Nate Hartman describes a six-month stint as an acting CISO or virtual CISO (vCISO) at a fast-paced Silicon Valley tech company.
In 2021, I performed a six-month stint as a cybersecurity consultant and acting CISO for a fast-growing Silicon Valley technology company. They had lost their previous CISO and needed to back-fill the position while searching for a new one. There had recently been an incident involving one of their many third-party network appliance vendors.
The breach was the result of a well-publicized supply chain vulnerability. As part of that supply chain compromise, a fourth party had been hacked and pushed infected source code to the third-party appliances on the company network. Because of the questions of liability, I attended several high-tension meetings with legal counsel for all parties.
Publicly, the company promoted a strong enterprise security posture. Its product portfolio includes advanced network services. Without providing specifics, there was boardroom consensus for advocating a robust internal cybersecurity program. It was time to get to work.
The organization faced several cybersecurity challenges typical of many large Silicon Valley tech companies. We found ‘shadow IT’ across business units. Business units embroiled in product development did not always report subnet infrastructure details to the IT head. There was a patchwork of non-unified cloud security services like VPNs and anti-malware. The business was in the process of unifying hundreds of HW and SW security vendors.
Admin accounts on endpoints exacerbate ‘shadow IT’ problems. Thousands of employees work remotely on home networks, often on their own devices. There’s no accounting for all the downloaded apps and the malware that comes with them.
It is good to have cybersecurity air cover from the board as a starting point. The reality is that as priorities filter down through the organization, product time-to-market always takes precedence. Security teams have a tough time getting resources, and the SDLC is not always prioritized.
The organization had not done a proper risk assessment in some time. There was a lot of BU infighting over priorities and resources, with cybersecurity teams playing the red-headed stepchild.
I reported to the CIO and the General Counsel. In this case, the CIO was security conscious, great to work with, and it turned out well. In general, I believe the CISO should not report to the CIO. There are natural conflicts between getting products quickly out the door and building a security program. The CISO or security team should report directly to the CEO or General Counsel to ensure independent operation.
During the six months, we initiated and tracked 35 individual cybersecurity projects. We conducted a company-wide password cleanup initiative and removed unnecessary admin access from many endpoints.
The first month we pushed to eradicate the known virus from the network. Months later, we were still finding hidden remnants demonstrating its persistence.
We inventoried thousands of HW and SW assets, including SW versions and licensing. Inventorying SW is a heavy lift project for most organizations. It is not uncommon for managers to underestimate this task.
I wrote up a full disclosure to help the incoming CISO. I included all the gory details: lack of risk assessment, BU infighting, shadow IT, disjointed cloud initiatives, inconsistent SDLC. I created a high-level security playbook for the new CISO. One of the fun things about consulting is that you’re free to describe the ugly details without fear of political backlash.
In cybersecurity, you rarely solve every vulnerability that you find. It’s vital to remember that security is a journey. Every exposure that you do mitigate is an improvement. If only 3 of 35 cybersecurity projects proceed to fruition, that’s good progress and leaves the company more resilient.
In the end, this engagement turned out to be a good project, and the company remains a client. I felt we made solid progress on the cybersecurity program and was thanked by company stakeholders. We were able to fix many fundamental issues and raise awareness on more. Those primary efforts can mitigate 80% of the threats.
The selection of a new CISO turned out well. The company went with my top pick of the final ten candidates. With the help of my complete disclosure playbook, he was able to go into the position with full awareness of the situation and a game plan.
I’ve spent many years working on cybersecurity inside large Silicon Valley tech companies. Unfortunately, it is not unusual to find Swiss cheese-like holes in cybersecurity defenses. Vulnerabilities naturally occur in business as networks are busily merged, and fast time-to-market of products is the overriding concern.
There’s always a way forward to improve cyber-governance, risk mitigation, and corporate resilience. Your business situation and cybersecurity requirements are unique. Tell us about them.
At Truvantis, our vCISO service is not a one-size-fits-all solution. We take a personalized approach to your unique business situation and cybersecurity requirements.
CISSP, CCSP, CRISC, CEH, DCHA
Nate S. Hartman is CISO and VP of Professional Services at Truvantis with more than 20 years of Information Systems Security experience, anticipating threat trends and delivering preemptive responses. He is an Internet technologist, ethical hacker, cloud security business risk practitioner, and cybersecurity generalist with expertise ranging from secure network design to security program governance, risk management, and compliance.