As the prevalence of the CISO continues to grow we are seeing more and more individuals taking up the role in companies from varying sectors and fields, but particularly in cybersecurity firms, who are perhaps best-placed to recognize the importance of having this dedicated, skilled security leader among their ranks.
This has proven to be the case for Australian-based intelligence, analytics and cybersecurity solutions company Nuix, who appointed Chris Pogue as their very first CISO nine months ago.
Also a member of the US Secret Service Electronic Crimes Task Force, Chris boasts an impressive 20-year career that includes service in the US military, a nine-year stint at IBM as a penetration tester before joining its incident response team, and six years at Trustwave SpiderLabs, finding the time to write two books along the way.
Almost three years ago Pogue took up the role of senior vice-president of cyber threat analysis at Nuix, a job that was a precursor to becoming CISO in mid-2016.
So, with Pogue having investigated thousands of security breaches alongside some of the industry’s best professional security services and corporate security initiatives, I asked him how he was now adapting to his CISO role at Nuix.
“I was the first [CISO at Nuix], so the biggest challenge was really standing everything up, which was both challenging and exciting because I feel like any ‘shmuck’ can take over something that’s already in place, but it’s a totally different skill set to build something from the ground up. It’s been about looking at everything we need in every capacity, from governance, risk and compliance to information governance to audit, to internal security controls and training – a whole bandwidth of things, but at the same time I’m not inheriting somebody else’s mess.”
Moving the conversation on, I asked what he had seen in terms of the evolving threat landscape. Pogue explained that warfare in general has moved on from being fought in the traditional four domains to the fifth, cyber, something that is impacting the information security industry as a whole.
“It’s interesting because historically warfare has been fought by trained soldiers in any of the previous four dimensions: land, sea, air and space. Now, when you add cyber it’s dominated by non-trained, non-military combatants – I say combatants because that’s actually what’s going on. We’re being attacked on a daily basis, and we’re expecting the same level of expertise that we would in any of the other four areas of warfare from untrained combatants. If you think of the modern CISO, how many have military training and combat tactics/psychology? So, having that gap in knowledge is not insurmountable, but having the knowledge already is advantageous, because how you defend yourself [in cyber] is stuff they’ve been doing in the military for two thousand years.”
In mentioning combat strategy and tactics, I wondered how much Pogue saw cyber-defense as being reactive, and whether ‘hacking back’ can ever be a good thing.
“Hacking back is still illegal, and I think it’s a terrible idea. It’s still too easy and you might end up kicking off an international incident. The bigger challenge is looking at defensive posture and calling it ‘aggressive defense’; I’m here to help us aggressively defend what we’ve worked so hard to build. It’s not passive; if you look at American football, the defense are not passively waiting for the offense to try to do something and then prevent them, they’re aggressively pursuing the ball, aggressively pursuing the opponent to not only stop them but to set them back. That same sort of mentality with our defense is to aggressively defend what we have and what we’ve been asked to defend, and doing that with hackers and professional penetration testers and with your staff and teaching them they’re in the fight whether they like it or not.”
So does that mean there is a real place for hiring hackers? How much of an impact can that hiring strategy have?
“From a professional standpoint we call them [hackers] offensive security professionals, a more palatable terminology, but yes, there’s tremendous benefit in doing that, because how would you ever truly know the efficacy of your countermeasures if somebody is not testing those in the way the enemy would?
“We need to get back to the roots of pen testing, which is no kidding, gloves off, ‘come at me bro’, like a real attacker would, so you can have an honest look at your security countermeasure to determine if it’s effective, and without that you’re just ticking a box.”
Lastly, I wanted to know how Pogue viewed the balance between the expertise of companies and their abilities to keep data safe and the evolving expertise of hackers who attempt to breach their walls.
“What’s interesting is that the size of the company is irrelevant – you’re still dealing with people and fingers on keyboards. You hope that they [companies] have more budget to throw at security and that they buy better tools and hire better people, but that’s not always the case. It all boils down to what the defenders are doing and how they are defending. If they have tools, are the tools tuned properly? Are they detecting the things they are supposed to detect? Are companies teaching their staff and using education? Our Nuix Black Report found that 66% [approximately] of attackers spend around 11 to 15 years [a week] getting better at their craft, studying and researching and honing their skills. By comparison, how many defenders are doing that? What we’ve seen is that offensive technologies have far outpaced defensive technologies, and offensive capabilities have far outpaced defensive capabilities. So we see this pretty dramatic imbalance.”