
February 1, 2023 23 mins

Episode 25: We speak with Scott Barronton, Chief Information Security Officer (CISO) for a large public manufacturing company.

Scott Barronton, a 25-year veteran of the corporate security space, shares his experience, from the early years of the field to the current and evolving threats and the modern techniques used by attackers.

Scott walks through different security frameworks, including the NIST Cybersecurity Framework. His advice helps organizations understand both the technologies and the strategy needed to protect themselves for the long run, through proven processes, assessments, and awareness of regulatory changes in the security space.

About Scott Barronton:

IT leader with over 25 years of Information Security experience across a wide spectrum of Fortune 500 companies. He is skilled in Risk Analysis, Risk Management, Threat and Vulnerability Management, Privacy Protection, IT Security Compliance, and overall Information Risk Management. Scott has demonstrated success in addressing security risks from a business perspective and is recognized by his peers as having a balanced view between business needs and security standards.

LinkedIn:
https://www.linkedin.com/in/scottbarronton/


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Play the King (00:01):
This podcast is sponsored by OMI, the company
that makes CRM work.
Today, my guest is Scott Barronton, a global Chief
Information Security Officer at a large manufacturing company.
Scott, thank you for being here.
I'm excited to talk to you.
Can you just start by, you know, usually you see three
letters in the acronym in the C-suite.
You have four, so you must be extra, extra important here.

(00:24):
What is a Chief Information Security Officer?

Scott Barronton (00:27):
Hey, thanks for having me as well.
The Chief Information Security Officer is the person inside of
an organization that's responsible for everything
related to cybersecurity.
And, you know, I could have the three letter acronym CSO, but
generally that means that you're responsible for things like

(00:49):
physical security as well.
I don't have that responsibility.

Play the King (00:53):
And, and so that's interesting.
You deal entirely, I was about to say the metaverse, but that
is a very trendy, you know, new situation.
You have been doing this for a lot longer.
Give me a little more detail on that.
What does your job entail then?
You're not hiring the bouncers outside of the server farms, but

(01:14):
uh, but what are you doing?

Scott Barronton (01:15):
That's right.
So, you know, my team's responsible for protecting and
shielding the company from attacks that originate in
cyberspace.
So think of hackers, you know, our day-to-day job is to defend
the organization against those who want to launch some type of

(01:35):
attack against us, remotely.

Play the King (01:38):
Given the nature of the way the information has
changed in the last, you know, let's say, I don't know, maybe
even 75 years ago, maybe even 50 years ago.
In the last, say, 25 years, has your field changed?
What are some of the major things you've seen shift over

(01:58):
that time?

Scott Barronton (02:00):
So, you're right, this was not a thing 75
years ago.
You know, when I first startedin the industry, my very first
company wasn't even connected to anything outside of ourselves.
We were only connected from office to office, but there was
no such thing at that time as, you know, the internet and this

(02:20):
whole cyberspace.
So, 25 plus years ago, when I got started in this field, the
information security role was really about managing accounts,
passwords, access to mainframe, things of that nature.
I started while I was in college doing an internship.

(02:45):
And it was funny because at the time, the guys that I worked
with were old mainframers, and they would say, oh, give that to
the new guy.
You know, this is gonna be a fad, we'll always be a, a mainframe
organization.
It wasn't very long before those old guys were actually reporting

(03:06):
to me in a more holistic security world.

Play the King (03:10):
You provided a few notes to me before the
conversation, which were very helpful.
But there's one thing I want to see if we can dig in on you.
You said, you know, back then, you know, 25 years ago, you
could think like a pure technician, that's no longer the
case.
What does that mean exactly?

Scott Barronton (03:24):
Yeah.
So, you know, I like to say security's full of propeller
heads.
You know, people who think about black and white,
just purely the technical aspect of it.
But to be a Chief Information Security Officer, you have to
think more like the business, you have to.
I commonly meet with the top business leaders in our

(03:47):
organization, and they're not technical people.
So if I went and just started talking like a pure technician
to them, there would be no connection between us.
I have to understand the business and what the
business priorities are, and then align the technical aspects to

(04:08):
make sure that we're meeting those objectives.

Play the King (04:11):
Scott, can you take me through the universe of
risks that you are sort of trying to guard against here?
Maybe you could rank them even in terms of, a long shot, but
really bad to, hey, this is a typical everyday thing, it
happens, <laugh>, or you are dealing with corporate espionage?

(04:31):
Are you dealing with people who are trying to steal information
so that they can, you know, blackmail the company?
What are the risks here?
My imagination is kind of running, maybe you can bring me
back to earth.

Scott Barronton (04:40):
So you're not far off on all of those.
Definitely what we call insider threat or cyber espionage is
something that we have to deal with.
Matter of fact, there's multiple bad actors out there on the
internet today that will pay your employees a large sum of

(05:01):
money to gain access to your system.
So you think about our system administrators, you know, we
believe that we're paying our system administrators
appropriately for the market, however, someone comes and
offers them an opportunity to make a million bucks to get that
privileged access that they have.
So you really do have to watchfor issues like that.

(05:24):
There's technology that can help us to do that, but, it's a, it's
an emerging field.
From a day-to-day, the blocking and tackling of my world are the
things that we've been doing for ages, looking for
vulnerabilities in our systems or weaknesses that someone might
try to exploit to gain access, defending against cyber attacks,

(05:49):
where a bad actor's trying to gain access to our systems.
We do that on a daily basis.

Play the King (05:59):
I have so many questions I want to ask you, but
I guess just a real brief one, do you guys use ethical hackers
who, who come and say, we found some bugs.
Do you guys pay out a bug bounty for disclosing these to you?
Is that something you guys do or is that not really part of,
part of what we're talking about here?

Scott Barronton (06:16):
No, it's actually a real thing.
So, ethical hackers, you can either engage with them directly
and they do what we call a penetration test of your
defenses.
So they, you know, will try to execute, uh, different attacks
that go against vulnerabilities to see if they can capture the
flag.

(06:36):
And those are all well controlled activities that you
do with these hackers.
But then you also have people that are called researchers, and
those are not necessarily people that you've engaged with
directly, but they come to you and say, Hey, on this system or
this product, we found this security vulnerability that we

(06:58):
want you to be aware of, you probably want to fix this
because this is something we believe that someone else could
find as well.
Bug bounty programs, they're real.
I would say it's also an area that just recently everybody's
paying more attention to and scrutinizing and making sure

(07:18):
that all of this is above board and ethical, and whatever the way
that we reward these researchers for this type of work.

Play the King (07:30):
So I want to ask you about how organizations can
sort of beef up their information security, but
maybe we could start on the other side, which is how does
someone who's maybe interested in this field, how do they even
get started?
What is the path to becoming a Chief Information Security
officer?

Scott Barronton (07:46):
So, becoming the Chief Information Security
Officer is really working your way through the ranks, right?
And I would say anybody who wants to get into this space,
this is the time and opportunity to do so.
Even in the current culture, you know, last numbers that I saw is
there was about 2 million unfilled security jobs in the

(08:08):
industry.
So there's more demand for people than there are
experienced people to fill those jobs.
But, you know, in order to do that, I'd say for anyone looking
to one day fill the seat, it starts right now, just be willing
to say yes.
Right?
When you're asked to do something, take that on as an

(08:29):
opportunity to gain experience and make yourself more
well-rounded.
Often a lot of people are very experienced in one area of
cybersecurity, but maybe lack some of the other pieces that
aren't so sexy.
Anybody who's in the space will know writing security policies

(08:52):
is not the most sexy thing that you could ever do! However, it's
important from a Chief Information Security Officer
perspective, because the security policy is the
foundation on which management has set boundaries for the
company.
And so you're the enforcer of that policy.

(09:12):
And so I would just tell everybody, be well-rounded.
You can't be a hundred percent compliance focused.
You have to understand technology, and you can't be a
hundred percent technology focused.
You need to understand compliance and the business.

Play the King (09:30):
So I'm a soccer fan, and so the metaphor I would
use here, it seems to me like your job is sort of like being
the goalkeeper.
Like when everything's going well, nobody notices.
And then when things go wrong, it's all on you.
That's right.
Talk about that component of the job.
It seems like not just like knowing the how, but the almost
like the moral fiber or the, the ability to say, Hey, guys, look,

(09:53):
this is on me.
Or the buck stops with you, so whatever cliche you want to use.

Scott Barronton (09:58):
You're the manager.
Accountability

Play the King (10:00):
Yeah.
Can you talk about that?

Scott Barronton (10:01):
Yeah.
I preach accountability, with my team and within the industry,
really because at the end of the day, we're the ones that are
accountable.
So we have to be part fortune teller and look at the events
that are happening around us and say, boy, how could those affect
us?
And then, you know, also operating with switches.

(10:24):
So at some, some point in time, you know, cyber hygiene is a
hundred percent dependent upon you, right?
The hygiene of your organization.

Play the King (10:35):
Is that a cultural thing that you can
instill, or are you more, is there a way that you find when
you're hiring, when you're asking questions of prospective
people for your team like that, you're sussing out at that
point, or maybe it's both?

Scott Barronton (10:49):
Yeah.
So when I'm hiring, one of the things that I look for is just
kind of a natural inquisitive nature, always questioning and
asking the why behind things. That's so important for anyone
in security.
Because not only do you need to understand why and how things

(11:09):
work, but then you need to be understanding of processes that
are inside your organization and where the weaknesses are
inside those processes, not just the technology aspect.

Play the King (11:23):
So Scott, you, you know, your company is a very
large company.
What are some of the smaller organizations that you, that you
see, what do they get wrong when they're building their security
system?
What are some of the challenges maybe unique to smaller
companies?

Scott Barronton (11:35):
Yeah, I think one of the biggest things with
smaller companies, just because they're constrained with
resources, they often think the technology person that they've
hired can handle information security.
That's just not the case.
Matter of fact, we often have, uh, differing objectives in

(11:57):
front of us.
Think about the, if I compared myself to a Chief Information
Officer, the CIO of a company, one of the primary objectives of
the CIO is about uptime and availability.
And so at all cost, you make sure that your systems are up
and running.

(12:18):
Well, that's important to a Chief Information Security
Officer.
Matter of fact, it's in the triad of confidentiality,
integrity, and availability.
That's something that security's focused on, but it's only a
part.
And so we have to also think about confidentiality and
integrity of those systems as well.
And so often the desire is to get the CIOs to get things out

(12:43):
there fast and quick, not necessarily focused on the
confidentiality and integrity of those systems.
Hmm.
So, you know, giving that job to the technology guy, they're
going to often overlook the risk side of things.

Play the King (13:01):
Gotcha.
That's, that's really interesting.
You've been preaching, you know, also understanding the business
goals and North Star of the organization you're serving,
which obviously has some effect on the choices someone in your
role makes, right?
For how you protect the organization.

Scott Barronton (13:18):
Yeah, and I think you have to have that
North Star, if you will, the plan that you're executing
against.
And I use a standards-based framework for our information
security program, as I have in the last few companies that I've
worked for.
And basically, that plan is based off of an industry
framework, and we set our strategy based on where we are

(13:42):
and where we want to be.
If you follow those standards, you're going to address 90 plus
percent of all security risk that an organization may face.
So one of the things that I do is we do an assessment against
the framework.
We set forth our strategy or a plan over the next three to five

(14:04):
years, and we execute against that plan.
We don't change unless somebody can make a really good argument
of why we should be doing something different.
And I think that's something that small organizations
struggle with, they're very incident focused.
So something happens either to the organization or around

(14:30):
them, and then they go and look for technology or solutions to
meet that one specific need.
And so what they end up doing is spending a lot of money on
different tools, technology, but not getting really the
protection that they need and addressing the risks that are,

(14:50):
they're focused on their organization or their industry.

Play the King (14:55):
All right.
So let's, let's, let's turn the tables now.
What can small to medium size organizations do to avoid some
of these pitfalls?
How can they get better at this?

Scott Barronton (15:04):
Well, I think starting with a standard
industry framework and assessing yourself against that. We do
twice a year assessments of ourselves against our framework.
We want to see where we're making progress and where we need to
continue to adjust.

(15:24):
And then sometimes you look and you say, you know what?
The needs of our industry or the needs of our company have
changed, and this is no longer a priority for us, and we'll make
those changes, but we just don't do it on a whim.
And so I would suggest for small to medium sized companies that

(15:45):
you really drive your CISO to be focused around a framework,
it'll save you time, money, everything in the long term.

Play the King (15:55):
And when you say framework, I think there's one
that you, you mentioned in these notes so that I think maybe we
should mention this, it'll give someone listening to this.
Sure.
Something they can Google, that's the NIST Cybersecurity
Framework.
Maybe you could just say, what is it about that one that made
you wanna mention it? What should people be looking for when
they're evaluating?
All right.
Is this something we want to try to implement

Scott Barronton (16:16):
Here?
Yeah.
So for over the last decade of my career, I've been working
either with or around a financial technology company.
Our customers are all banks.
And so in the United States, the US regulators who oversee the
banks, they use the NIST framework.

(16:38):
And so I've built all of my assessment techniques and
capabilities around that framework to make sure that
we're meeting the needs that the bank itself is going to be
assessed against.
NIST is a great one because it easily maps to other frameworks
you might choose, like ISO or COBIT.

(17:00):
There's a, there's an easy mapping between NIST and those
other frameworks.
I would say it's not the specific framework that you
choose, because they're all good.
Just choose one and focus on that.

Play the King (17:15):
Gotcha.
And then you also mentioned that, even if your company is
not at a stage where you want to make a full-time hire, there are
solutions for a fractional CISO, right?
Someone who can do this, not as a full-time employee, but can
still provide a lot of value.

Scott Barronton (17:32):
That's right.
So if you're in a situation where you can't necessarily
afford to go out and hire a full-time CISO, there are
organizations out there now who are providing CISO as a service
or, you know, some kind of fractional CISO role where you

(17:53):
get a percentage of their time, they come in, they help you to
do this type of assessment, to create a strategy and plan, and
then help to oversee and manage risk, but they're just not a
full-time employee.
And you can get 'em to assist or help at a fraction of the cost.
And so for smaller organizations, that may be the

(18:16):
best path for you, rather than believing that the technology
person that you have on staff, or the person most familiar with
technology, often is the way it goes, is capable of managing
these risks.

Play the King (18:32):
Scott, I imagine someone in your role is
constantly thinking about what could go wrong.
What are the most pressing items in your opinion, the things that
are on the horizon that you're most worried about in this
respect?
What's keeping you up at night?

Scott Barronton (18:47):
Well, I'd say there's a personal and
professional aspect to that.
From a personal perspective, I'm seeing more and more
accountability laid on the shoulders of the Chief
Information Security Officer, we're seeing regulations that
come out that would really hold the Chief Information Security

(19:09):
Officer, your board of directors, maybe your management
team personally accountable up to and including, legally,
right?
So any type of criminal accountability there for actions
that they deem to put the company at risk.
And then I would say from just an industry perspective we're

(19:32):
seeing more and more regulations around the world that our teams
have to be aware of and make sure that we're, uh, that we're
meeting.
And it's, if you just take the United States alone, it's
different from state to state and, you know, and so that's
putting a huge burden on our information security teams.

(19:53):
And then, you know, if it, I said, if you've been under a
rock and you haven't heard about ransomware, it's not gone away.
We're seeing fewer companies pay ransoms now, which is possibly a
good thing.
But your organization, I would say, is just as susceptible to
ransomware today as it was two to three years ago.

(20:17):
And so, the hackers, the bad guys, they're constantly
evolving and changing their techniques, and you gotta make
sure that you're adjusting and changing with them.

Play the King (20:29):
One, one last question for you, which is, how
has this trend toward working from home changed things in your
field?

Scott Barronton (20:35):
It's actually changed the industry a lot.
I actually started, three and a half, four years ago, preparing
our company for the ability that our security controls would work
no matter where our employees were.
So if you're at home, you're in a coffee shop, you're in a hotel,

(20:55):
you have the same type of security controls, a lot of
organizations had more of a legacy mindset to that.
And so they required, or they had really good security when
you were in the office, or they required you to connect to a VPN
or something like that back to your corporate office to be

(21:16):
secure.
Well, when the pandemic hit and everybody was immediately
dispersed out of the offices and working from their homes or
wherever, a lot of companies really struggled because now
they needed to take that legacy architecture and make it to
where their employees were protected no matter where they

(21:38):
were.
And so I think we had the right, we had the right strategy there,
and so it wasn't really difficult for us to pivot to a
full-time remote workforce, but I know a lot of organizations did.

Play the King (21:52):
Scott, this has been really fascinating.
Thank you for the time.
I wonder maybe when, as you leave us, if you could suggest
something for people to read if they're interested to, you know,
or watch if they're interested in learning more here, could be,
uh, a publication that follows this field closely, a video that
is particularly good.
Like anything come to mind, a book, whatever it is that helps

(22:16):
people understand this a little better?

Scott Barronton (22:18):
I would say there is no shortage whatsoever
of resources out there for anyone who wants to learn more.
If you're interested in learning about, you know, the techniques
of attackers, then I would say sites like Bleeping Computer or

(22:40):
Dark Reading, those are all great sites that tell you about
current attacks and things of that nature.
If you're interested in learning more about becoming a Chief
Information Security Officer, I would say organizations like
SANS provide you that good rounded view of everything

(23:05):
that's involved with information security.

Play the King (23:07):
Fantastic.
Scott, thanks again.
Really appreciate your time.

Scott Barronton (23:10):
Yeah, thank you.