
CyberWire Daily

The impact of CISO Circles and cultivating a security culture.

In this Special Edition podcast, N2K's Executive Editor Brandon Karpf speaks with Danielle Ruderman, Senior Manager for Worldwide Security Specialists at AWS, and Adam Mikeal, CISO at Texas A&M, about CISO Circles, security challenges faced in higher education, and fostering the culture of security. Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 23m
Broadcast on: 01 Sep 2024
Audio Format: mp3


(phone ringing)

- You're listening to the CyberWire Network, powered by N2K. (upbeat music)

- Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind, knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports, so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/N2K and enter code N2K at checkout. That's joindeleteme.com/N2K, code N2K. (upbeat music)

- My dad works in B2B marketing. He came by my school for career day and said he was a big ROAS man. Then he told everyone how much he loved calculating his return on ad spend. My friends are still laughing at me to this day.

- Not everyone gets B2B. But with LinkedIn, you'll be able to reach people who do. Get $100 credit on your next ad campaign. Go to linkedin.com/results to claim your credit. That's linkedin.com/results. Terms and conditions apply. LinkedIn, the place to be, to be. (upbeat music)

- Hello and welcome to this CyberWire special edition. On today's episode, N2K CyberWire's executive editor, Brandon Karpf, sits down with Danielle Ruderman, senior manager for worldwide security specialists at AWS, and Adam Mikeal, chief information security officer at Texas A&M. They discuss CISO circles, security challenges faced in higher education, and fostering the culture of security. The group got together at the recent AWS re:Inforce conference. (upbeat music)

- I am here today at AWS re:Inforce with Danielle Ruderman, senior manager for worldwide security specialists, and Adam Mikeal, the chief information security officer at Texas A&M. Danielle, Adam, so great to have you on the show.

- Thank you. Very happy to be here to talk about the CISO circles.

- Thank you for having me.

- So yeah, as Danielle mentioned, we're here to talk about CISO circles. We're here to talk about the senior security executive community, peer learning, peer learning opportunities, the things that CISOs like Adam here are concerned with, are focused with, and are trying to, areas they're trying to develop in as a community. So Danielle, could you give us a sense of the CISO circles? What is the CISO circle? How does it play out in reality on the ground? What's the value there?

- Sure. So the CISO circles for AWS are a mechanism that we created for us to connect our AWS security leaders and our service team leaders directly with our customers, but directly with our customers in different countries. We really wanted to make sure that we were taking our leadership out to where the customers are, and this was really intended to be a trust building activity. We wanted to learn from our customers, but we also wanted to create a space where our customer CISOs could interact with each other. Because that's really where the value comes is hearing these conversations from CISOs in different industries, different businesses all be able to come together. And it's intended to be a learning opportunity, right? So the CISOs do learn from each other, and we're there to listen, to be part of the conversation as well. And the big thing is that we do prioritize open discussion. And we make a really big point about this. As I know, Amazon does a lot of conferences. We're here at re:Inforce, right? We're used to kind of getting up on stage and presenting and talking, but in that environment, right? It's closed door, Chatham House Rule, NDA, and it's a real opportunity for people to be very real with each other. You know, talk about the real issues we're facing, and for us to share roadmap information, what we're thinking. So it's intended to be a very collaborative, safe space. And I think, I'm hoping, we have achieved that for our customers.

- Well, Adam, curious from your perspective, what are those real issues that you might be facing, and your experience with the CISO circles? Would love to hear kind of how you've experienced it so far.

- Sure. Well, you know, like anything else in our industry, those issues change over time. So I've attended now two or three of the CISO circle events. Two were these cross-industry ones, where we had CISOs from various sectors, right? And that was a year or two ago. So the most recent that I've attended was one that was focused on higher ed specifically. And obviously, that being just in the past six months or so, generative AI came up, security around AI and machine learning, how we deal with the contractual issues that arise there. We talked about cultures of security, how we build that within our organizations. And also higher ed tends to lag a little bit behind a lot of other industries in terms of how we adopt new technology. So some of us are still dealing with issues of adopting cloud technologies, right? Things that might be more common now in certain industries are still something we are moving into. Cloud native applications, things like that.

- I'd be curious, Adam, to pull the thread a little bit on what you just said, because you shared that you did host a circle at Texas A&M recently. And as someone who's worked in higher ed myself and been around that world also, higher ed's mission has nothing to do with technology. Organizations tend to not focus on the security enterprise and the IT enterprise. And so you're working for an organization that's typically pretty focused on the students and the research part of the organization, if it's a research institute. So I'd be curious, your experience in that environment, how you've addressed security, how you've brought that into the community, into the culture. And then also lessons learned from the CISO circle that you hosted at A&M.

- Right, well, so yes, you're right. Technology isn't the focus, but like any other large enterprise, right, effort in 2024, you can't accomplish the things we want to accomplish in higher ed without very strong technology as its foundation and the infrastructure. And we are a very high research activity institution, $1.4 billion in research expenditure annually. We have a lot of students, where right now, I think, maybe the largest public research institution in the United States by student enrollment, 78,000 students this year. And that's just on our main campus. Yeah, so when you deal with that scale, you have to have technology to enable the things you want to do, even basic things like teaching in the classroom, dealing with student enrollment issues, being for, you know, student, the scheduling problem, of 78,000 students across multiple thousand classes and sections in hundreds of individual rooms on campus in the various buildings, that's a big problem, right? And being able to handle that requires a lot of technology infrastructure. So some of that's in the cloud, some of it's on-prem. We are constantly evaluating and looking at, where is it appropriate for us to move to cloud workloads? Where do we need to keep things on-prem? And none of that even speaks to the research technology, conducting research in any field, any field in 2024. It doesn't matter if it's, you know, computer science or if it's physics or chemistry or even English in the humanities, it is conducted with technology. And sometimes machine learning, lots of data science, lots of, you know, data that supports whatever we're investigating. And that requires a lot of technology, right? A lot of storage, a lot of compute. And so we're constantly trying to figure out how do we provide that to the researchers? So our researchers can purchase cloud computing services from us through the main technology organization.

- So you've also mentioned this idea of culture of security. So I'm curious, Danielle, in your experience, running CISO circles and really managing this program, this global program at AWS, how do you see this idea of fostering culture of security? How do we do it as senior security executives in an effective way?

- Right, and I'll tell you a little bit of background. So the idea of culture of security has been something that's been talked about at Amazon, at AWS, for a long time. Security is our top priority. And we've heard these stories and have these customer meetings. And so we decided to offer this to the CISO circles because it's just, over time, been something that's really resonated with customers. And the whole premise behind this, I want to give you like this idea. The phrase culture of security, we use very deliberately instead of security culture. 'Cause culture of security is the idea that security is a priority for everybody in the company, right, everyone. Whereas when we say security culture, we're talking about the culture of your security team itself. And both these things are very important, but when we say culture of security, we mean, hey, you as a security leader, security owners, how are we scaling that responsibility out to the business so that security teams can do more with less? And that's really why the topic has resonated, especially today, is I haven't met a CISO or security team yet that feels they have enough resources.

- Sure, yeah, of course.

- And so a lot of these concepts and these mechanisms that live within that idea of culture of security are ways for CISOs and security teams to really push that responsibility out to the business and find ways to partner. So you can, the security team can really be a partner and enabler to the business.

- And your experience, Adam, in kind of incorporating that, I mean, how do you see that idea of a culture of security?

- Yeah, I completely agree with that formulation. Our security team, clearly we have our own culture and I work hard to develop that, but the difficult part is getting those ideas and beliefs and the things, priorities, the things that are important to us. How do we translate that back to the rest of the IT organization? Much less the rest of our entire university as an organization, right? So just starting with the idea of getting that culture of security to the rest of IT, we're under 10%, right? As a security team of the overall IT professionals within our university, there is no way we can accomplish all the things that I wanna do. I can't move the needle on security within my organization if the only people thinking about security topics are my employees on my team. I have to get that idea, I have to get that culture moved out into the rest of the technology organization. And so that's definitely on my mind a lot, and being able to talk about how you accomplish that with peers and learn from things that have been successful for them, that is very nice.

- We'll be right back. (upbeat music)

- And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to InfoSec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's Security Coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco, 35 vendor integrations and counting. Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show. (upbeat music)

- Imagine this: your primary identity provider goes down, whether it's a cloud outage, network issue or even a cyber attack. Suddenly your business grinds to a halt. But what if it didn't have to? Meet Identity Continuity from Strata, the game-changing solution that keeps your business running smoothly no matter what. Whether your cloud IDP crashes or your on-prem system faces a hiccup, Identity Continuity seamlessly shifts authentication to a secondary or even tertiary IDP, automatically and without disruption. Powered by the Maverics Identity Orchestration Platform, Identity Continuity uses smart health checks to monitor your IDPs' availability and instantly activates failover strategies tailored to your needs. When the coast is clear, it's a seamless switchback. No more downtime, no lost revenue, no frustrated customers. Just continuous, secure access to your critical applications every single time. Protect your business from the high costs of IDP outages with Identity Continuity from Strata. Downtime is a thing of the past. Learn more at strata.io. Keep your business moving even when the unexpected happens. That's strata.io. (music playing)

- Now, Danielle, you hosted a panel here at re:Inforce, related to this topic we're discussing right now, our security culture of security. And you know, it struck me that on that panel, you had someone from financial services. You had someone from AWS. Here on this discussion, we have you, Danielle, from AWS, Adam from higher education. So inherently, we're building these cross-industry connections. So I'm curious to your perspective there and how you've approached that. It seems very intentional that you're building these cross-industry connections and global connections in the CISO network. Can you talk to that a little bit?

- Sure, right. So the first question about this cross-industry collaboration is we actually started the CISO circles that way, because we started as a very small, scrappy program. And inviting CISOs who were interested in this format, we just ended up with this cross-section of individuals. And over time, we've asked the attendees, would you like to have a CISO circle where it's just one industry, or do you prefer it this way? And what we've learned is by far the preference is to mix different industries together. And we have some really interesting stories where different industries have learned from each other. In one case, actually recently in a circle in DC, we had a media and entertainment customer and a financial services customer strike up a conversation. And it turned out one of them had solved a problem that the other was trying to solve. And so they went off and shared knowledge together, again, two completely different industries. I talked to another CISO who was a pharma executive, and she said that she struck up a conversation with an automotive CISO. And by talking about how the automotive CISO secures the supply chain for their manufacturing, she was able to rethink how they secure the production line for their drugs, the drug manufacturing. And she said, I never would have thought about doing that if I hadn't talked to this person from a completely different industry. And if you think about it in security, we like to segment sometimes our ISACs and our security groups by different, right? We want to keep the likes together.

- Totally.

- But there's definitely an opportunity to bring together different industries to learn from each other. And for us, we're bringing together customers of AWS who can ask, how are you using AWS in your industry? And maybe I can learn something from that. Having said that, we do have a few industry-specific circles. So I think occasionally doing those is helpful. So you get a chance to talk to your peers about those issues that are very specific to, say, the energy industry or the auto industry. But then having the opportunity to also do the cross-industry collaboration, I think we honestly need both.

- Right, right. I'm glad you brought up the ISACs. It's exactly where my mind was going, of how we have pretty stove-piped by industry ISACs in this community. But there does seem to be inherent value in cross-industry collaboration, global collaboration. Adam, is that something that you've been able to leverage in your role at Texas A&M? I'm curious to what extent higher ed's been able to learn from healthcare or financial services or other types of industries.

- I think generally higher ed's not great about learning from other industries. We tend to be pretty insular.

- Okay.

- We, you know, there's, whether we admit it or not, I think there's a culture in higher ed that tends to think that, well, you need to be in higher ed to understand higher ed problems. And I think that's short-sighted. I have learned a lot from my engagement with CISOs in other industries at CISO Circles, for example. And so, yeah, I have opportunities to interact with higher ed CISOs. We have our own industry, you know, conferences and organizations, there's Internet2, there's EDUCAUSE, that's great. And I would never give those up, we need those. But I think that being able to have opportunities to connect with a CISO or a peer from another industry is very valuable.

- So, you know, this idea of, I want to keep talking along this idea of cross-industry collaboration and global collaboration. And it's something else that struck in my mind is, we're talking about this at the highest level. We're talking about this at the CISO, the senior executive level. What about pushing that down into the organization? What about talent and cross-industry collaboration and learning at every level of the security enterprises? Is that something that you've seen discussed at all in these circles, or that you've considered with some of these industry groups?

- So, at AWS, we actually have a sister program to the AWS CISO Circles. It's the Security Builder Circles. So, after we found that the CISO circles themselves were successful, we kicked off exactly what you're saying. It's a very similar opportunity, but for those within the CISO's team. And so now that's a separate program we run globally as well. And that's much more technical. We get into the issues that more of the builders, if you will, on the security teams care about. And that's where we are also able to bring in, like, our service team PMs and GMs to come sit down with our customers. And that's been a fantastic experience. It's almost like a mini CAB, if you will, customer advisory board, because you're getting a group of customers together to talk about something like zero trust, or how are we dealing with ransomware? How are we doing threat mitigation? And that requires us to bring security executives from multiple different teams together. And now you've got this really cross-functional group having a conversation about a very real world challenge for a customer. And the service teams are able to learn very deeply. And then the customers are sharing how they're solving for it. So for us, that's been a very popular program as well, in addition to the CISO circles.

- Wow, yeah, I could see the power in that potential idea. So, Adam, curious your vision, what you're focused on leading Texas A&M's security enterprise into the next decade, this Gen AI focused, data focused, analytics focused decade of security. What's your priority? What are you laser focused on for the next set of your initiatives?

- Wow, well, things are changing so rapidly. I think that trust, digital trust and privacy are going to be areas that I have to really lean into. I think we understand generally how to look at risk assessment and vulnerability management and mitigation. Can't let up on that. That's not going anywhere, right? We've got to sort of stay the course, but we have to back up a little bit and look at the things we're doing from a higher elevation. And if we stay sort of down at the 5,000 foot level and we're just looking at, oh no, this new CVE just released and we've got to patch these machines, yeah, we've got to do all those things. But when you back up and look at a higher level, the changes that are happening to the cybersecurity field because of AI, yeah, I think it's going to change the way that I have to interact with my executive leadership. They're not going to be just asking, oh, have you patched? They're going to be asking, are we doing the things we need to do to protect our students, our research data, right, the things that are important to accomplish the business, the mission of Texas A&M.

- Danielle and Adam, so great to have you join us. Thank you for being here.

- Thank you. Appreciate the opportunity.

- Thank you so much.

- Our thanks to Danielle Ruderman, senior manager for worldwide security specialists at AWS, and Adam Mikeal, chief information security officer at Texas A&M, for joining us. Our CyberWire executive editor, Brandon Karpf, hosted the conversation. Thanks for listening. We'll see you back here next time.