Stir in a Little Merger and Acquisition, and Voilà, You’re a Target

https://cisoseries.com/stir-in-a-little-merger-and-acquisition-and-voila-youre-a-target/

There is a lot unknown before, during, and after a merger and that can make employees very susceptible to phishing attacks. But, at the same time, the due diligence that goes into an M&A can often open up signs of previous or active compromise, noted Rich Mason of Critical Infrastructure.
What does a proposed merger do to a security program?
This week’s episode is hosted by David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Nicole Ford (@nicoledgray), global vp and CISO, Rockwell Automation.

Full transcript

[Voiceover] Best advice for a CISO. Go!

[Nicole Ford] The best advice I have for a CISO is hope for the best but prepare for the worst. The cyber threat landscape continues to change, and we have to do tests, training, and exercise repeatedly to make sure that we can meet the need when the time comes.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. My co-host is the one, the fascinating, the talented Andy Ellis. He’s also the operating partner of YL Ventures. Andy, let everyone know you’re here.

[Andy Ellis] I am here and apparently, I’m fascinating too.

[David Spark] Yes, very fascinating. We’re available at CISOseries.com where this show and all of our shows on the network are available. If you haven’t explored them, please do so. And actually, if you haven’t checked out our Events page, all our in-person and virtual events are there. In fact, the day this drops, January 10th, I will be in Clearwater, Florida, and I will be doing a live show in Clearwater, Florida. So if you’re hearing this today, and you live in Clearwater, Florida, it’s a Convene Conference at the Sheraton there, so please come join us.

[Andy Ellis] But if you think nobody’s in San Diego, I’ll be there keeping an eye on things while David’s not around.

[David Spark] Thank you. Yes. But I will be, actually the day after this, you and I will be meeting up for a lunch.

[Andy Ellis] Yeah, I’m looking forward to it.

[David Spark] Looking forward to it as well. Our sponsor for today’s episode is Pentera – assure security readiness across your complete attack surface. How is that done? More about that later in the show. Andy, here’s my question. We are now not even a full two weeks into January…

[Andy Ellis] Yep.

[David Spark] …when this airs. And we will have received many at the end of 2022 and many at the beginning of 2023 telling us what their predictions are for the year. Do you know what I literally never see an article about is, “Hey, here were our predictions last year, let’s see how they worked out,” do you ever see that article?

[Andy Ellis] I have seen that article. I’ve written that article, I should go dig it up for you.

[David Spark] Oh! Well, then that’s impressive.

[Andy Ellis] But mostly it’s the “We wrote some predictions, and we were really careful to write predictions that were non-falsifiable. So they all worked out, and in fact, we’re just rerunning that.” In fact, you should see dropping momentarily I’ve got a blog post which is my advice for 2023 because I didn’t want to do predictions. And we did some anti-predictions for 2022, and I just pointed at it and said, “Look, just go read that again, the anti-predictions still work for 2023.”

[David Spark] The thing is most of these predictions are, “Well, there’s going to be more attacks on IoT, there’ll be attacks on this,” or “There’ll be attacks on this,” and my prediction last year which is my prediction for this year is just the word “more.”

[Andy Ellis] More. Yes.

[David Spark] It’s just going to be more.

[Andy Ellis] There will be more more.

[David Spark] Yes. A lot of more. Because I think you can’t go wrong with more, sadly, in this industry.

[Andy Ellis] No. Especially not when you can have more s’more.

[David Spark] Oh. Everyone in security would prefer that.

[Andy Ellis] Yes.

[David Spark] Including our guest, who I would like to introduce right now. I got a chance to meet her in person when we did a live show in Chicago, thrilled to meet her, have wanted to get her on for quite some time. And guess what? It’s happening! Today! Right now! She is the global VP and CISO for Rockwell Automation. The one, the talented as well, Nicole Ford. Nicole, thank you for joining us.

[Nicole Ford] Super excited to join you today.

What’s a CISO to do?

3:47.471

[David Spark] Critical infrastructure, manufacturing, and anything that operates in the supply chain are targets. Over this past year, Microsoft actually doubled their number of nation-state notifications to critical infrastructure, noted Rob Lemos in an article on DarkReading. “You don’t have one uniform threat – it changes by business vertical and geo-location,” said Adam Meyers of CrowdStrike, “You don’t have a malware problem, you have an adversary problem. And if you think about who those adversaries are, what they are after, and how they operate, then you will be in a much better position to defend against them.” So, here’s my question for you, Andy. As a security leader, how does your security posture change when you know, given your assets, you are a specific target versus just an opportunity? How does that change?

[Andy Ellis] So, hopefully, it doesn’t need to change a lot because you should assume that you are a target even if you don’t know that you’re a target. But the interesting thing here is you should understand how the adversaries operate so that you can apply that thinking to your current infrastructure. Because what you really have is not a malware problem or an adversary problem, you have an infrastructure problem, and you have to be able to see your infrastructure through the eyes of an adversary so that you can remediate your infrastructure problem. Because once you eliminate the infrastructure problem, then you don’t have an adversary problem.

[David Spark] That all makes perfect sense, but let me just quickly follow up on that in that if you fall into these categories, like critical infrastructure or a critical element in the supply chain, doesn’t that really play into your development?

[Andy Ellis] Well, what it really plays into is how easy it is to sell security to your peer executives. Because when you can just walk in and say, “Oh, look. Russia’s decided they’re attacking infrastructure today, and we’re infrastructure,” like, nobody’s going to argue with you. It’s a lot harder if you have to walk in and say, “Well, there’s nebulous attackers out there who might come after us.” Then you sound like Chicken Little.

[David Spark] All right. So, that is an extremely good answer, it’s a lot easier to sell through. Nicole is nodding her head. Do you agree with that?

[Nicole Ford] Oh, I totally agree. Listen – it’s hard to sell something that people have never seen. But when the news is kind of hyping it up, and you’re starting to see attacks specifically in your sector or your industry, then it’s easier to say, “Hey. Look what XYZ said,” or “Look what LMNOP said.” Right? Then you have information and data to go back and use, right? You’re not Chicken Little, as Andy stated. It’s real, right? And the question is not if, it’s when. And that’s so much easier to sell than telling them about pie in the sky threats that have never happened to anyone.

[David Spark] Let me ask you – have you worked in security for industries that were not necessarily critical infrastructure and part of the supply chain. Yes?

[Nicole Ford] Yes.

[David Spark] Okay.

[Nicole Ford] Absolutely.

[David Spark] What would you say is the big difference between working for those kind of companies and where you are now? Because you are kind of part of the supply chain now, yes?

[Nicole Ford] I am, and I think the biggest difference is being a part of the supply chain and understanding your customers’ challenges. We get to talk to our customers all the time, and we get to see what type of incidents they’re having. And that really changes the game for us because not only do I see it, but our sales team and our executive leadership understands the impact that our products or other products may have on our customers. And that really changes the game as well, right? You don’t have to explain to them things like what’s an adversary, you don’t have to explain what an incident or an attack looks like because our customers are describing it to our sales teams and our business teams all the time. And so it really helps as you’re making the case.

[David Spark] You bring up a really good point in that we talk so much about third parties and looking downstream, but you’re looking upstream and seeing, and you’re able to improve your situation because you can see upstream.

[Nicole Ford] Yes. And because we’re there, think about it. We’re at the front line. If you’re like in battle, that’s where we are. And so it really helps us because we’re setting the stage, we understand what the attacks look like, we understand even what the adversaries are doing, and we’re able to articulate that to our customers. But I would say Andy made a great point about tech debt and the infrastructure. The infrastructure’s huge. And so our customers are fighting an uphill battle, and frankly, we are, right? When it comes to managing our tech debt, the ability for an attacker to exploit a vulnerability is real.

What’s the best way to handle this?

8:33.549

[David Spark] “Could similar critical infrastructure agencies be grouped together and therefore share cybersecurity resources?” suggested Tony Anscombe of ESET in an article on DarkReading. “Such a move would deliver financial resources, communication, compliance, and policy benefits,” said Anscombe, likening the arrangement to the one that schools have when they’re grouped together in one district. Now, we’re not having that much success with individual agencies doing it on their own, according to an article by Christopher Burgess on CSO Online. The GAO or General Accounting Office here in the US made more than 90 recommendations in its public reports back in 2010, and more than 50 still had not been implemented as of June 2022. And by the way, I should mention many of those are still critical. So, we talk about grouping together resources in cyber in the private sector, and some work is done, but not that aggressively. Nicole, in the public sector where there’s really no competition and mutual benefit, could this actually work?

[Nicole Ford] I think it’s necessary. So, we know there’s power in numbers, and we know that we get more done when we work together. So, using that same adage around bringing like-minded departments together to really kind of solve a problem makes a difference. And you know in the federal government, things are a little slower, right? It takes a lot more time. And so as a result, we’ve seen success – and again, I used to be in the federal government, that’s why I can speak to this – we’ve seen more success when there’s interagency collaboration, and we’re working together to solve the problem together. And I can certainly tell you that that was something that happened during 9/11. We saw a lot of interagency collaboration around information sharing, and it really became an effective way to work together. And I think that that makes sense whether you’re talking about the private or the public sector.

[David Spark] Andy, what’s your thought? And maybe you could offer some details where you think the collaboration would work the easiest.

[Andy Ellis] Yep. So, the first question I’d have, and it is an extreme question, and it’s meant as a straw man, which is if the critical infrastructure agencies are truly similar, maybe we should think about consolidating the agencies.

[Nicole Ford] Ooh. Andy.

[Andy Ellis] Now, that’s a crazy proposal that isn’t going anywhere. But now work down within the agency because I think asking the cyber question is too low. Like, move it up. Why do they have separate IT organizations? Consider the fact that every agency has its own IT function that is doing the same thing, and we don’t have a federal IT function. Maybe that’s a place for consolidation, and we could do it modularly, start federating and growing, and that forces you to then consolidate cyber because you’ve consolidated IT.

[David Spark] I think that shared service model matters. That’s something to think about.

[Andy Ellis] And so that’s where I would go. I’d say let’s take DHS which has everybody underneath it and say, “How do you start to consolidate and share the services, consolidate the CIO functions, so that we can consolidate the CISO functions as well?”

[David Spark] Can you point to any one area where you think that could work the easiest, the fastest? And literally just you could pick a sliver here. Like, “This would be the easiest thing to consolidate quickly.”

[Andy Ellis] Ooh. The easiest thing to consolidate quickly – email.

[Nicole Ford] That’s a great point. I mean, email is a really good point. Maybe network support, right, when you think about kind of your perimeter defense, and that’s pretty standard. That would be a great opportunity as well.

[David Spark] Nicole – are you hiring over at Rockwell?

[Nicole Ford] Oh, I’m always hiring.

[David Spark] What makes an amazing candidate for you? And I’m going to start at the most green level. What makes a great green level candidate?

[Nicole Ford] So, it’s somebody who questions, right? I think you have to really think through and question all decisions. I think good problem solver is very important, right? How do you critically think about a problem, and then how do you approach solving it because I think many of the issues that we deal with are things we have never seen. And so as a result, we need people who are really good thinkers, critical thinkers, as well as problem solvers. I also look for people who have a positive attitude because a lot of the things we do can be tough, right?

[David Spark] Mm-hmm.

[Nicole Ford] But a person with a positive attitude is always going to look for the bright side. And then I look for people who are good collaborators. If you collaborate well, if you work well together with people to solve problems, that is really important. Again, you think about the common person who goes into cyber. We talk about people who are more introverted and more tech focused. I think you have to really work on your soft skills because soft skills matter and really help drive change in the space. And so we look for people who have those additional skills. Of course, we need the technical skills, but we want people who are open to collaborating and working with others.

[David Spark] All of that is amazing and we hear that a lot, that’s great that you look for it. Is there any way a candidate could demonstrate any of those things on either a resume or a way to present it? How could I show that to you?

[Nicole Ford] It’s hard, right? I’m certainly going to tell you it doesn’t necessarily come out in a resume.

[David Spark] Or something like I can show you in my history or like a personal project I’ve done.

[Nicole Ford] Maybe a project.

[David Spark] Yeah.

[Nicole Ford] So, project work is helpful too because it demonstrates that you’re a risk taker, you take chances, and you try to solve hard problems. And so I look for that as well, right? I also look just for interesting facts that are in a resume. I know that’s so untraditional, but people who take chances on their resume and it doesn’t look like the normal resume, or they tell you something about themselves. A little personal information sometimes helps too because it gives you a sense of who the person is.

[David Spark] Well, I appreciate that. And before we go on any further, I do want to mention our sponsor today, and that is Pentera. Remember I mentioned them earlier – assure security readiness across your complete attack surface. Well, this episode is made possible by them, and so we greatly appreciate them supporting us. Today, over 60% of cyber-attacks involve the use of exposed credentials. And, oh, geez, we’ve seen this report again and again and again.

Now, for the first time, security teams can address this critical threat head-on. Pentera actually collects an organization’s leaked credentials and automatically tests their exploitability across the external and internal attack surface. So, if you want to know like, hey, if the attackers are seeing this, what can they actually do? Pentera automates the moves of an attacker in the live IT environment and dynamically maps out complete attack kill chains, helping to prioritize remediation actions according to their context in real time. Pentera’s customers find that leveraging the platform as part of their exposure management strategy increases their ability to identify security gaps, improves the efficiency of remediation processes, reduces expenses, and enables them to better benchmark their cyber resilience over time. Ultimately, what does it do? It maximizes their security readiness, and that’s what you want to do. I mean, heck, that’s what we talk about endlessly on this show. So, to learn more on how you can do this and get ready, go to their site. It’s Pentera.io.

It’s time to play “What’s Worse?”

16:27.496

[David Spark] Nicole, we were chatting just the other day, and I was setting you up and Andy for this. I know you know how to play this because actually, you were at our live show too. Andy, I’m going to just say this again. We did one from this contributor before that I have to keep anonymous, and it kills me to keep this person anonymous because their “What’s Worse?” scenarios are so darn good. And he said to me – I’ve already let out that it is a he – he said to me that one day maybe when I’m at a different job, I’ll feel more comfortable letting you know who I am. But for now, this person’s going to be anonymous.

[Andy Ellis] Well, you know, whoever it is who’s submitting these, make sure when you are looking for another job, that you put this as your interesting thing on your resume, and anybody who’s a listener here who’s a hiring CISO will be like, “Oh, you’re that person.”

[David Spark] You’re that person. Yes.

[Nicole Ford] I like it. I like it.

[David Spark] Yes. I would seriously consider this person. Here we go. And Nicole, I always make Andy answer first. You move to a new town where all trash pickup is handled by two private contractors that control the market.

[Andy Ellis] Okay. That’s where I live right now.

[David Spark] There you go. Contractor number one – by the way, this guy, he put price amounts, but price doesn’t matter here, it’s really the story behind both of these. And this is long, I’m just going to warn you. This takes a little time to tell this story, but it’s good. Contractor number one – this is a family-owned business that has been around for nearly 50 years. The most technologically advanced thing they use is the answering machine at their business office. That’s if you don’t count the smartphones their sketchy drivers are observed texting on while driving their loud stinky trucks around the neighborhood. There are frequent billing mistakes, missed pickups, and you can never reach anyone at their office. You have also heard rumors that their drivers are connected to organized crime rings that case houses for robberies. But generally, your garbage is taken away reliably when it’s supposed to be. All right. That sounds pretty bad, right?

[Andy Ellis] That sounds like that could be problematic, although I wonder if those rumors are being spread by the other trash pickup handler.

[David Spark] It’s possible. But get ready. Let’s hear the other one. Contractor number two – this is a brand-new, ultra-high tech, environmentally friendly trash processing service. They provide specially tagged garbage bins you place all your trash into, and an electric self-driving truck picks it up every week. An AI-enabled, high resolution scanning system catalogs your trash content, auto sorts it according to whether it’s recyclable, compostable, etc., and then sends you an automatic report each month about your trash content, your carbon footprint, and some other feel-good info on how you are helping save the planet. All right, this all sounds good. Here’s where it turns bad.

However, the trash provider also keeps a detailed database about your trash that it mines for data. It’s about your trash, which has no reasonable expectation of privacy, so the data is completely unregulated. Plus you signed all the rights away in the terms of service. The company provides detailed marketing analytics to advertisers about your consumer trends, so you start receiving super creepy targeted ads. It also comes to light that the data is being provided to law enforcement for use in ongoing investigations without all those complications with the Fourth Amendment. Finally, in a huge data breach, their entire database is dumped online, and all the detailed private info mined from people’s trash is made completely public for anyone to see. A figurative dumpster fire ensues. All right, Andy. Which one of these is worse?

[Andy Ellis] So, I’m going to actually go with the second one is worse but probably not for the reason most people are thinking.

[David Spark] Okay.

[Andy Ellis] Which is I live in New England and the fiction of a self-driving vehicle picking up my trash on a snowy day is entertaining to think about. So, yeah, they’re not actually picking up my trash because self-driving cars and snow don’t interact real well yet. So, just on that, they are going to fail at actually doing trash pickup. Now, the reality is, I’m probably going to use whoever my neighbors are using, which is how we went with our trash pickup here was we went to our neighbors and said, “Who do you use?” and the reason for that is so that if we forget to take out our trash in the morning, we can quickly glance out our door, see if our neighbor’s trash has been picked up, and if not, get ours and take it out.

[David Spark] By the way, that is always the reminder when I see other people’s cans are there. But now the thing is, you said this, but you haven’t explained why you think this is worse.

[Andy Ellis] Well, so I’m going to go with the simple one of in my neighborhood, the second one would completely fail at trash pickup, which is the core responsibility. So, that alone is sufficient.

[David Spark] Okay. That’s not all the other stuff.

[Andy Ellis] Not all the other stuff.

[David Spark] So, I didn’t realize. So, that’s really your argument. I could have not even read the second half of the story.

[Andy Ellis] Yeah. You got to electric self-driving, and I was like, “I’m out of here. Like, I know that I’m going to have to deal with a disaster.” So, that said, all the other stuff.

[David Spark] So, you would prefer the sketchy one that could be casing your house and robbing you?

[Andy Ellis] It’s probably casing everybody else’s house in the neighborhood too, and it’s probably already casing my house when they’re driving by. My incremental risk isn’t very high.

[David Spark] That’s your argument. All right, Nicole, what do you say? Which one’s worse?

[Nicole Ford] First of all, let me say that this was hilarious, right? [Laughter] Just listening to this scenario is like, “What?!”

[David Spark] “What?” And again, enormous kudos to this listener.

[Andy Ellis] Well, I think what’s really hilarious about it, Nicole, is it’s plausible.

[Nicole Ford] It is!

[Andy Ellis] Like trash sorting is doable.

[Nicole Ford] This is like the Big Brother of trash, right? Trash sorting. I was like, “Hold on.” Of course, as a techie, I want the latter one, right? I want the automated AI. I love all of that together, right? And I’m sure that there’s some insights that I can get. But the fact that my data was stolen and all of the things that could go wrong with that, people learned things about me and the products that I use, could be a little scary. I don’t know. That’s a little Big Brother to me. I probably want to go low tech on this one. And I think what’s worse is the latter, and I’d prefer, as Andy said, I’m the same type of person, I will forget trash day, or my husband will forget. And we look over at the neighbor’s to say, “Hey, was the trash picked up?” We do it at the last minute. I mean, I prefer number one in that. You know what? There’s still something to say about being able to go and figure out if the guy has come, the slimy guy who’s in the car checking his cellphone. That is so true. I mean, it actually happens. But at least it’s low tech and it’s something that’s still dependable so I’m okay with option one.

[David Spark] Even though they may be robbing you?

[Nicole Ford] Well, but they can rob me… The second one is going to rob me too. They already robbed me of my data, right? So, I lost my data already, so that’s essentially the same thing, right? Just in the virtual world.

[Andy Ellis] And I will point out that if it’s private trash, then you likely do have a town transfer station where if you wanted to, you could deliver your own trash to the transfer station.

[David Spark] Nobody wants to do that.

[Nicole Ford] Kudos to the contributor who put that together because, again, that really got me thinking, and now I’m going to watch my trash people.

[David Spark] If you’re looking for a job, contributor, please contact Nicole.

[Nicole Ford] [Laughter] Please give me a call.

[Andy Ellis] So, the one thing I want to highlight that the contributor really got right that everybody should be thinking about is that second option is where trash is headed. And I don’t actually mean the Big Brother analytics, but single stream trash is where we ought to be. Like this whole separate and tag your recycling and do everything is to make people feel good and it’s actually not the right thing we should be doing. So, we need to figure out how do we get our trash systems to actually do sorting and recycling inside the whole waste management system rather than trying to do it at the consumer which is of negative value.

What’s broken about cybersecurity hiring?

24:49.175

[David Spark] On the cybersecurity subreddit, a redditor asked, “Why is there a cybersecurity skills gap?” We addressed this greater issue on Defense in Depth, but I want to isolate one response to this question by redditor fabledparable who provided a long popular answer with the following summary, “There’s a controversy over what constitutes ‘entry-level’ in InfoSec work. There’s employer conflicts with onboarding unskilled/inexperienced staff. There’s business conflicts with dedicating large budgets to InfoSec teams. And there’s a mismatch in the development of emerging professionals.” So, the rest of this thread is a lot of complaining by individuals frustrated by the lack of grooming talent into the industry. Do you agree with these complaints that this redditor made? And I know, Andy, you think the whole hiring system is broken. Where would you first tackle this?

[Andy Ellis] So, I’m going to try something new. I’m going to say there’s no such thing as an entry level job in InfoSec. Almost every job requires some depth, either technically that you need to understand how computer systems work, or depth from a project management perspective, like you need to be a skilled project manager or a skilled people manager. And by “skilled” I don’t mean you need 50 years of experience, but InfoSec feels more like a second job than a first job. And I think the biggest challenge is we don’t think of these positions as insertion level. Which is you’re coming over from a different career field into InfoSec, and so that feels like entry level because you’re entering at the bottom of our field, but we’re already one step up.

And so that’s a big creation of the mismatch, which is employers say, “Oh, it’s entry level, so we should be able to pay nothing,” but the manager is like, “But I need somebody who has all of these skills already so that they can contribute.” I also think there’s a big mismatch that people do not want to develop talent and they have to get over that. If you want to hire people to do job X, guess what? You don’t get to hire people who have already done job X. You hire people who are ready to learn to do job X, and you will teach them that, and then you will either have a position for them to do job X+1, or they will go somewhere else. That’s the reality. But I think those are some core mismatches right there.

[David Spark] That’s a good point. And this, by the way, the number one complaint was the poor education and training through this whole thread. Nicole, where would you tackle this problem?

[Nicole Ford] Oh, my gosh. This is such a big problem. But I agree with Andy. In order to get an InfoSec job, let’s just say 10 years ago, you were coming from IT, right? And specific areas within IT. Whether you had a networking background or AppDev background, it wasn’t your first job. And remember, cybersecurity professionals have to learn disciplines across the board in order to be effective cybersecurity professionals. When you look at some of our jobs, you need to know multiple skills, not one. And because of that, it isn’t an entry-level job. And so Andy makes such an amazing point in saying that. Like, they need to come from some other part of the organization, or they have to come with some experience in order to be an effective cybersecurity professional.

I do think that the collegiate world is now just catching up with, “Hey. Oh, by the way, we want to start to offer degrees. We got to figure out what to offer.” Not just certifications, right? It all started with certs, but certs really don’t ensure that a person’s going to gain the skills necessary to do the job, it just means that they’re able to understand and articulate information and regurgitate it back while they’re taking a test. That’s not practical hands-on experience that’s needed to do the job. And remember, I mean, we’re doing critical things, right? We’re shutting things down, we’re closing ports, I can name a whole lot of other things that we’re asking people to do. Those aren’t necessarily entry-level tasks, right? You can shut off a network if you do something wrong. So, we need people to have the skills.

So, as a CISO, I’m always cognizant of how do I build the right pipelines, and we all have to be ready to invest in talent. If we’re not, we’re in the wrong game, period. Because this is such a new industry and a new field, and the skills continuously evolve, that we have to develop those pipelines, or we have to work with organizations that are willing to support that as well. And so I’m very vocal with schools, colleges about what should be in their curriculum, especially if they want to introduce potential students to get a job within my organization. This is what you need to teach, and here’s some of the opportunities you need to provide to students so that they’re prepared to take on a role with me. Or here’s the first step. And it’s a career ladder that requires that they go and do specific rotations in specific parts of the org so that they can come and work on the cyber team and be effective.

Well that didn’t work out the way that we expected

30:14.732

[David Spark] Do companies publicly announcing M&A or partnership activity experience more attacks? This question was posed by Michael Santarcangelo of Security Catalyst on LinkedIn, it elicited a lot of reactions. Much of it was there is a lot unknown before, during, and after a merger, and that can make employees very susceptible to phishing attacks. But at the same time, the due diligence that goes into an M&A can often open up signs of previous or active compromise, noted Rich Mason of Critical Infrastructure. I’ll start with you, Nicole, on this one. What does a proposed merger do to a security program?

[Nicole Ford] Ooh. That’s tough, right? So, I’m in an organization and have been in organizations where mergers and acquisitions are happening quite frequently. And what we see is that a proposed merger, it kind of shines a lens on the current cybersecurity program – what’s working, what’s not, right? What are the shortcomings? And you have to think about it. It becomes one organization. If the other organization or company has a cybersecurity program and another one does too, it’s almost a comparison. And that sometimes can be a little counterproductive because at the end of the day, it’s going to be one cybersecurity organization.

The reality is what’s working in one area and what’s not working in another or what the strengths and weaknesses are needs to be considered, right? So, you can kind of think about how do you merge them together, and you can achieve economies of scale. That’s the challenge. But I can tell you there’s a lot of noise and a lot of chatter up front, and people get very uncomfortable about it. But I think, again, we have to think about change. And the reality is we’re in this constant cycle of change which means that there are going to be some areas that we merge, and it makes sense to carry the incumbents, or that whatever their discipline is may be much better. We bring that forward, we incorporate it. But it’s a lot. I mean, there’s so many factors and it’s so complicated at times. I think reducing the noise and just focusing on the basics and just making sure you’re able to bring people together and recognize that we’re all here for a common purpose is very important.

[David Spark] So, don’t be distracted by the noise says Nicole. Andy? Because that can make you more susceptible if you do get distracted.

[Nicole Ford] Yes.

[Andy Ellis] I absolutely agree with that. And I think both Michael and Rich had great points which is, yes, you’re going to see a lot of attacks happening. Certainly, there’s no reason for there to be a reduction in attacks because your names are in the press, so you should assume, A, they’re going to go up, and B, you get an opportunity to look at them. I was fortunate when I was at Akamai that we never did a merger, we only did acquisitions, and the best, best security program I had from an acquisition perspective, which I’d held the line on early on and then it became our routine, was that all acquisitions, we basically threw out all IT infrastructure of the acquired company. Day one, you got brand new laptops that were already configured with an Akamai image or an Akamai employee now. Your old laptop, we’ll collect once you’re done getting everything off of it. But there was no merging.

[Nicole Ford] I agree with Andy in that there are some non-negotiables, so your playbook has to cover those non-negotiables up front. Whether it’s a merger or whether it’s an acquisition. So, there’s some things that we already know need to happen day 1 or day 0, number 1, day 1, day 2, day 30, day 60. And sticking to those non-negotiables is very, very important because from a cybersecurity perspective, cyber hygiene is the most critical thing when we’re talking about a merger or an acquisition.

[David Spark] Excellent point. Now, let me come back to something you said, Andy. Because I think what’s interesting is that you made the decision of whatever it is, we’re wiping. Walk me through what you eliminate when you make that decision. Because I can kind of already see what’s happening, but by doing that, you don’t have to do what, what, and what?

[Andy Ellis] So, you don’t have to think about, “Oh, now I have two email infrastructures. How do we make them talk to each other?” “Oh, I have two ticketing infrastructures for customer services teams.” All of the back-end IT infrastructure, which if you look at a lot of big corporations, and Nicole, I’m not going to make you look at your own to figure this, like, what did you inherit. But there’s a lot of companies, like we had customers that had like 47 learning management systems. Not because they had 47 different problems but because they had acquired that many different entities in the exact same line of business, and there was never an incentive to merge these. And so for us, it was, “Nope, there’s one IT infrastructure, there’s one CIO, there’s one everything.” And we’d had a merger during a rough time and people were like, “Well, can we just this one time not do it?” And the CIO had folded, was like, “Well, I can’t really afford it.” And I said, “No, no, no. You have to afford it. The cost of those laptops, they’ve got to be given fresh laptops.”

[Nicole Ford] I agree with Andy. I think he makes some good points. And so it goes back to, like I said, those non-negotiables. We can’t have 47 learning management systems though, Andy. So, we’re going to have to figure out how to do the collaboration or consolidation. And it becomes very, very important because we can’t carry those additional costs. It’s a complicated scenario and situation. I think it really goes back to a playbook that you think you can execute, and you have to be relentlessly focused on making the right decisions.

[David Spark] And I will tell a very quick story that isn’t cybersecurity-related, but it has to do with many different companies being acquired. I many years ago was hired to completely rewrite Sprint’s website, and Sprint had acquired many, many telcos. And they had not just sprint.com but they had sprintpcs.com and sprintcommunications.com and sprintmobile.com. They had all these different various dotcoms that they were just like a Frankenstein monster, and all of them had information that was similar, not the same, all this stuff. They were like, “We got to scrap this and start over.” And the way I describe what we did is we took something that was horrible, and we made it crappy.

[Andy Ellis] There you go.

[David Spark] Because we couldn’t. There was just so much we could do to it. And sometimes you’re like, “Well, at least it’s not horrible anymore.”

[Laughter]

Closing

37:08.478

[David Spark] All right. That brings us to the end of the show. I want to thank our guest Nicole Ford who is the global VP CISO over at Rockwell Automations, and a call-out to our anonymous listener. In fact, I will send this person a message to let them know how much we appreciate them and let me know if we can use a pseudonym for the future. And yes, Andy, it was the three. I looked at our history. It was one that was three different candidates and you had to pick which of the horrible candidates.

[Andy Ellis] Yeah. I remember that one. That was a really brutal one.

[David Spark] Yeah. That was a good one as well. So, kudos to this person who one day will reveal themself, and we will be able to give them the appreciation they so deserve. If you’re looking for an amazing job, I know that Nicole has great positions open. And also at many of the companies under YL Ventures, I’m sure plenty are hiring, yes?

[Andy Ellis] Absolutely and we’ve got a job site on our website, so you just go to ylventures.com and click on Careers.

[David Spark] And I want to say a huge thanks to our sponsor, Pentera. They have been a spectacular sponsor of the CISO Series. Remember – assure security readiness across your complete attack surface, that’s pentera.io. Please go check them out for automated pentesting. And thanks to our audience. We need more “What’s Worse?” scenarios. Please send them in. We greatly appreciate your contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.
