Having held multiple senior-level positions within the information security industry, Andy Ulrich, Head of Security, North America at Ericsson, reflects on what it takes to be a CISO in today’s world, what training is essential for all employees in an organization, and best practices with regards to presenting risk and potential threats to corporate executives.
Can you tell us a bit about your background before Ericsson?
My previous job was the CISO for MoneyGram, here in Dallas. The financial services sector is a very interesting area for information security because there is such a strong correlation between attacks and revenue loss; it’s also attractive for attackers, who can very easily turn successful attacks into cash. Before that, I spent 24 years in the Army, with the last 7 years or so focused on information security. Between the government and financial sectors, I think that’s where much of the innovation in defense is taking place.
In your opinion, what sort of experience and skills does a CISO need to have?
It’s great to know IT — otherwise it’s difficult to understand and explain attacks — and it’s also essential to be able to approach things as an attacker. The IT department is usually about asking how to deliver a solution quickly and efficiently, or how to improve a product; information security is about asking how to break things. But by far the most important skill a CISO needs is the ability to communicate. He has to be able to communicate across the company’s employee base about the dangers of, say, phishing or removable media.
“A CISO has to be able to explain overall risk and complex ideas like attack methods to boards and senior leadership; at the same time she must be able to discuss incidents in detail with IT and the security operations team.”
How do you approach presenting risk and potential threats to corporate executives? What has worked best for you?
This is an area that CISOs have to balance correctly. On the one hand it’s easy for a CISO to say that the situation is dire and that a breach will destroy the company; the other extreme is to assert that all is secure and there’s no attack scenario that would be successful. Avoid the ends of that spectrum because the board knows enough about information security to understand that neither is probably true. It’s important to have a board’s trust, and that means being open and frank. It’s helpful to acknowledge that a company can overinvest in security; boards are about risk management and they don’t want to eliminate every single information security risk. Tell them what the biggest risks are today, and what you would do with another $1M or $10M and what risk that would address; tell them what additional risk a similar budget cut would open, if necessary. Be well-versed in your business and its risks as well as past attacks and breaches, both against your company and against others.
What training is essential for security employees? And what training should ALL employees receive with regard to security management?
I don’t have a go-to training course for the security team because I think a good team blends so many skills, and individual job requirements are so different; we need experts in information security policy and compliance as well as engineers who know port numbers and protocols and can talk in depth about firewall rules. I support getting our team members certified in the programs of their choice. Certifications are controversial — it’s easy to argue that putting some letters after your name in your signature doesn’t mean you’re good at anything but test-taking — but they tend to demonstrate a certain commitment to our profession, and so often they’re a job requirement. I strongly believe we should prepare our team members for future jobs.
For all employees I’m a big fan of phishing training, that is, using an external service to deliver phishing emails to employees and tracking the results. Communicated correctly, it’s a fun exercise that actually increases “herd immunity” by developing skeptical skills in the workforce. It’s not that good at showing trends, because you can always get more or fewer people to click your fake phishes by making them better or worse, but employees tend to enjoy getting the feedback on how well the company did during the last “attack.” Not surprisingly, auditors looking at, say, SOX or PCI compliance also like this training. It allows us to tell auditors and customers we’re doing training, but I think it has little actual impact.
“I also like to use real-world attacks as training opportunities, although you have to proceed with caution here because this can be a sensitive area. On the other hand, I have little confidence in the usual annual online slide show training that we tend to do to ‘check the box.’”
In terms of cost assessment, what is your strategy for weighing potential loss due to a breach against money spent to prevent that from happening?
This is a difficult problem that’s at the top of any CISO’s list of things to get right. I don’t believe it’s possible to predict the cost of a breach with any kind of accuracy today. It’s easy to find methodologies that try to quantify the cost of loss, and it’s tempting to try to do this because loss numbers in dollars are a good way to show security ROI (and the CFO always likes to see numbers). It’s not necessarily a bad place to start, but the margin for error in these estimates is several orders of magnitude. I think even the companies that have experienced a major breach can’t accurately estimate how much the breach cost because there are too many variables. The good news is that, today, boards and executives tend to understand this. They know that a breach can be very, very expensive and can be an existential threat to the company. It’s useful to use the publicly available sources that specify a breach cost per record as a starting point, but I always make clear that the margin for error is massive, and that a worst-case scenario would probably be much worse.
About Andy Ulrich:
As a young child, Andy Ulrich discovered and was delighted by the fact that, by simply pushing buttons on a telephone keypad, he could nearly instantly cause a random person half a world away to stand up and walk to their telephone. (His parents were not amused.) Thus began a lifelong interest in telecommunications and IT. His nearly 30 years of experience includes a career in the US Army, culminating in a role as the operations chief of NATO’s information security organization, and his most recent previous job as the CISO for MoneyGram. He currently heads the security program for Ericsson in North America from its headquarters in Plano, TX.