LAST UPDATED February 3, 2022
Welcome to ThreatX Security XChange – our blog series featuring security practitioners and leaders doing the day-to-day hard work of keeping our systems and data safe from cybercriminals. We started this series simply to shine a light on those in the trenches, fighting one of the most important and least-understood battles of this generation. We want to not only highlight their work, but understand a little more about their pains, priorities, passions, and pet peeves. We hope you enjoy these profiles; let us know if you’d like us to tell your story!
For this Security XChange, we sat down with Jeff Gardner, CISO at Germantown Technologies, who has extensive security expertise and experience, including leadership positions at Rapid7 and Landmark Health.
ThreatX: You’ve had a varied career in the security industry. What role have you enjoyed the most?
Jeff: I would say the CISO role. It’s one of those unique positions where you need enough technical acumen to be a leader for your operational people, but you also have to be a storyteller, part-time psychologist, and fluent in the language of business. Suddenly, you have to be able to talk about things like EBITDA and market cap because part of your team is technical, and the other part doesn’t understand anything technical; they just understand risk and finances. So, it’s this weird, blended role, which is challenging, and I like that.
ThreatX: As a CISO, what would you say are your core responsibilities to the organization?
Jeff: The first core responsibility is obviously keeping the organization safe. It’s not just necessarily keeping data safe, but also the organization’s reputation. In addition, there’s a responsibility to ensure that security is not a hindrance, but rather is built into the fabric of the organization and can move at the speed of business. And part of that is making sure that everybody’s aware of the challenges at all levels — from user to boardroom. Security leaders often take the boardroom more seriously, and we don’t go down to the user level and ask, “What’s your experience been with security? What are the roadblocks? What do you like? What do you not like? How can we work better with you?”
Bottom line: User experience matters. So, if you’re not taking into account the user experience in making security decisions, it doesn’t really matter if it’s making you more secure. If people hate it, it’s not going to work.
ThreatX: What are the first 3 things you look for when evaluating a security vendor?
Jeff: The first step should always be to ask, why are we looking at a new technology in the first place? A lot of people will jump to a technological solution when it may be a people or process issue, or something else. When a security analyst or engineer comes to me and says, “We should go look at this vendor. They have a really cool X,” I always recommend taking a step back. Why are we looking at this? What’s the problem? Why is that a problem? Can we arrive at a root cause? And once we have a root cause, let’s figure out what the best solution is for this root cause. And if it happens to be a vendor, great. How will this vendor meet that use case? Is it a product? Is it a service? Is it professional services? And how does this fit into our overall scheme? Because I’m not a fan of buying point solutions. If we have a problem, can one of our existing solutions meet this need, even if it may not be a perfect fit? Because now, we’re going to add another agent, or another API connection, or more complexity to my stack.
ThreatX: As a CISO, what metrics do you care about?
Jeff: I don’t like to motivate people out of fear, but I do like to give executives the real picture of what we actually deal with on a day-to-day basis. Percent alerts generated vs. investigated is one of my favorite metrics. Because it’s typically something like, we have a million alerts in a day, but we fully investigate only this tiny percentage. And then there’s the realization that we have 900,000 alerts that we’re not looking at every day, and there could be potential attacks in there. That starts translating into risk. Any metric that I can use to actually show the business risk, I love it.
Dwell time is another metric I like, which is our mean time to detect, mean time to respond, mean time to contain, and mean time to remediate. If the time is really high, we can ask why. Is it a people problem? Is it a process issue? Is it a technology issue?
I would say, with metrics, always come with a solution. If you know you’re presenting executives a metric that has an issue behind it, come prepared with a solution. I made this mistake early in my career. I was making statements like, “We’ve got all these alerts. We need more people.” And that was met with, “Do we really need more people? Have you really thought this through?” Now I provide the evidence, the business case, the justification, the effect on risk, the cost, and the three-year plan. When you proactively answer all the questions that they could possibly ask, then it’s usually “okay, sounds good. Go ahead.”
ThreatX: On the subject of dealing with a mountain of security alerts, how do practitioners, like the SOC analysts, begin to think about triaging alerts or prioritizing them?
Jeff: It’s going back to the basics of asset management, software management, network baselining, and user baselining. You have to know what’s critical, and what’s supposed to happen in your environment, and then you can very easily identify what’s normal, and what’s not. And if the not normal things are happening on critical systems, critical users, or critical processes, they warrant further investigation. But the injection of automation and threat intel into that mix also greatly helps.
I always say, if you’re doing something more than once — if you’re doing it twice in a week, or three times in a month — you need to stop and say, how do we automate this? I want my team dealing with edge cases. Anything that’s standard, what can we automate out? And if we can’t automate the whole thing, how much can we do so that it makes your lives easier? Can we automate 50%, 80%, 10%? What can we do to make this easier on you so you’re not spending your time spinning your wheels on this nonsense?
ThreatX: What do you wish more organizations knew about detecting and responding to breaches?
Jeff: I would say, the dynamic nature of threats. It’s one of those issues that I have with compliance and regulations. Most people will think if we’re PCI compliant, we’re secure. The reality is, we’re just starting. This is the ground floor. There’s often a misconception that once we get a security tech stack in place, it should just work. There are inevitable questions like, why are you requesting more budget, or why are you switching vendors? Or why are you doing X or Y? It’s because it’s very dynamic. And I wish they understood the dynamic nature of the threat landscape.
ThreatX: Speaking of the dynamic nature of the tech landscape, what do you think is next, what’s the next big security hurdle?
Jeff: We’re still working on the last big digital transformation. In fact, we haven’t even started tackling that one yet. We’re not even at the starting line; we’re prepping for the race to get started with the whole digital transformation and the move to the cloud. There are all these new facets. You’re used to dealing with internal calls? Now, you’ve got to open up APIs to the Internet. Now, you’ve got identities that spin up for seconds and then go away. You’ve got Lambda, you’ve got software, you’ve got infrastructure as code. How do you scan code for vulnerabilities when it’s not actually a system that ever executes? We’re just getting started figuring out and catching up with the current digital transformation.
Our thanks to Jeff for sharing his insights and practitioner perspective with us.
Want to be featured in a ThreatX Security XChange? We’d love to hear your story – contact us!