All C-suite execs must be CISOs first: John Shier, Sophos

The C-suite needs to be CISOs first, as security needs to be an overlay function to every part of the business, says John Shier, Senior Security Expert at Sophos.

Keeping hackers at bay is a nightmare for any company, across any industry. The CISO's role is tougher with new-age threats (and old ones too), amid the proliferation of endpoints and the complexity of networks. CSO India spoke extensively with John Shier, senior security expert at Sophos, on the most complex security topics and his outlook on them.

Edited Excerpts.

What are the new-age trends in security? Are they scarier now than ever before?

Some of them (the security trends) are scarier than the others. On one hand, the threat from well-funded nation-state actors through targeted attacks is real, with plenty of examples in 2017. It’s interesting to see them employ very basic, ground-level cybercriminal tactics. Phishing was a consistent key component in every single major incident last year, including the Dyn attack. Cybercriminals are using phishing to generate money or infect a computer. They have also started to use off-the-shelf pen testing tools; in the case of Petya ransomware there was not only the use of psexec (Microsoft internal tool) but other new tools as well. These are techniques that have been time-tested and well-worn.

“CISO is a concoction of a security expert, a skilled negotiator and often a political activist within the organization.”

John Shier

Senior Security Expert, Sophos

On the other side, the ‘garden variety’ cybercriminals have high motivation, but maybe many have little knowledge in terms of deep exploitation. They often use the tactics of nation-state actors by grabbing the Shadow Brokers’ dumps/exploits and incorporating them into their activities. There is cross-mixing of tools, tactics, and procedures (what we call TTP) that is fascinating from a security researcher’s point of view, but it is a scary trend. You cannot separate the bad cybercriminals into advanced nation-state and low-skill garden-variety groups, as they are now intermixed, unfortunately.

If the cybercriminals supposedly reuse or repackage known threats, does that make them lazy? Or do they assume CSOs are sluggish too?

Absolutely. Some of them (hackers) are lazy. But it is an opportunity for many, as they don’t have to rewrite or find their own exploits and spend little time developing the existing ones.

On the other side of the spectrum, I don’t think CISOs are lazy. They are often caught in an awkward position of providing security for the business and also providing availability of services to business units. They have to answer to other business leaders and the C-suite of the company, and often the priorities are either mixed up or shoved down a little bit. Selling the vision to the board that every modern company is a software company that needs a security team can be a tough task. Translating the severe impact on the business of a weak security posture might alert the CFO and reprioritize things. The CISO’s job is a concoction of a security expert, a skilled negotiator and often a political activist within the organization.

Will CISOs enjoy peaceful nights in a hyper-connected world where networks and endpoints are compromised by traditional attacks and there are modern hacks of cryptocurrency and bitcoin?

The job of a CISO, CIO and senior leadership in the company is to understand, assess and manage risk. You can accept, transfer or avoid the risk. Phishing is one of the most prevalent vectors to deliver ransomware and all other threats today. If a company wants to mitigate the risk, the emails can be stopped, but that is not realistic. Hence you put security controls and acceptable security policies around it. You can transfer the risk by hiring a trusted partner or moving to the cloud when you don’t have in-house experts. They will manage the back-end infrastructure while you are busy with policies and day-to-day management.

“CISOs need to really understand each department’s risk posture and how they can best avoid, transfer or accept that risk for each part of the business.”

John Shier

Senior Security Expert, Sophos

CISOs need to really understand each department’s risk posture and how they can best avoid, transfer or accept that risk for each part of the business. Once CISOs start doing that effectively, they can have better sleep at night.

I seriously feel the CEO, CFO, CIO and other stakeholders should be CISOs first and be aware of the company’s security posture. The prevalent messaging of industry colleagues and research analysts is very reminiscent of the fact that security needs to be an overlay function to every part of the business. There is no space for conflict, as security does not impede the business but enables the business.

Endpoints have proliferated across devices, with new trends like authentication and user identity, to name a few. Are you buoyant on machine learning?

Identity management is a very hot topic in the industry. Continuous authentication is one of the pieces, as the credential from one-time authentication can be stolen by bad guys, which introduces the 2FA approach as well. There is more focus on authentication and identity, on understanding how it impacts access to information and access to assets within the organization.

Sophos' acquisition of Invincea, a machine learning next-gen AV technology, gives us that added capability. We have heard a lot from the competition and other vendors. What gets lost in the noise? For comprehensive coverage you need traditional dead security (the anti-malware endpoint product) and machine learning working together. The endpoint can be anything (mobility, wearable, tablet), and hence it may make more sense for certain kinds of endpoint to have a local database of known bad stuff augmented by machine learning technology. On other devices, we need to learn more about the machine learning approach.

Machine learning isn’t perfect either. If you are training models poorly, you will have a bad outcome. There’s a lot of gray area in terms of whether the user, file or process is good or bad. Different pieces of the security formula can convict different kinds of badness on the network.

How does Sophos manage both large domains of security: endpoint and network?

Sophos brings all the pieces together, which has always been our strength, from when we introduced synchronized security to bring endpoint and network together. We have a data protection piece that enables encryption everywhere, on any data and any device. We brought in the next-gen piece, Sophos Intercept X, a year ago, and now finally machine learning that gets us close to EDR.

John Shier’s 5 Security Mantras for CISOs

1. Do understand your business and its priorities and then bolster the security message.

2. Implement a program to instantly apply the patch from Microsoft across X percent of the company.

3. Identify the pieces of the business to apply security fundamentals to quickly and robustly.

4. Don’t think you know it all, as the ‘who will come after me’ sentiment has eroded today.

5. ‘Rinse and repeat’ policies and continuously analyze the changing security landscape.

We have all the different places where users and data pieces interact to make better decisions on what’s good and what’s bad by leveraging different techniques. Our goal is to provide traditional and new solutions with new pricing and reduced complexity. We want to make it easy to use Sophos solutions for the people working under CISOs, who have a lot of projects and little time.

Are we living in the days when most ‘best of breed’ companies transform into ‘end to end’ security companies for their customers?

Different point solutions mean ten different consoles, ten different numbers for support, and limited interaction between products for an end-user company. Today we see the prominence of threat analytics, correlational security and risk assessment across multiple disciplines. The next ‘best of breed’ vendor provides world-class security on a foundational basis and solutions across network, endpoint, data protection and other aspects as well. It also provides analytics that funnel into one central point for CISOs to implement the appropriate policies that reflect the needs of the business.

The ‘best of breed’ security platform has been our approach for quite some time, and other vendors follow that route too, to offer as much of the security stack to end users as possible.

What would be your advice (dos and don’ts) for CISOs going digital on the security landscape?

CISOs are extremely passionate about security and they want to drive security initiatives as hard as possible across the company. However, do understand your business and its priorities on the deliverables to the customer, and then bolster the security message. Implement a program to apply the patch from Microsoft or others across x percent of the organization right away. Had every company applied the patch when it was released, a lot of the problems with WannaCry would not have happened.

Don’t think that you know it all. Many security professionals have been in the game for a long time, but the cybercriminals will find another route. Don’t be complacent, as the ‘who will come after me’ sentiment has eroded today. Rinse and repeat, and continue to analyze the changing needs of the business but also the altered security landscape.

Do the right things for the right reasons at the right time. But keep your mind open to learn and implement new solutions that protect the company and also the business. When security and business work together, you will win.