Podcast: Achieving Security Maturity
Demetrios Lazarikos (Laz)
March 18, 2022
Sean Martin 0:03
Alright, here we are for another story here on ITSP Magazine. I often wonder what defines success for a story. When we produce, is it the number of people that listen to it? Is it the number of people that respond to the story? Is it all of the above? Does it matter? Do we have to measure to figure out if it’s successful or not? The same is true for information security and security programs, and ultimately the maturity of an organization when it comes to managing their security posture. Today, we’re going to talk about measurement and maturity of programs and connect that all to the business. And who better to do that than our good friends at Blue Lava. We have Laz and Andy Hoernecke and we’re going to dig into the Blue Lava Cybersecurity Maturity Model. Laz and Andy, thanks for joining us.
Thank you, Sean.
Sean Martin 1:48
So, before we get into the “what,” let’s learn a little bit about the “who.” The first part of the “who” is who you two are, and then we’ll get a quick word on Blue Lava. Laz, I’m going to start with you. Provide a brief background on how you arrived at Blue Lava and some of the things you’ve done leading up to this point.
Alright. Thanks, Sean. Yeah, so my full name is Demetrios Lazarikos. But, I go by Laz. It’s easier but I answer to either Demetrios or Laz. You know, I’ve been in the security space for over 30 years, and have been a CISO three times. I think, as Andy and I were talking early in our careers about these problems: How do you measure a program? How do you actually show the business where the biggest risks to revenue and the biggest impact against the business is going to be when you’re making security investments? I’ve been working on a number of levels, with business leaders and security leaders and security professionals throughout my career. We will talk about this in a future podcast. But, when we founded the company, I think the thing at the core was, Andy and I are operators and when we looked at it through the operator lens, we said, “Hey, this is missing,” and we’re going to talk about what “this” is here in a minute. But, the key thing is, we looked at it not only as security leaders and security practitioners, but we also looked at it as business leaders through a business lens. What we wanted to do was, we wanted to take the biggest pieces of business, impacts in business investment, and align security programs and program management to those. That’s what we’re doing at Blue Lava. We’re giving people a way to measure, optimize, and communicate what they’re doing with their security program in the language of the business.
Sean Martin 3:03
Love it. I can’t wait to get into this and many more conversations with you and the rest of the team. We’re on now to Andy. Andy, tell us a bit about your background and things you’ve worked on. It’s all important in this context.
Similar to Laz, I also have a background in security. I started out as a consultant. So, I worked for a lot of different companies, especially in the app realm, which I’m sure everyone is aware has really evolved a lot over the past 10, 15, 20 years. It’s kind of been an ever-changing and ever-growing experience of adapting and figuring out how to tackle the new trends, the newest attacks, and the newest threats. After I consulted for a number of years, I ended up kind of moving into internal roles and crossed paths with Laz. We’ve worked together a number of times before, built different software, and tried to tackle these problems internally at different companies. We found that there were just some things missing. There was not a great roadmap for building and scaling a security program to help kind of guide the way as security has evolved over the past couple decades. We found that we’re in a situation where no one can really be an expert in all of these different domains and all of the different areas of security. So, having a model that helps guide you, through all of the different areas, we thought was really critical to start with. We put you on the path of being able to effectively measure and then optimize a security program within the company that you’re working for.
Sean Martin 4:52
Yeah, phenomenal. Laz, I’m gonna kick it off with you. Because maturity doesn’t just mean you’ve run a program for a long time, right? And then it has an established team. It’s much more than that. So what is “maturity?” What does the maturity model mean, specifically around cybersecurity? And what’s missing from most businesses today in that context?
Yeah, so there’s three things to unpack there, Sean. I think the first one is, “why a maturity model?” This is what I learned on the maturity model. I have to know where I am and where I’m going. That’s number one; as simple as that. I have to know where I am and where I’m going. We know security and compliance are not the same. I could be compliant but not secure. In my security program, I have to know where I am and where I’m going. The next part of that is, “What am I willing to accept as a business?” If I understand where I am, where I’m going, and how the business is operating, I can align my program to those business objectives. If I don’t understand those business objectives, I’m going to be out there at sea without a rudder. Without a light, you know, a guiding light – my North Star. I have to have something to measure what I’m doing with my program. Maturity models have been around, you know, we didn’t design ours in a vacuum. We went out to the community. The company, the platform and the content on the platform at Blue Lava…everything we’ve been doing at Blue Lava, since the very early days, has been built with, by, and for the CISO community. Our teams, our operators, our customers, our customer’s teams, everybody that’s been working with us, since the very beginning, have all had input into the model and the data and the supporting workflow. Those are three areas, when you ask about building a model and looking at maturity and trying to figure out where you are and where you’re going. I think it’s important to understand that, because we wanted to give everybody a different view. We want to give everybody the data to look at, “Where am I today? Where do I need to be next quarter? Where do I need to be, you know, two quarters from now or a year from now,” speaking the language of the business and being able to take that and measure how I’m doing and how I’m performing and where I need to make investments with my program.
Sean Martin 7:37
Andy, I need you to talk to me a little bit about how you begin to build this model out. A lot of conversations I have, or at least see online, in terms of what people think is success for their security team is the number of patches they get through or that they blocked that patch before it became a problem. It seems very practical but, maybe not the best thing for the business. So, tell me how you look at the data you need, how the team operates around that data, and how that data connects to the business in the context of building out this model.
To your point, patching is critically important and I think that’s a really good example of something that obviously an organization needs to build into their security program. But, just looking at the number of patches you have put in place or been able to take care of isn’t a good way to measure your overall program. When we founded this company and we started building the assessment, we initially were looking primarily at the NIST Cybersecurity Framework because that is kind of where all the companies were moving. What we found was that, although NIST is a really great lens to look at the different functions of your security program (Identify, Protect, Detect, Respond and Recover), it doesn’t really go into the detail that you need in order to understand if you’ve built an effective and mature security program. It doesn’t really ask about the specific people, the process, and the technology that you put in place…or whether or not you’ve operationalized them or whether you’re leveraging them effectively. That’s really where our starting point was. How do we do that? How do we make that connection between what the security function within an organization is doing, who they’ve hired, the processes, the technology, and how they are working to protect the business? Going back to your patching example, if I say that I put 10,000 patches in place this week, that’s great, but that’s one measurement in time. Maybe, I just had to stop the entire engineering department’s efforts for two weeks in order to accomplish that because we were so behind. You know, maybe I’m doing it once a year but I’m never going to repeat that more frequently than that.
The lens that we wanted to take when we built the maturity model was really around, have you built an effective program that can support the business on a sustainable, prolonged basis, and if you haven’t, how can you improve in each of the different areas in security, that are tied back to, as Laz said, “The risks and the business objectives of the company?”
Sean Martin 10:42
And last, how does an organization look at this model that you’ve built? Do they put it in their existing environment? Do they start from scratch and say, “Here’s the baseline that I should at least start from. How do I get there,” or do they look at their own environment and say, “This is my baseline, I’ve gone too far in some areas. I need to step back and head off to the right or to the left and then forward,” or is it both depending on the nature of the business that’s being managed?
Well, I think there’s two parts to this, actually…there’s probably three, but I’m going to consolidate them. The first part is, I have to build a baseline. I have to understand what I have and what I don’t have…whether you’re a new CISO, or you’re an established CSO in a new CISO role…everybody wants to understand what they have and what they don’t have. In order to do that, it’s essential to build a baseline. You build that baseline, then from there, you can start sifting through the data and looking at what is important to the business. Because each business is different. Each industry is different, right? Like, you know, retail may be worried about point of sale terminals and internet facing applications. FinTech companies may be worried about internet facing applications and sensitive information about product roadmaps and go to market strategies. Oil and gas may be concerned about where the blueprints are, or the topographical maps, you know, for anything that’s going to happen over the next 40 years on an oil project. Each industry has different business drivers and it’s important then to understand your baseline as it maps to the business. Once you have that, you can start assessing and looking at things by data, by infrastructure, by application, by project geography, and then start making decisions. You know, M&A…you’re going to acquire a new company; wouldn’t it be nice to have that baseline before you acquire the company? Have it to see if they are mature or not, where you need to make investments before you tie that infrastructure into your existing environment, etc. So, that’s part one. Part two is once you have the data, then you have the opportunity then to focus on those key areas for the business. What I like about it, is using that approach on maturity, and Andy hinted at it, it’s kind of like, “Do I really need to be at the highest performing level, my company or my industry?” I’m not saying you know, you’re cutting corners.
What I’m saying is, we’re making business investments about what’s important to that organization and in that industry. I think it’s critical as security leaders and as security practitioners, that we do more with data around this. I’m not talking about speeds and feeds and taking our data and, you know, our web and blocking OFAC countries. What I’m talking about is understanding how the company is running, how it’s operating, and then mapping our program to that. Here’s a great example, if you’re running an organization and growth is supposed to be 20 to 30%, you know, for the year over year over the next two to three years…and maybe it’s going to be organic, or maybe it’s going to be through acquisition…having that type of data upfront after you build a baseline and being able to say, “Okay, if I’m hitting my target goals as a company, where do I make these investments now quarter over quarter?” If I’m not, what areas can I consolidate? And why is it always security that’s the one at the table saying, “I need security as a team sport”? I have to be able to go across the organization and influence everybody so they understand what we’re doing with the program, and then also where I need help, support, and investment around people, process, and tech. First part recap, I have to build a baseline, I have to understand what I have and what I don’t have aligned to the business based on my business needs, my industry, my specific company. Second part of that, I have to be able to speak to everybody across the organization, and align what I’m doing with those business objectives. Now, I have that ability to do that after I build my baseline; it’s just a different way of looking at the data and a different way of presenting it to the executive staff, the board, the audit committee, and the analysts or you know, any of the business teams.
Sean Martin 15:35
And then…No, jump in Andy.
Yeah, I was gonna jump in and just say, I think those are all great points and just to expand a little bit on that…something that’s kind of implied in what Laz was saying, you know, we felt like before the Blue Lava CMM, there wasn’t a great way to get that baseline and especially not to get a consistent baseline. So, if you had multiple business units, if you have multiple divisions, if you wanted to be able to measure and compare them in a meaningful way, that was very challenging. In our experience, the way that security programs tended to be measured was either through the lens of compliance, which we all know isn’t sufficient to really secure your organization, or through a framework, like a cybersecurity framework, where you’d have consultants come in and do a risk assessment for your organization. But, those tend to be very one-off and very unique. Even if you get a different contractor year over year, your scores might shift. The questions that they asked may be different and so it’s really hard to get consistency within the organization and also over time. I think what we felt like this was leading to was a situation where security teams by nature just end up being very tactical. They don’t have anything to kind of point to as far as a North Star that’s guiding them. Therefore, they’re just in firefighting mode, figuring out, “What do I do today? What do I do tomorrow?” They can’t look ahead any farther than that. An example that I can give is, when I was at Netflix, my previous job, we focused a lot on building automation. It was really a challenging place to be as a forward facing company, because there was no kind of framework to help us show what is the next thing that you should build to do better in account takeover. What is the next thing you should build to do better in your vulnerability identification processes?
We were very reliant on the skill-set of the team and what the team had as far as their “experience bank” that they were coming with and kind of this tribal knowledge from the community of people at companies that we could talk to and say, “Well, what are you guys seeing? What are you guys working on?” That was kind of another big driver of building this capability maturity model, when we started Blue Lava. It was to have this documented roadmap that would take a company that may just be starting out in and say, “Here are the first couple things you can do. Here’s the first six months that you can do to start building up this program.” But, then would go well beyond what compliance takes you to and also show you what are the cutting edge things you can be doing in a couple years so that you have something to be working towards. To Laz’s point, account takeover, application security, or network security…those things are critical to the survival of your business and being able to meet those objectives that your business has set.
Sean Martin 18:48
Laz, I want to turn to you because I mean, we can look at an example like Netflix and say I’ve seen a gazillion presentations focused on security from that organization. Clearly they get the value of investing in security.
Yeah, not only are they bold about it, but they’re releasing open source software. They’re sharing information. You’ve seen it. I think everybody here who is listening has. If you haven’t, I invite you to collaborate with us. I mean, you know, yeah, they’re the Titan, right?
Sean Martin 19:21
Right. So, the reason I’m pointing that out is some organizations clearly aren’t that size of company and don’t have that level of maturity yet. So, my question to you is, “Do you have to be mature to leverage a model or start small and what are the questions you would ask?” Because you have to feed the model with data, right?
Right. Good topic, Sean. I think so. There’s a couple things here. Like Andy mentioned, we’ve been talking about this for years. And you know, in a future podcast, we go to the founder series with Julia, we’re going to talk about why, right? The business and the method…building that bridge to tomorrow requires business in security. So we’ll talk about how that started in the future podcast for the founders. I think we looked at it and said, “Every company is worried about their program today.” And it’s just the way it is. The board, the investors, the executive staff…it doesn’t matter if you’re a 200 person shop or you are a 200,000 person shop. Cybersecurity is a topic of discussion at the dining room table right now. It’s affecting everyone and when we look at it through that lens…we’re trying to do and demonstrate something that’s never been done before. We’ve been told we’re pioneers in this space and that’s a great compliment. But, being a pioneer means that you, as a user of the platform, you as a recipient of the data and looking at it, you have to also be working to think about things differently. So, when we talk about that, when you think about the data, and how you have that, I can be a small organization, or I could be a large enterprise, I have to start thinking in those terms. Where am I today? Where am I going tomorrow? How am I going to get there? How will I fund it? What is my target objective? Why am I trying to reach that objective? Then work backwards from that goal. And you know, you’ve heard Andy and I mention this, we’re looking at it through a business view, and then working backwards with our security program aligning with that business view. And when I talk about what I have and what I don’t have in those requirements for your modern day security program, I want you to think about that. It’s not that I have to go invest in a tool. Andy also discussed being tactical, it’s not about being tactical anymore.
It’s about pulling up and realizing that I’m not an expert in all areas of security anymore. I’ve got to rely on other teams and other business leaders, and cloud architects, and data transformation, and digital transformation teams to be part of this. When I look at gathering that information, and looking at my model, and putting that information out there in a report, the way that we’re seeing success with our customers and in the industry is by democratizing security. What I mean by that is giving people the ability to answer questions about what’s happening or not happening in their organization. Collecting that information and bringing it back and reporting on it at any level of the organization. Validation is occurring, whether it’s internal peer validation or it’s our system with the proprietary algorithms, showing them – here’s what I have, here’s what I don’t have, and this is why you should care.
Sean Martin 23:13
And I want to go to Andy, because, Laz as you said, it’s not about being tactical and I’m going to say it’s not tactical, it’s practical. You touched on this being built by and for the CISO community…for the business. One of the things that we can all look at is NIST or an ISO and say, “A great place, perhaps if you know nothing, to start.” But, those don’t evolve quickly, or much at all, really, in the context of threats, business change, and technology change. People change, working from home, pandemics and things like that…they’re slow to adapt. So, can you talk to me about the role of community, the value of just in time or real time adaptation of the model to the business, driven by the community, and by the changes of leadership in the company perhaps even?
Yeah, definitely. I mean, I think that community aspect has been a driver for us since the very beginning. Part of that goes back to the conversation from earlier around previously, the way that security programs measured compliance and the other frameworks weren’t well aligned to the operationalization or the operation of the security function within the organization. A common example that I will give is, at various companies I worked at we needed to do a PCI assessment and the way that that would work is some consultants would come in, they’d ask some questions, and they’d write a report. There might be a couple minor things that had to be tweaked in order to remain compliant and then that report would go on a shelf for 12 months – wouldn’t be thought about again. We really wanted to build the model that represents the gold class standard from our community and the security community on how do you build an effective security program. That’s really where we started. We got input from people who are experts in every one of these different disciplines in the security model. To your point, you’re exactly right, a lot of the frameworks that are out there today are slow to evolve and that’s another thing that we really wanted to avoid. We are constantly working. We have a team that’s dedicated to the upkeep of our content. We’ve found that is one of the most important areas of our business and something that I think we even underestimated at first…how critically important it is. But, we’ve made a ton of investments in making sure that our content remains up to date, accurate, and evolves as the security threats that companies face evolve. That’s definitely not something that can be underestimated. Again, that’s something that we have really strived to work towards, from early days.
Yeah. And on that, Sean and Andy, I think it’s critical to understand the frameworks are awesome. I used to be a QSA. I used to work on some of the early revs before they were published. You know, I love them, they’re a great foundation, but they’re not a security program or program management for your security program. If you’re measuring performance, and you want to know where you are and where you’re going, frameworks give you a good foundation. But, it’s not really the same thing as running a program. And what I mean by that is, the framework that you may be using may only scope in certain things, during a certain period of time, we’re talking about a holistic view of your security program. We’re looking at it by running it as a business unit. Security as a business unit.
Sean Martin 27:08
And then I’m going to stick with you Laz because one thing that comes to mind is, as we talk about this standard framework that’s been set for a while you can put a definition of your program around that. Even something like a PCI or a SOC 2, it’s fairly well defined. It gives you something to talk about. I’m showing that something may be dated, right? And scope might not be the full picture. Something that’s real and connected to the business and changing with the business – how do you leverage your model to have that conversation? But not getting into the weeds…you’re going to lose everybody when you’re doing that.
Yeah, Sean, I didn’t mean to cut you off. I just got excited about this topic. Sean, you’re hitting it. You’re right on. It’s like everybody says, “Are we FedRAMP? Do we have our SOC 2? Are we PCI, HIPAA?” It’s like, yeah, that’s great but, that’s a snapshot in time. And what we’ve had to do when you’re building a bridge to tomorrow is you have to bring people along – and we brought people along. That’s why you’ll keep hearing about the community at Blue Lava – with, by, and for the CISOs with the practitioners. It has become essential as part of our mission, as we go down this path of giving people the data that they need to be successful. We are educating them, the board of directors, and everybody on the executive staff about the need and the difference between having a security program and having a compliance program. Compliance should be the output of your security program. Now, I know people will disagree with me. Love or hate that term but, here’s the reality…It’s our fiduciary responsibility as security leaders to understand what I’m doing with a modern day security program, something that’s relevant today to my business, not something that’s sitting on a shelf for two or three years and not being updated. When Andy was talking about the assessment that ran for eight months. We have to be cognizant of what we need to take to the business because they are asking us to level-up and give them the information that aligns to the business. And you know what, Sean, here’s the deal. Andy and I will speak freely about this all day long. We talk about it. We’re practitioners, we’re former security leaders, and analysts. Most of the team at Blue Lava have that background. We’re all former practitioners and operators. I’d invite everybody to look at the Blue Lava homepage or our LinkedIn page. Enterprise Strategy Group (ESG) and Gartner are talking about what we’re doing and why it’s special, why it’s different.
I’d invite you to look at the Blue Lava website, I’d also invite you to stay up to date with us. You can reach out to us and you can comment. We’ll respond. Like Andy mentioned, we’re active. And we’d invite you to learn more about what we’re doing.
Sean Martin 30:34
I love it Laz and I can sense the passion. I’ve clearly had many conversations with both of you individually and together on this topic, and many more. There’s no question that we need to…I’m trying to say we need to have a modern day means to build a modern day security program. I think we’ve reached a point today where CISOs got the role but they didn’t know what the role was, right? They formed it and defined it over time. They began to measure things that they did over time and those things changed. The world has become more complex. I think we need to take a step back, look at the frameworks we have, look at the Blue Lava model, and how we can connect that together with the frameworks. Most importantly, how we connect that to the business. I’m going to give Andy the final word here. Can you give me one example? Just put the fine pen on this for our listeners. An example of where this has produced something incredible for an organization? They got budgets, they made a decision that helped them generate more revenue, something that you can pull on that says, “This is why this matters.”
I think I could give you a lot of those examples. I think what you mentioned, budget, finding the right team, those are kind of the baselines we see in just about every one of our customers, right? I think one of the things that I would say I am most proud about is looking at a customer who is a very complex organization – multinational, many different business units – and seeing them running 40-50 assessments. For the first time they are able to give a comprehensive, holistic picture of their security program across their entire organization. I think that is really one of the things that I’ve seen over and over again. Every company struggles with being able to provide not only the details of their security program in every business unit, in every country, but to be able to tie it back to the individuals…to be able to have that information coming from the individual contributors, the practitioners who are working on the ground. You know that the people who answered those questions know what they’re talking about and are giving accurate information. I think that is one of the best things that I’ve seen. It is just really leveling-up the ability to have accurate and actionable information. Because that’s kind of the whole hypothesis of this entire experiment that we’ve been running, which is that the data hasn’t been there before. Without the data, how are you going to make decisions? How are you going to figure out how to optimize and align to the business? It’s going to be very difficult, which is what we’ve seen. I think those are the types of stories that I’ve been most happy about. It’s really being able to see very complex organizations be able to simplify this in a way where they can communicate the information up to the executive staff and up to the board in ways they’ve never seen before. They have that kind of “lightbulb moment” where it’s like, suddenly I understand.
Sean Martin 34:12
Yep, I love the lightbulb moment. I know that you have an ebook that’s available that kind of walks through some of this and really connects the content coming from the company, from the team inside, to help drive this because they are the business, right? The people running the company are the business and they have the view into what matters. When you have that information, you can make better decisions on how to map your security program to that. So, I want to take this moment, Laz, any final thoughts for me before we close?
Yeah, I love the discussion, Sean. Final thought is you have to build that baseline. You have to understand the data and then from that information, it’s critical to build those projects and align to the business. I would challenge everybody to start thinking about that in business terms. I know we’ve been talking about it for decades. But you know, it’s 2021 and we have something that works, and we want to share it with the world.
Sean Martin 35:20
I want to thank you for sharing your time with me and our audience to have this conversation about what it means to have maturity and a way to measure it, starting with a model and even before that, starting with a baseline. Laz and Andy, I appreciate it. There’ll be links in the show notes for the ebook and other resources that we love to offer. I’d even put Laz’s email on there. I’m kidding. I know you’re very responsive, but there’ll certainly be ways for you, for the audience, to connect with you and the team.
Awesome. Thank you. Thanks, Andy. Thanks, Sean. Thanks, John. Thanks. Alright. Bye.
Transcribed by https://otter.ai