Listen to this article
This audio has been generated with an AI tool.
As part of a new blog series, Sekuro CTO, Jason Trampevski chats with Nathan Wenzler, Chief Security Strategist at Tenable to get his take on exposure management and the broader cyber security landscape. From the human-centricity of cyber security to the role of a CISO, this is your chance to be a fly on the wall for an insightful conversation (and sometimes deep philosophising) between two cyber security leaders.
The fourth and final in the series, this blog will focus on the importance of protecting critical infrastructure, the changing role of the CISO and the critical role of partners.
CRITICAL INFRASTRUCTURE: AIR GAPPING IS NOT YOUR ANSWER
To your point, because it has such a direct tie to the wellbeing of people in the community, it's got to be prioritised. We're not just talking about manufacturing, we're talking about power and water systems and food supply, and these are day-to-day life necessities.
Jason: What are your thoughts about how governments and organisations are addressing critical infrastructure? For me, this is the hottest topic right now because that is what’s going to have the biggest impact on society, at the end of the day.
Nathan: I can’t agree with you any more than that. Critical infrastructure is a major issue and it comes with special challenges. Not just because of the nature of the technology involved, but there’s a cultural element there.
We are still dealing with an industry of engineers who believe that air gapping is the solution for everything. I’ve been doing this for 40 years and I’ve kept these systems up and running, and everything’s changed. Every aspect of our environment has changed.
I think the steps being taken in a lot of countries around critical infrastructure are hugely positive and necessary. But I would also say it’s probably not enough. I think we need more, and part of it is getting past the mistaken belief that everything is safe because it’s air gapped.
I hate to bring up the classic, obvious example, but just look at Stuxnet. It’s the perfect use case of how to violate an air gap network. Is it difficult? Sure. Is it possible? Oh, yes. So, we’ve known for a long time that even air gapping is not a real solution to these problems.
To your point, because it has such a direct tie to the wellbeing of people in the community, it’s got to be prioritised. We’re not just talking about manufacturing, we’re talking about power and water systems and food supply, and these are day-to-day life necessities.
Don’t be blinded by compliance
Jason: I agree, and yet it feels like a lot of organisations are only driven by compliance.
Nathan: Yes, and those organisations have lost the narrative. They have forgotten what it is that they’re there to do. Especially in the government sector where you are serving the constituents, you are there for the good of the public and to ensure their safety. You can’t just check the box. You have to take it more seriously and really find ways to go above and beyond to ensure that you’re doing all of your due diligence.
You need to be ensuring that systems are kept online and safe and that you have good visibility into that environment. You need to understand what can be a target, and where it could go wrong, and to make sure you’ve got the right steps in place to deal with an incident. To do that, you’re going to need a combination of people, process and technology that we’ve already spoken so much about already.
For anyone operating or within the supply chain of critical infrastructure systems, the time for wondering if you should do something is long over. The time is now.
The evolving role of the CISO needs to be risk-driven
Security is not an IT function, it's really a risk function. Risk doesn't deal in binary absolutes, risk is all about probability and likelihood. You have to have flexibility. The decisions that get made from a risk perspective are very different from the decisions that get made from a technology perspective.
Jason: New threats come in thick and fast across every sector, not just critical infrastructure – how are you seeing the role of the CISO change?
Nathan: There’s a really interesting problem in the security space right now because as security practitioners, security is still a relatively young function. We’ve only had CISOs formally for the last 20, maybe 25 years. IT has been around a lot longer than security has.
A CEO or a CFO are really well-understood disciplines. You can go to school, you can get a business administration degree, you can get a finance degree. But we’re still figuring some of that out in security.
It’s hard to answer that question because a lot of it depends on the background of the security practitioners and CISO involved. You get a lot of folks today who’ve been in the industry for 15, 20, 25 years who are now in leadership positions, but they came up from an IT world. And if you’re a technology person, say a systems administrator, you tend to see the world in a very binary way.
Is my server on or is it off? Is the software installed? Are the 50 servers deployed? Everything is this very black and white binary approach and so you naturally look at the world that way. However, security is not an IT function, it’s really a risk function. Risk doesn’t deal in binary absolutes, risk is all about probability and likelihood. You have to have flexibility. The decisions that get made from a risk perspective are very different from the decisions that get made from a technology perspective.
When you’re working with a CISO who is a technologist, you might find they won’t buy a tool unless it does 100% of everything they need it to do. But you’re never going to get that. I personally think that mindset is part of the reason why we have 50 or 60 tools because those technologist-type security people say, “Okay, well that tool doesn’t do all five things I need so I’m going to buy five different tools because I want to do each thing at a hundred per cent.”
The success or failure of a tool a lot of time comes down to the background of the decision maker and the security team. If they’re a technologist (which is going to be the vast majority of them), they’re the ones that ask the really weird poignant questions when they do evaluations. They’ve essentially kept the mindset they used as a technologist and applied the same framework for business risk decisions and really what you need is for somebody to step in with that business mindset to ask “But is it close? Does it move the needle for us? Does anybody have any other tool to do all of it at 95% like this one does?”.
You get business leaders who will say they don’t know anything about tech and won’t challenge the IT and security teams. And then your business ends up with a lot of tools and starts to ask why they need it all. To be a successful CISO today, you need a combination of technical expertise whilst also understanding risk and not losing out on something ‘great’ in the pursuit of perfection. That’s hard. And very few organisations frankly do this well.
The success or failure of a tool a lot of time comes down to the background of the decision maker and the security team. What you need is for somebody to step in with that business mindset to ask ‘But is it close? Does it move the needle for us? Does anybody have any other tool to do all of it at 95% like this one does?’.
Jason: With this in mind, is this what you see the value a partner can bring to the table?
Nathan: A hundred per cent. Your partners are best positioned to be that long-term trusted advisor. If you establish credibility, which you have to if you’re going to stay in business, and can demonstrate that you have the best interest of the customer in mind, then yes, you absolutely become that critical voice that is separated from the vendor as a whole.
When they’re having a conversation directly with Tenable there is an expectation that they are being sold to, however, when a partner comes in and says, “Well, actually it’s a good product, we know it works. Let me show you how it can help you,” there is an establishment of credibility. It’s invaluable in these kinds of conversations and for security people, especially because they focus on trust perhaps more than any other discipline. We heavily rely on our trusted partners and advisors out there who have those relationships to establish the credibility we need.
You need a combination of technical expertise whilst also understanding risk and not losing out on something ‘great’ in the pursuit of perfection. That's hard. And very, very few organisations frankly do this well.
Nathan Wenzler
Chief Security Strategist, Tenable
Chief Security Strategist, Tenable
Nathan has over 25 years of experience in the trenches as CISO of Information Security programs, helping organisations to optimise, mature and accelerate their information security and risk management programs. Nathan’s focus areas include vulnerability and exposure management, PAM, incident response, process and workflow improvements, executive-level program management, and the human-focused aspects of InfoSec.
Jason Trampevski
Chief Technology Officer (CTO), Sekuro
Jason is a strategic technology leader dedicated to helping organisations achieve their goals through the effective use of technology. His expertise lies in building resilience and driving business success. As a specialist in transforming complex business requirements into streamlined technology solutions, his focus lies in harmonising the essential components of people, processes, and technology to empower organisations to maintain agility and competitiveness in today's rapidly evolving digital world.
