ISMG Editors: Why Zero Trust Isn't the Answer to Everything
Also: Saluting CISO Marene Allison's Achievements; Regulating Digital Assets
Anna Delaney (annamadeline) • December 23, 2022
A salute to the career of Johnson & Johnson CISO Marene Allison leads this week's Information Security Media Group Editors' Panel, which also reviews essentials for implementing a zero trust strategy and the use of banking standards to regulate blockchain-based digital assets.
The panelists - Anna Delaney, director, productions; Rashmi Ramesh, senior subeditor, ISMG's global news desk; Tom Field, senior vice president, editorial; and Suparna Goswami, associate editor at ISMG Asia, analyze:
- Highlights from an interview with Johnson & Johnson's Allison, who reflects on the proudest moments of her career;
- Key takeaways from a panel discussion around zero trust and how to identify your crown jewels;
- Trends in the cryptocurrency space and whether the application of banking standards to regulate blockchain-based digital assets might succeed.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Dec. 9 edition discussing how the role of the CISO will evolve in 2023 and the Dec. 16 payments special edition.
Anna Delaney: Hello, thanks for joining us for the ISMG Editors' Panel. I'm Anna Delaney and this is a weekly conversation between ISMG journalists on the cybersecurity topics that matter the most right now. Our star players this week include Tom Field, senior vice president of editorial; Suparna Goswami, associate editor at ISMG Asia; and Rashmi Ramesh, senior subeditor for ISMG's global news desk. Great to see you all. Lots of color this week. Rashmi, tell us more.
Rashmi Ramesh: I'm at an open air concert, where the headliner was an Indian music artist. So, I went to a concert after two years - three years actually. So this is confetti raining down on us during the concert that we had cleaned up after - very responsible. But it was just a great night.
Delaney: Yeah, I bet it felt excellent to be at that. A concert in person is a great feeling, isn't it?
Delaney: Suparna, bringing back memories of the World Cup.
Suparna Goswami: Oh, yes. So yes, you can make out it's a FIFA World Cup. I'm also wearing blue, similar to the one that Argentina has. So it was an unbelievable final with Argentina finally lifting the trophy after 36 years. And, of course, Messi playing so well is just the icing on the cake. The World Cup trophy was something which was missing from his record books. And he got it - not that not winning it would have made him any less of a player. But still, it feels just special to see him with that World Cup trophy in his hand.
Tom Field: I had no idea you were such a football fan.
Goswami: Oh, I'm generally a sports enthusiast.
Delaney: I knew the cricket. I didn't know the football. It was a wonderful match to watch actually. But both teams played very, very well. Tom, more snow?
Field: Similar to Rashmi's confetti, this came watering down from the sky last weekend and there was about a foot of it that fell. Heavy snow, and so it took down trees, which took down power lines, and so I spent much of last weekend without electricity and heat, putting a lot of wood into the wood stoves to keep spirits bright. This is a view from one of the windows, by the way. You can see how heavy the snow is on the branches.
Delaney: Yeah, beautiful to look at. I am at Hampton Court Palace, where King Henry VIII used to live. And this week they put on a light show for Christmas. So there were various light installations scattered throughout the grounds of the palace. It was quite impressive to take in with a cup of mulled wine as well, of course.
Field: Did you go there?
Delaney: Yeah, yeah, so it's local to where my family lives. Speaking of lights, Tom, I believe pharmaceutical Johnson & Johnson is losing one of their leading lights.
Field: They are losing a bright light. Last time that you and I spoke, we talked about some of the interviews that we really enjoyed over the past year. And my choice was Marene Allison. She's the CISO of Johnson & Johnson, just an illustrious career. She was in the first female class at West Point Military Academy. She's had some high-profile CISO jobs in her career. She even spent time doing undercover drug busts with her husband in New Jersey for the FBI, which is an entirely different story I hope to get someday, but she is retiring at the end of this year from her role at Johnson & Johnson; she has been a CISO for 30 years, not just at Johnson & Johnson but as a CISO for 30 years. She's moving on to do other things. And so, we did have a chance to catch up this week. Interestingly, of all the things that we talked about, the point that resonated most with me was when I asked her what it was in her career that really inspired her and let her know, yes, this is the moment, this is why I'm doing what I'm doing. So I want to share with you an excerpt so you can hear her response to my question.
Marene Allison: You know, I have three that stand out. So, the first one was understanding voice over IP and what it was going to mean. And I was the head of global security at Avaya tower communications. And they asked me to step into what was literally a CISO role or IT security role, and asked me to run the security operation center for the World Cup in Korea and Japan in 2002. We were using open source and creating what we were going to do. You know, the friendlies were scanning us, the unfriendlies were scanning us, and trying to figure out how we were going to support that. That was a defining moment. Tom, that was when I knew I had bitten - I'd been bitten by the IT bug and I could never change who I was and what I wanted the trajectory of my career to be.
Field: Here we are, some 20 years later and she's just wrapping up that illustrious career. I don't think, by any means, she's going to stop. I know she's looking at board opportunities and wants to be active in the community, wants to be active as a mentor, still just stepping down from the day to day.
Delaney: It all started at the World Cup.
Field: Little did I know that I was playing that extra. But here we go. 'Tis the season of giving.
Delaney: So, Tom, she didn't reveal any details about her former career doing undercover drug busts?
Field: That is promised over drinks some time at RSA Conference or someplace where we can get together. She did leave some hints about her future. She says that she is speed dating right now with all of her opportunities, and that she's a bit overwhelmed, but she's going to start winnowing down, disappointing a few suitors and delighting some others.
Delaney: I can imagine she's spoilt for choice. Sure. So, Suparna, you've been quizzing experts on zero trust and the importance of knowing what your crown jewels are. What was discussed?
Goswami: Sure, Anna, I have been interacting with practitioners closely, thanks to the many roundtable discussions we at ISMG have with them. So one common theme that emerged from my discussions with the practitioners in roundtables was how to apply a zero trust strategy to your crown jewels. But the important question is, how do companies decide on the crown jewels? To begin with, how do you know what exactly is the crown jewel? So I spoke with Dr. Chase Cunningham, who is called the doctor of zero trust, Maureen Rosado from BT, as well as Patrick English, who is a zero trust consultant with Ztsolutions. And I asked him how he helps organizations to understand what exactly are their crown jewels. And he said a very interesting thing: he said that unless the companies are in that critical position, they will never understand the crown jewels. So they have to deal with the reality of compromise to know what really is valuable to them, and be in that uncomfortable position. So it is all about having that attack simulation exercise. And no, it's not about red teaming and looting where, you know, this is a simulation going on, but being in that situation as if it's actually happening. So that's when he said the company is actually, "Okay, this is what I want to protect." But my question was: for every business, their data will be the most critical. So how does an organization, overall, make that decision? What is critical? So, for instance, if I'm from the HR department, for me, the employee data will be the most critical, and if I'm a supply chain manager, it might be what I manufacture. So how do we decide? So here, Maureen said a very interesting thing. One is obviously what she mentioned, have those exercises. And the other part is, the security team really needs to sit with the business and have those important conversations on what exactly is your crown jewel, and how, in the overall picture, does it matter?
So those conversations are really important; we might not give them that kind of importance. But that really matters to complement the technology. Another interesting point that was mentioned by Patrick, which I really liked, was that often organizations think that X, Y, Z is the crown jewel, but it is actually not. So, for instance, a lot of them think that servers are the crown jewels, but it is not actually the server, it's actually the data on the server which is the crown jewel. So those nuances they need to understand. I was also curious to know if they are seeing companies invest in zero trust strategies and want the zero trust strategy to be applied to everything. So I wasn't very surprised; I maybe knew the answer. It was yes. You know, many are trying too fast and fail. And then management comes after them on why have you invested in zero trust, our investments have gone to the dogs, and they drop the whole idea of zero trust. But that's not how it works. That's what Chase said: you must know what you're aiming for. So, the aim is to reduce the risk of compromise and apply zero trust in areas where compromise is most likely to happen, and then work your way up from that. And not everything needs to be under zero trust. We need to accept the fact that some things can never come under zero trust. So the idea is to secure, in the best way possible, what matters most to you, and then live with the reality that there will be no perfect defense. So it's not that zero trust means zero attacks; there will be no perfect defense. And also controls need to be applied in areas where it makes sense. So one interesting anecdote he mentioned: if users on the internet are a problem for you, then browser isolation is a solution. Then you need to tell the user why you are doing this. So you're doing X to achieve Y, and that will give you a good user experience. But you need to educate the users also, so that they are in your entire plan.
And they should be able to support you. So the gist is essentially: begin your journey today, do not really wait. Because innovation is happening every day. So we have new organizations coming up with new tools. So if your organization doesn't start with zero trust now, you will be way behind. So just start with it. Start small, but start with it.
Delaney: Very important, really interesting insights, Suparna. I know, as you say, you've been speaking to many security practitioners this year at roundtables, summits. How do you think the conversation around zero trust has changed the most specifically this year?
Goswami: See, as I said, I've been interacting and a lot of my roundtables have been around zero trust, and they have certain apprehensions on where to start from, so not everybody I have interacted with has started the journey. As I said, they have certain apprehensions, but they know the importance of zero trust. And for those who have begun the journey, it is all about these nuanced things: how to apply zero trust for critical assets, or how to apply zero trust in the cloud? How is it different from applying zero trust on-premises? Or how to apply zero trust on the network? The conversation around a data-centric zero trust approach has just about started; it hasn't matured enough. But I think it is identity which still dominates the conversation. But now, I'm seeing vendors talking about a data-centric approach to zero trust. I think the conversation has just about begun. But yes, they all know the importance, but not everybody, at least in this region, has begun the process of zero trust.
Delaney: Well no doubt, we'll be discussing zero trust on a daily basis next year. Thanks, Suparna. Rashmi, lots has been happening in the crypto space this year keeping you on your toes. I believe you've been discussing the application of banking standards to regulate blockchain-based digital assets with two of our global ISMG contributors, Ari Redbord and Troy Leach. What insights did you glean?
Ramesh: So, I want to set some context before we begin. So ironically, regulation is the buzzword in the blockchain-based digital assets industry these past few months, even the year, rather. I say blockchain-based digital assets and not just crypto, because it involves a whole lot of other assets outside of crypto. So, you have your central bank digital currencies, you have stablecoins, you have non-fungible tokens and a bunch of other assets. And this call for regulation has only become stronger, with situations like the Terra-Luna crash, and FTX and hundreds of other smaller incidents that most people haven't even heard of. Now, this question of applying standards meant for one industry to another comes up because the logic is that it's all money. But it's a lot deeper than that, and a lot more nuanced than that. Now the best parallel that we could draw is between the payment card industry before PCI DSS came into being and the current crypto industry, and I spoke to Troy Leach, like you said, who helped establish and lead the PCI Security Standards Council, who said that there's actually quite a bit of similarity between the two, especially when it comes to elements of cybersecurity, because they're both dependent on the same types of technology and business controls, and that they ideally should have the same types of checks and oversight. Now, the PCI standards also came about after major data breaches and fraud that happened in the payment space that became a universal pain point. And the crypto industry, he said, is likely at the same time in the history of payments right now. So there is an obvious question, right? Why can't you just, you know, pick up the PCI DSS standard and apply it to crypto as it is? And several cybersecurity professionals who have nothing to do with crypto payments have brought this up in conversation as well. But it also has an obvious answer. Not all digital assets are centralized. Not all crypto transactions follow the same processes.
And not all tokens function the same way; not even all cryptocurrencies behave the same way. So, a shovelware model does not really make sense. What does make sense are two key things that mostly come from experts like Ari and Troy, who know a thing or two about regulation. So one is that, yes, certain banking standards are applicable to some forms of digital assets in some instances, like I mentioned earlier; for example, centralized financial institutions are the best examples. They're easier to regulate than most other institutions in the space. They already have regulations in place for them. For one, you can ensure that the structure of the centralized financial institution is right, that it has an independent board, that it has a CFO, that it has a security officer - and I'm sure you know what I'm referring to - that all of these functions actually have qualified people heading them. So put in place KYC, have a travel rule in place; the issue is compliance, not really a lack of regulation in this instance. So that needs to be addressed. The second was that there are standards out there meant specifically for cryptocurrency. One is the Cryptocurrency Security Standard, which is designed to augment information security best practices and also complement things like PCI DSS under this framework. So that was my long answer. The short answer is yes, you can apply some aspects of banking standards to blockchain-based digital assets, especially the principles behind them. But it cannot be a cut and paste.
Delaney: Excellent analysis, Rashmi. So what do you think has been the most important crypto event or incident of 2022 that really will have an impact on developments next year?
Ramesh: Easy answer, FTX. If you had asked me a couple of months ago, I would have probably said I don't know. They are all in bridge hack, but it's now definitely FTX. It's brought to light so many gaps in just how this ecosystem functions, the rampant fraud that goes on and the hacks that happen every day. So, definitely FTX.
Field: Good, Rashmi. FTX is to crypto what the Target breach was to retail manufacturing over a decade ago.
Delaney: Yeah, that's come up a lot, hasn't it? That comparison. Well, finally, moving on. Tom, can you guess my final question?
Field: Let's see, in the past two weeks, we've done the ghost of Christmas past, a ghost of Christmas present. We're looking ahead.
Delaney: We're looking into the future, the ghost of cybersecurity future. It's quite difficult to name a person because I haven't been able to go round schools and quiz the future CISOs. But I'm going to extend this to maybe an initiative or an organization or even a technology that you're placing your hope in to help mitigate or even solve tomorrow's cybersecurity challenges. Who is it going to be? What's it going to be?
Field: I hadn't thought of this before. But I could actually just give you a name; you'd have no way to validate that. It's a child in school that I think is going to be the future. Now, I would, you know, I think of this year as sort of a bookend. At the beginning of the year, I spoke with Dawn Cappelli, who at the time was retiring from her CISO role at Rockwell Automation. She went on to take a role with Dragos, but regardless of that she was stepping down from a position she'd held for a long time. And then I ended the year talking to Marene Allison, who we just saw, who is stepping down as the CISO of J&J. And both of these are women who have had extensive careers, who have made a mark, who have been educators, who have been mentors, they have a following, and they're stepping down. For me, the ghost of cybersecurity future is the person stepping into leadership now, who doesn't know a time when there wasn't an internet, who came of age with cloud applications and APIs and a hybrid workforce, and is going to step in without the legacy of knowledge and context that we all had before in a non-digital world. I think there's a terrific opportunity with this next generation of cybersecurity leaders. And I'm encouraged. I don't know who the person is going to be. But I know there are people out there stepping into these roles right now. And I look forward to being able to support them and bring them into our network and help them to spread the word and maybe share some education as well. That's what I look toward.
Delaney: Excellent, excellent answer. Rashmi?
Ramesh: Well, you cannot think cybersecurity and the work that's happened on the government side over the past year or so without acknowledging these two incredible women. One would be Jen Easterly of CISA. And the Australian Cybersecurity Minister Clare O'Neil, who have done some amazing work in the past few months and I cannot wait to see how they transform this industry over the next few years.
Delaney: And there's a boldness, isn't there? Not afraid to call out as they are? No BS.
Field: I think Jen Easterly has been a nominated ghost for every one of these conversations. She should get some special award.
Delaney: Omnipresent, omnipotent. Suparna?
Goswami: I'll not name a person, but maybe something I'm very hopeful for: SBOM, which President Biden signed in May 2021. While every organization, I feel, uses the same open-source components, which has niche organizations, they scan for vulnerabilities and they analyze the risk and everything, but they do it in silos. So SBOMs will have the common infrastructure and data exchange format, which I think will go a long way in helping companies, and it essentially clarifies both identity and material inputs beneath across the supply chains. So I think SBOMs: I'm just waiting to see when India will take that step, or when countries in Asia will probably take that step and make that mandatory.
Delaney: So, Tom, remember, you started the year at the Editors' Panel, saying this would be the year of the SBOM. Suparna, we're full circle.
Field: It didn't take off quite so fast as I hoped it would, but I know we've had a lot of conversations about it, and movie buffs will appreciate that I will join the partners bandwagon and look at 2023 as the year we learned to love the SBOM.
Delaney: Well, I'm going along with what Tom said about our future talent. We've got CyberFirst in the U.K., and that really tries to nurture a diverse range of talented young people into a cybersecurity career. And then we also have the CyberFirst Girls competition, which aims to develop talented women CISOs such as Marene Allison and Dawn Cappelli. So there is hope.
Field: It's encouraging. You've got a generation of leaders that has never had to think about whether you should or should not use a personal device for work.
Delaney: Totally. It's mind blowing. Well, Tom, Suparna, Rashmi, this has been an absolute pleasure and a joy. Thank you very much.
Goswami: Thank you. Merry Christmas.
Delaney: Yes, absolutely. Thank you for watching. Happy Christmas.