The CISO's Dilemma: Balancing Security, Innovation, and Burnout with Ross Young

TL;DR

  1. Cross-training is key for CISOs. A CISO who specialized in AppSec should also build skills in other areas such as incident management, GRC, and people management, to name a few. And remember: perfection is the enemy of good.
  2. Communication is an essential skill for CISOs and security leaders. Two pro tips:
    1. Tailor your message to the team you are addressing.
    2. Just as AppSec teams build security champions in engineering, socialize your ideas and build champions at the leadership or executive level so that they become your voice for promoting the cybersecurity program.
  3. Before implementing a new security program, gauge what its effectiveness will be a year from now. Check whether it is cheaper, faster, and better than the current program. This is where hiring and surrounding yourself with experts and smart people will help.

Transcript

Host: Hi everyone, this is Purusottam, and thanks for tuning into the Scale To Zero podcast. Today's episode is with Ross Young.

Ross is the CISO in residence for Team8. Prior to this, he served as CISO of Caterpillar Financial and he was also a divisional CISO at Capital One. He has over a decade of experience with the CIA, NSA, and Federal Reserve Board. I definitely want to ask a question about that. Additionally, Ross has been an instructor at Johns Hopkins University and created the OWASP Threat and Safeguard Matrix. He's also designated as a boardroom-certified qualified technology expert and a CISSP as well. Ross, thank you so much for joining me on the podcast today.

Ross Young: You're welcome. It's my pleasure to be here.

Host: Thank you. Before we kick off, I just briefly did your intro. Anything you want to add from your journey as a security leader and as a CISO?

Ross Young: Yeah, you know, I was one of those fortunate people who always knew he wanted to do cybersecurity. You know, I grew up in Las Vegas and here we're famous for having all these magicians do things. And I was just always excited by learning about how they do these things. And if you know how the trick is done, it's really easy. But if you don't, you're just like, wow, that's like magic. It's so cool.

And I always found the same thing about cybersecurity. Once you knew, it's very simple, but if you didn't, it was kind of magic and it was something special to do and you could provide for a family very well. So I liked that and I liked leadership roles where I could kind of lead and determine my own fit. So choosing to be a CISO seemed to be a pretty easy career path for me to go forward. And I've had the luxury of doing it at Caterpillar over the last four years. And now I'm the CISO in residence at Team8 where I get to help lots of CISOs.

Host: I like how you drew parallels between magic and cybersecurity and being in the CSO role. And how you also related it to Vegas, right? Like, yeah, there are so many magic shows and things like that happening in Vegas. So love that. So today, let's say while working at Team8, what does your day look like? We generally ask this question to all of our guests and we get unique answers. What does a day in your life look like?

Ross Young: Yeah, so what I spend my time on is meeting and talking to hundreds of CISOs, right? So my goal is to talk to as many CISOs out there to understand what the current marketplace looks like, understand where their frustrations are, what they're working on and focused on for this year, and then also to understand what all the emerging technologies are.

So looking at, you know, cutting edge companies and the Israeli ecosystem and the San Francisco ecosystems to see, hey, this is new in DLP, this is new in cloud and all these other different areas. And then using those two things, what we do is we build companies.

We're a venture capital company. So saying, hey, I talked to a bunch of CISOs. They all said this is a problem. Maybe it's AI security, for example. And then I went and I looked at all the vendors on the Black Hat, RSA showroom floor and they're all doing this. I think there's an opportunity to do this other area that nobody's tapping into.

And so once we kind of figure out those ideas and then socialize them, going back to the CISOs to say, hey, is this something of interest? Would you look at this, doing this product market fit? That's really my role.

The other big thing that I do a lot of is generating content for CISOs. So a lot of times, you know, as a CISO, you may have had to pay, you know, $30,000 for a Gartner account or go to these expensive conferences. We give away all that stuff for free. So we have a huge CISO WhatsApp group, a CISO Slack group where you can talk to hundreds of other CISOs. We have monthly webinars where we bring in the best and the brightest to share those lessons learned with others. And so I put together all of that content to help CISOs in their roles. And I just think about, you know, how would I do third-party risk management? Well, let me go talk to some of the biggest, best companies who do that and then share those best practices with others. So I'm learning, I'm having fun, and I'm helping to improve the lives of and influence other CISOs.

Host: That's an amazing role to be in because you are not only working with CISOs, but you are also looking at the market trends. Sort of you are acting as a liaison between CISOs and also the market so that you sort of educate the market. You also educate the CISOs. Yeah, that's a lovely role to be in.

And one of the things that you highlighted was frustration. So maybe we'll talk about that to kick it off. But yeah, today's focus is around security leadership and vulnerability management. So before we kick off, one of the things that was highlighted at the Gartner Security Conference this year is that around 73% of the CSOs and security leaders in the US feel burnout at some level in their work life. What's your take on this? And do you have any tips on how to handle stress and burnout, any tips for security leaders?

Ross Young: Yeah, so there's often two things in burnout that I see. The first is resources are always tough. You know, sometimes your company doesn't pay the best prices. Sometimes your star employees leave to go to other companies and take better opportunities. Sometimes you have reductions in force and you're lowering the headcount in your current department because, you know, we're in this post-COVID lower sales environment than maybe before.

And so each of those things, when you have less resources, puts more burden on the remaining resources to include the CISO. So I think that's a huge area.

The second thing that I would also say is the regulatory pressures are higher than we've ever seen before. So if you were to go back five years ago, you never saw a CISO getting personally sued and held liable. And now we have two different examples of that that have happened. And so I think those are things where we just really say, okay, I'm taking a lot more risk. Maybe my salary went up by 3% but it didn't really go up to cover all this D&O insurance and liability and other things. And by the way, they just passed these new laws at the New York Department of Financial Services and the Europeans passed DORA and all these other things that I now have to show compliance for and put my name in writing.

And so now you have all of these complexities and it just kind of wears on you because if you're an honest and upright person, you want to give the most factual information that's there and you want to help your companies. But if you don't have the resources, it's a tough spot to be in.

Host: Yeah, you touched on a very key aspect, like budget and resources and also regulatory pressure, which are external, right? Which is not something that you can manage. So what would you recommend to the CISOs to do so that they can manage their burnout in these situations?

Ross Young: So I feel like as CISOs, we're trying to be perfect and perfect is the enemy of good. Right? If somebody expects me to have perfect cybersecurity, I got to tell you they have the wrong expectations. I can improve the organization. I can do lots of really good things, but I can't at any possible company stop every possible attack from every possible threat actor. It is impossible. There is no company that can truly stop everything.

And so I think we have to step back from that perfect security being the enemy of good to say, well, what does really good security look like? And what would I do to do that? And you may go back and say, well, this year I'm really worried about the Verizon data breach report. And they said, these are the top five attacks. Okay. I'm going to build a program that makes sure we can defend against those five attacks better than anything else. 'Cause those are the most common attacks that I'm likely to experience in the next six months. I can do that.

And then I can go back and I can say, well, hey, Mr. Chief General Counsel in my organization, what laws do I need to comply with? Because if you don't tell me a law, I'm not going to comply with it. Not that I would just go and break it, but I'm not going to get the evidence to show that we met all the requirements of this law.

So you got to tell me upfront and then I'm going to collect the evidence and make you look good. But if you don't tell me, don't surprise me like two months in, before the law certification and evidence is submitted, saying, hey, you got to sign off on this, when I don't even know if we're doing those activities. So stepping back and not letting perfect be the enemy of good, and then really focusing on what it is you're going to deliver upfront and then meeting that, I think that's the key.

Host: And I love the quote because that applies to every area, right? Not just security, but it's more important in security. As you rightly highlighted, you cannot fix everything. You have to find out what your risk tolerance is and based on that, you plan and prioritize what the top most critical risk is that you need to address. Love that. Now let's get into some of the security questions.

So you have spoken a lot about training next-generation CISOs and security leaders. And in your experience, what do you see? Where do you see a gap in the next-generation CSOs? What do they lack, so that you need to focus on and educate people on this front?

Ross Young: So the problem is there is no one typical CISO, right? CISOs come from different specialties and different backgrounds, and they're all beneficial, right? So you may have grown up in the SOC doing incident response, and you're really good at that. Or maybe you grew up on the pen test, offensive security, knowing how to hack in applications. Or maybe you grew up on the non-techie side in governance compliance and risk management.

Each of those backgrounds brings strengths and weaknesses, but what I find is, are you well enough cross-trained in the other disciplines so you become a complete CISO? So maybe if you grew up in incident response, you just never learned all the laws and regulations that you need to deal with, and you gotta plus up in those skills and understand that. Or maybe if you're on the AppSec side, you know, maybe you've just never really grown to understand how to manage people and what happens when you can't control resources.

They're the business developers, not your people, and you have to influence and change those. So I think the hardest thing about being a CISO is there are so many different things you have to up-level your skills in: you got to go technical, you got to go managerial, you have to learn leadership skills.

And then at the highest level, when you're in that CISO role, you have to understand politics and political skills in order to succeed. And so if somebody told you that, if you wanted to be a CISO, you had to learn how to do all those different areas, you know, that was a little bit of a surprise for me. And just figuring out how much I had to grow as a person and grow as a leader and grow as an executive.

Host: One thing that you highlighted, which I liked, is that at the end of the day the security team will find some of the gaps, but they will have to work with other teams. You need to influence, or you need to have that relationship with other teams so that they do the work, right? In a way.

Other than let's say having the influence, any other essential leadership qualities that you generally recommend or generally ask folks to train on?

Ross Young: I really think it's the communication skills. And I'll just give you a couple examples of where I struggled in my career so that maybe you can help some of the listeners. A lot of times I would ask questions and I didn't understand the questions I was asking were not the right questions to ask. So if somebody made a mistake, you might say, hey, why'd you do this mistake? And you think that's a harmless question and you're just trying to learn and help. And they feel attacked.

They feel like, you must be calling me an idiot. Of course, only idiots make mistakes, right? And that's not the case. And so I had to learn to change my language and my communication skills to say, hey, I don't know if you intended this, but when you did this action, here was the consequence of this action. And I'm just trying to understand why you made that decision. And now it's an observation. You're not attacking. You're just trying to learn. It's a very different conversation, but it has the same outcome of being something that can really help you learn, and it's without the negative side.

The other piece that was really, really key on the communication skills is sometimes I would be in a meeting and they would ask a question and I would give this idea that I thought was absolutely brilliant. And then everybody was like, and then they just moved on. And I was like, man, you know, they asked a question and nobody even cared or listened and they pooh-poohed my idea and I just didn't feel effective.

And what I realized was the way I communicated had to change a little bit. So if I really believed in an idea, I didn't really want to just throw that out in a meeting because it may not have that lasting change and impact that I wanted. So what I would do is if there were five people in the meeting, how do I socialize that same idea with the five people in one-on-ones before the meeting and say, here's what I'm thinking about. I think this would be really good, but I really want to get your perspective. I wanted to help this. How can we partner together to champion this idea?

And now after I did this with five people, then we go into the meeting, we're just signing meeting minutes and all agreeing to what's already been agreed to in those one-on-one conversations. And now I became so much more effective as a leader because I understood that communication didn't just happen in this meeting, it happened in the pre-meetings, it happened in the one-on-ones and all of those things that I had to do to really up-level my communication skills with asking the right questions and building the right communication styles.

Host: Yeah, I love both of those, communication and socializing the idea before just presenting it in front of everyone when they may not have the context. One thing on your first point about communication, how you communicate: psychologically, as humans, if somebody says something that contradicts our perception or beliefs or something like that, we shut down immediately, right?

Because it feels like a personal attack. So I love how you gave an example of how you can give feedback, but in a constructive way, rather than making the other person feel like you are attacking them, right? And they accept it as well. So you highlighted two strategies for better communication.

When it comes to, let's say, technical concepts or any complex security concepts that maybe you need to socialize with leadership or with your peers or even your team, any recommendations that you have?

Ross Young: So the first thing is you need to be smart on the technologies. And you're not going to know everything. But if I was going to oversee cloud security, maybe I might do personal training to get the Cloud Security Solutions Architect training under my belt.

I don't have to pass the cert. But if I took the 40 hours of training, I'd be a lot smarter because I did that. And then once I actually have, you know, that understanding of what we're trying to do under my belt and in my head, the next thing is how do I socialize things that are going to work?

And usually what I find is if you want something to succeed, it needs to be cheaper, needs to be faster, and it needs to be better. And I like to use this kind of problem-framing approach that says, okay, what's our current solution? And do we agree that this is going to get better or worse if we do nothing and we'll just wait for a year?

And most people are like, it's probably getting worse. OK, so we don't like what we're doing in our cloud security strategy. We think this is going to get worse because we're going to stand up new applications. We have no insight into the governance around those things. Well, what should we be doing? We should do XYZ. And then if we're going to do XYZ, how do we measure success on that? Well, what is our end outcome to say, hey, we know this is done. We're very happy with the results.

And you need to have those clear definitions of done that you can agree to in the group consensus. And once you have those things, you say, so this is what we want as our end state. And you told me maybe we buy this tool or we adopt this practice or we hire these people. Can we get there? And you just say, let's just wave a magic wand and say we did these things in a year from now. How might we complete everything we said we're going to do but still miss out on the objective?

Maybe we buy this tool, we spend all this time setting up the tool, but nobody ever uses it. Well, you didn't really change your cloud security posture if your developers never used the tool.

So there are things like that that you have to think through to say, how can it go wrong before it happens? And then when you do that, you start to say, well, what would we do to mitigate that? How would we make this more effective?

And when you go through these kinds of problem-framing strategy discussions, you get smarter, you think things through, you have clear definitions of done, you get that consensus, you analyze your alternatives, and you get to solutions that can really work well for your organization.

Host: I like the tip where you look one year down the line at what the value will be if you bring in a tool or if you implement a new process or if you bring in a new technology. So that way you are sort of re-evaluating, even though maybe the idea came from you, you are still re-evaluating or trying to see the value that you will get one year down the line before you come to a decision. And that can be applied.

Ross Young: Yeah, and it doesn't cost you anything other than a quick meeting to discuss it. But if you didn't do that and you built the technology and then it failed a year down the road, how expensive is that?

Host: Mm-hmm. Yeah, totally. So you spoke about having a good understanding of the technology. Now, let's say I'm a CISO and I come from incident management and I need to implement cloud security in my organization. What approach should I take to get familiar with cloud security? To develop that skill and to stay up to date with that skill. Any recommendations here?

Ross Young: Yeah, so the first thing is, I would always just say, you're never going to know everything. So always surround yourself with smart people who are going to know more than you. So I would not expect the CISO to be the cloud security expert. Hopefully you have someone on your team who does cloud security, unless you're a team of one.

And then once you have those people, listen to them. The second thing that I will say is, you want to go on a road show of cloud security vendors. So in cloud security, you might go talk to Wiz, you might go talk to Orca, you might go talk to Palo Alto and see their Prisma solution.

And you're going to see there's different things in each of the tools that you like and you dislike. But you're not going to know unless you go talk to all of them. And the more you talk to the vendors, the smarter you get on, hey, this vendor has this one capability that's really cool. Or this other one has this interface that's a little kludgy. Maybe the price is cheaper, but… I could just see how it would be harder for our developers to remediate these items because the actions they're telling are a little tricky. Or this one already integrates with our 10 existing tools and our ticketing systems and things like that. So you're going to start to figure out what you like and what you don't like.

But until you're looking at the latest, greatest state of the art of what the tools are, you're going to miss out on what you should be thinking about. So talk to the people. And then ask them for referrals. Say like, who are other CISOs who are using your tool? And I'd love to have a one-on-one with them. And then get the dirt on the company, right? You want to talk to them and say, hey, how's this gone for you? What did your developers like about it? What was hard? You know, the salesman, he's going to tell me it's only roses. What was something hard for you with this tool that you wish you would have known before you bought it? Things like that can always be just really good observations so that you figure out where the landmines are before you step on them.

Host: Yeah, that makes a lot of sense. Double-clicking on that. Earlier you highlighted that CISOs, if they are coming from one area, they should cross-train. Would you recommend the same thing that you highlighted for technical aspects for non-technical aspects as well? Let's say risk management or business operations or having a strong understanding of financial metrics, or do you have a different recommendation?

Ross Young: Yeah, so I think CISOs have to be lifelong learners because the role is always changing. New technologies are changing, new laws are being passed, there are new people you're managing, all those things are happening at the same time. But the one thing I will say that's different about the CISO role than every other cybersecurity role is you will report to non-technical people. At best, you report to the CIO or CTO who is the most technical person besides you in the leadership team.

But often that's not the case. You're going to be working with the Chief Legal, you're going to be working with the Chief Finance Officer and all these other people.

And so I think one of the biggest things to do is to get the broader perspective from what they're focused and interested in.

So if you're going to Chief Legal and you're like, well, here's all the cybersecurity mumbo jumbo. Yeah, I mean, they'll listen to you, but they're focused on legal problems. That's what their kung fu is, that's what they specialize in, that's what they're paid to bring value on. So your goal is to learn enough legal to know what they're interested in, know how to help them with legal and be that partner from cyber where it overlaps, right?

Maybe the big risk is third parties and how do we build contracts from our standard language and what we're going to accept for indemnification, for patching and other things that work across both organizations. Or maybe you're a bank and you have to meet Dodd-Frank compliance with your chief risk officer and show how you're doing a risk committee and other things. Well, how is cyber being a major contributor to the risk committees?

Things like that where you understand their perspective and get that mentoring. The same could go for finance officers. Like, do you understand Sarbanes-Oxley, because you're probably a publicly traded company that has to meet SOX compliance?

Do you understand how you do budgets, because you're gonna ask for people, money, resources, and the more you know from them, when there's free money around, you snatch that up and you build out this cyber initiative because someone wasn't spending their money. Like those little things where you learn those other non-cyber disciplines, I think that's a really important thing in the CISO role, because you're not typically reporting to cyber professionals.

Host: Yeah, that's really smart. Figure out which domain you are in and get your hands dirty and get yourself familiar with that domain so that you are not only speaking in cybersecurity terms, but also when you are communicating with, let's say, the CFO or legal, you use language which they understand rather than just using cybersecurity terms, which they have no idea what you're talking about.

Ross Young: And remember the goal is these political plays in some ways. And I don't want to think everything's politics, but think of it this way. If the CISO goes to the CEO and says, hey, I need more money, or if you go to the CFO, of course, everybody's going to come begging for more money for their own program.

But what if the chief finance officer and the chief legal go to the CEO saying, we need to spend more money on cybersecurity? Like, now he's got three people telling him to do that, right? That's the change. That's the influence. That's the politics you want working in your favor. When you talk about what are the highest risks to the company and number two and number three are cyber. And are we even spending enough on those? Like when you get that shift, that's when you know you're doing really, really well as the CISO.

Host: So in a way, you have converted them to your champions, right? They see the value in building a cybersecurity program. They are becoming your voice to the leadership so that you can get your budget or your resources and things like that.

Ross Young: Yeah, it's the same skills that you learned before. So if you were in AppSec, you're getting all those security champions on the dev teams. But if you're the CSO, you're getting all the C-suite to be your security champions on the leadership team, right?

Host: Mm-hmm. Yeah, yeah. That's smart, yeah. So we talked about how there are many areas that CISOs, or security leaders, need to know.

So one of the questions that we got from Yotam Perkal is, as Team8 CISO in residence, you must have seen a lot of different startups trying to tackle different issues in cybersecurity. What do you feel are the major pain points for CISOs and security organizations?

Ross Young: Yeah, there's a few that are out there. The first I will say is the number of tools is becoming problematic. Like if you were to go back, you know, 10 years ago, you might've had 15, 20 tools as a large company.

And now you go to a Fortune 500 company and you say, how many security tools are you running? 60 to 80 is probably the right number these days. So now it's tricky because you have to play integration person, right? Does the SAST plus the DAST plus the RASP plus the cloud security plus the container tool all actually converge into one dashboard where I can see how many vulns per application and assign that out to the team?

And not only do I have to assign it out, I have to fricking rank everything by priority because they don't want to fix everything overnight. So I got to tell them which ones to fix first. That problem I think is very, very difficult because there are so many tools and so many systems, and we're just trying to pull that data in and we have to do that smarter.

So application security posture management, I think is going to be a really, really big focus for companies if you're building lots of custom code and custom applications.

Host: Following up on that, like we all have heard about generative AI and we all use that as well. How do you feel about the current gen AI boom and how will it help or impact the cybersecurity?

Ross Young: So GenAI is really, really good. And then it's also, in some ways, a generic buzzword where I wonder if we're paying too much attention to it and not focusing on the other real problems we have in cyber. So how is it helping us?

The first thing is it can really help with language. So imagine you write a long paper. And maybe you're not a native English speaker. Maybe you're not an English person who got the A pluses in all your English college classes. Using it to just say, rephrase this to be catchy, to be professional and grammatically correct.

I find a lot of value in those statements because the language it uses is like, this is beautiful. Especially if you're writing something where you're very worried about the tone and the sentiment of what you're writing, because maybe it's a difficult conversation you're having or performance appraisals or other things where you have to get very, very accurate tones. That's a huge win.

The second thing that I'll say is the ability for it to think of outside ideas and analysis is really, really key. So one of my favorite things to do with Claude or ChatGPT is ask it for things and then it influences my mind in ways I hadn't considered. And so let's say I ask it a question like,

What are the top 10 things I need to do to secure generative AI? And then I go and I ask the three different platforms. I ask NotebookLM from Google, I ask Claude, and then I also go and I ask ChatGPT. And then I get answers from each of those. And then I take all three of those and I ask another query that says, analyzing the three answers from the three different things, what are the common trends? And now I have something where I did consensus on various chatbots to figure out what are the next-generation security threats I got to focus on. And the things it comes up with, like, I feel like I'm just having really, really good discussions with subject matter experts. And it puts in things that I might not have thought about. So that's a huge value for me as a CISO, to constantly be able to have these thoughtful discussions with chat and GPT engines on next-generation concepts.

Host: Yeah, you're absolutely right. When it comes to writing or even coding, it helps a lot to use GenAI tools. I like how you use three different tools and then you also, in a way, take that information and summarize it further to find out what the top three areas are that you should focus on.

Ross Young: Yeah, and it's super helpful because the truth is sometimes ChatGPT is better, sometimes Anthropic's Claude is better, but why not just ask all three and then figure out which one you like? And if you don't like all three, maybe you steal the best parts from each of their answers, right?

Host: Yeah, yeah, absolutely. So far we have been speaking about non-functional or non-technical aspects. Let's get into maybe some of the technical aspects. So one of the things that you highlighted is around vulnerabilities. Every CSO thinks about, how am I vulnerable? How can I address that? Which one should I address, and things like that.

And nowadays, most enterprises use open source for their software stack. And with that, the challenge that we face is supply chain security, right? We have had issues like the attacks on SolarWinds, Twilio, PyPI, OpenSSL, and there are many more. So I've received this question from a first-time security leader.

How should they design their vulnerability management program so that they can sort of… They cannot remediate all of them, but at least they can tackle some of the challenges that come with supply chain security.

Ross Young: Yeah, so supply chain security is a tough beast, but I'll give you a couple of things that are really, really helpful. The first thing is you're going to have so many open-source components hitting your web applications if you're a large company. You need an inventory around it. You need to be able to say, our only source code repository is in GitHub. So that way, if we have to say who has the bad OpenSSL version that has a known compromise and exploit against it, we can search one place to figure out how many applications have that specific code.

The second thing is, realize that even if you know where your applications are vulnerable, you want to give yourself some time. And the way you give yourself some time is you add two different types of technology. The first is a web application firewall, right? Because if you have a SQL injection in your open-source library, either you have to modify that code or the open-source developer has to modify that code. Both of which take time, which you may not have, right? If there's a known exploit and vulnerability going around.

But if I put a WAF in front of it and it blocks that vulnerability from being attacked, now I can kind of sit back knowing I have a week or a month for my developers to go and patch that fix. And in addition to a web application firewall, runtime application self-protection tools like Contrast Security are another good example of something you could apply that would give you these runtime defenses.

So putting barriers upfront where you have two different vendors, and now you have two different ways where the bad actor actually has to get through these protection tools, I think is really, really key. And then having a clear understanding of where you're vulnerable in your systems is also very, very important.

Host: Makes sense. So is there a framework that you follow when thinking about vulnerability management?

Ross Young: So I don't know if there's any particular framework, but I'm going to give you two things that I've done that have been really, really helpful for me. The first thing I would tell you is I've open-sourced this framework called the OWASP Threat and Safeguard Matrix. And I call it the TASM for short, Threat and Safeguard Matrix. And if you go and you read in there, you will actually see how I looked at vulnerabilities and focused on them.

What you want to do is you want to tell a story to your leadership team that says, here's where I'm at today. Here's how things are trending. And here's the goal to know when we're done. These status, trends, and goals are really important. So what you do is you start out with your organization. And you have some arbitrary timeline that says, we want to patch all internet-facing systems in 30 or 15 days. And you're going to make some number like that.

And then afterward, what you need to do is you need to have dashboards and things where you can hold teams accountable.

John is the head of the CRM team and his average days to patch is this. And here's the number of vulnerabilities he has which are greater than 30 days, which is our target SLA for our organization. And not only do I just tell him what's wrong, but you want to go one step deeper to say, if John takes these three remediation recommendations, this is how he can most improve his numbers. And doing that holds clear accountability, gives clear recommendations, and then the manager of John, who might be the CIO, would be the one to really hold that person accountable. Right?

And so if you can get organizations to do things like saying, hey, we're going to put patching requirements in our performance goals. And you will not get your bonus if you do not hit these things, or maybe you'll get the minimum bonus instead of the two-time exceptional superior bonus. When you do those things and you put the motivations and incentives, you have that clear accountability and tracking, and you have that data from your tools, you can really move the needle on vuln management.

You just do that month over month and you watch these metrics moving in the right direction. So that's a huge thing you get by reading the OWASP Threat and Safeguard Matrix.

And the one other thing I'm going to switch to is what I would call improving the process. As a CISO, you don't want to spend all of your time on individual vulnerabilities. There's just too many and it's too down in the weeds for you. You need to come up. And so what I would say is look at your vulnerability management process.

There's probably 15 different steps that have to occur. The vulnerability has to be found. It can't be a false positive. It has to be assigned to the right team. Somebody has to actually figure out if a patch is available, and all the other steps till you release code into prod. And now what you need to do when you look at that process is consider process improvement opportunities. Which of the 15 steps is the slowest? And if the slowest step is, you know, maybe you need automated change tests.

So you can say, well, will pushing the new version break our code? You can write those scripts and that saves you 30 days. Well, that's how you get faster. So focus on improving the process, not always on the individual vuln in that piece. And then also focus on driving clear accountability. Those two things, if you build those into your vuln management program, you're going to have amazing success.

Host: So I think it goes back to one of the things that you highlighted earlier, which is you cannot be an expert on everything. You need to hire smart people so that they can own some of these areas. Not that you don't understand, but at the same time, you should not be in the weeds all the time. That helps you with managing your stress and also improving your overall security program.

Ross Young: Yeah, yeah, totally agree.

Host: And two things that you highlighted around defining SLAs, like internal SLAs around how quickly you might want to fix, let's say, critical vulnerabilities versus high vulnerabilities, and also tying them to the execs' incentives, which sort of gives them a push that if I want that bonus, then I need to make sure I push my team, or I prioritize them properly so that I move the needle in the right direction.

Ross Young: Yeah, that's right. And a lot of that came from the lessons learned when I was a segment CISO over at Capital One. If I go over to a team and say, hey, look, you got all these vulnerabilities, why don't you fix them? And then we dig behind the data and we just figure out, all those vulns just came out yesterday. They're going to be like, why are you wasting my time? I haven't even had a chance to look at this.

But if the vulns are past 90 days and nobody's fixing them, now I need to understand why nobody is even looking at this. Those are two totally different conversations.

And so it starts with: what is the organizational risk tolerance around patching? And you probably need to set some clear policies or directives that say, here are our patch timelines. And then once you have that, let's not bother people with anything that's within an SLA. We only care for the outliers of what's past the 30 and 60 days of our target goals. And then we give recommendations of where to prioritize and focus efforts, so they can improve their numbers, and then we celebrate those successes when they do.

Host: Absolutely. So, double-click on that. There are different types of vulnerabilities. It could be cloud misconfiguration, zero days, insider threat. How should CISOs look at whether they are focusing on the right and the highest priority vulnerability? Do you follow a framework? Any recommendations on that?

Ross Young: So this is something where I think we're seeing the value of ASPM tools really, really helping. So what did we do before, and why does it need to change? What we would do before is we say, look at all of our vulns from all of our tools. We're going to filter on highs and criticals because those are most important to patch first. And we're also going to add two other filters. Is it internet-facing or not? And the second one, or the last one, would be, is there a known exploit around those things?

That's probably your tier one things of what you're looking to patch and fix because it's the highest likelihood of being exploited. And what we might find is we're going to go down rabbit holes of chasing things which are false positives or time wasters.

And I'll just give you a simple example. A lot of the software composition analysis tools look at your SBOM, your software bill of materials, and say you have these old libraries that need to be fixed. And all they're doing is just checking a version. They don't actually check to see if that code is called or exercised. So if you go and spend all the time to update from version six to version 10 and that code is never called, you just wasted developer time.

And so you're tackling the wrong things. So what ASPM tools will do is they'll look in aggregate at all of your findings from the SCA, from the DAST, from all of these things to say, here's where we believe the prioritized focus is, because we can see which vulns are there. And not only that, but you probably care about where the vulns get to your crown jewels more than the vulns that get to your dumb apps that nobody cares about, right? And there's no production data, or this is a dev system, and do you really care if there's all these things? And no, you care about where your core banking systems are. You care about where your customer PII and PHI data is.

So getting that context of where the crown jewels are, getting that context across the ASPM tools like Aux would provide, is so valuable so that you can prioritize where to focus and save the time that it takes every developer to go and fix all of these things. Because if every vuln takes an hour to fix and you've got 10,000 vulns, that's one full-time headcount.

Host: And even with that one person, you won't be able to get to 10,000. By the time you get to those 10,000, there would be 5,000 more, right? So it's a never-ending race in a way.

Ross Young: Yeah, yeah.

Host: So, last question on vulnerability management. Every day we hear about new vulnerabilities coming up. How should I, as a security leader, stay on top of it?

Ross Young: So the first thing that I would say is, if you go back to my earlier comments, surround yourself with smart people. And the best thing that I have found for me is joining a bunch of CISO Slack groups. So if you're a CISO, reach out to me. We'd love to have you in the Team8 CISO Slack.

Because when you get invited into those, in our Slack or other Slacks, there's usually a threat intel sharing channel where everybody will say, hey, what are you doing on this CrowdStrike incident that's happening? And what should we be doing? And usually, I find that is one of the first places I hear threat intel data.

One of their teams may say, hey, we just found this thing and we're going to go to the vendor, but hey, take a heads up on this. And now I can share that with my team. And that's really, really powerful, right? Because I find a lot of threat intel tends to be noise. Here's this vulnerability. Okay, but what's the CVE? Well, the Chinese actors or Russian actors are attacking CVE-2022-something.

Well, why do I care? I thought my vuln management program was patching everything in 30, 60 days. You're talking about something from two years ago, because the CVE begins with 22. So I can kind of ignore those unless for some reason somebody violated our patching and never got around to it for two freaking years. So I find that noise to be what I hate in the threat intel space.

Absolutely. If there's a vuln and it's less than 90 days old and there are exploits and it's going around, that's the threat intel I want to know, because I've got to tell my teams, like, hey, you can't just take the weekend. We need you to work on Saturday and patch this overnight, right? So when you get that actionable feedback from your threat intel and you have your pen test team go say, hey, let's test this through our WAF, through our RASP. Is it getting through, and can I actually wait an extra week, or do I need to make people work on a Saturday, which sucks, right?

So having that understanding is really, really key.

Host: Makes sense. So one of the things that we spoke about at the beginning of the intro is you have worked at the government and you have worked in many private sector companies and you are now helping the CISOs as well. One of the questions that we got from Matt Tesauro is what is the most surprising difference you have seen in doing cybersecurity at the CIA government level versus the private sector?

Ross Young: The biggest difference that I will say is the amount of regulation and oversight. And I'm a little bit jaded because I mostly spent my career in the banking sector. And I don't think there's a more regulated sector than the banking sector, unless maybe I was handling nuclear material or something weird like that, which I just haven't done.

And that is such a big thing. Like, I have to sign off on attestations. I have to do all the Sarbanes-Oxley compliance. I have to do NYDFS, New York Department of Financial Services, and other things. And so I spend all my time doing compliance. And the biggest problem with compliance is compliance often lags behind the real risks. So there may have been a real risk about password security 10 years ago.

And we wrote standards that say everybody needs complex passwords. Totally get it. But in this world where I have MFA and I get, you know, six-digit changing codes on my Authy or my, you know, changing MFA application tool on my phone, I don't really care that much about the password because these other things are my second factor. And not only that, but I also have other things like conditional policies that say it has to come from a trusted computer owned by my organization.

So these old standards that I find myself spending time on, dealing with auditors and regulators about: do I care about test data? Do I really care about all these legacy things when I'm like, I just need MFA everywhere. I just need, you know, things where I have really, really good backups. How can I focus on that and spend the minimum amount of time on GRC that's taking away from where the real risks are and where I need to prioritize my team to focus on those endeavors? So that's probably the hardest thing: the amount of regulation and how much it steals your time away from where you want to focus.

Host: Makes sense. So one follow-up question to that: you highlighted that when you are in a regulated industry, compliance is one of the biggest factors, right? You have to focus on compliance.

How do you strike a balance between compliance and the real risks that you highlighted?

Ross Young: So I think a good cybersecurity program is always going to be broken down into at least these three areas. One is, how do I stop all the real risks that cause harm to my company? And this could be business email compromise, it can be fraud risks where people are trying to do something with the things we're selling or gift cards. It can be USB attacks. It can be whatever it is.

You need to focus on that, and you need to spend time and effort looking at where the bad actors are focusing. Reviewing things like the Verizon Data Breach Report is really key. Because you're going to figure out that, hey, it's not just cloud attacks, it's identity attacks. And do we actually have a robust identity cloud program?

Huh, never thought about that. I had other things, but I never did that thing. So I've got to focus. The second area the CISO has to focus on is compliance. I'm probably getting into a little bit of hot water, but I'm going to say it anyway. You need to do enough compliance so that your auditors and regulators are happy, and no more.

Most compliance activities are a cost, right? And your goal is to keep those people happy, but anything else on compliance is probably not winning business and money for the revenue side of the company. So you want to minimize those, but make sure you do enough to keep them happy. And then the third piece of what you have to have in a program is really the human awareness and education piece.

So training all the humans not to click the phishing, training all the developers to build secure applications, and all of those human-centric processes to make an organization really defendable.

You absolutely have to have those three things, and how you split out your budget, there's probably a thousand different ways to do it. But you just need to really think about: how do I build something that's consistent, that's adequate, that's reasonable, and really meets the expectations of my leadership team, of my regulators, and of my litigators if they're going to sue me for negligence in some way.

Host: Yeah, I totally understand when you say you want to be careful about what you say about compliance versus security, because that's often a challenge, right? And CISOs are trying to strike a balance between both of them. Yeah, so with that, we come to the end of the security questions. There are many nuggets of wisdom, starting from having champions, like clear communication with other teams, to even hiring smarter people, like surrounding yourself with smarter people.

And another thing that you highlighted is that CISOs are all about community, right? Like you guys have Slack channels or other, let's say WhatsApp, communities where you can get help from each other or you can help each other as well.

But before I let you go, one last question that I would like to ask is, any reading recommendation that you have for our guests? It can be a blog or a book or a podcast or anything like

Ross Young: So I'm going to be a little bit selfish here and I'm going to say take a look at the CISO Tradecraft podcast. You can go to cisotradecraft.com. On there you will see a link to our GitHub site, and that is really, really powerful. We can put it out in the show notes here for this show, but it has a collection of over four years of knowledge. So if you're like, hey, what do I do to improve my detection capabilities? Listen to the 15 shows on that.

Hey, what do I do to improve my soft skills? I want to be a better communicator. We've got dozens of shows on that. So a lot of really, really good information is in there that I've just tried to share over the last four years as I've grown, and I've tried to mentor people at scale by building it into the podcast. So happy to give links to any of that, and just thanks again for letting me come to speak on your show. I really appreciate it, and hopefully we can all just help each other have better cybersecurity.

Host: Yeah, thank you so much for coming to the podcast and sharing your insights and knowledge. I hope that our audience can benefit from it.

Ross Young: Perfect. And one last comment: if anybody is listening to this show and is like, hey, I'd love to learn more, please reach out to me. I'm on LinkedIn, Ross Young, spelled exactly as it sounds. I'm happy to help mentor, especially anybody who's a CISO. We have a CISO community that's amazing at Team8, and I'm happy to get you connected and help you in any way.

Host: Yeah, that's amazing. Thank you so much. Thank you so much, Ross, again, for coming to the podcast and sharing your insights.

Ross Young: Awesome. Well, thank you.