In this Digital CxO Leadership Insights series video, Mike Vizard speaks with George Gerchow, Chief Security Officer for Sumo Logic, about the relationship between IT and security.

 

Transcript Text

Mike Vizard: Hey, guys. Welcome to the latest Digital CxO videocast. I’m your host, Mike Vizard. Today we’re with George Gerchow, who is the Chief Security Officer for Sumo Logic, provider of an observability platform. He’s got some radical ideas about the relationship between IT and security. George, welcome to the show.

George Gerchow: Thank you so much for having me, Mike. I’m super-excited to be here.

Mike Vizard: So you are actually an advocate for folding the IT organization into the security organization, which is kind of the opposite of what we’ve been doing for the last three decades. So how did you come to that conclusion? It sounds like you’ve actually tried it yourself.

George Gerchow: Yeah, absolutely. Taking a step back, like you just did, IT folks always came up around security, always came up sort of reporting to IT when that was formed, because IT was always kind of around first. The idea was always availability is absolutely everything. Which it still is, but what we’re seeing with supply chain attacks, everything you and I just talked about with LogJ4 and everything else is: if you have availability, but you don’t have seamless security built in, what’s the point?

Someone is going to ransomware attack your organization, take over. You can’t just continue to bolt security onto IT services and availability. So we made a bold move a while back and brought IT into security.

Mike Vizard: What was the reaction of the IT folks to that? Have they adjusted? For that matter, were the security people, who have their own culture, equally impacted?

George Gerchow: The security team embraced it and they were really excited about it. The IT team did too on the IT offsites. So let’s break this down a little bit.

There’s usually two different teams within IT, one that handles ops, which is Zoom rooms, laptop configurations, rolling out specific things like maybe Slack or SSO or MFA along with security. So you’re already tightly coupled there, but then you have IT business apps. So this is more on the SOC side. So teams that handle things like Paylocity, NetSuite, Salesforce, HRS, systems like Workday.

That team was a little nervy coming into the whole thing, because they were like, “Oh my gosh. We have this whole business app side, and now security is going to stop us from doing what we need to do.”

What we did was we said, look, let’s take 60 days and really get to know each other. Let’s figure out what things we could automate and start working together, but then start embedding security into your best practices, just like we did with the developers back in the day at Sumo.

By seeing how they worked and not putting stoppers or blockers or forcing them into the way we think, but more like thinking the way they think with having security built in with guardrails, really helped cross that chasm for us. So overall, I’d say it’s been a pretty good success.

Mike Vizard: Do you think that we’re making too much noise about best practices for DevOps and DevSecOps and this other stuff, when it really is about the people and we need to kind of, I don’t know, gently push them into a room somewhere and let them rationally figure out what’s the right play here, versus always adding yet another overlay of management onto another overlay of management in the hopes that something good happens?

George Gerchow: You nailed it. It’s always about the people. This is why, even when it comes to security talent, a lot of times I’ll go after DevOps people, go after IT people, and this is before we integrated our organization this way. Security belongs to everyone. It’s everyone’s responsibility. You do it.

So like when you go home at night, you make sure you close your garage door. You lock your front door. We’ve got to get people into these same habits when it comes to their digital DNA or virtual cybersecurity world.

My hope is that in 10 years, 15 years, there’s not even a security department anymore. There’s not even an IT department anymore. It’s some sort of support to take it to the next level, where people are just so engrained to have these best practices, putting on a seatbelt, for example.

Mike Vizard: Do you think this shift to digital business transformation may be the catalyst for this issue? Because a lot of organizations are reevaluating how the entire business operates, and then the whole support role of IT and security gets subsumed into that conversation.

George Gerchow: A hundred percent. What’s happening, too, with digital transformation and the movement to cloud, which is leading that through innovation, is the footprint of where IT plays is being reduced. If you think about it, ten years ago we were all working out of Exchange. There was an on-premise offering by Microsoft. We had infrastructure to support where IT was deeply involved and these Exchange administrators.

Now it’s Office 365 and Google Docs. So without infrastructure, what is really the role of IT at that point? Well, it’s to handle the data that is now being hosted with an e-mail somewhere else to stop phishing and all those types of things.

So this convergence is naturally happening because of what you just said: digital transformation, innovation, cloud movement. That’s really what’s driving it.

Mike Vizard: Do you think we have the processes or the understanding to secure the cloud these days? Because you hear a lot about misconfigurations all the time. It’s not the platform itself that is insecure, but it feels like the way we go about employing that platform is somewhat problematic. People are using infrastructure as code tools that don’t have a lot of security background, and the opportunities for errors is high.

George Gerchow: You’re exactly correct. It’s an educational type thing. This is why I believe that security should lead this, because we’ve understood the shared responsibility model for a long time. Without understanding that, you’re really going to set yourself up in a bad position.

Let’s take what happened with AWS a few years ago with the S3 data leakage. That was not AWS’ fault as far as the technical requirements to stop that, logging and monitoring, client and service side encryption. It was consumers who didn’t have enough education.

So at that point, it could pivot a little bit to the cloud service providers and say you should have educated people more, but things were moving so rapidly that it really is up to organizations to understand what that relationship looks like, and do their part on top of what the cloud service providers are doing.

Mike Vizard: Do you think that issue is also going to be forced? Because as I look at things today, we’re never going to have enough cybersecurity people out there, and I don’t care about how much AI there’s going to be. But if that’s the issue, we need to get IT operations people more involved in security, because that’s the only way we’re going to solve this issue.

George Gerchow: Agreed. Then again, that’s why it makes natural sense to put IT with security, because we don’t discriminate and we never have, whether it’s development platforms, assembly chain, CI/CD pipeline, SDOC. We’re always involved. So now we need to get IT involved as well, too. So what I think you’re going to start seeing is it’s going to be one big department, but it’s not just going to be about, again, availability.

Back in the past, we had this hard shell, soft center, perimeter-based security approach, and IT and everyone else worked within it and we had datacenters. We don’t have datacenters anymore. Now it’s the center of data. Data can be anywhere, SaaS-based apps, cloud service providers. So that’s where we all need to focus, to the accessibility to that data, but with controls around it for those that need it. And then to be able to really disseminate that, to be able to progress the offerings that we have to our customers in a secure fashion.

Mike Vizard: Do you think the bad guys are starting to look for these newly minted digital processes, and maybe they’re advertising their existence, because they’re written in these new cloud native technologies and it makes it easier for them to be discovered? What’s your sense of how much awareness is there among the cyber criminals, that there are these digital processes out there and they’re going to hunting for those specifically?

George Gerchow: They’re going to. You nailed it again. You just mentioned something about serverless type environments. The mentality behind serverless environments and even container stacks sometimes is these are going to be stateless systems. Therefore, I shouldn’t put the same rigor of security around them.

I argue it the other way. Because they are stateless systems and because the rigor is not there, a bad actor knows, hey, someone is going to go to this public repo, grab this code, push it into production. It’s going to be stateless for 48 hours. What a perfect opportunity to open up an attack vector, two things that are stateful.

So we need to have that same mindset of security rigor for these stateless systems and these new emerging technologies, but then also not overwhelm them with services that are no longer needed. So it is a fine line and a fine game, but the bad actors are way ahead of the curve once again.

Mike Vizard: It seems to me everything that is stateless eventually becomes stateful somewhere. So maybe that’s a faulty line of reasoning.

George Gerchow: It really does, right? Because this is the argument that we always have with our developers as well, too, which we’ve reached some consensus on. The minute you deploy and say that it’s only going to be out there for 48 hours, guess what, it sticks around for a week, two weeks. Then all of a sudden it gets built upon, and then again we get into this habit of bolting on security.

So what we’ve done is just really, again, look closely at the developer’s process. We’ve gotten ourselves out of the way by using things like templates, for example, whether it’s Terraform and other things like that as well, to make sure that our requirements are being met through their process. It doesn’t stop agility and it doesn’t stop innovation.

Mike Vizard: What is your best advice to digital CXOs, who are often in charge of the processes that people are trying to build and modernize, but are intimidated somewhat by security at least frequently? So how should they be approaching this, so they can have a relevant, intelligent conversation with all the security and IT people about what needs to happen and what they should be doing to help them?

George Gerchow: I think this needs to go back to security more, Mike, because when we came up – and I think you’ll agree with this – you saw a security person coming and people ran. They were like, “Oh my gosh. Here comes the naysayer. I’m going to get in trouble.”

Security folks now in leadership positions are becoming more transparent. They’re able to evangelize what security is actually doing, get seats at the table as well, too. So I think by listening and learning due processes with other sides of the lines of business, we’re not going to force things in that are going to possibly slow down and break things.

We’re also not going to create this environment where people are scared to self-report, because that is actually the best security mechanism on the planet, is, “Hey, I made a mistake. I’m going to bring it to you,” and I should be able to do it in a safe place because everyone makes mistakes, and that starts with leadership.

So for myself, I know that when I’ve made a mistake, I have gotten the company together and said, “Hey, I did this. This is the action I took,” and it’s made me vulnerable, and by making myself vulnerable, it’s made the whole culture vulnerable.

So it has to actually start with a security professional, but then when we have these CEOs as well, they’ve also got to realize that they’ve got to give security a seat at the table and empower them a bit more, as long as it’s maintained with that attitude of transparency, collaboration, and self-reporting.

Mike Vizard: I could argue if you’re not making mistakes you’re not really trying hard enough. Do we need to augment with AI? I joked about AI earlier, but does it play a role in this going forward and we need to also think about that, because we need more automation and we need more AI to secure the IT environment, or do you think that we’re ahead of ourselves and maybe the tech really isn’t there yet?

George Gerchow: I think we’re somewhere in the middle of that statement. I make fun of it as well sometimes, because everyone is just like, “AI and ML is gonna solve world hunger and everything else.” In reality, it’s baby steps, because the machines are the new users and they are the consumers of data, and there’s a lot you can leverage there to look for anomalies and patterns that you may not have asked before.

Here’s where traditional sim breaks down. It’s all based off of if-then scenarios. If this happens, then we should do this. Well, what if I’m not smart enough to think of the if? So the machines could tell us something that we haven’t seen before, and then lead to SOAR and some kind of automation, but it has to be done in baby steps first and then automate at a larger scale. Because the last thing you want to do is automate the wrong things, and then all of a sudden introduce new vulnerabilities or new surface layers of attack out there.

So I think it’s still somewhere in its infancy, but we’re already starting to see evidence of how machines can gather data and quickly point to something that goes, “Hey, we’ve never seen this before. We’ve never asked the question.” So it’s going to take a while. I’d say a two to three-year journey to really start getting this mature in our space.

Mike Vizard: There was a book written many decades ago. It was called Unsafe at Any Speed. Are we rolling out applications too fast to secure them? Are we creating a problem or can we keep the pace we’re on and make things better?

George Gerchow: I’d say we keep the pace that we’re on and make things better, because the minute that you start slowing down innovation, stopping progress, that’s where frustration is going to take place, and then people are really going to forget about best practices. So I think we need to keep this innovation agility going, but then again, make sure that we have the right folks involved, a seat at the table to make sure it’s being done in the right way.

And their mindset has to change and I’m speaking about me in particular. As a security person, we never think about velocity. It’s always caution, caution, caution. We need to get ourselves in this place of velocity. How can we further interject and collaborate, and make sure that these guardrails are being provided? It’s really by listening and communication. Like you stated in the beginning, if I’m talking to developers, if understand their processes and how they work, it’s going to allow me to have a position to where I can fill these gaps and work with them.

The last thing I’ll say around that too is tool selection. In the past we’d always say, “Hey, Mr. Developer, this is what you’re going to use for dynamic code scanning. This is what you’re going to use for static code scanning.” It just doesn’t work that way. Let them select the tools, come out of your budget. Then that way you can both collaborate on it, because when you try to force things on people they’re not going to use it or they’re going to try to find everything wrong with it. So, again, communication, collaboration, transparency, that’s everything.

Mike Vizard: All right, guys, you heard it here first. All we need to do is get out of each other’s way, and we can collaborate better and we’ll have much better outcomes. How hard can it be?

George, thanks for being on the show.

George Gerchow: Mike, thank you so much for having me and great questions. I appreciate it.