Cybersecurity Lessons from Expedia Group's Chief Security Officer
As businesses increasingly rely on technology, cybersecurity has become a top priority for organizations worldwide. On CXOTalk episode 777, we speak with Kurt John, the Chief Security Officer of Expedia Group, who discussed managing and leading cybersecurity in 2023. From building a decision support structure to explaining the value of security to boards of directors, this interview takes a deep dive into the life of a modern Chief Security Officer.
We are joined by guest co-host, QuHarrison Terry, the Chief Growth Officer at Mark Cuban Companies.
Don't miss this opportunity to gain valuable insights into the future of cybersecurity and hear from a seasoned leader in the field.
Here are the topics covered in this discussion:
- On Expedia Group and Kurt John's role
- On complexity in the security landscape
- On technical threats to consider
- On security for travelers, partners, and employees
- On security in the Expedia Group brands and ecosystem
- On building a decision support structure for security
- On defining boundaries of the security ecosystem
- On security and privacy as market differentiators
- On threat intelligence and business outcomes
- On preventing fraud in e-commerce with the security value chain
- On information sharing to prevent fraud
- On explaining the value of security to boards of directors
- On investments in security and cost savings
- On companies adopting GDPR as a standard
- On the imperfect nature of security systems
- On the importance of security post-mortems
- On advice for new CISOs
- On the role of AI in security
- On the impact of security and trust in the travel industry
Kurt John is Global Chief Security Officer at the Expedia Group, where he oversees governance and execution of cybersecurity, physical security and privacy. He is also a non-resident senior fellow at the Atlantic Council, where he helps to think through the most relevant cybersecurity challenges at the intersection of geopolitics, business and security facing the United States and its allies. This includes making recommendations for policy makers to help bolster the security of our way of life. Kurt holds multiple board positions in private and public organizations, including the Virginia Innovation Partnership Authority, the Commonwealth's initiative to drive innovation in the tech economy.
QuHarrison Terry is a growth marketer at Mark Cuban Companies, a Dallas, Texas venture capital firm, where he advises and assists portfolio companies with their marketing strategies and objectives. Previously, he led marketing at Redox, focusing on lead acquisition, new user experience, events, and content marketing. QuHarrison has been featured on CNN, Harvard Business Review, WIRED, and Forbes, and is the co-host of CNBC's primetime series No Retreat: Business Bootcamp. As a speaker and moderator, QuHarrison has presented at CES, TEDx, Techsylvania in Romania, Persol Holdings in Tokyo, SXSW in Austin, TX, and more. QuHarrison is a 4x recipient of LinkedIn's Top Voices in Technology award.
Transcript
Michael Krigsman: Today on CXOTalk, we're speaking about security and how to manage and lead security in 2023. We're speaking with Kurt John, who is the chief security officer of Expedia Group, and my esteemed guest cohost is QuHarrison Terry, who is the head of growth marketing for the Mark Cuban Companies.
On Expedia Group and Kurt John's role
Gentlemen, welcome. Kurt, tell us about Expedia Group and tell us about your role.
Kurt John: I am Chief Security Officer for Expedia Group, which means I'm responsible for physical security, IT security (or cybersecurity), as well as privacy.
Michael Krigsman: And QuHarrison Terry, welcome back. I love when you're a cohost, and I'm just thrilled to welcome you back. Tell us about what you do and the Mark Cuban Companies.
QuHarrison Terry: I'm the head of Growth Marketing at Mark Cuban Companies, as you've already stated. I'm happy to be on CXOTalk and really looked forward to the upcoming conversation with Kurt. I'm excited for this convo because we have to talk about security. Right, Mike?
On complexity in the security landscape
Michael Krigsman: Kurt, what do you see as the security landscape right now with all the complexity?
Kurt John: One of the things that I think a lot of companies are struggling with, in terms of what the threat landscape looks like, is the scale. I like the word you just used, complexity. Just the size, scale, and with that comes the complexity of the environment.
There's cloud. There's edge computing. There's artificial intelligence. There's automation. There's orchestration.
What's funny about it is that not only are we transforming our business models and our ability to drive impact in the market, but also the bad guys are as well. They have the same types of structures, the same joint ventures, the same type of collaborations that they are doing to try to drive their side and make money for themselves.
We are trying to not only implement new business models to drive more impact in the market, but we also have to then defend against adversaries who are doing something similar. I would say the biggest challenge is that size, scale, and complexity.
On technical threats to consider
But having said that, there are probably a couple of things you can organize yourselves around when it comes to actual technical threats. That has a lot to do with your endpoint devices, the computers we're all using.
It has to do with cloud because we're all using it. For a subset of the population of companies, it has to do with edge computing as well.
Then finally, artificial intelligence, ensuring that when we build those data models and we try to scale them, things can go bad really quickly. So, both from a security perspective, as well as from an ethics perspective, paying attention to artificial intelligence is really important.
On security for travelers, partners, and employees
QuHarrison Terry: Kurt, you're at Expedia. There are tons of people in the world that are out there, and they do the chief security office role. But at a travel company, what does that entail?
Kurt John: It's about our travelers because that's fundamentally what we're trying to do. We're trying to connect our travelers with new experiences around the globe.
In order to do that, we need to serve them up with new capabilities, new ways for them to engage and plan their trip. And so, we organize ourselves around our travelers, partners, and of course, our employees. A lot of the decisions we make and the questions we ask ourselves and answers we tend to give ourselves are around travelers, partners, and employees.
Now, fun fact about Expedia. A lot of people don't know this. There's the expedia.com, but Expedia Group also owns a lot of other brands as well.
It was interesting. I was talking to a friend of mine. I was saying, "Hey, look. I'm going to go work with Expedia now."
They were like, "Oh, wow, Expedia. You know Expedia is pretty good, but you know who is even better? Orbitz.com. You should probably look into that."
And I said, "Oh, okay. I think I will," but at that time, obviously, I knew.
But orbitz.com, travelocity.com, hotels.com, Vrbo, carrentals.com – the list goes on. So, a fun fact is we drive value in the market through a lot of different brands.
On security in the Expedia Group brands and ecosystem
Michael Krigsman: How do you think about security across this very broad landscape of different companies, different well-known brands?
Kurt John: The necessity to share information because we've gotten to the point now where you're unable to accomplish whatever it is you need to do on your own. Unless you're building a very specific widget (hardware widget at that) that other people are consuming (and even then you need someone to provide steel or some other type of raw material), you need an ecosystem of partners in order to be successful.
Fundamentally, I look at it in two ways. The first is, how do you work with your partners to drive security consistently throughout your entire ecosystem? That means that obviously everyone doesn't need to meet this incredibly high bar. But what's the threshold of which you want to collaborate with your partners to really implement security across your entire value chain so that everyone is strong (because, of course, the weakest link analogy)? That's the one side.
On the other side, for me, is the threat intel and the ability to share data because some folks within your ecosystem might be experiencing certain attacks. The question then becomes, how well can you all share information together so that you can insulate yourself or try to pivot to prevent such an attack?
I've found incredible uplift and value in both partnering with your ecosystem as well as sharing information with your ecosystem. I think that's really the future.
Even the federal government, the U.S. Government from CISA, as well as the Office of Record of National Cybersecurity, says the same thing. In other words, to beat all of us, you probably need to beat one of us. But then the flipside of that is to beat one of us, you have to beat all of us. Very convoluted, but essentially, what that means is if we all cooperate and share information and just ensure that there's consistency of controls throughout our ecosystems, I think the U.S. economy, broadly, as well as our own individual companies, would benefit quite a bit.
On building a decision support structure for security
QuHarrison Terry: How does Expedia think about, internally, that decision support system that you're describing? It's like, to work across just the organization, everybody has their directives and goals. But in order to reach that alignment, you really do need to be able to frame or lean into some type of support network, and more so specifically around decisions because I imagine, when you're dealing with security threats and things of that nature, you don't have a lot of time. This is not something where, "Hey, let's come back to it next week," or next month, or next quarter.
Kurt John: This is not specific to Expedia. This actually could be applied to any company. It applied to the companies I've been with before, and anyone can adopt this.
Fundamentally, you're looking at two things. I think oftentimes people don't take enough time to actually build out that structure that you just described. It's very much ad hoc, and you want to move from ad hoc to optimized as quickly as you can.
What that means is consistency of processes. A) What does your governance structure look like? B) How do you evaluate risk within that organization? You need a repeatable way to do that. C) Do you know your risk appetite?
This is very interesting. I've been at companies before, and this is not Expedia. Many, many years ago, I was a consultant, and I've seen companies where they think they have a very conservative risk appetite. But when you look at the way that they're making decisions and the type of things they're going after, it's very much contradictory. They have a very aggressive risk appetite.
I think that emerges because people (or organizations) aren't intentional about defining what your risk appetite is. Is it conservative, aggressive, or somewhere in between? What do you rally around? What are you more comfortable with the risk on versus not? That goes back to your risk appetite.
Then finally, you likely need (within your structure) a way to make decisions really quickly, like you alluded to. That means that you likely need to assign certain decisions to certain risk thresholds.
For low, medium, high, obviously a higher critical risk might go through the CEO. But if there's something of a lower risk, that might be made at the director level or below.
Really, I think what that comes down to is more intentionality overall around your risk program. I think not enough companies treat it that way.
Michael Krigsman: Be sure to subscribe to our newsletter. Hit the subscribe button at the top of our website.
On defining boundaries of the security ecosystem
We have a really interesting question from Arsalan Khan on Twitter. Arsalan always asks these great questions. He says, "When technology is everywhere and with everyone, what do you define as the boundaries of your ecosystem?"
Kurt John: Definitely today, the boundary of your ecosystem not only has moved backwards from sort of like your corporate network, but it's become incredibly more porous as well, so a lot of holes in it. And so, the way I think of it is you don't define that boundary, which is—
Within the security community, you're going to find some people might roll their eyes at this, but zero trust. Bear with me for the time being. It's been thrown around quite a bit in the media and companies are kind of like, "Where does your trust mecca?"
But zero trust, still the tenets of it remain true. In other words, how do you create an ecosystem within your environment that allows the appropriate access of your partners and your employees (wherever they may be), in a way that doesn't require you to give carte blanche access to everything?
My fundamental tenet on this topic is I have no boundary and, even if I did, it would be incredibly porous. So, how do I better manage access at the software level? Zero trust is a big aspect of that.
QuHarrison Terry: What concerns have you seen on the privacy side due to that?
Kurt John: The biggest concern with this new setup is data sprawl, and that comes from three reasons. A) The velocity and scalability that comes with cloud.
You can swipe a credit card, and then you're just off to the races. You have a dev environment. You have a pipeline. You could build something. You have a minimal viable product. You're putting data in there. Then someone is like, "Ooh, that's interesting data. Let me make a copy of it."
It's very hard to get started. Sorry. It's very easy to get started and very hard to contain. So, data sprawl is one.
The second has to be, in my opinion, the ever-evolving privacy landscape. GDPR did a really good job of landing this very specific list of things that people need to do. But for example, in the U.S., different states are still thinking through how to handle privacy differently.
That means if you're in the U.S. or you're doing business in the U.S., then you potentially need to be paying attention to 50 different privacy regulations.
Luckily, for the most part, there's sort of like a common thread throughout them. But you can't deny the complexity of having to do one-offs or nuances based on a particular state.
I think those are the two biggest things. In the first case, you just need to be really intentional. In the first case, meaning data sprawl, very intentional about having a very specific privacy strategy. But it can't be in isolation.
There's a lot of convergence between privacy and security. And so, you need both an individual privacy strategy, but you also need a joint strategy when it comes to your data and just your general corporate information protection.
In the second case, one would hope (and I've seen some indications of this) that we're thinking of an updated federal privacy law, which would then make companies' lives a lot easier.
On security and privacy as market differentiators
Michael Krigsman: Now we have another question from Chris Peterson. He says, "To what extent can security organizations be a market differentiator for their company by saying we offer better security, better privacy to the customers that they serve?"
Kurt John: One of the things that security typically struggles with, generally, as an industry is articulating its value because our value is derived from the lack of incidents or the lack of breaches, and it's very hard to prove a negative. I've seen more and more, and I tend to call these business value metrics.
There are operational metrics that you need to drive down vulnerabilities. You need to drive down risk. You need to articulate risk clearly and so on. Those are operational or risk metrics.
Business value metrics are how those activities deliver value to the business. A good example of that is let's say (for my more security-savvy folks) ISO 27001. For those that don't know – and this ties directly to Chris's question – it is a certification by a standards body that you can obtain as an organization. It essentially says that you are doing a really good job when it comes to the governance of security within your organization.
That is, to me, an excellent example of moving from not just driving down risk (which it does because it means you've put certain things in place to make sure you have a healthy security program), but then it also becomes a business value metric. Why? Because your partners, if they want to sign a deal with you, might ask you, "Look. Security is really important for us. It can derail our operations. How seriously are you taking it?"
Then you hand them that certification. And it's not the end all, be all, but it's a significant step in the right direction to showing that you have differentiated yourself in the market. That's a really easy example.
I think, more and more, as you move down the tech stack or you get to more technical outcomes of security, I think you're going to see those also start to get reflected in the market as well. I'm actually pretty excited about this because it solves an age-old problem, which is A) the CEO and CSOs (in years past) spoke different languages: one very technical, one very business-centric. But B) whenever the CEO or whomever the board might ask, "Well, how are we doing?"
"Well, we're doing great. No breaches."
"Well, if no breaches, do you still really need all that money?" Right?
[Laughter] That's a tough conversation. Now, with these business value metrics, it makes it an easier conversation.
QuHarrison Terry: When you're building the vision of an environment where there aren't many incidents, there has to be threat vectors or things that you find prevalent.
Kurt John: Correct.
On threat intelligence and business outcomes
QuHarrison Terry: They have different effects on how you set up not only your internal org but even how you communicate the value of the systems you put in place because those are top of mind to you. Are there specific computer incidents that you find right now very forthcoming or eye-catching?
Kurt John: I rely a lot on my threat intel team to show what the general threat landscape looks like and what that means, for example, for Expedia. The other, to your point, is if there are incidents that my security operations team is mitigating or preventing from going live in the environment and blowing something up, then I would also raise those and say, "Hey, look. Within the last 30 days, here are the incidents that we prevented."
I'll say this really quickly. To get to the crux of your question, the way I handle that now is I make an incredibly tight correlation between what my team is focused on and business outcomes.
Let's say, for example, a company is focused on building out stronger partnerships with third parties and trying to drive more automation there. Then all of a sudden, APIs and edge computing are really important to drive that type of business efficiency, and my program needs to pivot as well. Why? Because that's a business strategy that's critical for success, and so my program needs to also pivot with that.
On preventing fraud in e-commerce with the security value chain
QuHarrison Terry: In that environment, just given that you're an e-commerce company and there are tons of e-commerce companies out here dealing with this similar issue, how do you think about fraud and is that a part of the threat vector that you are responsible for, or is that something where you have to work very closely with an internal business unit?
Kurt John: There's some fraud that starts from a security incident. There's some fraud that starts from a misconfiguration, which some might argue is still a security incident. There are some that might start from a privacy incident, which again some might argue is the same, but it's a little bit different.
What it comes down to is a lot of heavy partnership, I have found, throughout at least three to four functions, generally, within the industry. Typically, you see skillsets across those.
The best way to think of it is a value chain. I think of most processes and outcomes as a value chain.
If, as an organization, (for anyone that's listening) you want to make sure you handle fraud really well, then what's the outcome you're looking for? What steps do you need to make happen? Then focus on driving that process regardless of where they may sit within the organization.
There are always opportunities to optimize and shift things around. But what you want is the type of environment where you can get an outcome, find the milestones, and then drive horizontally across the various business units.
On information sharing to prevent fraud
QuHarrison Terry: When you think about the government, the government has this role where they're dealing, obviously, with some of the bad actors at the highest level in this space. But you're seeing so many edge use cases just pop up overnight because you're responsible for this fraud thing. What would a better corporate-government alliance on fraud protection specifically look like in your eyes?
Kurt John: If you're not familiar with ISAC, it's Information Sharing and Analysis Centers. There are a bunch of different types. There's the retail and hospitality. There's the financial. There's electric. These are all intended to be sector-specific groups of companies that focus on specific threats and then share information about it.
What's interesting about your question is that I would argue – and maybe it's more so in the e-commerce/consumer side of things – most businesses are subject to fraud, particularly if you have weak controls. Maybe a better way that comes to mind – and I've never thought about this before, so it's a really good question – is do we need to start thinking about these topic-specific risks that are plaguing, that are running horizontally across multiple sectors and, quite frankly, plaguing a lot of companies and sectors?
To answer your question, maybe it's some type of information-sharing type situation specifically for fraud.
Michael Krigsman: Wayne Anderson, who is another regular listener that also asks these great questions, he has two related questions. Let me ask you both of these because they're connected.
Number one: "In a consumer ecosystem where individuals cannot hold a provider accountable contractually, what to you is the biggest board motivator for a security program's incremental investment?" In other words, what's the argument that you make to boards around the value of security (because us consumers, when providers go down or release our private information, there's just nothing we can do about it)?
Then he also wants to know, "In your mind, how do you group or what are the important metrics that a security team can present to drive board members and business colleague conversation?" I think, to summarize, what he's really talking about is how do we get boards and senior business leaders, executives, to take this seriously.
On explaining the value of security to boards of directors
Kurt John: When it comes to boards, there are two things. The first is you need to find a way to articulate to that board how security is helping to either protect or enable the journey that the business is on.
To the best extent possible, you always want to articulate your security outcomes in the context of the business strategy. Typically, there's an update on the business strategy during board meetings, so for you to come either before or after, and to be able to say, "Well, yes, and here are the steps we're taking to help safeguard that strategy." That's one.
Two, consumers are also getting very savvy. I think boards and just management, in general, are beginning to realize that (especially with the advent of social media platforms like Twitter), things can go south really quickly. Having seen that, I think boards are much more sensitive to how companies are perceived.
I think the biggest driver, which it should be as a foundational item, is compliance. Are we doing anything that's going to land all of us in the jailhouse or testifying in front of Congress? No. Check.
Who are we as a company and are we taking the steps necessary that our consumers will continue to perceive us as advocates of their security and/or privacy? If we are not – and I think a lot of companies need to ask themselves this question – then who are we?
I use the term "individual" because I see companies as having unique cultures and personalities and so on, so bear with me as I use the term "individual" loosely. What type of individual are we when it comes to security and privacy? And how far are we willing to go?
The third is, do we even need to be best in class or are we the type of company that's good at industry standard? Is it best in class? Is it a little bit below? That's a continuous risk conversation that a company needs to have with itself.
I don't subscribe to every company needs to be best in class at all times. There are a lot of variables that you need to consider. When it comes to your colleagues, it's the same thing – just taken down a level.
The overarching company strategy in terms of how security is protecting that, you then need to have those exact same conversations with your counterparts or other business leaders. Here's how we are driving security within your organization. It's very topic specific.
When it comes to security, you cannot make an even spread except for things like your annual security program. You want to create a specific type of outcome, conversation, whatever you want to call it, with specific business leaders.
Then the final thing I would say is you need to be very maniacal about feedback. You have an idea of what it is you want to accomplish. You're going to try your darndest to connect with the board and other business leaders in a way that you think makes sense.
You're going to really push for outcomes that make them successful. But you're not always going to get it right, and so you want to have a closed feedback loop system where you are constantly getting feedback. How did that land? Was it useful? Was it not? And so, I'm a big proponent of business value metric. How are we landing? And then getting that feedback. So, if you need to pivot on that business value metric, then you do.
On investments in security and cost savings
Michael Krigsman: I think it's a good answer. When it comes to the boards, there's no quick and dirty response. There's no magic bullet here, right? It's a matter of convincing the board that they have to make this investment, which is obviously tough because the investment is like insurance.
It's like, "Gee, I think we should buy a lot, a lot, a lot of insurance for this risk," to get back to what you were saying earlier, that may seem really unlikely.
Kurt John: Completely agree. Then one other thing I'll mention is you have to be an incredibly amazing steward of that money.
What do I mean by that? If you're about to get an investment, you need to do two things. A) You need to be very clear and articulate about what value gets delivered when, and set milestones for you and your team so the money just doesn't end up in the ether.
Then at the end of the year, kind of like, "Well, look at this."
"Yeah, but we gave you ten times that. Is that all we got for the value?"
Then the other is that just because you're getting an influx of money doesn't mean that you don't need to be just incredibly practical about cost savings as well. You constantly want to do that.
If there are tough decisions that you need to make in order to drive more optimization and cost savings, you almost need to treat those separately, so you optimize. You constantly optimize your spend regardless if you're getting an influx of cash or not.
On companies adopting GDPR as a standard
Michael Krigsman: We have a question from Arsalan Khan again on Twitter who asks really excellent, excellent questions. He says, "GDPR is a good framework, and we know that the U.S. federal government is not going to jump quickly onto that level of data privacy, so why don't companies just adopt GDPR themselves as a standard?"
Kurt John: The biggest caveat that companies have why they wouldn't just do that is because they would be mostly global companies. I think you'll find that they're U.S.-based companies that primarily operate in Europe or they're European-based companies that will do that in a heartbeat.
But if you're looking at more global companies, you're going to find that they may be more hesitant to do so because one of the challenges is their ever-evolving privacy regulations as you work your way east or west if you're in the U.S., and then not to mention the 50 states as well. For example, I know California just did CPRA. Oregon is looking at one. There's one in Virginia as well.
Companies, I think, are hesitant, and what they end up doing is they try to find the common denominator and solve for that until there's a more predictable regulatory environment. I think that's maybe the key takeaway. In the absence of a predictable regulatory environment, companies are going to try to do the common denominator in order to avoid wasted funds because if you optimize for GDPR and then a state or two or maybe a federal law in the U.S. comes along and sort of tosses it on its head.
QuHarrison Terry: You know Mike Tyson has a saying where he says, "Everyone has a plan until—"
Kurt John: You get punched in the face. [Laughter]
On the imperfect nature of security systems
QuHarrison Terry: Exactly. Exactly. I want to start to amplify this conversation a bit. As the chief security officer, you can build a security system that's really damn good, but there's no system that's perfect. When you do have an intrusion or you do have something that goes further than you would like, what goes through your mind?
Kurt John: One of the things, as a chief security officer, you need to be able to do is to figure out how to fail fast and fail gracefully because nothing – as you alluded to, Qu – is pitch perfect and something will go wrong. When it does, you don't want to languish and sort of tumble. You need to be able to fail and then recover as quickly as possible.
One of the things that I focus on as well (and this is, again, not just for Expedia, but just something to do well within the industry) is you need to constantly be evaluating your ability to fail quickly and recover quickly. I think that honestly is the biggest difference between companies that handle a breach well and others that don't because if a nation-state decides to come after you, there's very little you can do to prevent it.
I was at a CISO conference this week, and someone asked the question, "Do consumers really even care anymore, though, that breaches happen?" I said, "Well, okay."
The question wasn't for me. I was an audience member, but I kind of spoke up. I said, "Yes, maybe we are desensitized a bit as consumers because there are breaches. Every day, you're reading about something different. But it doesn't mean necessarily that consumers don't care."
The trouble that companies get into has shifted from a breach has happened (that's expected these days) to how does a company respond to that breach and what is their communication like. To me, that is also a part of your ability to fail quickly, fail gracefully, and recover.
On the importance of security post-mortems
QuHarrison Terry: There's one thing that I will say. When I worked in security, one of the things that we got really good at that I think helped us out a ton was the post-mortem and the art of the post-mortem. One of the things that we did a little bit differently was we always led with the implemented fixes.
Oftentimes, you have your post-mortem, and that's right after the event. You're saying, "What could we do better? What did we do wrong?"
We led with the fixes and the solutions. Even if they were in development, we started there. Then we started to delve into what the mistakes were and what we can do to do better moving forward.
What does the post-mortem process for your team look like at the highest level?
Kurt John: I would say it's no different from how it should be done. The question then becomes, for me, the fundamental questions I ask are what just happened and how did it happen.
Even if you don't necessarily know completely what the adversary got access to, typically you can get to the how fairly quickly. What you want to start to do there is try to figure out whether there are other areas within your environment that replicate this type of misconfiguration or vulnerability that you need to start looking at really, really quickly. It's always putting what happened in context. Then, simultaneously, you obviously need to work on what was accessed because there might be some reporting requirements.
But for me, it's all about figuring out the how so that I can stem any type of subsequent breach that might happen. But then, after that, I need to get into fixing mode really quickly and be able to communicate clearly to the board and others that might need to get that information.
On advice for new CISOs
QuHarrison Terry: If you could go back in time – let's say you have all the information that you now know today – what would your younger self do? I'm talking about you just got this job. You're brand new into the role. It's the top of the year. There are a lot of people that just got new titles, titles changed, elevated, and they're sitting in the hot seat. They haven't gotten punched in the face yet, so what advice would you give to them?
Kurt John: There are probably four or five things. I hope I can remember them right because the thing about getting into a seat like this, it could be really, really overwhelming.
There are a gazillion different things happening. Everyone needs your time. Especially as a new CISO, it's really hard to filter out the signal from the noise.
The advice I would have is make sure you're incredibly clear about your objectives and key results, and always come back to them regardless of how people randomize you. That's what you're looking to deliver.
The second thing is, in the security field, there are probably five things. There's awareness and training to try to reduce the likelihood that your user population does something silly. There's endpoint protection just because most people click on stuff and you just want to make sure.
I use the term endpoint loosely. That includes servers.
There is vulnerability management. You want to try to spot and get rid of those vulnerabilities as quickly as possible.
Then, to the extent that you can, there's also identity and access management.
If you can nail those four, I think you are in a much, much better position than a lot of other organizations, quite frankly. Then you sort of build from there.
Figure out what your foundation is. Build some OKRs to those. Then that is your North Star. You are working on that religiously and let the noise come and go. You just focus on delivering on those.
Michael Krigsman: Chris Peterson earlier had asked a follow-on question regarding the ecosystem. He says, "How does Expedia—" But I'm going to generalize this "How does security and IT deal with partner issues like when Southwest Airlines had their disruptions around Christmas?" But to generalize, what do you do (or what should one do) when partners have a security meltdown and the data is leaking and you're involved because of that?
Kurt John: What should you do? Hopefully, you're left of boom. This is sort of the industry term for when something happens.
If you are, you want to start fostering relationships with your key partners today. Share information. Share policies. Find out – get reporting both ways and so on. That's what you want to do then.
If it's right of center and something has already happened, you also want to truly be a partner. Lean in with your resources and see and ask how you can help.
That's in both directions, both you as the primary person, and maybe there's a third party. But if you're a third party and there's a primary, you also want to do that because, again, without all of us with kind of skin in the game, we're not successful. Build strong partnerships, active partnerships.
On the role of AI in security
Michael Krigsman: Arsalan wants to know, "What about AI and the role of AI in security, maybe even using AI as an advisor to the chief information security officer?"
Kurt John: It came to my attention that someone forked ChatGPT and started doing some analysis and some development around that type of capability with security. It's interesting because it would do something sort of like reverse engineer the malware that just came in and put the indicators of compromise in the system and so on. Basically, you just told it generally what to do, and it was able to do all of that.
I absolutely think there is a place today, and it's going to be an even bigger place in the future for the way AI is going to help abstract a lot of the complexity of security and allow us to focus on outcomes. Now, some people might hear that and think, "Well, jobs are going away." I disagree. Security is a very complex space, and I think what this does is free up very limited resources to work on more complex and interesting business problems.
Michael Krigsman: We have a really interesting point from Karrie Sullivan on LinkedIn. I'm going to ask this one to both of you because this question gets caught right square in between you both. Okay?
She says, "Great 'Growth Mindset' thinking. Security is about human behavior as much as it is about having great technology. Getting stuck in the crisis and letting a breach languish is never the right answer. Post-mortem and continuous improvement are as much about improving the barriers but also the people reaction and response."
And so, this is my question to you both. It's this growth mindset with security that, as far as I can see, drives – or it's growth mindset within the business that helps create the conditions that drive all the breaches and drive the fact that my personal information is out there on the Web. Qu, I blame you, and, Kurt, apologies, but I have to also blame you (as representatives of your sort of separate breeds of growth mindset, growth people, and security people).
QuHarrison Terry: I am sure you might have seen it, but Gen-Z is very much into this. We all remember growing up with these. Kurt, do you remember this phone?
Kurt John: I do remember that phone.
QuHarrison Terry: The crazy thing is, this is a BYOD phone that you have to worry about now. No, I'm serious. Flip phones are back.
On the flip side, this is also the same device that you have that you've got to worry about. And the bad guys, the bad actors, they're on both. This is actually probably more simple, so it's easier to infiltrate a network.
We oftentimes don't even think about it, and so, marketers, we ruin everything. We always see the emerging trends, and we comment. We don't think about privacy. We don't think about data. We just use it because we want the look. We want the press. It oftentimes falls in your lap on the security side to fix it.
But when I think about the people notion, this has always been true historically. What was old once becomes new. What is new once becomes old.
It's just fascinating to see, now in a more connected landscape, how those things can even play into a competitive intelligence. They can play into threats and security risk and vulnerabilities.
But the way I'm going to pass this back to you, Kurt, is how do you think about that because AI is cool today, but I remember an era where voice was all the rage. I remember an era where blockchain and big data were all the rage. There's always a hyped trend, but you are responsible for keeping it all within the same vessel and making sure that engine goes forward.
Kurt John: The technology might change but, to the point of the person who asked the question, you can swap out the technology but, in essence, what you're looking for from your user community is the exact same thing.
First of all, security is job zero. Second, are they advocates or champions for security? If they're not, they need to start more on the awareness training and just engagement level and feedback level to try to drive that culture.
Then, from my perspective, it also comes down to diversity and that growth mindset. The growth mindset speaks for itself. How can I learn, evolve, grow in order to be better and respond better to these types of issues?
Then diversity. I'm talking ethnic, cognitive, you name it, every type of diversity. One of the things that's pretty interesting about security, it's a very creative field.
Two people could sit and stare at the same thing. Just because you had a spark of inspiration, you can figure out how to solve this issue where someone else might not.
Yes, it's technical, but also there's a certain level of art to it. Whenever you're in a situation like that, you want the type of team that has very different backgrounds. When they come together, they're greater than the sum of the parts.
I would say it's a combination of culture, which includes that growth mindset, as well as diversity.
On the impact of security and trust in the travel industry
QuHarrison Terry: What is the impact that you've seen from the application of IT security on the travel industry at large? Thinking before and after, and largely because of some of the practices yourself, colleagues, and partners have put in place that has led to new environments for us all.
Kurt John: I would say it's the ability to care deeply about your traveler and the experiences they have. Part of that experience is not just being able to see the Grand Canyon or Christ the Redeemer Statue or whatever else it might be. It's them having the confidence in sharing information with you and trusting you that you could facilitate this experience in a way that helps them have a better outlook on life after versus before taking that trip. I think it's driving and trying to continue to build the confidence with our travelers and our partners.
Michael Krigsman: With that, I'm afraid we are out of time. A huge thank you to Kurt John and to QuHarrison Terry. Thank you both for doing this today.
Kurt John: Thank you for having me.
QuHarrison Terry: Likewise.
Michael Krigsman: A huge thank you to our great audience. You guys are so smart. Thanks so much, everybody, for watching.
Before you go, be sure to subscribe to our newsletter. Hit the subscribe button at the top of our website. Subscribe to our YouTube channel. Check out CXOTalk.com, and we will see you again next time.
Have a great day, everybody.
Published Date: Feb 03, 2023
Author: Michael Krigsman
Episode ID: 777