Security Execs Talk Facebook CSO, ‘Single Pane’ & Strategy

'TF7 Radio' Features Co-Host Tom Pageler

Dan Gunderman
09/11/2018

On the Sept. 10 edition of “Task Force 7 Radio,” show host George Rettas was joined by guest co-host Tom Pageler, Chief Security Officer (CSO) of BitGo. Topics ranged from cyber spend to security presence and venture capital.

To kick off the show, Rettas followed the format of earlier episodes by opening with news and analysis. The first segment covered the departure of Facebook CSO Alex Stamos, who left the company last month after months of publicity around the move. Facebook has also faced questions about its security practices in the wake of the election meddling scandal and the Cambridge Analytica affair.

The “TF7 Radio” hosts discussed Stamos’ position at the social media company and how a clash with executives may have led to his departure. Earlier this year, Reuters and the New York Times reported on Stamos’ standing in the company, saying that his day-to-day responsibilities had been reassigned to others and that he had ultimately been prompted to make plans to leave. He was then persuaded to stay with the company until August. A tweet from Stamos after the report suggested that he was fully engaged with his work at the social media giant, but that his role had changed, Rettas said.

Upon leaving the company this summer, Stamos became an Adjunct Professor, CISAC Fellow and Hoover Visiting Scholar at Stanford University. There, he will engage in teaching, research and policy work through CISAC, the Hoover Institution's Cyber Policy Program and the Stanford Cyber Initiative.

Facebook’s Security Strategy

Separately, Facebook announced that it would not be replacing Stamos. According to the N.Y. Times, the former CSO also wrote in an internal Facebook post that the company would be reorganizing its security team, which would no longer operate as a standalone entity. Security staff would instead be embedded more closely with product and engineering teams.

The “TF7 Radio” co-hosts then weighed in. Pageler said that large enterprises, and any enterprise that wants to operate efficiently, need a dedicated security structure, because a decentralized model can muddy overall strategy. “I think it’s a really bad move, pushing security down to lines of business (LOB) without any oversight,” Pageler said.

Nevertheless, he predicted that the security structure will reemerge over time, under questioning from shareholders, security experts and perhaps lawmakers. He compared the move to the financial world, saying that a company cannot simply get rid of its auditor on the theory that every team will audit itself.


Rettas said that Facebook security no longer operating as a “standalone entity” is troubling, since security is supposed to be business-aligned and an enabler for the whole organization. Pageler, for his part, said the move had all the signs of internal “friction.”

“I can’t imagine security embedded in the business,” Rettas said, suggesting there would be no consistency or standards, likely “breeding chaos.”

Building on this, Pageler added that a large enterprise would not simply eliminate its Chief Financial Officer (CFO) or its chief legal counsel. So why, he asked, would a successful company opt to operate without a CSO? He said that over time, Facebook will hear questions about this from many in the information security community.

‘Single Pane’

In the show’s middle segment, Rettas and Pageler dissected a recent Market Watch story marking the anniversary of the Equifax breach disclosure and the seemingly insurmountable challenges that remain a year later.

Rettas said the story exposes the headaches security executives face when managing technology that was not built with security in mind. CISOs are confronted with a large number of product choices, which can be overwhelming. A “consistent theme,” however, is that the market is drifting toward the idea of a “Holy Grail”: a single, central solution to cyber security.

Rettas said that on the anniversary of a breach affecting approximately 148 million consumers, there is a growing need for consolidation in a fractured sector. Kevin Mandia, Chief Executive of FireEye, was quoted in the Market Watch story as saying that cyber security needs consolidation, as best-of-breed products no longer stand out as much as they once did.

Rettas also noted what he called a move toward the “single pane of glass,” with companies seeking whole solution sets under one contract. And yet, he said, some 600 vendors exhibited at the RSA Conference in April 2018.

Specific Approach

The host and his guest agreed that end users need a strategy for selecting technology. That strategy has to be specific: without specificity there is no process for identifying candidate products or eliminating unsuitable ones, which could spell “big trouble.”

Pageler suggested that security buyers attend large trade shows with a defined objective. That allows for real due diligence, including examining each vendor’s own security controls and how well it protects the proverbial “vault.”

Rettas cited ESG Global Research numbers that analyst Jon Oltsik provided to Market Watch. According to that report, 62% of businesses polled want to buy their security suite from a single vendor.


As for his own approach to the market, Pageler said it is best to maintain a defense-in-depth posture. “You don’t want to be solely reliant on a vendor,” he said. “You want the ability to pivot, and you don’t want a large vendor to say, ‘It’s on our roadmap…’”

The conversation then moved to cyber spend. Rettas cited further commentary from Oltsik that “platform wars” are on the horizon, with vendors competing for bigger, more lucrative deals whose deployments could span several years.

He also cited Market Watch and Gartner figures projecting that worldwide spending in the space will grow from $114 billion in 2018 to at least $124 billion in 2019.

Oversaturated Market?

Rettas also referenced Market Watch commentary from Gee Rittenhouse, General Manager of Cisco’s security business, who said “delays in security incident detection and complexity” are due to “juggling multiple vendors cobbled together to form coherent defenses,” and that this is driving consolidation. Rittenhouse also said 25% of customers polled use between 20 and 50 vendors.

“You have to invest significantly in security,” Pageler commented. “It’s OK to have multiple vendors. But you should be reviewing (them), and looking at vendors (frequently).”

He said “out of the box” security may be fine for some small companies, but many others cannot rely on a single vendor, because if that vendor gets it wrong, the resulting compromise is massive and worldwide.

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.
