On today’s episode, Jeff Schilling, the CISO for Teleperformance, joins us today to discuss the transition from a security career in the military to the private sector, the importance of relationships, and security in relation to the Cloud.
Transition from the Army to Civilian Life
Jeff recounts his career in CISO, first discussing Teleperformance, which he joined this year. He then dives into the 24 years he spent in the military, which ended with his retirement as a Colonel in 2012 from US Army. Though his army career was very varied, he loved every part of it.
When he left the military, Jeff did a 180 and decided not to work in government, which proved a more difficult path. He learned early on that the threat profile is very different in the civilian sector than it is for the military, as well as how that threat is discussed. One of the hardest parts of the transition is the lack of basic security knowledge or awareness in the civilian sector. In the military, everyone is speaking that language and thinking about security and security operations center. Listen to the episode to hear more about the challenges that Jeff overcame, and the insights learned.
Thorough Examination
One of the other important lessons the Army taught Jeff was diligence. He approaches every potential threat or breach with a thorough process. He believes that while many security officers excel in stopping a crisis in the moment, they forget to step back and assess why that crisis occurred in the first place.
Jeff speaks on how after a breach, many SOCs place the work on the IT team. However, he believes that everyone involved should examine what actually went wrong and make an effort to document the incident correctly. If the incident is documented thoroughly and accurately, then leadership has a better chance of properly understanding what occurred and how to prevent similar breaches in the future
At the end of the day, Jeff says “it’s what you measure, and how you measure it.”
The Importance of Relationships
Jeff next speaks on how he has witnessed many CISOs and CIOs say they will never work for each other. He believes this is the wrong attitude because those are all people that can help close your security gaps and make your job and life easier. He acknowledges that you don’t need to be buddy-buddy, but you do need to have an understanding of how someone else’s goals intersect with your own.
Jeff touches on how this relates to viewing the SOC as a whole. He advocates for a normalization of data across all sector in the risk management. Data needs to be translated into a risk statement that makes sense for that risk officer in order to show the gravity of the situation in a way that is clear and understandable. Listen on to hear more of Jeff’s thoughts on why clear communication and respectful relationships affect security.
Elevated Privileges
One area of security that Jeff points out is currently weak is the protection around elevated privileges. He illuminates how many major breaches have been a result of a security issue with those that have elevated privileges. For example, the lack of a two-factor authentication code for execs because they don’t want the extra step of looking at their phone poses a threat to security that could easily be solved.
The Security Environment in The Cloud
Jeff recounts a funny story in which he wound up speaking at Cloud Security conference as the expert for the Department of Defense, when only a few weeks prior, he had to Google what the cloud was. Listen to the episode to hear how this assuming antic occurred.
In talking more seriously about the Cloud, Jeff asserts that it’s actually easier to defend on the Cloud, as he no longer has to wait for someone to go to a data center and make sure all the right wires are in the right places. Now, he could design strong architecture via the software, with lots of efficiency gains and less overhead. In focusing more on building security around the Cloud, he emphasizes communication and integration between developers and analysts after the initial building of the Cloud software.
On this story, he also reflects on the importance of public speaking. While he does iterate that it is a learned skill, he encourages our listeners to speak at events if asked. He specified to leave room at the end of your speech for Q&A, as that is the most valuable part of the event.
Adversary Behavior in the Cloud
In order to fight against persistent adversaries, Jeff believes you need to have a rapidly changing, healthy environment. Unfortunately, he states that elevated credentials are still weak points in the Cloud environment, in addition to development staff being particularly under threat. Listen to the episode to hear more about the significant changes in security as a result of the Cloud and how to tackle them properly.
Tips for Security in the Cloud
We also expand our discussion to cover specific tips for analysts and developers listening the podcast now. Jeff says that the mindset for the response, containment and eradication is different for the Cloud. Instead of just individually fixing all the infected machines, you’re now looking more for the root cause, which requires a different approach than before.
The New CISO
Jeff believes that the new CISO needs to nurture relationships within his or her team or department, especially if the relationship is particularly adversary. He thinks that building healthy and trusting relationships not only benefits you and those involved, but the effectiveness of the team. He references what he learned in the army: “the jackass policy.” Listen to the episode to hear more about this policy!
Links: