Mastering the role of CISO with Todd Fitzgerald

August 7, 2024

What are the essential principles for successful CISO leadership? In this episode of Secure Talk, Justin Beals, founder and CEO of Strike Graph, sits down with cybersecurity expert Todd Fitzgerald to explore this question. As the author of 'CISO Compass' and the newly released 'Privacy Leader Compass,' Todd shares his journey from a computer programmer to a cybersecurity leader and touches on critical topics from his books. The discussion delves into the evolution of the CISO role, and his approach to CISO strategy, including different methodologies such as incident-driven and vision-driven approaches.

Todd also provides an insider perspective on the renowned SolarWinds hack and the lessons it offers for improving security measures. With over 20 years of experience as a Chief Information Security Officer, Todd's insights offer invaluable guidance for navigating the complexities of cybersecurity leadership.


Secure Talk - Todd Fitzgerald

Justin Beals: Hello everyone, and welcome to the Secure Talk podcast. We're very glad to have you joining us today. We have an exceptional guest to chat with, a deep expert in the topics we're going to review. Todd Fitzgerald is joining us today. Todd has worked as a CISO, a chief information security officer, for over 20 years at a variety of different organizations.

He teaches cybersecurity leadership at the McCormick School of Engineering and is the vice president of cybersecurity strategy at the Cybersecurity Collaborative. And Todd has a couple of books that we'll be chatting about today. One of the books is CISO Compass: Navigating Cybersecurity Challenges with Insights from Pioneers.

And Todd, you have a new book just released in 2024, the Privacy Leader Compass, a prolific amount of work. My friend, that's a lot. Thank you. Welcome to the podcast today. We're really glad to have you joining us. 

Todd Fitzgerald: It's great to be here. This is an area that I'm really passionate about and glad to share information.

Justin Beals: Todd, tell us a little bit about your early formative experiences, maybe before you settled on a career. I'm always a little curious how you might've been entranced with technology or security or any of the topics that you work in today. And of course, there's a lot of us that didn't do any of that before we fell into a career.

Todd Fitzgerald: Yeah. Well, I'd like to say it was all planned from when I was in kindergarten, but it didn't quite work that way, but it's funny. I always tell people, when you look back, you can connect the dots. And when I was in college, I started off as a mathematics major. Then I got to calculus and I didn't like that.

So then I became an accounting major. I got to tax accounting and I thought that's really boring. And so then I was a business administration major, got out of college. My first job was as a computer programmer. Did that for a couple of years, then became a DBA. And then I decided I was never going to be the best DBA.

And so I thought, well, maybe I should manage DBAs. And I was managing DBAs and data modelers. And then that changed into security a bunch of years later. And that's kind of how the path took. But as you mentioned,  I'm also a writer and I write books and I go back to when I was in the third grade, I got a typewriter for Christmas.

And it was one of these old black Royal typewriters with a ribbon and everything. And I used to type stories, and I had a couple of friends and we created this imaginary club called the FBI club. And we would go down at recess and at lunchtime in the woods behind the school, and we would find these fake criminals, and I would write these stories on my typewriter that we would use as a basis to go find these criminals, and I would type them out.

And now that I've had kids of my own, I realized why my parents bought me a typewriter in the third grade, because I was always on my father's typewriter. And I think it was a way to get me off of his typewriter.

Justin Beals: Yes, I could see that, like the fake cell phone, because your child is always trying to grab your phone. That's right. Yes. No, that really resonates. I was interested in computers at a very young age. The first time I saw one, I wanted to take it apart and figure out how it worked. And my degree is actually in theater, although I went right back into technology for a career.

So it takes interesting curves, doesn't it? Yeah. 

Todd Fitzgerald: Yeah, it does. And I was in every spring and fall play from seventh grade through high school. So I had an interest in drama as well, which to this day really helps me because I do a lot of public speaking around security. And so I think a lot of those lessons learned there really helped me.

But I, I was also interested in the technology and I built a couple of computers. And I think everybody does that kind of in the beginning. Let's see, you want to see how everything works. And these days we, I don't know that people are building many computers because they're so cheap, but I had some of those.

My first PC was an Apple II Plus. And I tell people this, I can't believe I spent that much for it. It was $5,800, and that was decades ago. Obviously, when you look at what you get today for what you got then, it is a totally different story.

Justin Beals: Yeah. The first computer I owned on my own. I didn't buy a car. I bought a computer. It had 20 megabytes of hard drive space. And that was considered expensive at the time. So, but you became, you know, looking at your LinkedIn, you became a CISO back in 1998. That's early days for even the role of a chief information security officer.

Todd Fitzgerald: Yeah, absolutely. It was a great experience.

And what's funny about that time is I didn't realize it was early days. It didn't feel like early days to me because people had been doing security for a while. It's just that we really didn't start to have that role, and I feel fortunate to have been where I was at that time, because I wrote the first professionally recognized book.

It was published by (ISC)², who creates the CISSP credential. I wrote a book called CISO Leadership: Essential Principles for Success in 2006. When I was doing the CISO Compass book, I thought, well, I'll just rewrite that one. And it was a total rewrite and the book is twice the size. So it just tells you where we've come to.

Justin Beals: Yeah. Well, back then in '98, you were pretty alone. There were only a few in those types of roles, only a few businesses that felt they had a risk profile that might've invested in that type of role. But today in your book, CISO Compass, it's littered with, I think, over 75 of these stories, which I found incredible.

It's not just your opinion, but there's an amalgamation of a lot of your peers in this book.

Todd Fitzgerald: Yeah, it was. So when I wrote this book, I was actually under contract to write it for a couple of years. And that was because there was nothing in the market that put the structure around what is this job?

What is the job of a CISO? What are all the things that need to be done to be a successful CISO? And so I wrote the book, and so it's not just a collection of stories. I didn't want it to be, let's get a hundred people together, write a hundred things and call it a book. It's actually written as a roadmap, and then we infused into that these gray boxes about different topics. Think of it like a job interview: what was the situation? What did you do about it? What were the results? What would you do differently next time? And that's what I challenged key people in the industry to write about, things that they were passionate about.

And that's what they did. And so what's ended up is now we have these perspectives of people on a whole host of different topics that we're dealing with. And then what we've done since then is, I also have a podcast called CISO Stories that actually started off with the idea that, well, why don't we take these gray boxes and have that person talk for 20, 25 minutes on that particular topic, if somebody wants to learn more. I think it's so important that we learn from other people, and maybe that's the thing I realized early on in my career. I know X, but there's a lot of other people that know other X's. And so it's only when we put all those together that we leverage from each other, because we've all had different experiences.

Justin Beals: You're right about the book. It's not a survey book. It's not a chapter by an author where you've edited them together. You have a very specific perspective on what the role of the CISO is, how to roll that out practically as a contributor inside the business. And then it's supporting evidence from people that have been impacted by some of these decisions as CISOs in other organizations.

Yeah, absolutely. Specifically, one of the things I noticed in the CISO Compass book is that a lot of the material is about the business side. I have to imagine that a lot of people moving into the role of CISO have been very technically focused on security specifically, whether it be red team type work or securitization of processes or dev security operations.

And now they're moving into this leadership role. And it seems like you're introducing the business of security for these individuals in the book. 

Todd Fitzgerald: Yeah. And I think that we all get to those leadership roles because of something that we did well, technically, and that's a whole different skill set. When now we're managing all these projects, we have all these stakeholders.

We're trying to satisfy everybody. I remember years ago, I gave a presentation at RSA. They were experimenting with these 20-minute presentations. How do you give a presentation in 20 minutes? And so I came up with this title: Do you want to be a techie or a CISO? And my challenge to the group, to the attendees, was: I want you to decide in the next 20 minutes which direction you want to take in your career. And I had several people come up to me afterwards and they said, thank you so much. And the reason is because I think a lot of people waste so much time in their careers trying to figure out which way they want to go, and life is only so long. And so if you're going to go the techie route, that's fine.

Then, that's going to take you down a certain path. You need to learn the deep technical expertise that's required for that. If you want to go the leadership path, well, then you're going to have to leave some of those technical competencies behind and pick up the other skills that are needed.

Justin Beals: Yeah, it's a tough balance. And especially as I work with software developers, senior software engineers, sometimes I say, look, you're at the crossroads, right? You're kind of either going to be a deep expert and an individual contributor, but at a very important contribution level. And that's fine.

That's because you don't want to, maybe, manage other human beings, or you're going to move into a management role. And there's a habit of contributing code that doesn't always come in if you're not practicing it every day. Then you'll lag and it'll be really hard, and you'll need to move more of that management work.

Yeah. One of the parts of the book that really was interesting to me, and if you'll permit me, I'm going to quote it, was the four different methodologies of devising a strategy as a CISO for an organization where you've joined. The four of them are an incident-driven approach, a pre-planned, systemic, top-down, vision-driven approach, the structured bottom-up cybersecurity approach, or a toss-a-softball-in-the-bushel-basket unconscious approach.

Let's talk about the ones we don't like so much but happen all the time. The incident security approach. Tell us a little bit about how this comes to be, Todd. 

Todd Fitzgerald: If you look at a lot of organizations, they may have a security program. They may not have put much investment into it. An incident happens.

And so everybody scrambles around, and they fix the problem. And then they move on to the next thing. So they really don't have this continuous program, but that's their strategy. We end up having a strategy, whether we formally document what that strategy is or not; there's a strategy by which we're living. And the toss-the-softball-in-the-bushel-basket approach is, I remember as a kid going to the fair, and to get the big stuffy animal, you had to throw these three balls into the bushel basket. Well, they always bounced out, right? And that's what we do with tools. We get, oh, that's going to fix our problems. And so we get that, and we buy that. We put it in; we don't leverage the tool. We don't use all the capabilities of the tool. We don't train people how to use the tool. And so we don't get all the value out of it. And before you know it, we end up with all these tools in our organization that are underutilized.

Versus actually thinking through this, the top-down vision approach is the standard, where we're taking a vision, and we're mapping it to our mission, we have goals, and we have individual projects that are part of that security program. And we're very methodically thinking through that. The bottom-up approach is where we start to look at things like the technical infrastructure, and then we build up from that, and we start mapping those things to audit findings and to the laws and the regulations and then to the maturity of the security program. So, either one of those two may be our starting point. And it's actually okay.

Some organizations are going to start from the bottom-up approach. If you think of organizations, for example, that are using things like the CIS control method, where we're looking at those controls, and you're looking at infrastructure, and we have all these vulnerabilities and things that need to be patched, they're very IT focused.

But what I would say is that over time, what we want to be doing is getting to more of the top-down approach. We can start with the bottom up to fill in those gaps, but then we want the security program to be seen at that strategic layer and not just as an IT issue. 

Justin Beals: Yeah. And so often, it feels like the CISO is brought in to solve a problem because security is often considered a cost center.

So you're not looking as a business to necessarily spend money on it until either someone gets nervous enough about the risk landscape or an actual problem has emerged that has got to be taken care of. But then, as you do, if I were the CISO, you've got to be focused on that initial problem a little bit, you've got executive oversight that's expecting some type of quick solution.

And even if I'm doing bottom-up, where I want to take advantage of what we have in place, the top-down gives us scalability, right? Like, when we are top-down visioning out, we can get ahead of the problems, I feel like.

Todd Fitzgerald: Yeah, we can identify that, yeah, we're not just dealing with our, with our current situation and where that's at.

And to your point about a lot of organizations being that incident driven, Dr. Larry Ponemon did a study quite a while ago now, but he was looking at, okay, why are organizations getting a CISO in the first place? And most of it was either there was a breach or there were some regulatory compliance concerns, which are top-down type things. And so it wasn't that people said, you know what? I think it'd be a good idea to have a CISO. There's usually some other external influence that's creating that, because, as you say, organizations still see it as a cost. As much as we beat that drum that it's a business enabler, initially, I think it always starts out as a cost.

Justin Beals: Yeah, you have this phrase in the book. I really liked it. "Compliance cannot be used to show good security, but good security can be used to show compliance." I think the relationship between what you're doing and testing what you're doing is critical, really, in a lot of practices, but especially things that are impacted by technology.

Todd Fitzgerald: Yeah, the attackers aren't reading our company compliance reports and deciding whether we have good security or not. They're finding where the holes in the infrastructure are and coming in that way. 

Justin Beals: Yeah, I mean, I could say something like Agile software development is a great way to build product, but it's not going to build a great product, right?

Like it won't; it is a good methodology. It gives you a framework on which to operate, or, to your point on that bottom-up, let's do a gap analysis to something like CIS. It's not going to define the best operational security for an organization.

Todd Fitzgerald: It's interesting. You mentioned Agile. I teach an IT risk management course for Northwestern, and I had a guest speaker in this last week, and he was talking about IT project risk.

And we were talking about this very issue about Agile versus the Waterfall method. And I liked his approach. He was saying that, you know, when you're unclear of what you really want to do, you start off with this Agile approach and you get everybody in the room to do that. But once you've figured out what needs to be done, then you shift into this Waterfall approach so that you have a systematic process for actually delivering things, and then you come back to the Agile process. I thought that was a really good way of looking at it.

Justin Beals: Yeah. I've been dinged by my engineers sometimes for not following Agile too strictly. And I grew up in the Waterfall modality, and they both have their place, right? There's a time where, you know, being a little more focused on the next two days, week, two weeks of what I need to do is really helpful for getting that done. And there's a time when we need to know what's going to happen in a quarter and then the next quarter, and at least need to draw a line in the sand on what we're going after. Yeah. One of the questions I really was curious about, in some of the very large organizations that we've worked with in the past, I've seen a little bit of a shift.

We've heard about difficulty in scaling the CISO role, especially where there are kind of multiple business units running directly at achieving their goals. They have unique products and markets, and the teams might not as easily fit into that CISO strategy. Now, how do you consider a more federated approach to security management for a CISO at a very large organization?

Todd Fitzgerald: Well, I think when we get to the large organizations, the CISOs are more focused on the strategy component of things. I mean, they can't be into the level of detail the different business units need, but I think setting the direction. And if we think about what's the key role of the CISO, it's really as a risk manager.

And so if the CISO in those large organizations is setting that risk appetite, what's the tolerance for risk, and really getting executives to understand that across the business units, then you can have a conversation that spans business units, because you're talking about dollar loss. You're talking about what's the impact to our systems going to be, and that may be different depending on what that particular business is doing.

Some businesses may need to be up all the time. Other businesses may not. And so you can have that kind of discussion as to what's tolerable and what's not tolerable. 

Justin Beals: When I first started looking into building some product in the compliance space, one of the things that I was confronted with right off the bat was, what is the security posture that's right for the organization I'm attempting to secure?

What data do I need to understand what we need to do? And it was interesting. I think I was kind of like, risk is an old way to think about it. I wanted to find a new modality, but I wound up right back at risk analysis and saying, what do we need to do? It seems like the real scoping for security happens when we understand what risks we're confronted with.

Todd Fitzgerald: And it's very difficult. I think we're still struggling as an industry. And I think, to be fair, we're in an industry, a role, that's only been around for 30 years. If we look at the financial sector, for example, we've had accountants for over 100 years. So they've had time to have things like licensing requirements, CPAs, right, a set of rules.

We don't quite have those yet. We're still, we have frameworks. I know when I was writing about it in the book, I got to 13 frameworks and just decided to stop because there were so many, and then there's all these different issues we have to deal with. We have to deal with the privacy issues.

We need to understand what's going on with other incidents. The role has become so broad that, that we have to understand all these things. And we look at some of the new regulations. If we look at the SEC regulations, for example, that are talking about material risk, well, how do we establish what's material or not?

And a lot of our organizations haven't done that in the context of a cybersecurity incident, as far as what should be material. And so we need to think of those things before they become a material event.

Justin Beals: Yeah, the risk analysis space, as its own space, is very complicated. It starts out feeling pretty simple, but it quickly gets into some fairly arcane mathematics and logic, and I think it's got to come a little full circle, where we can share that knowledge that we learn about the risk profile with our other executives in a way that they can consume it.

Todd Fitzgerald: Absolutely. And I found in my experience, just working with some executives that I know, some like the very quantitative methods, and I think we're being driven to that.

But for a lot of executives, just getting an agreement on what's high, medium and low risk is going to differ by executive. So, we have to lay out what that means. What does a low risk mean? What is a medium or high risk? And I found it's actually better to center the conversation around the likelihood and the impact and not talk about what the risk is, because you derive that from those two parameters. Then you can talk about what the resulting risk is. And then you can have a debate around, should that be higher or should that be lower, but at least you're getting the executives to focus on impact and what's the likelihood of that event occurring.

Justin Beals: It's a clear signal, if the discussion is just roaming around, that you haven't kind of driven to enough precision to have an answer, right? And I like the likelihood and impact modality as well, because people can hold that in their mind a little bit as they analyze it relatively. Yeah. In the strategy portion of the book, you use McKinsey's seven S's, which I thought was bringing in a business framework to some of this effort, really interesting to learn.

But there were three that were top of mind. I felt like you were very practical. It's the strategy, the structure and the systems in designing kind of a CISO impact. Just help us understand how you think about those three elements. 

Todd Fitzgerald: Yeah. So the McKinsey framework, this is what I wanted in first putting this book together: I wanted structure.

I'm an organized type of person, and I wanted a way to look to see that we have a good program within our organizations, and this goes beyond frameworks. Frameworks are primarily about controls, right? They're put into systems. Well, the McKinsey framework was actually developed many, many decades ago, and it was when two consultants were going out, or McKinsey was going out, to organizations and saying, well, if you get the structure of your organization, you'll achieve your strategy. And Tom Peters, who's a management guru, and George Waterman said, no, that's not the case. There are actually seven things that you have to get right to execute your strategy. And so we took those seven S's and mapped those into the cybersecurity things that we do, because aren't we really trying to be an effective business? So we're actually a business within a business.

And so that's why this becomes so powerful, bringing those things together. So, the structure of the organization deals with reporting relationships; what are the functions that the security team needs to deal with? The systems piece is those IT processes and routines that we use in our organization, not just IT processes or routines, but what are all those things that we use? For example, the CISO has tools of risk management, control frameworks, and then leveraging incidents.

And then we look at style. How do we relate with our board and our executives, staff? How are we rewarding our staff and evaluating our staff? Skills: how are we training the right skills in the organization? And then shared values: what are all those things, the glue that brings that culture together? And that's a lot of policies, procedures, data protection, laws and regulations.

And so that gives us a holistic view to look at the organization. And in the systems piece, we tend to focus on frameworks, risk management. But I added this leveraging incidents in there because I think it's really important to look at incidents, their own incidents and then incidents that are external, and say, what can we learn from them?

We don't have to crash the car to know what kind of damage it causes to the car, right? But we can learn from other people as to what went wrong in that situation that we can learn from. 

Justin Beals: And certainly in the startup world, there's lots more failures than there are successes, and you're really trying to drive lessons learned into the next initiative every single time.

It's a precious bit of work, but I understand talking about incidents can be a little scary and demoralizing sometimes and just create fear, but it's not meant to do that, right? I mean, it's to give us an opportunity to respond.

Todd Fitzgerald: And there's so much information out there about what happened at these organizations that we can learn from. We've had the high-profile breaches, but even other breaches as well.

We can learn different things from each of them. 

Justin Beals: Yeah, we're seeing a lot more impact to what I would call middle-tier, maybe thousand-employee or similar-size types of targets, that need a similar type of support from a security perspective. Speaking of that security support, one of the things that I think has really shifted in this work is that this is a very horizontal business function, right?

This is what used to be IT security; cybersecurity was the focus of the CISO more than anything. But today I see it impacting everything from education of staff, financial processes, through to cybersecurity itself. It's really broad.

Todd Fitzgerald: Yeah, absolutely. And again, that's why this role has expanded so much because it's across the whole organization.

And I think there was another big change that happened, and this was the ransomware attacks, NotPetya and WannaCry, that we had in 2017; I think they changed the game. Because you used to hear this all the time: well, I don't have any information that the hackers would want. And I started to think about that and developed this mantra: it doesn't matter what data you have; it's the fact that you want your data and you need it to run your business and you don't want it disclosed. And that's all that it requires. And the attackers have figured that out. So we have the ransomware and the double extortion attempts. And because of those components, every single business is now a target.

Justin Beals: Yeah, it's the hostage-taking. Yeah.

Todd Fitzgerald: Yes, I need that data to run, and if you lock it up, and I pay and I get the keys back, and if I'm dealing with somebody that's, we're dealing with criminals, right? Then the next step is, well, I wonder if they'll pay us not to post somewhere the data that we exfiltrated. So, that changed the game for every single organization.

And I don't know that some organizations recognize that, or if they do recognize it, if they're investing the same amount of money, understanding that, what would that cost you? I remember the old saying during the business continuity, disaster recovery focused days: if your business was offline for five days, you were essentially out of business.

And I think for some organizations, that's actually pretty true. If there are other products that could replace you. 

Justin Beals: The ransomware attacks have been such a lucrative marketplace that I think we've talked a little bit on our podcast about how we're seeing this move from a nation-state type movement to almost startups themselves from the attacker, the threat landscape, perspective. We saw LockBit back online a week after their takedown.

Todd Fitzgerald: Yeah. They came right back, and it's a business to them. They've got the whiteboards, the cubicles, they're figuring out their strategies, just like we're figuring out our strategies.

Justin Beals: Yeah. So, I'd love to talk a little bit about your other book, the Privacy Compass, work that you've done. What inspired you to write another, well, you're obviously motivated to write, but another topic that needed some very specific information?

Todd Fitzgerald: Well, it's interesting. When I was writing the CISO Compass, I ended up with about 50 pages of that book about privacy. And I have also been teaching privacy to security professionals because I think it's an important thing that security people need to know. And so with the structure of the CISO Compass book, of building a good security program within our organizations, since that model was so successful, I thought, well, why don't we pivot this to the privacy leadership, because that's a whole other related discipline.

Just as important. And so I partnered with Dr. Valerie Lyons, who has a PhD in privacy and has also run cybersecurity for a bank in Ireland for 15 years. And she's also the COO of a privacy and cybersecurity consulting company. So we partnered together, and we reached out to close to 65 other contributors, and it's kind of a who's who of privacy that we reached out to, and they were glad to contribute to the book and give their perspectives. Just like we did around cybersecurity, we've done this around the different aspects of leading a privacy program.

It's a book for privacy practitioners as well as cybersecurity practitioners. So it was a great complement to the CISO Compass book.

Justin Beals: Yeah, they're closely related work. However, it feels to me like the privacy space can be much more regulation focused, and also kind of best practices.

What is humane in the way we want to treat each other and the data we store about each other, is that correct?

Todd Fitzgerald: Yeah. And what we see a lot, and we've done some workshops around the book as well. And there's, there's a lot of people in the legal profession that are in privacy. And what's different there is that a lot of the lawyers understand the law, and what the requirements are, but not necessarily how to make that happen in, in implement that. And so. 

What this book does is it takes it from the regulation of what you should do and says, well, this is how you do that. This is what organizations need to do to be compliant with these laws.

So if you want the law, you can read the regulation itself, but this brings it, just like the CISO Compass does for cybersecurity leaders, so that the people that are having to build these privacy programs to comply with the laws can execute on that.

Justin Beals: I think it's super helpful, because oftentimes I've seen a lawyer that understands privacy quite well.

They understand the law, and maybe they write an internal policy, but it kind of ends there, right? It's not part of the fabric of the culture.

Todd Fitzgerald: Yeah. I'm glad that you state that, because it has to be something that's going to be operational, just like we have to have security controls that meet our own environments and aren't over the top.

Justin Beals: Well, Todd, I have really enjoyed reading CISO Compass. I'm excited to read the Privacy Compass now. I read a fair number of books that are high on theory, but not necessarily pragmatic about implementation. And what I loved is that, in reading the books, I felt like I really understood how to roll out these programs at multiple scales of an organization.

One thing we always like to do on Secure Talk is review a breach a little bit. And this one is a little long in the tooth, but there are still a lot of discussions about it. And we thought that it's a large enough impact, especially with your experience, that you might be willing to discuss the SolarWinds hack with us a little bit. Does that sound good?

Great. So I'm just going to provide a little background information. I think many of us have heard of it, but just so folks know: SolarWinds is a major software company based in Tulsa, Oklahoma, and they provide system management tools for network and infrastructure monitoring. They also offer other technical services to hundreds of thousands of organizations around the world.

It's quite a pervasive solution. And one of the company's products is an IT performance monitoring tool called Orion. Since it is an IT monitoring system, SolarWinds Orion has privileged access to IT systems to obtain log and system performance data. It is that privileged position and wide deployment that made SolarWinds a lucrative and attractive hack.

And we have in the SolarWinds hack what's commonly been referred to as a supply chain breach. That to me means that they were able to inject malicious code into the software supply chain. Is that right, Todd? Are we thinking about how this was perpetrated in the right way?

Todd Fitzgerald: It was during the compiling process, and I did have the opportunity to interview Tim Brown, who was the CISO for SolarWinds at the time of the breach and who is still the CISO. And for those listeners that aren't aware, he's been charged by the government with fraud and so forth.

I'm not sure where that case is going to go. I think the courts will have to sort all that out. I think what's interesting about this case, in some of the things I learned from Tim Brown, is that at the onset of a breach, there's a lot of misinformation that gets put out there.

For example: it was put out there that they got in because an intern had created a password of SolarWinds123. Well, when I was talking with Tim, the story from Tim's side is no, that's not really true. Yes, there was a spreadsheet that was out there with that password on it that was created by an intern, but that was done six months earlier, and it had nothing to do with the breach.

But the reporters had tied it to the breach, and were trying to make a statement about weak security controls. They also interviewed a CISO and got some information about that. My understanding is that that CISO hadn't worked for the company for five years, because Tim had been in that position.

And so I think we all have to take an objective view of this. I have another friend who was tracking SolarWinds articles, and he was up to like 3,000 articles about SolarWinds. I think it was an attack. I think it was actually pretty sophisticated. I know that gets said a lot, but it was somebody that knew what they were doing as to when to inject that into the code.

What I can tell you, what they've done since that time in some of the lessons learned, because I think that's what we probably should be focusing on, is that SolarWinds had their own internal SOC when that incident happened. Today, they have three SOCs, and I believe two of them are managed externally, and so they're doing multiple verification processes on that code as it's going through the system. They've tightened down those controls.

And I think that's the unfortunate thing about incidents, that the investments always get amped up after the incident, right? Because they knew that they needed to. According to Tim, and I don't know if this is still true or not, they kept 92 percent of their customer base because they were trying to be forthright with what happened.

So, I think those are some of the lessons we can take away: you're going to have to make some extra investment. You're going to have to reach out to your customers and take that time and explain what happened.

Justin Beals: Yeah. I don't wish any ill will to someone that's going through this. And also we know that we're all a target on some level, and I think sharing our experiences is an opportunity for all of us to improve a little bit on what happened. And it does seem like the injection into the build process is quite unique, right? Like I could see a social hack allowing for some code into your concurrent versioning system and then four controls around production release.

But this seems to have been someone that was quite methodical in the way they understood production code releases in SolarWinds. So there was some access and intelligence for a while before the hack was even perpetrated. And I think they had access to systems for almost 14 months before they were realized. That takes a lot of post-intelligence and planning, or non-detection.

Todd Fitzgerald: Yeah. Hackers are patient. If there's a big payoff, you know, if I told you we've got this 50 million that we're going to split with each other, it's just going to take us two years. You might be up for that.

Justin Beals: Yeah. Todd, it has been wonderful to read your books.

I'm very grateful for them. Thank you for that. It's been amazing to chat with you today. We really appreciate you being a guest on Secure Talk, and I look forward to your future work. Thank you so much.

Todd Fitzgerald: Well, thank you. It's been a pleasure talking with you.


About our guest

Todd Fitzgerald, Vice President, Cybersecurity Strategy, CyberRisk Collaborative

Todd Fitzgerald promotes security/privacy leadership and collaboration amongst security and privacy practitioners by hosting the successful SC Media CISO STORIES weekly podcast, advisory board participation, and international speaking engagements. Todd also serves as VP, Cybersecurity Strategy, CyberRisk Alliance, and BluOcean Digital CISO Solutions Executive Advisor. Todd has authored 5 books, including the #1 best-selling (2019-2022) and 2020 CANON Cybersecurity Hall of Fame winning book CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (Taylor & Francis, 2019), as well as co-authoring the ground-breaking first professional-organization-published Chief Information Security Officer book, CISO Leadership: Essential Principles for Success (ISC2 Press, 2008), and has contributed to over 20 other cybersecurity books.

Named 2016–17 Chicago CISO of the Year, Todd's global multi-industry and Fortune 500/Global 2000 company positions include CAO Information Security & Technology Risk at Northern Trust, Global CISO at Grant Thornton International, Ltd, Global CISO at ManpowerGroup, and senior IT/Security leadership roles at Wellpoint/National Government Services, Zeneca/Syngenta, IMS Health and American Airlines. Todd earned a B.S. in Business Administration from the University of Wisconsin-La Crosse and a Master of Business Administration with highest honors from Oklahoma State University, and is an adjunct lecturer in IT Risk Management and Cybersecurity Leadership for Northwestern University.
