Michael Sutton is the CISO of ZScaler. He has forged a long career working in information security and has seen many changes over the years. We spoke to him at AusCERT 2016 about his career, the changing role of the CISO and what he’s seeing in the world of infosec.
Tell us about your path to becoming a CISO
I’ve done start-ups for most of my career, running research teams. All of the start-ups have been early pioneers in this space. I’d run the malware team doing threat analysis. I’ve been with Zscaler for eight years and spent the first sin-and-a-half years of that as the VP of security research.
As a start-up you’re not going to have a CISO on day one but someone’s got to handle the internal security. It was logical that as I was running all the research that it involved into that role.
What attracted you to the security industry?
Going back, I was always a technology guy – we had the first Commodore 64 in the neighbourhood. When I got into my career and started working for start-ups, I was fascinated by the attack side of the equation.
When I look back, I unconsciously followed the path of the attackers. My first start-up was focussed on network security in the early 90s. Then I moved to web security and, at Zscaler, I’m focused on the client side.
It’s relatively easy to protect servers. They don’t move and limited people have access to them. It’s really hard to protect the end user – they’re mobile, using their own devices and the attackers recognise that. That’s where the challenge is.
What are the things you look at when recruiting security staff?
I find that recruiting for security is really unique. Someone’s educational background is less important to me than in other job descriptions. Some of the best and brightest I’ve had the pleasure of working with over my career have dropped out of school or didn’t go to university.
You tend to get the guy that loved security but didn’t love school. That’s not a bad thing. I look more for what have you done. Have you been involved in open source projects? Have you been involved in various industry initiatives? That tells me about who you are – that’s what attracts me.
What about former black hat security people?
I would have real hesitation in hiring someone with a criminal conviction. Not because I don’t think they can turn around but I start by looking at who is this person. If I’m convinced this person has turned the corner that’s fine. But you have to look at this from a risk perspective.
But I can think of one individual I hired. They had a little brush with the law when they were younger; they were a bit naïve and hacked into a website. As I got to know the individual I got to know this was a childhood mistake and not a reflection of who he truly was.
We’re now in this era when mega-breaches are part of the environment we live in. Are organisations changing their attitude to the protection of customer data? Are companies cavalier with how they are handling data?
When I think about that, my first question is why. Is it because it’s happening more or because we’re hearing about it more? The answer is both.
What is the impact? The most important impact is that security is now being a board-driven impact. Security is at least a quarterly, if not every month, board discussion. It’s also that they want the CISO in the room. CISOs need to adapt to that – they’re not back-room technologists anymore and they need to adapt.
That’s the positive thing – it’s brought security to the forefront.
What are you doing about the security skills shortage?
As a company, you need to ask what are you good at. If you’re a widget factory it will be hard to employ top-level security people. But there are ways to deal with that.
I’m going to start leverage resources that have better talent so they are an extension of my security team so I don’t have to hire ten of the best and the brightest.
I think it’s a good thing to be outsourcing components of your security.
For us, we have to go after the talent where it is. We have internships for people coming out of school, we need to be adaptive and flexible. I don’t care where they are – if they can deliver, that’s great.
What advice would you give to a new CISO standing in front of the board for the first time?
The CISOs that fail to make that transition are going to succeed.
You have to be able to translate your world into theirs. You’re in a world with technical risk – we had this many incidents and this many computers were infected. You need to translate that into language the board can understand.
For example – you had 20 infections on computers. What does that mean to them? But it’s straightforward to translate that. We had this many breaches that caused this much downtime and resulted in this much productivity loss. That’s something the board can understand.
I also find boards have members that are more technical in nature. Beyond security, that’s the nature of nay company. They have complex systems. Find those individuals to help you navigate that world.
We need to be seen as empowering and helping the organisations. For example, lots of people are storing things on Dropbox and that’s causing me a risk. But putting the brakes on that is the wrong way to approach it. There’s too much they can do to get around it. They’re not doing it because they are malicious. They are doing it because it’s helping them in their job.
Look at that and find ways to empower them so they can do what they want but mitigate the risk. Then you’re seen as someone helping employees. That’s what you have to do to be a successful CISO.
Are there particular sectors that are doing a better job at protecting their businesses? What are the lessons they can learn from each other?
There are conservative sectors such as banking and finance but that’s not going to be adaptable to all environments. But you can learn lessons.
Healthcare is an industry that’s getting beaten up and that’s not surprising. I think there are two reasons.
We’re seeing a shift from debit/credit card breaches to personally identifiable information (PII). There are reasons for that. In the US, we’re going to “chip and PIN” so it’s getting harder to do point of sale breaches. And there’s greater awareness in retail because of the breaches we’ve seen. The bad guys are adapting and shifting to the PII side and they’re very attractive to nation states – for example the OPM (Office of Personnel Management) breach in the United States.
But PII is really valuable – it’s more valuable that credit/debit card data.
That’s one reason healthcare has been in the crosshairs – they have really great PII.
Healthcare, traditionally, does not have security at a strong level. That’s why they’ve been hit with ransomware. The ransomware evolution is very interesting. They’re making a lot of money.
The bad guys, when they realise they haven’t infected Joe Blow’s PC but have infected an enterprise computer can ask for greater ransoms.
Watch here: Smashing @ AusCERT2016