Global CISO Forum Podcast – Awards Series: Jared Carstensen

In this Podcast:
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation Infosec Tech & Exec Awards Finalist! For the next three weeks we will be interviewing the best and brightest in infosec who have been named finalists for the CISO of the Year, Certified CISO of the Year, Most Improved Security Program of the Year, and Most Innovative Security Project of the Year. Learn more about our finalists here.

Listen

Download this Podcast

Transcript

Amber:
Welcome to a special series of the Global CISO Forum podcast, honoring the EC Council Foundation InfoSec Tech & Exec Awards finalists. For the next three weeks, we will be interviewing the best and brightest in InfoSec, who have been named finalists for the CISO of the year, Certified CISO of the year, Most Improved Security Program of the year and Most Innovative Security Project of the year.

Announcer:
Welcome to the Global CISO Forum. The podcast for information security executives.

Amber:
With me today is Jared Carstensen he is the Chief Information Security Officer for CRH PLC, but perhaps more importantly he’s a finalist for the CISO of the Year, the InfoSec Tech and Exec Awards are happening next week in Atlanta at the taping of this show. He will be among the finalists there hopefully one of the winners. Welcome to the show.

Jared:
Thanks for having me guys, privileged to be here.

Amber:
So congratulations on being named a finalist. You and I were talking a little bit beforehand about how you’re in a very tough category. The panel had a hard time narrowing down even to get the finalists list which was supposed to be five but is much more than that. So it’s a competitive one this year.

Jared:
Yeah absolutely but I think it’s great for the industry, I think it’s great for so many strong people are being put forward, being nominated by their peers. Really I think that’s what our industry needs at the moment I think it needs strong people operating across numerous areas. Ultimately I’m looking forward to meeting everybody next week because I think it’s a great opportunity for me to learn from many of those people who’ve been nominated too.

Amber:
Yeah we have an interesting group of people. It’s a lot more diverse than other years so that’s something we’re pretty proud of. You of course are one of those interesting people.

So in your nomination it mentions that you are the youngest CISO across FTCSE one hundred companies so tell us about that.

Jared:
It’s obviously great and fantastic that I’m seen as above the youngest across the FTCSE one hundred companies. I don’t think there’s anything inherently different about the way that I joined the security industry. I think it’s something that I’ve always been passionate about. One thing I’m really lucky to do is as I go around and working for a truly global company I get to meet so many forward thinking proactive security people that I think learning from their experiences learning from their insight has really helped me along the journey.

Working globally around the world, working around all different cultures, industries, different languages, different approaches to security I think has really helped me in my career so you never stop learning in the security industry.

Amber:
Well at EC council we agree obviously. So tell us a little bit about CRH PLC. It just sounds like a bunch of letters but … Global consulting company?

Jared:
No not a consulting company at all. We are the leading building and materials firm in North America, and the second largest building and materials firm globally. We have three thousand nine hundred operating locations, eighty nine thousand staff.

I suppose in everybody’s daily lives as you go along the place where there’s the roads you drive on, to the buildings that you stay in, or the houses that have been built, or the shopping mall that you’re in, pretty much all of those products is exactly what we do.

So it’s an extremely extensive company portfolio of products that we do offer, and I suppose what makes it really interesting from my perspective is we’re not just a financial services company where all of the environment is critically important and largely standardized. We have three thousand nine hundred operating locations so that’s a mixture of industrial controls systems, manufacturing, processing, editing, your HR, your marketing, your PR, through the finance teams, through the IT functions.

So it’s incredibly diverse and incredibly exciting and it’s a fantastic forward thinking company where I think people really now get what the value of security is and why it’s so critically important. If you look at it from an industrial control system that’s making cement or asphalt or any of those. The risks associated with that are really different. If you speed up that machinery you can cause physical damage and people can die. So that’s really different from your typical financial sales company or anything like that. Being across that many locations is something that we really need to work closely with every part of the business to ensure that they’re adequately prepared and adequately equipped firmly.

Capability and the maturity perspective to meet the needs of the company from a cyber security perspective.

Amber:
It sounds like it’s kind of a sprawling company, sort of all over the place. We were talking a little bit about your travel. What’s that like, trying to get your arms around all the various components of this gigantic company and then trying to secure it? How have you been able to do that?

Jared:
It’s been such an exciting journey. We’re in thirty one countries. I suppose we’ve grown over the years largely through acquisitions and then the interesting part of the integration and the on boarding of those businesses. Getting out and more so than anything it’s about the people. Getting into the businesses, helping work with them.

I think often in the security industry many people are seen as the “No” guy, or the “No” person, when they say, “No you can’t do that”. I don’t think security can continue to function in that mindset I think it’s working with people, helping them understand, bringing them along as part of the journey. I think as a security program we’re very much people first, and helping them solve complex business problems as opposed to saying,”No you can’t do that,” from a security perspective.

Amber:
Something that the panel really highlighted with your nomination was just one simple sentence. That you’re an advocate of making security simple and actionable for all. Something he practices throughout his daily interactions and activities.

I haven’t heard it put that way but simplifying and making it actionable as opposed to just giving people a bunch of information that maybe goes over their head, that’s got to be extremely helpful as your ruling out security policies for brand new companies and they have employees that all of a sudden work for a new company now. That’s got to be very helpful to have that perspective.

Jared:
You know it’s funny I have often been left scratching my head at … You kind of walk out of security sessions in other companies and you see how people approach it. Many people take the hard line approach when it comes to security. You know,”This is the way it needs to be done,” and,”Policy states this,” and those sorts of things.

I often think that this is an area that everybody is interested in at the moment. I don’t think that there’s anybody you mention cyber security to or information security to and they’re not intrigued and being willing to listen. Then I think the owner’s fall back on to people in the security industry to make that stick, make it relate to them. I think the ability to tell stories and use analogies can never be underestimated. When you can explain in simple terms to someone why something needs to be done, and use real life examples, I think that’s incredibly powerful.

I was part of a meeting the other day where an external party was trying to explain the benefits of VLAN, segregation, fire walling off, and I could kind of see people in the room didn’t really get what that meant. By using an analogy where you talk about a house and the internal walls protecting from fire damage and those sorts of things, suddenly you could see people going,”Ah, I get it now.” I think really using analogies and story telling and simplifying it for people is really where it’s at. I think that’s something I will continue to do and I think it really helps people and brings them along.

If you go into a room with a bunch of scientists and they’re talking about chemical components, that’s not really going to be easy for you to understand if you don’t know the subject. The more people can interpret the more they can use stories and the more they can use analogies and make it relatable. I think that’s really important. We often describe our security program as promoting the benefits of wearing seat belts rather than being seen as the hand brake.

Amber:
That’s interesting too. It seems incredible that we’re still having to say this. You have to know your audience, speak at their level, without being patronizing of course. It just seems like that’s something that CISO still struggles with? Just going in and talking technology to people and not modulating for who they’re talking to? So it’s nice that that was part of your nomination.

Another thing that stood out to the committee when they named you a finalist was your volunteer work. You volunteer as part of the Safe and Secure Initiative, tell us about what that’s all about.

Jared:
It’s something that I’m pretty passionate about. I’m pretty fortunate that I’m surrounded by many people who share that passion. Growing up information or cyber security was never a career path, really. IT was probably one that most people could recognize with, but obviously information and cyber security has now become a formalized career path that many people are working towards.

Back to the real world every child now from age probably two and up is using technology quite extensively. My own daughter, she gets her hands on my Ipad and wow watch her go type of thing. You can kind of see from that young age kids are immediately drawn to technology and now they’re using it so extensively throughout as they grow up. The big challenge obviously is that the internet is one of the greatest inventions of our time, but the dangers that lurk around with that are here for everyone to see. Spending time educating children as part of being safe online.

Interestingly enough in our own business we held a couple of lunch sessions where we did the same for parents, because many parents don’t know what to do to keep their children safe online. So the Safe and Secure Initiative is fantastic and there’s many great volunteers that work with us locally here and out to deliver to school children. You know the kids love it. They absolutely love it and it’s fantastic. They have a little bit of fun along the way and they can learn. It’s all the better. If we can make the internet a safer place for them, well that’s fantastic too.

The one thing I would say it is very terrifying standing up in front of a bunch of schoolkids talking about the internet and what they should and shouldn’t be doing because I tell you one thing most kids are so smart and they know exactly what to do nowadays, it’s incredible.

Amber:
That’s interesting, just watching the next generation and how far ahead they are of previous generations as far as knowing how to use technology. It’s going to be interesting to see how the industry will change as they hit the job market.

Another part of your nomination that really stood out … You’ve got a volunteer role and also written a book in 2014 about cloud computing and the risks involved. Tell us about your book.

Jared:
That was my first book. I co-wrote it with a German by the name of Bernard Golden. They brought some great experiences into it too and really I suppose probably about 2011, 2012 I started doing a couple of talks around cloud computing and how it needs to be done right. Obviously the countless benefits that it brings are fantastic. In sharing when it’s gone about in the right way and the transparency around some of the risks that are associated with it and allowing companies to mitigate that and make informed decisions before moving to cloud based services.

We sat down and we sketched that out. It took us about ten or twelve months between us. It was a really interesting and really exciting opportunity, and one that I suppose is … It’s been great. People that you never would have spoken to in any part of the world will just reach out, drop you a message and say,”Hey I read your book I love how you mention this,” or,”Do you have any tips on this?” That’s really fantastic. I’m in the middle of writing my next one, which is around running large scale cyber security programs.

Again touching on really simple areas. From an inexperienced person’s perspective, how to run successful cyber programs, and indeed from an intermediate or an advanced person to see some tweaks that could be made, getting successful security programs implemented and delivered within organizations. It’s something I enjoyed doing and it’s something that I’m quite passionate about.

Amber:
Yeah that’s evident from your nomination. You had several supporting nominations that came from different people, and they talked about how you’ve been a transformative force for the culture of security in your current company. In fact it seems like Joe Davies, is that your direct boss? Is that who you report to?

Jared:
Yes.

Amber:
Okay. So he wrote a glowing nomination for you. It seems like you’re getting a very good performance review this year if you haven’t already. He’s very happy with what you’ve been able to accomplish, but really talks about how you’ve transformed the culture and it’s led to better outcomes for everybody. So it seems like your enthusiasm and your well roundedness is great. It’s doing nothing but good for securing your workplace.

Jared:
Those are obviously fantastic to get and it’s great to get the recognition from your peers. I think like anything we rely on every single person. I often describe cyber security or information security as the ultimate team sport. It’s something that if you look at the leading sports franchises or teams in the world and how they do things well. The parallels and the comparisons between security are there.

It’s everything from making sure you have your sponsors, you have your endorsements, you have your people, your backroom staff who are working with the people on the front lines to deliver it. It’s all about bringing in part of the strategy. Having all the supporters on board and buying into it. I often speak of security starting at the front door, from the receptionist all the way up to the CEO. We’re only ever one click away from an issue. Getting out there and working with the people as part of the team sport that security is I think is critically important.

It’s always great to get the support as well as the endorsements of your colleagues and your peers but everyday is another fresh day and we need to go on that journey again and bring everybody along with us. The more we can reach out and get to those people within the companies and the more we can help every single one of them. I often think every person that we train in terms of security and to be aware, becomes an extension of our security team, because they’ll help us along the journey.

Amber:
Really your nomination seems to highlight your focus on people and how they are resources to making everything better for the whole company. Another area of the nomination that stood out was that you’ve helped develop a multi year security strategy using buy in from stakeholders from all over the different areas of your company, and you’ve been able to implement this strategy. Can you tell us a little bit about that?

Jared:
Yeah absolutely. I think like most security strategies they’re based on an understanding of what matters most for the company. Being able to prioritize and focus in areas that are most critical to us plays a core component of our security strategy. The key thing that our security strategy is that it’s linked closely to our business goals alignments and our business strategy. I think that’s echoed throughout the document. For people to get it and to understand it, we can’t be seen as a function that’s going on a solo run or somebody that’s going through to push a technology agenda or security agenda.

We work for the business, and we are there to support the business outcomes and allow them to realize their goals. We spend a lot of time with various departments across our organization. Understand where they’re going, understand how they needed to get there, and how we could shape our security activities to make a safer environment for everybody working in our company to support those outcomes and those goals. So never losing sight of the fact that we work for the business and we want to ensure that the business is successful. That’s probably one of the biggest things regarding our security strategy.

Amber:
That’s very interesting. Obviously this is glowing from start to finish you have a lot of different people chiming in about how great you’ve been for the company. Tell us how you got started in information security.

Jared:
You know it was a really interesting journey. I kind of look back and I look through the various stages of my life. When I grew up my dad was a fire fighter and I kind of always looked up to my dad. The idea of going in and saving people and putting out fires and helping people that had been in accidents was always something that I kind of looked up to him to do.

As I got older I flirted with the idea of …. Being a policemen would be so great you know you get to uphold the laws, the values, save people in danger. I was incredibly fortunate at the time that I was growing up that Nelson Mandela became president of South Africa. He was making a significant number of changes to the country for the better from a leadership perspective.

Looking back it’s kind of ironic because there was never a career path for information security or cyber security but looking at each of those things, they’re exactly what security is all about now a days. It is having that leadership, it is making positive changes in the environments around you, it is protecting people, the assets of the company, the environment that you’re in, making that safer. You know, look into security so that the odd fireman, the odd accident or two that we need to respond to and help those people too.

To look back it’s interesting to see how the three things that I really looked up to and really admired led me to the career path that I’m in today.

Amber:
That’s really interesting. I like the story about your dad. There are parallels I hadn’t thought about. That’s very cool. So you’ve been in the industry for quite a while, even though you are young for a CISO. How have you seen it change? How have you seen executive leadership in information security evolve?

Jared:
I think it’s changed a lot. I think for many years there were people doubling up as CIO’s with the responsibility for security. There were people acting in ordered capacities that had responsible for security. There was compliance functions and people that were taught with elements of security. Then there was the clear IT security team.

I think many of those now have moved on to the next level. Quite rightly so because the world that we live in has changed quite significantly. Definitely seeing less of the IT security reference, because clearly that’s only the one part so if we’re focusing only on the technology piece well we’re missing out on probably the most important one, which is the people too. It’s probably been a significant transformation for many companies.

I think the leadership side of security has dramatically changed too. Many of us now are reporting straight into order committees, straight into board. It’s a topic that they’re really interested in and I suppose within our own organization they’re very forward thinking they want to know a lot of things in terms of where security’s at and what’s coming over the horizon. Which is fantastic, and it’s great to have that level of support around the topic.

I think it’s less of the compliance focus, kind of checkbox security, now to well okay, what does good security look like for a company? So I think there’s been a significant transformation, I think there still needs to be a lot of transformation in the industry. More often than not if you communicate in a manner that people can understand it’s easier to get that transformation than talking about IT problems or IT solutions or IT security.

Amber:
Right that makes sense. Looking into your crystal ball, what do you think the trends, the challenges, how is the role of the CISO going to change in the next five, ten years?

Jared:
It’s an interesting one. I need to get that crystal ball, I don’t know where that’s at. It’s definitely going to be far more public position and in terms of far more visibility within an organization. The days of the security person being buried two or three layers below and then going through somebody else to report the updates. They’re probably changing quite dramatically. I think people want straight answers to straight questions now and from a board and an order committee prospective these people now need to know about the challenges.

For the most part people are now getting to understand through education and through engagement that you cannot stop every cyber security attack. You cannot stop every breach. Back to the thing, one click away. We’re one click away from an email of having issues. It’s now shifting that focus from,”Okay, stop everything,” all the time, which we know simply doesn’t work, to actually,”How equipped are we now to respond and stop the bleeding and to recover?”

I think that journey is going to continue to take some time and I think the most forward thinking and proactive people in the security industry will be able to communicate that and bring those people along with that journey when they show how they can increase the capability and maturity across the areas of being prepared, being able to respond, having plans in place, and really being in a position where that maturity is there to support the business in the event of a breach or an issue.

Amber:
That’s a reasonable guess for the next crystal ball, ten years in the future.

Jared:
There is no sign of attacks slowing down so we’re only going to be busier and busier.

Amber:
Yeah that’s for sure. No sign of attacks slowing down and also it seems like from every new direction. It used to just be … Well I don’t know you can speak more intelligently about that. It just seems like there’s so many more vectors, so many more motives. There’s crime, there’s terrorism, it’s just a lot of different things happening all the time and probably more will develop.

Jared:
Being truthful with ourselves as an industry we still haven’t solved many of the problems that have been around for many years. Social engineering, phishing, you know there’ still right up there still with some of the biggest threats that we’re dealing with on a daily basis. Those old historical problems have never gone away they’re only increasing and amplifying and in truth they’re now far more well thought out, well planned out, and well executed.

Gone are the days of the really bad spelling e-mails on the phishing stuff, and the grammatical errors. Now they’re becoming far more crafted and difficult to identify. That means that we need to raise our game and we need to help our users to be prepared to deal with that. It’s a challenging environment, it definitely is.

Amber:
CISOs have crazy hard jobs. That’s all I’ll say. I don’t know how you do it.

Jared:
I think if you love something and you’re passionate about it … There’s not a single day I haven’t gone into work and been excited about what lies ahead. I think cyber security really presents an opportunity from a career perspective and from the perspective of people getting in to doing genuinely interesting and challenging jobs that have massive job satisfaction. No two days are the same in cyber security.

I think if you’re keen and you’re willing to solve problems and challenges and work with people, and you’re passionate about the area, I don’t think there’s a better place to be than working in security at the moment.

Amber:
Agreed. That’s very cool. Well thank you so much for taking the time to come and talk to us and I look forward to seeing you next week in Atlanta.

Jared:
My pleasure. Thanks for having me Amber.

Amber:
Thanks Jared. That’ll do it for this episode of the Global CISO Forum podcast. The show is produced by Saba Mohammad, edited by Shandiin Tome. You can help the show by subscribing on Itunes or Stitcher, and if you would leave a review for us that would help other people find the show. Until next time, this is Amber Pedroncelli.

Announcer:
Thank you for tuning in to another edition of the Global CISO Forum. The podcast for information security executives.