Secure Your Strategy

December 16, 2022

Jason Lewkowicz, Optiv’s Senior Vice President of Cyber Defense and Applied Security, joins Cyber Security Matters and delves into cyber strategy, resilience, the maturity journey and measuring the success of your security program.
Dominic Vogel: Hello, everyone. Welcome to a brand new edition of the "Cyber Security Matters" podcast. I'm your host, Dominic Vogel. And joining me as always is my co-host and Mr. Optimistic himself, Christian Redshaw. Christian, how are you doing today?
Christian Redshaw: Well, I'm right on the money with optimistic. It's good to be back in the studio and doing another episode with you.
Dominic Vogel: Absolutely, really excited for today's guest. He actually hails all the way from Chicagoland, Jason Lewkowicz. He's the Senior Vice President of Cyber Defense and Applied Security at Optiv. I think it's gonna be a brilliant conversation. So we'll take a brief pause here and we'll welcome him aboard.
Christian Redshaw: Let's do it.
Dominic Vogel: Jason, thank you so much for joining us today on the "Cyber Security Matters" podcast. How are you doing?
Jason Lewkowicz: I'm doing fantastic, thank you.
Dominic Vogel: Awesome, well, Jason, I know Christian and I are really looking forward to this conversation, and we've looked up your background, your bio. You seem to be an incredibly interesting human being. So we'd love for you to share a little bit more about your personal and career narrative, let our listeners and viewers learn a little bit more about you.
Jason Lewkowicz: Sure, well, don't ask my kids about me being interesting 'cause they would say that I'm not. So a bit about myself. I'm based in Chicago. I've lived here my entire life. Like everybody who is based in Chicago, it consumes a 300-mile radius around Chicago. But I can actively and accurately say I lived in Chicago, and I'm within a 17-mile radius, so I'm close enough to call it home. Professional experience: so I am currently the Senior Vice President responsible for cyber defense and applied security at Optiv. So I have 900 professionals around the globe that report to me. And I have responsibility for our managed services portfolio, our threat business, which would be your offensive attack, penetration, red teaming, et cetera. They also do incident response, enterprise incident management and insurability, where they're working with organizations to help them drive towards cyber insurance policies. And the last group that I have responsibility for is our architecture and engineering. So they will design blueprints and implement them for any technology that Optiv sells, as well as enhancing it. I also oversee our client advisory board through the end of this term, which expires on the 31st of December this year. And finally, I have responsibility for our India operations. So all of our delivery work that comes out of India ultimately reports up to me. I've been with Optiv for about 10 1/2 months. Before that I was a global CISO for Cognizant. And before that I had a short 23 1/2-year career at Accenture where I departed as their deputy CISO.
Dominic Vogel: That is a very short tenure. Yes, 23. I'm curious, just on the term, before I pass it over to Christian: you mentioned the term applied security. I don't think we've ever heard that term used on the show before. I'm just wondering if you could describe sort of what that means, what that term means, applied security.
Jason Lewkowicz: So as the security lens and the aperture widens, a lot of the way that I approach security is around business resiliency. There are so many things that can fall into the bucket of a business being resilient. And ideally, resilient can be defined by an organization kind of through the CIA triad, with integrity, availability, blah, blah blah. So I like to spend time with the clients, to really understand what is it that they care the most about, to be, "resilient", and define a program against that. And in some cases it may not always be the tried and true traditional security. And that's where I think that applied security comes in, because it encompasses a bit more.
Dominic Vogel: Fantastic.
Christian Redshaw: That's an amazing answer. Jason, when you're dealing with these business leaders within organizations and dealing at the board level, how do you collaborate with them? In other words, how do you get cybersecurity and business leaders to collaborate together? What do you find is a message and an approach that really resonates with them?
Jason Lewkowicz: Well, the first thing I try to do is to get any of the business leaders that I'm working with, whether it be somebody at mid-level management all the way into the board of directors, to really understand what are the business goals, how does security attach to that. Because in most cases, let's just be honest. Security for an organization, unless it's a cybersecurity company, is a cost drain on an organization. It's a cost center. But if there's a way to take what your security organization is doing and apply that to your sales narrative, as to this is why we're more secure, this is the investment we're making in keeping your data safe, that's something that will resonate very much with the board. The other thing that I'm always looking for and what's made me successful in my career is being, I'll call it high performing. So I'm looking at what are the things that we're doing, how long is it taking them to do, and is there a way to drive operational efficiency through them? Because again, that's a cost-savings measure I can bring back to the company saying, "This is how efficient we have become by having this program in place." So the first piece I try to do is get everybody to understand what are the objectives of the business and how does security apply to it? Then create some success criteria around it, and then execute. And then measure along the way. It's funny, it sounds super simplistic as I describe it, but when I walk into an organization and start speaking with them, I find they often are talking across each other, whether it be the IT team and the CISO, or even the executive management team and the IT, CISO, or maybe even enterprise risk management. They all tend to talk across each other. So I try to be that coach. I'm the marriage coach for them.
Christian Redshaw: It is an interesting spot when you're a cybersecurity leader and you're bringing the business and IT and risk together. And how do you fit in with all the other risks that an organization is trying to manage? I think it's a very good approach, especially the part about, okay, once you've had a plan, now it's time to deliver. So transitioning maybe into the client's shoes, and I know from industry to industry it can vary. But what would you say are the common typical elements of a cybersecurity journey? Can you maybe talk about some of the starting points and some of the key milestones along the way?
Jason Lewkowicz: Sure, so I think at this point, at least in 2022, most organizations have some component of a security team or a security thing. Even the smallest organizations likely have some type of endpoint protection. So the first piece, and again, while this may sound simplistic, is goals. What is it that you're trying to achieve? So the first thing, if I'm going and talking to an organization that's very immature, I'll talk to them about what their budget needs are, and what is it they're really trying to get out of the organization. Which usually I will point back to, and again, this will sound basic, what are the things that you care about? You'll hear all the time people talking about crown jewels. It's likely a term that's overused. So I'll just say, "Of the assets you have, I know people are of course your most important, but of your digital assets, your cloud-based, your on-prem, your endpoint, the data you hold, what is the most important?" Because the reality is even an organization with the largest budget on the planet is still not gonna have enough resources to cover everything. So I try to be very focused in terms of what are the things we care the most about? And that's where we create that plan. When I think about the most efficient, the most resilient organizations, in there I'm looking at how can we leverage automation and orchestration to eliminate swaths of teams? Where can we be as efficient and operationally disciplined where we're taking those FTE resources and applying them to innovative techniques. So the ability to achieve an identification of a threat in your environment in under a minute. The ability to contain that threat in under 10 minutes. The ability to eradicate that threat in under an hour. Those are the types of things that I'm focused on with our most resilient organizations. And a lot of times too, for the kind of right in between, we'll use some type of maturity assessment. What does your business care about? Which framework do you want to align to? And let's just perform a maturity assessment. And from there you can use the leverage to throttle where do you wanna spend money against that original thing I said, which is what do you care about? Ideally, again, we wanna be resilient. What are the threats that our organization faces? Can we defeat those threats? If we can't defeat those threats, a mitigation strategy.
Dominic Vogel: I love how you're explaining all of this, Jason. Like you said, it may sound simple, but I think that's a testament to how well you're describing it and speaking. One of the things that I wanted to ask you was around culture: let's say a security culture within an organization. A, how important is that as a prerequisite for being able to have a successful cybersecurity program in an organization? I guess part B to that is how does one go about creating or fostering such a culture?
Jason Lewkowicz: So the human firewall, in my opinion, is probably the best active defense an organization can have. I have spent a substantial amount of my career focused on the behaviors of people, the behaviors of things. Everything comes down to an incentive, whether it be a carrot or a stick. You're obviously trying to drive towards a behavior. And from that, it comes from training. So as an information security program is being thought up, the human element has to be taken into consideration. And what I have found in my 20-plus years doing this, where an organization is most successful and where the organizations that I have worked in have been most successful is all around change management. Why are we doing this? Continuous communication. But in that communication, it can't just be this is how it helps the business, this is how it helps our clients. While that's important, if you want to get adoption, you have to take it a step further. By having these good practices of information security, this is how it protects you, this is how it protects your family. And tie that to things that will resonate with them that they're hearing in the news. I mean, Uber, there was just a conversation around the Uber breach, which I understand was a while ago. But it's top of mind right now, and it drives towards why multifactor authentication is important, why having different passwords and using a password vault for things is important. Continuously checking on your identity, making sure that it hasn't been compromised. Even though that may not tie to the information security program, you can tie bad information security hygiene things to an outcome that they'll be like, "Yeah, I definitely don't want that."
Dominic Vogel: That's fantastic, Jason. A follow-up to that, I guess an extension of a point that you were mentioning earlier, was around measuring what security success looks like. And when we boil that down into metrics, and particularly in terms of what's communicated to the board, we still see a lot of organizations where the metrics that are presented to the board are still arguably very operational. X number of attempts were blocked at the firewall, kind of thing. Things which are meaningless to your average board director. What type of metrics are most, I guess, powerful or compelling to a board of directors? What should organizations be focusing on when we're talking about not necessarily operational security metrics, but those strategic metrics?
Jason Lewkowicz: So the honest answer is it depends on the board that you're dealing with and the savviness of the organization. So I'll give you two answers. If I'm dealing with an organization that is small to medium, they have a board that does not have a high IT aptitude or IT competence, it is gonna be more on the transactional, with a focus on here's what our plans are for the year. This is where our spend is. This is kind of the pyramid chart of how busy we are, like alert, event, incident, et cetera. And then I may talk about some of the things that we're seeing, and how I'm going to leverage those things to drive our strategy forward. And it's usually a simple two-page PowerPoint with these are the things that are going on, and this is what we're doing to be busy. As I move to the right down into the more sophisticated organizations, I will usually do a few things. The first one is I want to paint a picture of what the threat landscape looks like to that specific business. I'm gonna show it through the industry that they operate in. And then I'm gonna show it in the ecosystem. And I'll likely also show it in the region that they operate in, or regions. Or if it's a global company, the globe. I will then leverage that information against a series of metrics. And again, depending on the business, they may shift and change. But I may look at vulnerabilities. I may look at progression into cloud transformation and how we're protecting those pieces. And then I may tie it into what specific threats against that threat landscape have we actually seen? What has been realized? And where do I think we have gaps in our security posture that we are going to need additional spend on? One of the pieces, on a tangent for a second, one of the pieces that I've been emphatic on is a CISO or an information security organization should not be setting the risk thresholds for an organization. They should be measuring against it. Those risk thresholds and that risk tolerance need to come from the board, from an ERM practice. And it's the CSO's responsibility to show where we are against that threshold. And if we have situations that exceed it, it's not the CSO's job to make the decision. That needs to be brought up to that committee. So again, when we're dealing with a very mature organization or if I'm talking to a board and they have an ERM component, I will also have mapped a kind of RAG status as to where we are against the risk matrix, and if we have anything that we believe is encroaching. It could be staffing. So as an example, I love showing metrics around the busy-ness of the SOC, not in the context of how many things are they transacting, but what is the capacity and volume that each SOC, each individual can handle. So if we exceed the threshold, it becomes a trigger point where I'm going to need more staff. So I'll also leverage metrics that way, to show what does the organization need as a baseline for protection, a bare minimum, and then kind of a maximum piece. And depending on, as everybody is saying now, economic conditions being tough, what are the levers that we can pull so that we are again maintaining the appropriate cost impact on an organization. Long-winded answer, but hopefully helpful.
Dominic Vogel: That was a brilliant answer.
Christian Redshaw: No, that was very well said. And you started to answer the last question that I have for you, Jason. We're talking about how we're in a recession. Is there anything that you're finding is different about cybersecurity, and leading the cybersecurity function, in the context of a recession versus, let's say, in more optimistic economic times?
Jason Lewkowicz: Yeah, so I'm gonna give you, I will again give you two answers. If I put my CISO hat on as I'm talking, many of my friends, I know that there are pushdowns coming from the CFO or from the board around give-back in terms of money. And it's not just unique to information security. It's usually give back against any of the corporate functions. So in my old role when that would happen, of course I would find it frustrating, raising my hand, pointing back to that threat matrix saying, "These risks aren't gonna go away." On the other side of the fence where I sit today where I'm now helping organizations kind of drive through these challenges, we're just changing to these are the essential things that you need to do right now, and these would be the nice to haves. This way they can articulate back to their finance committee, their investment committee why they need to do these specific things. But the reality is the bad guys are just getting more sophisticated. They have figured out how to monetize exactly what it is that they're doing. I mean, you can see ransomware as a service, and nothing I'm saying is new to any of the audience who's listening to this. But I do not see the threats going away. I do not see ransomware attacks going away. I do not see cyber espionage or any of the nation states that attack, none of that's gonna go away. So again, it comes down to risk threshold and affordability of an organization. And I think it's imperative for the CISOs to just point out and have something documented saying, "This is the potential outcome of not doing this thing." And that takes the onus off of them, and it places it back onto that risk committee.
Dominic Vogel: Jason, that was an absolutely awesome conversation. I thoroughly enjoyed every minute of it. The wealth of knowledge; you should always know that people from Chicago always deliver. So thank you very much for that. Thank you for a very wonderful conversation, Jason. We really appreciate you joining us today on the "Cyber Security Matters" podcast.
Jason Lewkowicz: You're welcome. Take care, gentlemen.
Dominic Vogel: Awesome. Thank you.
Christian Redshaw / Dominic Vogel: Thanks, Jason. And Christian and I will be right back to wrap up today's episode.
Narrator: Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy, and operate complete cybersecurity programs, from strategy and managed security services to risk integration and technology solutions. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit optiv.com.
Dominic Vogel: Jason fully delivered on that conversation. That was just a wonderful, wonderful conversation. Thoroughly enjoyed every minute of that. I think he did a terrific job, lots of great insight. And I really appreciate how his answers were. So I think there's elegance in its simplicity, in the way he was answering the questions. What was some of your key takeaways?
Christian Redshaw: I can't disagree with you there. And he gave a couple of two-part answers, so I'm gonna give you a two-part answer here. Part number one, he's talking about getting the goals of the organization, taking that into account, and then having cybersecurity support that. And I liked what he said too about the recession conditions that we're in now, and how to handle cybersecurity there. Really, it's okay, here are the essentials and here are the nice to haves. Nonetheless, the cyber security threat is still out there and it's still real. So it still needs to be taken seriously.
Dominic Vogel: Absolutely, and we're really grateful to Jason for joining us today, and we wanna make sure we extend a special thank you to today's sponsor, Optiv Security, for sponsoring today's "Cyber Security Matters" podcast episode. And obviously, we wanna make sure that we thank the loyal listeners and viewers who join us each and every week. And if you happened to miss a previous episode, do check out old episodes on the "Cyber Security Matters" YouTube page, and/or on your favorite podcasting platform. Until next time, be well, be safe. And we will see you again sometime in the future on the "Cyber Security Matters" podcast.