Episode 88

The RISE of the CISO with Merike Kaeo

EPISODE SUMMARY

This week Joe Carson is joined by Merike Kaeo, CISO, board member, and technical advisor, to discuss the dynamic role of the CISO. They dive into how CISOs collaborate with different areas of the business, the frameworks CISOs use to plan their program roadmaps, and risk-based strategies to prioritize the assets that need the strongest safeguards. Merike also shares her recommendations for networking communities and must-read resources for CISOs and anyone looking to become one.


Joseph Carson:

Hello everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the episode, Joe Carson, and it's a pleasure to be here with you. I'm always excited to really meet awesome people and talk about really interesting topics. I'm sure that you get a lot of value and a lot of direction from them for your careers and some of the things that you're interested in. This time we are welcomed with another awesome guest onto the episode, and today I'm welcomed with Merike. Merike, do you want to give us, the audience, a little bit of background about yourself, what you do and some interesting fun facts?

Merike Kaeo:

Absolutely. Thank you, Joe, for having me on this particular podcast. My name is Merike Kaeo. I have stopped thinking and questioning why I love cybersecurity so much, but I've been in the industry for over 25 years. I started first with building networks and backbones, and then back in the late nineties I instigated the first security initiative at Cisco Systems, and that started my foray into my 20, 25 year career in cybersecurity. I used to travel the world teaching vendors and organizations about security, creating security strategies. In recent years, I've been a CISO in some companies or a CTO of cybersecurity companies. I don't just sit in front of the computer all the time. In the winter, I actually love downhill snow skiing, and I love to be at the beach and also hike a lot, just to get outdoors and actually get away from technology at times.

Joseph Carson:

Fantastic. Excellent. Downhill snow skiing, I mean, that's not something you probably got from Estonia because there's definitely no hills in Estonia to do it, so it's probably one of the reasons why you did leave at some point. The interesting fact for the audience as well is that we have actually done the same role in a particular company at some time in the past, which is an interesting segue. But one of the most important things, so for today's episode, it's really all about your role as a CISO. We have a lot of people in the industry who are really aspiring to be a CISO and they're really looking to direct their careers in that path. One of the things is how important has the CISO's role become, and especially in today's digital era where every business is very dependent on digitalization, how important is the role today?

Merike Kaeo:

I think that the role of either a Chief Information Security Officer or a Chief Security Officer is absolutely critical to every organization, I would say as critical as a Chief Financial Officer because over the last two decades, as every organization has digitized most of its business environment, there are many, many security threats that really you have to be knowledgeable about. I think from a business operation perspective, cybersecurity touches absolutely everything. I think it's critical and I also think that it should be more of an executive role.

Joseph Carson:

Absolutely. This is really one of the things: we always think about the CFO as the person who's making sure that the financials of the organization are positive and heading in the right direction, but in many cases, the CISO role is the chief revenue protector, making sure that no one's coming in and stealing it. Just like in the old bank days, where you've got somebody who's there to make sure that the bank's making money and the other person to make sure that no one's stealing it, and that's really how critical that role has become. One of the things that's really interesting: what types of skills are needed? A lot of times historically, CISOs come from a very technical background, but what's the important skillset of the CISO today? How has it evolved and what should be some of the skill sets, for example, moving into the future as well?

Merike Kaeo:

Yeah, that's a really good question. I think you're absolutely right where probably 20 years ago the skillset was mostly on a technical focus because people were trying to figure out, "Okay, how do you actually instantiate the security controls," which were very much on a technical level. But today you really have to have business acumen, especially if you're trying to create business risk strategies that enable the business. I think another really critical skill is that you need to handle crisis situations. I don't think that a CISO necessarily has to have a technical background. If they have some very good team members that report to them, that can be the sanity check of what you're instantiating in terms of technical controls, I think it's more important that they stay calm, focused, and logical when a critical incident happens and becomes a crisis for the company. I think that along with having business acumen so that you can be able to discuss with the board what are the business risks and how the organization is mitigating them to make the board feel comfortable with its overall governance role, I think that is really important these days.

Joseph Carson:

Absolutely. For me, I think we really have come to the pinnacle change and segue where we need to... We talk about focusing about cybersecurity, but I think we probably need to talk more about changing that and adapting it into really focusing about business security because ultimately it's about securing the business, not about securing cyber. Sometimes the terminology misleads us into what we're really trying to do and what our role is in the business, and really we're there as business protectors and we should start really focusing on it. We're not there to secure and protect technology. That's just one aspect of it. We're really there to protect and make sure that we're protecting the business, the services, the functions, and the role that the business plays in the industry.

That's where there are... Sometimes I find that the use of cyber is a little bit misleading. Yes, it's the space that we live in and the space that we're there to protect, but ultimately the focus should be on the business, it should be on the people, it should be on the data. That's sometimes the misleading understanding about the importance of the role. The thing in that regard is, how can the business really help the CISO be successful, because a lot of times the CISO needs to have the support, needs to have the structure in the organization to support them? What can the business do to make sure that they are making it possible for the CISO to be successful?

Merike Kaeo:

Yeah, I think the very important part is that the CISO actually has the collaboration amongst the other executives of the organization. I think many organizations do have that. Some, that may be more immature in how they look at cybersecurity issues within the organization, may still say to the CISO, "Hey, you're responsible for all of security and it's your problem," but I think that for today's business needs, that just doesn't cut it. For the business to be supportive, I think also the CISO has to have not only the responsibility but also the authority to make certain decisions and take actions, and not be the owner of all the responsibility but then really have no authority to take action.

Joseph Carson:

Absolutely, because they really are... It's rather than one silo by itself, it's really a cross-functional role that they're there to make sure that the finance team is doing the right controls and security implementations, the sales teams are doing it. In many cases where historically IT was that single silo, it was there to take care of technology and applications that supported the needs of other parts of the business, today the CISO is that cross-functional across all of those. You're absolutely right, it's so important to have autonomy and authority to be able to make sure they're able to implement, to collaborate, and understand the needs, but at the same time, make sure they're able to enforce the right policies to reduce those risks.

It is really important to make sure... Sometimes the structure in an organization, those who might have, let's say, where they're smaller and they're building up that role, it might be good for that person to report to the CEO for a period of time until the organization is able to build it out and get it as the right structure and the right pull-out policies and processes to make it successful. In more mature organizations, sometimes it absolutely needs to report into the CIO because that's where they have that synergy, but they have to make sure that they have a dotted line back into the executive team, back into the board when needed. You're absolutely right, it's so critical because in many cases, if that's not there, the CISO can't really make change, they can't really direct the organization in the right manner. For those who are, let's say, starting off as a CISO, first-time CISOs, what would you recommend their top focus be in year one? What things should they think about as the priority, or what should they look to try to change or evolve in that first year?

Merike Kaeo:

I think that's very dependent on the business, to be quite frank with you, because I think that there are probably different needs and priorities whether or not you're in the financial industry, retail industry, healthcare industry, what-have-you. But I think if you're coming in as a CISO, either as a first-time CISO, or if you're following in somebody else's footsteps, it's first and foremost important what the business risk is. I will always come back to that, because you need to understand what the priorities will be for you to do an effective job in the business environment that you're in. Then, also you need to understand what the security posture is, what the existing security posture is, and also understand what the motivations are for certain threats that will be instantiated in your environment. I mean, ransomware, the ransomware services, they're after money and the target is absolutely everyone, but there may be other reasons that your business or organization may be targeted for cyber attacks, so having an understanding of where and why, I think that's important also.

Joseph Carson:

Absolutely. I think it's really important to make sure that as you're going down that path you understand what the business is and the services they have. Sometimes even starting with a proper, good asset inventory discovery: not only what does the business have, but what systems do they actually have deployed, where are they deployed, who's using them? Having a really good understanding of not just the business model itself, but also what's the infrastructure that supports the business. Do you actually have a good inventory and understanding of it all? Because I'm pretty sure many organizations don't have a good, solid inventory, and they sometimes do it statically or manually, but not continuously. That's probably a major challenge. Absolutely, it's not just about knowing the business, but also knowing what the business has from a technology perspective.

Merike Kaeo:

Yeah. If I may add, one thing that I always found funny is that when people say, "Oh, I need a firewall and I need whatever acronym of the day," and then I would come in and say, "Well, what are we trying to protect?" Then everybody's hemming and hawing, and I'm like, "Well, what is the data that is important to your business?"

Joseph Carson:

Absolutely. Every time I get asked... When you think about even banks, when banks build a structure, they start with the vault first and then they build everything else so it works, because sometimes that's really the essential, most critical part. For organizations, to your point, what is it you're protecting? Is it data? Is it an application? Is it something physical? Is it intellectual property? Is it code? Is it an application that's been deployed? What is it that you're actually putting the security controls in front of? Also at the same time, we want to make it usable and accessible because it has to actually have some operational function. Sometimes putting too much security in place can do the opposite, where you're actually impacting productivity in the business, and that makes a negative impact and does create friction. The CISO's role sometimes is about the balance of friction, because they have to find the fine line where it's not too much and it's not too little; they have to make sure that they find that right balance.

One of the important things that I find is, and there are so many... I do a lot of research and look at different frameworks out there, and there are so many cybersecurity frameworks, depending on what country or what industry you're in. What frameworks do you recommend for CISOs to try and adopt? There's no one framework that fits everything; you probably have to take a mix and match of some, different versions or different ones that are risk focused or control focused or, let's say, have a very holistic focus. Which frameworks do you recommend that CISOs really look at, and which are the ones that you would look at adopting in your area?

Merike Kaeo:

Yeah, again, that's a really good question. Ironically, I had given an RSA talk, I was on a panel, and we were working on this data-centric cybersecurity framework. My role as part of working on that group was: why yet another framework, what are all these other frameworks that exist, and there are more than 20 of them, and why yet another one? But in my own work when I'm a CISO, there are two that I specifically look at. One of them is, again, I'm mostly US based, so it's the NIST Cybersecurity Framework, but I think that's also being adopted by other geographical regions because it holistically is a very good framework that has business leadership also understanding the five pillars of cybersecurity domains, which are identify, protect, detect, respond, and recover.

Then in conjunction with that, I always like to use a framework that is more operational in nature so that you don't just have the overall security governance framework, but you also have some on-the-ground actionable items. I usually use CIS version eight, that's the most current framework.

Joseph Carson:

Yep.

Merike Kaeo:

Yeah. With the two of them, I find that you can create a very good holistic security strategy that deals with operational security controls that then also tie into the overall security governance model. But depending on what industry you are in, you also have to look at the frameworks that are specific to the energy sector, financial sector, healthcare sector, what-have-you.

Joseph Carson:

Whether it be HIPAA or SOC, or whether it be PCI compliance, depending... You could be in all of those areas. It's not that you might have just one single framework; you might be in a business where all of those apply.

Merike Kaeo:

Yes, but I do think that tying in NIST with the CIS is a really good foundation.

Joseph Carson:

I absolutely agree, because I always look at it... The talk at RSA I think was great because it gives you the on-the-ground, close-to-the-business model and then that 50,000-foot view, but it's really important to have frameworks that will help you create a strategy, a strategic focus that is around what you're doing now, what you need to be doing a lot in the future, and what direction you need to be going in. Then you've got the operational side, the day-to-day stuff that still needs to be done, and the more tactical and actionable side.

Absolutely. For me, I do see that both the NIST and the CIS security controls apply in both of those areas really well. It really comes down to... I think for me, I also like that a lot of those frameworks have adopted a risk-based approach, because that was something that was missing for a long time. Especially when you apply things like CVEs, it just gives you an idea of an assumed score; it doesn't really mean that that's the same score that everyone has, it's not the same risk to every organization. That's where the risk approach comes in, where it's really about, well, how does that impact me? Is that system public facing or is it internal only? What other controls do I have in play?

This is really where the risk portion is so critical to the strategic and operational side, because it allows you to tailor it much more to the business, as you mentioned previously. It's really important to make sure that you map to the business and don't do these in a bit of a silo. Tell me a little bit more about your talk at RSA, because I thought of bringing this up. It was packed, I have to say that, and such a great panel. You talked more about the data-centric model side of things. Why is that important? Why is it important to look at it from a data aspect?

Merike Kaeo:

Sure. Yeah, I was really happy with the RSA panel, and I'm really happy with the work that the data-centric cyber maturity model is actually doing. Sorry, you get a little bit tied up when you're talking so much.

Joseph Carson:

Not a problem.

Merike Kaeo:

But the RSA talk, what we wanted to do was to raise the awareness that there is work now ongoing to create a new framework that really looks front and center at data, because the realization is that really all of the frameworks and all of the security controls that you're trying to put into place, what you're trying to protect is the data, whether or not it's intellectual property, whether or not it's code, it's all data. Most of the frameworks that exist implicitly look at data, but not specifically, and so we wanted to take a look at what is missing in all of the other frameworks.

This data-centric cybersecurity framework is really a companion to most of the other frameworks that exist. As I was mentioning earlier in our conversation, one of my roles in this work was also to start looking at all the other frameworks and at the gaps that this new framework now is trying to identify. I also want to mention that that talk actually came out of Sounil Yu's work, where he created the Cyber Defense Matrix. What he's trying to do, and getting a groundswell of individuals to be part of this, is to take a look at data, also networks, applications, users, and trying to create a cohesive way to articulate the security of applications or services so that people will understand, from the plethora of products that exist, where they tie into protecting either applications, data, users, or network from a holistic viewpoint.

Joseph Carson:

Can you mention a little bit about what the tech tree method was? I find that part very insightful as well, because there's a right way of doing things and a wrong way of doing things. Can you mention a little bit about what the tech tree process was, or that part of the framework?

Merike Kaeo:

Absolutely. Anybody that's been doing security for a while knows that there really isn't a cohesive structure to doing security. What the tech tree is trying to do is identify interdependencies and the sequence by which you could have a strategic focus on cybersecurity. As you were mentioning earlier, when you're looking at most companies, sometimes they haven't even done the classification of the data to do the inventory. Really, realistically, that's probably the first thing you should do: what data do I have? Where is it? Is it something I need to protect or not? That comes before you actually put in the protection mechanisms. This tech tree is trying to articulate the overall dependencies and also the sequence of steps to be able to provide the security services within an organization.

Joseph Carson:

Absolutely. To your point, it's like doing a vulnerability assessment on the data that you think you have versus the data that you really do have.

Merike Kaeo:

Exactly.

Joseph Carson:

In many cases, it really means that you have a good, much more clear understanding of the scope of things. That's the challenge that many organizations face: sometimes they'll do it on what they have or what they believe that they have, and until they do an inventory... I mean, I have a great example. Years ago, I was involved in a lot of the IT asset management side of things, and one great example I remember was a massive organization, a really large organization, over 100,000 endpoints and employees, hundreds of thousands of employees. They assumed that their spreadsheet, which said they had 120,000 desktop and laptop assets, mobile devices and so forth, was right: 120,000, and that's how many licenses they needed to purchase, and that's how many their OS licenses and application licenses said that they had, 120,000 devices. That's not including servers or anything, that's just the end user side of things, or applications.

Ultimately I was like, "No, no, no, we need to go and do a proper asset inventory. We need to really look at what is on your network and what you really do have." They were adamant. After going back and forth quite a few times, we finally got to the agreement: let's do a proper discovery, let's go in and do an automated discovery to really find out what assets you really do have. After doing it, it was a few months of doing this inventory, sort of gathering and understanding what was in the environment, and it came back with 140,000 systems. They had 20,000 more devices that they didn't know they had. The ironic thing here was that these were devices that they were not patching, they were not protecting, they didn't even know they had.

When we did the calculation, the energy saving alone just for those systems paid for the de-provisioning process and even the solution that they were going to buy, the energy saving just by itself. That was impressive. The problem with these devices was that as employees got new devices, the old one, rather than being de-provisioned, slightly moved over to the side of the table and then was used as... It had the legacy applications, so they could still use those when they needed to, it had the old data that they could go back and reference, or they could use it for getting around and playing games or accessing things that their new device was protected against. It was really just that they hadn't got a good de-provisioning process, so 20,000 more devices. I always remember that case, because it really highlights how it sprawls over a long period of time if you're not doing it consistently, proactively, if you let that problem accelerate. That 20,000 machines, that's a large organization by itself.

Merike Kaeo:

Oh yeah.

Joseph Carson:

It looked like a small blip for them; it's a big blip for many organizations.

Merike Kaeo:

I have a more recent example, and this speaks to cloud instances. How many people or organizations actually do a survey of really how many cloud instances they have? That's a lot of money. You have to understand what you have in place, either from systems, from data, and the cloud instances. I can tell you there are organizations that are wasting a lot of money by not knowing what instances they have, and even worse, what instances may not be decommissioned if they're no longer needed, which can then be used by threat actors as attack surfaces.

Joseph Carson:

Absolutely. That's a growing major area, definitely cloud environments and hybrid cloud environments, where you've got even employees going and getting their own instances outside of the organization's main domain, and they end up having all these micro silo instances all over the place with different configurations and no consistency. Then somebody goes and implements some type of data sharing between those, like an API call, and then data's going back and forth unnoticed by the organization, and this causes a major issue. That's where you get into a lot of cloud lateral movement, privilege escalation, and data leaks, just because employees have the ability to go and create their own environments quite easily. In many cases, that's where even in cloud, the shadow IT problem is a bigger problem than when it was on premise. You've got this massive shadow cloud problem now, so absolutely, it's a growing area for sure.

What's your way of staying educated? Are there any good reading materials that you'd recommend? Are there any good webinars or good educational areas? What's the area of education or recommendation you would have for CISOs to stay up to date?

Merike Kaeo:

It's a multi-pronged area, and to be quite honest, I think nothing beats personal relationships and networking. Going to conferences like Black Hat, DEF CON, RSA, where there are a lot of CISO-type meetups, but also more technical ones. I think those are really critical to meet and really discuss things that you might not even talk about over the phone or any kind of medium, and really to stay current. But I think that there are some really good blogs out there that have existed for a very long time, like Brian Krebs's, for one. I find that security researchers are now writing more books, and I'm sorry, I don't have the names right now, but Mikko Hypponen wrote one.

Joseph Carson:

Yes, secure, connected, and smart, something like that.

Merike Kaeo:

I think everything that's connected is vulnerable, I believe that's the title of a book. Then, looking at former CISOs or even current ones that are writing books about risk management. But one of the areas that I really like to read on that's maybe not typical for many CISOs is that I want to read about geopolitical aspects. There's a book I recently came across called The Digital Silk Road, which gives you a really good view of what's happening in Asia, specifically China. Then, I really like the book called Deep Survival, which is about why some people live or die or what happens, because again, this deals with crisis management and just looking at, well, how do you overcome crises and survive? I think many CISOs are really stressed these days because there's so much going on. But I look at other industries where, if you're a surgeon working on the brain, I mean, it's live-or-die situations, and so how do folks in those situations overcome this and not panic in a crisis situation?

Joseph Carson:

Absolutely. I think for me, absolutely, that's one of the skills that is lacking in our industry a lot, how to deal with things like mental health and stress, because in these roles, they are continuous, and incidents always happen at the worst time, and the toll it takes on people's health is significant. You're absolutely right that in the CISO role, while it's very technical, very IT focused, and application focused, and they do have a team to manage, it's like first responders, it's like that emergency room in the hospital type of thing: you're always on the go and you're never getting that time to rest. Absolutely. For me, crisis management is one of the top skills that CISOs should be looking to obtain. It's about how to make sure that they find the balance, make sure they're able to reduce burnout within their staff, their people, and even within themselves.

For me, I think anything that really helps find that balance is critical. I'm definitely going to take a look at the one you mentioned, for sure. For me, I think one of the ones that I really looked at was Atomic Habits, which was a great book as well. It was about trying to change things, small habits at a time, and something that was very insightful. But my next book is Rick Howard's Cybersecurity, the first one, that's one that's on my to-do list. I just finished Freaky Clown's, FC's, How I Rob Banks and Other Places, which was fantastic. I definitely highly recommend it. Also, Geoff White's The Lazarus Heist, those are great reads. But absolutely for a CISO, anything that's in crisis management would be an absolute must-have for sure.

What final recommendations would you have for anyone who's aspiring to be a CISO? What would be some of the steps or paths they should take? Definitely, one of the things you recommended just a moment ago was about the network, the people around you, and finding even CISOs who could be mentors and help you on that path. What additional things would you highly recommend?

Merike Kaeo:

I think as a security strategist and leader, the more you know about the different areas of security that eventually you may lead, the better it is. If you have an opportunity to work in different areas of security within your environment, I think that would really help you quite a bit as you move up in your career. Then overall, if your ultimate goal is to provide the overall strategy, because having... I will never forget what my first boss, when I was in my twenties, early twenties, told me. He goes, "Never forget what the people in the trenches are doing," because they're the ones that really know what's going on. Even if you're in a leadership role, having an understanding of what they go through also gives you more empathy in terms of what that role actually entails, and hopefully you'll become a better leader from that also.

Joseph Carson:

Absolutely. Great insights. Absolutely. Make sure you're not too far away from the trenches and you have a good connection there. At the same time, make sure that your breadth of skills is broad in multiple areas, because the CISO is responsible for it all. Whether you come from an application background or incident response background or a software engineer or tech support, you have to remember that, yes, absolutely, there's more than those areas. Cybersecurity is a massive field by itself, it's so broad that it's really important to make sure that you at least have insights and at least good knowledge yourself, but at the same time, surround yourself with really smart people who can help you and provide the more technical or in-depth areas where you need it. Merike, it's been fantastic, absolutely, having you on the show, and really insightful for me. It's given me a lot of things to think about and a lot of next steps for me to go and look into. Any final words or any final closing things you would like to share with the audience?

Merike Kaeo:

Yeah, all I can say is whatever you do in life, when there's a stressful moment, don't panic. Take a step back, think about the realities, talk to people that you trust, and have fun in whatever you do in life. Life is too short to stress too much.

Joseph Carson:

Absolutely. Those are very wise words. The most valuable thing in this world is time, and how you deal with it and how you use it is the most valuable thing, and it should be your first priority to use your time wisely and have fun at the same time. Absolutely. Merike, it's been amazing having you on the show, and hopefully I'm looking forward to catching up with you in the near future for sure. For the audience out there, definitely, how would people connect with you, or if they have questions afterwards, what's the best way to reach out to you?

Merike Kaeo:

I can be found on LinkedIn, or I'm fine with people emailing me at merike@doubleshotsecurity.com.

Joseph Carson:

Fantastic. We'll make sure that we add those to the show notes. For the audience, hopefully this has been very educational, and maybe you are in a position where you're aspiring to be a CISO, or maybe you're in your first year, or maybe you're already an existing CISO that's been doing it for multiple years. I hope this has been very valuable. I hope that you'll get different insights and that this will help you further your career much, much further in the future. It's been fantastic. Merike, many thanks for being on the show. For the audience, stay tuned every two weeks. This is the 401 Access Denied Podcast, bringing you thought leadership, really amazing guests, knowledge, and educational content to really help you with the future of your career, and at the same time try to make the world a bit safer. Thank you, stay safe, and take care. See you again soon.