CISO CORNER: Interview w/ Ryan Davis
Welcome to my CISO CORNER feature for paid subscribers. Below is my exclusive interview, conducted by video call, with NS1 CISO Ryan Davis about the challenges CISOs face on a daily basis. [The interview has been edited for readability and length.]
Inside Security: What do you consider to be key attributes of a CISO?
Ryan Davis: The single most important attribute of a CISO is the ability to communicate effectively. And that communication has to transcend disciplines. You can't just have the ability to speak technically with the developer. You have to be able to take a concern that your developer has and translate that to the business. You have to take a risk that's been identified from a security perspective and translate that back to your CFO and communicate what that means. I spend much of my time being a translator from one side of the business to the other. Being able to communicate things with analogies and make it meaningful to the other side of the house are vital skills.
In conjunction with that, it is important to communicate risk in business terms. So much of my job is taking a very technical concept or looking at a very specific vulnerability and making it meaningful in business terms. Here's what the potential impact to revenue is. When I look at a vulnerability, I have to know what damage that can do to the business. And I need to be able to make sure that when I go back and I relay that to the stakeholders, they get what that impact is in business terms, not just the security risk.
So many people have this negative perception of security. They see it as an adversarial thing or as an inhibitor to being able to get business done. For me, it is crucial to have the patience to understand the problem, get to the why of what they're trying to do, and then figure out a path forward, so that we can still do those things but do them securely. That is really tough sometimes, having that patience to be the bad guy. At the end of the day, my job is to make sure that we're keeping the company secure, but also ensure that people understand I'm not doing that because I want to have this adversarial relationship with them. I want to make sure that the prosperity of the business and our mutual success are assured by not making the staff susceptible to undue risk.
IS: What would you say are the most significant security threats that you're facing these days?
Davis: The specific threats that every company faces are dependent on their vertical, the space that they operate in. Different threats arise in different verticals. For us, DDoS attacks are commonplace because we're a service provider. One of the easiest ways to disrupt the workflow for us is a distributed denial-of-service attack.
You can take a step back and look at the entire threat landscape across all industries. The most topical threat over the last six months is the threat from third parties. Every company today relies on third parties to operate its business. SaaS is a great thing. You don't have to go and learn how to run all of these things on your own. But the reality is you are not in direct control over SaaS applications; now you have distributed your attack surface over dozens, if not hundreds, of systems, depending on the size of your organization. How third parties incorporate into your environment is a huge threat vector, depending on who you are as a business and what you do.
In line with that, insider threats are a big problem, not just from the trusted insider who has malicious intent but also somebody like a negligent system administrator who forgets to change the default password on whatever system. That threat is real. I don't care what organization you go to, the human element is always there. You're always going to have somebody who's willing to click that phishing email no matter how much security education you give them. It's one of those things that you have to address constantly. It's through education, it's through detection, but you're never going to eliminate the risk from the human element. This is a threat that transcends industries.
The final one, which relates back to the third-party threat, is cloud security. We have made a very rapid transition to the cloud because what happened in 2020 has forced us to make these rapid changes to how we operate. Pretty much every company at this point has a public or private cloud that is a part of their environments. We're only now realizing how big that threat is. We were very used to having our four walls that we could put firewalls on the edge of and being able to detect everything that's happening inside of our network. Well, that's not true anymore. Things operate outside of our four walls, and we now have to deal with the security impact to our business of a cloud environment.
IS: What mistakes have you learned from while working as a CISO?
Davis: Everybody throughout their career has missteps. For me, one of the biggest challenges is being able to look forward and say what is it that we're going to need to address six months from now, a year from now, 18 months from now. The rapid adoption of the cloud is something that I underestimated. I remember five or ten years ago developers saying, "We're going to test out this AWS thing. But don't worry about it. We're just going to do some testing." It felt like overnight the adoption of cloud went from zero to a thousand. Once engineers and developers realized how quickly they could spin up resources, it was like the Wild West. To be completely honest, the security guardrails five or ten years ago just weren't there, right? You could set a basic IAM policy. Okay, cool. But you have developers interconnecting all of these things. The levels of controls that we had inside our environment were not mirrored out there in the cloud. As a security professional, I really just underestimated how quickly that was going to be adopted and how it could go from such a nominal part of our business to such a huge part of our business in a short period of time. I've really learned from that not to underestimate how quickly the adoption of new technology can happen.
IS: Do you have advice for someone looking to start a career in cybersecurity?
Davis: I would say, never stop thinking about what's next. You can't predict what the new technology is going to be. I mean that not just in terms of the industry but in terms of yourself. What is the next goal you, as an individual, are trying to achieve, but also how does that align with the business? What are the things that you can do as an individual to help the business grow? Often as security practitioners, we let the business inform us, rather than the other way around. It's really important for people who are getting a start in cybersecurity to say, "Do I want to be a CISO? Do I really like compliance?" You should look at what the next step is for you and how your career might progress. You don't have to know what job you're going to have in five or ten years from now, but you need to think about what the stepping stones are to get there.
The other bit that goes directly with that is, never stop learning. Security specifically is a field where if you don't continue to invest in your own education, the industry is just going to pass you by. There have definitely been times in my career where I felt like I'm behind the eight ball here. Make sure that you continue to invest in your education and find somebody that can help guide you along the way. Finding a strong mentor is a really important thing.
IS: How do you see the role of the CISO evolving over time?
Davis: I think it's evolving every day at this point. In 2020 we went through a pretty rapid evolution. Many businesses had to go from most employees going to the office every day to being fully remote. From the operational perspective, the role of the CISO is always going to evolve with the business.
Companies now have chief risk officers; 10 years ago that wasn't a thing. You now have people who are responsible for looking at not just cybersecurity risk, but overall risk to the organization. The importance of the CISO is going to continue to grow in terms of how risk impacts the business, drives the business. Security is no longer a luxury. At this point, it's paramount to almost all businesses' success. Having the ability to demonstrate how your company is doing in terms of security is no longer just a cost of doing business, it's actually a driver of business and a differentiator in many cases. So the CISO is no longer taking a back-of-the-house role of making sure that the company is secure. I have been brought into sales conversations very regularly because security is a huge concern to our customers. So being able to have those conversations not just from a technical perspective, but being able to translate that to the business is where we're going to continue to see that evolution become more and more important.