CISO Program Manager, Amber Pedroncelli, sat down with Chad Cottle, a finalist for the Most Improved Information Security Program of the Year Award for the 2016 InfoSec Tech & Exec Awards.
Chad Cottle is the CISO and Deputy CIO of the City of Lexington, Kentucky, as well as a finalist for the Most Improved Security Program of the Year with EC-Council Foundation. Welcome to the program, Chad.
Chad C.: Hey, thanks for having me.
Amber P.: Absolutely. Thanks for being here, and congratulations on being named a finalist. Looking at your nomination, it’s very extensive. One of the main reasons that you were selected as a finalist is one sentence: “In brief, Lexington went from ground zero to a robust and maturing information security program in under two years,” and much of this is credited to you, so let’s talk about how you got started in security.
Chad C.: Yeah, that’s a fair question. I didn’t sit down and say, “Hey, tomorrow I’m going to be the security guy,” but my interest in security and IT and computers and everything probably started back in 1982, ’84, something like that, whenever ‘War Games’ came out. I was completely enamored with the whole idea of hacking and what hacking could do and the protection of data and those kinds of things.
As my career grew, I started off as a programmer, moved to more systems administration stuff, and had done the full life cycle and moved into management. The short version is that I noticed that we were doing some security things, but we were always doing them in an ad-hoc fashion. We didn’t have a formalized program that was set up with the sole goal of actually protecting assets, protecting data, and basically securing the fort, so a couple years ago, after we had a bit of an incident, it wasn’t anything bad, but it opened up our eyes, and sat down and said, “Let’s charter this thing out, and let’s actually do this and build something, and let’s get the funding to do it right instead of trying to do things piecemeal.” That’s how it all came together.
It always comes down to the business case, right? What kind of business case can I sell to my CFO in order to get IT priorities recognized? Sometimes, it’s risk, right? You can do all the qualitative risk you can or the quantitative risk analysis, but sometimes, it’s telling the story. I think that’s probably my key benefit and the key asset that I bring to the organization. I can talk to the people who are not technologists, right? Because they don’t want to hear a lot of ones and zeroes. They actually want to hear how it impacts them or what their potential risk is, right?
Being recognized as a finalist is super important to us, because it puts a little stamp on the idea that this money … We always have to be stewards of the taxpayers’ dollars, right? This says that, “Hey, we took this seriously. We made progress. We made progress that we care about, and we’re still trying to mature.” Security is not a destination. It’s a journey, right?
Amber P.: You went from talking about how it was ad-hoc, you’d do things as you needed to, reactive, into building a business case. I would assume hours and hours of work went into doing that, just understanding where you were and then actually putting thought into where you wanted to be and where you thought you could realistically get to. What was that process like?
Chad C.: The business case, I’d love to tell you that it was some consultant endeavor, and it took hundreds of hours, but it really wasn’t. It was more of a think piece, right? Again, I think what I bring to the organization is, I can talk to people. I’m not afraid to have conversations, but I’m also not afraid to talk about technology to people who don’t necessarily get technology and explain what it means to them.
I’d ask a simple question. I was interested in something, an event that had happened, and I ask our network guys to give me a network diagram. They honestly looked at me like I’d asked them to give them a lock of hair from their firstborn child. I started pulling the covers back and realized that, even when I thought we were doing things in an ad-hoc fashion, sometimes we really weren’t doing them at all, and just took that empirical, firsthand knowledge and built a story around it, right? It’s about the dialogue.
I’ve presented C-levels with many documents in the past, of interesting statistics and interesting diagrams and things like that, but sometimes, it’s the words that you use to tell those stories that actually get them to action, right? Especially in a government setting, where politics is really that invisible hand, as it were, right? There’s money, and then there’s risk, and there’s compliance and those kind of things, but politics still shapes and guides those discussions, and you have to be able to maneuver in that landscape, which is tough sometimes, because you’re competing against things that citizens find to be of tangible value, right? They can go out. They can put their hands on a streetlight, or they can see the police officers or the EMT’s and the firemen. They can drive on roads that have been patched appropriately and don’t have potholes. They don’t really see IT and IT security, if that makes a lot of sense.
Amber P.: No, it does. We’ve talked about ROI, and it’s hard, even when you’re not trying to deliver some value to the average person but even to a board of directors, proving the dog didn’t bark, that kind of thing, so I imagine, when you’re dealing with just average citizens, it’s got to be difficult to feel like you’re using their taxpayer money effectively.
Chad C.: Right, because a lot of these things, they don’t see, you know? Even if you look at the “technical things” that IT purchases, they don’t stop in and say, “Hey, can I see your firewalls?” or, “Hey, can we see all the switches you guys bought with all this money?” right? It’s what that value add and that service add-on that they get in knowing that, when they bring their child to parks and recreation to sign up for tee-ball for the summer, that we’re going to do our best to make sure that their credit card data doesn’t get compromised, to make sure that any potential medication information that’s handled by many of the social service agencies is well protected. It’s that peace of mind, but they don’t really see that.
Things like this that become visible, that say, “Hey, that we took this seriously, and we’re trying to be good stewards of the money, and we’re trying to be good stewards of your data, right?” This is an interesting thing. My CIO is excited that we’re considered a finalist for this, but this is one of those things, you don’t want to just jump up and down and advertise too much, right? Because then I feel like it puts a target on your back, right? “Hey, we’re the greatest infosec program in the world!”
Amber P.: In your nomination, it mentions that you come from a background of project management. I think it’s something about a recovering project manager is how you describe yourself.
Chad C.: Right.
Amber P.: Can you talk about having that core competency? It’s one of our certified CISO domains, project management. How has that impacted your ability to tell good stories and get your information security program leaps and bounds from where it was two years ago?
Chad C.: Sure. Project management is one of those things. Even PMI has retooled their whole body of knowledge to talk about the importance of stakeholders, and that’s just the heart of it, right? Is knowing who your stakeholders are, being able to identify them, being able to communicate with them, being able to get the sponsors to buy into your vision and to your program, and also managing the resources appropriately. You’ve got to be able to differentiate between what’s operational versus what’s a project, what’s strategic versus what’s tactical. You’re right. It’s a core competency. I think successful CISOs and successful IT people, successful business people, need to understand the value of projects, right? When do you charter a project? When do these projects transitions from, “Hey, we want to install a firewall,” to they transition to operations?
That’s been a key factor in my success here, as well as the team’s. We’re not a “projectized” organization. I wish we were. We’re definitely more of a “metricized” organization, but having those skills are so important, because you can come in, and you can deliver your business plan to the stakeholders, you can manage buy-in, and you can actually show a deliverable. You know how to work your stakeholders when things go off the track, because they often times will.
The success we’ve had in the past two years, we chartered it as a program, program being a common link between many projects that have the same kind of end game or goal. Under our information security program, we’ve chartered all different kinds of things that cover everything from hardware installation to people to processes and things like that. It’s a successful model. It’s one that we get, we understand. It works for us. It’s obviously not a one-size-fits-all for everyone, but it simply works well for us, because we get it. Sometimes, it’s the little wins that you get out of some of the smaller projects where you see progress, you know?
When I mentioned to our team that we were going to apply for this award, I still received some puzzled looks, almost to ask, “Why?” I think the greatest satisfaction is, sometimes, when you’re able to step back and say, “Wow, we really have made progress.” I don’t think some of the team is still there yet, right? They’re so entrenched in solving the problems that they haven’t seen all the incremental gains and the huge gains we’ve seen from all this. It pleases me. There’s a lot of satisfaction I’ve gotten out of just receiving that e-mail that says that we’re even considered to be a finalist for this, because it proves to me that we have made progress. We set out to win the game, and you can’t win the game if you’re not winning the matches, right?
Amber P.: Right. Looking at your nomination again, it covers a lot of components, and one of the ones that jumped out to me is it mentioned the steering committee. Can we talk a little bit about how helpful that was in getting all this accomplished?
Chad C.: Yeah. Governments are odd entities, right? We don’t have a board of directors to report to. You’re beholden to the taxpayers, so sometimes, you have to set up your own quasi-structures to make sure that you’re held accountable to something, right? That you’re reporting out, that you’re actually delivering message and value to stakeholders. The way we carve that up is that we have a steering committee that’s based on representative membership from the various high-level departments of government, those being law, public safety, public works, and those kind of things, so that there’s input and buy-in from those folks as well as an agreed upon mission and direction and strategy, really, for those various groups.
At the end of the day, if we’re doing all this security work, and that’s great and all, but it ultimately, it’s either benefiting or it’s making some kind of change to somebody’s line of business, right? This group, in addition to helping guide what we work on and how we work on things and then help us with the battles for funding and things like that, too, they also have change management, because change management, as we’ve found along this journey, is still just … It locks up with this 100% of the time. You’ve got to be able to manage your people and help them through change and help the processes change, too, because this doesn’t exist in a vacuum. We don’t just do security, and then, all of the sudden, everybody’s happy, and it works. There’s a lot of other moving pieces and parts.
Amber P.: Can you talk a little bit about some of the innovations you might have had in change management? I don’t hear that a lot, and it was highlighted in your nomination as well. What did you do to manage the change?
Chad C.: Again, being, like I say, a recovering project manager, I’ve done a lot of IT projects, huge ERP implementations, and I wouldn’t say there’s necessarily anything super innovative about it. It’s just being able to follow the right conversation at the right time, the right tool and technique, the right mitigation strategy, having the right conversations. It’s just having a plethora of experience and being able to bring that and show the change and show how it’s going to impact people and show what happens if we don’t do these, right?
It’s one thing to say, “Hey, we’re going to make this place more secure,” but now you have to use multifactor authentication, right? Because that becomes a burden to someone at some point in time, like “It used to work quite well when I VPN’d into the network, and I just came right to my desktop.” Now you’ve got this other stuff. It’s trying to help people see that you feel their pain but you have the shared goal of getting them to where you need to be and getting them to where they need to be, if that makes any sense at all.
Amber P.: Yeah, that does make sense. You also mentioned funding, having to deal with limited budgets. Anything you learned through this process about having to do that? Of course, working in government, that’s usually a constraint, not always, but usually.
Chad C.: Yeah, it definitely was a strain. One of the most interesting things we found out when we decided we were going to just charter a program is that the government really is not set up to pay people to do security work, right? The best and the brightest generally don’t come to work for the government for the scale that the government wants to pay, so we had to make the case that there has to be money put in budgets for people, and ‘people’ meaning to go out and pay industry scale to get those kind of services, right?
Our particular city had seen a lot of atrophy in skill sets. We had to reinvest in training for folks internally. We had let a lot of the infrastructure start to age and get so far behind that they were non-existing maintenance contracts and years out of service, so you have to make the case to get those things as well. Then it’s a balancing act of, “I need so many resources, and I need so much technology, so much infrastructure, and how are these things going to mesh together?” That, to me, was the top obstacle. It wasn’t having conversations about tough things. It was, “Okay, wow, now that we’ve got this funding, what do we do with it?” It was an interesting problem to have, because it’s one we hadn’t had before. We got our operations budgets, and sometimes, we got incremental increases if we’d made the case that something had finally hit the dirt, but it was actually having a new line of funding and saying, “Wow, this is great. This is everything we’ve always wanted. How do we use it, right? How do we use it appropriately?” Then you start to go through the risk process and how you’re going to attack things, how you’re going to get your biggest value, your biggest bang for your buck, you know? “Where are my AD20’s and those kind of things?”
We found what worked for us was Australian Signals Directorate, the ASD, had done a lot, a great body of research, for technical stuff, like how do you solve the most problems with the least amount of resources and least amount of legwork? Their ASD top four has proven to be great for us. We’re able to look at those and focus on those as the technical pieces, right? We were able to buy equipment we never had before, next generation firewalls. We were able to get operational intelligence out of a [SEAMS 17:49] system. Having Splunk. We partnered with Splunk. I think we’ve become a center of excellence for Splunk. We’ve entertained the FBI. We’ve entertained universities. Other governments come in and actually look how we’ve set ours up, how we continue to monitor data, and that was kind of … The light bulb went on for us with that as well. It’s great to finally have all this information, and then, once you do it, you can start looking at it in new and interesting ways.
One thing that was cool that happened in all this … We’re trying to seize on the whole idea, because you have a lot of smarter people working for you. The engineers kept telling me how great Windows 10 was compared to Windows 7 and, obviously, compared to Windows XP, and our patching process has always been ad-hoc, so we invested in a patching solution and a patching process as well, like policies and procedures. Along the way, we went ahead and tried to capitalize on IBM’s July 29th date to get all of our PC’s upgraded.
In doing so, one of the nice benefits of doing that along the way is we were able to add the Splunk forwarder to all of our computers, so that now we’re getting desktop intelligence that we never had before, right? Everybody’s looked at data and firewalls and DMZ’s and things like that and how stuff moves, but actually getting insight to what traverses our internal network and what happens at the PC is giving us great insight that we’ve never had before. Now, we can continue to grow that.
The long story short is, we’ve never had all of this stuff before, and so we tried to make sure that we seized on it, because we never know, and governments, you never know when the funding is going to go away, right? We wanted to jump on it and show value and show progress. That’s why the project approach worked well for us, too, for report outs. We can close out projects and show that these projects have been completed. Again, being a finalist for this shows that someone else has validated that we’re trying to put our best foot forward and do something correct, right? As opposed to continuing to do IT in an ad-hoc fashion, like we have.
Amber P.: You’ve accomplished so much. You’ve done so much. You’re the center of excellence now. You have that model going. What’s your next goal? Where do you go from here?
Chad C.: That’s a really good question. Moving into phase two of certain projects. You guys had asked a question, I think it was in one of your questions, about how do you measure yourself? To me, that’s the next big step, is we have baselines now. We know where we started from. We know the progress we’ve made. How do we continue to make improvements? How do we know when we’ve been successful? That, to me, is the logical next step. It’s something that we’ll run through in our next committee meeting. These are our touch points of where we are, but what do we do next, right? There’s so many technical projects that you can just keep showing wins on, but strategically, I think that’s the next step, is to continue to mature as an organization and be able to say … I believe in the adage, “What gets measured gets done,” right?
Technically, I don’t think we’ll ever run out of work, and there’s always an ongoing punch list that adds a lot of fluidity into it, in terms of the time of year and what resources are available, but strategically, it’s growing the program and increasing awareness, too, because so much of this happens at the people level, right? Everybody talks about, these days, about the VLANing of people. You can’t fix people who don’t understand that there’s a problem, right? If people come on, and they get phished so easily, because the phishing e-mails are getting craftier and craftier, that’s something we want to look at pretty strongly as well, is looking at how we continue to increase awareness. Everybody offers a solution. There’re poster programs and phishing campaigns, and we’ve used those, but those haven’t been the most successful thing in the world.
It’s because, sometimes, people just don’t necessarily pay attention to the message you’re trying to deliver. One creative thing we’ve talked about, is trying to look at how we can tie this to job performance so that, every quarter, people have to take a quick five-minute video, and that has to be part of their employment portfolio, that they have to pass those things in order to maintain computer access and that kind of stuff.
Strategically, just trying to mature and grow and keep learning. There’s so much to learn, and there’s so many things that … We have so much technical debt that we’re trying to get rid of.
Another thing, it’s a phrase we use around here quite a bit, too. It’s we have to still figure out creative ways to get people to see the difference between pets and livestock. When we want to start growing and changing things and these IT solutions that people have held onto for so long, really, they treat them as pets when they should be livestock, right?
Change that mentality, that we don’t commission a server and an application and continue to use it for 20 years, right? These things do have life expectancies. We’ve got to move on from that. It’s always a change management problem.
Amber P.: Right. Pulling back a little bit, you’re a super accomplished CISO. What advice would you give a fledgling CISO? What’s something that you see a lot and think, “If people just did this, they would have better results?”
Chad C.: I think it’d be to know your business, right? You only function well if you understand your business. Like I said before, IT, infosec, any of these computer things, they just don’t happen in a vacuum. You can come and put any technical solution you want to in place, but if you don’t understand your business and its people and what you’re trying to do, you’re simply just not going to be successful, because you’re going to hit roadblocks, right? You’ve got to always manage buy-in and make sure that you’re … You’ve got to have those people skills. You got to be able to make sure that people understand you and you understand their business and the changes that you want to make somehow enhance or make their life better or enhance the company’s bottom line. I think people should focus a lot on project management and project management methodology. Those prove themselves time and time again. It’s not just for IT but for most any industry. Those are things that I would tell someone to focus on.
Learn some business skills, too, you know? Having some understanding of P&L and your general ledger, those kind of things pay dividends, too, as opposed to just stepping in, saying, “Hey, I’m the IT security guy, and I know security.” Always be a lifetime learner. Don’t stop learning. There’s so many avenues to get information. It’s not just from traditional sources, too, not just from Twitter and blog posts and things like that. There’s some fringe IT sites that are out there that have threat intelligence and information that you should be aware of, right?
Amber P.: Yeah. It sounds like you’re great at that, a lot of information always at your fingertips, so that’s wonderful as well. Thank you, Chad!