108. People-centric security with Yvette Lejins
Claire is joined by Yvette Lejins as they discuss what people centric security means to her, what boards need from their CISO communications and the very real risk of insider threat. Claire was also curious to ask a bit about Yvette’s transition from CISO at Jetstar in house to being residency CISO for a security vendor.
Yvette joined Proofpoint from Qantas Airline Group in 2021, where she was the CISO for the Jetstar Group of Airline companies (Jetstar Aus/NZ, Jetstar Asia, Jetstar Japan and Jetstar Vietnam). Prior to Qantas she was the CISO at Australia's largest freight and logistic company Asciano, as well as having built up the security function at Atlassian before they went to IPO. She is a Fellow of the Australian Information Security Association.
In her role as Resident CISO, APJ, Yvette focusses on driving Proofpoint’s people-centric security vision, strategy, and initiatives amongst its customer base. Her hands on experience, knowledge, and perspective in managing risk and improving cyber security posture across complex enterprises is extensive. She provides trusted cyber advice and insight advisory services for Proofpoint customers.
Links:
The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm Claire Pales and today's guest is Yvette Lejins. Based in Sydney, Australia, Yvette joined Proofpoint from Qantas airline group in 2021, where she was the CISO for the Jetstar group of airline companies. Prior to Qantas, she was the CISO at Australia's largest freight and logistics company Asciano, as well as having built up the security function at Atlassian before they went to IPO. Yvette is a fellow of the Australian Information Security Association and in her role as resident CISO, APJ, Yvette focuses on driving Proofpoint's people centric security vision and initiatives amongst its customer base. Yvette and I discussed what people centric security means to her, what boards need from their CISO communications and the very real risk of insider threat. I was also curious to ask a bit about her transition from CISO at Jetstar in house to being residency CISO for a security vendor Yvette is someone I have hoped to bring on the podcast for a while now. So I'm wrapped to be sharing this conversation with you today. So please enjoy my chat with Yvette Lejins.
So Yvette, it's great to have you on The Security Collective podcast today.
YL: I couldn't be more delighted Claire. Great to be here and thank you so much for inviting me.
CP: Pleasure. I've wanted to have you on the podcast for a while. So episode 100 and something it will be but we've got you finally. And now you're with Proofpoint brilliant that we can have a chat. And since you joined Proofpoint, I guess your remit is slightly different to where you were before. You've been charged with driving this people centric security vision strategy. What does this mean? What does this type or this style of strategy mean? And why does it resonate with you so much?
YL: We're dealing in cyber with, fundamentally a people problem. What we do know is that attackers aren't necessarily focusing on network diagrams anymore, of your company, in order to attack you, they're actually focusing on your people. So they're on your LinkedIn profile, they're on your social media platforms, and they're working, on their website, they're looking for ways in order to use you as their vector into the company. So when we flip this around from the traditional way of thinking, it actually makes a lot of sense, particularly as we know, so many cyber incidents, start with people. So you're going to have every bit of technology deployed, robust processes in place, but the people that we really need to focus on. So it absolutely resonates with me, when you look at the root cause of how cyber incidents happen, you know, attackers are people, but they're attacking people. So as this continues to evolve, this constant, the threat landscape might change, and more that people are always going to be the core of your cybersecurity incidents and data breaches. Not in every case. But generally, that'll be the case. So we've got to remember that they're not looking at infrastructure, they're looking at that last. So this human centric approach is really important with your defence. So if you think about it, it's much easier for a cyber adversary to not actually understand your network, but to craft a phishing email, or add a malicious attachment for you to click on. So I guess why does it resonate with me? That was your initial question. We all need to think about crafting cyber strategies to uplift ourselves, but protect people first, rather than the technology that's used within a company. And this will be key to seeing further catastrophic losses of data and access to information.
CP: So I guess off the back of the idea that people are being attacked, not systems as there is a person on the end of every system, as you say. I'm hearing this term very attacked people, which sounds a bit violent, but who are very attacked people, what does this mean to you? How would you break down this term that we're hearing now?
YL: It's a really, really great question, a ‘very attacked person’. Often people when they think about who's at risk within their company, they really only focusing on say, the VIPs, you know, the executives, or whoever it might be, but a very attacked person, actually is a combination of things. And it's a super set of people that actually are the greatest risk to your company. So if we think about who these people might be, and how this might play out, is a very attacked people might be, the person might be a very vulnerable person. They're the person that is constantly clicking on everything that comes through to the organisation, or opening that zip file or whatever it might be. And when you look at say someone with privileged access or in a role that would have privileged access, this is another you know, risk profile. So If you sort of look at the intersection of all these sort of different things, you're going to come up with this super set of people that are actually the highest risk to your organisation. With a company like Proofpoint, we can actually understand who the threat actors are that are targeting things, and we give them a weighting as well. So it's really important to understand who this super set of people are, because not all users are equal, you know, they don't have the same weight or could cause the same damage to the organisation if they say click on a link. You've got a system admin that has access to many accounts, and they click on something, it's going to cause a whole lot more damage and someone that might just have access to, I don't know, the internal phonebook. So this is really fundamental. And when you think about how you might roll out your programme, because if you're going to have any kind of waiting on things, you want to understand who these very attacked people are, because that way you can craft a programme that is going to address your highest risk users.
CP: So in that way, you're talking about very specific, John Smith, Sarah Smith, these real people in the organisation whose identity profile makes them potentially a higher target, as opposed to well, all users with admin are going to be very attack people. It's more down to the individuals, I suppose, who are vulnerable because of the roles that they play within the business and the access that they have.
YL: And also to, as I said before, they might just be a user that gets a large volume of emails, perhaps they're on every spam list in their country, and they have big clickers. So it's a variety of factors. So we're looking at the problem in a different way. We don't have endless resources. But if we focus on those people, we can have better outcomes for our company, not saying that you ignore everyone else. But these are people that probably need a special set of focus on.
CP: I think that's a really interesting point because we talk big picture about how from an awareness perspective, you know, HR needs different types of security awareness than the salespeople or the developers or marketing. And I think that high level approach is good. But I love this idea of channelling right down to an individual in the same way that for customers who might be VIPs, or sensitive people that we would tune into the needs of protecting their information, we should be doing that for our staff as well.
YL: Absolutely. I mean, that there is always the well known people that you know, the CFO whose name is out there, or the financial controller or the payroll person, but perhaps your payroll person doesn't have a LinkedIn profile, they've got no way for adversaries to know who they are, they're new to the company. So it is a really good way of looking at things. And it means that we're far more focused on our efforts, and therefore more successful in driving the right change with the right people.
CP: And do you think there's some myths around security awareness with people in the organisation that it might be good for you to break?
YL: Oh, yeah, well, look, I've only just touched on it then. Right. And that is not all our users are equal, right? They've got different privileges, they've got different focuses, they have different responsibilities. So when we think about crafting our programme, we need to address those highest risk users first, and remember that they are the ones that can cause the most damage to the organisation, whether it's intentional or not. So I've talked about the payroll person or it could be your Chief Research Scientist or your financial services person. So when we think about the myth, often security and cyber training is driven out of the cyber team, where there is technical people that are driving the awareness campaign, and they use the wrong people. Because if you talk to learning and development people, they're going to tell you a different way of crafting messages, and what's going to resonate with people. So it has to be multifaceted, because not everyone learns and changes their behaviours in the same way. So we need to think about all these different types of ways of learning, whether that's video, quizzes, face to face, Microlink, some people only want to learn or can learn in one minute snippets. Also, too, I think it's really important to understand cultural differences and awareness’s as well, another myth. For example, in a previous role I had I had 1000 users in Japan. Now, they acted very differently from say, my users in Australia, New Zealand, or even Singapore. So the learnings in the way that I had to tailor a programme for them had to be different. I couldn't just translate, say phishing simulations just into Japanese or the posters from English to Japanese because it didn't actually resonate with that culture. A phish is not a phish in Japan, right? To be clear, there's no such thing as phishing. So you know, it doesn't translate well. But that's also true about roles within the company to. Your messaging say for you might work for a tracking company. So the way a trucker might interact with their IT devices is going to be very different from the corporate person. So the way you might have to teach them, they probably just doing things on their phone, is going to be different from a corporate person that's sitting on a PC day in day out. So you know, I think there's some myths there, but it's not so much myth, but it's really a lot of people don't deep dive down into that next level to really understand what nuances there are, and really how to make and change and drive a difference. Ultimately drive that behavioural change that we all need.
CP: I definitely had a similar experience working in Asia, and really making sure that we talked to the right people about how messages would be best delivered, and how messages would best land. And we had engineers who would never log into a computer. And so you know, our ideas of screensavers for Cyber Awareness Month in anything that required them to be exposed to a computer for more than, you know, checking their pay slip or anything like that, we were never going to get through to those people. And they were also in remote locations, where often the internet wouldn't have been that strong, and it just wasn't part of their roles. So totally agree with you that having an awareness of how people learn and what information they can even get access to, makes a huge amount of difference. And even if we're getting the awareness right, what do you think we're still challenged with in terms of getting the right protections for people and data inside an organisation?
YL: It's a really good question, Claire, in my role of Proofpoint, it means I really see a lot of different customers who have a lot of different complexities in the environment that they're trying to protect. One thing, the challenges I see is a lot of cyber programmes sometimes are driven by the sexy products, they're focusing on the latest and greatest whiz tool that's going to do whatever. But what they're not doing is they're not functioning and focusing on the basics, like I've seen an organisation that spent trillions of dollars on stuff, but yet they're not patching, or they don't have MFA on critical systems, or they don't even educate their people how to how to spot a phish you know, how to be wary of attachments that might come through, or even to report it as well. So, you know, I've seen SOCs that aren't doing the right thing with the right focus. So I think the biggest challenge is a cyber transformation has to be around threats and risks that are unique to the organisation. And it's costly, time consuming. But I really feel that organisations need some of the more methodical approach as well, you know. Where's my data, what data is important to my company, where's it going, who's got access to it? And unfortunately, a lot of companies that are doing it out of compliance, rather than actually what's right for the company and the risk their company is exposed by.
CP: The point around, where is my data is of greatest concern, because we can't always be 100% clear on where our data is,. And our internal staff, you know, it's the age old, I sent it to my Gmail so I could get my work done. It just it poses just as greater risk as the bad guys. How do organisations defend themselves from this? Or how do we educate staff? Or how do we know where our data is at any given time?
YL: Yeah, it's a very good observation. Because we know that data doesn't just exist in the core systems. There's a lot of unstructured data, a lot of exfiltration out of a system that ends up in a spreadsheet and Excel spreadsheets somewhere that, you know, might contain identity documentation, or whatever it might be. Understanding where your insider threats are coming from is probably a great starting point. You know, there's been lots of analysis done about what types of insider threats there are. And to be clear, it's not all malicious, although malicious users insiders are obviously one element on it. There's also your careless insiders, but also those that have they had their credentials compromised as well. And they've got interesting stats in relation to understanding where this all sits. And interestingly, only 25% of insider threats are actually malicious users, the majority are actually careless users. So you know, understanding what they're doing. And as you said, the great example of they've emailed something to their Gmail, which isn't great. But it's far more encompassing, that they can miss then emails, they can send stuff to distribution lists, often the careless user might say have the same password across multiple platforms, you know, and it can result in unauthorised access. They're endless what can happen, they can download work information to their personal device, hand it to their child, or sell their phone on. So it's really, you know, the careless user is really quite scary. You know, with a malicious user, though it's a little bit different. Their drive is a financial gain or, or there's an outside influence that's driving what their activities might be, or they might feel they've got an entitlement. Or the great resignation is another great one, people are shoving in the USB if they've got USB access and taking out realms of data. They don't understand that there's probably a confidentiality agreement with their company that they don't own that data, even if they may have created it. But there's a sense of ownership that that will be useful at the next company. It's a good question and sort of trying to defend yourself from that is as to be a programme in itself. But understanding who those types of users are is a great starting point, right. Because then you can think about, number one, you can educate your careless users, stuff you can put in place to identify malicious users. There's behavioural elements there as well. So it's a complex problem. We know that insider threats, we did some research, the voice of a CISO, and interestingly, ransomware wasn't the number one concern for CISOs, it was actually insider threat. Ransomware was number three, and we know how bad ransomware is. So we know that the CISO community are really understanding that it is a big problem and that they need to get on top of it as well, because it is actually having a grave impact on companies, particularly, you know, more compliance drivers as well with legislation and regulations and so forth.
CP: Yeah, I would definitely agree that insider threat, even for users who aren't privileged, they're already inside your organisation, and, you know, shared accounts. And just that type of, I don't think it's that they're even malicious or even careless. Yeah, they're just getting their job done and it may be a cop out, but yes, well meaning, I think is a better way of putting it. I mean, that's a very damaging type of threat that insider threat, because they do often potentially have keys to the kingdom. Are there other types of attacks? You mentioned, ransomware was third on the list. What else out there do you think should be keeping CISOs or boards for that matter awake at night?
YL: Well, it's ended October 2022 at the moment, just to put it in timeline here. And in Australia, we've seen over the last month such a huge spike of cyber attacks that have impacted huge Australian companies, and had resulted in a large loss of Australians data. You know, personally sensitive data that can be used for identity theft and other things. I think the number one concern for actually board members, and this has come out in our board perspective, this board report, is actually data exfiltration. And I'd have to agree and we think about what's happened with telcos and health insurance so forth, it's that exfiltration of the data that is really concerning. Because there's compliance, you know, nobody wants to lose sensitive data for our customers. It's bad for brand, then share prices plummet. You know, a ransomware attack might happen and that's not great. And a business might holt, your operations might stop or whatever, but there is some kind of recovery often, but once data is out there, it's gone. And you know, then you're at the whim of say the privacy Commission, the OIAC or ASIC or APRA as well. So yes there is devastating things with ransomware. But I think, you know, data exfiltration is really concerning as well. And that goes back to where's my data, where's it going?
CP: Well, also, someone told me this week that in the wake of what's been going on, they tried to have their driver's licence replaced. And the VicRoads said we're overwhelmed. We can't print any more new licences, we're doing our best. But you know, and it's an absolutely no slight on them., but they've got a lot of work on their hands. Now, this flow on effect of these attacks is that there are other service providers that are now helping with the mop up. So you know, we think about what an organisation is going through to mop up. And we know from case studies that this can take nine months, 12 months, two years, sometimes for the mop up. But it's these satellite companies that are also having to do the work to put organisations back together and to put community like, people in the communities lives back together as well.
YL: And it's a really good point, like, so many people have been impacted. And you know, we sort of think of the first sphere of Vic Roads. But imagine how smashed the OIAC are at the moment. They've got enormous investigations that they have to play out. And, yeah, it's not, you know, an act of an adversary, who's managed to do this. This has caused huge, huge impact to so many people and so many individuals, and there's so much of it at the moment, it feels like everyone's involved.
CP: I want to come back to what you're just saying about boards, saying that they're kind of number one concern is data exfiltration. How should CISOs be communicating into boards about this risk? Because I mean, data exfiltration on its own is, I guess, a term that we don't talk about every day, I suppose. So how can the CISOs give the board some level of comfort around this or talk to them about the very real risk of it? Is there a better way that security leaders should be leading into this topic?
YL: It's a great question. We deliver the board perspectives papers, the first really intense research of its kind Claire, at Proofpoint. We teamed up with MIT in the States, I don't know if you've had a chance to look at it. But I know you write phenomenal stuff in your books and stuff on board reporting. But one thing that stood out for me and I could talk about that report for hours, and we could we could just talk about the board perspectives if you like. But we interviewed 600 board directors globally. 50 actually within Australia, and of those 50, they had to be in an organisation, on a board, of 5000 people or more. But what we were seeing across the board was this massive disconnect in what the CISO thought the problems were and the issues, and what the board saw. So what's wrong here, how can that be? How is it that the CISO is not communicating properly to the board, because you would hope that the CISO is the one that really understands that landscape more. Or aren't they understanding the perspective of the board, whereby a board member is worried about data exfiltration because of the huge compliance obligations and brand damage and share portfolios, whereas maybe the CISO is a little bit more worried about disruption to business. So I think when we educate, you know, this is a really good piece of research because it shows that we have to talk differently to our boards about what's going on, and perhaps the education piece there. You know, and I help coach people like yourself in talking to boards and what needs to be done. And one thing that comes out is the lack of business language. You know, you can't talk about specific vulnerabilities at that level, you know, and it's presenting it is the business problem and not the technical problem. So I think there's a lot of work that needs to be done there. So we need to close that gap, we really need to make sure that there's not that huge disconnect. It's really interesting research.
CP: We found exactly the same thing in writing 'The Secure Board'. Anna (Leibel) and I did heaps of research to talk to CISOs and directors. And we, I mean, this is going back a couple of years now, we've found exactly the same thing, that the directors and the CISOs had two very different ideas about what the major problems were. Interestingly, though, both directors and CISOs came up with the fact that it was a lack of confidence of the board in this topic, that was one of the major issues. But I think that for a CISO, often they're not getting enough time in front of the board. It does matter who speaks to the board about security, but as long as the board is getting the message, I've kind of come to think if it's the CIO or the CISO, as long as somebody's taking the message to the board, but they often get a very short period of time in front of the board. So it has to be a very pointed discussion. They're not having a general conversation. And you know, one of the things we talk about in the book is, is the board asking the CISO what's keeping them awake at night. Because if the board is laying awake at night thinking about data exfiltration, but the CISO is lying awake at night thinking about insider threat, not from a third party through an API, but inside the organisation. They're both lying awake, thinking about kind of cyber risk, but from two very different perspectives. And you know, we want to see them come together and recognise what each other has the most concern about. And as you said, then talk about it in a language that makes sense. And if directors are really concerned about this stuff, starting to have out of session conversations with the CISO to uplift their literacy around cyber in their own organisation. Because you can do courses, and you can read books, and you can read the media, and you can be part of surveys, and I think your research was brilliant. But this conversation around cyber inside the business has to be ongoing, it can't be point in time. And I think they need to start understanding each other better than just the CISO bringing up the metrics and the board asking, you know, what's happening with all of our API's? Are they all secure? You know that's not a joined up conversation, that's directors building a bridge from one side and security leaders building a bridge from the other side, and they're not coming together.
YL: And you know, the metrics are really important, right. And you're right, it's a conversation, it's the art of storytelling to make sure that the storytelling is correct and resonates. Yeah, you know, more research in board perspectives papers, really alluded to the fact that there's not a lot of cyber specialty on boards as well. So as you say, they've got a learning journey. And it's up to the CISO community to bring them along. An interesting point you also made there was in relation to who's talking to the board. Often the conversations I'm having aren't with a CISO because they're an IT security manager, they're very downward facing. So I'm often having my conversations with the CIOs or CTOs, because they're the ones that are actually delivering that message, because they understand the business language. And they try to gather that out of the person that has been identified as their cyber expert. So it's interesting that there's an education piece there that also is happening with that CTO/CIO community as well, because they're trying to be that conduit until you know, make making sure that the education comes across well.
CP: Which is a good point because a lot of CIOs and CTOs don't have a cyber background. So they're going to boards trying to translate and articulate and interpret the cyber board papers for the board audience, when it's not their subject matter expertise themselves. And the number of CISOs I speak to who say they've never met the board really worries me. Because in the face of a crisis, they're going to meet for the first time potentially, there's no trust built, there's no knowledge of you know, who's this person that's been looking after cyber all this time. And I know what you're saying around them being information security managers can often mean that they're a little bit more sunk in the organisation. They might not have been exposed to boards before, they might have never written their own board paper before. But just helping them to evolve as a leader, giving them that exposure, allowing them to observe how the CIO talks about cyber in the boardroom, even if they just observe, getting them that experience so that in the future, or if in the face of a crisis, they can have a conversation with what is often seen as a scary group of people.
YL: Couldn't be truer and it's music to my ears. And I know we've landed in the same area and the space on this and feel the same way. So you're right, even a seat at the table sitting next to the person that's delivering the message. And perhaps it's one question that they might be asked, but at least they're getting a little bit of exposure initially. I couldn't agree more.
CP: Yeah. And just understanding what goes on behind the closed doors of the boardroom, because I don't think enough security leaders get that understanding until often they're thrown into that position.
YL: Exactly.
CP: I wanted to shift directions a little bit. Because I didn't want to have you on the podcast without talking to you about the fact that for many years you worked in house, and you now work out house, out of house in I guess, a security vendor. I've loved hearing your perspective, because I know that you didn't just come up with this since you joined Proofpoint, this is obviously you know, your values and how you felt for a long time. But your transition from in house to having a role in a vendor, how's that gone? Because we've seen a lot of people do that transition in the last 12 months similar to what you've done. What's it been like?
YL: Look, I have to say it's been amazing. And everyone knows, I absolutely loved my job and working in aviation for Jetstar, it was such a phenomenal job. So it was always going to have to be something super phenomenal that was going to lure me away and being an advisory CISO really ticked so many boxes for me. And what I love most about Proofpoint is I really get to help so many different people. For me, the attraction was the fact that we're a people centric cyber company, we focus on the people and our products are delivered that way. So it all resonated well with me. So the journey has been different, because it's a lot less stressful than being an operational CISO. The day to day work is a lot different. I don't have obviously a big team that I'm managing anymore, but it's incredibly satisfying and rewarding. And actually, ironically, you miss things like a good incident and a good problem. Thinking on your feet being woken up at 11pm at night, maybe not so much. But yeah, it's been a rewarding satisfying experience. So I'm really hoping that my experiences in the past, particularly last year in Asciano, Jetstar, can hopefully help people on their cyber journey as well. So it is a very privileged position, I feel like I'm in to be able to offer my support to our customers. So yeah.
CP: So is there something that I guess one key thing that you've learned through the process of going from in house to being this advisory CISO that others might benefit from hearing about but also that surprised you about, you know, that shift?
YL: Yeah, it has been a very interesting transition, I have worked for a vendor in the past. But that was Atlassian, which was a lot different from, say, you know, a vendor per se. What I've probably learned most is that there's so many passionate people in cyber, you know, the team at Proofpoint, I'm always in awe of like, they're wanting to help, right. I think people join cyber companies or work in organisations in cyber, because it's actually inherent to them that they want to help, they want to make a difference. It's very, very satisfying. So I've been very fortunate to be able to help so many people. And it's been a great transition. And you know, at some point, I'm sure back in my career further again, I'll jump back into an operational role, because there's nothing like the pace of it, the adrenaline of it. But at the moment, I'm just couldn't be more excited about what I do and the help I provide other people.
CP: On the flip side of that, what do you miss about operational? Because obviously, nobody misses calls at 11pm. But what are you missing about not being in the trenches, I suppose, of an operational role?
YL: My role is definitely a lot less stressful. It's not less busy, but it's less stressful. I guess there's I'm still very accountable, but it's a different kind of accountability. I was so super lucky, I brought up this incredible team at Jetstar who worked so hard, who were really focused, I couldn't have had a better group of individuals that delivered for me. And they all worked so hard. And we all went through COVID together, which was horrible working for an airline. But it's bizarre being a one person show, so to speak, and not having the team behind me. But it's a different type of work, but it's actually equally rewarding. I'm very pleased in my role and what I do.
CP: Well, Yvette, thank you so much for coming and chatting with us today. We do have very aligned values on InfoSec. And I've got to say I am in the industry because I like helping people. But for anyone who's a long-time listener of this podcast, they also know I'm in this industry because I love rules and structure. But definitely I think no matter where you work, the security community is strong and is there to support each other and it's awesome to see you in an advisory role helping so many organisations and thank you so much for coming today. And I'm sure we'll talk again.
YL: Claire, it's been really great. Thank you so much.