EP 25 – Cisco CX Cloud CISO on the Language of Risk

[00:00:00.290] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in Identity Security.

[00:00:23.560] – David Puner
Risk, the world is bubbling in it. What’s your tolerance for risk and how can you and do you mitigate risk in your life? We could avoid driving. That’d shave a lot of risk from our day-to-day. We could never shower to remove the risk of slipping and falling while in it. We could cut our WiFi and cellular connections to sidestep cyber risk almost entirely.

[00:00:51.710] – David Puner
For the large part, we don’t and won’t because taking on risk is part of living, of functioning, really. We prioritize the risk we think are most important to mitigate. We all accept a certain degree of risk in our lives. That means that to varying degrees, we’re all operating to use the parlance of the cyber security world with an assumed breach mindset, meaning we accept that attacks are inevitable, and as such, we focus time and effort on protecting the assets that matter most. In short, we buckle up for safety.

[00:01:28.580] – David Puner
On the show today is Larry Lidz, who’s the CISO for Cisco’s CX Cloud. As you’ll hear, Larry’s path to Cisco, where he’s been for about two and a half years, was by way of the insurance industry so he’s well versed in, as he puts it, the language of risk. His perspective on risk and how it influences the decisions he makes in his role at Cisco is really insightful and interesting. Keep your hands at 10 and 2. Here’s my conversation with Larry Lidz.

[00:02:02.730] – David Puner
Larry Lidz, thank you very much for joining us today. We’re really excited to speak with you.

[00:02:07.510] – Larry Lidz
Yeah, thank you for having me. Really excited to be here.

[00:02:09.840] – David Puner
You’re the CISO for Cisco CX Cloud. What does that mean and what’s your job entail?

[00:02:16.110] – Larry Lidz
Ultimately, what I’m responsible for protecting is the systems that we make available for our customers and partners to interact with that are not associated with specific products. If you think about the things that cut across Cisco as a company, in particular, our CX Cloud is one of our key areas. It allows customers to get really solid, good visibility into the telemetry and the information they have around their Cisco products and so forth. Also, oversee the security for other small things like www.cisco.com and other things that cut across the company as a whole.

[00:02:51.960] – David Puner
You’ve been with Cisco for about three years now. How large is your team and what does the varied focus look like on different members of the team?

[00:03:02.430] – Larry Lidz
Yes, so when I joined Cisco just under three years ago, it was part of our journey to bring this cloud environment out and available to our customers. This solves a couple of different needs from the customer’s perspective. First and foremost, let’s them understand what they’re using of Cisco’s equipment and how they can get better value out of it. It also is essential to Cisco’s long-term strategic plans around driving more reocurring revenue and being able to enable customers to consume technologies as a service in the way that most customers want to in this day and age.

[00:03:39.780] – Larry Lidz
When I joined, CX Cloud had not yet been released. It was still in the development process. It was very clear to us that the security of this was going to be critical to the long term goals for Cisco. If you don’t trust the digital front door that you’re working with, you’re not going to trust any of the products that sit behind that front door.

[00:04:01.560] – Larry Lidz
When I started, I had a small team. It was a handful of people. We’ve grown in the 80 to 100 range, depending a little bit on how you slice the pie. Over the last two and a half, three years, we’ve been in a massive growth stage within this area to make sure that we get to the highest levels of trust, to make sure that we’ve got the right levels of protection out there to protect the data our customers and trust us with.

[00:04:26.320] – Larry Lidz
If you think about us from a broader organizational perspective, we’re what I would qualify as a low-risk, tolerant, high-verification environment. What I mean by that is that we want to make sure that we don’t have vulnerabilities and exposures out there that would put data at risk, and we want to be very good at trusting that our security controls work the way we want them to work.

[00:04:49.360] – Larry Lidz
From a broad perspective, what that means is in addition to standard security functions you would expect to have around like a SOC and security engineering functions and things along those lines. We also invest the time in making sure we’ve got dedicated pen testers and red team folks who are actually trying to break into our cloud environment on a continuous basis so that we can keep ahead of what the threat actors are doing to try to get into that environment. There’s a whole bunch of things along those lines that we put emphasis and time on.

[00:05:18.640] – Larry Lidz
What I don’t have in my organization that you would see in a traditional security team is people worrying about stuff that runs on premise and data centers or runs on people’s laptops or other folks at Cisco who handle those areas and do a wonderful job at it. We try not to duplicate work over things to run efficiently at the same time, but really to make sure that we’re able to grow this offering and this product and this environment that we’re working in while keeping it to the highest levels of security that we meet customers’ expectations.

[00:05:50.250] – Larry Lidz
The most important thing that I do on a daily basis is act as a virtual representative of the customer security teams when customers can’t be in the conversation because it’s an internal Cisco thing. I’m advocating on behalf of the Cisco customers to understand what do they expect when they’re interacting with a cloud environment, what do they expect level of protections, what features would they expect to have as a security team to make sure that we’re really meeting those expectations upfront.

[00:06:17.290] – David Puner
You are living and breathing in the cloud, a cloud within the cloud as it were.

[00:06:21.960] – Larry Lidz
Absolutely, but I think the change that we have as an industry to move to the cloud is as dramatic as moving off of the mainframe and onto Linux and Windows was back when that happened. It’s an exciting time to be doing this.

[00:06:37.570] – David Puner
You’ve been in the business for over 25 years and you came to Cisco by way of a pretty healthy run in insurance. Looks like about 15 years, maybe more. How’s that shaped your perspective in your role today and how you go about it?

[00:06:51.450] – Larry Lidz
Financial services need to prove that the things they do securely are being done securely. I think that’s a really helpful skill set to have. The insurance part of the industry is great fun because the language of insurance is the language of risk. The first thing that I did coming in here was bring that language of risk. How are we assessing and managing the risk in our environment? How are we making sure that we’re keeping in mind the risk tolerance of the organization and in particular of the area of the organization that I’m in to be able to set out both the short-term and long-term frameworks for how we build out our security program?

[00:07:28.060] – Larry Lidz
I’m very much a risk-based mindset as to how we do things. That doesn’t mean necessarily a quantify every risk and go to the nth degree trying to figure out how much what the annualized loss expectancy of various controls and attacks and so forth are. It really means taking that mindset of let’s always focus on what we need to do to make things more secure, but not lose track of the fact that by maturing our controls that we’re mitigating risk. There is also a risk tolerance that we have as an organization that allows us to move faster from an engineering perspective as well.

[00:08:09.440] – David Puner
Risk tolerance, which is seemingly inherent now in any business, really. At any point, do you feel like you’ve got folks who don’t want to live with any risk at all and you have to maybe bring them over to another perspective?

[00:08:24.780] – Larry Lidz
I find that there are folks in the security industry who have a tendency to think about security in absolute terms. When you’re thinking about how you invest your resources, whether that’s people, dollars, even just the focus and the priority on what you do, you are inherently making a risk decision. Which is more important, which are you going to be able to tackle first, A or B? Those decisions and those discussions are essential for the success of a security program. Being effective at knowing which risks are going to be most impactful to mitigate, that’s the heart of being a security person in this day and age, because we can’t protect against every single thing out there.

[00:09:06.010] – Larry Lidz
So for me, we’re creating a cloud environment that is extremely focused on our customers and so forth. That outside-in perspective environment through the eyes of a threat actor is absolutely essential. That’s not to say we don’t pay attention to back-end controls and what we need to do in that environment.

[00:09:24.930] – Larry Lidz
If I contrast that with my time in financial services, in financial services, we spent a lot of time working on making sure we had the right documentation in place to validate and prove to an auditor that control is working effectively. That’s important when you’re worried about regulators improving things to regulators, but that’s not as important if you’re thinking about something from a threat actor’s perspective because documentation of control efficiency isn’t exactly what the threat actors are most concerned about.

[00:09:55.160] – Larry Lidz
Now, as a security leader, understanding and having evidence that controls are working effectively is absolutely important to me. I’m not dismissing the importance of doing that, but that feeds into the calculus of how you prioritize, and particularly in an environment like mine where we’ve been in a ramp-up stage over the last couple of years.

[00:10:15.590] – David Puner
Threat actors, bad actors, there are lots of names for them. Is it possible to know what’s coming next from threat actors collectively?

[00:10:27.170] – Larry Lidz
Can we know absolutely what attacks are going to come next? No. We absolutely can’t know every potential attacks. What we can do is pay attention to what attacks other people are seeing and make sure that we’re mitigating against those attacks. Because if somebody else is seeing an attack, we can be confident that at some point in time that attack is likely to come against us as well.

[00:10:49.250] – Larry Lidz
That’s why investing in threat intelligence and making sure that we’re savvy and have a good understanding of what the threat actors do and have done both historically and recently helps us figure out those priorities. One of the great things about working at Cisco is we have the Talos team who spends all their time doing that. They do a phenomenal job helping us understand what those threats are and what the attacks are.

[00:11:15.450] – Larry Lidz
We also need to be cognizant of the unknown attacks that are potentially going to come out there. You can’t predict what those attacks are. There will be threat actors who are going to come up with new and different things that nobody’s thought of before. When it comes to how do we protect against those types of attacks, we pay attention to things like how do we minimize the attack surface of our environment, so have fewer places that can be attacked.

[00:11:44.780] – Larry Lidz
We spend a lot of time looking at the code that we have to make sure it’s appropriately protected. There’s been a lot of focus on over the last year and a half now around third party libraries. Log4j was a big deal in that. It was a third party library that created a lot of exposure to a number of people across the world. When we think about things like Log4j and the lessons learned from that, it’s not just, boy, we need to patch quickly, but we need to have fewer third party libraries and minimize the number of times. We’re using those sorts of things in order to minimize the attack surface so we can be better prepared against those unknown attacks.

[00:12:24.660] – Larry Lidz
The other thing that I would be remiss if I didn’t say, and I think maybe it’s the most important part of this conversation is that for us to be effective and to think about all of the different types of attacks that could come against us, we need to have some of that attacker mindset, and we need to realize that the threat actors out there are a really, really, really diverse community. They are global. They are people who think about all types of problems from all types of directions.

[00:12:53.930] – Larry Lidz
If we, as a security team, don’t try to replicate the diversity of thought that they have and the diversity of approach they have. If we have a whole bunch of people who come from the same background, who look all like, who have the same perspective, we’re not going to be as good at being able to predict those types of attacks.

[00:13:10.930] – David Puner
It feels like a lot of what you were just saying there ladders up in the innovation. What can we learn from threat actors?

[00:13:18.890] – Larry Lidz
If you go back through the history of modern cyber security, what you see is that by and large, innovation is driven by threat actors and we as a security industry respond to the threat actors’ innovation. They started doing network scanning, and then we said, “Oh, hey, they’re doing network scanning. We should do network scanning ourselves and find those vulnerabilities before they do.” They started at some point attacking applications. We’re like, “Oh, let’s figure out how to do secure coding and do web application firewalls.”

[00:13:49.260] – Larry Lidz
We’re very reactive as an industry. We need to figure out how we can keep ahead of the game. If you think about the things that threat actors do really well, they are really good at specializing and bringing in the right resources to solve the right problems at the right times. If you think about a standard phishing campaign and so forth, they’ve got people who all they do day in and day out is write emails that are compelling for people to click on.

[00:14:17.460] – Larry Lidz
Then they have somebody else who figures out, okay, how do we target this to the right audience to be able to do it? Who are the right people if you’re doing a whaling attack where you’re targeting executives at a company? Who are the right executives? How do we get those messages into those people’s mailbox, bypassing the email security protocols?

[00:14:35.290] – Larry Lidz
If you continue going down this thing, people who specialize in building malware that should be delivered for when somebody clicks on the link, that mindset, that approach, that perspective is something that we can learn from about bringing the right people in. Allowing them to be successful by having them do what they do really well and looking at leveraging the broader ecosystem.

[00:14:58.410] – Larry Lidz
They also have very much what I would articulate in Agile terms is an MVP mindset. A threat actor tries something, if it doesn’t work, they try something else. Then when they start having success, they grow on that. I think we, as security professionals, have a tendency to think still in big bang, large project rollouts.

[00:15:23.910] – Larry Lidz
We do this thing where we say, this is going to solve all sorts of problems. Let’s put together a three-year project. We’re going to roll this out across the company and we’re going to do A, B, C, D, E, and F. Then we get through all of that, and first of all, over three years, the threat actors have changed their targets and their methodologies and so forth. Probably, they’ve already figured out how to bypass whatever controls we are trying to put in place because they’re nimbler than we are.

[00:15:47.490] – Larry Lidz
How do we change our mindset to think smaller, faster, and then grow on that, incubate the ideas, see what’s working, and if it’s not working, stop and do something different? I think that mindset and that approach, the way they do things, is something we can learn an awful lot from.

[00:16:03.560] – David Puner
If you can adopt that mindset, it’s possible to stay ahead of threat actors if there’s no apparent known threat.

[00:16:11.380] – Larry Lidz
I think that helps us react faster. I don’t know that that will get us ahead of the threat actors. To get ahead of the threat actors, we need some very innovative ways of thinking about the world. Some of the methodologies and approaches that we now use in a DevSecOps methodology really meet that need a lot better than what we’ve done before. In that, we are reducing the number of holes in our overall program and process.

[00:16:44.220] – Larry Lidz
I’ll give you a good example on this. If you think about a traditional application security program where you may do a static code analysis to look for vulnerabilities in the code that’s being written by a developer, if you’re running them the old-school traditional way of doing this, the code gets written. It runs through the static vulnerability scanner. They come up with a list of issues. That list of issues gets handed back to the developer. Developer goes, hopefully, fixes them. Commits the code into the environment. It gets released into production, etc.

[00:17:16.680] – Larry Lidz
If you think about in a DevSecOps methodology, depending on how you put the controls into your pipeline, if there’s a security vulnerability that can get caught by a static code scanning tool, it never actually gets committed. You have more confidence this actually being fixed versus just relying on the developer doing things. Those types of mindsets allow us to be nimbler, allow us to find those types of issues.

[00:17:42.370] – Larry Lidz
One other thing I was thinking about on this is that 10, 12 years ago, my company got a new COO, the new COO came in and said, “You know what, we’re going to move everything we have over to the cloud.” This is back in the time period where I would say most security people’s perspective on the cloud was like, no way, no how, don’t want anything to do with it. Not in our data centers, we can’t be confident it’s being protected. I’m sure a number of people remember that mindset. Maybe some people still have that mindset.

[00:18:11.670] – Larry Lidz
I understood the business reasons for moving to cloud. We’re not going to say no to this. The thought process of how we go about building out good cloud protections and how can we create a cloud environment in order to meet our security objectives and make sure we’re being thoughtful and innovative around how we protect things. If you step back and say, what are the capabilities that we have to protect things when they sit in the data center? Those capabilities are capabilities that we need to have in the cloud.

[00:18:45.520] – Larry Lidz
That then pivots to the how do we go about tackling this problem? As we went down this path and started coming up with plans and so forth, what became apparent to me is there’s things about the cloud that allow us to protect things so much better than we could in a data center. You can do so much faster in a cloud environment than you can in an old data center, old school way of doing things.

[00:19:09.280] – Larry Lidz
The approaches that you take are so different, but I think the value that you get out of it is phenomenal. This is why I’m really excited about the cloud area. I think that there is a lot of good things that come from an innovation perspective that allow us to get to a different level of security than we have historically in data centers, which then I hope put the threat actors on their heels so that they need to come up with new, creative, innovative ways to attack us and change that balance. I want to make it so that the things they’ve done historically aren’t going to work anymore. I think we’re in a good path to make that happen, but there’s a lot of work ahead of us.

[00:19:48.600] – David Puner
You were talking about your team and diversity on the team and using that diversity in a way to get into the mindset of the varied attacker mindset. What are you looking for when you hire and you add to your team? What does your team look like?

[00:20:07.980] – Larry Lidz
I’m looking for a mix of things. Diversity helps also make it a more fun place to work and a better culture for the organization. There’s all sorts of reasons to lean into diversity. It’s interesting because I’ve never in my career hired as many people as quickly as I have here. I knew going in I was going to be ramping up the hiring quickly, which is great because I’m really a talent-first leader. Everyone’s got access to the same tools. They can use the same processes for things. What differentiates a bad security program from a good security program is the talent that you’ve got. I had a lot of preconceived notions about what it was going to be like trying to hire people quickly, and I was wrong. It was different than I expected, which was fun and interesting.

[00:20:54.770] – David Puner
Was most of this hiring going on over video?

[00:20:58.200] – Larry Lidz
Yeah. The great thing about this is Cisco is a company that really both values and understands hybrid work. It is incumbent on us as a company to enable our employees to be able to work effectively where they need to work from. This is not an environmental culture where people are told, “You need to be in the office, day, A, B, or C.” My team is spread globally around the world.

[00:21:27.690] – Larry Lidz
When it comes to hiring, I am a very big believer that candidate experience is the most important thing that we can focus on as security professionals. The job market is way too hot for us to think about it through any other lens. We have hiring standups where all of the hiring managers and recruiters go through all of the open positions that we have to make sure we’re moving quickly. I really, really have a strong hatred of keeping candidates warm. We interview candidates, we have a conversation about them. If they’re the right person, we hire them. If they’re not the right person, we let them know. If we’re not sure, we make the best decision we can. There’s no maybes. It’s a yes-or-no-type conversation with rare exceptions.

[00:22:13.060] – Larry Lidz
The idea being that a candidate applying for a job in my organization should feel that it is a really positive experience. They should be talking to people who have the diversity that we expect as an organization. It should be quick and simple and to the point when they do it. We should be just honest and direct around where things are. That’s very much front and center in my mind.

[00:22:38.290] – David Puner
It seems like you take a very philosophical approach to a lot of these aspects, which is really interesting.

[00:22:44.270] – Larry Lidz
I do think that it’s important for us to actually be thoughtful and intentional about how we do what we do as an organization, whether that’s hiring or whether that’s prioritizing what controls we need to improve next and get in the environment.

[00:22:56.960] – David Puner
Larry Lidz, thank you very much for coming on the Trust Issues. We will definitely be having you back on again if you’re willing to come back because there’s a lot more I’d like to talk to you about, but this has been really great. Thank you.

[00:23:09.400] – Larry Lidz
Wonderful. Thank you for having me. I really have enjoyed this conversation.

[00:23:21.340] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment, constructive comment, preferably, but it’s up to you, or an episode suggestion, please drop us an e-mail at [email protected]. Make sure you’re following us wherever you listen to podcasts.