What is the role of a CISO (Chief Information Security Officer)? - Melanie Ensign - Bonus


And this is why preparation happens so far in advance of needing it, right? Because you can't, in the middle of an incident -- like, I hate the saying of, like, never waste a crisis. I hate that. I -- no one is building long-term infrastructure during a crisis. They're just trying to put the fire out, right?

I need you to be thinking about, again, what are the long-term outcomes that you want to see from this program? Let's build to that now so that we can quickly make decisions in the moment and be proud of where we end up.

(Kevin) Well -- and when I say don't waste a crisis, what I mean is that, you know, take those learnings and then, you know, use that to drive your roadmap for the next year.

(Melanie) I worry about the popular application -- use, at least in the security community where I feel like they've defaulted to managing by crisis. [laughs]

Um, you know, as if we can't get anything done unless we're having a crisis, which I'm like, you should be incentivized to avoid the crisis rather than just allow it to happen because you don't know how else to advocate for your team. [laughs]

Um, I feel like, you know, managing by crisis is not strong management.

(Kevin) Also, I think some of us are in organizations which only really allow us to manage by crisis, and that's, uh, you know, maybe a problem at another level of the organization. But it's a real problem.

(Melanie) But especially if you're in an executive position, you either need to, number one, not take jobs where you're not gonna be able to succeed, right? Like, being able to recognize whether or not you're in that type of organization or about to join it. Or, number two, it is in fact your job to change that reality for your team before the crisis, right? Um...

I mean, if you're working for a security executive who can't get budget until there's a crisis, I have a lot of questions about the competency of that security executive.

(Kevin) True. Yeah. Yeah. It's either the executive or the organization or some combination of both, and probably some combination of both, but, like, yeah, get that motivation happening.

(Melanie) I feel like sometimes, especially, like, first-time CISOs, you know, especially if they're coming up through it, the engineering ranks, they may not be prepared or even aware that you're no longer a security person, you are a business executive. You need to be able to form alliances and relationships with your executive peers in order to get things done.

Um, you know, for example, I mentioned that we do, like, training with various engineering teams on negotiating with product teams, with other engineering teams, right, to get shared KPIs, and to get security outcomes onto a roadmap outside of your reporting chain. You're a CISO, or you're a CSO, whatever the title happens to be, right? Chief Information Security Officer or Chief Security Officer, for folks who aren't in security.

Um, you know, you need to be able to... Like, you can't isolate yourself from company politics just because it's unpleasant. It's actually how the business works.

(Kevin) It's the job. Yes.

(Melanie) And if you -- yeah, exactly. Um, and I don't think that we've adequately prepared a lot of newly minted security executives for the reality that -- of this world, right? It's not about being the smartest security person in the room. It's about being an executive who can get shit done.

(Kevin) Interesting. That's an interesting way to frame it. Yeah. I don't know. I'm thinking about the CISO's --

(Melanie) -- like, your Chief Marketing Officer is not always the smartest -- doesn't always -- doesn't come up with every single, like, good marketing idea by themselves, right? Their job is to go win the budget and to make sure that execution delivers on that investment.

(Kevin) They build and run a team to...

(Melanie) It's a business unit. So, I think more security teams need to recognize, if you wanna be treated like a business unit, you need to act like one.

(Kevin) Okay. How are you driving value for the business? What's your ROI? And we talk in security about that being hard to quantify, but, like --

(Melanie) But I think that's true if you're only focused on security ROI. If, for example, you look at something like support tickets. A lot of companies track the costs of individual support tickets.

(Kevin) Oh, yeah. Very closely. [laughs]

(Melanie) They know to the penny how much every ticket costs, right? Well... As a security organization, can we go talk to our customer support team and find out, are they getting a lot of tickets about security issues? Is there something we can do to reduce the number of security tickets they're getting? Is our log-in process too difficult, right, to get a secure password?

5:00
Is account recovery too difficult? That's usually the one that kills everybody. Um... Because they put in all these security things, and not considered what, like, normal people do -- to -- when they use these tools.

And so if you work with your customer support team to reduce the number of tickets, look at you delivering value to business, right, and it had nothing to do with code reviews, right?

Um... Same thing with, like, Cisco actually produces a really good report on privacy benchmarking every year where their privacy team works with their sales team to find out how many deals did we close because of the privacy data we built, right? So they can actually get tangible ROI for -- because of our privacy thing, either something that we built or something that we removed, right, um... We were able to close all these deals, or we were able to shorten the sales cycle, right? So go work with your cross-functional partners, figure out where are you actually interacting with meaningful business transactions, and -- so it -- it's not like, here's the value of, you know, the vulnerabilities that we found. It's, because of our team, we made more money, and we spent less on support.

(Kevin) Yeah. Oh, that's interesting. Maybe I -- I don't know, I had a project when I was at Stripe to try to take the, like, security compliance documentation, just put together a packet so we could, you know, when a customer comes to us with their own bespoke security questionnaire, we could, like, hand them back the packet, be like, all the answers you need are in here. Uh, yes. Uh, please come back to us if you have any questions. Almost no one reads those.

I'm fairly certain that I was the only person who ever read some of the ones that we received from our vendors, but, like, getting to that point, but also, maybe there's -- I mean, maybe that's the thing I could've, you know, sold harder on. I got, like, halfway through it, and then, like, wound up leaving, but at least, you know, got them started, and -- but yeah, I don't know. Maybe there was also other ROI there that we needed to be more involved in the sales process and, like, or where -- or figure out where the sales process was getting hung up on security issues, if the sales process was, and where we could help there. Yeah.

(Melanie) Exactly. I mean, and it's interesting because I think one function that has done this well is the legal team that deals with contracts, right? So, you know, especially if you have a large vendor. They have very specific requirements for things like data storage and data security and data transfers, right? Um, all of the companies that already have those things in place can sign very large contracts with the large customers quickly -- well, "quickly." [laughs] Right?

But faster than otherwise.

(Kevin) Eh, by enterprise software standards, yes. Faster than somebody has to go put all that stuff in place.

(Melanie) Yeah. And so the thing is, like, there are people in your organization who have this knowledge, who have access to these numbers, and this data. Like, you just need to go analyze it, and put it together, and figure out how to create a narrative that is compelling to the business, right? So, yeah, sure, if you go in there with, like, the Verizon breach report, so like your board meeting and, like, of course no one's gonna take you seriously, right?

Um, and it's why they're all, you know, we see a lot of board presentations that are focused on things like how do we compare to our peers, right, because, particularly in the United States, in areas where we lack regulation, companies are hesitant to stick their neck out in areas where their competitors aren't doing that, right?

Um, and so a lot of boards are like, how do we compare to our peers, and all this other stuff. And I feel like, in a lot of cases, that's a placeholder for a metric that they would truly care about, which is how is security impacting the bottom line?

(Kevin) Well -- and to tie it back to the incident, like, it sounds like this was an opportunity where, like you said, like, security actually delivered kind of a PR win. Like, Uber, in a moment where it really needed a win got one from the security team being able to stand up and say, you know, hey, here's what's going on, here's what we did, here's why.

(Melanie) To be able -- I mean, we were able to disclose all of those reports because our team was so thoughtful in the way that they communicated with this individual. That -- we were proud of what we had said.

Like -- and I mean, like, we deserved to be proud. We weren't just, like, arrogantly proud, right? We were proud of the amount of time and attention that we had given to this communication, long before we ever expected anyone else would ever see it because we just assumed, you know, the same way that people say like, if you -- if you don't wanna see it on the front page of the New York Times, don't say it, right?

That is true.

10:00
Not necessarily because it's gonna show up in the New York Times, but because if it's on Twitter, some people think it's fact, right? And it takes resources to figure out what's even true, and then there's just no way you can rewrite the Internet, right? So it's just so much better to try to prevent the, you know, the incidents from occurring, and to be able to minimize the damage that they can cause in advance.

(Kevin) Get it right from the get-go, as a matter of process and as a matter of policy, rather than having to come in after the fact and do cleanup on -- yeah. How did -- was -- like, was that something that grew organically as you built it, or was that something where you had to actually take a case to your business leaders, like you're discussing, and, like, sell the ROI of disclosure?

(Melanie) Uh, so, the disclosure piece, I think part of this was a silver lining of all of Uber's PR nightmares, is that we just expected anything could become public, right? Whether -- you know, whether through a researcher or a criminal investigation.

Like, everything was fair game, right? There are so many memes and emojis in my emails because I just expected a judge was gonna have to read it out loud, and I want it to be hilarious, right?

So, you know, these -- we just, by default, we expected to constantly be under the radar, right? Um... Er, sorry, to be under the spotlight. Uh, and so we couldn't fly under the radar, and... And when you assume that somebody is always watching you, it does change the way that you behave. Now, if we think about it from a privacy perspective, it sounds creepy, but from a transparency perspective, as a company, it's really important to just, you know, to just be prepared.

Like, communicate and treat people in a way that you're not worried about this becoming public.

(Kevin) Well, and also it sounds like you were able to communicate in a way that, you know, you were, totally willing, uh... for this become public without being defensive, which is, I think, like, when I think about the kind of conversations that I have had with, especially legal, is, like, the classic people who will get cold feet.

They're, like, very aware, that, oh, yes, all this stuff could become public, and we don't want it to become public, no matter how good a job you've done, and so...

(Melanie) Yeah. I was very lucky in that, during the time that I was at Uber, we had some of the smartest, most experienced security counsel that I have ever worked with, both in-house and outside counsel. They were fabulous. Um, and so that played a lot into it, right? The fact that we had a fully supportive legal team that was -- that understood our perspective, that, like, buried bodies are expensive and stressful.

Like, we don't want to have buried bodies sitting around the company, right? Um... And so, you know, like, I always tell our clients, I'm like, you know, if you have skeletons in your closet, the best thing you can do is pull them out and teach them how to dance.

(Kevin) Okay.

(Melanie) And do it now.

(Kevin) Okay.

(Melanie) Right? Um, because, I mean, just think about, like, any time you're trying to, like, keep a secret, like... How many people do you have to trust to keep that secret, right? Um...

And there are going to be some company secrets, like intellectual property, that are worth that effort. And then all of the other secrets, why? Why spend money, time, and energy when, you know, trying to keep that a secret, when the reality is if you're just more thoughtful in the way that you communicate...

I mean, it's interesting to me that, you know, there's so much put into risk management in some of these companies and, you know, particularly on cybersecurity teams, and I'm like, the words that come out of your mouth demonstrate how well you actually understand the concept of risk management.

(Kevin) It's not just financial risk. It's not even in reputational risk the way risk management people understand it. It's, like, relational risk.

(Melanie) Yeah. Well -- and even, like, the risk of a misunderstanding can be incredibly costly, right? Even if you are really trying to do something good, right? Maybe it's not anything malicious, but if you didn't communicate it clearly, now there's a huge misunderstanding and a blow up on the Internet, that you have to, you know, defuse.

I don't know, could we have spent, like, four more minutes carefully crafting that message so that it was clearer?

[laughs]

15:00
(Kevin) So it sounds like some of the work was, like, having you embedded fairly closely with these engineering teams who were doing bug bounty triage to help them sort of... craft the message, and, uh... craft the relationship, and with that, you know, keep that North Star in mind of, like, the relationship that you wanted to have with the researchers on an ongoing basis. And... Uh... Just a little support.

(Melanie) Yeah. Well, and I think you can really divide the value of my role, sitting so closely with those folks, it being, one, I was a constant reminder of thinking about those -- those long-term outcomes, right? But also, I could just be a sounding board for them to go, does this say what I think it says?

[laughs]

You know, like, how's -- getting a second opinion of -- you know, because again, if we're thinking about should this become public, it's gonna be read by more than just somebody with, like, technical background, right? How will this read to a journalist? How will this read to a regulator? How will this read to a customer?

(Kevin) I -- we got in the habit of doing that when I was in Akamai even just on an informal basis. You know, pass the laptop around. I'm gonna send this e-mail. Does this look kinky to you? And it made a big difference. Yeah.

(Melanie) I do that. I'm a communications professional, and I have people in my life and on my team where I'm saying, can I get a gut check before I hit send on this because I need to make sure that it says what I intend it to.

(Kevin) And then building processes which support that in the organization, and the organization giving people the time to take that extra four minutes rather than, you know, measuring them on how many bug bounty tickets they closed this sprint, and... Yeah. All those things.

(Melanie) I mean, that's a crazy measurement, just in general, because fewer tickets isn't necessarily a good thing.

[laughs]

[outro music plays]

Creators and Guests

Kevin Riggle (Host)
Cybersecurity consultant. Principal at Complex Systems Group, LLC.