Host: Hi everyone. Thanks for tuning into our Scale to Zero show. I’m Purusottam, Co-founder and CTO of Cloudanix. Scale to Zero is a forum where we collect questions from various security professionals, and we invite security experts to learn about their journey and also to get these questions answered.
Our goal is simple. We want to build a community where we learn about security together and we leave no questions, security questions unanswered.
With that, let’s get started. So for today’s episode, we have Chris Niggel. Chris is the Regional Chief Security Officer for Americas at Okta, where he is responsible for building customer trust, providing thought leadership around cloud security, and responding to customer security inquiries. Prior to Okta, Chris spent like six years leading the adoption of Cloud technologies at LinkedIn, helping them grow from 350 to over 6800 employees. He started his career designing, developing, and delivering content management, system administration and messaging solutions to customers such as Nestle, Cisco, AMD, Telus, and US. Department of Defense. During the winter, Chris has almost 15 years of experience as a ski patroller, search and rescue, and teaching skiing, mountaineering and outdoor survival. He also is an advisor to many startups.
Chris, welcome to the show, and it’s my pleasure to have you here.
Chris: Thank you very much. It’s great to be here.
Host: Thank you. So with that, let’s get started into the questions. Right.
So, at Okta, you have built the Information Security Compliance program from ground up. So what’s your take on certifications? Is getting certified enough from an overall security standpoint, or there is more to do? Like, is it a foundation for setting the organization in the right track to improve the overall security, or the foundation should be set even before certifications are a goal?
Chris: Yeah, I think that’s kind of an older way of thinking about it. Certifications should be used not as a goal right. As a target, but as a measuring tool. It’s something that you can use as a security team or some organization to demonstrate that your security program is designed using industry best practices and is operating in an effective manner.
When we set certifications as a target, that creates the opportunity for us to use it as checkbox compliance. Let’s make sure that we have this control in place, but doesn’t give us the opportunity to think about how that control really works in our environment and if it’s appropriate for our environment. So when we use certification as a measuring tool, as a demonstration, then that allows us to approach security from what is needed for our organization and then use the certifications to demonstrate that to our customers and to our prospects.
Host: Makes sense. So it’s more around setting it as a measurement and using it effectively. Okay, that makes a lot of sense.
Chris: Yeah, exactly. And on top of that, these programs really do create a good baseline to ensure that the security system that you’re developing or security program, you’re developing are aligned with industry best practices and is always moving forwards. ISO 27001 is a great example of this is that framework requires that an organization demonstrate continuous improvement. It’s a core tenant of that certification. So it enables you as a security leader to work with your CEO and your chief technical officer and the rest of your executive team to ensure that security is built into all of the programs and the processes that you have as an organization.
And you’re able to demonstrate that continuous improvement. Again, we’re not trying to just check a box and make sure controls in place, but that we’re instead using security as an enabler, as a core function built into everything that the organization does. And that’s how you turn compliance into really enabling the business to be secure.
Host: Makes a lot of sense. Right, so one of the things that you mentioned is working with other teams in the organization, working with the leadership. Right. So for startups or fast growing startups, security is often seen as a roadblock to business growth, right, because business growth is the first priority, always.
So what methods like when you were at LinkedIn or at Okta, what methods did you follow? And you would recommend to bring like awareness and develop a security centric culture and mindset from day one?
Chris: Yeah, you really hit the nail on the head. Organizations, especially startups, are focused on growth. Everything that the business does needs to be dedicated to that task and that includes security. As you mentioned in the past, security is really seen as a roadblock. And when we approach compliance from that checkbox perspective, then security becomes a roadblock because we’re seen as implementing changes that are slowing down development. We’re getting in the way of employees doing their work and with cloud technology now that’s just not something that the business is willing to accept, that individuals are willing to accept. We have to be able to use security as an enabler and not a roadblock.
So I’ll give you an example. When I was at a previous organization, we were developing IAM identity and access management was that it was going to become a roadblock. When a new employee joined, they were going to have to wait for it to sign applications and inevitably they sign the application incorrectly because it didn’t understand how that data was being used. Right. So what we did is we implemented a process that allowed the business customer, in this case sales, to continue to own the application, to continue to own salesforce and marke to and all of the other tools that they use. So the business customer could still control application assignment and ensure that their sales team or new sales hires got access to the services and the systems they needed to be productive from day one. But because we had centralized identity management security and it still had the visibility that we needed to make sure that company data was safe.
And that when those team members either changed roles or left the company, we were able to immediately disable the access to the company data, whether that be inside of salesforce or inside of other tools, webex, email, or anything else that the business use. So it gave us the best of both worlds. It gave us the ability for the sales team and the business customers to continue to feel like they own their data. But it gave security and it the visibility and the control that we needed to both stay secure and stay compliant.
Host:I love that example. It’s very clever that you sort of gave the ownership of onboarding and stuff like that to the business teams and not have the security team the single point of contact for everything, for minimum needs, basic needs, they can be self-sufficient rather than being blocked by other teams. That’s very clever, actually.
Chris: It’s super important because we don’t have it and security, right; we don’t have the budget and the resources that we need to own everything. So let’s hand that ownership off to the parts of the organization that both want it and understand how to manage it and allow us to focus on keeping the data secure.
Host: Yeah, makes a lot of sense. So one of the areas that you touched on was IAM, right? Because that is like the key ingredient for connecting the whole organization together.
So I’m curious, When it comes to IAM, what are the five key questions that should be considered when setting it up properly?
Chris: So I think it’s less around the five key questions around setting up IAM as it’s more around what’s the types of data being used in your organization and how do teams use it. In the past, security has always stayed on the sidelines and tried to implement controls without understanding how they impact the business. And as we talked about before, organizations won’t accept that anymore.
It’s far too easy for an individual to purchase a new cloud application using their credit card or using discretionary funds. Then it used to be we used to have pretty heavy roadblocks in the deployment of new ERP systems or communication systems. And now with cloud computing, all those roadblocks have gone away. So the questions I think that we need to be asking is an IT team or a security team are do we understand how the business is using this information? Do we understand how they need to gain access to it, when they should be accessing it, and what the risk is associated with that? And then working with the business units to implement appropriate controls to give the right people access to the right information at the right time. Now this concept is really starting to be codified under the idea of a zero trust networking. And so as we begin looking at a zero trust strategy for organizations, you’ll find, and certainly our peers in the industry including Susa, the Cybersecurity and Infrastructure Security Agency have identified that identity is the first step towards a zero trust architecture.
Host:Yeah, I totally agree. Like, identity, it’s a joint effort from the entire organization, right? Like setting it properly and setting the goals and stuff like that. Makes sense. So I want to sort of pivot a little bit.
So nowadays, we hear like a lot about data breaches or ransomware attacks and many forms of attacks, right? So most organizations do prepare, plan, and budget and put processes in place, right. Infrastructure and processes in place for any potential data breaches or ransomware attacks.
So suppose even with all of these preparations and planning in place, there is still a data breach or a ransomware attack.
What should the response plan look like in that case? Like, from many perspective, right? Like internal communication, external communication, how to repair the damage to the reputation of the organization, rebuild the trust, improving improvement so that you avoid such attacks in future, etc,etc,… Like, there are several impacts of it. Right. How do you respond to these events?
Chris: Yeah, we could talk about that all day. It’s important to remember that every incident and every organization is different. So instead of providing specific guidance, your goal really needs to be to develop a process and a standard organizational chain of command rather than focus on those specific tactics. Because again, every incident is going to be different.
But what is consistent is ensuring that you have the right people trained on your process and your communication process so that everyone from your executive team down to the folks who are working the front lines of that event are in lockstep. Now, we talked a little bit about Scissa just a minute ago. They actually recently released new guidance aimed at small and medium businesses, including guidance and a really nice white paper on how to set up an incident response program and ensure that that program is effective and is being tested. Because any program that isn’t being tested isn’t really going to be in place and going to be effective. So take a look at their website, those white papers. They have detailed actions for key roles, including the CEO, It leaders, and Security Program Manager, and see how you can apply that to your organization. This really is an area where an ounce of prevention is worth a pound of cure.
Host: Okay, we’ll definitely look at CISA and we’d love to learn about the guidelines put forward. Right? That is helpful. So you spoke about setting the chain of command and setting up the internal external communication, all of that together. Right.
So as a security leader, what metrics do you report to your leadership or CEO or board of directors? And how do you communicate? Like your overall security posture, like gaps or plans to improvements to these?
Chris: Yeah. So the specific metrics that you use are going to be different for every organization depending on your risk posture. What we do, we first do a risk assessment to understand what are the highest risks for our company and then create specific metrics that track those.
And those metrics change over time as we are able to implement controls and reduce risk. Then new ones come up to the top, and we need to monitor and track those.
Happily, as we talked about compliance, the beginning of the call, the SOC2 and ISO 27,001 both offer risk management and reporting frameworks that you can use to help develop that program. ISO 27,001, in particular, has a monthly or quarterly reporting process as a requirement. Now, another thing that you may need to look at, especially in your example as a financial tech startup, there are regulatory concerns that must be covered and reported on. So as you’re going through this risk assessment, look at both. What are the risks that you have right within your organization, but ensure that you expand that across and address? Are there other regulatory or compliance risks, whether domestic or international, that are appropriate for your organization and ensure that those are covered as well?
Host: Okay, yeah, that makes a lot of sense. One of the questions I always love to ask to security leaders (CISOs), like
What keeps you up at night?
What do you feel nervous about? Like,
How do you manage those? Right?
How do you manage the risks associated with all the vendors? You might be working with many vendors, or you might be using open source or in housing tools. So how do you manage risk around all of these?
Chris: Yeah, so the biggest threat to organizations and ours is no different, our identity based attacks. It’s the largest cybersecurity threat. And that’s not my words. You can see that in the Verizon Data Breach Report that comes out every year. And this is because identity based attacks work.
Look no further than Azure Active Directory, where more than three quarters of organizations do not employ multi factor authentication for their user accounts. And that’s according to Microsoft’s own cyber signals report with centralized identity. I know that our organization is protected using strong multi factor authentication, and that makes phishing very difficult. Even if a password is lost, the attacker doesn’t have that second factor. Here at Octa, we’ve recently rolled out a fully passwordless approach where we use device trust. So we take signals from our endpoints to ensure that they’re managed that they have up to date any virus, any malware. And it’s a machine that we know in cooperation with information about the user biometrics, for example.
So we have very strong authentication, which is very low impact. When I need to authenticate, I just touch the fingerprint scanner on my machine, don’t have to remember a password, don’t have to pull out my phone, and I’m right into the information that I need access to immediately. So when we protect our identity, we’re able to protect against the largest cyber securitys threat right. That face our organizations. And it really enables me to be able to sleep soundly as opposed to worrying and staying up all night.
Host: Yeah, I mean, multi-factor authentication, everybody stresses on that, right. You cannot go wrong there.
That is the bare minimum that anyone should do and must do to avoid any attacks or phishing attacks in particular. So yeah, that makes a lot of sense as well.
Chris: Yeah. As security people, we really like to focus on the zero days, on the new threats that come out every day. But the reality is that organizations who face security breaches such as ransomware, it typically comes through an identity based attack. Focus on the core tenets of security, focus on identity, multi factor authentication and patching and you will protect yourself against the bulk of the threats that are out there.
Host: Yeah, that’s lovely. That makes a lot of sense. Thank you for sharing these insights.
There are many things to learn here, right? Like multi-factor authentication, having centralized IAM or security is not just a checkbox, right, compliance and all of that. It’s just a measurement, should be used as a measurement and there are many more. Right. So love that you shared all of that with us.
Host: Now let’s switch gears a little bit and move to the rapid fail section. So the first question is,
What’s your persona animal?
Chris:I have to say the owl, because they’re always watching and they’re always asking questions, right.
Host: Very in line with security. Right. So assuming you are hiring, What stands out in a candidate for you? What do you specifically look for?
Chris: It’s not a specific thing that I look for, but what I like to see is to understand what their path was to secure the route into information security is rarely straight. I find it very interesting to understand the paths, the previous work history of candidates because security is really a way of thinking. And when we bring individuals who have very broad and diverse backgrounds into information security, it allows us to look at problems from multiple perspectives and I think makes organizations more secure as a result.
Host: Makes sense. What’s the biggest lie you have heard in cybersecurity?
Chris: That’s an easy one. Our product has no vulnerabilities, everything’s got vulnerability. So if you show me a pen test, it’s completely clean. I know you’re lying.
Host: Yeah, all of us can relate to that. So the next one is
What advice would you give to your 25-year-old self starting in security and why?
Chris: Yeah, that would be to get involved with all the areas of your business, as we talked about at the beginning of this conversation, for security to be successful, we have to understand how the business uses data and how the business operates. So get involved in all the different projects you can with all the different teams that you can learn about how your organization works and listen to those team members. And that’s really going to set you up to be able to provide good security that also enables the business and makes that growth successful.
Host: Love that!
One liner quote that keeps you going?
Chris: Yeah. So I’m steal this from a Warren Miller films. I’m a big skier, and if you don’t do it this year, you’ll just be one year older when you do!
Host: Make sense. So one of the things this is more like a reading material for other sites.
How do you stay up to date on current events or the new threads or the current trends in the security domain?
Chris: Yes, there are a number of really good resources. We’ve talked about CISA, which provides threat feeds. There’s other websites such as Dark Reading, which provides up to date information.
It’s also really helpful to build a network, go to conferences, talk to people. We’re all very friendly in security. We want to make sure that everyone is successful because that’s what lifts security for everyone. And so my network provides me with a great deal of information and partnership. So just talk with folks, get involved with local groups. ISC Square Cloud security alliance in that network will really pay dividends. Yeah, that’s lovely.
Host: Thank you so much, Chris. It was very insightful to speak with you. I learned a lot. I hope viewers will also get to learn something new and looking forward to learning more from you in future.
Chris: Thank you very much.
Host: And to our viewers, thanks for watching. Hope you have learned something new. If you have any questions around sick security, share those at scaletozero.com. We’ll get those answered by an expert in the security space. See you in the next episode. Thank you.