CISO Program Manager, Amber Pedroncelli, sat down with Bobby Dominguez, a finalist for the CISO of the Year Award for the 2016 InfoSec Tech & Exec Awards.
Bobby Dominguez is the chief strategy and security officer for Lynx Technology Partners Incorporated and he is nominated for CISO of the Year at the upcoming Info Sec, Tech and Exec awards that EC Council Foundation is hosting. Welcome Bobby.
Bobby: Thank you for having me. I appreciate you inviting me to speak with everyone.
Amber Pedroncelli: Absolutely. Congratulations on being nominated and on being a finalist for the award. We are pretty excited to see your nomination.
Bobby: Thank you. I’m very honored and excited about the opportunity. The chance to claim the award, hopefully.
Amber Pedroncelli: So reading your nomination, you’ve been in information technology for over 30 years. Tell us how you got started in that.
Bobby: Yeah. I studied in college aero-space engineering and electrical engineering. Computers in the 80’s were just a hobby for me. That hobby actually turned out to be my career because I was actually making money doing that. And so I started with the early computers and learning how to program and learning how to manage data bases. And then in the 90’s I worked on projects doing product management, program management for a variety of consulting companies. And did a bunch of work for the Office of Naval Intelligence, a couple of nuclear power plants and their disaster recovery plans. So all of that was building towards my career in security. But mostly it’s been a pretty deep dive into almost every aspect of information technology. From the technology, from the technical side, network servers all the way to the management and business side financing and strategic planning. Things like that.
Amber Pedroncelli: So how did you make the jump from being kind of an IT guy to full time security?
Bobby: So in the 90’s I was responsible for me and 5 others starting up a dot com and I would call it one of the first social networks out there. And as part of that process of setting up the dot com we received attacks from the early days of the Internet and the world wide web.
So I had to put in programs. And I had learned how to do some of these things both with my contracting work for government agencies as well as other private sector companies. And I applied that over to the matchmaker side. Matchmaker.com was the site that I set up. From that environment, from those lessons learned in my career in IT, I was able to apply and create a security program that I didn’t really understand what we had in place until we were acquired in 2000 by Lycos, if you can remember the old search engine. And when they acquired us, Lycos didn’t have a security program in place and they saw what we had in the Match Maker world and were very excited and had asked me to do the same thing for them. So that was really the beginning of my official career in security although I’d always done an aspect of it, throughout my IT career.
Amber Pedroncelli: Wow. So you might be one of the very first security practitioners then.
Bobby: Well I wouldn’t say the first but I was definitely at the front of the race with a lot of other people early on in the program. When we built Match Maker back in the late 80’s it was …we were on the Internet before the World Wide Web. That’s how we exchanged mail in our distributive database and things like that. Back then we didn’t have consideration for authentication and encryption and all the things you see today that are normal in the security program.
Those are things that we had to do because we were dealing with people’s personal information. Again there were no regulatory constraints. It was very, very early Internet. No World Wide Web. Text was used to send data around and we would encrypt that wherever possible, with the technology allowed because people were putting in their personal information for online social network. Basically, what we call today a dating site. So it was early. It was fun. It was the Wild West back then.
Amber Pedroncelli: That’s really cool. So something that pops to mind, you mentioned getting your start in the dot com era and that bubble eventually burst. Do you see any parallels to the way security…there’s more security products than ever. There’s more security services than ever. Do you feel like we’re in a bubble that could potentially burst as far as security minded applications and products?
Bobby: Well if it’s a bubble it’s a very different kind of bubble because it’s not one that’s influenced by it’s own internal dynamics. If you looked at the way the Internet bubble was created it was the people who were doing the Internet and creating the Internet that were just constantly creating new products and new services. So that was a bubble and it burst a couple times.
When you look at security, security is being driven by outside influences. You have the threat landscape, the threat actors. Nation states coming in. It’s folks who are looking…the old fraud threat actors. The people who would steal your money by using your credit card and not stealing your entire identity. So that’s an external influence also. You have nation states, you have hacktivists, you have people who have financial interests to get access into the system.
On the nation states I’ll break that up into two pieces. You have the cyber warfare which we’ve seen plenty evidence of that from other countries but we also have espionage which is not just corp to corp but you see a lot of countries trying to establish footholds inside of other companies that might have some new intellectual property that they want to steal or they want to duplicate. The outside influences are driving a lot of the security demand today. I think that’s also coupled with the regulatory environment. If you look at how many regulations have come into play, that just continues to escalate. The more events that occur, the more things that happen are in the news, the more governments feel they need to step in and try to do something to stop the problem. It’s those two combinations that are really driving this, fueling this bubble. Really I do not see a stop in that bubble.
Where I do see a change though will be in the focus. It’s a strong focus right now and the latest and greatest technology. I think we’re finally starting to see technology moving to an area that truly addresses the security problem. Because ultimately a security problem is a people problem. Technology isn’t an enabler but it really is a people problem. Whether that is a person that enables the hacker to get in by inadvertently clicking on an email, phishing: the attacks that come in through an email that look legitimate but are fake. Whether that is a person that picks up the USB drive they found in the parking lot. And we use that as an overused example but it really does happen and it still happens today.
So we have the people on that side and then we have the people who just make mistakes because technology has gotten so complex and so diverse. I see this as continuing. Its face may change. The focus may not be on technology itself; it may actually get into more technologies that focus on behavioral analytics, data centric security. Things that are a little harder to analyze and protect against but that’s where it’s heading.
Amber Pedroncelli: OK so you see some of the…maybe the advances in big data, behavior analytics, those kinds of things as moving away from just nifty technology products and really focusing on, like you said, the big problem in security which is people, the weakest link.
Bobby: Yeah and to clarify, when I talk about technology, the focus is when we see a lot of security professionals and a lot of companies are trying to address the traditional infrastructure issues with insecure protocols or applications. That’s all fine. It’s still necessary but that’s becoming a norm now. It’s commoditized. It’s something that every company does from the beginning and if they don’t they’re not going to stay in business very long.
The evolution that we’re starting to see, and I saw this at RSA as well as most recently at Black Hat is a lot of attention being paid to behavioral analytics. What people do when they’re online. What is normal behavior for a particular individual in a particular application or a particular job function? When does that behavior deviate?
Because if you look at the attack that you see in the news, most of these attacks occur from a compromised account, a legitimately authorized user who had their credentials compromised. And the technology we’re putting in place today only look for changes in the structure that may not be normal but if it’s a user who has access that will key almost to the existing detection and intrusion prevention system.
For the firewall, they’re doing what they’re supposed to do according to the infrastructure. But if you look at the actual people behavior, not to get too complex, but moving up the OSI stack to layer 7 or the data layer, right? The most complex thing you’re trying to handle and the most dynamic thing: people and data. To start focusing your technology to analyze that and develop baselines and then alert when you have deviation from those baselines, you’ll be able to tell when an individual is actually doing what they’re supposed to be doing or it’s a compromised account that now has moved laterally in the system or laterally within the network to access information they shouldn’t have accessed. That’s the kind of thing that we should be alerting on and be more cognizant of and when security programs start moving in that direction you’re going to see hopefully a better handle on the security situation. But as long as we stay very technology centric, very infrastructure centric, the bad guys are going to stay one step ahead of us.
Amber Pedroncelli: So that kind of brings us to your role right now at Lynx Technology Partners. In your nomination a lot of it was about being extremely risk focused with their security services. Focusing on the business impact and understanding business specific risks but also focusing on costs of course, because we all live in the real world. And one of the reasons that yours was chosen as a finalist is because it really talks about the epitome of a good CISO. Which is the junction between business, business knowledge, and technological savvy, obviously. Just tell us a little bit about what you’ve been doing at Lynx Technology Partners since you haven’t actually been there that long. Didn’t you just start in 2015?
Bobby: Yes. Recently started there. I was given an opportunity to really apply some of the theories and some of the things I’d been applying in private companies over the last few years. By coming over to Lynx, creating new strategy and the approach for their security program and their risk program I was given an opportunity not to just do it for one employee but for lots of companies. For me that was a really great challenge.
If you look at the evolution I’ve been saying about security, that’s also happening in the CISO role. And security leaders. Their focus is becoming less IT and more business enabler. And again these are clichés that are used a lot but when you look at the ability of employees to deploy their own technology that is available now as a consumer product and rival the capabilities of the IT department, you need to change the approach you’re taking to secure that environment.
That means you no longer are dealing with static infrastructure. You’re dealing with very dynamic, distributed, de-centralized environments and that requires you to align very closely with the business. By doing that you’re able to partner with them and help enable them rather than tell them no they can’t go to the cloud. Let’s figure out how they could do it. Let’s figure out how you enable bring your own device. How we could accommodate the “Internet of Things” into the environment because the marketing department thinks that’s going to help sells. Those are all valid reasons to partner with the business and you’re starting to see that evolution of the CISO to become more of a business partner rather than an enforcer of policy.
And in order to do that you need to talk the language of business. I’ll say the language of business is risk and others say it’s finance, it’s money. But in it’s purest state, risk is about money. How much do you want to spend for protection versus how much are you willing to risk by not protecting? That is a pretty simplistic perspective. It’s difficult to get there because how do you translate I have 1,000 vulnerabilities this month and next month I have only 750. Does that make you 25% better? More secure? What is that doing for the business? You’ve got to change your way of thinking in terms of business and finance rather than just technology and incidents.
Amber Pedroncelli: Right. So also in your nomination it talks about how you created the delivery model for some of those security services like vulnerability and penetration assessments. Do you want to talk a little bit about how Lynx does that now that it’s been re-vamped by you?
Bobby: Sure. So one of the things we wanted to do is provide what I would call tiered services. Not every customer is the same. Not all the needs are the same but we wanted to have a repeatable process. It’s important that your giving the customer as customized an approach as possible because that’s what they’re paying for. They’re paying for you to deal with their problem. Not to give a cookie cutter set of responses to their problem.
Part of our effort is to understand the business. Understand the model the customer uses to communicate their vulnerabilities, to communicate their initiatives related to perhaps pen testing. What is their key motivator? Is it compliance driven? Is it just following a particular standard because that’s what they do and they don’t have any compliance regulations holding them down? They just want to do the right thing?
All of those will influence how you assess as well as how you report on what you find. And everybody does a good assessment. It doesn’t really matter what tools you use for the assessment. The key is when you look at what you find, you have to be able to translate that into what the customer understands and if you go in there with a set of vulnerabilities or a set of issues that need to be repaired, that’s great. That’s wonderful but the first thing the developer we’re going to ask is can you just tell me which patch I need to apply? What do I need to do to fix this? They don’t want to necessarily know all the details of the vulnerabilities so you have to look at it from presenting them with a set of solutions versus a set of problems. You’re there to find the problems and help them achieve those solutions.
That is the key differentiator in what Lynx does. We try to, yes we’ll go in and do the traditional vulnerability scans and your traditional penetration testing but when we present that information we present that in the context of here is what you can do to fix that and what are your plans? Then we’ll help them adjust that. We’ll come back 30 days, 90 days later and actually look and see what their progress has been. And that’s part of the program. It’s not just go in scan, leaving a report and walking away. That extra little bit of value that I think makes the difference.
Amber Pedroncelli: So do you work closely with the CISOs of the companies you’re working for?
Bobby: Absolutely. You have to understand their perspective. The tone that they’ve set and what their expectations are. And you want to be aligned with that, otherwise you’re speaking in generalities and you’re trying to do things according to best practices. And the first thing you discover is that best practices are never implemented in a vacuum. They’re implemented with the culture and the influence of that particular business model and you need to learn that. So the CISOs provide that level of insight. And I’ll tell you, I’ve also been with CISOs who may not have that same level of maturity or they haven’t evolved to that state where they’re aligned with the business very closely. You could spot that pretty quickly and we try to address their specific and immediate needs. But ultimately it’s up to them to understand how to present what they do in terms of the business. How to justify their remediation plans. We’ll help to a certain extent but we’re not replacing the CISO in the company. We’re really enabling them to make informed decisions.
Amber Pedroncelli: Do you find yourself giving the same kind of advice to CISOs over and over again? If there were one thing you find yourself saying a lot, what would that be?
Bobby: I would say if you can learn how to speak to a board of directors, you’ve pretty much learned how to speak to anyone. And the reason I say that is no insult to board of directors. But when you have an opportunity to speak to a board, typically you’re one of many people who will be speaking. You have 5 maybe 10 minutes to make your point and then maybe follow on 5 more minutes of questions so you have to have your story very succinct and not detailed. The detail comes in your answers to questions. You need to do your homework and know it. And then you have to figure out how to be very brief.
I will tell you it is…no matter how many times I’ve done it, it’s always a challenge. You end up with too much material and you just have to try to figure out what am I trying to say? If there’s one thing I need to say to these folks and they’re going to approve a budget or approve a particular action, what is that one thing? And I’d focus on that. Even though there’s a thousand things that need to be done. Focus on that and address that particular problem. If you can learn to do that you’re making a huge stride forward because you’ll be able to talk to anyone at that point. Without the constrain of 5 to 10 minutes to be succinct.
Amber Pedroncelli: Yes so it sounds like you’ve dealt with some CISOs that get a little bogged down in the details and want to present every angle and explain the technical aspects of vulnerabilities or really get into the weeds with the board of directors. I assume that doesn’t go over very well from what you’ve just said.
Bobby: No it doesn’t and in all fairness to them, different organizations have different attention spans right? One of the things I see, it’s strange but I see it a lot. You look at a lot of insurance companies and you think they have a lot of regulation in place. You think they have a lot of motivation to secure the information from some of the regulations. But you don’t necessarily see the same level of diligence that you see in a financial services company. I don’t like making all of these generalizations like this and I’m being very general. There are insurance companies that are very secure but the folks who are running the security programs in those environments are dealing with legacy culture, legacy technology and they are doing the best they can in those environments.
And at that point, when you’re in that kind of position you have to hone in to your own perspective. What is the highest risk that I’m going to be dealing with and what can I do with what I’ve got? You’re never going to have infinite resources to deal with every problem. The CISOs that are in that situation , I feel for them. I guess they’re paying and the whole idea is to thrive in adversity. To thrive in a challenging environment because if you don’t then anybody could do the job. That’s the way I look at it.
Amber Pedroncelli: Right. So there’s been this kind of trend. We’ve talked about it on the podcast before with CISOs going back to school and getting their MBA. I don’t know if you have yours but is that something that you’d be interested in? Or do you see that as a trend that’s going to continue?
Bobby: So I don’t have mine and I will say that yes it is probably important. One of the things I’m seeing, and I get asked on a lot of cases about education, about training, about certifications. When I go speaking I’m constantly asked, how do I get into this career? How do I make the most out of my career. I believe education is the foundation. It’s very important to have a very broad education but also to have a specialty.
But that’s not the total picture because I literally have gotten resumes from PhD’s that have spent the majority of their time in school and brilliant people but have never had a hands on moment. So if you’re not getting that exposure, having a skill is one thing, having experience is a completely different thing. And when we talk about the shortage of security folks it isn’t because there aren’t people who are learning things and getting education, it’s because they don’t have the experience.
And the only way you’re going to get that experience is if you intern, if you did a job doing the IT work. In the process of doing the IT work you’re going to learn the security work. If you can’t get into the security department because they only want experienced people. The idea is though to get as much time. It’s like flying an airplane. The more time you have flying in the air, the better you’ll be and the different types of planes you’ll be able to fly the more hours you put in. Well, it’s the same way with security. You need to have some hands on experience.
Even if you’re going on a management track you should at least know the technology that you’re managing and the team that’s managing that technology for you. If you’re leading that team and you’re only on the business side, that’s great but you need to be able to understand and translate and bridge the two worlds. The technology world and the business world.
So that’s where the MBA comes in. That’s where the soft skills come in. It’s truly about collaboration and partnership with other interests, other constituencies within a company. Everybody has their own motivator. You need to figure out what those are. I know I’m sounding real touchy feeley here but this is the part of security that a lot of folks don’t seem to get. Is they think it’s only a technology issue, it’s a people issue. You need to understand how to make your case, present that case and influence change within an organization because that influence that you exert is going to be the determining factor of your success within an organization. To be able to get them to modify the behaviors that put them at risk and they don’t even know it.
Amber Pedroncelli: Right so in your dealings with CISOs or managements do you see more a lack of technology skills or more a lack of the leadership skills?
Bobby: From a CISO I see the lack of the leadership skills. It’s interesting, some of the best CISOs I’ve seen, it came directly out of the IT world because the security world wasn’t really a career path. It sort of just evolved that way. The folks who’ve been there are mature now and you see them getting into the CISO role and they took a path very similar to mine.
What you’re seeing today though is that people are coming into security as a discipline and they’re learning all the theory of security and they don’t necessarily know the technology piece and they may not have the soft skills well honed. I really do believe it’s a little bit of both. They have to learn both sides.
That’s where things like certifications come into play because certifications are going to test your competence in a particular technology. But there are certifications out there that also test your ability and concepts that talk about leading a project and how do you lead a team and how do you have situational awareness so that you know how to approach a particular subject within your organization? All of these things can be taught and really until you’ve experienced it a few times you’re really not going to be good at it.
The crop of CISOs that are coming out, I am optimistic in that I do see there is an evolution but I’m not sure a lot of the folks are there yet. I think they’re getting bogged down in a lot of things that aren’t really serious threats today.
Let me pull that back just a little bit. There continue to be threats, the cloud and the Internet of things. All these things continue to be environments but they’re bogged down in the specifics of that versus the bigger picture. That goes in thinking of changing yourself from tactical to strategic. If you look at things in a more strategic way you’ll discover that some of the solutions can be applied that are broad and that effect something very broadly versus a solution that solves a very specific point problem but doesn’t solve anything else.
A case in point, so you’ve got anti-virus everywhere that’s great but you don’t control any of the end points. And the end points are the mobile phones and the laptops that people are working from home on that don’t necessarily belong to the company. The kiosk at the store. There’s all sorts of areas where you don’t control the end point so what good is anti-virus going to do for you? You’re trying to solve one specific problem rather than a broader problem That’s the difference between tactical and strategic.
Amber Pedroncelli: That’s a really good point. I like that tactical versus strategic. That’s a good way of looking at it. And I think because your nomination showed that you had that strategic thing nailed.