CISO Chat – Darran Rolls, Chief Technology and Chief Information Security Officer, SailPoint

Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related to a business. However, the tasks are far from simple as their teams work around the clock to respond to incidences that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which also involves consulting to boardroom level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.

To get a better understanding on the life of a CISO, the IT Security Guru will chat to leading CISO’s to get their thoughts and ideas on the 2018 cyber landscape and will include advice, guidance & problems faced. We will leave the favourite food and hobby questions for another time.

We spoke with Darren Rolls, Chief Technology and Chief Information Security Officer at SailPoint, who believes that despite there always going to be new threats and vulnerabilities, the same old risks will remain.

As a CISO, what is your objective? What is the goal of information security within your organisation?

My key objectives are protecting company assets and customer data, continually improving internal security operations and staying ahead of the adversary. A lot of this comes down to striking the right balance between user convenience and operational efficiency for the business and protecting the sensitive data of our employees and customers. As a security software provider, we are very focused on all elements of our security posture from end-user awareness to compliance with our ISO/IEC 27001:2013 certification and SOC 2 Type 2 attestation. Taking a holistic approach is essential to our business as a security company. Being an identity governance provider means we also have a strong focus on using our own technology and best practices to achieve these goals.

What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?

You have to consider both. A focus on vulnerability without an understanding of threat and risk can lead to an over-focus on noise. On the other side, an understanding of threats with poor processes for managing, detecting and mitigating vulnerability is again flawed. It’s essential to start from a strong threat modeling and assessment perspective to help understand a business risk posture. All of this comes together to create an assessment of where to focus. Once you know where to focus, then you can look more closely at potential vulnerabilities in the areas of highest risk.

What do you see being the biggest threats for 2018?

I don’t see a major change in the threat landscape for 2018. The reality is, new vulnerabilities are discovered and publicised on a daily basis. As we found out late last year with the Meltdown and Spectre vulnerabilities, even the CPU is vulnerable. We didn’t know that vulnerability existed, so who knows what will be next? There’s always going to be a new threat and a new vulnerability. The same old risks remain. Malware will increase in sophistication, more intelligent phishing campaigns will be carried out, and what we once thought was safe will become known to be vulnerable. Buckle up, batten down and get ready to respond!

How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?

At SailPoint, we’re fortunate to be in the security industry, so all of our people see themselves as security professionals, no matter what their role. It’s difficult to find good security people, but fortunately for us, security professionals are excited to work for security companies. We love and believe in security, so we work to find people who fit that mold. We’re also working to help with education and certification in our own area of the security ecosystem, identity management. We’re proud to be founding members and sponsors of IDPro, a new association that is looking to establish a professional body for IAM professionals. We believe in supporting and advancing professional bodies that can create a known and understood standard for education and awareness in our industry. Internally we also try to make security fun and interesting for our staff across the board. This doesn’t mean corny motivational posters on the wall. It means hosting events like lock-picking happy hours, security book clubs and hackathons that make security top of mind for all our staff.

My advice to someone hoping to get into the cybersecurity industry is to become an enthusiast. Some of the best security professionals I know were hobbyists first. It’s imperative to gain an interest in security from the ground up. I’m a big advocate of events like Defcon that focus on engaging with a diverse community that together can learn and love cybersecurity. If you have an interest in cybersecurity, go hack something, and it doesn’t have to be plain old software. Go look at social engineering or lock picking or go hack a written procedure – break it down, understand how it works and look for a way around it. If you want to get into security, get into the mindset of a hacker.

Today, IoT and AI have become really big focus’ for organisations with almost every device, toy and appliance created having this technology built in. Worryingly, security seems to be an afterthought. Why is this the case and how can this be changed?

Security is an afterthought in most consumer devices because most people today don’t buy them for security. When someone buys a laptop, security takes a backseat to things like price, screen size or memory capacity. When someone purchases a video baby monitor, they’re most concerned with how the picture looks and whether or not they can see the footage on their phones. In order for security to gain prominence in consumer devices, it has to become a feature that people value and are willing to pay for. The only way we can change the lack of focus on security in consumer devices is by consumers demanding it.

With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?

GDPR demands security by design, which is an approach we’ve long been advocating for in our products and solutions. We’re ready to help our customers address the challenges of GDPR by helping them govern access to sensitive data stored across their applications and in files.

 What’s your worst security nightmare? What would be your plan to prevent and mitigate it?

The life of a CISO is filled with fear, uncertainty and doubt. That’s the nature of the job. It’s the CISOs job to understand all of these threats and make actionable business decisions with them. This is a job of sleepless nights, but the best way to actually get some peace is to have a well-exercised incident response plan, because the reality is that something bad is going to happen eventually. Having the right technology, good people and well-defined and well-exercised procedures is the best you can do. Fires will start, and it’s our job to put them out. To do this effectively takes practice. It’s important to regularly ring the fire alarm, see how people respond and figure out if the hoses are long enough to reach the fire.

How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding of the work you and your team do?

We’re very fortunate as a security company, because cybersecurity truly is a board-level concern for us. This is not always the case. There is a growing awareness for the importance of cybersecurity, but many boards do not truly understand security risks in terms of business outcomes. Security operations are inherently technical and too many C-level cybersecurity professionals describe it that way to the board – all tech and all budget. But the conversation needs to be about managed risk. At SailPoint, our board is invested in our cybersecurity posture so I’m a lucky guy. I don’t have to rely on legislation to get the ear or the focus of the board.  Fortunately, many boards are now realising that the reputational risk and cost of security breaches are something that can be understood and managed like any other business risk in terms of investment and return.

Social media is everywhere. So how much of it is a security issue in the workplace? Have you had to run training exercise plans for employees within your organisation? 

Security is the principle of the weakest link, and social media can be just that. I can do a fantastic job of securing my internal systems, but if one of my employees posts something inappropriate, we’re in trouble. Of course, education is key, but this needs to be complemented with good governance and oversight. We have to view both employee and company-owned social media accounts as valuable assets that need to be protected. Controlling these accounts and their usage has to be seen as critical corporate governance, because reputational damage can be just 128 characters away.

What would be your no.1 piece of cyber security advice as we begin 2018?

Putting identity at the center of your organisation’s cybersecurity strategy. Yes, this is right out of our solutions play-book, but I really think that it’s the right thing to do. Moving toward an identity-centric view of cybersecurity should be a driving mandate for every organisation in 2018.

Darran Rolls directs the continued development and communication of SailPoint’s technology strategy and vision. His long history in information security has helped SailPoint emerge as a company with which to be reckoned in every area of identity management – from compliance and governance, to role management and role engineering, to user lifecycle management and provisioning. He believes the key to that success has been finding the balance between striving to be a market-leading innovator and acting pragmatically to make sure clients’ needs are met.