Episode Summary
In this episode of CISO IT, host Jason Kikta and guest Rich Casselberry discuss why security is hard and how to make better risk decisions. They explore the difficulty of proving a negative in security and the lack of obvious metrics of success. They emphasize the importance of balancing risk and finding the right level of security for the organization. They also discuss the need for reputation management and building trust within the company. The conversation highlights the value of security automation tools and the need for ongoing evaluation and improvement in security practices. They conclude with advice for new security practitioners, encouraging them to find a path to yes and be a trusted partner to the organization.
Episode Transcript
Jason Kikta: Hey, welcome back, everyone, to the CISO IT podcast. I'm your host, Jason Kikta. I am the CISO at Automox. I've been here for about 18 months. And they don't actually give me a choice as to whether or not I want to do this podcast. With me today, I have a very special guest, our first guest on the CISO IT podcast. And his name is Rich Casselberry. And Rich, why don't you introduce yourself to the audience.
Rich Casselberry: Yeah, cool. Thanks. So I did have a choice to be here. So people watching this can decide which one of us is smarter. Yeah, my name is Rich Casselberry. I am the VP of IT security for a company called ATN International. ATN is an international company that owns telcos. So we've got a bunch of telcos in the Caribbean, US Virgin Islands, Bermuda, Guyana, as well as some properties inside of the US.
Gosh, coming up on four and a half years. Before that, I worked at Liberty Mutual as a security architect doing emerging technology, which is kind of a cool gig. And then I ran network infrastructure and security for a bunch of companies that built network infrastructure and security. So yeah, been doing this since we thought routers were security devices. So I've definitely been playing in this space for a while. So excited to be talking to you, man.
Jason Kikta: Hahaha! I mean, routers can be security devices, but, you know, they're not necessarily adding to your security. Sometimes, with BGP tricks and other things, they maybe take away from your security a little bit. And I think that's a great segue. You know, you and I were talking before the show, and I think really our theme today is going to be, you know, why is security hard and how do we get to better risk decisions.
And, you know, I think that one of the most unappreciated aspects of security, and why it's so hard for practitioners, everyone from, you know, very junior analysts all the way up to directors of security, CISOs, is that you're essentially trying to prove a negative, and you don't have the same sort of obvious metrics of success. A lot of metrics of failure, but less so the metrics of success of other disciplines, such as finance or sales. And I'm curious, Rich, is that how you see it, or do you think that maybe I'm missing something there?
Rich Casselberry: No, I think you're right, right? I mean, it's literally looking for that proverbial needle in a haystack, right? And looking for a needle in a haystack is hard on a good day, but it's a really big haystack, right? We get a billion log entries a day, right? 30 billion a month. That's a lot of hay to go through to find the one or more needles. And kind of jokingly, the barn is still running, so there's fans going to keep people cool and the hay's blowing all around and there's more hay coming in. There's extra bales…
Jason Kikta: Mm-hmm.
Rich Casselberry: sitting out back, you know, just in case we want people to come in and sit down. Um, you know, the technology debt stuff, not following process, right? You've got people throwing hay through the windows, not going through the front door, and it's tricky. And to your point, you could be doing great and then not. In sales, you know, if your quarter's going good or it's not, and if you're on your third quarter in a row where it hasn't gone good, like you sort of know how to read those tea leaves, right? Security, you can be great.
And then all of a sudden you're not. And it changes like that, right? So it's not a gradual decline. It's pretty instantaneous. So yeah, it's definitely tricky. And it's a newish industry or term for a lot of people, right? Finance has been around for a long time. Sales has been around for a long time. Security is still relatively new. We haven't figured out all of the metrics that matter yet. We're trying and we're getting there, but knowing that you stopped 85 billion attacks at your firewall, I'm not sure anybody cares. It's the one that gets through that really matters. And how do you pick out the right metrics that really matter and show that you're doing the right things?
Jason Kikta: Right.
Yeah. I like analogies and I use a lot of them for security. And so the two analogies that you sort of touched on there, that always seem to help people orient themselves. One was the Maytag man, like the old Maytag man commercials where he's just sitting around bored all the time.
And so security is a lot like the Maytag man: you stopped 85 billion potentially malicious events in your firewall, nobody cares. It's the one that got through. And so it's very, very boring, right up until it's exciting. And, you know, the other analogy that ties off of that is sort of the Titanic one. You know, the old Titanic movie is like, I'm on top of the world. And then, you know, a short while later, like, oh, we're hitting an iceberg and I'm dead. And that's how it can feel.
And that's why, you know, I think that people don't appreciate, security practitioners, I think, don't fully appreciate that. Um, you know, it's about balancing risk and balancing the things that you focus upon. Right. And a great example of that is indicators of compromise. You know, those IOCs, the signatures of maliciousness that we develop in-house, that we get from vendors, that we put into various products.
People get this very sort of Pokemon mindset of I gotta catch them all. I got to have them all. I got to have the very best and the mostest. And they don't stop to think about, actually, you know, I can only load so many; the more that I have, the slower the response time is going to be, the more false positives I'm going to have.
And so, you know, just as important as are you getting them from the right sources and are you putting them in the appropriate tools is also, are you tuning them? How much time do you take to tune them, to tune out all that noise so you can focus on what's truly malicious and get to it? And I think that approach of balance is where we are right now as a discipline, is trying to find that balance on everything from threat signatures to patching. Would you agree with that? You think that we're, you know, sort of in the balancing phase of development here?
Rich Casselberry: Yeah, I mean definitely, right? I think, you know, for 99% of us, like, we don't get points for being the world's most secure anything, right? NSA, FBI, CIA, right? Security is the most important to them. For the rest of us, we have to balance profitability, right, or operational efficiency with security, right? And so you've got to be careful not to be too overbearing, right? And it's hard because it's a blurry line.
It's a half a mile wide, right? It's not a fine line. Like there's a bunch of gray here between too secure and not secure enough. It's a fuzzy line. It curves all the time. And sometimes you're gonna be too secure or sometimes not secure enough. And it's really, really tricky to get it right. And then the other thing you said that I thought was really interesting, and it's one of the things that I've thought about a lot is if you're really good at it, it looks easy, right?
Jason Kikta: Mm-hmm.
Rich Casselberry: And that's IT and security. You always have the conversations with the finance folks, like why do we have so many people in IT? The systems run themselves. No, they don't run themselves. There's a ton of work that goes into it that people don't see. One of the things that I tell people in IT and security in general is, you got to make sure you expose all of the things that you do that otherwise go unnoticed. That can be security patching that nobody knows about because it goes on in the back end.
Jason Kikta: Yeah. Hahaha! Mm-hmm.
Rich Casselberry: Replacing the failed power supply on a Saturday morning at 2 a.m. before the device goes down, right? Because nobody knows you did it, but it's a ton of work. And I think really making sure to tease out those metrics, let people know that you're doing stuff is great. Then when you're a little bit overbearing, you sort of have credit in the bank, right? So, yeah, maybe we accidentally turned off a website that I wanted to get to, but look at all of the patching that they did over the weekend and look at all the security things that they've protected us from. And, you know, making sure you get credit before you need it to make up for the mistakes you make.
Jason Kikta: Yeah, no, I think that, you know, reputation management within the company is something that too many IT and security teams don't put enough emphasis on and don't think enough about, because, you know, it's that political capital of, hey, I was flexible and took a common sense, reasonable approach on this thing that was a pain for someone else, or, you know, I leaned forward and we took care of this issue proactively, or we replaced this hardware a little bit early because it was getting painful for the user, whatever it is. You know, building that up really helps you when the dark days come and, you know, IT is going haywire, security has an incident, and, you know, that sort of stuff is what can see you through to the other side. Because no team is perfect and going to have a perfect track record, but, you know, working with your users, working with your, uh, you know, other constituents within the company to, you know, try and make their experience as pleasant as possible and show them that you're taking reasonable decisions is what, you know, really separates you and makes sure that they have your back. Uh, and I just, you know, it's one of those soft skills that I think, in very technical fields, can be easy to overlook.
Rich Casselberry: Yeah, totally agree. And one thing we've started doing a lot of, and it kind of ties back to that, is making sure that the security tools automatically take action. And the reason I think that's important is then the security team isn't there to tell you what you're doing wrong. It's to help you get unstuck from the automation that the security tool did, right? So it flips you from "security's calling me, I must be in trouble" to "good, security called me, they can help me get this fixed," right?
Jason Kikta: Right. Right.
Rich Casselberry: And again, it seems like a small thing, but from a culture perspective, it's huge.
Jason Kikta: Yeah, you know, automation and being able to do automated responses to things. You know, what do we build computers for if not to automate, you know, automate a lot of tasks? And I think that, you know, the hesitation of teams to use them is just something that still surprises me a bit to this day, but I think a lot of it's a matter of, you know, trust. And the more trust that they have in a tool, the more they can…
Rich Casselberry: What
Jason Kikta: …be sure that it's going to, that they've given it the proper inputs to produce the expected outputs. That goes a long way to being able to make that somewhat of a leap of faith. But it's really critical, because if you are relying solely on human response times or human work speed to accomplish any task, you're just not going to get there.
The efficiency of the industry is such that like, we just don't have the human scale anymore to be able to lean in and just power our way through it. Like you have to be able to use your automated systems and, and make some of those decisions in real time or do something, uh, you know, at, at a scale that just humans aren't capable of. Uh, and I think that that's, you know, like trying to better, um, better plan for that, I think is something that, you know, we're starting to see more in the industry of, you know, how do I, you know, it's, it's okay to do it once, how do I do it right 1000 times, how do I do it right, you know, in disparate network segments. You know, how do I, you know, do it in a more clever, more efficient way than I've done in the past.
And so I think some of that foundational thinking is really overdue, and I guess the point I'm trying to get at here in a very long-winded way is, I think people too often, like, they sort of set it and forget it and they don't want to come back to it. And it's not about, you know, nothing is ever truly set and forget. It's something that you need to go back to that well, you know, again and again over time.
I think the true test is, you know, do I need to do that on an hourly basis or do I need to do that on a monthly or an annual basis? Does that make any sense? I think I got it going there.
Rich Casselberry: No, no, it does, right? And when I think about security, right? I mean, security, there's a lot of security tools, right? You've got IDSs and vulnerability and patching and, you know, DLP and CSPM. And I think it's a new acronym every day that I lose track of all of them, but there's a lot of tools. It's really complicated to get it right. It reminds me of, you know, wireless 20 years ago, right? Wireless was really hard. There were a bunch of things you had to tune and, you know, eventually people figured out how to make it easy for...
Jason Kikta: Yeah. Yep.
Rich Casselberry: 90% of the people. And I think security needs to get the same way. And in my head, I sort of think about a couple of different dials and knobs that you can turn. One of them is who can you talk to? Who can talk to you? Pretty easy ones. If people can't talk to you, they can't attack you. Vulnerabilities don't matter quite as much. They still do, obviously. But if you can limit that exposure, great. How quickly you patch, obviously important.
And then the fourth one is sort of how aggressively do you do automation, right? And I think if you get those knobs and you integrate all of your tools in a point where you can turn those knobs up and turn them down based on risk, um, or integrate it with your threat feed so that, you know, if China is attacking critical infrastructure, hypothetically, right? Um, you know, maybe you want to turn those knobs a little bit higher, be a little bit more secure. Or, you know, maybe you…
Jason Kikta: Yeah.
Rich Casselberry: have different levels, right? Here's your high-risk users, here's your low-risk users. Low-risk users have all of the security tools on them. They consistently pass their phishing test, right? They don't click on random links that show up in a Teams channel just to see if they really did win a prize, right? You know, maybe give them a little bit more flexibility. The people that click on any link that comes their way and haven't installed patches or, you know, constantly defer patching until they get, you know, pushed into doing it…
Jason Kikta: Mm-hmm.
Rich Casselberry: you know, maybe you lock them down and they can talk to sanctioned business applications, but maybe they can't go to random websites in Sri Lanka. Right. And being able to be granular with stuff like that, I think makes it better for the good users and maybe a little bit more painful for the ones that needed to be a little more painful.
Jason Kikta: Oh yeah.
Oh, that's brilliant. I couldn't have said it better myself, Rich. So before we wrap up here, being our inaugural guest, I'm going to let you close it. And I think probably, what security, or sorry, what advice would you have for any new security practitioner or person who's either entering the space for the first time, pretty new to the space, maybe thinking about moving into this discipline? You know, what would you tell them that they should focus on or think about or keep in mind as they move through there?
Rich Casselberry: I kind of thought we were going to end with a softball. That's not a softball throw there. That's a tricky question. But I would say the answer is probably never no. Right? And I think too many security people, like, their default answer is no, you can't do it. And I'll share a story with you now; I'm not sure if I've shared this one with you yet or not. But earlier in my security career, we had a new CIO, and his answer was, you can't say no to anybody. If the answer is no, you need to come to me and explain why the answer is no.
Jason Kikta: Hahaha!
Rich Casselberry: And I will go to them and tell them why the answer is no, which is a pretty hard line in the sand, right? Not too surprising, a couple of days later, a friend of mine who was in engineering came up to me and said, Rich, I have an idea. You're gonna think this is a stupid idea, but hear me out. He's like, we're getting ready to deploy, we're trying to build our network management platform on this thing called an iPad, right? Clearly back a couple of years ago when iPads were new. He says, it doesn't have an ethernet port, it's only wireless and so.
Jason Kikta: Yeah.
Rich Casselberry: I want to put an access point in the lab that I can connect to that just doesn't do any security stuff, just lets me connect right in because I guess at the time you couldn't put security on the iPads or something. And in my head I'm screaming, yeah, that's the stupidest thing ever. Like, there's no way I'm doing that. But I let him finish. And instead of saying no, he walked me through what they were doing and why they were doing it. And I said, you know, how about if we do it a different way? How about if instead of letting you connect…
Jason Kikta: Hahaha!
Rich Casselberry: directly to the lab, how about we let you VPN in using this iPad? We'll give you a locked-down profile so you can only talk to things in the lab, but you can do it from anywhere. And he's like, oh, that would be amazing, because this isn't a funded project. It's a Skunk Works project that we're playing with. So it's work plus, right? And it would be nice to not have to come into the lab on a Saturday and Sunday. I could literally do it at home, at the kids' baseball game, like, and still be part of the family. That would be awesome.
Jason Kikta: Right.
Rich Casselberry: And so instead of him honestly going off and just buying the access point and doing it anyway, because we were a networking company, right? And hating IT for making him do it, he became a huge evangelist, right? And his comment to people was, go talk to the security team. Like, they're not going to say no, they'll help you find a good way to do it. And so if you start with no, you end up being the obstacle to be avoided. If you start listening, you become that trusted partner and they'll come to you.
Jason Kikta: Yep.
Rich Casselberry: even doing what they're doing maybe a little outside the norm, which is really what you want.
Jason Kikta: Yeah, I love that story, because I've always been telling my teams, you know, find a path to yes, and there are shades of yes, but don't say no. No is not the answer, right? It might be a different yes than they were expecting, but try every which way you can to find a yes that will work for them, because our job is to support them. So, awesome. Well, thank you so much for being here today, Rich. Really appreciate it. I know the listeners do too. It's been really fascinating to talk to you, and you and I chat all the time. So I'll see you out there, and thanks, everybody, for listening today. And I will see you next time on the Automox CISO IT podcast. We're out. Thanks.
Rich Casselberry: Awesome. Thanks, all.