User-Centric Security: Focusing on UX, Design, and Embedding Security in Daily Routine

Transcript

John Vecchi (00:24):

Well, hello everybody. You’re listening to the IoT Security Podcast, live on Phosphorus Radio. I’m John Vecchi.

Brian Contos (00:31):

I’m Brian Contos. We’ve got a fantastic guest today. Welcome to the show, Susan Peterson Sturm. How are you, Susan?

Susan Peterson Sturm (00:38):

I’m great. Thanks so much for having me.

John Vecchi (00:40):

Welcome, Susan. Great to have you.

Brian Contos (00:42):

Oh, we’re excited, so excited. Susan, before we get going, maybe you could give our listeners a little bit of background about you and how you came up in the industry and what it is you do today.

Susan Peterson Sturm (00:53):

Sure. I’ve spent most of my career in the energy industry, actually on working at both automation companies and energy companies that spent a lot of time wearing lightweight Nomex in Latin America, walking through power plants, trying to figure out this process, instrumentation, drawing, how does that tie to that tag and the data flows. I did asset optimization, a lot of cool stuff between trading. I love energy markets, super fun stuff. I got into OT security through product management and it’s been really fun. I feel like I’m growing up with folks in the industry over the past 15-ish years. They’ve done M&A, led product security at a $15 billion company. Worked on strategy and marketing initiatives, and then most recently I’m a recovering chief information security officer from an industrial data operations company.

Brian Contos (01:52):

Susan, you’re such an underachiever. I don’t know what we’re going to talk about. That’s fascinating. It’s so interesting too, hearing people that came up in OT because so many of the folks that we have on our program were transplants. They started on the IT side, then they kind of moved over a little bit to what’s SCADA, what’s a PLC? They learned that world, but a little bit flip-flopped. You actually came up in that, which must’ve been really interesting just because the dynamics of operational devices are so different at their core than IT.

Susan Peterson Sturm (02:30):

It’s been fun. At the same time, energy markets have liberalized in that time, and especially in power. The value of that data, even if it’s not to do control, but the value of that data to optimize is the economic positioning, the security of the grid. That’s what makes this super compelling to me. The more that we can securely adopt this end of visual technology, there’s so much under-utilization given current technology for energy resources and we need it right now. We’re really constrained. It’s a really cool time to be in this space and helping hopefully, enable it, the transition in a secure way.

John Vecchi (03:15):

It’s perfect timing. There’s so much focus on this. We just watch, I’m sure you see it similarly, Susan, every week CISA has another 5, 3, 4, 5 advisories, all targeting critical infrastructure, programmable logic controllers. All of that kind of stuff. It’s just crazy. One thing I’m dying to know is, what’s it like to be a CISO today in the energy sector? What’s that like and how is that different than your typical CISO and maybe other types of industries?

Susan Peterson Sturm (03:52):

I’m not currently a CISO, recovering one for a company that served a lot of the oil and gas majors in large power generation chemical companies. We’ve got CISO, which is giving us some great guidance. I really love econometrics. Thinking about value at risk. Because it’s very hard. We can’t make an argument with a compliance checkbox. We need to speak the language of business. It’s really challenging. There’s a lot of change management. I think CISOs of companies that have operational technology, especially with that new SEC ruling, being able to talk about how you quantify material cybersecurity risk. Those 10K statements aren’t only going to address data integrity, et cetera. They’re going to be talking about potential consequences around operational technology. If you’re a product company, if you’re a company at manufacturing company, view a lot, I think you could argue that you have material risk tied to those systems.

(05:16):

It’ll be interesting once we can have more of a dollar-based discussion how the culture might change from one where everybody needs to meet this minimum, which we haven’t gotten the progress we need frankly in our in our industries, to one that’s more risk-based and saying, you know what? I can accept that control. That’s within the zone of tolerance and I’m going to go really deploy more resources on this one, which is the big. That alignment with the business I think will be very helpful. It’s a stressful gig right now. There’s a lot of personal liability tied to the CISO rules. We’ve seen some CISOs get prosecuted. I’m not an expert in all of those cases, both in Europe and the US. It can feel like a lot of risk when you don’t have visibility in every aspect, especially if there’s more than IT scope.

Brian Contos (06:09):

Yeah, I was at Black Hat this year in Vegas, which at the time of this recording was just about a month or so ago. I was at an event where the former CISO or Uber was giving a talk to a room full of CISOs, talking about the court case and the prosecution. It was so interesting watching the other CISOs in the room just saying, “Okay, what are the things I need to do to avoid ever being in that situation?” Just the amount of liability that was put upon them and the responsibility that came up with that.

(06:43):

I’m wondering, given your past experience as a CISO in that role, and we’ve talked to CISOs for many other industries. Some of them tell us that the executive team, the rest of the executive team, the boards, other critical stakeholders, they get it. They get the cyber risk. In some verticals, we hear that it’s such an uphill battle. What do you think the current state is now? Do you think that these executives and board members and other critical stakeholders get it in the industrial side, or is there still a big gap?

Susan Peterson Sturm (07:17):

I think where your company is and its maturity is an important part of it too. If you’re in startup worlds, every dollar, and even for security companies, every dollar that you invest in, oh, here’s an accretive revenue generating feature. Oh, let’s go back and deal with our security technology that those are difficult discussions no matter what. They’re real, let’s be pragmatic. I think no one is going to say, “Nah, I don’t need security.” On the flip side, you can get into a lot of debate about what’s good enough. If you’re on the product side, there is so much work. These are safety critical industries. If it’s med tech, if it’s transportation, it doesn’t matter.

(08:06):

Then it’s embedding into these design practices that have treated security as a separate thing and getting visibility into those engineering processes, into those service processes where the current leadership has visibility to those tools when they’re monitoring quality and execution. I think that’s a challenge, is to be able to embed it, not treat it as something separate, embedded into existing processes, which takes a lot more time, but is way stickier. Then having a basis by which to say we’re not overbuilding here. We are building. That’s why I really like a value at risk type of approach. Because you’re aligning to the company’s enterprise risk management posture, and then you’re giving some additional context around security risk, which can become physical risk or compliance risk in critical infrastructure, OT security.

John Vecchi (09:09):

You said it, OT security. It’s a tough one and you’ve lived it. You still live it. Again, you just look at the history of this, and Brian and I talk about it all the time on this podcast. It’s not like they’re all alone in the state of these kinds of devices, but certainly, when you look at industrial ICS settings and energy and utilities and these, it’s a very, very difficult one. Looking at the state of these, we call it xIoT, which includes things like OT cyber-physical systems, industrial IoT cyber-physical systems. Again, there’s even some things that you’d classify as IoT that can be very critical in some of these settings. A camera can be a very critical device in some settings.

(09:58):

That’s why the xIoT, they overlap. You look at all of these, you look at the state of them, they’re a mess. They’re very old. No one wants to touch them. Then coupled with, like you said, the mindset used to be, “Oh, they’re isolated and they’re air gapped.” That’s so different now. We’re looking now at some of these things. We have 5G gateways. These things are more and more connected. It’s so different now. When your CISOs that are overseeing this, do they oversee this? There’s so many different groups, Susan, that might be touching these things or maybe don’t want you to touch them. It is just an incredible difficult thing. I would love to just hear what are your thoughts on some of those?

Susan Peterson Sturm (10:50):

There’s part of me, and this is like a mea culpa, so I’m part of the problem. Sometimes I think this perspective, and I’ll probably get some nasty comments about this, but this perspective that we’re so special in OT security and that nobody can touch our systems. It has not served us super well. I look at the OT security space where up until maybe two years ago, you could get 25 million bucks in that M&A, in private equity without having a beta product. To me, this reminds me, and I’m old enough to remember dot bomb. I really wanted to get a job at Enron, graduated from college. Good thing I didn’t, or the whole digital bubble. Nobody talks about digital now. They just talk about their teams developing software. This bubble that we’ve seen, it’s just all the macro and then kind of more micro. There’s still very few companies that are pure play OT security that are making more than $50 million a year.

(12:09):

Then you look at consistently these market surveys, and these are not expensive. These are the freemium ones that I’m looking. It’s an 18 billion market and you’re like, “This doesn’t square. This doesn’t make sense.” The thing that I care about frankly is we’re not really solving this problem. We have this pretend air gap where everyone knows that you pick up the end of the rug and it’s going to have worms and stuff under that and it’s going to be scary. We’ve kept it isolated. The biggest thing is I think we’ve forgotten the user. Gartner says we’re in the trough of disillusionment phase for OT security. There’s all these early pioneers, all this tech, but nothing is scaled yet. We don’t have major players.

(12:58):

The focus on the user isn’t there. This is a really hard market, because talk about change management, as a CISO and an organization, I’ve got my side. I’m being pitched. I was being pitched new security technologies. Then I probably am going to have to. If I’m a regular CISO in an energy company, then I’m going to bring in my OT security team that may or may not be reporting to me. Then the people who are going to have a significant hand, and maintaining it are the operations folks. The operations folks are people who really have expertise in those automation systems and the underlying process. They tend to spend a long time at one plant. We haven’t done a great job about that persona and making it easy for them. As a result, even when technology has been deployed at those sites, they’re not touching it. It’s not that they don’t care.

(13:59):

It’s that I think that we haven’t focused enough on who one of the really important end users are and how we can make that a part of their shift rounds, the way they’re walking through and looking at and doing visual inspection at equipment and taking readings for anything that’s not plugged in. Having the same kind of mentality about on patch management, on network detection, on software versioning, all of those kinds of things. If it’s not part of the day job and if it’s not designed for that user, we’re not really going to make material progress. It doesn’t matter how cool the tech is. I know we love the tech, but I would say we’ve got an empathy problem in OT security and we get excited about the tech. We get excited about how special we are a little bit, and we’re forgetting a little bit about our users, which I think we need to do a better job. I’m part of the problem. I’ve launched products, so I’m not pointing fingers at anybody.

Brian Contos (15:01):

That’s a great perspective because then that ties into processes and trying to ensure that you have optimized your processes effectively. Sometimes those cross that chasm. It might impact the PLC or maybe in the middle of the SCADA management console historian, something there, or on the IT side or on the IoT side. It might be the security cameras, the digital door locks and everything in between. We go into these organizations today and they have very little concrete evidence. Evidence-based data regarding where are my critical assets? Whether it’s a piece of hardware or virtual machine, a cloud-based asset, specific software applications and everything in between. Each one of those things is an asset. Few of them have that. Now, you take a step back and you look at almost every single framework and regulatory mandate in the world across NIST, across PCI, across SOCs. Things that have come from NERC. Pretty much everyone says, know what you’ve got and know where it is and hopefully, what it does and its dependencies and things like that.

(16:10):

We built all these other tools and processes to top that without actually addressing that one foundational piece. There’s other foundational pieces that we probably haven’t addressed, but that’s one of them. We try to keep on building it. It’s like this house of cards, and I’ve seen this multiply pretty extensively in oil and gas, power and energy. I see in chemical, both batch and discreet manufacturing. Anybody that has this really rich hybrid ecosystem, automated agriculture as well, or mechanized agriculture. I see this and they’re trying to say, “Oh, I’ve got a source solution and a SIM solution. I’ve got this and that.” How do you even know what you have and how do you know its state? Am I rotating passwords? Am I patching? Am I updating? Security from 1995, update your stuff, I have a good password. How do we move forward, I guess is where my question is hidden in that whole diatribe, but how do we move forward when some of those foundational pieces, they just seem to be skipped over the last couple of decades?

Susan Peterson Sturm (17:18):

I think that I agree with you and I think sometimes we lean on the heterogeneity of our tech stack as one of the reasons. If it’s age, if it’s vendor or whatever, we lean on that and say it’s impossible. Again, taking that risk-based view. There’s a couple of things. Like in these spaces, we’re really comfortable with reliability. If we can use that kind of paradigm to talk about criticality, that’s very helpful. It’s getting into probably, I’ve sat through a lot of risk reviews in that space and it’s getting into pretty prescriptive questions about what other systems, if this were breach, what other systems could be impacted? NIST provided actually some really good guidance, some really actionable guidance on doing that risk-centered framework.

(18:14):

Then I think translating into liability into a paradigm that’s probably more comfortable for a lot of the folks. In engineering, you’re going to come up with some counterintuitive things like, well, this thing is triple-module redundant and I can operate it in manual, so it’s not that critical. You’d be like, “This is the crown jewel.” That’s the insight that we certainly need. As security folks, we have to say, “Well, if they breach that system or they jack that sensor up, what are the secondary impacts?” I think it’s just having more diverse and equitable hiring. You start with a standardized set of interview questions. I think some of that, putting it in the right language.

(18:57):

Because I think a lot of times it’s, do you have this or not? Can you check this box or not? That’s part of the problem. I think the other part is I’ve looked also at a lot of specs from companies in critical infrastructure space. How are we defining requirements around users, around what we want there? What do we want the console for the operator to look at? How much time should they be able to do X, Y, Z tasks? What systems do they need to connect to? If we’re going to do something about scheduling, doing shift planning and putting that into their shift or putting it into maintenance, planning systems. I’d love to see more focused on the user from the customer side about what that should look like. Then the last piece is, we need to do more to embed security.

(19:57):

If I looked at the job descriptions, probably of those teams, even risk teams, how much would relate to security or on the regulatory side in those filings? I think we need to stop treating it like it’s special and put it into the for-job descriptions. Then it gets measured. These are very high-quality organizations that are focused on safety and repeatability. It’s like we just have to pivot and make it easier within their business process. I think it’s a normal maturation process, honestly. I don’t think there’s any bad intent, but it’s away from the, oh, here’s some cool technology. We bought it and we’ve got it. To, how are we doing with these steps in less time? How are we providing this data to more users that need it? I think it’s to be expected, frankly.

John Vecchi (20:54):

Do you see, Susan, the evolution of some of the new technologies we have can help with that? You think in terms of OTICS and we see that this phrase, it’s now, next, never. You’ve heard this, right? Specifically, again, relative to these cyber-physical systems that they’re all air gapped and they’re all isolated and you can’t touch them and don’t ever actively try to go find all those things.

Susan Peterson Sturm (21:23):

Just standing, no.

John Vecchi (21:24):

Oh, my God, yeah. It’s like, so here’s the now. Here’s what I’m doing now. Here’s what I’m maybe going to do next and here’s what I’m never going to do. Thinking, looking at the never, I think this is the crux of the foundation of we don’t ever touch this stuff, that ingrained mindset. When I look at the industry and I think of now, next, never, we tend to say it’s like 70% never, maybe. I don’t know what you see. That’s what we’re trying to move the needle on. Again, it’s more of and what we call, and Gartner even calls the more asset-centric maybe approach. I think in terms of these things as endpoints, and I talk about it all the time. It’s an endpoint. There just happens to be orders of magnitude more of them than the traditional endpoints you think of in your IT security today. More of an asset-centric approach where we might have technologies that can safely go find them.

(22:29):

As Brian said, visibility is a problem. I don’t even know. How do I know what I’m doing next and maybe what I’m really should be never if I don’t even know necessarily everything I have to tell you whether that should be in the now, next or never bucket? Some of the new technologies now, we can go maybe find them. As Brian said, we can address what we call table stakes. When is the last time you ever changed passwords on any of these devices? That’s a fair question. It’s kind of table stakes. Again, patching. We understand some you may never patch, but even monitoring, I think in terms of the never, I say, “Okay, I understand that maybe never.” Are you monitoring those? Are you managing them in any way? Are we moving the needle on any of that? Do you see that never bucket, maybe moving from 70% of it is today lower so we can maybe address, move those more into the now and next buckets or what do you see?

Susan Peterson Sturm (23:32):

If you look at the guidance from CISA, if you look at the whatever your entities’ regulator is, I don’t think you’re going to be able to continue to fly blind. I think that this administration has really tried to give more actionable guidance and bring more collaboration from stakeholders. You’ve got that coupled with the financial community, seeing security as a material risk. Then you’ve got two other market forces that I see. The median age of somebody working at a plant, an emission-critical types of plants. If it’s water treatment, chemicals is 55 in the US and Europe. There is a heck of a lot of gray matter that’s about to leave the building.

Brian Contos (24:27):

That’s a great point.

Susan Peterson Sturm (24:28):

You’ve got that. You’ve got a new generation of folks coming up that I get to mentor a group of really awesome recent cyber graduates through Women in Cybersecurity. Some of them are engineers, but they all know how to code. They’re going to come in with different tool sets. You have to think about how those folks or what their worldview is going to be. They didn’t have the experience with analog, going from analog to digital. Then you have this proliferation of devices and it’s not just, well, we’ve got this cool wireless sensor on this thing. If I look at the energy sector, think about this, how many more devices do I have? You have about one 400-megawatt combined cycle plant that has two gas turbines and a steam turbine, versus a PV farm. One farm has got five megawatts of capacity.

(25:27):

Just the number of devices, if they’re not connected. If you just say everything is fine behind the air gap, it becomes really untenable. Some of that lore about the relative strength of an air gap or not being able to do active scanning. I think what we’re seeing is more progressive companies, and it is really interesting to see in the renewable space. They have adopted containerization in a way that we haven’t seen as much in conventional, and it’s out of necessity. I think that’s where we’re going to end up. Especially, if you think about more localization in factories, et cetera. More smart devices.

(26:08):

There’s going to be no option but to make this easier. It wasn’t being done before because of some of the UX and the design pieces about where we were. Now it’s just like the magnitude of the security that we’re creating is just too material. I think that’s going to be the impetus, basically. Those forces are going to be the impetus for us to think about how to make this easier, how to automate more of it. I know that security automation, I’ve talked to folks in IT and they’re like, “Nah.” We need some of that on the basics to make that easy. Then Maslow hierarchy, then let’s have a discussion about advanced nation state attackers, et cetera. We all know we’ve got that debt, so how do we address that bottom tier? That’s like the oxygen equivalent for us.

Brian Contos (27:00):

My mind plays this out. I know there’s some companies out there pushing, and I’m not taking a stand right or wrong, but pushing this idea of having these very small, mobile, if you will, nuclear power plants that you could drop in the middle of some country that doesn’t have any infrastructure and it can power entire city and it doesn’t have any waste and it’s relatively safe and this and that. Then you multiply that. Well, now you’ve got a thousand of them or a million of these things spanning the globe. What are the potential risks there, if they’re not, to your point earlier, embedded with security, if they don’t come from the manufacturer with it baked in? Because what they deploy is probably what they’re going to have five years from now, 15 years from now or 20 years from now. They’re not going to be updated or you changed.

(27:43):

The thing that really sparked my interest in that conversation was you talking about working with some college students and some of the folks that have a lot of the brain share here. They’re retiring. They’re aging out of these categories. I can tell you, we’ve brought systems into our lab. We’ve got tons of PLCs and different types of equipment. We’ve got this one robot, and I won’t call it, who the manufacturer is. We said, “Hey, let’s play around with this thing and see what we can make this robot do.” It’s a pretty common industrial robot. You could use it for welding or painting and a million other things. We did what most people do when they get a robot in the lab. We made it poke holes in a pumpkin, crush Coke cans and do pushups, which I think is pretty much what everybody wants their robots to do.

(28:26):

What we found was really interesting, is yes, you could control it through a wired remote control. There was this nice interface and you had that, great. Yes, you could control it through a Siemens or a Rockwell PLC that you plugged in. Great. Set the ladder logic and do all that. What we quickly found out, and we didn’t realize that was going to be the case going in, it was running an anonymous FTP server. It was running a web server, which had a web interface that was right out of 1988, but it worked. It was very functional. It had a TCPIP stack, of course. You could tell that to it. It was really pretty robust in terms of how you could connect to it. On top of Modbus and DNP3 and serial over ethernet, it had everything else you had. You have these hyperconnected systems. When we brought our hackers into the group, our folks that are much more IT centric to play with these devices, what we found out was it was so eye-opening.

(29:26):

Not only that, it was really interesting to them. It was like, “Hey, this is something so new.” Because it’s a real-time operating system. It’s not Linux like I’ve been playing with or a Windows system, it’s a VxWorks or something like that. They got really engaged. What I thought was cool based on that as well as at Black Hat and Def Con and some of the B-sides, they’re bringing some of these devices out so young people can say or not so young people, can look at these devices, say, “Wow, this is pretty cool. What are people doing on security?” That was never even a thing a few years ago. Nobody ever brought this stuff out to the shows. Do you think the trade shows and things like that, are there some other grassroots movements or activities that are getting more people engaged in this world than maybe was the case just a few years ago so we can address that brain drain that we’re going to be experiencing pretty quickly?

Susan Peterson Sturm (30:19):

I think people are in security are really intrigued by, it’s not good if Spotify goes down, but you live, in contrast. I think it’s very compelling for folks. I think it’s got a natural draw. I think our challenge is giving that context in an inclusive way, giving that context. I really appreciate that Siemens had an apprenticeship program, which probably brought more people into energy around cybersecurity. I’m seeing the rise of apprenticeships, which I think is really awesome. Hackathons are awesome to get folks engaged. I really like that, robotics. I love french fries and there’s a robot called Flippy that would be for an automated fry cart, like you’d see in the Netherlands.

John Vecchi (31:13):

That’s awesome.

Susan Peterson Sturm (31:15):

There’s no end to the stuff you could probably do bad things with. It’s absolutely the reality if you look at the unemployment rate. If you look at the kinds of jobs that are getting automated. The next generation of those jobs are going to be people who are programming, maintaining all of these robotic and IoT devices. I think that’s the future technician work that we have to think about. That’s part of why it’s so important that we make this easy for those types of personas, as we think about how they’re going to interact and how they schedule those tasks into their day-to-day.

John Vecchi (31:52):

Real quickly, let’s talk about the threat. Again, you hear a lot and we see all the advisories. Again, back to the state of these things, when we see these CISA advisories, for example, if we talk to a customer, we’ll say, “Should you be concerned about that?” Of course. If your passwords are all default and I can look them up on Google, you’re probably looking over there when you should be looking over here. Nonetheless, there are threats. We’ve learned through things like the Vulcan Files, we see things like Pipe Dream, we see the Chinese, the Volt Typhoon. We talk a lot about Fronton, which could also be used for programmable logic controllers and the quiet exits and all of this stuff. When you look at all of these, there’s all kinds of very sophisticated, in many cases, nation state grade malware and attack kits out there. How do you see the threat to OTICS and maybe perhaps does that match perhaps what a lot of the energy utilities, oil and gas companies feel as well? How would you summarize it?

Susan Peterson Sturm (33:17):

I think they’ve got really great folks working their socks who are the associated ISAC. There’s a lot of energy and good focus there. I’ve had the privilege of doing IR exercises with some of the majors in oil and gas. They’re fantastic teams that are agile, made some really good friends. When they’ve had incidents at their sites, I spent 18 hours on the phone with them, and now we exchanged Christmas cards. I have seen enough to see the diligence that the industry puts into this. I think if you look at the process, if you think about secure by design, how quickly do things get exposed, how quickly can you identify where you have those vulnerabilities? Log4j was a wake-up call. What I’m hopeful about, frankly, is more in the SaaS world, being able to have more real-time security scorecards. Being able to really understand for your instance of software where the vendor is at. How many vulnerabilities are beyond X days? Having more real-time communication. Because it’s really not that helpful for me to sign, fill out a questionnaire once a year, maybe have you send an auditor.

(34:43):

It’s limiting liability to some extent, but it’s not really helping you be more agile. I think that’s what we need to get to is how can we seamlessly share that in a confidential way so people understand posture real-time. We don’t see vulnerabilities as necessarily an indicator that you aren’t diligent or don’t care about secure by design, like that mindset that it’s a defect that reflects negligence. Sometimes we’ve seen that. Sometimes when there is a hard-coded root password in there, okay. I think we have to have a view that we’re in this together. We need to be able to share information very quickly. How do we do that? For your instance, I think some of the software change managers or software management tools will make that easier. I’d love to see more of that in customer requirements. I would like to see more of that partnership. I love doing IR exercises with customers and vendors. I think that’s really critical to exercise that, to understand.

Brian Contos (35:48):

You hit such a key point there and I boiled it down to you can’t operate in a near real-time world with batch processes, this old way. I think one of the first times I saw this on the OT side was energy transmission. It was generation, it was transmission as well. When they have more than enough capacity, as you well know and know much better than me, they can trade, they can sell. They can sell the excess capacity. Well, that’s not done in a batch job once a week. That’s real-time. It’s moving around real-time.

(36:19):

If you don’t have tech and you don’t have processes, you don’t have people trained to operate in that way, you’re not going to be able to scale. That’s just one very small example of how everything bubbles up. Susan, as we wrap up here, the question I’d like to ask is, so for those CISOs that are listening and are working on the OT side and within critical infrastructure, what advice can you give them and they’re trying to get their arms around IT and cloud and IoT and OT and all these things? What are some words of wisdom you can pass along besides maybe just run?

Susan Peterson Sturm (36:58):

Make sure you take some downtime. Take care of yourself. Actually, because if you don’t do that, you will create a lot of burnout in your staff. Actually, just big picture CISO, make sure that it’s part of your job description and develop your staff so you have bandwidth to help grow them up. It is really expensive to replace people in those roles. It is really time-consuming for you as a CISO to do the salary benchmarking. Because probably your people organizations, unless you’re in a huge organization, don’t have those, especially OT security relevant benchmarks.

Brian Contos (37:36):

That’s such a great real life from the trenches, response to like, you’ve lived it. You’re like, Listen to this. I love that.

Susan Peterson Sturm (37:45):

Make sure that you can spend part of your time developing your staff. You’ll feel better about it because people did that for you, but selfishly, you will be working to retain them. The second thing I would say is how you show up, the hours you put in, the intensity. People observe that and they model themselves after you. Think about how much of that is public or not, how you convey that because you can burn people out in that way as well. Just on a personal level, thinking about those things to protect yourself and be able to be in a sustainable spot.

(38:22):

I think focusing on roles and responsibilities in working with your operations team, with your team, really without that kind of definition of the roles and those contact points in a really solid actionable way where you’re testing it out, a CISO can become a designated scapegoat. The breadth of this is being decent in a change management. Until five to 10 years from now, the security scope will be well understood and all of these other functions in the same way. These constituents know we have to change our passwords and be mindful of public networks, et cetera. We’re not quite there in the work context. I think being mindful of that, working to that in a really actionable way.

(39:14):

Not just on paper, but people understand that is really, really critical. I think that the other thing that I would say is invest in your network. For me to be able to contact people in med tech and understand how they look at product security risk, even though that’s not my industry, but that’s a place where it’s more mature, is very, very good. Those are the pieces that I would say if you can focus on those corollaries and really the way the street is going, the way most CISOs are going. It’s to be able to describe cyber risk in the context of dollars. Being able to speak that language of business. Those are the things that I think have to be in your survival kit.

John Vecchi (39:59):

I thought your perspective on this, Susan, was so spot on from your comments around focusing on the user and the end user in these organizations to help progress security in these organizations, what advice would you give to those security vendors who are building specifically what we’ll call cyber-physical system protection platforms? These kinds of technologies, focusing on these devices. What advice would you give them selling to the CISOs and these other groups?

Susan Peterson Sturm (40:37):

What I would say is just the budgets have been constrained. They’ve recently become more constrained. There is a mindset that we will invest resources where we can most impact material risk. If you can’t talk about what your solution will do at scale in the context of dollars, whatever it is. Talking about that as opposed to it can perform this technical function. When I listen to pitches, it’s way more about the tech than the impact of the organization. The CISO probably really loves the tech. That’s probably really fun for them. It’s tough being a CISO and then trying to get the money for what you want. Make it easy for them. Quantify it for them. Labor savings is totally valid. Because we’re always making challenging decisions about headcount.

(41:41):

We all know that there are as many people in security as there are open jobs right now. Sooner or later, folks are going to figure out that probably won’t get resolved quickly, and we probably have to figure out how to automate some stuff. I would say think about that CISO, but literally, if you don’t have a persona that’s going to be the end user who’s going to be interfacing with it at the plant, and you don’t know their user stories, you’re not helping yourself out. Because ultimately, if you have something and it is like a museum relic and people dust it occasionally, that’s not why you built that product. Going back, doing the net promoter score, the visibility, getting that user feedback, creating a user group of the actual field users, not just the OT security folks, I think is really critical.

(42:37):

I do know of a couple of companies that have done that, and it’s very few, but they have focused a lot. They’ve done things like it’s been abstractive. They’ve been like, “Oh, we had six features that were needed for this person.” Understanding that very crisply, you’re going to have to have different capabilities. Maybe for the SOC or for the compliance team, that’s okay. How much of each one can you cover? How much time can you save them? How can you help them materially do their jobs so you can create the business case? I just want to tell you, it is really, really hard for anyone in a leadership position who has to go justify that budget if you’re not giving that to them. I’ve had to do it because I haven’t had vendors be able to articulate it, but I’ve had to sell something. Just make everyone’s lives easier by focusing on the impact for those individual user types or persona types.

John Vecchi (43:37):

Great advice. I know we have those in the business of building these technologies as our listeners, and that’s very sound advice, I think. Appreciate that. It’s been great, Susan. We could just keep going. It’d be wonderful to keep track and keep close to you as this progresses. Because I feel that the security side, even though Gartner says we’re in the trough of disillusion, and I actually see some great things happening in this space. I see a lot of minds opening up. I see change for the better. It seems that you agree. We’d love to stay close to you as that change happens and for our listeners bring you back and talk about this because it’s a very important topic. I think it’s one that I know our listeners and people in this industry are very interested in. We’ll keep talking to you about that.

Susan Peterson Sturm (44:37):

Thanks so much for inviting me. I really appreciate it.

John Vecchi (44:40):

Well, we appreciate having you again. Thanks so much, Susan Peterson Sturm for coming with us today. Remember, everybody, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive, full scope security management, and breach prevention for the extended internet of things. Until we meet again, I’m John Vecchi.

Brian Contos (45:01):

I’m Brian Contos.

John Vecchi (45:03):

We’ll see you all next time on Phosphorus Radio.