Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Eric Brown (00:05):
You're listening to the Audit, presented by IT Audit Labs. Gretchen, welcome to the Audit, which is a podcast by IT Audit Labs that you've heard about and agreed to jump on.
(00:25):
So thanks for coming on, and you have been a CISO for quite a while at a few different organizations. You were at Minnesota Judicial for a while and then you were at Metropolitan Council for a while as their CISO, and you've recently moved on. But what I thought was interesting about your time at
(00:45):
Metropolitan Council, you were also the Director of Infrastructure, which it's kind of like, I don't know, every CISO's dream to control both security and infrastructure, so you don't have to battle with anybody to get something done.
Gretchen White (01:02):
Yes, that is true. You only battle with yourself in the mirror in the morning.
Eric Brown (01:09):
So, yeah, what have you been up to? What do you do these days? What do you like about security, and is there anything in particular you want to talk about?
Gretchen White (01:18):
Well, I made a change from the public sector to the private sector, and my time with infrastructure, ops and security did help me realize that I really would prefer to be in the security realm. That playing both is good for a while, but not a position I want to be in permanently.
Sure.
Eric Brown (01:39):
There was a recent breach in Minneapolis, yes, Minneapolis Public Schools, and I don't know. When these breaches hit close to home, people clam up, and then you hear these whisperings about what happened, but nobody really says anything.
(02:00):
And then maybe you read something in the paper two years later about what happened, and to me it seems, not to go off on a tangent, but it seems to me, and Evan Francen from FRSecure talks about a broken industry in information
(02:21):
technology or information security, and he talks about just that concept that we're working in a broken industry. And to me this seems like one of those things that is broken about the industry, because we know there was a breach very close to home, but nobody ever talks about exactly what caused
(02:43):
the breach, which would be really helpful for people who want to make sure that the breach doesn't happen to them. Right, if the malicious actors are that close to home and reaching out to other schools and municipalities, you would think we would want to get in front of it sooner than later.
Gretchen White (03:02):
Well, and even this one, calling it an encryption event. That was a new technology to be used, so that was kind of interesting. One reason we don't always share with each other is because we know what our issues are before something bad happens. And when the bad thing happens, there's some piece of us that
(03:24):
has to go back and say I knew what I should do and I didn't get it done.
Eric Brown (03:29):
It is hard, and if we know what needs to be fixed but we didn't fix it, why wouldn't we have fixed it?
Gretchen White (03:39):
Right, because there's too many things to fix, and it doesn't take just the technology, right. You have to influence people to be able to fix it.
Eric Brown (03:47):
You know, I think that might be one of the hardest things about the job is really communicating what the issues are in a way that resonates and is understandable with the people who are in control of the budgets.
Gretchen White (04:06):
Yes, and I think that the people in control of the budgets or the decision-making maybe don't have as much experience about what impact security incidents really could have. If you look back to when I was a kid, we would get in a car without the seatbelt being buckled. We actually rode in the back of a pickup truck in lawn chairs
(04:28):
to go out fishing. If my kid did that now, I would be horrified. So I think it's kind of that, where the experiences have to catch up to what we know we should be doing.
Eric Brown (04:40):
So let's take a look at this Minneapolis Public Schools situation, and I pick on it because the aftermath has been really horrible. The data that was leaked, I shouldn't even say leaked, the data that was stolen and then publicized was really terrible.
(05:01):
Right, it's very sensitive information about minors and, as information security practitioners, it really hits home that something under your care was exposed in that manner. And I hear what you're saying, where it's like, well, I knew
(05:22):
about the issues but I couldn't do anything about them. And the issues in this particular case, as I understand it, were an unpatched ESXi environment and old, outdated, probably signature-based anti-malware solutions on the
(05:44):
endpoint, so poor endpoint control and poor patching practices in a core environment. So, that said, I don't know, how do you, as somebody leading a security organization, if you've got those issues, what do you do? Because you know about them. But then, and you know that those are critical issues in the
(06:08):
environment, what do you do to resolve that? Because now they've got all sorts of security professionals crawling all over that environment and they're probably going to spend millions of dollars to fix it. So when I say, oh well, we don't have budget, well, somehow
(06:29):
they found the budget to resolve those issues. Right, the money came from somewhere. So how do you operate in that position where you know you have a glaring problem, but you can't resolve it?
Gretchen White (06:47):
I think, for myself, you have to be persistent, right, and you have to figure out what's the right cadence of being persistent so that you'll be heard. Like, in this case, it doesn't really matter if they spend millions of dollars in fixing it, there is a group of children that they're not going to be able to fix it for, right. And, I think, being creative about how you get the funding,
(07:13):
whether you work to get, if you're in the public sector, whether you look at grants or other opportunities, and then I think I'm thinking about what pieces of your security posture are the most important. I think we would all say using the latest and greatest endpoint protection.
(07:33):
Most of us consider that to be critical to our security posture, and I'm a real believer in patching, right. You just got to find a way to keep operationalizing that and working with the business side to accept that this is a normal part of day-to-day operations.
Eric Brown (07:54):
And you've been in the public sector for a while securing different environments. Presumably you've run across end-of-life systems well beyond their end-of-life date still in production.
Gretchen White (08:12):
Yep.
Eric Brown (08:14):
How did you approach that?
Gretchen White (08:16):
I try to be an advocate besides the security money, but go out and actually advocate for the infrastructure groups that need the funds. So I think you can't go in and just say, hey, this is what's wrong. I think you have to support that side with saying it's going to cost X amount of dollars and this many people, and we need it for security.
(08:37):
But this is the group that needs the support to make it happen, because we can't make everything happen, and many times we're just saying what we think the issue is and what we want resolved. But I think we have to stretch across the aisle there and help them frame up the story and get the funding needed to resolve
(08:57):
the issue.
Eric Brown (08:59):
How have you been successful in doing that in your career?
Gretchen White (09:03):
Well, a couple things I do. Because, you know, I was an old project manager, so I'm all about the implementation. Deliver what you said. The first thing I try to do in an organization when I'm new is, if there's a smaller effort where I can show, hey, you gave us X amount of dollars, we went and worked with these different groups, business, infrastructure, and here's the outcome we
(09:26):
delivered, you know, and fixed this particular security issue. Try to build some, basically, equity so that the next time when I have to go in for the larger, harder issue, I have already a reputation that my team will deliver and use the money wisely, especially in the public sector.
(09:49):
You know, we talk about being good stewards of state funds, and then the other piece is always just being able to tell the story to a broad audience, be it technical or non-technical, what the seriousness of the security gap or the security flaw is.
Eric Brown (10:08):
And what if you can't get past those decision makers who are holding the purse strings? What do you do?
Gretchen White (10:23):
Well, then you call in an outside party like IT Audit Labs and say, hey, could you come and look at this and support what I've already told them.
Eric Brown (10:29):
That usually works, doesn't it?
Gretchen White (10:31):
All kidding aside, sometimes it takes the third group. One person rings the bell, a second person comes and says the same thing, and then you got to get a third person. But there again, that's where the persistence and the not giving up comes into play.
Eric Brown (10:49):
And it seems like we run into that, don't we, Anna? And as professionals working for an organization, as their security officer, you run into that resistance internally when you say I need this much headcount or I need these tools
(11:12):
or I need this budget to accomplish whatever we're going after, risks that we're trying to mitigate. And it takes that external influence, sometimes in the event of a third-party benevolent influence, who's coming in to give you an opinion on your environment, or an audit, findings from an audit, and then remediating those, or some
(11:37):
standard, be it PCI or HIPAA or SOC 2 or whatever it is, right, where you've got to satisfy the findings of that audit to be compliant. And then there's the malicious side, where you suffer a breach and then data is exposed and there's a cleanup effort.
(12:00):
There's that external influence that is prompting, or that usually gets a financial reaction internally, to be able to accomplish the things that were already projected to be done. So I don't know.
(12:21):
I kind of go back to what Evan says around the broken industry, and for me that's the piece of it that's broken, is the communication side, where we kind of clam up when there's something that happens, and then the other piece of it is, sometimes it takes an external influence to accelerate an
(12:45):
advancement of funding, and it shouldn't be that way. But I understand money's tight and, yeah, I don't know. What do you think?
Gretchen White (12:56):
So from the CISO chair, I think one of the things we don't necessarily do well is going in and saying, for a million dollars I can fix this, for three million I can get you here, and for five million I can get you there, so that it can be considered more of a business decision. You know, how much risk am I willing to accept? I think that's a key thing that we have to be able to do.
(13:20):
And then I also think, let's be pragmatic about it. If I can do one thing and it gets me 80% more secure on my endpoints, but I still have 20% of the gap, 80% improvement is still a big improvement. So I think that we have to be somewhat pragmatic about our ask
(13:41):
too.
Eric Brown (13:42):
If you're coming into an environment that's got problems all over, what are you going after first? Are you going after firewalls? Are you going after account security? Going after endpoints, vulnerabilities? What are you going after?
Gretchen White (13:57):
I think the first thing that I want to look at is, I want to look at what is the thing that they're trying to protect the most, right. Like, what is their core business? And then what would be the impact of a breach for that? For instance, in the judicial branch, your cases, if the
(14:18):
integrity of the data was off, you could spend additional time in jail. Your case could take longer. So getting that trust back with the public would be very challenging to do. Other things, like banking, of course integrity is important, but the systems being available and me being able to find out what my bank account balance is would be important.
(14:40):
So that's one thing, is I want to understand the business side of it, and then there are so many ways to go at it that many times you really have to evaluate, what funding do I have? What is the current state of my protections? So, if I don't have an EDR, maybe that's what I start with
(15:01):
first, but that's something I think the security team at the organization discusses and puts together a priority list. That's what I would do. What have you done? What do you do?
Eric Brown (15:12):
I agree with everything that you've said. It's the crown jewels of the organization and what's important to that organization. I think there's industry-wide ways that malicious actors get
(15:36):
in, and that's largely by phishing, as we all know. So, looking at a decent security program around just keeping the untargeted and, in some cases, targeted attacks out from email, because, as we all know, users are click happy.
(15:56):
So if we can help to reduce that vector, that's a great thing to do. But I go back to your patching as well, of just understanding what do we have out there in the environment, and you can use different models, like CIS, and one of CIS's first tenets, if
(16:18):
you will, is to know what's in your environment. So then you know what you're protecting, be it physical assets or data, just depending on. Again, back to the crown jewels piece.
Gretchen White (16:30):
Sometimes that knowing your environment is actually the hardest first step.
Eric Brown (16:35):
It is, and I've worked with quite a few organizations, and having a CMDB does not seem to be at the top of many initial lists.
Gretchen White (16:47):
Right. It takes a lot of work to maintain a CMDB. The places that I have worked where there has been one that has been implemented well, it's an ongoing full-time people supporting it, many expectations around change management. It's not a, the tool does not solve the process problem, just
(17:10):
facilitates the fix.
Eric Brown (17:19):
What's your personal threshold for being able to impact change? So you're brought into an organization to presumably help them and you make your recommendations. You bring in a third party. Hopefully it's benevolent and you don't have a breach.
(17:39):
But if you're not able to impact change, then what do you do?
Gretchen White (17:45):
I think you have to evaluate if you're a good fit, because it is really a lot about the people side. If in the reporting structure you are not successful at influencing and can't build that trust relationship where your professional opinion is acted upon, I think you have to decide whether maybe it's time to move on. And maybe, you know, another, quote, type of CISO in that
(18:09):
organization could influence.
Eric Brown (18:13):
You bring up another good point there around reporting structure. In your mind, and I know this is a topic that comes up a lot when CISOs get together, what's the right reporting structure?
Gretchen White (18:25):
Well, what is really the correct thing is that the CISO has a bucket of money. So you need to evaluate who's got a bucket of money and is willing to share it, because the security, it's not cheap. Right, the people are hard to find, the tools are expensive. The market is changing in the tools all the time, so I think
(18:48):
there's pros and cons. If you report on the IT side to the CIO, it seems that your access to financial support in some ways is easier. CIOs typically have larger budgets. They're used to spending money on, quote, cost center type activities. If you report to the chief risk officer, you usually are able
(19:12):
to influence the organization understanding the risk, figuring out what their risk appetite is and determining whether they accept the risk, want to mitigate the risk. So it makes those conversations easier. I think the latest one I've seen now is where the CISO is, like, creating their own path now, that they're not below the
(19:35):
chief risk officer and they're not below the CIO.
Eric Brown (19:39):
Right, into the CEO or the board or some structure like that.
Gretchen White (19:43):
Yeah.
Eric Brown (19:45):
I do think a clear line into organizational leadership is important, but equally important is having that champion when you go into an organization, somebody that gets it and somebody that's going to help you advocate for solving the goals that you've set for yourself and the organization.
(20:05):
So even if you're reporting into the CEO, maybe that CEO doesn't get it or has other things that they're focused on, so it might be just as hard to get that funding. But if you've got an advocate or a champion that really is helping the voice be heard for security, I've seen that work
(20:25):
pretty well too.
Gretchen White (20:26):
I also think if you build good relationships with internal audit and legal, that can also help your cause, because it isn't necessarily just you at the table. They understand risk and they understand the need to take action, and that has been very helpful to me in the past when I've built relationships with those two groups.
Eric Brown (20:51):
Compliance as well. I think I was working at an organization where, was there maybe about a year or so, maybe a little less, and we had called out, one of the items of risk at one point was not having the central printing where you have badge access to print, so you
(21:13):
could print to essentially any copier, and they probably had close to 300 of those multifunction copiers throughout the campus and you could walk up. At the time you would have to select from a huge dropdown list. That was like your building, your floor. You'd have to figure out, like, you need some sort of decoder
(21:34):
ring to figure out what was the right printer that you were printing to, because they all have weird names. But you'd print to it and then you'd go over and get your prints, and at the time we had brought up that, oh, this is probably something that you want to resolve, because people are printing confidential documents and they're just laying on the printer. Well, it wasn't until maybe nine months later or so, the
(21:56):
organization brought in a new compliance officer, and within that person's first week on the job, they're touring, they're going around to the different buildings, and in one of the buildings that had healthcare information, that the workers were printing out healthcare
(22:20):
information, the person picked up something from the printer and just had a petit mal, and from that point in time forward we put a program in place that had central printing. But it never would have happened if that person hadn't come in and championed the need to have that badge access to print, and then it's only stored on the print server for two days or something like that before it's deleted.
(22:41):
But I mean, that was pretty cool to see and really a neat project to be part of. It took about two and a half years to get done, and of course people were resistant to it, but it's so much easier now to print because you can print at any building at any time. It's really great.
Gretchen White (22:59):
Yeah.
Eric Brown (23:00):
So you were in banking before, Gretchen, and then you did a stint at Judicial and then more in the public sector with Metropolitan Council doing transit. So you've seen a lot. How did you get started in security?
Gretchen White (23:18):
Well, my husband gives me good career advice, and I was working as an infrastructure project manager and I had worked some security projects. I'd worked some networking projects. I'd had a really broad experience in the technology project realm, and he was like, you should do this security
(23:39):
thing, you would be good at this. It's complicated, there's always something new to learn in it. And I was like, well, I don't really know what this thing is except from the projects. So I took a risk manager position at the bank, and then there started down the path of what do I need to learn?
(24:03):
Some SANS classes, got a CISSP, surrounded myself with some, you know, technology and security people that had been in that arena for many years, and that is how I started down the path.
Eric Brown (24:18):
When you took those SANS classes, I thought I remember you telling me at one point that you scored very well on the exam and you got into some sort of secret SANS club.
Gretchen White (24:30):
Well, what I actually did was, and it was actually a consultant told me to do it, I actually went and took the CISSP and the GSEC 401 all within 45 days. I took the classes and the exams.
(24:53):
Oh wow, it was 45 really hard days at home, like, working and studying all night, and I really was worried about whether I would pass or not. So I encourage everybody, don't worry about if you're going to pass. Go out and take it and get a group to support you in that effort.
Eric Brown (25:09):
What's the, if you score really high on the test?
Gretchen White (25:15):
Yeah, they have a group that they're, like, an advisory group for the classes and pieces.
Eric Brown (25:22):
Oh, so you got into that.
Gretchen White (25:23):
No, that wasn't me. I missed that by a point. Thanks for bringing that up, Eric.
Eric Brown (25:33):
You get some sort of tattoo if you're in that advisory club. That sounds pretty cool.
Gretchen White (25:38):
You know, the SANS classes are expensive, but the best thing that happened from that class, from taking the 401 class, was you got to see security end-to-end: the network, there are some RISC pieces, endpoints, Linux, Windows machines, all of it. And until I had taken that class, you know, I only had
(26:00):
certain areas that I'd been focusing on, like vulnerability management or logging and alerting, and that was the best thing for me, was that I got to see it really end to end.
Eric Brown (26:12):
Nice.
Gretchen White (26:13):
Yeah.
Eric Brown (26:14):
Do you have any recommendations for people just getting into the industry or interested in the industry? Maybe they're in junior high school or high school and they're thinking about security. They hear about security. Any thoughts for them?
Gretchen White (26:31):
Well, now there's all kinds of schools that actually have degrees. You know, even like six or seven years ago, there weren't very many choices. So even in the Twin Cities, Metro State has a very reputable program. If you want to do more of a work-and-go-to-school approach, Western Governors University is a very cost-effective way, and I've had
(26:55):
people on my team get their degrees from there, and you earn certs that you can use for your job while you're working towards your four-year degree. And then I think the SANS classes obviously take a larger financial commitment, but Black Hills Information Security has a pay-what-you-can program, and those classes are very good for
(27:18):
somebody starting out, and I think some of them even are classes around, what does it take to have a career in security?
Eric Brown (27:26):
Oh, yeah, same recommendation for people who might be coming to security as a second career. Maybe they've been doing something else and now they want to get into security somehow.
Gretchen White (27:39):
Yeah, and then I would say that you should try to get exposure to the different realms of security. We've talked kind of a lot about the tech side, but the auditing, the presenting risk, writing policy, those are all different functions that are a different
(28:00):
type of people than, say, your security engineers.
Eric Brown (28:03):
Nice, cool. Well, outside of security, Gretchen, what are the things that you like to do?
Gretchen White (28:10):
Well, I kind of like security a lot, Eric.
Eric Brown (28:14):
Well, what I mean is, do you have any other hobbies, or are you at home hacking into Russia in your spare time?
Gretchen White (28:24):
I, well, I have kids, so I like to spend a lot of time with my kids and my husband. I like strategy games. Go and play games. My latest thing now is, I was a tennis player in my younger days and I'm trying to make that over-50 crowd conversion to pickleball.
Eric Brown (28:43):
Oh, yes, yes yeah.
Gretchen White (28:45):
But yeah, I could use some more balance in my life. I can't say that I'm very good at that yet.
Eric Brown (28:52):
I've never played pickleball, but I hear it's really exploding. Yes, it's a hot one right now. And are there just local community meetups, or do you have a group that you play with?
Gretchen White (29:09):
Well, I belong to a gym where I play, but there's, I think, the parks now have converted a lot of the tennis courts to pickleball. I've heard that there's a lot of community clubs now too, but I haven't done that yet.
Eric Brown (29:19):
Maybe we should do that, Gretchen. We should start a Twin Cities security meetup with pickleball.
Gretchen White (29:25):
Well, I did used to take a Pilates class, right, I was taking private Pilates lessons. Oh wow. At one point I was, like, the third client of the morning on Saturdays, and she actually said to me, what is this job that you do? I said, well, I work in security. She says, well, you are the third client I have each
(29:46):
Saturday morning that's in the security profession. I'm like, yes, it's very stressful. We come here, when you're doing Pilates you can't think about anything else. You can't be thinking about your latest security vulnerability or any of those things.
Eric Brown (30:02):
That's good advice. Well, thanks, Gretchen. Anything else you wanted to talk about that we didn't get a chance to talk about?
Gretchen White (30:12):
No, but thank you for having me, and, you know, if anyone gives you some feedback on how we can get more support for our security efforts in the CISO role, hey, if somebody knows the magic easy button, I want to hear it.
Eric Brown (30:26):
Yeah, me too. Well, thanks, Gretchen, appreciate your time.
Gretchen White (30:32):
All right, thank you.
Eric Brown (30:34):
Thanks. Bye-bye.
A well-designed framework will reduce organizational risk and improve overall security posture.