Steve Wright - How to Combat the Exploding Threat Landscape Before It's Too Late

Steve Wright

Critical Stats

LinkedIn: https://www.linkedin.com/in/steven-w-20197862/

Started their cybersecurity journey in: 1992

Most passionate about: Gamifying security metrics

Favorite zero-day: Log4j/Log4Shell

Favorite song: Asik Veysel and Wind in the Trees by Joe Satriani


Introduction

Over the past 20+ years, Steve has repeatedly built security programs that protect corporate assets and data, advance the business, and defend the brand by understanding an organization’s business delivery model, commitment to end users, and disruptors. Doing so has allowed him to build winning security strategies that align with business objectives, eliminate unnecessary complications, and inform decision-makers on crucial data points.

Steve offers a distinct advantage to organizations needing a visionary and resourceful leader who can build top-flight security programs that meet budget, regulatory demands, and risk appetite.

Steve is a cyber vanguard

We selected Steve because he is a cyber vanguard! Steve is among the wisest, most experienced cybersecurity professionals I have ever worked with. His depth of knowledge and experience is unmatched. Let me just say this: When shit hits the fan, you call Steve. He will figure it out. He is a fixer, a cybersecurity version of Winston Wolf, just a tad cooler!

Without further ado, we asked Steve our standard set of 5 questions to rule them all, and here are his responses:

Five questions to rule them all!

1. What is the biggest problem we are dealing with in cybersecurity?

Organizations are not effectively addressing the growing number of threats they see daily. At a planetary scale, I advise the company to determine which risks present the greatest dangers to its bottom line and gamify them from the boardroom to the operator. Why? When you have >1M findings daily, you cannot ask a handful of operators to fix all of them in a reasonable timeframe. Doing so would skew operator deliverables away from creating products to sell, solving production problems for customers, or researching the next wave of features needed to grow the business, which in turn takes away from the business.

2. How can we address the growing number of threats organizations face?

By aligning the financial costs of assets (cloud and on-prem) against severity, customer obligations and contractual requirements, and user safety scoring (how secure or vulnerable an operator/user makes their environment), you can start creating “breach-o-nomics.” Breach-o-nomics is something I coined. It is where you can communicate “loss” to the boardroom in terms of $$$ (something that resonates well with any Board of Directors) and “risk” to the operator to help them focus on the most critical, if not material, findings to address. When done well, this will reduce your findings from millions to a handful of things to fix with full visibility into customer and business impact. AND those responsible for remediations will love you for it. 🙂
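As an added illustration of this answer (code written for this page, not Steve's model or anything from the interview), the sketch below encodes one hypothetical reading of breach-o-nomics: roll raw findings up to the asset level, score each asset's exposure in dollars from its value, its single worst finding, whether it sits under a customer contract or audit clause, and its user safety score, then emit a board view stated in dollars and an operator view of what to fix first on each asset. The severity weights, the contract multiplier, the safety discount, and the sample assets and findings are all assumptions.

```python
"""Added example: a toy 'breach-o-nomics' style prioritiser.

Illustrative code written for this page, not Steve's model or any vendor's
product. The weights, multipliers and sample data below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed: share of an asset's value put at risk by its worst finding.
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.6, "medium": 0.2, "low": 0.05}
CONTRACT_MULTIPLIER = 2.0  # assumed: contractual/audit exposure doubles the loss
SAFETY_DISCOUNT = 0.5      # assumed: a perfectly run environment (score 1.0) halves the loss


@dataclass(frozen=True)
class Asset:
    name: str
    value_usd: float     # from finance/CMDB: replacement cost plus the revenue it carries
    contractual: bool    # covered by a customer contract or audit clause
    safety_score: float  # 0.0 (reckless) .. 1.0 (well run): the "user safety scoring"


@dataclass(frozen=True)
class Finding:
    ref: str        # scanner or ticket reference
    asset: str      # Asset.name the finding was raised against
    severity: str   # key of SEVERITY_WEIGHT


def asset_exposure(asset: Asset, findings: list[Finding]) -> float:
    """Dollar exposure of one asset, driven by its single worst finding (assumed formula)."""
    if not findings:
        return 0.0
    worst = max(SEVERITY_WEIGHT[f.severity] for f in findings)
    exposure = asset.value_usd * worst
    if asset.contractual:
        exposure *= CONTRACT_MULTIPLIER
    return exposure * (1.0 - SAFETY_DISCOUNT * asset.safety_score)


def prioritize(assets: list[Asset], findings: list[Finding], top_n: int = 3) -> list[dict]:
    """Roll raw findings up to assets and rank assets by dollar exposure, worst first."""
    by_asset: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_asset[f.asset].append(f)
    rows = []
    for a in assets:
        fs = by_asset.get(a.name, [])
        rows.append({
            "asset": a.name,
            "exposure_usd": asset_exposure(a, fs),
            "findings": len(fs),
            # operator view: the worst findings on this asset, at most three
            "fix_first": [f.ref for f in sorted(fs, key=lambda f: -SEVERITY_WEIGHT[f.severity])[:3]],
        })
    rows.sort(key=lambda r: -r["exposure_usd"])
    return rows[:top_n]


def board_view(rows: list[dict]) -> list[str]:
    """Board view: one line per asset, loss stated in dollars, raw finding count for scale."""
    return [f"{r['asset']}: ${r['exposure_usd']:,.0f} at risk ({r['findings']} findings)" for r in rows]


# Constructed sample data (not real assets or findings).
SAMPLE_ASSETS = [
    Asset("payments-api", 5_000_000, contractual=True, safety_score=0.3),
    Asset("hr-db", 2_000_000, contractual=True, safety_score=0.6),
    Asset("marketing-site", 200_000, contractual=False, safety_score=0.9),
    Asset("dev-sandbox", 50_000, contractual=False, safety_score=0.1),
]
SAMPLE_FINDINGS = (
    [Finding("F-1", "payments-api", "critical"),
     Finding("F-2", "hr-db", "high"), Finding("F-3", "hr-db", "high"),
     Finding("F-4", "dev-sandbox", "critical"),
     Finding("F-5", "marketing-site", "medium")]
    # hundreds of low findings on the marketing site: volume that should rank last
    + [Finding(f"F-{i}", "marketing-site", "low") for i in range(6, 506)]
)

if __name__ == "__main__":
    for line in board_view(prioritize(SAMPLE_ASSETS, SAMPLE_FINDINGS, top_n=4)):
        print(line)
```

With the sample data, one critical on the $5M contractual payments API outranks everything, two highs on the contractual HR database come second, a critical on a $50K sandbox ranks third, and 501 findings on the marketing site land last: the volume of findings is not what drives the ranking, the dollars at risk are.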

3. What are three actions a CEO can take to protect their company from cyberattacks?

  1. Hire a Chief Information Security Officer (CISO). Simple. CEOs are hired to drive the business. They need a CISO they can trust who understands what makes the business tick and can effectively defend it.

  2. Invest in security early. Organizations that invest in security when they create their product, infrastructure, and training/awareness programs will be well positioned as the company grows. When security is an afterthought within the three areas, it is far more expensive to fix later. Small, continuous investments upfront in these areas increase security 10-fold, keep costs manageable/predictable, and, most importantly, keep the company auto-compliant because security is ingrained in the products, infrastructure, and people.

  3. Take third-party risk seriously. Demand the highest levels of security from those you do business with. Invest well in third-party vendor management to ensure those you rely on are self-reporting, committing to hold themselves to a higher standard, and can prove that your data/service is secure.

4. What are the best resources for learning more about cybersecurity?

  1. Any posts, writings, or talks from Brook Schoenfield (check out his books too)!

  2. Chris Romeo and Robert Hurlbut’s Application Security Podcast - They talk about application security and its future and review upcoming standards — great practitioners with fantastic insight.

  3. The Register: Enterprise Technology News and Analysis - It’s offbeat with interesting takes on cybersecurity and upcoming technology. I enjoy reading the articles to help push my perspective into new directions and look at things from a different angle.

  4. CSO Online | Security at the Speed of Business - Many articles are about security and its relation to the business. This helps me pull my technical bias into aligning with the business, i.e., it keeps me grounded. 🙂

  5. Any book I can get my hands on regarding telling stories with data. A few I am currently reading:

5. What is one piece of advice for those wanting to pursue a cybersecurity career?

Remember that there is always a balance between helping the business and making it secure – companies need to make money, and security can stop that from happening. Consider developing your security philosophy muscle memory early in your career to benefit you later. You can start with a simple philosophy:

  1. Understand the business: What are the customer's contractual obligations, how does the company make money, what does a material impact look like, and how do you avoid audit clause activation? This will develop your “Business Awareness” muscle.

  2. Defend the business: Align the understanding you gained from (1) to form an opinion about how to avoid a breach, what key risks to address, and which controls should be in place to help be audit-ready. Doing so will build your “Security Alignment” muscle.

  3. Protect the customer: Bring (1) and (2) together (business awareness and security alignment) to build customer trust. A customer-first approach will always lead you back to protecting what matters most and help you focus on the riskiest problems. Protecting the customer will promote and develop your “Customer Trust” muscle. In my opinion, it is the most important muscle to develop.


 It is the best day ever. So was yesterday, and so is tomorrow, and every day from now until forever. Thanks to interviews like this one, which I will share with all my besties!


Michael F. D. Anaya | Founder

I’m a techie who’s been in cybersecurity for over two decades. My passions are being a top-tier dad, helping others, speaking in public, and making cyber simple. I am also partial to cheesecake and bourbon, but not together… well, come to think of it, it might be a killer combo! TBD.

https://www.mfdanaya.com