Season 6 — Episode 3

When Sean Atkinson says that “We’re on a trajectory to have the most vulnerabilities ever identified in a single year, starting this year,” take note: As Chief Information Security Officer for the Center for Internet Security, he knows what he’s talking about.

He’s referring to the ever-increasing tide of weaknesses and flaws that undermine the security of software used every single day by teams around the world. Between a more active threat landscape, demands for development velocity, and the rise of generative AI, the cat in this proverbial game of cat-and-mouse has their work cut out for them.

In this conversation, Robin Tatam, Puppet’s Evangelist and Certified Information Security Manager, talks with Sean about the role of a CISO, what’s behind the unprecedented rise in vulnerabilities, and how smart integrations turn automation into a first-line defense against threats, misconfiguration, errors, and software vulnerabilities.


Highlights:

  • What a CISO actually does versus a CIO or a CTO  
  • The difference between “security” and “compliance”  
  • How compliance helps build the backbone of a long-term security posture  
  • Who really owns IT security and where IT operations fits into the security conversation  
  • What CIS Benchmarks are, what they do, and how CIS “wizards” keep them up-to-date on the latest vulnerabilities
  • How Puppet’s partnership with CIS puts the power of automation behind CIS’s widely recognized frameworks

Speakers:

  • Robin Tatam, Senior Technical Marketer and Evangelist, Puppet by Perforce
  • Sean Atkinson, Chief Information Security Officer, Center for Internet Security

Links:

  • Learn more about Security Compliance Enforcement, a premium feature for Open Source Puppet and Puppet Enterprise that automates secure configurations hardened against CIS Benchmarks and DISA STIGs
  • Listen to Sean’s podcast with CIS, “Cybersecurity Where You Are,” wherever you get podcasts

Transcript

Robin Tatam [0:00] Well hello. Welcome to today's episode of the Pulling the Strings Podcast, as always powered by Puppet. My name is Robin Tatam. I'm a senior technical marketer and evangelist for Puppet by Perforce. Everyone knows good security hygiene is important, but what do you do when your mom's not around to teach your server to wash behind its ears? To find out, I'm joined by Sean Atkinson, who you may know as the chief information security officer, CISO for short, for the esteemed Center for Internet Security, as well as host of CIS's own fantastic podcast available at cisecurity.org. Sean, it's a pleasure to have you here in the studio.

Sean Atkinson [1:00] Thank you, Robin. Great to be here.

Robin Tatam [1:01] Well, Sean, I'm going to embarrass myself right out of the gate and confess I'm a little starstruck. I've been a follower of CIS and even a contributor to a handful of the benchmarks for a number of years now. So I'm excited to have you here, hear your views on cybersecurity as well as have you share how CIS is empowering us all to fight back against these bad guys that are out there.

Sean Atkinson [1:25] Wonderful. No, great to be here with you as well. Our strategic partnership and the work that we're doing and that we as CIS want to continue to do, it's great and I'm a fan boy as well, so we're all good, Robin. We're in good company.

Robin Tatam [1:40] Fantastic. Well, before we jump into the serious nature of what usually is the case in a security conversation, we've got a small tradition here of having guests share a quick fact about themselves. Perhaps you have a fun hobby or an interesting personal anecdote that you'd be willing to share with the listeners.

Sean Atkinson [2:00] Absolutely. Yeah, so I grew up in England and my story is this, is I always knew I was coming to America basically. I was born in the United States, but grew up in England. And the little vignette is I was doing my bachelor's degree in England. My final exam was Thursday afternoon and I landed in JFK Friday morning. And basically that was in 2000. I've been back to England twice and just loving what I've been doing here. So that's my little story.

Robin Tatam [2:33] Well, that's fantastic. You and I actually share somewhat of a common thread. You were born in the US and grew up in the UK. Obviously I can tell that from the accent. My journey is actually reversed. I was born just outside London in the UK and have now spent what is sadly an inordinate amount of time here in the US, hence the lack of an accent. So we probably crossed paths at one point, but that is a fun, interesting fact. And yeah, I'll keep that in the back of my mind here.

Sean Atkinson [3:08] Yes, absolutely Robin. That's awesome.

Robin Tatam [3:10] Well, Sean, for those of us that may have been living in the dark, perhaps for the past few years, let's maybe start by having you share a few of the common responsibilities that a CISO has, maybe where that role fits into an org chart alongside a CIO or a CTO.

Sean Atkinson [3:31] Absolutely. Yeah. From a CISO's perspective, what you're looking at is cyber security strategy. Now that obviously has multiple arms as it were, that stretch out into those other roles. So when we're working with the CIO, we're looking at technology implementation strategies, building a capability and infrastructure that has security behind the scenes. The other element, and this is one to really think about with the CISO role, is the evolving element of privacy. And this really then delves deep into not only data management, but your sales strategy. It's working with your legal team. And that has started to really permeate certain CISOs that I talk to in terms of their role, the oversight, the understanding, the ability to really start to integrate the privacy by design with security by design into a component process.

And that's really where you get into the strategy, Robin, is really thinking about it. And this is one of the tenets that sometimes gets missed, but it's risk management. And it's one of those things that it's, well, when you talk about cyber security risk, that's a technology problem. And it's no, no, no, we've got to pull that back. That's a business problem. We need to address it as a business. We need to think about these risks from the business perspective. So that's one of the things I do is try to articulate those certain elements for the organization's approach with respect to information security versus cyber security. They are again defined differently and it has different aspects as it permeates through an organization's business processes has to be reflected through not only the technology we use, but also how we use it.

Robin Tatam [5:16] Yeah, absolutely. And we see those, I'll call them tentacles of different elements of this conversation feeding into different departments and at different levels within an organization. So it certainly makes sense. Now you're a CISO for an organization whose mission is to provide cybersecurity guidance to other organizations. And maybe from that unique vantage point, where do you currently see the world of cyber security?

Sean Atkinson [5:45] It's interesting. It's a great question because I see elements of improvement. I see a lot of work in the DevOps space, so DevSecOps and the modernization of our coding infrastructure. But to be honest, Robin, we've still not solved the problem. So as you mentioned, the podcast that I do and I talked to other guests and things of that nature, we've still got the same problems we had years ago. 30 years ago we still had patching problems. I've not seen that solved. And here's one of those elements, one of the tenets is where do we start to see the precipice of security becoming more maturated. And we can add new tools, new capabilities, foundational elements. And one of the things this year obviously, and respectfully for the last couple of years has been the integration of AI, that this is going to help us solve these problems. I see them as tools, but I don't see them as the solution. And that's where I think we certainly have really topics to talk about Robin. We could create a podcast series and still not get through everything we need to get through.

But it's those elements that I feel that there's improvement. I think the board awareness and executives' awareness of security is heightened just by the fact that literally everything we do from a business process has a technology component. I couldn't have said that 30 years ago, but we can now. So their awareness is better. But I think it's that risk communication and also the investment in security, not necessarily revenue generating unless you respectfully you're a cybersecurity organization, but it's those things that I see Robin that really start to be the differentiators, where you look at mature organizations. And then you look at organizations that necessarily CIS from the cyber underserved want to help get them to a level of maturity where they are protecting, respectfully, their assets.

Robin Tatam [7:48] And I agree. Gen AI is on the tip of everybody's tongue. I attended AWS's re:Invent show recently, and out of that massive, massive expo area, I doubt that there was a single vendor booth there that didn't mention AI in big letters somewhere. So there's obviously an intent there. I agree. There's no silver bullet. They're tools in a tool belt. They need to be combined and deployed in a way that is helpful and beneficial to the overall security stance. But the tools that are being deployed on the good side of the equation also potentially are being deployed on the bad side of the equation and maybe even more aggressively as we see the evolution of these different attacks and how AI can make that more effective and happen more quickly and efficiently. At some stage one offsets the other. So while I see it as definitely something that we're watching and engaging with, I don't think you're just going to flick a switch and say, "AI is going to save us."

Sean Atkinson [8:57] I completely agree. Completely agree. Like you say, I love the analogy, the tool in the tool belt, it's complementary, but we've got to use it in the right ways. And like you say, there's also an adversarial element to it as well, that as we use it for an advantage, so those attacking entities, those advanced sophisticated cyber attackers, they're using it too.

Robin Tatam [9:19] Yeah, for sure. So when you look at the change and the evolution of risk, when you look at 2024 and then you have the benefit of hindsight with 2023 and earlier, are we seeing trajectories of greater risk or are some of the efforts that we've been leveraging. Because let's face it security is not a new conversation, compliance is not a new conversation. Even when people got on that bus a little bit late, this is a very good chance, hopefully they're on that journey at this point, but where are we at as far as that trajectory? Is it paying off? Have we successfully lowered risk or is the target shifting so monumentally that we're just in this perpetual cat and mouse game?

Sean Atkinson [10:08] I think personally I see the cat and mouse game. The way I'll reflect on it is I take a look at vulnerabilities for certain years. And we're on a trajectory to have the most vulnerabilities ever identified in a single year, starting this year. I just looked at the first quarter we're escalating in terms of the number of vulnerabilities identified. Now whether that's AI enhanced assessment or there's just more people looking at respective vulnerabilities for systems in some cases though, and I love your thoughts on the AWS conference, I have the same with RSA last year, and I expect this year, you go into the vendor hall, there's the whisper, AI, AI, you just hear it. It's everywhere.

Robin Tatam [10:50] It's a little more of a scream I think nowadays. But yeah, for sure.

Sean Atkinson [10:55] Exactly. It's just everywhere. And so that works respectfully in terms of how we see the AI integrated into our processes. But the one thing for this year that I am seeing is AI assessment strategies. So versus just, "Oh, I'm going to implement AI", is there is a better understanding of what that AI is doing, specifically generative and in some cases AI enabled capabilities with machine learning, predictive capability, seeing a lot more questions asked about the technology before it's necessarily implemented, that's good. You need that element because it fits into an overall security supply chain assessment strategy in my opinion. And we need to be asking these questions because ultimately… Introduction of new capability, new technology, the new bright sparkling capability is great, but ultimately there has to be value generation coming from it. There's an underlying ROI that I need to get in terms of implementation, but there's also a risk perspective that I need to understand the implementation in those spaces.

And one of the other things, Robin, we can reflect on is for a few years there, and I still see it, but AI's taken over, but before that was zero trust. Everything was zero trust. And ultimately I'm starting to see movements, even within my organization. One of the things I mentioned is every new security or implementation project should have zero trust built in. I make sure that it is. That's the process to get us to maturation, not these immediate reactions, but there's a need to adjust organizational posture over time to be able to integrate to get the greatest value.

It's not just putting a box in the rack, flicking it on or using a cloud service and you're ready to go. In a lot of cases there needs to be integration. It needs to be done in a judicious way so that necessarily we can understand, one, the impact of its potential use, but then also its potential impact if it doesn't work. Or it causes ultimately unnecessarily an incident in our business processes, then we need to be able to react in kind. That's why again, proper change management, proper assessment are going to be contributive and need to be reinforced more than ever within this current infrastructure in this year.

Robin Tatam [13:21] And I think as so many people have shifted to either a cloud or a hybrid cloud environment, the expectation that the cloud provider is taking care of security, I think is definitely an item that requires clarity. There are definitely elements of infrastructure that are being handled by cloud providers that obviously offset some of the work that we used to have to do in a data center environment, but there's a lot of elements in the security and compliance space that still falls on the responsibility on the shoulders of the organization and that zero trust kind of thing. And the application development efforts I think are a big part of that. I guess I've identified a few ingredients that I talk to people about when we talk about the, let's call it secret sauce of DevSecOps and that's pushing security left, earlier and deeper into that software development lifecycle.

It's leveraging automation, which helps assure we've got some ongoing agility. We're maintaining that velocity that the DevOps teams are demanding. And then thirdly, breaking down the walls between the functional teams and getting the objectives aligned. We've traditionally had pretty big barriers between various teams, whether it's InfoSec and DevOps where, "Hey, this isn't my problem, this is your problem." And then when they find something it's chuck it over the fence and wait for that response to come back. Do you agree with that kind of assessment? Would you add items to that list out of that left push, the automation and the breaking down of walls? Is that valid in your eyes or are the things that you would take off that list or maybe add to that list?

Sean Atkinson [15:03] No, completely valid. I think you've hit the nail on the head there, Robin, with those perspectives. Because one of the things that we look at and we want to strategize for is that integration. That there needs to be a security voice right at the beginning. So shift left, absolutely. The quicker we get it implemented, I think the more effective the security implementation becomes. It then permeates necessarily those walls. Breaking down those walls, absolute requirement.

In fact, those walls exist as a risk because if we're not able to communicate and necessarily have a conversation between engineering, DevOps, security and basically come together with a plan, an opportunity, and in some cases an aligned goal, we're not going to be successful. We have to do this together. And the word you mentioned, which I say constantly is velocity because we're asked to do more in shorter periods of time. So if we can do that more efficiently, then we can meet those objectives while also maintaining the principles of security, DevSecOps, agility, allowing those to feed off of one another. It is critical. And so Robin, I love your list. I would keep it right there and have others follow your thoughts.

Robin Tatam [16:24] And you mentioned the teams and having to do more with greater speed, but we're also continuing to hear about global shortages of skilled resources, especially in information security. Do you see a short-term answer to that? We're turning out more and more cybersecurity professionals, but it looks like it's not at the same velocity. Again, we'll use that word, and the same trajectory as the level of increase in risk. Do you have an idea of what it's going to take to bring those two lines closer together? And does that mean that we end up with teams becoming, or at least the lines between the teams becoming a little more blurred. We can't just draw a line in the sand and say, "This is what we do." Because, well, we don't have enough people to go around to fulfill all of those roles. Do you see a solution to that in the short term?

Sean Atkinson [17:19] I don't necessarily in the short term. I think this is where I fall into this, Robin. I think security shouldn't just be on the mind of the security professional, the person that's dedicated to that necessarily as their job role. It should be integrated throughout, we'll call it the development lifecycle, the operational lifecycle. That's where we're going to start to look at these skill shortages. And you've got the adage that AI can help assist in those spaces. Fill in those gaps and potentially in the short term to provide an integrated capability that one can do alerting. Let's say we've got AI enabled development through co-pilots and things of that nature. Wonderful. That gives us an ability to get to a certain level of security, but it's not always the answer. One of the things I've also noticed, Robin, and one of the things you mentioned is skill.

Traditionally, one of the things I've seen, at least with some of the security engineers of certain generations, is they came up through system administration networking and things of that nature. There's a fundamental understanding of certain implementations of technology and in some cases, some of the new security analysts don't necessarily have that foundation. And I think those respectfully in system administration and networking, programming, any underlying foundation with a technology perspective and then adding security on top, I think gives you contextual approaches. What I see now is addressing, ultimately, everybody wants to be a pen tester. We want to be red team, we want to attack, we want to find the vulnerability. And I think it takes away necessarily from the immediate skill set, which I see as being defense. Or even going purple team, do both sides of that equation to help blue become better. Let's use red to attack.

And that's where I see elements of short-term capability coming into play. But I do think from a skill set perspective this is, like cyber security, working in cyber security is not a destination. This is the journey. You have to be a continuous learner. If not, you're going to have a certain level of knowledge and a couple weeks, a month, six months, a quarter, a year, whatever it happens to be, that knowledge is no longer in some cases relevant. And we've got to certainly think about long-term learning.

And in a lot of cases, solving these puzzles. Not an easy task. And it's not for the faint of heart, even though you see persons coming into the industry because of respectfully a certain number of positions, I even read something that there's not as many security positions as advertised before. And where are we on this side? Again, it depends on who you read and who you trust. But that leads us to where we need to really assess the environment and contextualize it, I think a little bit more. You can specialize. Ultimately now we've got such specialization, it's not just a security analyst, it's incident response, forensics, pen test, vulnerability assessor, threat analytics, all different types of elements there.

Robin Tatam [20:37] And that's only going to grow. Nothing's going to take away most likely, at least in the short midterm, in terms of those necessities. And for me, the sharpening of the pencil in terms of what we're asking these people to do is going to be part of the answer at least today as we say, we have finite resources. This is what we need them to do. We've got to provide them with the efficiencies and the capabilities that allow them to do their job more easily and to take some of the grunt work away. If there's something that's highly repetitive, let's not use those limited resources to take time to do that. Let's automate those things and then those skilled personnel can focus on interpreting the results, for example. And I think that's going to be a requirement for probably an extended period of time.

Sean Atkinson [21:28] Completely agree. Completely agree.

Robin Tatam [21:31] So a lot of our listeners, Sean, I would say identify themselves on the technical end of the DevOps community. They're platform engineers, they're DevOps engineers. What role do you see somebody in that kind of position playing in the cybersecurity story within an organization?

Sean Atkinson [21:50] Oh, absolutely. Huge story. Because ultimately that's the platform in which the story of the organization is told. And so when I work with my own DevOps teams, it's certainly an alignment on strategy. And I think the best way that I can say to address this is common communication, communicate as often as is reasonable for respective organizations, but understand that there are opportunities on both sides for success. Security shouldn't be necessarily implemented so that it is detrimental to the process, but it certainly needs to be done in a contextual approach to understanding the business process, the data that is ingested, processed, and the output of these respective capabilities. Ultimately, from the platform perspective, again, one of the big elements obviously is the CIS benchmarks that we're providing as foundational elements in the space. And that's in a lot of cases is the contribution to certain security programs assessment strategies.

So one of the things that we want to engage in is the governance risk and compliance side of cybersecurity, and we have to make a pure distinction between security and compliance. They are not one and the same, the way I introduce it to my organization and to others is compliance is the byproduct of good security. If I can provide a security posture assessment, elements of that contribute to control and information security frameworks. So when we're working with development platforms, those elements, one is to build an understanding of one, to identify risk. But also contributive elements back into the program. So that one, it's not a push-pull as it were. It's a journey together. And if we can do that, solve those problems and work through those processes, one of the things I tend to do is have security analysts go through, whether it's an online course, something along those lines in those spaces, understand the vernacular, understand the terms, understand the challenges these teams are having to deal with.

We don't want to be contributive to those challenges. But we do want to introduce the need for security through those processes. And the same respect through the DevOps processes and personnel in those respective roles is looking at security, foundational security, secure code training, looking at configuration management, looking at implementation of tools and automation strategies to make this easier. And again, where Puppet's partnership with CIS comes into play is not only is it the greatest level of automation, but it's also doing it with a secure foundation that leads us to success. There's not necessarily the consternation of deciding on configuration management of an underlying platform.

We can move to different areas of discussion because we've, in a lot of cases, got to a point where we've integrated and we're working through that and we know that we're on a solid foundation that allows us to have different discussions. And I think contextually that adds so much to organizations because it's then the next layer of security protection. Once we've reached that particular foundation, then it's the next discussion. And in the DevOps processes, yes, agile, a lot of different changes, a lot of integration, but I think because we build cadences and a culture of these types of discussions, talk in each other's language, it is, I think, critically important.

Robin Tatam [25:38] I 100% agree, and I know there's a lot of confusion and misuse of certain vernacular, and I don't think that helps anybody, especially when they're kind of dipping their toe into the space because there is confusion over interwoven use of the word security versus compliance. And I love that you say compliance is a subset of good security. I usually joke that compliance is the subset of bad security. Because let's face it, compliance probably wouldn't be here if we were all tip-top and had perfect security. But we know that's not a reality for whatever reason, and therefore they are regulatory mandates and others that are intended to hold our feet to the fire.

And having tools like CIS benchmarks and CIS controls, I think goes a huge way to making that process standardized in giving us a baseline that we can work from for consistency because we know it's a moving target, the benchmarks are updated with quite some frequency, and for good reason. And if we just think we've finished the security cycle and move on to the next project, I think we're going to get a rude awakening at some point in the very near future when we realize that not everything's clicked into place constantly.

Sean Atkinson [26:48] Absolutely, absolutely.

Robin Tatam [26:50] How many benchmarks do you have at this point? Do you know?

Sean Atkinson [26:54] There are over, I think, 115. Over 115.

Robin Tatam [26:57] Yeah. I know it's a big effort for you guys, and obviously each one of those has hundreds of different controls and in configuration conversations within it. So like I said at the beginning, I've been involved in some of that in a small context, but I can only imagine behind the curtain the wizard is a busy guy or gal and working through all of that evolution as the risk changes and the benchmarks need to keep abreast of that as well. What an effort that is.

Sean Atkinson [27:30] Oh, absolutely. Now they do a phenomenal job of assessing, because ultimately you’ve got to think when a version of a certain operating system and a major update to an operating system calls for our requirement to update those. But in a lot of cases after the fact of when those are released and the velocity, I think that's our key word for today, by the way, Robin, is velocity.

Robin Tatam [27:55] I think I'm going to get that on the T-shirt, Sean, I think you're right on that.

Sean Atkinson [28:00] So the velocity in which they react and then provide the next benchmark with the required configurations, with the changes and the alterations within those systems is nothing short of amazing. And it's also contributive to the volunteer community. This is a consensus-based approach to the strategy of building these benchmarks, and it's a call to action in some cases. And again, the work that you've done, Robin is contributive to that and all the other volunteers that we have in the community, it's huge. Really contributing to setting the foundational goal of building out configuration that not only can succeed in necessarily providing business function, but then also can be considered hardened to respective standards from a plain vanilla deployment. It is hugely contributive and something obviously CIS takes very seriously and is a passion for us in this space.

Robin Tatam [29:01] And I think the success comes from how prescriptive they are. I mean, there's so much obviously discussion around PCI and GDPR and Sarbanes-Oxley and the laundry list of various regulations and the different frameworks that are out there. But having something that's so prescriptive I think is beneficial. And what we've done on the Puppet side to integrate the CIS-CAT Pro Assessor, that is obviously your technology integrated into ours allows us to facilitate spreading that prescriptive example across that infrastructure no matter how scaled that infrastructure environment is.

And I think that's a huge thing. Because the reality is nobody's going to do that manually, even if they wanted to. I always use the analogy of a supermarket and saying imagine if you had to manually go down every shelf, how frequently would you do that? Checking to see if items on the shelf are in the correct place that they have a price tag on? The price is correct. There's so many different things that have to be validated where something can do that in an automated fashion. You're still getting the same benefit, but you're doing it without the grunt work. You're doing it without the inordinate amount of lift that would be required to do so otherwise.

Sean Atkinson [30:15] Oh, completely agree. Completely agree. Then that's where you're going to see the success because it's, one, ultimately the Puppet platform itself, but then allowing that integration to gracefully assess through this automated fashion leads to, I think, a lot of success across and why it's such an important partnership.

Robin Tatam [30:35] And it's corrective as well. We've had CIS I'll call it enforcement capabilities within the Puppet Enterprise solution for actually quite a while now. But we know compliance is not just applicable for those that don't have a need for an enterprise solution. So earlier this year we put that Security Compliance Enforcement extension out available as a premium add-on module to those folks who are perfectly happy running our open source Puppet solution. So we're pushing that out as a way of providing alignment with great benchmarks like CIS in an automated fashion, regardless of what back end functionality you're running. So that was an exciting turn of the crank for us in terms of value proposition. And I know obviously a lot of people listening are running open source Puppet, and I think sometimes they look at those extensions and say, "Well, that's not available to me." And in this case it most certainly is. So that's part of how we're furthering that availability of CIS content to everybody in the Puppet community.

Sean Atkinson [31:45] Wonderful. Yeah.

Robin Tatam [31:46] Well, Sean, I could honestly, like you, sit here probably all day and keep chatting. But with that being said, I'd love to have you back on if you'd be open to that and we can continue this conversation.

Sean Atkinson [31:58] Oh, absolutely. I'm ready for part two.

Robin Tatam [32:00] Perfect. Well, before we go, any parting wisdom that you want to share? Is there anything about CIS that you want to drop that maybe we haven't already?

Sean Atkinson [32:10] No. Again, I appreciate that. cisecurity.org to assess the benchmarks, it's actually 55 in total, not 150. I don't know where I came up with 150, but it's 55 benchmarks in total. I just had to look it up just to confirm.

Robin Tatam [32:24] All right, well it's still plenty.

Sean Atkinson [32:26] Still plenty. Exactly. Exactly. One of the other elements that I just want to mention as well is the CIS controls as a framework, practical guidance for implementation of security controls. Again, obviously I'm biased second to none, but certainly helps with our mapping processes as well. A lot of work in that space to map to NIST CSF, ISO 27000, 853 from NIST as well. And then finally the podcast, “Cybersecurity Where You Are,” myself and our chief evangelist, Tony Sager, every other week we have a podcast. We're nearly up to, I think we've recorded, Robin, our 85th episode. So going well.

Robin Tatam [33:10] Wow.

Sean Atkinson [33:11] Yeah.

Robin Tatam [33:11] Well, we're number one, so we'll work on getting episode number two out in maybe a little series that we can do. And I definitely appreciate you being here, Sean, it's been fantastic to get your insights. You're in a unique position and I have a valuable voice in this conversation. And I definitely appreciate you taking time out of your schedule to join us, and we'll look forward to chatting more.

Sean Atkinson [33:36] Thank you, Robin. I really appreciate it. And thank you and to Puppet for all the great work that you do in this space.

Robin Tatam [33:41] Sounds good. Well, once again, thank you for listening. Thanks for being here on the Pulling the Strings Podcast, powered by Puppet.
