We launched the CISO-to-CISO section of F5 Labs in January 2017, with a welcome message from then F5 CISO, Mike Convertino, talking about how we want to encourage security leaders to share and openly discuss ideas on how they protect their organizations. It’s all about security leaders sharing advice for other security leaders. Well, three years and nearly 150 articles later, I think we’re doing pretty well. And this past June, we launched CISO-to-CISO 2.0 with our new CISO, Mary Gardner.
In the spirit of that openness, let’s take a look at our guest CISO bloggers and what they had to share. Guest bloggers are defined as anyone who wrote or contributed to a CISO article who was not employed by F5. Of that group, we’re happy to point out that 27% of our CISO guest bloggers were female. By the way, if we include the F5 bloggers in that calculation, the percentage jumps to 36%.
Let’s take a look at the major topics covered by our guest bloggers, as well as a bit about the guest bloggers themselves.
One of the top headaches for CISOs is compliance. So, who better to answer your compliance questions than a seasoned auditor with decades of experience in the tech industry? Kyle Robinson gave us The Six Most Common Audit Failures, in which he detailed some of the more common flubs he’d seen in his years of SSAE-16/18, PCI DSS, and SOX audits. He notes, "I’ve seen a lot of audit failures, and there are some common themes to them from which other companies can learn."
From the other side, how does a CISO build a security strategy to deal with compliance? By focusing on the business, says Kip Boyle, a veteran CISO and current CEO of Cyber Risk Opportunities. In Managing Compliance Issues within the Value Chain, Kip tells us that "By aligning your compliance requirements with your other business requirements, you can distinguish what has to be done from what would be nice to do and then prioritize accordingly. It also provides the momentum for business value to drive your compliance needs."
Architecture and Design
Building a technological infrastructure that is both resistant to attack as well as beneficial to the business is a real challenge. We consulted some heavyweight experts who provided new insights into the process of design. Mike Simon, CTO of CI Security, raises the question, Can Engineers Build Networks Too Complicated for Humans to Operate? He points out the demanding paradox of security monitoring, “For most systems, most of the time, the activities are 99.999% benign and you really don’t need to capture and know the details.” Fortunately, he helps answer that question in his follow-up, Making Sense of Network Activities and System Behaviors.
On a much grander scale, long-time security leader Ravila White talks about control design across the enterprise, tying in all aspects of the business and information flows. She presented us with a five-part series called Multidimensional Security Through Info Modeling, covering an introduction to information modeling, building the master enterprise model, threat modeling, control usage, and using inversion modeling/system parametrization. This is a full course on control design! The key, she notes, is “The business model is the system we used to quantify organization priorities, then apply deductive logic to derive the possible conduits of access, types of access, mandatory directives, and threat landscape.”
Things don’t seem to get any easier given the fast pace of technological change. Jared Reimer is the CTO of Cascadeo, an architecture and services firm specializing in large-scale distributed systems, cloud architecture, and migration projects. He looks at designing an architecture when you embrace the assume-breach principle in Everything Is Compromised—Now What? He notes, "If you fully accept that you cannot keep the most high-value data secure, you begin to think differently about where, how, and when you store and share that data."
Zero trust design is a powerful security technique. Security superstar, Wendy Nather of Duo, lays out how it’s done in Wait, Don’t Throw Out Your Firewalls! As is her style, she drops some wisdom bombs, "Plenty of cloud-first organizations don’t have a classic network perimeter because they never had to build one, but if you asked them to identify what was theirs, they could still tell you their perimeter is enforced by a combination of logins, encrypted network connections, and whatever tenancy controls their providers have in place."
We’ve had a whole series of in-depth guest blogs from Mike Levin, former Deputy Director of the National Cyber Security Division at DHS and, before that, cybercop for the U.S. Secret Service. In his current role as CEO of the Center for Information Security Awareness, Mike lays down one of the most basic but essential security controls in A CISO Landmine: No Security Awareness Training. He also adds physical security training with Twelve Tips to Help Employees Keep Devices Secure When Away from the Office. With a thirty-year career in law enforcement, Mike’s seen his share of scams and fraud. He shares some of the latest with us, including virtual kidnapping, executive impersonation, and phishing. Always topical, Mike also gives us Five Steps Users Can Take to Inoculate Themselves Against Fake News.
Sometimes it seems like being a CISO is the toughest job in tech. It doesn’t help when the CISO is a magnet for blame, as Masako Long of DefenseStorm explores in Fire the CISO! Her advice? “Let us help you, CISOs! It is not all on you to save the organization from the security woes of the world.”
CISOs come in all kinds and flavors. Veteran tech leader Bill Hughes provides us with a hilarious but insightful CISO Field Guide, adding, "There’s such a wide variety of CISO in the wild that you might have a hard time believing they are all part of the same species."
It’s not all pain, though. Todd Plesco, CISO at PrescribeWellness, says he’s heard "colleagues wax poetic on the disdain their directors and managers have towards the mission of cyber security." So he gives us How I Learned to Love Cyber Security.
Mike Levin, ex-cybercop, reminds us that, "As security professionals, whether we know it or not, we all have a role to play in protecting the critical infrastructure," and asks all CISOs, What Are You Doing to Protect Critical Infrastructure?
Lastly, we ran a great series in which we asked security leaders about their past failures and the lessons they want to pass on to others. Erik Pierson of Slalom and Mike Hamilton of CI Security contributed to If I Had to Do It Over Again, Part 1. Mike Simon, Todd Plesco, and Kate Wakefield of Landmark Health helped us with If I Had to Do It Over Again, Part 2. And rounding it out, Paul Farrall, CISO of Skytap, and Taeil Goh, CTO and head of IT at OPSWAT, weighed in with their tales in If I Had to Do It Over Again, Part 3.
More to Come
It’s been a great time and we’re looking forward to new guest CISO authors as well as returning favorites. Hey, here’s an idea! If you have an interesting and informative perspective on the security industry, we’d be interested in hearing about it. You can get in touch with us at F5LabsTeam@f5.com. Here’s to a future of more great, open discussions!