
August 16, 2021 • RBS

Categories: Videos

Mathew Newfield, Chief Security Infrastructure Officer at Unisys, joins Jake Kouns, CEO and CISO at Risk Based Security to talk about how organizations should understand risk, prioritize resources, and how to effectively communicate security to leadership, employees, and vendors.

In an environment where one person’s mistake can result in a serious incident, it is essential that everyone within the organization knows what the risks are and what they can do to mitigate them. Mat gives golden advice on how to communicate complex concerns to the Board of Directors, how to build a deep security culture that employees will practice in their personal lives, and how to demand excellence from external vendors. You definitely don’t want to miss this episode of The Right Security!

The Right Security

In The Right Security, join leaders and veterans in the security industry, as we tackle the biggest issues impacting organizations today.

Check out The Right Security series on YouTube, and subscribe to the Risk Based Security channel to see new episodes in your feed.

Show Notes

0:00 – Welcome and speaker introductions
0:51 – Getting into security
2:44 – How to understand risk and the priorities of a CISO
6:28 – Brain games
8:00 – Minimizing security risk
13:00 – How to speak the language of the Board
18:13 – Ransomware misconceptions
24:04 – Security training and awareness
27:30 – How to deal with constant security sale pitches
29:56 – How to convince leadership to get the product you need
33:52 – How to deal with security vendors that underdeliver
37:30 – The importance of executive leadership and levels of support
38:50 – Risk, risk scores, risk-based security, and asset inventory
42:38 – Supply chain security
44:03 – Attack surface management (ASM)
44:50 – Deception technology and honeypots
45:55 – Zero-trust security
48:25 – How struggling organizations can start risk-based security programs
51:11 – Staffing problems in the security industry
55:25 – Closing thoughts

Further Reading

Cyber Security Leadership and Strategy – Episode Transcript

JAKE

Hi, I’m Jake Kouns, CEO at Risk Based Security. Welcome to this edition of The Right Security, the show in which we spend time talking with leaders and veterans in the security space, tackling the issues of the day. Today I’m joined by Mathew Newfield, currently the Chief Security Infrastructure Officer at Unisys. Prior to this role, he was the Corporate Chief Information Security Officer. Before joining Unisys, he held several positions in the security industry at companies including IBM, RSA, Cybertrust, and others. Mat’s an experienced executive who has been building effective security strategies and teams that minimize corporate risk exposure. Mat, welcome to the show.

MATHEW

Jake. It’s great to be here. Thanks so much for the invite.

JAKE

I’m looking forward to it. So today I want to cover as many topics as we can jam into this episode related to cyber security leadership and strategy. So before we get too far into things, can you give a little background on yourself? How you got into cyber security leadership, and maybe, for those that are interested, more specifically, what was your path to CISO?

MATHEW

So I love the question, because I think a lot of people feel like if you don’t go to school for security or IT or technology, then by the time you’re in your twenties, maybe early thirties, you’ve missed the boat. Actually, I wanted to be a psychologist, and that’s what I was trained to do. I have my degree in psychology, and I ran restaurants for a living. I was actually a general manager for Chili’s early into my career and decided that was not the role for me. And I got into IT and actually worked towards a networking path and really focused on becoming a network engineer. And then one day this guy walked into the bullpen where the network engineers sat at this company I was with and said, I hear you have domain admin privileges, I need access. And I looked at him and I said, why? And he’s like, I’m the new security guy, because CISOs didn’t exist back then. And he’s like, I’m testing password strength. And I looked at him and I said, I have a deal for you. I’ll give you access if you show me how to do it. And he became my mentor and brought me into security and just helped me build a love and passion for this field. And, you know, I worked my way up through the ranks doing everything from physical break-ins, pentesting, security design, up to where I am today.

JAKE

That’s awesome. Yeah, it’s unique when you hear about people’s journeys, because for many people security wasn’t just a, hey, I’m going to get a security job. It didn’t really exist, right? So, I have one question for you. One of the jokes I’ve told for years about the security industry is that if you ask 10 cyber security experts, and I am air-quoting “experts”, what’s the most important thing organizations should be focused on, you should be prepared for 10 different answers. Of course, you’re going to get the answer: whatever their product focuses on. How do you approach understanding the risk that faces your organization, and then defining priorities as a CISO?

MATHEW

You know, it’s a great question, and it’s actually something that is very hard to come up with a specific answer to, because not only does it change for different companies with different experiences in different industries and different parts of the world, but it can change week to week, month to month, depending on what’s going on in the world. You know, I change the concept of what I actually do for a living, and we really focus it around risk. It’s why I love so much what you do for a living and the company you have, because for us, we’re about risk. I’m not about prevention, and that is a big difference for a lot of people in the cyber world. You know, I was on calls earlier today with a vendor and all they talked about was prevention, prevention. They can stop these things from happening in different areas of your infrastructure. They can stop things from happening at different points in a kill chain. And for me, when I’m asked about what is my role as a CISO, not as the CSIO, but just as a CISO, it’s really about building an organization that can root out risk and give options to the business on what to do with that risk. And I’ve got a concept that I’m a big believer in called the Olympic method. Business people don’t like to be told what to do. And if you ever do research on why CISOs fail, it’s because they come into the room thinking they’re the smartest person in the room and they’re going to tell a business what to do, and that generally does not go well. So I like to give options. You give a gold option, you give a silver option, you give a bronze option, knowing that the psychology of people is that they like choices, because it makes you feel like you’re in power and you’re in control and the outcome is really determined by you. And as a cyber professional, you always try to tune your options so that silver, that middle of the road, gets you where you need to be.
And, you know, I always tell people, if you go with the gold option, that’s your Ferrari; you should probably do that only if you want to do a public release. And if you don’t want to do silver, bronze is good enough, but there’s some risk and you just need to understand that risk. And that’s how we really focus our day to day: really rooting out risk, having a lot of risk conversations. What’s going on in the world? What intel are we getting into the environment? What are we seeing that’s nuanced? And I try to shy away from, you know, block, block, block, prevent, prevent, prevent, because you’ll never get out of that fire drill. And I also try to get away from these organizations that are always looking for a needle in the haystack, because let’s be blunt.

MATHEW

I know it’s really cheesy, but what happens when you find the needle in the haystack? You bleed. So let’s focus on looking at the risk around that needle instead of just, you know, throwing up your hands looking for something bad.

JAKE

I love your approach of offering options. And for anyone that knows me, I’m a huge fan of the old-school Brain Games episodes, and they’re now streaming on Disney+ if you haven’t watched them. There are some really amazing episodes out there about the brain and making choices. And sometimes too many choices is really bad, and in other cases simplistic choices make sense. But some people will even game certain choices, right? Like you think about, before the pandemic, everyone going to the movie theater, the sizes of the popcorn and the cost, and where do you want to go, and all those sorts of things. I can only imagine you sitting there trying to figure out some of these options that you’re presenting to folks and how they can look at that.

MATHEW

It’s a lot of fun, and we’ve seen the same episodes, because I always like to tell people there’s a method and there’s a reason people like you and I come up with these things. I think too many people think we sit in a room and we pontificate great ideas and then we throw them into the world. Instead, I’ll be sitting on the couch, and I love Brain Games; it’s where I came up with a lot of this, from those kinds of shows, and it’s being able to take things and adapt them to your needs. So, yes, the popcorn episode is a great one for those that have not seen it.

JAKE

Right. Exactly. We’ll put loads of links in the show notes; we’ll drop that one in there. Alright. Hey, in 2019 you were featured in a video called Minimizing Security Risk: Shared Responsibility. And you mentioned that when people are asked who is responsible for security, everyone’s been sort of trained that the canned answer is that everyone is. But that’s kind of the easy way out, because if everyone’s responsible, then kind of no one’s responsible. So, can you give us a quick recap of your thoughts on security responsibility, and, a little bit of a caveat there, do you still think that’s the case in 2021, given the state of the world?

MATHEW

You know, things change, and what was said a year ago, what was said six months ago may not be apropos anymore. But the nuance of that I think is still the same. What I was trying to say is, if you come at it from everybody’s responsibility, sales is another great example. You always hear people who are in sales say everybody’s in sales. But if everybody’s in sales and you don’t have people that are focused on sales, that’s neat, but you’re never going to make a sale. And it’s the same for cyber for me. If everybody’s responsible for cyber security, you’re now putting responsibility in the hands of people that are not trained, that don’t understand, that aren’t focused on cyber every single day. I believe everybody’s responsible for good hygiene. Everybody’s responsible for learning and becoming better, taking the lessons that are taught by the security organization, what’s going on in your organization, what’s going on outside of your organization, and internalizing it. And I think that it has become even more important now, because in the past, 2019, 2018, when we were teaching cyber security, we were really focused, for the majority of the staff, on when they’re sitting in our office. When you come to work, this is what we expect from you. The real big change for us with cyber is that that delineation is gone. It’s: when you’re in your house, this is what we expect. As you can see, I’m in my house right now, and I’m generally stuck in this chair 10 hours a day in my house, with cyber needs that are now really different. That machine behind me, my personal email, those personal devices on this network now could potentially have a much greater impact on the corporation that I work for, and that you work for, than they did two years ago. So a lot of it is, yes, it’s more important that you take this and make it a holistic review of your cyber hygiene overall.
But the bigger point is that the cyber security organization in your company has a bigger role to play in training you and making sure they’re making their lessons relevant, not just to when you come into the four walls of an office, but to when you’re looking at the world, and that’s something we’ve tried to do. We train people to make it personal, and personal is important. And I’ll give you an example. A lot of companies talk about passwords and password strength and blah, blah, blah, this is what you need to do when you’re in the company. And a lot of employees don’t really take that seriously. They’ll do it, but they put it on a sticky note, and they only do it for work, or they add an exclamation point at the end. And they just don’t care as much, because for a lot of people the psychology behind it is: I can get another job; it’s someone else’s responsibility. But we’ve tried to switch that entire concept around to say, don’t take the lessons we teach you about phishing, about passwords, about good cyber hygiene and patching, and just worry about that machine that you were given for work. Let’s talk about your personal life, because, right, if your corporate machine gets smacked, if your corporate email gets smacked, there’s an entire team that works for me that can help you recover. But what happens if your personal email gets smacked? What happens if your bank account gets owned, or your retirement account, or that of your family, your friends, et cetera? Wouldn’t that be a much greater impact, because I can’t help you in those scenarios? So we’ve changed all of our lessons to really focus on your entire life, your personal life, your work life, your family life, all of those different components, to help make you better. And I still believe that not everybody’s responsible for cyber. That’s my responsibility. But everybody’s responsible for listening, learning, getting better, improving, asking questions, et cetera.
That answers the question.

JAKE

That’s spot on. I appreciate it. So in that same time frame, in 2019, you published another article that you called Be Secure: Speak the Language of the Board. Now, early in my career, and I would assume you probably agree with me, it was really hard to get the board to care about anything security related. Security was more seen as a nuisance; we were just slowing things down, even if we spoke a nice language and presented options. It was kind of like, you’ll get your time, get outta here. Now, I think we would probably also agree that most boards understand that cyber security is critical, it’s a top priority. But I’d argue that they’re still super confused on what the real risks are to actually focus efforts on, thinking about some of the things we talked about. And in that article about the language you had lots of sections of things to consider. What are your current recommendations for working with the board?

MATHEW

So the problem, I think, with a lot of cyber security is we grew out of being firewall admins or pentesters or physical security up to these executive roles, but a lot of CISOs don’t have a business background. And I think the fault of this is you can’t only have your mentors be cyber or technology executives. You have got to get business executives, privacy executives, internal audit executives, and board executives to help mentor you. And a lot of people spend time in the weeds and the FUD when they’re talking to boards, because they think it’s important to, I don’t know, make them feel like their job is key and you can’t do without it. And I think it has the absolute opposite impact, because it’s confusing and it’s threatening, and it’s what we’ve been talking about just a few minutes ago, that gold, silver, bronze: it’s dictating instead of talking. So I spent a significant amount of my time, as I was growing through the ranks, finding mentors that were CFOs, that were CEOs, to help me better understand how I translate risk that is cyber specific to a business need. How do I make it so that I’m not telling them what to do? I’m just exposing risk and giving plans and options and explaining things to the board at a very simplistic level. And it’s not, because board members, you know, I get asked sometimes, you’re talking down to a board member? No, I’m not. But if a CFO sat on a call with me right now and only hit me up with stuff that requires a CPA to understand, I would get wide-eyed, I would be confused. And if they, because I’m doing it to myself, dumbed it down a little bit more, brought it down to layman’s terms, I would better understand. And that’s all this is: it’s needed to talk about risk, to talk about those things that are important. And I think an example I used in that conversation was when I showed up to a board meeting.
Before the pandemic, I would drive. So I would drive to a board meeting; let’s say it took me two hours to get there. A lot of CISOs would do it as if they would talk to the board about how many times they hit the brakes, how many times they were almost in an accident, how many times the light turned red right as they were going through, how many times they saw someone jaywalking, and all of these things that are security related but irrelevant to a business executive. What they care about is, did you make it? Did you make it on time? Did you make it on cost, right? And what were the high risks? And what are you gonna do about it? And a high risk would be, you know, on my way here, I noticed my brakes were squeaking. So I have a choice: I’m going to go with regular or ceramic brakes. One costs a dollar, one costs 50 cents, and you can walk through those risks and what you’re going to do about them as an exec. I noticed a light was out on my way here. So, again, you can hear a non-FUD, very business-level conversation with options at the end, so they understand. And the story has to remain the same. Whatever framework you’re using, a CIS framework, a NIST framework, you maintain that framework the entire time.

MATHEW

Because what you’re really doing over the course of the year is you’re training them. You train them on your framework, you’re training them on your vernacular, you’re training them on the way you speak, and you’re being trained by their questions. And if you keep it at a level where they’ll actually engage with you, then you’re in good shape. And finally, I always tell people, in board meetings, if you get no questions, you’re in trouble, right? That is a problem. No matter if you have bad or good things to say, that’s a problem, because it generally means they don’t really get what you’re saying, and you’ve got to re-route that.

JAKE

No, I completely agree. If you’re not getting engagement or questions, something’s not quite right. So a conversational question is good, and you shouldn’t be scared of those. That should be a real discussion. Alright. Hey, let’s talk about ransomware for a moment here. I mean, how can we not, right? Earlier this year, you published an article about ransomware, on the ROI of being prepared. Ransomware is probably the hottest topic right now. In fact, there are a few hot takes going on right now that seriously make my eyes twitch. The first one, fresh off coming off of Black Hat, which is the first conference I’ve been to in a year and a half: there were a lot of vendors out there marketing that they stop ransomware. So that was a nice moment. And then the second one that I see all the time is we should just regulate cryptocurrency and ransomware will just go away. As a CISO, does that make your eyes twitch as well? Or is that just me?

MATHEW

You know, not only twitch, but, and I hope it didn’t come across too badly, they roll into the back of my head. Anybody who thinks that ransomware didn’t exist before cryptocurrency just doesn’t know the history of ransomware. Yes, it made it a lot easier. It has made it a lot more lucrative. But getting rid of cryptocurrency does not get rid of ransomware. And I don’t want to belittle any company that’s out there, but nobody can stop ransomware. That’s not the way it works, because ultimately what you’re saying is you can stop people, and the joke I always tell people is: click, keep clicking, right? People love to click links and they love to work very fast. They love to feel like they’re being responsive, right? It’s in our nature to quickly respond, and adversaries play off of that. To me, it is not about stopping ransomware. It is not about stopping viruses. It is not about stopping breaches. Again, the whole conversation here: it’s about, okay, it’s happened. How do you make it a non-newsworthy event? How do you make it so that the company does not have mass impact because someone acted like a human being? And there are many ways to do that depending on the industry you’re in, what controls you can put in place, et cetera. Some of the more basic ones are multi-factor authentication, MFA, and segmentation to help contain, and I mean real segmentation. I’m not talking IP-based or protocol-based segmentation that you see people doing with legacy firewalls, which is kind of useless. And training is a big one. When I joined this corporation, I made it a mission that I was gonna make every associate in this corporation paranoid. And that’s important, because I wanted them to really think about those emails they were getting.
I wanted them to really think before they click, before they respond to that one, to understand that I would never send an email out to a large group of people or to an individual going, hey, it’d be great if you could go get some gift cards for me, or hey, it’d be great if you could bypass this process and let’s go ahead and transfer 1,000,000 dollars to this company. Or I’m going to communicate via text or WhatsApp and get you to go do this thing or that thing.

MATHEW

I’m never going to do that. And that’s all training, and it’s not a once-a-year thing. It is a constant, every month, every quarter, every six months, constant training that you have to do to get people to the level where they understand that it’s inevitable that someone is going to click that link. And now I have to throw in here, even thinking about training, I think people have that wrong as well. I talk to too many CISOs and CEOs that have this weird goal, right? And I’m going to make these numbers up, but they’ll go, Mat, 25 percent of our population fail our phishing tests and our goal is to get that down to 10 percent. And I look around and go, that’s a strange goal that makes no sense to me. How many people does it take failing a real phish to have an impact on your company? And the answer is one person, not one percent. And you’re never gonna get to zero. You’re never gonna get to zero. It’s never gonna happen. So stop focusing on nonsensical things. And this goes back to the how-do-I-detect, how-do-I-respond kinds of conversations in the past, but stop talking about nonsensical things and start focusing on making a program. That’s how I designed our program here, our phishing program: I want people to fail. I want them to fail every single time. I’m not gonna make it so that my goal is to get to a five percent or two percent failure rate, because I could do that. I could send phishing tests out that are written in crayon and say, you know, I want all your passwords, give them to me. And then nobody clicks on them and I can go to the board and go, yeah. And then I might have a problem. What I wanna do is put phishing tests out there that are so difficult, that are real, that are things we’re seeing in the market. Because again, I want people to be paranoid; I want them to really look and not want to click on anything.
And then we gamified it. We pit organizations against each other for fun, right? Which group has the higher failure percentage? And it becomes a game, because nobody wants their group to be at the top of the list. So they spend a lot of time reinforcing these messages all the way down the leadership chain, and we’ve seen great improvements. I mean, great.

JAKE

I love that you still have a passion for security awareness, because I have to admit that I’ve talked to a ton of CISOs that just sort of gave up on awareness, right? The sort of joke is that, when we were all traveling, you’d go to the airport and you hear the announcement over and over on the loudspeaker: don’t leave your bag unattended, don’t leave your bag unattended. And a couple of seconds later, what bags do you see? So no matter how many times you tell them, how many times you train them, whatever the approach is, at the end you’re gonna have that people problem, right? So I’ve seen so many security professionals that kinda just throw their hands up on awareness and training, and I guess part of your point is that there is going to be a failure rate, so if you’re trying to not have those problems you gotta look at the other controls. So I love the fact that you haven’t thrown in the towel on awareness and you’re passionate about it, because I think for a lot of people it’s like they’ve given up, you know.

MATHEW

Yeah, they gave up. And again, I think if I was solely focused on a percentage goal, I would have given up a long time ago, because it’d be massively frustrating. You’d be seeing this kind of thing where you’re like, whew, everybody’s doing great, and then it goes back up, and it would just be a nightmare. But we use our awareness as actual training. And to me, I don’t worry about reporting to the board what percent. We talk about what tests we did, why we did them, what groups are more susceptible versus others. And what that allows us to do is really focus. Okay, is this group really susceptible to this type of phishing? So I can put additional controls in place for that group, which reduces our costs. And it also makes it so that staff don’t constantly feel like we’re doing something against the entirety of the corporation, and we can really focus where we put additional technical controls in place. And let’s be honest, awareness does give you, as a cyber professional, some defensibility, right? You have to give awareness. You can’t hold people accountable to what you’ve never trained them on. I mean, we’re not the government; it’s not the government’s responsibility to train you on laws, it’s yours. We’re not that, right? You have to give people that training, and you have to do it in a way that is consumable. And I’ve always found that if you test people, the test itself is the training, right? Don’t make people suffer through three hours of listening to someone like you babble on about phishing, or some industry expert, as we joked about at the beginning, babbling on about phishing and hitting them with all this FUD, because people zone out, they don’t listen, they don’t care. So you give a test, and you test, and you gamify. And it takes a long time, but you will see a change, and it will be significant to your organization, if you think about it differently.
And one of the other areas I focused on a lot before the pandemic, and right at the pandemic, was around the human side of cyber. And if you take the mentality of the human side of cyber in your training and in what you’re doing, and think about what it is the people are experiencing, then I think you’ll get a much better result.

JAKE

As a leader of what I can only assume is a decently large security organization, how do you deal with your staff, your direct reports, that constantly want to pitch you on buying new products to solve all the security issues?

MATHEW

Yeah. So it can be pretty brutal, because everybody’s got a, I mean, with my new role it’s not only security but now it’s pure IT as well. Everybody’s got the next best thing. Everybody’s got the greatest thing. So to stop that, I moved into a model that I call the imperative model. So at the end of the year, I pull my directs together and we come up with imperatives, and everything must fall into those imperatives, with budget and everything else for the year. And there is nothing outside of those imperatives. I don’t want to have discussions unless we’re talking about the next year or there’s a major event in the world that’s going to require us to shift one of those. I like the number 12. I like music a little bit. So the way I structured it with my group is those 12 imperatives are an album, and you can’t have an album of 10 songs or five songs if you started with 12. So at the end of the year, we’re going to have this great album made up of our imperatives, made up of all the sub-projects, the verses, the chorus, the licks, the lock down the chain. And that’s how I stopped a lot of the mid-year, hit-me-in-the-head, hey, any way we could find X number of dollars, I really want to do something different, or I don’t have enough to do, because those 12 imperatives are enough to keep my organization busy for the year, plus all of our others. And it gives structure, and it gives a team as well. My head of security operations, even if he got all of his stuff done for the year, if my head of app management does not get all of his stuff done for the year, neither of them are successful. So they really bring people together. And again, it stops a lot of the, I’ve got extra time, let me go ahead and buy more products. I have extra time, let me go help this other executive get their stuff done securely, obviously, so that we can all be successful.

JAKE

So what advice, or your reaction to this question, maybe, do you have to share for practitioners, more technical practitioners? What can they do or think about when they’re pitching you, when they’re pitching management to get that support, when there is a legit need for a product or a legit need to get you to consider the next imperative, the next album? What are some things that they should consider doing that you like?

MATHEW

So it’s a great question, and something a lot of people fail at. And just like you would do with your board, don’t FUD me. Don’t come in with the sky’s falling or why Bill or Suzy or Bobby are bad. And they may be bad, but stop the FUD. Show me what the problem is. It’s a pretty typical scenario; you can think of those fun TV commercials in the middle of the night. Show me what the problem is. Show me where we should be. Show me how you would get us there. Start there; forget the product, right? Because the product is irrelevant to me. If you start off with, I think you should buy this product, I’m not interested. I don’t need another pane. I don’t need another kitchen gadget, and I have a lot of kitchen gadgets. Tell me what the problem is. Tell me where we’re going to go, and tell me how to get there. And then we can start talking about, you’ve got a company that provides a service or products; then we’re in good shape. And even better if you’ve worked with that organization. And I don’t mean in the past, but I mean you’ve spent some time and you can clearly articulate, without them having to be on the phone, what they can do. You could even show me a technical demo; something that shows that you’ve put some effort into it is important. And then finally, you have to talk about why they made the cut versus someone else. So if there are 10 vendors in the world that do this particular thing and you’ve hit me with a vendor, you have to be ready right then and there to talk about why the other vendors didn’t make it. Otherwise, don’t talk to me about vendors; just talk about those three beginning things. And I’m surprised how many people do it backwards. They come in with the vendor, that’s where they hit, and then towards the end of the conversation they want to talk about what problem it fixes. And to me that is massively backwards.
I want to talk about the problems, I wanna talk about business outcomes, I wanna talk about the path, and then we can talk about products. And finally I would throw in, don’t sell me on the north star. Too many people will sell me on the outcome two, three years out, and I have no clue where cyber will be in two, three years. No clue. I mean, I have a thought process, but that can change day in and day out. I mean, who knew last year would end the way last year ended? Let’s be quite honest about it. We all thought about it, we’ve all talked about it, but we never thought it would come that quick when it did. So talk to me about milestones, and talk to me about phases, talk to me about where we should go in chunks that I can consume, so that I have something where I can talk to the rest of the senior leadership team, or I can talk to the board about this, without worrying about, hey, if you spend money today, I’ll be somewhere in three years, which again, like we did earlier, makes you want to roll your eyes. So tell me where I can get us today, tomorrow, and eventually.

JAKE

So for all you security folks out there, and lots of them that I’ve talked to, that are super frustrated that management doesn’t listen to you: there was some great advice right there, rewind it and watch it again. That was awesome. I appreciate that. All right, I’m gonna keep moving. I got more to do. So at security conferences, we typically hand out these Risk Based Security fly swatters; I don’t know if I’ve shown you one of those yet. And depending on the mood, you know, when we hand them out, we make these really bad jokes about swatting bugs, swatting bull, and one of my more favorite jokes, even smacking security vendors. And… and, you know, you can kind of call that. There are so many security vendors right now and it makes it really hard to deal with. So how do you deal with managing security vendors, and particularly the ones that over promise and under deliver?

MATHEW

Yeah. And unfortunately, that happens a lot, and it’s not only that you’ll have security vendors that over promise and under deliver, but you also have these security vendors that are like, they… they still have this mentality of, you know, don’t go for best of breed, bring it to me, because I do a ton of stuff as an organization but I don’t do any of it really well. And, you know, there’s this one throat to choke concept out there that’s still prevalent. You know, I believe that… everybody that does work here from a cyber perspective has to have skin in the game. They have to really be part of my organization. And that’s what we look at first. And I’ll give you an easy example. I’m always shocked when you go to buy a product or a service from a vendor and they don’t do all of the implementation; they expect me to. And I have this conversation way too often with sales executives, CROs and even CEOs, like, so let me get this straight. You’ve been in business for, let’s just say a decade because it’s an easy number to remember, been in business for 10 years. You’ve developed this product from nothing, you’ve implemented it, or you have 1,000 customers, 10,000 customers, 100,000 plus. And yet you think it’s appropriate to call me to sell me that thing and walk away with all the lessons learned you have? How is my team going to be successful? The answer is: now, if you don’t start, as a vendor, with me, where you do the implementation and we will watch and learn and we will become experts over time, right? Then I am not interested at all, because too many times in the past, you’ve probably, hi, this is it, you buy a thing and it sits in a room because you never have time to implement. I don’t know of any CISOs or CEOs that have staff sitting around that are ready for that next big implementation project, and they’re always rife with problems because your team is not truly the vendor expert that they are. So I hold them accountable.
And the way I like to structure my contracts is, you have a time box to get this implemented to, you know, these agreed upon points, or it’s a breach of contract and I’m out… and it’s, you know, a fool me once, shame on me kind of a thing. But I don’t do it twice. And if you fail, we’re never going to do business again, no matter where I am, because trust… is, you know, is a huge thing in the cybersecurity world, because I put a lot of faith in my vendor partners. So that’s the big thing we require: they have to do the installation.

JAKE

That’s… that’s great. And then for any of our viewers that are founding companies or are in the startup world, it was a lesson that took us a long time. The… the learning that support is just as important, if not more important, than having the best product, and implementation is… is, it is a huge part of that… that… that is, that’s great to hear that’s important to you. All right. So, look at… oh, you’ve got it? All right, please.

MATHEW

I have to jump in, Jake. One of the great things even about your organization is you can get support from you, right? It doesn’t require an engineer. And… and to me, that’s the other piece that I just had to throw out and give you some kudos: when you can talk to executive leadership and they know as much about their product as any engineer in their organization, maybe not down to code level, let’s say, but they have that passion, that puts a lot of faith in people like me and my team, where they… they don’t feel like 42 people have to show up to a meeting because it’s a bunch of executives, or like, can we hurry this up? I have coffee and champagne coming up, and the one engineer talks. When… when you’re able to have the conversation up and down the stack at an organization, I have to throw out that that’s also very important and something you do very much.

JAKE

Well… I appreciate the feedback, and that is, it’s super important to us. I recommend anyone in the security industry, you know, know, you know, your own product, be able to, you know, sell your product and make sure it’s delivered the way it is. And I think as well, as organizations get bigger, they… they tend to lose that in the security industry. So it’s sort of a core principle for us. But, you know, you and I, when we first met, we were talking a lot about risk and risk scores and risk based security. And, you know, we define risk scores as asset value times likelihood times vulnerability exposure. And that gives you a risk score. And some people, you know, I’ve gotten into great arguments with them, or let’s call them debates, about how that’s too simplistic and it needs to be a lot more in depth, whether it’s FAIR or this or that. But… but we believe firmly that… that approach gives the ability to have that conversation at an organization in a… in a way that makes sense. So where I’m leading to a question is… is really about those assets, understanding your assets, right? Because, you know, without understanding your own assets, it’s really hard to really understand risk and then prioritize those remediation actions. So, what are your thoughts on large organizations? And I’m not trying to get any super secret stuff or call out what you’re doing at Unisys. But what are your thoughts on large organizations that are struggling with asset inventory? Or they just say…?

MATHEW

Well, hopefully nobody out there ever says, I have no clue, and that’s good enough. So let’s go with what you were saying. Really simple is better. You could always make these formulas way complex, right? You’re not trying to do cryptography here. You’re trying to make this nice and simple, because simple is something that’s standard and repeatable, right? If it’s overly complex, then the nuances are going to be a disaster. But you cannot have a cyber program, you cannot have a security program, without knowing what you have. On top of knowing what you have… you have to know what it’s supposed to do, not what it’s doing at the start, right? What is it supposed to be doing? Then you can map to what it’s doing, and then who’s responsible? And it’s that third piece a lot of companies forget. An asset may act wrong, and we’ll just use the simple term, wrong. But if you don’t know who to call, if you don’t know how to get in touch with someone, the information is useless, because you don’t have one day, you know, two days, one week, one month to find someone; you have generally seconds or minutes in the best case scenario to do something about it. So it… it requires you to really spend a lot of your time on your CMDB and understanding all the flavors around it. I think the other thing a lot of companies are struggling with… and there is no one answer to it, they’re… they’re just simply not, is that the CMDB can’t be an annual exercise. It’s gotta be in real time. It’s gotta be updated automatically, or a lot of companies would say automagically, right? It’s gotta be able to pull in information all of the time, because we know this stuff changes, and it changes on a pretty regular basis. And it doesn’t take a large company to have this problem. Even small companies can have problems, depending on how you define that small company. You may have 50 employees and thousands of assets, depending on what you do for a living; you still run into those same problems.
If you’re international like we are, and you have people all over the world with different divisions, you know, having that CMDB is very important. I think on top of it… it also goes back to something we said earlier, where segmentation is so important, right? You don’t want one group who’s doing it very… very well to be negatively impacted by another group that is not, right? And you’ve gotta be able to… to discern these things, and discern them quickly. So, yeah, CMDB would be number one. It is base. It is prime. It is, if you don’t have it, that should be your number one focus, because you cannot secure that which you do not know.

JAKE

Alright. I wanted to do a quick lightning round with you. So I’ve got a few sort of… security technologies or categories. Let’s call them. So I’ll say the buzzword security category and perhaps maybe then you can give us your take on how you view it. You think you can actually help maybe any gut reaction. Alright? Sounds fair. Alright. Sure. Alright. First one is supply chain security.

MATHEW

Man. I think this is third party risk management. I am always shocked how poorly people do this. You know, you’re putting your… your crown jewels in other people’s hands and you’re doing no risk assessment on them. I think it’s crazy. But I think the number one thing done wrong is they treat everybody the same. To me, you have to break them up into categories, you know, have tier one, tier two, tier three, with different, you know, different audits associated, different requirements associated. And I’ll give one little trick of the trade. If you think the cleaning crew is the lowest tier, you’ve got that backwards as well. Cleaning crews in my world and in your world should be treated just like you treat people who actually have access to your crown jewels, because they do; they’re in your offices every day.

JAKE

Attack surface management, as it’s being called now.

MATHEW

I still haven’t figured out what attack surface management means and why it’s there, because let’s be blunt: everything, whether it’s exposed to the internet or inside of firewalls, using routable, using non-routable IP space, you know, using systems or operating systems that have never had a vulnerability or using ones that have had massive vulnerabilities, those are all attack surfaces. And the other problem I have with ASM is most companies that are talking about it tie it to assets and forget that, Jake, you are an attack surface. You… you, your body, your… your mind, you yourself are a massive attack surface, and they seem to forget… all right?

JAKE

Here’s the next one, and you and I are in the old, you know, what’s… what’s old is new again and rebranded. So this is the rebranded version of honeypots: deception technology.

MATHEW

That’s a dangerous world. I mean, honeypots in themselves are boring and dangerous, and there’s real good value for honeypots. And I… I know a lot of organizations, including us, that… that use them for certain things. But deception today is something I would not spend my money on. There are plenty of other things that I think organizations should be doing with their resources, with their money, than trying to trick adversaries. Why expose yourself to risk that is not needed? Why are you trying to put something out there that makes it look like you’re doing something you’re not? To me, you should be focusing your efforts and your money and your time on doing the basics and doing them well, not trying to see if people…

JAKE

Alright. Last one, this one’s a doozy, zero trust.

MATHEW

I love zero trust. I’ve given, you know, pages on this. I love… I love it, but I hate it when it’s tied specifically to tech, because again, I think you’re coming at it wrong. Zero trust to me is mindset. It’s a mindset. It is changing how we think about the world, and actually it’s not new. It’s changing it to go back to the way things were early on. If you think about some of the old lattice models, capabilities, some of the… the way cyber was originally created, you start in a place where we don’t trust anybody, even an authenticated user. And if you change it, and stop worrying about the tech that is sold alongside, or the companies that brand themselves as zero trust, and you worry about the psychology of it, against a psychological background, I think it can be very powerful, and you could start doing things like, you know, dynamic provisioning inside of an environment. I’ll give you a simple use case. You know, five years ago, 10 years ago, if you showed up to an office, if you had access to 100 computers on your network and 20 applications, when you logged in… in the morning and, you know, put your username and password in, you had access to everything at that time. And everything you did was considered a known good, right? You’re a known good because you authenticated; your system was a known good because a valid credential was used with it. And, you know, let’s say I tied it to your badging system, it was a known good because we saw you, Jake, come into the office. For me, taking everything else aside, zero trust is simply getting rid of all of those known goods. Yes, you authenticated, but it needs to be continual. Yes, you’re doing what you normally do every day, but it needs to be scrutinized to make sure there’s no variance to it. And, you know, again, I mean, we could spend an hour on this one topic. But if you start to look at it from the psychological side and the human side, zero trust can be very powerful.
If you come at it from my product and you will have zero trust, people like you, people like me, we’re probably sitting off to the side laughing hysterically and wondering how you’re going to figure out the ROI on that?

JAKE

All right. I got two final questions, and I’m gonna try to be a gentleman here, because this is pure gold. I appreciate all your… your thoughts you’re sharing. So, for companies that are struggling with too much work, too many assets, too many vulnerabilities, and they’re listening to you and they’re going, but he’s got an army of people and massive budgets. What… what… what do you say to the folks that, you know, maybe don’t have the resources, or they’re just feeling overwhelmed? How should they get started with the risk based security program that we’ve been talking about?

MATHEW

Look, at the end of the day, if anybody thinks any organization has enough money and enough people, no matter what size, how big a company is, you’re wrong, right? I know the outside looking in always makes it look like you have plenty of people, plenty of money, but you never… you never do. So you have to start with that foundation. And to me that’s why the imperative model is so important. I could probably list out a thousand imperatives that we should be focused on, but you have to focus on the top ones, and the ones that your team and leadership agree on. And for me it was 12; for you, it may be three; or you may be in a larger organization where 12 isn’t enough and you need 30 or 40. But if you can limit yourself to a set of programs and projects that you will complete in a time box, one year, six months, one quarter, it does not matter what your imperative schedule is, it takes a lot of that stress off, because, you know, as we’ve talked about in this conversation, you could be hit every single day. What they, you know, the problem is yours, the risk is yours, the thing that’s going on. And if you… if you couple that with, stop worrying about prevention and constant prevention. I mean, even the name of your organization, you focus on risk based security. You focus on the risks associated, build your imperatives from those risks, I think you’ll get a lot of that relief that you’re looking for. And finally, stop thinking that you and your organization are the expert. It drives me nuts when I have conversations, when I used to work for product companies, where they would not take our help. I’ve got the best and brightest people in my company, I don’t need your help, and it’s like, stop feeling like we’re here to, you know, unseat you or dethrone you or make you feel dumb. We happen to be experts because it’s our product. Let me help you. And you in cyber should be eliciting that help as well.
Because a lot of the stress we feel is when we buy these products that we can’t get them implemented or we get them implemented incorrectly, or 50 percent or 80 percent or even 90 percent.

And now you have a problem. So let’s let those companies that we are partnering with help us. Bring them in, make them work with you, even to the point, we had situations here and… and at other companies where, if you have a security operations center, one of my requirements was that our major vendor partners would have people sitting in my SOC, to be there with us. We gave them a desk, we gave them a cube, we gave them an office; it does not matter, but they were there so that they could work with the team, and that should take a lot of pressure off your shoulders. And then finally, stop going it alone. In cyber, we are all on the same side. We are not in competition. You and I are not in competition; even if we sold competing products, we are not in competition. So join all of the different programs that are in your region, and with COVID they’re now international. It’s no longer at a restaurant somewhere, or the library, or a bar; they’re on Zoom calls, they’re on Vimeo calls, they’re on all of these different platforms. Join them, listen, learn, provide your expertise, because you’d be surprised how many times people want to help each other and help you with problems you’re dealing with.

JAKE

So, my final question is about staffing, security staffing, and then with… which kind of has an angle of folks that are looking to make a career change to get into cyber security. One of the big challenges is that while there are open jobs, a lot of organizations want to hire folks that have experience, that have been there and done that. You know, we’re not… we’re not seeing a lot of folks that are super excited about bringing in brand new folks and training them from… from scratch. So do you have any thoughts or recommendations for both companies, but also for candidates, on maybe how to overcome this lack of experience issue on the resume that might be slowing them down or holding them back?

MATHEW

Yeah. Look, at the end of the day, I think companies are where we should start, and they’re doing it wrong. Finding a CISO with 15 years of experience or 20 years of experience, you’re… you’re limiting yourself to a candidate pool in the hundreds, not in the thousands or millions. And that to me is insane. Your company should be looking for people with very diverse backgrounds. You know, again, psychologists; I’ve had people who have joined me that are amazing because they come from a political background. They come from all sorts of places… that… that are… non cyber related. And they bring a very interesting perspective that I think is really… really important. And you gotta know that when you’re looking for cyber people, you… you have to think outside the box, and that’s not just a regional thing. So looking at different sources, from retired military to government to, you know, hiring people in your organization that may have an HR background, may have a psychology background, may have an accounting background, can really bring some interesting perspective into your group that a lot of people, I think, are missing. When it comes to candidates, stop trying to go at companies that are demanding these kinds of requirements; it’s probably the wrong company for you, because they’re going to have an insight into something, or a desire for something, that you’re just not going to be able to give. And the biggest thing you can do, in my opinion, is get a mentor. If you want to get into the cyber world, there are plenty. LinkedIn is a great place. Your friend groups are a great place. The company you work for could be a great place; find the mentor in that world. Fortunately or unfortunately, depending on your perspective, a lot of the hires that are done in the cyber world are not about what you know, it’s about who you know, because trust is one of the foundational things that we need in this world. I have to trust all of my people.
I have to trust that what they’re doing is correct and that they have the right mindset and right passion and right ethics in their day to day. And I can get a lot of that trust quickly if someone I already trust vouches for them. So mentors are very… very important.

JAKE

All right, there we have it. Thank you for letting me jam in so many questions. And Mathew Newfield, Chief Security Infrastructure Officer at Unisys, I really appreciate you taking your time and… and sharing valuable insights with us today.

MATHEW

Yeah, it was a pleasure. I wish you the best and thank you for everything that you do and what your company does. And I look forward to talking to you soon.
