Episode #57 Risk-based vulnerability management scoring with Gary Jackson
“You need to know every device you have in your network, and what is the potential of those being exposed so you can take some practical action”.
- Gary Jackson
Gary Jackson is Vice President for Asia Pacific at Tenable — the Cyber Exposure company helping 30,000 organisations around the globe understand and reduce cyber risk. Gary joined Tenable to lead the Asia Pacific region and build the reputation and coverage of Tenable in the risk-based vulnerability management space. His career spans more than 40 years in the technology industry. Prior to joining Tenable, Gary held various regional vice president roles with Cisco Systems, EMC and Aruba Networks.
Transcript
CP: Hello and welcome to The Security Collective podcast. I'm your host Claire Pales and today's guest is Gary Jackson. Gary is the Vice President for Asia Pacific at Tenable, the cyber exposure company helping 30,000 organisations around the globe understand and reduce cyber risk. Gary joined Tenable to lead the Asia Pacific region and build the reputation and coverage of Tenable in the risk-based vulnerability management space. His career spans more than 40 years in the technology industry. And prior to joining Tenable, Gary held various regional vice president roles with Cisco, EMC and Aruba Networks. Gary, thanks so much for joining me on the podcast today.
GJ: Pleasure Claire, happy to be here.
CP: We're now in an era where organisations are part of an absolutely interconnected value chain, where the behaviours of one organisation impact the security of another. I thought it might be a good place to start in talking about what's been your experience in influencing behaviour between different organisations and senior stakeholders, given that you're working for a software vendor. You know, you must have these conversations all the time?
GJ: Yes, well, I mean, the attack surfaces have grown substantially, obviously, in recent times. Just the sheer breadth of the recent cyber attacks, you know, the stakes are pretty high for CISOs and their teams. The boards are nervous, and CEOs are nervous. And, you know, it's interesting: in the year 2020, there were about 18,000 new vulnerabilities. The year before, it was about 17,000. So, you know, there's over 100,000, and it's really hard for organisations to manage all that. It's also a real challenge if they are looking at things like acquisitions or expansions of their business. We're a good example too. You know, we've got a lot of interconnects ourselves. Our CISO, and our internal folks running business platforms, they've got massive issues in terms of do we take on this particular application? What's it going to do for us? What's their profile? We're getting a lot of questions now, when we are, before we can even make submissions to some companies, they send us a very detailed risk profile. You have to fill that in, I mean, you never had to do that. Right? You would sometimes sign a nondisclosure and make certain agreements under an NDA. But some of these are very, very detailed. We just had a very detailed one from a Japanese organisation, and we've had a very detailed one in the last couple of weeks from one of the big banks in Australia. So the interconnects are really serious as well. And you know, why we have focused a lot on enabling vulnerability management to be a risk-based assessment is because there's just too many of them. And it's very, very hard to have to enable CISOs and their teams: what are they going to focus on? Where do they make the decisions to focus?
CP: And when CISOs are choosing tools like Tenable, or any of the security tools that they want to use to assess or protect their organisations, you know, they usually have to go to the powers that be, like the board and the executives, and ask for, you know, some serious investment that can often be hard to quantify, I suppose. How do you go about designing some of the right metrics for CISOs so that they can go back to the decision makers around investment, and help them to understand the effectiveness of, you know, putting some money in place to make sure that they've got the right tools to protect the organisation?
GJ: Yes, metrics. Obviously, you know, return on investment, where are the numbers? And they're perfectly valid questions, you know, before you spend money on anything. We go through the same thing, you know, our CISO has to justify things to our biz platforms folks, for the same reasons. You know, why should we spend that money? What are we going to get out of it? And I think that's one of the areas we focus really strongly on, why we're very well regarded as the number one in risk-based vulnerability management, not just VM. Because metrics do matter, you know, you have to be able to show some kind of numerical value I think to justify it, it just makes it a lot easier for a CISO. You know, the old red, amber, green. I mean, when you look at last year, where there were 18,000 new vulnerabilities, and under the CVSS scoring, which a lot of people, you know, use to define their red, amber, green, just under 60% of those 18,000 were classed as high or critical. That's 10,000 in just one year. The year before it was pretty much the same on the 17,000 there. So obviously, you declare critical as red, you obviously declare low as green, because they have low, medium, high, critical, that's kind of the brackets. Low is only 2% of the number. So there's not a lot of green, if that's how you decide to do it. And how do you decide where medium or high sits between amber and red? And it's going to be an incredibly long list of reds. So you know, the boards, they say, what does this mean? Where am I supposed to, you're asking for a lot of money, there's not a lot of clarity. And the CVSS scores are just too general, they are. And this is where we've created the cyber exposure score. This is why we're doing so well in this space. The cyber exposure score is, we generate it by combining our vulnerability priority rating with our asset criticality rating. The vulnerability priority rating is predictive, it's based on work out of our data science AI group.
So we have a substantial data science group that's very AI driven in terms of analysing the data. And the VPR score is a predictive prioritisation that's based on the probability that that particular vulnerability will be attacked, which is based on history, based on where it is, based on what devices, etc. The asset criticality rating, which is the other component of the cyber exposure score that we actually give, that values an asset based on where is it in the network? What kind of asset is it? What's the functionality of that asset? That all goes into a kind of an AI assessment. How critical is that particular asset, combined with the VPR rating, that gives us, or gives our customers, a cyber exposure score. The other thing about that, once they've got that, and by the way, what we wind up defining as what would be called critical is more like 3 to 5%, not 60%. So there's a very defined, you know, list that they can go and say, these are the ones we've got to worry about. And it's really worth us spending the money, because we've got a very, very clearly defined score, a defined group to focus on for all the right reasons, for a mathematical assessment as to why we should, and to go and remediate those. And then to compare that as we go, because that's the other thing they can do. Once they have that, each month they can say, well, that's our cyber exposure score a month ago, this is what it is now, is it any better, is it hopefully not any worse? And also, they can get to compare it, because we've got so much data, against peers in that vertical. So they can say, well, compared to other FSIs in Australia, we're at the top, we're in the middle, etc. So it's a very detailed analysis. And more importantly, it's a metric that they can go to their execs with. And that's getting a heck of a lot of traction from the market, with our risk-based vulnerability management scoring.
CP: I think one of the challenges with that type of scoring is that you are trying to explain the risk to a business audience or to an executive audience. And you know, at the end of the day cyber is a business risk, it's not just for the technology team to be managing. And I've got a lot of clients who are in the FinTech space or in, you know, smaller organisations that might be making acquisitions. And, you know, they're going through these huge amounts of growth and constant innovation. And, you know, that level of scale and complexity brings even more risk. So how do you sort of balance, you know, growing businesses with the implications of making decisions around vulnerabilities and what you remediate and what you don't? I mean, just the conversation that we just had around the complex nature of even scoring these vulnerabilities, to then, you know, attach a new business that brings with it so much risk as well. I mean, how are we explaining this to businesses in a language that they understand?
GJ: It's not easy. I mean, and I think, obviously, just giving them a score is, I think, a great metric, but it also enables it, there's backing behind that. You know, one of the points we make is whether you're a fairly static organisation, or you're an expanding one, either way, you have to be able to see what you've got. So, you know, we kind of do the three step thing: see what you've got, which means everything. Now, if you're looking to acquire somebody, you've got to be able to have some conversations in the non-disclosure period, in the actual due diligence, of what their profile looks like. That's going to get a lot harder and a lot more specific. I've got some interesting little stats in a minute. But so our first thing is, you have to be able to see everything you've got, whatever the asset is, wherever it is. And that's the first thing. So you know, the point we make is, we enable you to identify and see every device wherever it is, because the network has expanded dramatically. You can't just do a firewall on the other side of switches and routers anymore, right? I mean, that's obviously still important. But the network perimeter is just everywhere. And work from home just expanded network perimeters even more significantly. So you know, the remote workforce is just a really important thing for people to understand. So our first bit is see everything you've got. And you might be surprised what you have, but you don't know is there. And the fact is, if you can go and show to the business leaders we know what we've got, I mean, that's important, guys, right, agreed. We've got a predictive, an accurate predictive assessment as to where we need to go and take action. And we've got the ability to go and take that action, because it's a much more defined approach for us to take. I mean, you know, you can't fix 60%, you can't patch 60%, or figure out what the priorities are for 60% of 18,000.
You know, which was, you know, I mean, how, I need another 40 people, by the way, to do that. So not only do I need to spend money on the software, I need another 40 people. So I think we're getting a lot of traction in the fact that you can go through that see, predict, act, as a kind of a piece of logic that a business person can get their head around, I think, and that you're backing it up with some metrics. A couple of interesting things I saw as I was reading through: do you know that when Verizon acquired Yahoo they then belatedly found out that Yahoo had had 2 serious attacks, and they reduced their offer by $350 million, which was 7% of their offer. So I mean, there is a very quantifiable example of, you not only have to have some comfort, because they discovered that very late in the piece. And part of that was the parts of Yahoo that they didn't buy still have a 50% liability should subsequent attacks occur in that area. So, you know, it's really interesting, there's going to be monetary penalties that I think are going to become part of mergers and acquisitions decisions. So yeah, I do think that the expansion, it's just true, no matter what you're doing, whether you are a relatively stable organisation that's not acquiring, you still need to know everything you've got. You still need to know every device, and what is the potential of those being exposed, so you can take some practical action. You know, we are finding that for CISOs, it gives them a much better, I think, business approach. It also helps to be far more efficient with the team. I mean, you don't need as many people and as many hours in the day if you've got a more focused approach to take.
CP: I think, just, you know, coming back to that due diligence in mergers and acquisitions, one of my concerns is that a lot of that activity can be taken through a compliance lens. So, you know, if an organisation is compliant with certain standards, or with certain regulations, then it's seen, or assumed, that they would therefore have appropriate security. And, you know, we all know that compliance doesn't equal security, or certainly not effective security. So, you know, how can security leaders start to talk about this? Not from a compliance perspective or a security perspective, but from a risk-based approach? And you know, you mentioned it earlier in the chat, but I know you're really passionate about this risk-based approach, and I'd love to hear some of your thoughts around how do we move away from compliance and security in isolation and really sort of be thinking about what does effective risk management or a risk-based approach look like?
GJ: Yeah, well, I mean, absolutely. It's the very reason we came up with cyber exposure scoring and risk-based VM. I think certainly at the CISO level, I think, absolutely that's getting, they really understand the difference between a not very well defined bunch of stuff, and a metric that has some logic behind it. I do think that's more explainable. It's obviously a very fundamental part of our go to market that, guys, we're the leader in risk-based vulnerability management, this does matter. It should matter to you. And it should matter to your organisation. And I absolutely agree about compliance. I mean, we've got, you know, Australia has IRAP, Japan has a thing called ISMAP, FedRAMP in the USA, which you have to comply with. I mean, it takes real work from a product and a company structure point of view to actually get the FedRAMP tick. And of course, federal, or government, is a huge vertical for us. I mean, the Australian Government, we're very strong, the US government, Singapore government. So you have to meet those standards or compliance requirements. Some of them are more aggressive and tougher than others. GDPR in Europe, of course, which has the ENISA thing underneath it. So yes, I think obviously, compliance is important. But that's not going to tell you the whole story. And I think if we can continue to push the point that it's all about risk, guys. And risk is about what you've got, how you've deployed. The other interesting stat I just remembered, from PricewaterhouseCoopers on security incidents, they found that 56% were from existing or past employees, which is interesting. 23% unknown hackers. 20% competitors, which also surprised me, and 19% third parties, which gets back to that, who am I linking to? Right? And we all have, I would say, most medium to large organisations would have to have 50 apps they use regularly, at least, if not more. So that interconnection is a big issue.
CP: And so given all of that, how can people start with a risk-based approach? You know, for many years, maybe a CISO hasn't been taking that approach, and they've been taking a much more sort of literal, you know, there are 60,000 things, or 60% of things, for me to resolve, because they're high or critical. Where's the best place to start if you want to narrow down, you know, what's essential and what's important? And what's going to reduce or minimise our risk?
GJ: Right. Well, you know, obviously, it's very dependent on the size of the organisation. Do they have internal expertise or not that you can work with? Are they outsourced? Do they rely on a service provider? And then they have very, very important questions they should be asking of the service provider. Is that an outsource? Is it a managed service? I think it's important to try and help them understand that it's a critical adoption and measurement process, no matter how big they are. I've heard the question sometimes, you know, should we be selling it as an enabler? I think you should avoid that word. Because that just puts too, I'm not sure I call things enablers. I call them critical in terms of being a more secure organisation, that's how I see it. And it does still surprise, sometimes frustrate, me that as we go through this, there's a kind of toe in the water approach. Well, you know, we'll do an RBVA (risk-based vulnerability assessment) for the desktop. So we'll do an RBVA for the main data centres. And we'll look at the rest later, see how it goes. You know, I always feel like it's me ringing up the insurance company to say, look, I'm in a flood zone, I want to have flood protection on my main bedroom, but not the rest of the house, and I'll see how that goes. So you know, I think it's important that we kind of tailor the discussion and the approach, depending on the expertise. We are going to base it around risk-based vulnerability assessment, absolutely. And it's a responsibility. I think it's more trying to get clear that it's a responsibility. Whether you've got a CISO or not, whatever your internal organisation may be, this is a real responsibility.
CP: Just going back to something that you just mentioned around, you know, security being a business enabler. I'm absolutely with you. I've talked about this on another podcast this season already, that I don't see security as an enabler either. I think it doesn't enable what the business is trying to do. It certainly supports the business strategy, and should support where the business is trying to go, and innovation. But I certainly wouldn't suggest it's an enabler, and, you know, an enabler can have two different definitions, one very positive and one very negative. But, you know, I guess from your perspective, something that I've grappled with, and I see my peers grapple with, is this, you know, positioning of cyber with fear, uncertainty and doubt. You know, you don't want to come to your executives and your board and, you know, paint this doomsday picture for them. But I guess with your approach, you're sort of coming to them and saying, okay, this is the ultimate stuff that needs to be resolved. We're not bringing you everything, you know, we're taking an approach that says, this is really what could get us into trouble. How can people articulate that without the fear, uncertainty and doubt, without the FUD factor? Because you're still coming to them with sort of the real critical ones at the end of the day. What's your advice in that perspective?
GJ: You know, I mean, having been in the industry as long as I have, you know, when CIOs started, and yes, I was around when they started. You know, they were these weird techos as well, right. And it took quite a long while for them to be genuine. Now, they are typically on the executive staff, I mean the CIO is, right. The CISO in general is still not there yet. Which I think is, this is an important intellectual decision that large companies in particular need to make. That person is as much a part of the business future of this company. The CIO is important, absolutely. There's a lot of infrastructure stuff that's critical. Risk of being attacked is a critical business issue. You have to care about this. And you have to, we have to, it's our responsibility to try and make it as explainable as possible. And absolutely, going in there and saying, you know, we're going to get hacked any day, and you have to spend all this money, you're crazy if you don't. That's just kind of an insulting approach to pretty smart people, if they're CEOs and on boards, right? I think that the CISOs need to be getting good at internal selling. That means they need to be able to be business people themselves. They just need to get better. I think the approach for them to take is, guys, we need to be industry leading. We're an industry leading brand. You know, this is a brand, by the way, I'm big on brands. You'll remember the brand, how you see the brand will depend on how well I've got on, because it will be a good or a bad brand, right? That's true in life for companies and individuals. And that CISO needs to have a brand that's respected. And I think if the CISOs are able to say, guys, we're in the top four banks in Australia, we have to be industry leading in our comparative cyber risk analysis. This is a way that we can be better at this. And I think, then you can leave the word enabler out altogether.
To me that would get my back up, if I was on the board, frankly. But I think if you can focus on the fact that we need to be an industry leader, we are an industry leader, we've got a great brand, we need to protect that brand. That's kind of the approach they have to take.
CP: I couldn't agree more. And you know, certainly the reputation of brands can come and go very, very quickly, especially if trust is lost. And so certainly coming at it from a positive perspective, but also, you know, you're talking the language of your audience, not around the technical aspects of security and not around the fear of a cyber attack, but more around, you know, as you said, being an industry leader and protecting the organisation's good faith, that people have in them, and that inherent trust that people have in household name brands. You know, I think that's a really great approach.
Gary, I want to thank you for joining me. I've really enjoyed the conversation. I do want to tell my listeners, this is not a sponsored post. This is absolutely a chat that I wanted to have with Gary, and to share his knowledge with you. So please, head to the show notes if you want any more information about Gary. And I hope you've enjoyed the chat today. So thanks again for your time.
GJ: My pleasure. Thanks very much, Claire.