Essential CISO Skills and Strategies with Dr. Sly Cotton

[00:00:01] Get ready to discover some of the most actionable DevOps techniques and tooling, including performance and reliability for some of the world's smartest engineers. Hey, I'm Joe Colantonio, host of the DevOps Toolchain Podcast and my goal is to help you create DevOps toolchain awesomeness.

[00:00:19] Joe Colantonio Hey, imagine waking up to find your organization's data compromised. What could you have done to prevent it? Well, joining us, we have Sly Cotton, who reveals the secret to robust cyber security and the indispensable role of the chief information security officer. Today we'll be talking with Doctor Sly all about essential CISO skills and strategies, which are all covered in his book Cyber Space Guardians A Comprehensive Guide for Choosing the Right CISO. Really excited about this episode. You don't want to miss it. Check it out.

[00:00:50] Hey, if your app is slow, it could be worse than an error. It could be frustrating. And one thing I've learned over my 25 years in industry is that frustrated users don't last long. But since slow performance isn't sudden, it's hard for standard error monitoring tools to catch. That's why I think you should check out BugSnag, an all in one observability solution that has a way to automatically watch for these issues real user monitoring. It checks and reports real user performance data in real time so you can quickly identify lags. Plus, you can get the context of where the lags are and how to fix them. Don't rely on frustrated user feedback. Find out for yourself. Go to bugsnag.com and try for free. No credit card required. Check it out. Let me know what you think.

[00:01:42] Joe Colantonio Hey, Sly. Welcome to The Guild.

[00:01:45] Sly Cotton Hey. Great. Thanks for having me here, Joe

[00:01:48] Joe Colantonio Yeah. Awesome to have you. I think you have a really cool background. So I thought before we jump into it, maybe you give us a little more info like how did you get into cyber security?

[00:01:55] Sly Cotton So, Joe, that's a great question. I've been working in cyber security now for roughly 30 years. I started out in the military and it was all about protecting the network from the enemy, making sure they don't get access to information that could cause grave damage to the U.S. or to the operation that we were executing. And then from there, it just fascinated me how we could protect the most critical assets of the organization in the U.S. and then from there, it just blossomed into something I just couldn't get enough of. Especially with the proliferation of everything going to the internet and AI. It just became one of those topics that was critical for organizations and individuals.

[00:02:38] Joe Colantonio Absolutely. Now I'm already off script. With your background with cyber security intelligence, how critical is it nowadays, especially with an election? Do we have foreign actors actually still trying to break into things in the U.S all the time? Is that something that a normal company needs to worry about? That like they could be being hacked by another country?

[00:02:57] Sly Cotton Oh, yes. Even more so now than ever before. Do you remember the last election? There were screams of voter fraud. Someone had hacked the voting machine, and they kept voting over and over and over. And it was coming from an outside adversary. So with the protection of this election, you have to have those networks and infrastructure that are using those automated voting machine, it has to be 100% secured where even the supply chain, the people that provide the computer chips, all of those have to be protected and ensure it is 100% safeguarded from vulnerability from the outside sources.

[00:03:38] Joe Colantonio How likely is that then? That's a like something we should be concerned about because like you said, you don't even know. Maybe the chip could be designed somewhere that actually has code in it that can kind of be like a backdoor for folks, I guess.

[00:03:50] Sly Cotton Yes. I think is highly unlikely, primarily because we have this thing called a supply chain risk management which means every chip that goes into a voting machine, or every chip that goes into a piece of the network infrastructure, every hardware part that goes into that whole infrastructure, it's been ran through a security check at some point in time. It takes more than just hardware. So you got to protect the software that runs on that hardware as well. That's all part of the network infrastructure.

[00:04:23] Joe Colantonio All right. So how likely is it that someone is an expert in both hardware and software then when it comes to security, is that a dual role?

[00:04:29] Sly Cotton It is. But I think I would tell you, the only safe network is one is not connected to the network. It is very likely every time you come up with a defense mechanism that will protect against the hardware or the software, the threat actors, they're coming up with a new way to get into that network to get around those are secure area that you just basically barricaded.

[00:04:54] Joe Colantonio I'm sure there's some best practices. What are one of the reasons that inspired you to write then Cyberspace Gardens?

[00:05:00] Sly Cotton It was primarily because a lot of organizations would getting hit and they were getting hacked, and they were getting exposed to ransomware. And primarily because they had, I won't say the incorrect individual, but an individual that didn't have all the skills and capabilities to protect that network. A lot of times, what organization will do, you have a great technician, understand cyber security, the individual been working with the organization 15, 20 years and someone will go, hey, let's make this guy part of the C-suite. So they make him the CISO or the the chief data privacy officer or whatever you want to label the individual. But the individual may have been great at the technical proficiency, but he didn't have the right skill set to be a visionary, to think over the hill, to see what's next that the adversary could be presenting for that organization. That's kind of what drove me to go, well, we gotta make sure we're hiring the right people. And here's some of the characteristics of those right people that should be looking at this stuff from an organization perspective.

[00:06:04] Joe Colantonio Absolutely. I also think that with this particular role, you need to constantly be informed and constantly learning, relearning. So, I mean, I'm older, so I'm just curious to know if someone my age how if I had a CISO role, how is it evolved over the years, and how do people keep up with the evolution as it goes along?

[00:06:22] Sly Cotton That's a great question because I would tell you, the role of the CISO has evolved over the years because protecting the network used to be, okay, you're in the C-suite. That's not my problem, give it to the IT department, and that's where it is. But now, the I.T. strategy has to align with the organization's strategy. The IT guys can't be in a corner somewhere doing their own thing, protecting the network. And then the C-suite guys are narrow their corner doing the business strategy, those who have to align. And so today, the CISO is part of that mesh. We're in the past, Okay IT department go protect us, make sure nobody gets into our network or get access to our proprietary data. So that's where the role of the CISO has emerged. The big thing is if you're not in the old school, they use the term lifelong learner. If you're not continuously learning about the threat and then where AI is going and things like that, you might get left behind. And you may not be up to date on the best practices for protecting the network and infrastructure for an organization. So you have to continuously study this stuff.

[00:07:31] Joe Colantonio Absolutely. I mean, I guess because people don't know, why is it critical to protect data and systems now more than ever? We had one example of, the elections are coming up, and I'm sure there's more common examples that are probably around now, especially with all the countries passing new regulations about data. Is that another reason why maybe protecting your data would be more important now than before?

[00:07:51] Sly Cotton Oh yes. And I would tell you some of the big thing is your reputation for an organization. If you don't protect the data, then you could be PII data on an individual or proprietary information for the organization. The first time you get hit with a security threat incident or whatever. If your customer base lose, lose faith in your organization to protect their private data, they're going to walk away. Once you lose the trust and confidence in your customer base, whether it be businesses or individuals that your organization is going to have a tough time trying to rebuild. But if so, if you don't protect that data, it's not only the reputation. You're subject to financial loss. And you've got to understand, if you don't protect it, you may be violating laws that you may not even know you violating, like things like HIPAA, the Health Insurance Portability and Accountability Act, or the GDPR like the General Data Protection Regulation. If you don't protect it, you could be violated those regulations. And that could be reason for the government to come in and shut you down based on whatever operation you're running.

[00:08:59] Joe Colantonio I would think it's a hard gig because you can only set, I guess, standards, right. Like how do you know the people that are actually doing, the developers and testers in your organization are not leaking data or releasing passwords to GitHub and all that. Like how do you get it in place that you're accountable, yet you also have everyone underneath you informed of what they need to do?

[00:09:22] Sly Cotton That's a continuous thing also because that insider threat thing is real. So if I'm developing a piece of software for you and if I'm putting backdoor channels in there, so if something happened, if I want to get into that network after you kick boot at me or something like that, you have to defend against vulnerabilities like that. Insider threat actions that's a real thing. But the way you get around that is you just have to continuously train the workforce. Here are some things you got to look out for. Here are the vulnerabilities that could potentially increase the risk of us getting an attack. I mean, you got to make sure that the people that are developing the software, the hardware and installing your infrastructure, there are people that you can trust for one. And two, it has to be individual that you know that they're putting in the right stuff, and once the right stuff goes in the network, you have to test it. You got to validate and you got to run it through security. What we call key performance, parameters, KPPs and indicators. But that's how you get around the I don't like term insider threat on any end user can be an insider threat but that's how you protect yourself against those guys.

[00:10:30] Joe Colantonio Yeah, that's a good point. When I read books on, like real big hacks, a lot of times it's just someone talking to a real person and getting that trust. It's not even like a technical thing. And I don't even know how you overcome that a lot of times.

[00:10:42] Sly Cotton Oh, yeah. Because, I mean, there's always the big threat to organization now is still fishing opportunities. You get an individual that, hey, look, I know this is my bank. I bank with those guys all the time. But as soon as you click that link, they got access to your inside your network. But again, you got to train the individual. And when you do that, you have those phishing exercises after you train people, you sit down and you do those lunch and learn and say, hey, look, here's what a bad URL look like. You see something like this and it's broken or bad English in the phishing link. Those are the kind of thing you do not want to click on a link from places and things that and items that look just like that. And I would tell you, especially with in the age of social media, anybody see things that, hey, I'm familiar with this link, don't click on it in a heartbeat. And that's what the adversary want you to do. As soon as they click on it, they got access to what they need.

[00:11:37] Joe Colantonio Absolutely. I mean, this is can't related. I saw something on TikTok where someone booked a cruise, a year in advance, and they kept talking about on social media, and they posted a picture and they didn't know in that picture had their number, their number for the cruise. And someone was able to go in and cancel the trip without them knowing, because they didn't know they actually gave that information to someone to kind of hack them.

[00:11:57] Sly Cotton It happens all the time. The other thing that people don't get is they'll post a picture on TikTok and they don't understand all the data around that picture. The location it was taken at, the time it was taken, all of that stuff, it's because they want to get that information and data onto the TikTok platform instantly without thinking through all the ramifications of all the other strapped on data and information is attached to that video or to that picture.

[00:12:24] Joe Colantonio Absolutely. I guess we've already determined you definitely need someone to be in charge of this. I guess I should start off with this question. How do you define what is a chief information security officer?

[00:12:35] Sly Cotton So the chief information security officer that's an individual is all about threat mitigation, protecting the data, things like they have to understand things like regulatory compliance, reputation management, and they have to be able to work with a security team. But again, I go back to the whole thing about you can develop the strategy and vision for information and technology protection, the security of the organization. But if it's not linked to the operational goals and objective of the organization, you're building an expensive network that's not going to protect anybody. So that individual has to be someone that's passionate about protecting the data, threat mitigation, looking forward and forward, thinking about what could be the next potential threat to that organization. So that's kind of the role of the CISO and what they do on a day to day basis.

[00:13:28] Joe Colantonio What do you mean by the goal of the organization then? It's not like a cookie cutter approach. Then I assume it's like each organization would have their own potential risk areas, I guess. I mean, I guess I assume that's true, but I'm not sure what are the goals that they need alignment?

[00:13:42] Sly Cotton If a standard civilian organization, their goal is to grow the business. For example, they want to turn a 15% year over year profit. Here's our strategic goals and objectives. Okay, Mr. Security Guy, what network and infrastructure do you think we need to have in place to reach these goals and objectives? First thing this guy might say, hey, let's get rid of these big data centers that we have at the basement of our building. Let's put all this stuff in a cloud and you go from that perspective. If you a DoD or Department of Defense organization is totally separate in what I just described, you gotta have a security clearance, either secret, top secret or whatever, some of them GSSCI to just access the network that we're going to be operating on. If you're in the medical field, you got to understand all those HIPAA regulations, and your network may be have to be structured where everything that you do has to be super high definition cameras and all of that good stuff because you may have to operate via Teladoc on an individual, and they need a network that is super high def to do that, where a standard organization means, yeah, we don't need all that stuff, I just need voice capability. The role of the CISO is you have to understand the operational environment he's operating in order to build a network and that infrastructure that's got design that is designed to support that specific type of business.

[00:15:13] Joe Colantonio All right. Nowadays, does everyone have this role a CISO or is this something that you think companies are just starting to realize oh boy we've got to get a competent CISO here.

[00:15:23] Sly Cotton They are now coming to that realization because like I said, most of the organizations are like I have an IT department, consist of 5 or 6 guys, but those 5 or 6 guys in IT department, they're concerned with making sure you can connect to the network or the software is operating properly if you forget your password, you can reset the password. They're not thinking about how the business is going to grow and what do we need to help that business achieve its goals and objective. The realization that you need a CISO, it is definitely coming to fruition in this day and time, especially with the proliferation of AI and all the other things that are moving to the network and to the cloud.

[00:16:04] Joe Colantonio It's a good point about AI. How do you pivot then? Yeah, like you said, you have an attack and then you have a way to get around it and someone comes up with a new attack constantly. Now AI, do you see AI helping then with security to help kind of avoid these in the future, or is it just going to be like it is now, just quicker and faster now with AI?

[00:16:23] Sly Cotton It is, but what I always tell people with AI you got to take the good pieces and you got to be able to recognize the bad pieces of AI. AI can help you design a network, build a network, come up with the best optimal strategy to put in place. But the thing about with AI, when you start dealing with AI, there's so many bad things about AI like deepfake AI. Or you can take the sampling of my voice and take my picture, and you can make my lips say whatever you wanted to say, and you can post it, and it looks just like I'm saying it, which. And I could be totally oblivious to what you're posting out there. As part of the bad side of AI, but the good part about it is you can ask AI to act as a cybersecurity expert and give us some context. Help me design this infrastructure, whatever, and it can assist you with doing it. But I always tell people, you still need that human in the loop to go back, check what AI spit out, and then you validate. A lot of people will go, hey, AI did this, which sounds great, but there are times when AI because it uses open source information, it takes everything that's on the web. And if you're not validating it, AI could spit some things out there that may not be 100% accurate.

[00:17:39] Joe Colantonio Interesting use case about deepfakes. How much does a CISO need to be sure about that? Because I could assume someone could kind of generate a a deepfake of a CEO saying something that could either tank their stock or do something that could be detrimental to the brand, or have them say something that is going to hurt the brand as well. Is that something they need to be aware of?

[00:18:00] Sly Cotton Oh yeah, that's part of the whole skill validation of a CISO. They can understand that, hey, if this is AI or this is real, and then there's tools that can help you do this stuff, that's part of their whole skill validation. That's why he says a CISO has to be a seasoned guy. Can't be an individual that just graduated college. Hey, I got this IT certification. No, this is someone with experience and knowledge that have kind of been around that can understand what's real and what's fake and goes back to the real validation process. If you think this is a little bit off. You have to validate it.

[00:18:34] Joe Colantonio All right. So that's a good point. This is actually a chapter in your book. The quiet hard and soft skills for a CISO. I guess what are some hard skills that are essential you see for a successful CISO?

[00:18:47] Sly Cotton The hard skill, it kind of goes to that thing about you're validating the knowledge of the individual in that position. If someone have something like a CISSP, this the information security professional certification, that certification is globally recognized. When you see someone with that certification, this individual understand has a deep understanding of security. When you have the hard skills, that's a validation that this individual knows what they are talking about. Those skills kind of give the individual the expertise they need to handle those incident and complex security challenges, if you will, when they happen. Because part of those hard skills are designed, what they're designed to do is when you have an incident, it helps the individual understand here the priority for me to restore, I got to protect this data. I got to get this particular network back online, and then we worry about the rest of the stuff as we make time. But those hard skills prepare an individual to help bounce back from an incident response.

[00:19:48] Joe Colantonio How about domain knowledge? I assume that, like you give a few examples already, health care is completely different than if someone's in.

[00:19:54] Sly Cotton Yeah.

[00:19:54] Joe Colantonio I don't know the Department of Defense or something.

[00:19:57] Sly Cotton Yeah, the domain knowledge is critical. You got to understand the organization that you're working for because if you don't, you may apply a health care organization rules, which doesn't apply to the organization that you're the CISO for. You manufacturing shoe heels the lack of a better term. But you got to understand the organization, what the organization does and what the vision of the organization is. And then you have that that is your security infrastructure, your network, your defense of the network, all of that based on the environment of the organization. It's not a cookie cutter approach. It is definitely based on your organization. It's your support.

[00:20:40] Joe Colantonio All right. How about soft skills? Everyone think soft skills just communication. Are there any specific soft skills you need?

[00:20:47] Sly Cotton I tell people communication is a great one. But if you can't be a leader where you got to manage a security team, you're doomed to fail. You got to have some leadership qualities. You got to understand risk management. And I would tell you, when it comes to communication, funding drives everything. If you're a tech head and if you can't communicate your need to the C-suite, you're not going to get anywhere as a leader. What will happen is the technical guy, the IT guy will go into the C-suite boardroom meeting and go, he had 40 slides. And they'll go, hey, this is what we need. This is the security infrastructure we need to put in place. And a C-suite team is sitting there go and he has 40 slides. I'm not going to sit here and listen to this. You got to be able to take the half of slide or one slide back home and you get your point across. If you're a bad communicator, you're doomed to fail. If you're a poor leader, you're doomed to fail. If you don't understand the requirements of the individual you're supporting, you're doomed to fail. I always tell people to take a look at those thing that they call emotional intelligence, and make sure you build those into your leadership skills. You have the quality, the it takes a really serve that position well. They would call in CISO.

[00:22:07] Joe Colantonio Nice. So if someone wants to be a CISO, how do they develop some of these skills? I know for some reason this more than others certifications really do matter. In some roles not so much. So maybe like I know certification is probably one way or there in other ways that someone can develop these skills?

[00:22:23] Sly Cotton Oh yeah, so education is a big part. Most people now graduate college with a degree in cybersecurity, which didn't exist a few years ago. There were degrees in computer sciences. That was the big sexy thing. But now, you actually can get degrees in cybersecurity. The bachelors, the Masters and some PhDs in cybersecurity. That's a great start right there. So once you get that education seek out the training and experience that's broad brush. Don't just stick to one field, the cybersecurity field is expensive. It's massive. So try to learn as much as you can about all the areas when it come to protecting a network and infrastructure. And don't pigeonhole yourself.

[00:23:10] Joe Colantonio Love it. You have a lot of experience. I know you must have some real world stories are examples of maybe where a CISO made a big impact on the organization's cyber security posture, or something like that. You have any examples of that?

[00:23:23] Sly Cotton There's a few examples. And on our organization, we primarily support the Department of Defense. Most of the time, the leadership or the C-suite, they typically call them, they have little faith in the IT department to protect a large network. We went in, we kind of looked at the as infrastructure on some of these organization. And then we talked to the C-suite about their expectation. What do you want out of this? out of your IT department? We sit down with those guys and they're like, wait, we don't have the faith and confident. They can protect us because CEOs talk to other CEOs and they go, hey, look, this is what I did. This is what I did. And whatever they get together and they go back and assess their own organization. But we went in and we talked to the CISOs and saying, hey, this is what your CEO expect. And those guys, they kind of redefine their strategy. And at the end of that strategy, they went in and briefed the C-suite on how the IT strategy aligned with the organizational strategy and the confidence that the CEO had in that IT department went through the roof. And it was just the confidence that they knew. These guys now understand the infrastructure because I've heard other CEOs, if that is what they implement and they understand what the best practice is to protect our organization love it.

[00:24:43] Joe Colantonio It sounds like with AI, you said it is the good and bad. So a lot of times with certain careers with AI, they're like, oh, this is going to be replaced. That's going to be replaced. What future trends do you see in the field of maybe cyber security in the role of a CISO? Is it going to be more and more tech heavy with AI or like do you see as a role that's going to be more in demand, less in demand? Same.

[00:25:06] Sly Cotton AI is not designed to replace people. It is designed to help facilitate processes and procedures. It's designed to help people do their job more efficiently and effectively. It's not designed to replace people. People will go, hey, I can reduce my workforce based on having these two set, and AI is one of them. I personally think it's going to remain about the same. And if people take AI for what it was designed to do to assist people in doing their job, you will see a reduction in the requirements to have an individual sitting there at the terminal to validate threats and watch for vulnerabilities and attacks and things like that. With the advent of AI, you will see a huge reduction in the IT force.

[00:25:53] Joe Colantonio Okay, Sly, before we go, is there one piece of actionable advice you give to someone to help them with their CISO cyber security efforts, and what's the best way to find or contact you or get our hands on your book on cyber security and CISO?

[00:26:05] Sly Cotton Okay, the one thing I would tell all this guy is continuously learn and improve yourself about all the ever changing challenges going in the IT cyber security landscape. Got to be a lifelong learner. You just have to continuously stay on top of that thing. And I would tell you right now is a great time to get the book Cyber Space Guardian, because it's on sale for $0.99 for audible version, the paperback is significantly discount all you have to do to go to Amazon.com and search for a Cyber Space Guardian or search for Doctor Sly Cotton, and it will pop up and you'll have the latest and greatest access to what we know as of today.

[00:26:51] Remember, latency is the silent killer of your app. Don't rely on frustrated user feedback. You can know exactly what's happening and how to fix it with BugSnag from SmartBear. See it for yourself. Go to BugSnag.com and try it for free. No credit card is required. Check it out. Let me know what you think.

[00:27:12] For links of everything of value we covered in this DevOps Toolchain Show. Head on over to Testguild.com/p156. So that's it for this episode of the DevOps Toolchain Show. I'm Joe, my mission is to help you succeed in creating end--to-end full stack DevOps toolchain awesomeness. As always, test everything and keep the good. Cheers!

[00:27:34] Hey, thanks again for listening. If you're not already part of our awesome community of 27,000 of the smartest testers, DevOps, and automation professionals in the world, we'd love to have you join the FAM at Testguild.com and if you're in the DevOps automation software testing space or you're a test tool provider and want to offer real-world value that can improve the skills or solve a problem for the Guild community. I love to hear from you head on over to testguild.info And let's make it happen.