that was very difficult with our lawyers because they wanted a much harder line. And then I didn't do things like USB tricking again.

[00:15:52] The Most Misunderstood Part Of Being A CISO

[00:15:52] Earl Crane: One of the last questions I had for you is, what's one of the most misunderstood things about being a CISO, but I think you've actually started to answer it already as needing to be a psychologist as well.

[00:16:03] Alan Levine: Yeah. Yeah. But you need to be more than that. What is a CISO? He's a psychologist, because he or she needs to understand people. He's an anthropologist or an archaeologist, because he's constantly referring to history, right? A CISO needs to be able to look back in order to find out what happened, in order to figure out what to do now or in the future. Not just in terms of having lessons learned from events, but even in terms of how much data you're collecting in your SIEM, right.

[00:16:30] Alan Levine: It's history, but it's valuable history. When we set up our SIEM in the beginning, we put it in a cloud and I remember the vendor, the supplier's saying to me, well, you know, the average customer is keeping two weeks worth of data.

[00:16:42] Alan Levine: I said, I want to keep a year. They said, why do you want to keep a year? I said, because you'll frown on me if I say 10 years. So we'll just keep a year. A CISO will always have one less day's data than they really needed. That is the truth of forensics, right, of cybersecurity forensics. I only wish I had Tuesday.

[00:17:01] Alan Levine: I think invariably we are, all of us in the cybersecurity profession, archaeologists and anthropologists as well. We're studying the culture, and that's the anthropology part. And we're digging the dirt of what may have happened 10 months ago on some part of our network or some part of a cloud that we're related to, in order to find some evidence of something that is impacting us now. I mean, invariably you get the call from government, and they tell you that Houston, you have a problem. They're not going to say you have a problem now. They're going to, it's going to be past tense. You've had a problem. I think that a CISO also needs to be a finance expert in order to manage the budget. And frankly that means that at the end of the day, they better be a combination of Harry Houdini as a magician and an amazingly Nobel Prize worthy mathematician. And I think in some organizations you have folks who are really good technologists as CISOs, but don't know how to manage money. In other organizations, you have folks who are really good at managing money, but aren't really good technologists.

[00:17:58] Alan Levine: I think you want to be as good as you can at all of that. I'm not sure that there is a category psychologist, anthropologist, archaeologist, mathematician. I'm not sure that there's a category of CISO that doesn't need to be. I have had the situation where one of my users was having the first outbreak of a devastating personal cyberattack on her and her family and her home. And I and a member of my team got in a car and drove, I don't know, close to 80 miles, one way, in order to get to her, in order to see physically what was going on. And so now what was I? Now I'm making house calls. So I'm a doctor, right. So, and maybe

[00:18:41] Earl Crane: Doctor, nurse and therapist.

[00:18:43] Alan Levine: That leads me maybe to the last notion, if we're wrapping up, Earl, which is that, in a sense, we are, CISOs are doctors. But we have a very specialized problem as doctors. Which is that our job is to sell medicine, a solution, to our population, to our organization, that tastes bad. So it's going to be disruptive. It's going to be a real yuck in the organization to have to do this. Burdensome. That is painful in some cases; think about a horse pill that you might have to take that a doctor prescribes for you.

[00:19:19] Alan Levine: That is too expensive, and everything in medicine today, especially pharmaceuticals, too expensive. And most importantly, for a condition we may not even believe we have.

[00:19:30] Alan Levine: So I'm trying to sell you.

[00:19:31] Earl Crane: The diagnosis might even be wrong.

[00:19:32] Alan Levine: That's right. So a CISO is trying, in some cases, it may be apparent to an organization if not to him or her. It's too painful. It doesn't taste good. It costs too much, and it may not work anyway. And by the way, that is the definition of most cybersecurity defense programs.

[00:19:49] Sign Off

[00:19:49] Earl Crane: Alan, thank you so much for sharing your insights, your experience, and wisdom, some hard stories and some personal stories here on the CISOWise podcast.

[00:19:58] Alan Levine: Thank you.