Evolving from IT to Cybersecurity Leadership - John Hathaway, VP IT Security @ Cambridge Savings Bank

Sep 29, 2024

Episode Description

In this conversation, John Hathaway, VP of IT Security at Cambridge Savings Bank, discusses the evolving landscape of cybersecurity, the importance of understanding security blind spots, and the balance between security measures and productivity. He emphasizes the need for continuous education, the challenges faced in cybersecurity today, and the role of AI in shaping future security practices. Hathaway also shares insights on leadership decisions, the stress associated with security roles, and offers advice for those looking to enter the cybersecurity field.

Episode Transcript

Edie: Hi everyone, and welcome to the Hands-On CISO podcast. My name is Edie, and today we'll be talking to John Hathaway. With a long history in IT, today John is the VP of IT Security at Cambridge Savings Bank. John has over a decade of experience in tightly controlled industries including healthcare, banking and travel, so hearing his perspective can definitely teach us a lot. How are you doing today, John?

John: I'm doing well. How are you?

Edie: I'm great. So I'm really interested in hearing about this: it's your first official, or not first but one of the first official security roles you've done, but you've done security for quite some time. So tell us, how does that work?

John: Yeah, so this is my first role dedicated to IT security, where my background is really as an IT operations generalist. Whether I was the hands-on practitioner or operating in a leadership capacity, pretty much all the facets of IT, whether it's cloud, systems, infrastructure, help desk, security, risk, compliance, everything that had IT purview, were things that I had dealt with. Today, where I am with Cambridge Savings Bank, this is my first role that is really dedicated to the security function, and that can certainly go far and wide.

Edie: Perfect. And what does your day-to-day look like now?

John: Day to day is much like a lot of IT people will tell you, because again so much of my background is just being in IT in general. I don't think the day-to-day is ever really the same, which is part of what makes it attractive and not really boring, and keeps us on our toes. Things range from dealing with audit requests (as a bank we deal with a lot of internal and external audits), to dealing with various teams internally to address, if a website gets blocked, our content filtering and making sure the URL is safe. We work on various projects to implement more secure and stringent baselines, such as the most up-to-date CIS Benchmark, and ensure that's implemented across our environment properly. It's really a little of everything, and there are times where we may even have an incident akin to the CrowdStrike incident recently, where we wake up and all of a sudden we're tasked with having to handle something that reaches that degree of criticality.

Edie: So what made you interested in security in the first place?

John: Security in and of itself is very interesting because it has an ever-evolving landscape. The threats that people face, it's a cat-and-mouse game. The vulnerabilities become more complex, and the solutions and the things that you have to do to protect your company against those threats are ever evolving, much like in IT, where we're not just dealing with on-prem infrastructure, we're dealing with cloud and how that's evolved. So I think the interest in security was much like the interest I had in pursuing leadership roles after doing hands-on work earlier in my career. Having done hands-on and leadership in IT operations, security has become a very hot niche, and I decided, from what I've dealt with in my career, that it's something of interest that I'd like to dive deeper into, because it's something I just have a greater interest in at this point.

Edie: What made you decide to get the certifications you got, and to really keep learning and digging deep, although it wasn't technically something you had to do?

John: Well, I think as a professional, really in any capacity, the certifications and such, for me, are a function of just continuous learning. It's continuing to stay abreast of things and continuing to stay relevant. My inspiration to get my CISSP is something I've been wanting to do for a long time, and where I've entertained the prospect of potentially just getting into security as a specific niche, I felt like, with my 20 years of experience in IT, having that and having the CISSP was going to provide a really good foundation for me to be considered for roles. So with that, things kind of happened pretty quickly: having gotten my CISSP back in April, I found myself at Cambridge Savings Bank in my current capacity just a couple of months later.

Edie: Amazing. Now that you're wearing the security hat, do you find yourself feeling more often like the bad cop, or like the person who needs to be saying "we can't do this, we can't do this"?

John: Yes. Unfortunately it comes with the territory, but to really qualify where I come from in playing the bad cop: I like to find opportunities to say yes. I like to find opportunities to help people achieve what they're trying to do, because there's no question that security becomes a detriment to productivity, but unfortunately it is a necessity today; it's been a necessity for quite some time. You just have to have a pragmatic approach to how you approach solving a problem, which could go into any number of different specific examples. But if you have to say no to something, it could actually just be that there hasn't been a solution properly vetted yet, and you can't just throw it in because you have a deadline that was yesterday.

Edie: Interesting. Have you ever been... well, you haven't been in security in the other companies necessarily, but were you ever aware of a serious breach or security incident that happened in one of the companies you were working at? Obviously no names or anything like that, but how was it coped with?

John: Yeah. So, to clarify, I really have served in the security capacity in terms of my generalist IT operations background; I just haven't worked for a company large enough that the scope and scale of it really required a dedicated security team. But yeah, I dealt with an incident where a number of 365 email accounts were compromised, and it was largely just because the company I worked for had a different perception of how well protected they thought they were. The resulting fallout from that was really having to work around the clock to implement a number of different things, whether it was writing a WISP they didn't have, implementing mobile device management, and pen testing and vulnerability management, because they just didn't have any of these programs in their environment. And it was at the same time that they were actually in hot water for other reasons. So, to bring it all together, in light of that email incident where the accounts were identified as being compromised, it was basically having to fast-track a tremendous amount of work and projects that typically take a lot of time, and that was just not a very fun endeavor for anybody.

Edie: That sounds like quite a stressful period to have. Interesting. So do you think it's common for companies to assume they're much safer than they are?

John: I think so, and that's just because sometimes the business really doesn't have the advocacy or the presence at the key leadership positions in their company whereby the real awareness and education, and telling it how it is, would really be put in front of them so that they could actually truly understand. Some organizations have IT security, or data security, or just security in general, adequately represented within the leadership ranks, and other companies don't.

Edie: And when you look at it now, and even in the past, how do you view education versus putting controls in place? What is the balance between "I'm going to teach my people to be extra safe and to think about security and to do all the right things," and on the other hand "I'm going to make sure that technically there is as little chance as possible for someone to make a mistake"?

John: Well, for education, you really need to try to make it relatable. You can't just throw generic data security training at people, because people don't want to do this to begin with. So if you're able to put training in place that's relatable, and even maybe incentivize it (if you pass with a certain score, or if you're reporting X number of potential phishing emails that are actually backed by a training campaign, you can offer an Amazon gift card or whatever), I think that, and then having controls that are easy to understand, easy to follow and easy to explain in a relatable context as to why they're there, the balance of those things will go a long way in terms of achieving that proper balance, but also achieving the degree of buy-in that you can possibly get from your colleagues, who are the users in this case.

Edie: What is one thing that you think people outside of security don't really understand about security?

John: I think that, like a lot of things, if it doesn't affect them directly, personally, they just don't have an understanding of what the true consequence of a breach or an incident really means. If you've never had your identity stolen, if you've never had your bank account drained because you were successfully socially engineered into giving up that information, I just don't think anybody can really truly appreciate something until you have a direct experience that you can internalize and say, "Oh yeah, these other things that I'm seeing, that for the business they're trying to protect themselves in a similar conceptual capacity. I have to protect myself to ensure that I don't give up my bank account information or my social security number or anything like that, and by the same token my employer has to take the same type of measures to ensure they don't get compromised in some form or fashion."

Edie: Interesting. Do you feel like there's a lot of handling stress when you're in a security role, especially in those situations where something might have gotten in? Maybe not even breached, but it was close?

John: Yeah, there is stress, for a couple of reasons. Number one, it depends on whether your leadership team is looking at the IT and security folks to say, if something happens, sometimes there's a blame-and-shame game that is just not productive, and sometimes it's just not really pointed in the right direction. Because in IT we know that we constantly battle with having resources and tooling and advocacy to put the protections in place, and usually a direct impact of not having those in adequacy will result in breaches or incidents or things that come very close to it. Whereas if Sally in accounting responds to the email from "their CEO," sent from their CEO's name at gmail.com, asking them to wire some money over, or Amazon gift cards, whatever it is, there is definitely stress from, again, a lack of understanding overall in terms of how you really handle the reaction to those incidents. You really have to, especially where ones are not resulting in a direct impact or consequence, take it from a human perspective that this is a learning lesson, not so much blame and shame. It's certainly different if you're a repeat offender, but everybody makes mistakes, and you never know what somebody's going through or dealing with, in any respect. So that's my take on that.

Edie: That's really interesting. What do you think are the main issues right now in cybersecurity, like the things you think about most?

John: I think the main issues in cybersecurity are, first and foremost, relative to what I've dealt with personally, and which I'm sure any number of other IT and security professionals deal with: ensuring that they have the right advocacy and resourcing to have a respectable program that allows them to effectively do their jobs and do it reasonably well. Security is a cat-and-mouse game; there are always going to be new threats and everything. But I think what a lot of companies struggle with, what cybersecurity really lacks right now, even though it kind of is a cliche statement, I still feel is the education and awareness in the leadership levels to, again, provide that advocacy for resourcing and tooling. That's really just what it costs to do business now. You can't just rely on built-in Windows Defender and having a firewall; there's so much more to it. So I think that's the biggest challenge. I also think that in the regulatory landscape, at least domestically, I don't think that the United States has enough appropriate regulation to protect people and hold others accountable, whereas in Europe you've got GDPR, which is very stringent and has very specific consequences for violations. So, off the top of my head, when I think of cybersecurity and what the challenges are, I look at it from the perspective of the business, and I also look at it from the perspective of just being an everyday person.

Edie: That's really interesting. So you have a lot of experience in highly regulated industries. What are some of your takes in terms of, is compliance enough? How do you view it?

John: I guess I would take that question and look at it from the entirety of a business. I think even in some highly regulated industries, there are businesses that exist in the industry that still struggle to really have the security-mindedness baked into the culture. You still have even higher-level executives or leadership folks that try to circumvent the rules and the policies, the controls and things, or some form of shadow IT evolves and you've got some unknown infrastructure you're dealing with, any number of different circumstances like that. I continue to think that there's just a lack of real understanding. I also think there's a lack of culpability. Companies like Change Healthcare with that breach, and so many retailers, like Target and Home Depot, who have also been subject to data breaches: those companies are all reasonably prepared to pay a fine that may not change the circumstance. They may not make the required improvements based on the situation. So I think between, again, culpability for being responsible for an incident, especially where there's gross negligence involved, and again a security-minded culture, where you also kind of have to fight internal battles where you all would hopefully be working towards the same goal and having folks that are of that mindset, that's where I am on it now.

Edie: Cool. What is one thing that you think security professionals sometimes overlook but should pay more attention to?

John: I think security professionals, if you're getting into security, I found a lot of folks are very narrow-minded and focused on security like they're trying to build Fort Knox. It's well-intended, but they lack the understanding of business context as to why certain things have to be a certain way, and they also potentially lack the understanding of who else is affected by that. In IT and security, you're still trying to strike that right balance of security and usability. As I alluded to earlier, undoubtedly security can be, and is in a lot of cases, a detriment to productivity, but it's really being mindful of everybody who's a stakeholder, and the users, your colleagues, who are, again, Sally in accounting or whoever. They all have a job to do, and the most successful security professionals are going to be those who achieve the right balance of having strong security while enabling their colleagues to be able to do what they need to do as well.

Edie: How do you balance that? On the one hand really making sure that in your space everything is happening the way it should security-wise, but also enabling the business and communicating to management why certain things can't happen at a certain speed, or why certain things can't happen at all?

John: Yeah, unfortunately that question comes with a lot of "it depends." There's just so much that is different; no two companies are the same, and a lot of industries are not the same. I think what you just said about communication and compromise: when I think about it, okay, you've got these things that you have from security, you've got your side that you have to advocate for; you've got the user experience you have to advocate for, or that you're trying to facilitate. I think also a significant component of that is risk. It's identifying, assessing and treating the risk of whatever scenario is put in front of you, and whether you have compensating controls to mitigate certain circumstances. I think that having a thorough discussion and talking through a scenario is going to end up finding the right compromise, the right balance of what you can do and what you can't. So, again, there's no way to really be specific about that, but that is about as specific as I can be in terms of an approach I would take to try to handle most scenarios that are put in front of me.

Edie: So what do you think is one blind spot many CISOs have?

John: Well, that's an interesting question. I would actually reframe that to say: what is one blind spot that business leaders who have security under their purview have? Because not every organization, as I think I mentioned earlier, has C-level representation, or even representation at senior levels of management in the company. So there are two things that I think are very important. First of all, having an honest, an accurate perception of what your capabilities are to protect your company from all the threats. What is your real baseline? I think a lot of businesses have a false sense of what they have or what they think they can do. So there's the component of how well you can protect against common threats or even evolving threats, but the other thing is, while you may be successfully protecting against threats, are you also prepared? This is part two: are you prepared for an incident? Do you have an incident response plan, do you have runbooks, communication plans, things of that nature that will detail what you do? Because flying by the seat of your pants on that is not something that you can do effectively. You need to be able to effectively and efficiently deal with an incident to contain it and then do the needful as far as communication to impacted stakeholders, whether it's outside or internal folks. So I think those two together are important, and for those who are actually starting to scratch their heads, I would strongly encourage, even though it's a small investment in the grand scheme, I would highly recommend having an assessment done of your business and your IT security, the ability to respond to incidents and the ability to protect yourself, so that you can get a sense of where you are against a maturity model like CIS or NIST or whatever. So I think that's an excellent question, and I would strongly encourage, if there are other business folks who just happen to be listening to this, it's a good question, a good thing to ask and raise, because in this day and age you can't rely on Windows Defender to do anti-malware for you with just a firewall. That's not enough. You need to be tooled and resourced in a lot of different areas, because the threats are just omnipresent in so many different ways.

Edie: That's all important, right. How do you think cybersecurity has changed over the past few years, like what was it like five years ago, ten years ago, versus now?

John: Well, I think the motivation has certainly changed. I think there were script kiddies who were, "Oh wow, look, I can penetrate this company's weak security, and I'm a prodigy for my age," things like that. Now today it's all about the ransomware and the financial gain if somebody pays the demand to have their content decrypted, if the threat actors even do the decryption. I think that's been a material change. Something else I mentioned earlier about the regulatory climate: I think that there has been slow but some movement forward with things like GDPR and CCPA, the California Consumer Protection Act. Europe and California, in these respective examples, have taken strides to advocate for people, and that makes businesses who have certain data elements, they've put requirements in front of that, to be something you need to be in compliance with, and if you're not, then you're going to face consequences for it. So I think those two things, and of course the answer that's always thrown out like a broken record is, yes, the threat landscape has continued and will continue to become increasingly complex and pervasive.

Edie: Does AI concern you?

John: It does. AI is a double-edged sword. AI is a tool that has so much potential to make a big difference in productivity and enabling capability within a business, but at the same time, if you inadvertently put customer data or proprietary data into it, it gets absorbed into the large language model, it's learned, and it's no longer private. So AI and its implementation are concerning, but I think a lot of the concern about AI is that AI, as it's known today, is still very much in its infancy, and people fear the unknown. It's tough: sometimes you get competitive advantage by being the first to tackle something, and other times being the first to market is a big risk that could have a significant consequence. I think a lot of companies and a lot of industries have determined that their AI posture is just something they have to be very diligent about, because they've seen what it can do and what the potential consequences of not handling it appropriately are.

Edie: Interesting. Do you have any prediction of where it's going to go, both AI and cybersecurity?

John: I think AI is not going anywhere. I think over time, as it is now today, there are companies that are implementing AI capability to enhance their tools. There are tools like Mimecast, for example, doing email and spam protection. They have an AI component that looks at underlying data and can actually then go and basically tell you: you received this email that came from an external person, and the AI intelligence actually did a domain lookup to say, "Hey, this domain was registered recently, so this actually could be a fly-by-night kind of operation," and then you've got this banner on your email that provides useful information to protect you. So there's utility in AI. I think the business world is going to, kind of slowly, but I think the business world will continue to adopt AI. With its evolution, I think there will be more homegrown large language models instead of having to leverage the ones like ChatGPT and Gemini and others like it, and I think over time it'll be easier to build those and then leverage them for their business. So, bringing that all together, again, there's utility that AI will be useful for, but then on the other side I think AI will evolve, slowly but in practicality, where companies will be able to develop their own proprietary AI capabilities without having to necessarily leverage what is now the largest known, the ChatGPTs and such.

Edie: Got it. Do you currently have a team of security people, or is it you managing the entire security function?

John: I have a team of five, so with me that's six. So yeah, we're an organization that is certainly large enough to have a dedicated security team, and the guys kind of do it all. We're still small enough that we've got a lot of generalists doing a lot of different things, but we haven't grown to the scale of necessarily having a dedicated person for a dedicated function yet.

Edie: Interesting. And what would you recommend to anyone who is looking to get into cybersecurity, or wanting to enter, or even advance in the field?

John: I think on people getting into security, I probably have a slightly different take. I guess an analogy I could use from the music world is that you don't become a musician who sells out stadiums and arenas overnight by taking a couple of lessons to play the guitar, or taking a couple of vocal lessons from a teacher. It takes time, it takes experience, it takes things of that nature to really understand, or to gain the experience where you've got everything you need to become that musician that sells out and becomes that popular. In terms of taking on security, getting into it, there are a lot of college programs and a lot of advertisements that basically say there's a path in, and it's quick and it's easy. But my thing is, I don't think that I would be as effective in my capacity if I didn't have the underlying experience that I have. I started in the help desk, where I got to see from the user's perspective: I saw what they were clicking on, I saw where they save things, I got a good feel for what they were doing on their side of the computer. And then on the sysadmin side, the network admin side, I got to see the back end, I got to see the configurations, I got to see what this means in terms of what the users are doing and how it translates on this side. So with that, I'm of the mind, and I think it's the most practical advice, it's not to say you have to spend 20 years in IT to get into security, but I think it's important to get some degree of practical IT operational experience in some capacity. Because, to your question earlier about what some security folks don't think about, or paraphrasing what that question was, I said they lack the business context. There are a lot of angles from which they're going to miss visibility or miss how to evaluate something. So for me, I think the totality of my experience allows... I'm not saying I know it all, I'll never know it all. I'm just saying that having some degree of practical experience, to then get into security so that you can look at it from all sorts of different angles and not just some unilateral or textbook-taught view, because textbook and experience are two different things. I think my advice is to get some degree of practical experience and then explore what facets of security interest you. Talk to people, network, get a mentor. I think those are things that are very important towards positioning yourself the best to get into the field.

Edie: Do you remember any time, maybe in the recent past or maybe a long time ago, where you made a leadership or a security decision that ended up being maybe not the best decision, and then how did you deal with it, how did you fix it?

John: I'm sorry, would you restate that question? Because I want to make sure I understand the right context.

Edie: I was asking: do you remember any time, either in the near past or years ago when you were much younger, do you remember a situation where you made a decision about either leadership or security that ended up being a not-so-great decision, and then what did you do to fix it?

John: I think that, if I were thinking back to a decision I made that wasn't necessarily the best, I think that it really comes back to what I said about advocacy and resourcing and tooling, in that I may not have made the best... I didn't do as much as I probably should have to really fight the battle to advocate for the resourcing that I needed. And I think the consequence that had for me is, I made reference, in the question you asked about (without naming companies or whatever) what was the worst security incident that I've had to deal with, I've had other environments where, without advocating for the additional resourcing, it just put more on the shoulders of myself and the team that I had, to still meet expectations of getting things done by a certain time or whatever, where those expectations may not have actually been reasonable to begin with. So I think that if I had fought a little harder, potentially, or maybe tried to think of a way, if I couldn't get an additional body, maybe trying to advocate for an outside company to come in for an engagement, which would be far less expensive than having a dedicated full-timer. I think that's probably the issue, and then the consequence that came from it.

Edie: Great. One final question, that is actually a two-part question, but before that I want to say thank you so much for your time and perspective. I feel like you bring a different energy because you have so much experience in another field; the way you look at things is very much from that view, and I think that adds an important layer to it. So thank you so much. Okay, so my final question is: what gets you excited about cybersecurity, versus what keeps you up at night about security?

John: I think what's exciting about it is, again, that cliche answer that there's always something new. From the cat-and-mouse game, there's always going to be new threats to protect against, there's always going to be new battles to fight, and that just keeps it interesting. That's what's exciting to me, because I'm not the type, never have been the type, where I like to just kind of do the same thing every day. The thing that keeps me up at night is, I think even in my current environment, I think we have a lot of great tools, I think we have a lot of great process, procedure and things of that nature that prepare us to not only deal with an incident that may not become an incident... I'm sorry, it allows us to be adequately prepared to protect our environment, but it also has left us prepared to deal with an incident and have a playbook or runbook so that we're not flying by the seat of our pants to deal with something. We've got a lot that's great with that, but there's always a concern that you miss something. There might be just one misconfiguration that was missed, and that could be the one thing that allowed somebody to get in. That's what kind of keeps me up at night. But that's for my current situation. I would just generally say, as far as keeping me up at night, I would think, just from the experience I've had in my career, what keeps me up at night is, even though there's only so much time in the day and so much you can do, it's still really hard to deal with the fallout, because you still ultimately have to deal with the fallout in circumstances where you're not provided the resourcing and the tooling and advocacy that you really need, which again goes back to the business. So that's where I am on what keeps me up at night, and what keeps it exciting at the same time.

Edie: Perfect. Thank you so much.

John: Oh, thank you so much for having me on. I really enjoyed this.

Ensure SOC2, HIPAA and GDPR compliance across all your SaaS tools

Built in Tel Aviv, Israel
