Bryan Willett, CISO at Lexmark, talks about why a “silver bullet” doesn’t exist in security and what he describes as a “multi-pronged” approach to building out a security program. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.
Lindsey O’Donnell-Welch: How did you get into cybersecurity from the start and specifically into this CISO role?
Bryan Willett: I have an electrical engineering degree. I started in the industry as a firmware developer, had that role for about four or five years, and quickly got into management. Around 2008, I took a role within product development as the network and security manager. So I managed a team that handled both networking on our firmware and security on our firmware, which took me down interesting paths that I had not been down before: everything from dealing with ISO committees, to certifications on products, to a very focused effort on hardening of products and building out the security development lifecycle. So [looking at] how you teach developers to develop something securely, how you keep that top of mind for them, as well as owning product roadmaps around security. I did that for a while. And one of the things that became sort of an accidental responsibility was really answering customer request-for-pricing type questions; they came in with extensive questions around security and the posture of the organization. And owning that, I realized that there were concerns coming up from customers that were much broader than just the product. It was focused on the holistic environment of the corporation, and the risks that the corporation could present to a product that the customer was buying. And through that, I realized that we needed to go and look at ways to have third parties help, to some extent, attest that Lexmark had the right processes and controls in place to protect the product. So from that, we went off and looked at several paths; we chose going down ISO 27001 as a path, and I was leading that within my development product security manager role. Right around the time that I really started to pick that up, our CIO at the time realized that he needed to make a bigger investment in security within the IT organization, and he opened a position for a head of security. And I interviewed for it. And we both agreed it needed to be a CISO role.
And so we established it as the CISO office and started developing an overall program around securing our IT infrastructure. But then that quickly expanded beyond just securing IT infrastructure: it still had tentacles back into product security, it got into supply-chain security, and it ended up taking on a much broader role as well, with a customer-facing role, in talking with our customers regularly about our security program, and in bridging much of what I just described to you, how the security program leads to delivering secure products.
Lindsey O’Donnell-Welch: Can you talk about some of the top challenges that you've faced as a CISO?
Bryan Willett: Probably the first one I would say is gaining user confidence in your program. But let's go back to when I first started in this: I was really working on changing the culture of the organization as a whole, the corporation as a whole, in terms of security and what people should and shouldn't do on their workstations and what they even have the permissions to do. You're only going to be successful doing that if you've gained the confidence of your user base. And I did that through a lot of town halls, a lot of department meetings, senior staff meetings, to help them understand what the risks are, what we're doing and why we're doing it. So that's probably first and foremost. The second part would be that you have to recognize that risk is throughout your organization. And you cannot solely view that this role is an IT system role only. You have partners throughout the business who are - well, I say partners, friends of IT, right - business areas who are developing business applications; I have R&D organizations that are developing products and SaaS offerings; and I have salespeople out there who are trying to do anything they can to satisfy a customer. All of those more than likely involve data or services or something moving around that requires some eyes on it from a security lens. And building the relationships with those business areas, such that they are ready to engage you as they start on new projects and seek your team's input and incorporate that input into their process, that is an ongoing effort; it is not a one-time-and-forget. You're constantly having to do that.
“Building the relationships with those business areas, such that they are ready to engage you as they start on new projects… that is an ongoing effort.”
Lindsey O’Donnell-Welch: As part of this “ongoing effort” of building a security culture in a business, what are the first steps there and who needs to be involved?
Bryan Willett: I think it's a multi-pronged approach there. So first is, of course, myself and my team getting out there and being visible to the business. I think it's important that we are transparent to the business and helping them understand what we're seeing, so it explains why we're doing what we're doing, but also to raise awareness. I also think it's important to do things like phish testing with your employees, helping them realize that the attacker, that person phishing your organization, can be extremely crafty, and giving them snippets of what that feels like. I think that's important for them to live it firsthand and realize, "oh, man, you got me, you got me." But thankfully, I got them with a test. And they can recognize that they need to be more aware. So the next part is trying to build champions out in the community. And I approach that in multiple ways. We have things like lunch-and-learns, where we invite people who are interested to come in and talk on topics. But secondly, my hiring approach is one where I try to find people who have an interest in security that are from areas of the business, bring them into my team to actually work within the business or the security practice, let them have that role for a couple of years so they can gain the experience and understand our perspective, but then, for their own career development, send them on out, get them back into the business and let them become advocates for us within the business.
Lindsey O’Donnell-Welch: What are some of the top challenges that businesses are facing currently when it comes to cybersecurity?
Bryan Willett: The attackers are getting better. We've all heard it, the fact that many of the attack tools have become either open source or as a service; that just enhances the ability of - I don't want to say lay people - but people with fewer skills who can now quickly get into the hacking business. So that's one part of it. The second part is, I'm going to say, the economy. So when we look at the economy, there is a headwind coming in for a lot of companies right now in terms of revenue, which results in expense challenges. And so a lot of organizations are going to have to look carefully at where they're spending the expense funding they have available, and make sure that is in the most impactful areas for the risks that are present to that organization. And then talent. Getting good talent is hard. We have taken a bit of a hybrid approach. And you've heard me describe it a little before, of getting people out of the business and bringing them up into the security space and raising their security IQ, but also finding people externally who have high IQ, bringing them in so that they can help: one, with our mission, but two, with that broader security IQ in the organization.
“In reality, if you focus on those fundamentals, you're going to be in a much better position than spending all your money on the latest amazing tool.”
Lindsey O’Donnell-Welch: In your experience, how have you seen the CISO job change over time, either in responsibilities or in relationships with others across the organization?
Bryan Willett: I remember the conversation very, very clearly. When I first was considering taking this role, I had a conversation with the vice president of R&D, because I owned product security at the time, and I still wanted some influence, but I was going into an IT security role. And he very clearly said, “you're going into IT security, you don't own product security when you take that role.” What I have seen evolve from that mentality, though, is a recognition that security risk is much broader than that. And I hit on it earlier, that if an attacker gained access to my environment, they have the potential for getting into our products, getting into our source code and manipulating that, or they have the potential of getting into maybe our manufacturing process and manipulating that. And when you start to look at that overall risk matrix or perspective, you realize that it's not just the data, it's also the potential collateral damage that could happen if somebody got in your environment, and you have to holistically look across all areas of the business. So that's probably the first: as a CISO, if you're limiting yourself to just IT security and your aperture isn't wider than that, you're setting yourself up for a tough day in the future. So that's one. Two, and I hit on this a little bit earlier, but supply-chain security is becoming huge. It is a huge concern for anybody buying software or hardware. And it's important for an organization to have a champion somewhere that is driving that mission forward. For me, I found it important that we do that, we being the security organization. The reason that we took that banner and ran with it is that we're probably in the best position, looking both at third-party risk, because we look at that regularly.
We also work with customers on their concerns around security, and holistically looking between that and the certifications we have to get anywhere in our products, we were well positioned to start looking into the supply-chain side, and where the risks are both on the development side, and the manufacturing, and then the logistics side of delivering a product. So that was a key area. The third area for me would be that the CISO role started as a very technical role; it really was someone who was an IT practitioner who got elevated into a CISO-type title. Where I see it going, though, is definitely someone with a lot more business acumen, understanding what the business strategy is, understanding what the security organization's impact on that strategy could be, and figuring out how to be an enabler for that. I see that as being a big part of the security role in the future.
Lindsey O’Donnell-Welch: What top security advice would you have for organizations?
Bryan Willett: First and foremost would be focusing on just fundamental security hygiene, cyber hygiene. If you look at something like the CIS 18 framework, they do a very nice job of laying out what your priorities in an organization should be in order to better secure your environment. And they've done such a nice job that when you go look at your fundamental cyber hygiene, you should really be prioritizing those in order. You need to know what assets are on your network; you need to make sure that you have developed hardening standards for those; you need to measure that you are compliant with those hardening standards. You need to be able to patch those systems, you need to be able to monitor those systems, you need to be able to manage identity. So many times, I think individuals or organizations think there's a silver bullet out there to solve all your security problems. In reality, if you focus on those fundamentals, you're going to be in a much better position than spending all your money on the latest amazing tool.