Security Unlocked 1.19.22
Ep 56 | 1.19.22

What’s a BISO?

Transcript

Nic Fillingham: Hello and welcome to Security Unlocked, a new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft security engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla:  And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science.

Nic Fillingham:  And profile some of the fascinating people working on artificial intelligence in Microsoft security.

Natalia Godyla:  And now, let's unlock the pod.

Natalia Godyla:  Hello, everyone, and welcome to another episode of Security Unlocked. Today, we are joined by Alyssa Miller who is a BISO at S&P Global Ratings and the topic for the conversation today is, "What the heck is a BISO?" You know, Nic, I'm really excited to dive into this episode but I feel like we should call out that you weren't in this episode.

Nic Fillingham:  I was not, no, I'm sorry that I, I missed this one. Hello, listeners, apologies for, for not being on this episode, although you're in, you're in great hands. Natalia absolutely did not need me, I was completely redundant, which I guess is a good thing. Yeah, no, it was a milestone birthday for me, so I took a couple of days off and the family and I got in the car and we drove up to Mount Rainier, which is one of the, the big beautiful snow capped mountains here in Washington State. I think it's, I think it's a volcano, maybe a dormant volcano. Gosh, I hope it's a dormant volcano, didn't see a lot of lava, saw a lot of snow. Got very wet. Made a wet snowman, threw some wet snowballs, had some hot cider and cocoa, came home. Tons of fun, but I missed the interview. But I have listened to the recording, it was fantastic, I'm so glad that you covered what was going to be my first question which is what is a BISO?

Natalia Godyla:  Right. CISO for a business unit. That's the way I understood it. You have a security officer that is much more closely aligned to a particular business group and they either roll up to a CISO for the overall organization or maybe the CIO. We even get into those details as to how the BISO fits in the overall security structure of an organization.

Nic Fillingham:  Yeah, it's fascinating to think that the decision making sort of seniority and the scope of a CISO can be sort of compartmentalized for an individual business unit. Obviously when an organization is, is complex enough that maybe they have very different businesses in-- inside the one big sort of uber business that they may need to be, so it's a fascinating idea and, and I think folks'll really like the conversation with Alyssa. The one thing you didn't ask, which I was, you know, I was a bit disappointed, Natalia, is who or what dubbed Alyssa the Duchess of Hackington, which I think as you, you just learned is an actual place near Kent in England. So do we know if Alyssa is an actual duchess? Or is this a Twitter based title?

Natalia Godyla:  You know, you said you were redundant but this is exactly why we need you on every episode. I did not ask, which means we need to have Alyssa back on the show.

Nic Fillingham:  Absolutely. But before that, we should listen to the episode, what do you think?

Natalia Godyla:  Yeah, let's do it. On with the pod.

Nic Fillingham:  On with the pod.

Natalia Godyla:  Hello, everyone, welcome to another episode of Security Unlocked. Today we have Alyssa Miller on the line with us. She is the BISO at S&P Global. Welcome to the show, Alyssa.

Alyssa Miller:  Thanks, it's exciting to be here, I appreciate it.

Natalia Godyla:  So, you will be a new voice for our audience. I'd love to kick it off just with an introduction to who you are. So, who is Alyssa Miller?

Alyssa Miller:  [LAUGHS] That's a long story but I'll try to keep it short. So, first and foremost, as you mentioned, I'm the Business Information Security Officer for S&P Global Ratings. As I tell people, I've been a hacker all my life, I was the kid who took apart all her toys, took apart the family electronics to try to figure out how they worked. At the age of 12, I got myself a paper route and I saved up $1,000, ran over to Best Buy, bought myself my first computer and used that computer then to learn about modem communications and UARTs and serial comms and the whole nine yards, which led to me hacking into some dial up community services we had back in the day. And we're talking, like, you know, '89, '90, '91 here, so, also, you know, a time when not everybody had personal computers in their homes.

Alyssa Miller:  You know, I started professionally in tech as a programmer, did that for about nine years before I moved into security as a penetration tester and then from there, it's been kind of just a steady progression of, you know, higher to higher level leadership roles within different organizations both in consulting and resellers and vendors. I've kind of seen pretty much everything, I feel like.

Natalia Godyla:  [LAUGHS] So, what was it that drove you to start hacking at a young age? I mean, it was, it was at a time where security was still not a topic that everyone talked about, at least not at the level that we talk about it today. So, you know, what made you fall into that more niche topic area?

Alyssa Miller:  I mean, so, initially it was just curiosity, right? It was-- As a kid it was just pure curiosity. Like, I wanted to understand how, how different stuff worked. So, what better way to understand how it works than take it apart and look at what it's made out of. Which is funny because, I mean, when you think about what we do as hackers in, you know, the software and network space, that's exactly what we do. Hey, I found this new network, I want to figure it out, I want to see how it works. I mean, when it came to, you know, some of my early hacks where I guess the, the legality of it might be a little more questionable, thankfully I think I'm way past statute of limitations and I was, you know, a juvenile, so I think I'm safe. But, no, I mean, seriously it was-- I wanted to have access to this service and, so, people who remember, like, Prodigy and AOL and Compuserve, they used to send you these discs. And it was like, "Hey, you get 50 free hours, sign up." And, so I signed up, I did my time and my time was running out and I wanted to keep using it. So, I-- Like, healthy, like. I went to the freaking library and took out books on UART and, you know, just serial comms and I had already at that point taught myself basic programming, so I kind of learned some pieces.

Alyssa Miller:  And, yeah, I just-- I, I got into some of the communications that were going on with the modem and, and was able to see where I could actually manipulate from the client side, some parameters that broke me in. So, that was kind of just out of, like, "Oh, this would be cool if I could do this," and, okay, I did it. You know, the internet came around a year or two later, I got involved with a lot of the IRC communities and such. I was never wanting to be big in, like, the BBS world, but when IRC came up on the internet, then I was-- that's where I started to get into hacker community and, and some of that culture.

Natalia Godyla:  I love just picturing the librarian seeing this kid come up with, like, heavy technical books, checking them out and them just trying to, like, process what this kid is about to do.

Alyssa Miller:  Oh, the best part was the look on her face when I started asking her about, "Do you have a book on this topic?" and it was, like, you know, just complete blank stare, like, you know, and I'm like, "Where are the computer books?" Like, literally, that was-- You know, it's, like, almost movie-esque, but that was literally how it went down, I walked into the library and I still remember the library on Mill Road in Milwaukee that I went to and, you know, I had to take the bus 'cause I didn't drive at that point. And, yeah, just, you know, sat there, like, started digging into these books and found a few, checked them out and, yeah, from there things just kind of went.

Natalia Godyla:  It's incredible how far you've come from, you know, thinking about those days where you were just trying to figure out how to even get access to that information, to learn how to hack and now you're a BISO at S&P Global and a BISO is such a, a new role in security. So you're really shaping what a BISO will be for the future generations, people moving into security. So, so, let's dig into that a little bit. The BISO function is still relatively new. Let's start with what the heck is a BISO? What is your role as a BISO?

Alyssa Miller:  So, it's interesting because it is very new which means it also varies widely from organization to organization. But for me and certainly in my role at S&P, a BISO is ultimately-- my job is to be the bridge between our business line and the CISO's organization. So, we've got a big company, you know, a big central corporate structure where infrasecurity and IT and all that stuff live, but then there's divisions. There's four main divisions who were all, like, independent companies at one time and came together under this S&P Global umbrella. And, so, those divisions are kind of customers of those corporate functions in IT and security and whatever. So, my job is really to be that bridge between the two because, as we know, security and the business oftentimes are butting heads and it, it-- What I really stress to people though is it's a two way bridge. So, when I came in, the way the job was kind of laid out was it was my job to build a security culture in the division.

Alyssa Miller:  So, of course, I envisioned that I'll be spending a lot of time advocating to engineers and to developers and architects, why they need to do the security thing. But what I found is a lot of my time, in fact the majority of my time, is actually spent going the other direction and advocating on behalf of the business back to the security team and trying to get them to align their strategy, their programs, their individual initiatives to what it is that we're doing in the business. And for good reason, because not only does that get the business to buy into it, right, if the business sees, alright, this is connected to what we're trying to do, it's actually better for the security team because if I can take, "Oh, you want to spend $5,000,000 on a new EDR tool, well, let's talk about what that's going to enable in terms of revenue from the business side." They're going to have a lot easier time winning that funding. Right? It's a lot easier to say, "I want to spend this 5,000,000 and it's going to let you guys make more money," is a far stronger message than, "I'm going to spend this $5,000,000 to protect you against this nebulous risk that may or may not ever actually happen."

Natalia Godyla:  So, you've touched on this a little bit so far in your explanation but, you know, how come this function exists today? What are the gaps that a BISO's trying to close? Like, one of the ones that you outlined here is the fact that you're trying to connect the business and security in a more real way, make sure that they're both speaking the same language. Can you speak to that a little bit more and maybe some of the other challenges that the BISO addresses for the business?

Alyssa Miller:  Yeah, I think ultimately and this is kind of universal, it's definitely-- it applies to me, but I'm, I'm seeing it universally that, you know, the, the BISO is the one that brings the business context in one shape or another. Now, I would hope that BISOs would be influencing both directions, not all implementations of the role work out that way but at the end of the day, most enterprise organizations especially have this situation of a centralized security function that's trying to build a security strategy that encompasses all of the business units that exist within the organization. And, so, what the BISO is there to do is kind of provide that, that link of, "Alright, let's understand now, we know that security's doing this thing, how are we going to bring that into the business and make sure that that's actually being implemented?" So for some BISOs, their role is more just that side of it, it's just the-- and some of them get very tactical, some of them are very tactically focused on, "How do I implement what the CISO org is trying to do?"

Alyssa Miller:  Again, I think there's more value in the approach that we've taken at S&P where our BISOs are influencing both directions and in fact I'm not very tactical in this role, in fact I'm very, very strategic, that's my focus.

Natalia Godyla:  You've used a couple of terms here, you know, being an advocate, being a strategic leader. A lot of this also sounds very consultative. Do you feel like your role is to be that, you said "bridge" but almost like a consultant to both sides so that you can speak to the security team in the c-- like you said, the context of the business, and then speak to the business team in the context of security? Is, is that a right way to think about it?

Alyssa Miller:  Oh, absolutely. Yeah, because, like, whether it's the architects and I'm trying to help with what they're designing, whether it's, you know, security and I'm trying to coach them on, "Alright, le-- let's talk about you, you got this, you know, 42 point list of initiatives you want to bring to the table over the next three, four, five years, whatever, let's talk about how you align those." All of that is very consultative and what that leads to, the other real value that I think in my role is then because, at least within S&P, our divisions, like I said, are former companies. A lot of what I'm doing to them is bringing that-- you know, I'm in the ratings division, we have our own boards. Right? I've got a board of directors, I've got regulatory boards, everything else that I'm, I'm reporting to. So instead of them getting the view from their centralized security function that maybe doesn't have the best understanding and vision into what the division is doing, now I can report to those boards and even to our corporate executives and corporate, you know, corporate board of directors as well, here's the view from within this business.

Alyssa Miller:  This is what we're doing. And so even that becomes not so much consultative in the terms of trying to accomplish, but consultative in terms of bringing that visibility to those levels so they understand.

Natalia Godyla:  So, before we go much deeper into BISO, I do want to ask you a little bit of a wild card question. So, you know, the BISO emerged as a role because there was a need to connect the business and the security teams. Do you see other roles that need to appear in the security space? Like, are there similar gaps where we need to find-- need to build a new position to help create bridges like this? And, and if you see that, like, what other roles do you expect to emerge over the next several years?

Alyssa Miller:  So, there's one in particular that I'm actually working on implementing right now at S&P, in fact, and it's actually-- I think this role has probably existed longer, at least in some conceptual level, than the BISO, and that is this idea of security champions. We go back to 2008, DevOps arises on the scene, 2012 suddenly security figures that we have to be a part of it. We still haven't figured out how to actually do a lot of the things that we'd like to do in security, you know, the things that we want our devs doing to, quote, unquote, push left. That's a tired term if I've ever heard one. And I think, you know, the security champions is one of the ways that we need to do that because now that's taking that next level-- it's taking what I do at this BISO level, right, you know, where I'm at kind of top of the division, I'm running security strategy globally for our division, but now I need someone that can connect between me into those engineering teams and can bring that security presence.

Alyssa Miller:  But I don't want to, I don't want to take a security person and shove them into my engineering team. No. I want an engineer who I can train up on the security aspects, who's interested in that part of it and can be security minded, but at the end of the day they're still an engineer. And that still, you know, they have that credibility, they're still part of that team, that's still their primary focus, now with things where I'd traditionally rely on my corporate security team to, you know, handle, you know, researching false positives from our sca-- you know, our, our code scanning tools, our dynamic testing tools etcetera, all those kinds of things, all those tasks that overwhelm our security team, well, let's augment that. Because that's a win win. It takes that strain off them but it also makes things a lot faster. It pushes you farther left and it makes sure that from a development side, we can really speed up and make that pipeline more efficient, which, at the end of the day, that's got to be security's responsibility as much as it is the developers'.

Alyssa Miller:  When we talk DevOps, we're talking this idea of shared responsibility and unfortunately when security people hear that term, we're kind of arrogant and we come back and we say, "Yeah, security's everybody's responsibility." Sure, yeah, it is, but if we're going to say that then we also have to accept responsibility for what has traditionally fallen in the dev and ops roles, that's stability, efficiency of the pipeline, delivering quality code, all of those aspects, we now have to accept that responsibility, that's the whole point of shared responsibility. So, you know, that's where I see the security champions as a huge way of addressing that and I know people have talked about it, some companies have done a really good job of implementing it, it's still not even close to universal even in the largest, you know, enterprises, let alone into smaller startups or non-tech organizations.

Natalia Godyla:  Mm hm. I haven't heard anyone phrase it quite that way and I really love that, turning the "security is everyone's responsibility" on its head and, and looking at the other side of things. I've heard a few AppSec folks start to talk about building champion programs, I love that it's becoming more of a mainstream conversation, it's great that you're bringing in a role like that. Tanya Janca, Chris Wysopal have, have mentioned in a few different capacities something similar. So from your past experiences, what really set you up well for this role? If there's someone listening who is aspiring to be a BISO in the future, what could they do to skill up now?

Alyssa Miller:  So, a couple of things. I think, that early part of my career, just having the understanding of what it's like to be on a development team, that empathy for the engineers and understanding what they're-- they go through. I mean, I didn't work in a DevSecOps space, right, I mean, I was-- DevOps was just coming up as I was transitioning over into security. So, I was never a developer in that space, but I worked with devs who were as we were building out those pipelines. And, so, I understood their world and I understood the unique challenges and where the excitement was coming from and, and what the goals were. And so I think that that was important. But then, you know, obviously the security aspects of it, having broad security understanding is good too. You know, I've always been a little bit more focused in application security but, as I mentioned, you know, I worked for a financial services company as far as a programmer and then in security. That was 15 years of my life.

Alyssa Miller:  Then I got into consulting and I spent, I think, six years in consulting in a couple of different organizations and as I progressed in leadership, you know, the last consulting organizations I worked for, well, last two, so I worked for a company that was called Aspect Security, they're now part of Ernst & Young, but I headed their program services practice which focused on how do you build an AppSec program? So, not, let's go out and we're going to do app assessments for you on a very tactical level, but, you know, going into, you know, large financials and government agencies and things of that nature and saying, "Alright, let's sit down and look at, you've got a suite of, you know, nearly 1,000 applications, and, you know, you've got a couple thousand developers, how do you secure all of this and how do you prioritize and do all those things?"

Alyssa Miller:  And so, those conversations were happening at a, a very high level, often executive level. And I was often called on to do board presentations. So, I think getting some of that exposure, and I know it's easier said than done, not everybody has that opportunity to, to know what it's like to be in a board meeting, not everybody even gets a chance to interact directly with executives, but trying to have conversations, even if it's just like social media or something, just listen to what executives are saying. Listen to how they talk and I'm not just saying your CISO. Talk to, or listen to a CIO, a CTO, a CFO, even the CEO. And we kind of-- In security a lot of times, we sort of bemoan those people because they seem to be the ones that always stand in the way.

Alyssa Miller:  But I think as you understand what their motivations are and accept that they do have a different language you have to speak, and you learn how to speak to them, both to those motivations and with that language, that's an invaluable tool. Because ultimately, as I said, I mean, I'm, I'm presenting to the boards, you know, and I'm, I'm actually doing a survey right now of BISOs just to kind of understand what others' perspectives are that are peers of mine and I can tell you that, you know, right now, about 70% of the respondents are telling me that they're called upon to, to provide updates to executive committees and boards. So, that, that tells you that for this role, that-- that's a very powerful element in what we do.

Natalia Godyla:  Yeah, you're really operating at multiple altitudes, right? You're getting to know what the individual practitioners are doing, and not just in security, and then you're talking to, like you said, the board, the C level executives. So, what, what is the, the, like, secret sauce to being a successful BISO? Your-- You said there's a variety of different ways that people are tackling the BISO role. Have you seen some best practices already emerge, even though it is a nascent position?

Alyssa Miller:  Yeah, I-- you know, I think there's a few things and, and this is where I'll get some argument because I can tell you again from that, that survey I've done, you know, 41% of them are telling me that they report to the CISO, which I think is wrong, because I think that takes the value away because now I feel like that advocacy on the part of the business will always be influenced by the same security org that we're trying to build the bridge with. So personally, I report into the CTO of our division. Right? So, my focus-- At the end of the day, my boss is part of the business, he's not a part of the security infrastructure. And that's important because there are times where I do literally have to go toe to toe, so to speak, with the CISO or someone in his organization. And, you know, when you're doing that, if you're up, up against your CISO, you don't want to be in that position when they are your boss. If he or she is someone that, you know, has that influence over you, it's a lot harder.

Alyssa Miller:  Sure, you know, any good leader should allow you to bring differing opinions but there's times where that can be problematic and it's still, that undertone is there. So, I think that's one key thing. I think giving that visibility, like I talked about already, to the board, to the executives is important. But then the other-- you know, if there's any other secret sauce to it, I think it's really-- it's something we're not-- we don't do well in security and that is, where I talked about it before, being able to provide linkage to the business value that security brings. And I don't mean managing risk. Whenever security tries to, you know, we try to establish our value, we always talk in terms of risk and it kind of-- that's where we get a lot of the old style FUD conversations where we're just trying to create fear and whatever. But the bigger issue is when you're talking about risk, yes, your executives are interested in risk and that is a part of the conversation, but it's also kind of an intangible thing and we all know that, you know, at the end of the day, money talks.

Alyssa Miller:  So, if you can tie what you're doing into revenue streams, into actual true enablement, which is a word too that's getting overused right now, you know, but by enablement, I mean actually helping create revenue and showing that direct linkage between, "We're going to do this in security and it's going to mean that you can do this from a revenue generation perspective." That's enablement. Or, "We're going to do this thing in security and it's going to open up this new line of innovation," which then indirectly becomes an avenue into revenue. That's what your CEO is looking for. That's what the CEO wants to hear about more than risk, more than anything else. By the way, your CFO kind of cares about that too.

Natalia Godyla:  [LAUGHS] Just a little bit.

Alyssa Miller:  Your marketing, your CMO, they're, they're kind of there too. So, you know, I, I think, all of that is-- That's the real secret sauce that I think even, you know, as security practitioners, BISOs or otherwise, we just-- we really need to get better at doing.

Natalia Godyla:  To your first point, I can understand how it might be challenging to interact with the CISO and, and progress change if you're operating in that org, but I think operating in that org also changes your incentive. So, I think you've had a really unique opportunity to think more about the business because the CTO thinks more about the business. Do you-- Has that had a really big impact on how you viewed the role of security moving forward and, and maybe abstracting that even beyond just rolling up to the CTO, how has being a BISO changed your perspectives on security strategy?

Alyssa Miller:  So, I think, honestly and this isn't me tooting my own horn or something but it's actually reinforced something I was kind of getting there anyway, which was this idea of how do we do better in, you know, connecting to, to revenue. This is something I've been giving talks on for the last couple of years, which is why I say that. So-- But it has given me new context and it's also given me the ability and some affirmation because I've had the opportunity to put it into practice. And I've actually seen the value it brings. I've seen it accelerate things within our business. I've seen it influence and where I've been able to be an ally to both the CISO organization and to the business. I mean, that, that to me is, like-- That, that's awesome. So, it, it's taught me a lot about that. It has given me the opportunity-- It's definitely shaped me in terms of just being able to get a, a real view of what it feels like sometimes when you are dealing, and I've been there before way back in my past but I've been focused on security for so long that I kind of lost perspective on what it's like to be on that business side when you've got a security org telling you, "Well, we need to do this, this, this," and you're like, "Wait, that doesn't even make sense, why would we do that?"

Alyssa Miller:  You know, and it's because they don't have that visibility, they don't see why-- you know, what they're pushing sounds great to a security practitioner and it-- you know, it's right on paper until you try to apply it to the business and what the business is doing then suddenly it's, well, wait, this isn't the right thing. And so, being in a position now where I can leverage the fact that I do have that, that perspective that those security people have but, you know, sometimes I can be their worst, their worst nightmare because I come with that knowledge, but I'm, I'm fighting for the business in these cases. And, so, again and not to make it sound adversarial 'cause it really isn't, but, you know, it-- I've had that opportunity now to be reminded of what that's like and to really take a lot of the things that I've been saying and put them into real practice because I'm not a consultant anymore, I'm not working for a vendor anymore.

Alyssa Miller:  I'm in the trenches doing this. So, I have to, you know, move out of just, "You should do this," to, "Here's how we're going to do this."

Natalia Godyla:  So, for those who are still thinking about security in terms of risk and not revenue, do you have an example you can share of, you know, how you framed a problem, a security problem around revenue and tried to make that change in the business? Just to help people contextualize how they can have that conversation and tackle the problem that way.

Alyssa Miller:  Sure, yeah, a, a great example I always talk about is I was doing work with a company that is an IP company, so they're all about intellectual property and intellectual property protection. And they have this-- a milestone in their process where private information that's IP now becomes public information, and so it would get published and they were moving their on prem systems to the Cloud and, you know, part of that, they were trying to figure out, okay, how are we going to, you know, how are we going to make sure this Cloud's safe, and, you know, they-- we're really worried about this environment 'cause we have all this really sensitive non-public information that we have to protect and so, one of the things we were talking about was this idea of implementing a CASB solution, you know, a Cloud Access Security Broker, I believe, whatever it stands for. Who cares? CASB, that's what everybody knows. But, no, seriously, we were talking about implementing this and I'm like-- you know, we started to draw the parallel of, hey, we're going to implement this CASB thing, not only does this help you because you can now, you know, control your internal users and where data flows and whatever, but you could actually create a really cool online service that you don't have today, that that's stuff that you publish right now, that kind of goes out into archives in paper form, imagine creating a subscription service where people could have access to a space in your Cloud where that stuff goes and it's protected, you know, and all this.

Alyssa Miller:  So, we actually tied this new revenue idea to launching this CASB solution as part of their Cloud migration and it was effective. And they did. I mean, they actually launched it-- launched that as a product offering, they designed it into their, their Cloud transformation strategy and it became reality.

Natalia Godyla:  Switching gears a little bit, but I'd love to pick your brain on some of the, like, macro questions around security. You know, as a, as a BISO, what are you seeing as some of the biggest concerns right now in security? What, what emerging threats might be on mind for you? Or any, maybe, broken best practices that you just wish we would stray away from?

Alyssa Miller:  We are so bad at hiring in security, it's mind numbing. And it's funny to me how many people will argue against me on this. Like, a lot of people see it. There's a lot of people out there talking about job descriptions are awful, you know, we've got job descriptions that are calling for, you know, ten years of Kubernetes experience. When did Kubernetes come out? You know, like, my god, seriously, it's not been around for ten years.

Natalia Godyla:  The reqs are almost meme-worthy at this point, and I think that is, that is what people are tearing apart on security on Twitter right now.

Alyssa Miller:  It is. But then here's the thing. Like, I will-- I actually just put a tweet out there the other day about here's some rules to follow to make a better job description. And one of them was, don't-- in your job description you have that requirement section, like, which-- these are-- should be your hard requirements, these are the things you absolutely have to have, if you don't have these, we're not hiring you. Then you have the preferred qualifications. What I said was, "Don't put a technology in your requirements section." 'Cause how many times do we hear security leaders, "Oh, I can teach anybody the technology, I want them to have passion, curiosity, all these things," but then we don't practice that. And we insist-- we drop these, you know, 20-bullet-long lists of requirements that include things like a degree, a certification, whatever. Are you really going to not hire somebody if they don't have those? Then that shouldn't be there.

Alyssa Miller:  Okay, let's say your SOC uses Splunk, so you come in-- you know, have somebody come in who's, you know, got a really strong, you know, capability for working in an environment like that where they're, you know, processing stuff in a real high-stress, real-time environment but maybe they've not used Splunk before, you're telling me that you wouldn't want them in your SOC? Like, yeah, you would, and you'll teach them-- you'll let them learn Splunk. And, honestly, as we look at studies that have been done on this, the onboarding, the time spent onboarding a new resource is not spent in teaching them the technologies that you're using. The time that holds or that extends that onboarding is dedicated to things like learning the environment, learning the business processes, navigation of the organization. Those are the things that create long onboarding cycles, so if you think because you got some unicorn who matched up to this laundry list of requirements of all the technologies that you use, that they're suddenly going to come in and be able to hit the ground running even faster? You're looking at the wrong evaluation.

Natalia Godyla:  I-- I'm just so intrigued by one of the statements you said earlier, that I, I want to hear your take on it a little bit more. So, the, the term "resilience" you hit on a little bit earlier, I'd love to hear what do most people think resilience is and what do you think is the real definition? Like, what's the gap between those two?

Alyssa Miller:  I have no idea sometimes what people think it means, quite honestly. I, I hear people spout it out and then I'm like, you know, then you hear what they're talking about, so, wait, this-- Uh huh. To me, resilience is that thing of understanding-- we've said this in security for years, you'll get breached, it's not if, it's when. Right? How many times do we say that? Okay. So, if you just say that to an executive, are they going to want to spend money on more security stuff if you tell them, "Well, it's not really going to be effective anyway, we know we're still going to get breached." "Well, then what value am I getting from that?" The value is in resilience, and the resilience is how do we limit the impact, how do we recover quickly and with the least amount of cost to the organization? And that cost can come from, you know, data breach, it can come from lack of availability, it's your resource cost in recovering, all those things. So it's kind of limiting that blast radius and being able to actually get back to business as usual quickly.

Alyssa Miller:  That's what we're talking about with resilience, you know, and that can be at a very micro level, we might be talking about, you know, a system that is being DoSed and it's able to respond to that, react to that, end the situation maybe because we've got some type of DoS protection in place, or it, you know, it, it drops that container, it spins up a new one, or something, whatever it's doing. You know, however it ends that, it comes back and it-- you know, the faster we can recover not even from a breach but just even recover from an attack and, and that attack, that's what we're talking about with resilience. Because we know the attacks are going to happen, we know sometimes they're going to be successful, so we have to build that knowledge in and be better at how we're going to detect, respond, all the things we see in the CSF, right? How do we do all that? And I just-- I don't hear people connecting that oftentimes when they talk about resilience. They talk about resilience as, well, we need all these controls in place. Well, those are defensive controls, that's one element of if we want to use the NIST CSF as an example, detect-- you know, defend is one element.

Alyssa Miller:  Let's think about all the other parts of that. And that's where we start to see true resilience and unfortunately some people get it, a lot of people still don't seem to yet.

Natalia Godyla:  You know, it seems like the, like the depth of the approach to the resilience concept, you've got the-- at the highest level you have just a few discussions on the controls but if you really fully think out the whole thought process around resilience, that's when you start to have the concept that you just shared. Before we jump off here, I wanted to end on a little bit of a happier note. So, you know, what, what gives you hope in security? You know, what have you seen in emerging trends that makes you feel good about the direction that the security industry is headed?

Alyssa Miller:  What we are doing to bring people up in terms of skills and so forth from, you know, the academic space and so on, I mean, we've got graduate programs in cybersecurity. They're doing open source security research. I mean, there, there's labs at various universities who are grabbing just, you know, projects off of GitHub and doing security research against that. It contributes back to the community, it provides these, you know, graduate students with real world experience that really enables them. And, you know, that's just one example of a lot of the things we're doing. We are seeing some insanely creative stuff in this space. I mean, just today I, I saw a video, some mom recorded because her kid got in trouble at school, he, he hacked into their Wi-Fi network, and not just of the school, of, like, the entire school district and was, like, switching the internet connection on and off whenever he wanted a day off of school. And I'm like, you know, think about that. Yeah, that, that's the kind of thing-- I know everybody-- you know, like, the mom was mad and the school called the police and all this wild crazy stuff, but there's a certain level of brilliance in that as well. And I, you know, I think the school's trying to do their best, like, they, they didn't suspend the kid, they didn't-- I don't know how much trouble he did get into but, like, they're putting him in programs and projects where he can expend that creative energy.

Alyssa Miller:  So, I think we're seeing, you know, even mainstream start to understand that, like, there-- and, and maybe it was misdirected but there is some really useful skill in someone whose mind works that way and was able to do what he did.

Natalia Godyla:  I feel like that brings us right back around to the beginning of this conversation. As you were saying, you know, you, you didn't know that security was a path that you can take and here there is this brilliant kid who, who is hacking at the same age you were. But what's different is people can set him up for success now, really early on. They can point him in the right direction and let him use those skills and that creative energy, as you said, which I agree, it's just-- it's such a great testament to the way the industry has matured. Well, Alyssa, it's been fantastic to have you on the show, I really appreciate you joining to talk to us about the BISO role and your background in security.

Alyssa Miller:  Yeah, well, I really appreciate you having me, it's been an absolute pleasure.

Natalia Godyla:  Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.

Nic Fillingham:  And don't forget to tweet us at @MSFTSecurity or email us at securityunlocked@microsoft.com with topics you'd like to hear on a future episode. Until then, stay safe.

Natalia Godyla:  Stay secure.