Sep 29, 2024
Episode Description
In this conversation, John Hathaway, VP of IT Security at Cambridge Savings Bank, discusses the evolving landscape of cybersecurity, the importance of understanding security blind spots, and the balance between security measures and productivity. He emphasizes the need for continuous education, the challenges faced in cybersecurity today, and the role of AI in shaping future security practices. Hathaway also shares insights on leadership decisions, the stress associated with security roles, and offers advice for those looking to enter the cybersecurity field.
Edie: Hi everyone, and welcome to the Hands-On CISO podcast. My name is Edie, and today we'll be talking to John Hathaway, who has a long history in IT. Today John is the VP of IT Security at Cambridge Savings Bank. John has over a decade of experience in tightly controlled industries, including healthcare, banking and travel, so hearing his perspective can definitely teach us a lot. How are you doing today, John?

John: I'm doing well. How are you?

Edie: I'm great. So I'm really interested in hearing about this. This is your first official, or not the first but one of the first official security roles you've done, but you've done security for quite some time. So tell us, how does that work?

John: Yeah, so this is my first role dedicated to IT security. My background is really as an IT operations generalist, whether I was the hands-on practitioner or operating in a leadership capacity. Pretty much all the facets of IT, whether it's cloud, systems, infrastructure, help desk, security, risk, compliance, everything that had IT purview, were things that I had dealt with. Today, where I am with Cambridge Savings Bank, this is my first role that is really dedicated to the security function, and that can certainly go far and wide.
Edie: Perfect. And what does your day-to-day look like now?

John: Day to day is much like what I think a lot of IT people will tell you, because again so much of my background is just being in IT in general. I don't think the day-to-day is ever really the same, which is part of what makes it attractive, makes it not boring and keeps us on our toes. Things range from dealing with audit requests (as a bank we deal with a lot of internal and external audits), to dealing with various teams internally to address things like a website getting blocked, where we have to address our content filtering and make sure that the URL is safe. We work on various projects to implement more secure and stringent baselines, such as the most up-to-date CIS Benchmark, and ensure that it's implemented across our environment properly. It's really a little of everything, and there are times where we may even have an incident akin to the CrowdStrike incident recently, where we wake up and all of a sudden we're tasked with having to handle something that reaches that degree of criticality.

Edie: So what made you interested in security in the first place?

John: Security in and of itself is very interesting because it has an ever-evolving landscape. The threats that people face, it's a cat and mouse game. The vulnerabilities become more complex, and the solutions and the things that you have to do to protect your company against those threats are ever evolving, much like in IT, where we're not just dealing with on-prem infrastructure, we're dealing with cloud and how that's evolved. So I think the interest in security was much like the interest I had in pursuing leadership roles after doing hands-on work earlier in my career. Having done hands-on and leadership in IT operations, security has become a very hot niche, and I've decided that, from what I've dealt with in my career, that's something of interest that I'd like to dive deeper into, because it's something that I just have a greater interest in at this point.

Edie: What made you decide to get the certifications you got, and to really keep learning and digging deep, although it wasn't technically something you had to do?

John: Well, I think as a professional, really in any capacity, the certifications and such are, for me, a function of just continuous learning. It's continuing to stay abreast of things and continuing to stay relevant. So my inspiration to get my CISSP is something I've been wanting to do for a long time, and where I've entertained the prospect of potentially getting into security as a specific niche, I felt like with my 20 years of experience in IT, having that and having the CISSP was going to provide a really good foundation for me to be considered for roles. So with that, things happened pretty quickly. Having gotten my CISSP back in April, I found myself at Cambridge Savings Bank in my current capacity just a couple of months later.

Edie: Amazing. Now that you're wearing the security hat, do you find yourself feeling more often like the bad cop, or like the person who needs to be the one saying "we can't do this, we can't do this"?

John: Yes. Unfortunately, it comes with the territory. But to really qualify where I come from on playing the bad cop: I like to find opportunities to say yes. I like to find opportunities to help people achieve what they're trying to do, because there's no question that security becomes a detriment to productivity. But unfortunately it is a necessity today, and it's been a necessity for quite some time. You just have to have a pragmatic approach to how you go about solving a problem, which could go into any number of different specific examples. So if you have to say no to something, it could actually just be that there hasn't been a solution properly vetted yet, and you can't just throw it in because you have a deadline that was yesterday.

Edie: Interesting. Have you ever been... well, you haven't necessarily been in security in the other companies, but were you ever aware of a serious breach or security incident that happened in one of the companies you were working at? Obviously no names or anything like that, but how was it coped with?
John: Yeah, so to clarify, I really have actually served in the security capacity in terms of my generalist IT operations background; it's just that I haven't worked for a company as large, where the scope and scale of IT really had a requirement for a dedicated security team. But yeah, I dealt with an incident where there were a number of 365 email accounts that were compromised, and it was largely just because the company I worked for had a different perception of how well protected they thought they were. The resulting fallout from that was really having to work around the clock to implement a number of different things, whether it was writing a WISP they didn't have, implementing mobile device management, and pen testing and vulnerability management, because they just didn't have any of these programs in their environment. And it was at the same time that they were actually in hot water for other reasons. So to bring it all together, in light of that email incident where the accounts were identified as being compromised, it was basically having to fast-track a tremendous amount of work and projects that typically take a lot of time, and that was just not a very fun endeavor for anybody.

Edie: That sounds like quite a stressful period to have. Interesting. So do you think it's common for companies to assume they're much safer than they are?

John: I think so, and that's just because sometimes the business really doesn't have the advocacy or the presence at the key leadership positions in their company whereby the real awareness and education, and telling it how it is, would really be put in front of them so that they could actually truly understand. So some organizations have IT security, or data security, or just security in general, adequately represented within the leadership ranks, and other companies don't.

Edie: And when you look at it now, and even in the past, how do you view education versus putting controls in place? What is the balance between "I'm going to teach my people to be extra safe and to think about security and do all the right things" and, on the other hand, "I'm going to make sure that technically there is as little chance as possible for someone to make a mistake"?
John: Well, for education you really need to try to make it relatable. You can't just throw generic data security training at people, because people don't want to do this to begin with. So if you're able to put training in place that's relatable, and even maybe incentivize it, for example if you pass with a certain score, or if you're reporting X number of potential phishing emails that are actually backed by a training campaign, you can offer an Amazon gift card or whatever. I think that, and then having controls that again are easy to understand, easy to follow and easy to explain in a relatable context as to why they're there, the balance of those things will go a long way in terms of achieving that proper balance, but also achieving the degree of buy-in that you can possibly get from your colleagues, who are the users in this case.

Edie: What is one thing that you think people outside of security don't really understand about security?
John: I think that, like with a lot of things, if it doesn't affect them directly, personally, they just don't have an understanding of what the true consequence of a breach or an incident really means. So if you've never had your identity stolen, if you've never had your bank account drained because you were successfully socially engineered into giving up that information, I just don't think that anybody can really truly appreciate something until you have a direct experience that you can internalize and say, "oh yeah, these other things that I'm seeing, the business is trying to protect themselves in a similar conceptual capacity. I have to protect myself to ensure that I don't give up my bank account information or my social security number or anything like that, and by the same token my employer has to take the same type of measures to ensure they don't get compromised in some form or fashion."

Edie: Interesting. Do you feel like there's a lot of handling stress when you're in a security role, especially in those situations where something might have gotten in, maybe not even breached, but was close?

John: Yeah, there is stress, for a couple of reasons. Number one, it depends on whether your leadership team is looking at the IT and security folks to say, if something happens, sometimes there's a blame and shame game that is just not productive, and sometimes it's just not really pointed in the right direction. Because in IT we know that we constantly battle with having the resources and tooling and advocacy to put the protections in place, and usually it is a direct impact of not having those adequately that will result in breaches or incidents or things that come very close to it. Whereas if Sally in accounting responds to the email from "their CEO," at their CEO's name at gmail.com, asking them to wire some money over, or Amazon gift cards, whatever it is, there is definitely stress from, again, a lack of understanding overall. It's also about how you really handle the reaction to those incidents. Especially where they're not resulting in a direct impact or consequence, you really have to take it from a human perspective that this is a learning lesson, not so much blame and shame. It's certainly different if you're a repeat offender, but everybody makes mistakes, and you never know what somebody's going through or dealing with, in any respect. So that's my take on that.

Edie: That's really interesting. What do you think are the main issues right now in cybersecurity, like the things you think about most?
John: I think the main issues in cybersecurity are, first and foremost, relative to what I've dealt with personally, and which I'm sure any number of other IT and security professionals deal with, ensuring that they have the right advocacy and resourcing to have a respectable program that allows them to effectively do their jobs and do them reasonably well. Security is a cat and mouse game; there are always going to be new threats and everything. But I think what a lot of companies struggle with, what cybersecurity really lacks right now, even though it's kind of a cliché statement, is the education and awareness at the leadership levels to provide that advocacy for resourcing and tooling. That's really just what it costs to do business now. You can't just rely on built-in Windows Defender and having a firewall; there's so much more to it. So I think that's the biggest challenge. I also think that in the regulatory landscape, at least domestically, I don't think that the United States has enough appropriate regulation to protect people and hold others accountable, whereas in Europe you've got GDPR, which is very stringent and has very specific consequences for violations. So off the top of my head, when I think of cybersecurity and its challenges, I look at it from the perspective of the business, and I also look at it from the perspective of just being an everyday person.

Edie: That's really interesting. So you have a lot of experience in highly regulated industries. What are some of your takes in terms of, is compliance enough? How do you view it?

John: So I guess I would take that question and look at it from the entirety of a business. Even in some highly regulated industries, there are businesses in the industry that still struggle to really have security-mindedness baked into the culture, and you still have even higher-level executives or leadership folks that try to circumvent the rules and the policies and the controls, or some form of shadow IT evolves and you've got some unknown infrastructure you're dealing with, any number of different circumstances like that. I just continue to think that there's a lack of real understanding. I also think there's a lack of culpability. Companies like Change Healthcare with that breach, and so many retailers like Target and Home Depot who have also been subject to data breaches: those companies are all reasonably prepared to pay a fine, and that may not change the circumstance; they may not make required improvements based on the situation. So I think between culpability for being responsible for an incident, especially where there's gross negligence involved, and a security-minded culture, where you also kind of have to fight internal battles when you would hopefully all be working towards the same goal and having folks that are of that mindset, that's where I am on that now.
Edie: Cool. What is one thing that you think security professionals sometimes overlook but should pay more attention to?

John: I think security professionals, if you're getting into security, I found a lot of folks are very narrow-minded and focused on security, like they're trying to build Fort Knox. It's well-intended, but they lack the understanding of business context as to why certain things have to be a certain way, and they also potentially lack the understanding of who else is affected by that. In IT and security you're still trying to strike that right balance of security and usability. As I alluded to earlier, undoubtedly security can be, and is in a lot of cases, a detriment to productivity, but it's really being mindful of everybody who's a stakeholder, and the users, your colleagues, who are, again, Sally in accounting or whoever. They all have a job to do, and the most successful security professionals are going to be those who achieve the right balance of having strong security while enabling their colleagues to be able to do what they need to do as well.

Edie: How do you balance that? On the one hand, really making sure that everything in your space is happening the way it should security-wise, but also enabling the business and communicating to management why certain things can't happen at a certain speed, or why certain things can't happen at all?

John: Yeah, unfortunately that question comes with a lot of "it depends." There's just so much that is different; no two companies are the same, and a lot of industries are not the same. I think what you just said about communication and compromise: when I think about it, okay, you've got these things that you have from security, your side that you have to advocate for, and the user experience you have to advocate for or that you're trying to facilitate. I think also a significant component of that is risk: it's identifying, assessing and treating the risk of whatever scenario is put in front of you, and whether you have compensating controls to mitigate certain circumstances. I think that having a thorough discussion and talking through a scenario is going to end up finding the right compromise, the right balance of what you can do and what you can't. So again, there's no way to really be specific about that, but that is about as specific as I can be in terms of an approach I would take to try to handle most scenarios that are put in front of me.

Edie: So what do you think is one blind spot many CISOs have?

John: Well, that's an interesting question. I would actually reframe that to say, what is one blind spot that business leaders who have security under their purview have? Because, as I think I mentioned earlier, not every organization has C-level representation, or even representation at the senior levels of management in a company. So there are two things that I think are very important. First of all, having an honest, accurate perception of what your capabilities are to protect your company from all the threats: what is your real baseline? I think a lot of businesses have a false sense of what they have or what they think they can do. So there's the component of how well you can protect against common threats or even evolving threats, but the other thing is, while you may be successfully protecting against threats, are you also prepared? This is part two: are you prepared for an incident? Do you have an incident response plan? Do you have runbooks, communication plans, things of that nature that will detail what you do? Because flying by the seat of your pants on that is not something that you can do effectively; you need to be able to effectively and efficiently deal with an incident to contain it and then do the needful as far as communication to impacted stakeholders, whether it's outside or internal folks. So I think those two together are important, and for those who are actually starting to scratch their heads, I would strongly encourage, even though it's a small investment in the grand scheme, having an assessment done of your business and your IT security, and the ability to respond to incidents and the ability to protect yourself, so that you can get a sense of where you are against a maturity model like CIS or NIST or whatever. So I think that's an excellent question. If there are other business folks who just happen to be listening to this, it's just a good question, a good thing to ask and raise, because in this day and age you can't rely on Windows Defender to do anti-malware for you with just a firewall; that's not enough. You need to be tooled and resourced in a lot of different areas, because the threats are just omnipresent in so many different ways. So that's all important.

Edie: Right. How do you think cybersecurity has changed over the past few years? What was it like five years ago, ten years ago, versus now?

John: Well, I think the motivation has certainly changed. I think there were script kiddies who were, "oh wow, look, I can penetrate this company's weak security and I'm a prodigy for my age," things like that. Today it's all about the ransomware and the financial gain if somebody pays the demand to have their content decrypted, if the threat actors even do the decryption. I think that's been a material change. Something else I mentioned earlier about the regulatory climate: I think there has been slow but some movement forward with things like GDPR and CCPA, the California Consumer Protection Act. Europe and California, in these respective examples, have taken strides to advocate for people, and that puts requirements in front of businesses who have certain data elements that you need to be in compliance with, and if you're not, you're going to face consequences for it. So I think those two things, and of course the answer that's always thrown out like a broken record: yes, the threat landscape has continued and will continue to become increasingly complex and pervasive.

Edie: Does AI concern you?
John: It does. AI is a double-edged sword. AI is a tool that has so much potential to make a big difference in productivity and in enabling capability within a business, but at the same time, if you inadvertently put customer data or proprietary data into it, it gets absorbed into the large language model, it's learned, and it's no longer private. So AI and its implementation are concerning, but I think a lot of the concern about AI is that AI, as it's known today, is still very much in its infancy, and people fear the unknown. It's tough: sometimes you get competitive advantage by being the first to tackle something, and other times being the first to market is a big risk that could have a significant consequence. I think a lot of companies and a lot of industries have determined that their AI posture is just something they have to be very diligent about, because they've seen what it can do and what the potential consequences of not handling it appropriately are.

Edie: Interesting. Do you have any prediction of where it's going to go, both AI and cybersecurity?

John: I think AI is not going anywhere. I think over time, as it is now today, there are companies that are implementing AI capability to enhance their tools. There are tools like Mimecast, for example, doing email and spam protection; they have an AI component that looks at underlying data and can then go and basically tell you, "you received this email that came from an external person," and the AI intelligence actually did a domain lookup to say, "hey, this domain was registered recently, so this actually could be a fly-by-night kind of operation," and then you've got this banner on your email that provides useful information to protect you. So there's utility in AI. I think the business world will continue to adopt AI, slowly, and I think with its evolution there will be more homegrown large language models instead of having to leverage the ones like ChatGPT and Gemini and others like it, and over time it'll be easier to build those and then leverage them for their business. So bringing that all together, there's utility that AI will be useful for, but on the other side I think AI will evolve slowly but in practicality, where companies will be able to develop their own proprietary AI capabilities without necessarily having to leverage what is now the largest known, the ChatGPTs and such.

Edie: Got it. Do you currently have a team of security people, or is it you managing the entire security function?

John: I have a team of five, so with me that's six. So yeah, we're an organization that is certainly large enough to have a dedicated security team, and the guys kind of do it all. We're still small enough that we've got a lot of generalists doing a lot of different things; we haven't grown to the scale of necessarily having a dedicated person for a dedicated function yet.

Edie: Interesting. And what would you recommend to anyone who is looking to get into cybersecurity, or wanting to enter or even advance in the field?
John: On people getting into security, I probably have a slightly different take. An analogy I could use from the music world is that you don't become a musician who sells out stadiums and arenas overnight by taking a couple of lessons to play the guitar, or taking a couple of vocal lessons from a teacher. It takes time, it takes experience, it takes things of that nature to really understand, or to gain the experience where you've got everything you need to become that musician that sells out and becomes that popular. In terms of getting into security, there are a lot of college programs and a lot of advertisements that basically say there's a path in and it's quick and it's easy. But my thing is, I don't think that I would be as effective in my capacity if I didn't have the underlying experience that I have. I started at the help desk, where I got to see things from the user's perspective: I saw what they were clicking on, I saw where they saved things, I got a good feel for what they were doing on their side of the computer. And then on the sysadmin side and network admin side, I got to see the back end, I got to see the configurations, I got to see what it looks like in terms of what the users are doing and how it translates on this side. So with that, I'm of the mind, and I think it's the most practical advice, that it's not to say you have to spend 20 years in IT to get into security, but I think it's important to get some degree of practical IT operational experience in some capacity. Because, to your question earlier about what some security folks don't think about, paraphrasing what that question was, I said they lack the business context; there are a lot of angles from which they're going to miss visibility or miss how to evaluate something. So for me, I think the totality of my experience allows, and I'm not saying I know it all, I'll never know it all, I'm just saying that having some degree of practical experience and then getting into security means you can look at it from all sorts of different angles, and not just some unilateral or textbook-taught view, and textbook and experience are two different things. So I think my advice is to get some degree of practical experience and then explore what facets of security interest you. Talk to people, network, get a mentor. I think those are things that are very important towards positioning yourself the best to get into the field.

Edie: Do you remember any time, maybe in the recent past or maybe a long time ago, where you made a leadership or a security decision that ended up being maybe not the best decision, and then how did you deal with it, how did you fix it?

John: I'm sorry, would you restate that question? I want to make sure I understand the right context.

Edie: I was asking, do you remember any time, either in the near past or years ago when you were much younger, a situation where you made a decision about either leadership or security that ended up being a not-so-great decision, and then what did you do to fix it?
John: I think that if I were thinking back to a decision I made that wasn't necessarily the best, it really comes back to what I said about advocacy and resourcing and tooling, in that I may not have made the best... I didn't do as much as I probably should have to really fight the battle to advocate for the resourcing that I needed. I think the consequence that had for me is, I made reference, in the question you asked about what was the worst security incident that I've had to deal with, without naming companies or whatever, that I've had other environments where, without advocating for the additional resourcing, it just put more on the shoulders of myself and the team that I had to still meet expectations of getting things done by a certain time or whatever, where those expectations may not have actually been reasonable to begin with. So I think that if I had fought a little harder potentially, or maybe tried to think of a way, if I couldn't get an additional body, of bringing in or advocating for an outside company to come in for an engagement, which would be far less expensive than having a dedicated full-timer, I think that's probably the issue, and then the consequence that came from it.
Edie: Great. One final question, which is actually a two-part question, but before that I want to say thank you so much for your time and perspective. I feel like you bring a different energy because you have so much experience in another field; the way you look at things is very much from that view, and I think that adds an important layer to it. So thank you so much. Okay, so my final question is: what gets you excited about cybersecurity, versus what keeps you up at night about security?

John: I think what's exciting about it is, again, that cliché answer that there's always something new. From the cat and mouse game, there's always going to be new threats to protect against, there's always going to be new battles to fight, and that just keeps it interesting. That's what's exciting to me, because I'm not the type, and never have been the type, who likes to just do the same thing every day. The thing that keeps me up at night is, even in my current environment, I think we have a lot of great tools, I think we have a lot of great process and procedure and things of that nature that prepare us to not only deal with an incident that may not become an incident, or, I'm sorry, that allow us to be adequately prepared to protect our environment, but also have left us prepared to deal with an incident and have a playbook or runbook so that we're not flying by the seat of our pants to deal with something. So we've got a lot of great things with that, but there's always a concern that you miss something. There might be just one misconfiguration that was missed, and that could be the one thing that allowed somebody to get in. That's what kind of keeps me up at night. So that's for my current situation. Generally, as far as keeping me up at night, I would say, just from the experience I've had in my career, what keeps me up at night is that even though there's only so much time in the day and so much you can do, it's still really hard to deal with the fallout, because you still ultimately have to deal with the fallout in circumstances where you're not provided the resourcing and the tooling and the advocacy that you really need, which again goes back to the business. So that's where I am on what keeps me up at night, and also what keeps it exciting at the same time.

Edie: Perfect, perfect. Thank you so much.

John: Oh, thank you so much for having me on. I really enjoyed this.