1월 18, 2023

EP 19 – The Cybersecurity Gridiron

In this episode of the Trust Issues podcast, host David Puner interviews Nigel Miller, Director of Security Operations and Engineering at Maximus, a company that provides process management and tech solutions to help governments improve their health and human service programs. Nigel discusses his role in keeping the company’s nearly 40,000 employees cyber-trained and secure. And, as you’ll hear, Nigel highlights the similarities between football and cybersecurity and that understanding one’s opponent and environment is crucial to success in both. 

[00:00:00.150] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in Identity Security.

[00:00:23.560] – David Puner
Welcome to another episode of Trust Issues. On today’s show, I talk with Nigel Miller who’s the Director of Security Operations and Engineering at Maximus. Maximus helps governments across the globe improve their health and human service programs with process management and tech solutions that help public sector agencies operate more efficiently.

[00:00:44.840] – David Puner
The company has nearly 40,000 employees, and part of Nigel’s job is to keep them cyber-trained and secure. Foundational to his role, as you’ll hear him tell it, Nigel spends a lot of time thinking about risk. Not foundational to his role, Nigel also thinks a lot about football, which he points out has a lot in common with cybersecurity. As he sees it, he’s the equivalent of a defensive coordinator on his team.

[00:01:12.380] – David Puner
To succeed in both football and cybersecurity, you need to understand your opponent, AKA think like an attacker. You need to understand your environment and understand what everyone else on the team is doing at any given moment.

[00:01:25.240] – David Puner
In the cyber world, a large swath of security concerns, risks can be handled with basic blocking and tackling. When that basic blocking and tackling fails, big problems typically follow—highly visible, big problems.

[00:01:41.760] – David Puner
Like cyber, in football, there are all these different pieces of the puzzle: offense, defense, special teams. They all need to work together in concert. As a subset of those larger pieces, you’ve got the individual players and their supporting staff. Just like when fundamentals fail in football, in the cyber world, if identity isn’t being managed appropriately, if the controls that allow people to move from place to place aren’t enabled to do their thing, things tend to collapse. That’s maybe where the similarities to football end because cyber is, of course, not a game, and it’s a never-ending season.

[00:02:19.510] – David Puner
Thanks, Nigel Miller, Director of Security Operations and Engineering for Maximus with us today. How are you?

[00:02:27.680] – Nigel Miller
I’m very good. How are you?

[00:02:29.660] – David Puner
Doing great. Thank you very much. Wanted to just say at the top that notes I have on Maximus are that it’s health and human services and it’s a company that provides IT for federal, state, and local governments. Anything you’d like to add to that?

[00:02:48.160] – Nigel Miller
There are services along with all of that at Maximus. It’s a significantly large company with lots of different opportunities to be engaged with different areas.

[00:03:00.930] – David Puner
Excellent. By large company, as far as employees go, I’m seeing 39,000 plus employees with offices in 10 countries. Of those 39,000 employees, how many are on your team?

[00:03:14.810] – Nigel Miller
I have 12 people on my team report up to me. We have within that, there are two different managers that I have some direct reports as well.

[00:03:25.470] – David Puner
What do you and your team, what are you charged with overall and what’s your purview?

[00:03:31.160] – Nigel Miller
Oh, yeah, sure thing. We’re charged with the incident response security operation, the SOC-type function, the identity and access management, and security engineering aspects of the company.

[00:03:47.820] – David Puner
We should point out that most of what you’re overseeing is internal. It isn’t necessarily related to the projects.

[00:03:56.500] – Nigel Miller
That’s right. There are some project things that come through that bring us in to the discussions on how to do certain things and how to go in the direction to meeting certain requirements.

[00:04:09.520] – David Puner
We talk to protectors here on the podcast. In your role, who and what are you protecting?

[00:04:18.980] – Nigel Miller
We protect. We’re part of the corporate entity; we’re enterprise security, so we protect multiple areas, so it’s within our controls. We’re monitoring. We’re protecting our internal employees, for the most part, from themselves in some cases, and in some cases, from the external areas that are trying to break in, those types of things.

[00:04:48.420] – David Puner
Protecting them from themselves. I think I know what you mean by that, but can you give me an example?

[00:04:55.240] – Nigel Miller
There’s accidental things that can happen that you just have to monitor and protect against. Some people need some guardrails up, and those guardrails are controlled by my team.

[00:05:08.740] – David Puner
You’re talking about clicking on the wrong things and just basic cyber hygiene, that kind of stuff?

[00:05:14.680] – Nigel Miller
That’s right.

[00:05:16.200] – David Puner
I guess since the dawn of the work-from-anywhere era, how have those internal security challenges maybe ramped up?

[00:05:26.380] – Nigel Miller
It certainly shifts the protection from the perimeter defenses to more so you have lots more perimeter that you have to account for. You pretty much have to have more workstation controls and those types of things to prevent. There’s multiple things that can be done and that we do to prevent the new risks that have been introduced, bringing people in to our network in different ways so they can do their job.

[00:05:56.620] – David Puner
Do you find that in your role, you need to think like an attacker? If you do, how do you do that? Is it difficult to get into that mindset?

[00:06:07.820] – Nigel Miller
Absolutely. When we’re going down the path of trying to mitigate risk, we really look at what are the bad guys doing. We try to keep our fingers on the pulse for the environment, what the bad guys are after, what their vectors of attack are, those types of things. We have to really apply how we can mitigate those risks.

[00:06:28.960] – Nigel Miller
I always think about, you believe your house is secure until you get locked out. Then you start having to think, “Well, how would I get in my house when I’m locked out?” That’s the point that you find the most security vulnerabilities in your own personal things is that type of thing. So yes, you do have to think like an attacker and you do have to think about even if not just the attacker, but what your users may do, intentionally or by mistake.

[00:06:55.740] – David Puner
Any particular example, recent, that you can think of?

[00:06:59.500] – Nigel Miller
I’d say in general, with so many employees, one of the hardest things is just making sure that your employees are trained appropriately and that they understand that the easier attacks don’t work, phishing and those kinds of things.

[00:07:14.440] – David Puner
What are the top security challenges you face?

[00:07:17.890] – Nigel Miller
Well, I’d say that the top three for me are really mainly the phishing-type things, those come through; thousands of emails coming out. That’s one that I consider to be one of the top threat. Another might be misconfigurations. When you’re moving things to the cloud and you have lots of cloud exposure, you really have to keep your finger on the pulse of all the things that are stood up. There’s a lot of controls that you can have, a lot of visibility you have to have to make sure that those things are appropriately locked down.

[00:07:53.200] – Nigel Miller
Then when you introduce different areas like DevOps and things like that into the environment, you have to make sure that those guardrails are very tight as people have more control to do more things within the environment. That’s just another area that is what I consider to be potential for threats or risks.

[00:08:17.040] – David Puner
How do you keep your finger on the pulse of all this?

[00:08:19.900] – Nigel Miller
Depending on what the particular risk is, I’d say that you have to just have visibility and visibility and visibility to what’s going on in the environment. You have to clean out the things that are not as high of a risk so you can focus on those things that are the highest risk. You look at things like testing your security controls and having external parties come in and test them out. That’s another opportunity to discover those things of where your risks really lie within your company.

[00:08:49.580] – David Puner
Totally keep this anonymous. But do you have a cyber war story? It could be your career; it can be from now; it can be from whenever that you’d be willing to share about a threat your team has mitigated?

[00:09:00.860] – Nigel Miller
I do. In our career, we get to experience some of the brightest minds in our penetration testing areas. Those are the things that… And this isn’t necessarily where I work now, but you get to experience some certain types of threats that feel more advanced with if you hire some more advanced pen-testers, and you get to experience what those attacks look like. Of course, it’ll give you a scare and all that.

[00:09:27.300] – Nigel Miller
But some of the basic block and tackling have made some of our pen-testing friends’ jobs more difficult. Those are the things that I really enjoy. One time, we caught a pen-tester in an environment and locked them out, and they basically had to say, “Well, we need that in order to continue what we’re doing.” That was a good story for me. I just enjoy the back-and-forth that we can have with those red teams.

[00:09:58.420] – David Puner
You’re the Director of Security Operations and Engineering. What’s your career path been and how’s your role evolved over time?

[00:10:05.930] – Nigel Miller
My role has evolved significantly. I was a developer for a few years at a financial institution. I went from there to working as a help desk manager, which was a very interesting opportunity to develop some customer service skills.

[00:10:18.260] – Nigel Miller
Then from there, I was a DBA, and then I went into information security after that. Even information security, my career path has been a mixed bag here. I’ve started out in information security risk assessment, the governance-type role but with some technical flair to it. That role has really geared me towards understanding project-level risk and company enterprise risk. That was a pretty significant help in my career moving forward.

[00:10:47.040] – Nigel Miller
Then I took on a security engineering position. Then I took a leadership role on after that, leadership of cybersecurity, then leadership of identity and access management. Now I’m the Director of Security Operations and Engineering.

[00:11:01.800] – David Puner
Change is perhaps one of the only constants in life, some philosopher must have said at some point, and that holds especially true in the cybersecurity space. How have you adapted to the constantly changing cyber threat landscape?

[00:11:17.560] – Nigel Miller
Change is absolutely… That’s one of the things that you have to stay abreast of. You have to understand what new techs are out there and what things are being exploited. It is a constant change. I’d say that things are constantly changing, but there’s a lot that’s still the same. Me, personally, I like to attend local events where we talk about the current environment and what’s changing in the environment and what to focus on and learn the new technologies as well.

[00:11:49.140] – Nigel Miller
AWS is a good example of something that it was just different. At some point in my career, things changed. You have to learn it. You have to jump on board. You have to learn it. I’d say that in security, you’re forced into that a lot of the time. Because your IT teams are moving so fast, you’ve got to make sure that you’re constantly engaged with those technology teams and implementation and technology environment, but also what the bad guys are using.

[00:12:16.060] – David Puner
Then shifting to organizational change for a second, can you describe your approach to managing the human side of organizational change? For instance, during your recent PAM deployment, how did you gain stakeholder trust and acceptance and manage expectations or change effectively throughout the process?

[00:12:33.560] – Nigel Miller
The changes that are coming from information security are very, very difficult. I had one of the CISOs in my past say this, and it’s just stuck with me, “It doesn’t do any good pushing rope.” You have to have people on the other side pulling. You have to explain it in the context that whoever you’re working with is going to understand.

[00:12:54.740] – Nigel Miller
I’d say that the changes that we’ve implemented, and if you’re looking at privileged access, for example, that’s one of those things that most areas understand there’s a risk, so you have to explain it in that context. Then you have to explain what’s going to change if you want to go best practice with those types of things.

[00:13:16.400] – Nigel Miller
I’d say that as long as you have a good open communication and understanding that a business has to be able to be done, and they have an understanding and trust that you’re going to do whatever it takes to make sure they can still do their job. Open communications and helping them understand so they can help pull that rope in.

[00:13:37.660] – Nigel Miller
Privileged access management is one of those that it does feel very impactful to the users who are going down the path of using it. But if you can build that trust up, you can actually make it so they understand that not only is it something that they can benefit from when it comes from a security perspective, but they can also benefit from it in a single place to go, and you can offer them changes that would impact them in a positive way. But you just have to really explain it and then work hard to make sure that you understand their use cases and to build that trust.

[00:14:12.580] – David Puner
Great. Thank you. After talking to a lot of cybersecurity professionals on this podcast, we found that sensational hero or villain stories make good drama but are usually the outliers. It seems rather that it’s the repetition of basic best practices that provide stability and protection for a company. How important are basics and repetition in your job?

[00:14:35.580] – Nigel Miller
They’re absolutely important. In a lot of cases, what I’ve seen, the basic block and tackling, the things that don’t feel very fancy, the things that don’t feel like they’re really moving the ball forward. They’re almost like the logistics piece of it. If those basic block and tackling things are not done correctly, consistently, then you’ll find yourself in a worse position than implementing a fancy tool, you really need the basic block and tackling, and that’s going to cover a lot of the potential issues or risks that you could encounter.

[00:15:11.880] – Nigel Miller
I look specifically at the identity and access management area. That’s one of those things. Access controls are absolutely important. That is an area that if it’s not managed consistently and appropriately across the board, it could lead to significant risk. But that is an absolute must.

[00:15:31.370] – David Puner
How does risk figure into how you execute in your role? How has it been a recurring theme throughout your career in security? How do you determine at any given time what your biggest risks are?

[00:15:43.760] – Nigel Miller
It’s very important to understand what the end results will be of whatever you’re spending your time on. I’ve seen many organizations go into a direction of something that is important, but it may not be at the top of the most important things to work on. Like maybe there’s a software list that is really out of compliance, but that doesn’t necessarily mean it’s high risk.

[00:16:12.840] – Nigel Miller
So you look at the end result of, Could this lead to an attack? Could this lead to something that puts us in a worse place? Yeah, we don’t like necessarily having certain things on our machines, but spending your time on the most important things is… It’s a difficult thing, a difficult thing to focus on. From my perspective, you really have to think what those end results are going to be and how much time you spent on it.

[00:16:37.620] – David Puner
Can you talk about how you’re tackling risk in highly privileged areas of your business? What’s your current focus area? What does your roadmap look like?

[00:16:49.100] – Nigel Miller
Not specific to where I currently work, I’ll just say that when you’re going down the path of reviewing high-risk-access-type things, it needs to be treated as a program. It’s not just a one tool, one initiative thing. It needs to be approached in a way that you’re bringing in more than just that tool. That tool is certainly a very helpful thing that you could use, but a lot of times, there are the actual systems that accounts are in.

[00:17:19.780] – Nigel Miller
I like to throw Active Directory as an example. Privileged access and Active Directory, if you can put something on top of that, like a CyberArk or a tool that is controlling and rotating credentials and that type of thing, that’s a fantastic way to protect certain accounts. There are certain accounts that you cannot bring into those types of tools because there’s not an integration.

[00:17:43.160] – Nigel Miller
In those cases, you can use something like an Active Directory, additional features like protected users and things that Microsoft has put in that are also helpful in conjunction with that. You have to treat it like a program, and then you have a tool that is helping with the user portion of it or rotating credentials that can be rotated wherever possible. Then you have that additional layer in your program that can mitigate risk of those accounts being accessed inappropriately.

[00:18:14.580] – David Puner
When we spoke earlier, prior to this interview, football came up quite a bit, comparing it to certain aspects of your role. Is football something that you think about as you go about your day-to-day?

[00:18:27.360] – Nigel Miller
Not every day, but I’m a big fan. One of the things I like to point out is you can be on the sideline and you can tell when a team is doing bad, but you don’t necessarily know exactly what it is that’s causing it unless you’re that coach or you’re really big into football. I think that really in cybersecurity, it’s the same way that from the outside in, you can say, “Yeah, that receiver didn’t catch the ball,” but you may not have a good understanding of what led to that, that receiver not catching the ball. Does he have the wrong gloves? Did he get blocked? Is he rattled?

[00:19:03.670] – Nigel Miller
When you’re in cybersecurity, you should have a good understanding of what are the components. A lot of times, I mentioned this earlier, but the things that are not as fancy tend to be the things that really help out. For example, if you have a bad offensive line and your quarterback keeps getting sacked, it may not be the thing that sticks out when you’re watching football. But if you have a good offensive line, your quarterback may have time to make those big plays.

[00:19:33.920] – Nigel Miller
Maybe your running backs can open up a hole, and your running backs can get through. That may not be something that sticks out from somebody outside looking in. I’d say that in a lot of cases, cybersecurity is like that, too. You have the areas that are doing a lot of that block-and-tackling-type situation, and they may not be on the cusp of really fancy things, but those are those processes that are in place; those are those people that are doing things that have to be done to make sure that access is appropriately done, patching is done, and managing tools that would detect something and prevent it from going any further.

[00:20:14.620] – Nigel Miller
Those are the kind of things that may not necessarily be on the forefront of people’s mind when they think cybersecurity, but that is super important for the success of an organization.

[00:20:24.700] – David Puner
How so?

[00:20:26.380] – Nigel Miller
If you don’t know what you have, it’s very difficult to protect it. If you don’t know what you have, you don’t necessarily know all the risks that are going to be associated with your environment. It’s good to know what it is that you have on your environment so you can adjust and you can recognize where your risk is.

[00:20:43.800] – David Puner
If we’re continuing with the football metaphor for a moment, are you a player coach, or are you the quarterback? Are you special teams coach? What’s your role?

[00:20:54.460] – Nigel Miller
It’s a tough one. The coach is what I would call the CISO. He’s the one in charge. He’s the one making sure that the right plays are called. He’s the one that gets fed the information. I may be more like a defensive coordinator.

[00:21:08.580] – David Puner
All right.

[00:21:09.900] – Nigel Miller
I may be the one who’s seeing the things that are happening and trying to prevent those big plays from happening. I may be the one who’s aware of what protections we have in place and filling the coach in on the details of where I’m seeing potential weaknesses. Then he makes the play on what exactly is going to happen in the environment.

[00:21:31.780] – David Puner
Of course, it’s a never-ending season.

[00:21:33.940] – Nigel Miller
It is a never-ending season, that is for sure.

[00:21:37.360] – David Puner
Excitement year round. How does the balancing of security and usability figure into what you do?

[00:21:45.240] – Nigel Miller
That’s an absolute must. There’s always going to be things that people feel that as they get more secure, the user experience may degrade a bit. There are some areas that the user experience can actually get better along with security. One of the things I’ll throw out there that has been a fantastic thing in the industry is the MFA piece. When you start introducing the SSO providers that contain all the things that are needed to authenticate somebody, that takes a lot of the pain out of people’s daily life.

[00:22:18.520] – Nigel Miller
I like to use CyberArk as an example of something that can raise your ability to control that just-in-time-access type of access. You can also add multifactor on top of it so you can have that single choke point of where you need to go to get access. When somebody says, “Go make a change in this domain,” that’s where you go. You don’t have to go to somewhere and get an account or use a different account to get into it; you can just go into CyberArk and click Connect.

[00:22:47.730] – Nigel Miller
I see opportunities like that in the security realm that we can have squeeze points to not only monitor the security aspect of it, but we can make it so that people don’t have to go to as many places. SSO, privileged access, those types of things can improve people’s user experience.

[00:23:07.550] – David Puner
Somewhat along those lines, how is Identity Security a business accelerator?

[00:23:14.800] – Nigel Miller
From my perspective, when you’re working with big companies, they generally want to know what your security program looks like. They want to understand what you consider to be important in your security program. I know from when I used to do risk assessments of other companies, I went out and broke out exactly how they manage their security. That’s one piece of it. If you have a good security program and a good mature way of doing things, I feel like that’s a great way to enable the business to say, “Hey, look, we’re a company that you should work with because we have these types of things.”

[00:23:49.800] – Nigel Miller
Another method of advancing your security program is if you have things in a way that they’re automated, and security is built into all of the processes. When people deploy things, they can just be deployed in a secure manner. That enables them to continue doing what they’re doing. If you have a less mature security program, you may end up with some manual processes and all that. I’d say investing in cybersecurity and those types of things to integrate them with your IT processes enables you to get things deployed without having to apply the breaks as often.

[00:24:25.240] – David Puner
Like many modern digital businesses, Maximus relies heavily on infrastructure as a service and SaaS solutions. But this, of course, presents many new identity-related challenges for you and your team. Based on your experience on this front, what tips can you offer other organizations looking to embrace the cloud securely?

[00:24:44.680] – Nigel Miller
I’d say that consistent deployment is one piece of it, integration of your security functions in the middle of it all. It’s a tough part, but you have to have experts in those areas, hiring the right talent to be able to understand that, having the appropriate guardrails set up to detect things that may not be configured in the best way so they can be remediated quickly. It does change the scope a bit.

[00:25:10.890] – Nigel Miller
Basically, you have people who can make changes at a different level. When you’re talking on-prem organizations, firewall rule changes, those things are a little bit easier to monitor. Go to AWS, you can stand up external-facing gateways, those types of things. You really have to keep a tight grip on those types of things. It’s a different focus. Understanding, building that skill set up, and having the appropriate guardrails are significant help.

[00:25:40.180] – David Puner
Your protector, bottom line. Based on that, do you have a favorite superhero or other fictitious or even real protector you model yourself after or feel some an affinity toward?

[00:25:54.760] – Nigel Miller
Professor X, I guess, where you have a lot of the visibility and you can see things that are going on in your environment. Doesn’t necessarily mean you can control things. It just means that you’re seeing things and maybe you can react a little better. I guess that’s the realm that I would go. I don’t know if you consider him a superhero, but Professor X has the visibility and the inside knowledge. But with all of the consolidation of information that we have, it’s certainly not a bad place to be. Maybe that’s what we’re striving to be as a Professor X and making the appropriate decisions on how to make our next steps.

[00:26:34.900] – David Puner
Is there anything that we haven’t touched upon that you want to bring up?

[00:26:38.860] – Nigel Miller
I have thoroughly enjoyed being in information security. We have seen just a significant explosion in the types of tools and the innovation within our environment. It’s been pretty amazing. Seeing companies catch up in some aspects and then surpass other companies, and the visibility aspect of it has just been fantastic. I’d say that in information security, I feel like it’s one of those fields that it’s constantly entertaining. You got to be careful not to get burned out, but it’s always an entertaining field to be in.

[00:27:14.570] – David Puner
How do you avoid the burnout?

[00:27:16.380] – Nigel Miller
I’d say a lot of times, it’s pacing yourself, knowing what the most important things are, understanding what those end results could be could really help you tailor your time so that you don’t get burned out.

[00:27:29.540] – David Puner
Nigel, thank you very much for coming on to the podcast. Really appreciate your time. Thanks much for coming here to talk to us, and we’ll talk to you down the road.

[00:27:38.880] – Nigel Miller
Thank you very much for having me. I really appreciate the opportunity.

[00:27:52.160] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment—constructive comment, preferably, but it’s up to you—or an episode suggestion, please drop us an email at [email protected]. Make sure you’re following us wherever you listen to podcasts.