InfoSec Beat: Risk Hide And Seek

DAN KIRNER: Exceptions are about the worst thing you could do in terms of cultures, of being secure.

KRIS BURKHARDT: Hello again everyone. Welcome to another edition of the InfoSec Beat Podcast. I’m your host, Kris Burkhardt, broadcasting from the Nick Price Memorial Underground Subterranean Faraday Cage here in our top-secret location. And my guest today is Dan Kirner. Dan leads, amongst other things, the security regime in our CIO Group here at Accenture. And we’re going to talk about his responsibility, scope, scale and how he manages it all. So, Dan, welcome to the program.

DAN KIRNER: Yeah, great to be here today, Kris, thanks for inviting me.

KRIS BURKHARDT: Super. So, Dan, why don’t we start out, you know, Accenture is a big place. Why don’t you tell us a little bit about the estate that you manage here and your responsibilities for security?

DAN KIRNER: Yeah, you know, so I run security for our CIO Organization under Andrew Wilson, our CIO. And really the scope, the way I think about it, is sort of by the stack, right. On the identity front, we’ve got over 500,000 employees, contractors and alumni. On the endpoint, 450,000 workstations, 140,000 mobile devices and then video devices on top of it. On the compute side, we’ve got 17,000 servers. There’s our entire network that we’ve got. We’ve got a lot of things around application architecture, VSTS Octopus. And then, of course, we’ve got 1,000 general apps, 450 web apps and 80 mobile apps. So a lot of stuff to look after.

KRIS BURKHARDT: Wow, that is a lot. That’s got to be up there in the top 1% of enterprises for things to manage. That’s a lot of vulnerabilities and compliance and risk to keep track of. So how do you do it? How do you keep track of all that stuff and how do you manage those vulnerabilities?

DAN KIRNER: You know, actually the first thing is, frankly, the relationship with you, Kris, right, and your teams of knowing what’s important, when it needs to be done, why it’s important, how it ties to the value that the board and Andy Vautier, our CISO, is trying to drive. Because if you don’t have that, right, if you don’t know the value part of it, it’ll always seem like work. So I think we’ve got that. And I’d say the other two things are we have incredible accountability. So we know what to do and we know who’s going to do it from the MD, all the way to the analyst. And then I would say the other thing is we always just make sure our denominator, the things we’re going after, is right. And in the short term, that probably makes us look not so good. But in the long term, after a few months, having everything out there, knowing your total scope, gets you in the rush to build a team behind it to drive things.

KRIS BURKHARDT: I think that’s a great principle to follow, right, really understanding your scope and understanding the breadth and the individual items that you have to correct. You know, I know you and I speak a lot about the sort of nails that stick up that need to be hammered back down, but we don’t – you know, it’s pretty rare that you and I get together and talk about all the things that go right. And we do a lot of those things. We do manage to keep, I think, all of that scope that you initially led off with in a good place. What are some of your other principles for delivering and operating IT in general, but also really doing it in a secure way? What’s your go-to advice for other colleagues we might have in the industry?

DAN KIRNER: Yeah, I mean I think the key is, you know, I talked about this a little bit before, this concept of accountability, it’s an equal priority and we don’t go into production unless we’re secure. So you can do all the speeches you want and you can go through a lot of things, but the thing that makes people move, you know, once they understand the value is, gee, we’re not going to let that into production unless it’s secure. And we have the support of our CIO, we certainly have the support of you and our CISO, Andy, that we’ve taken these sort of measures in terms of accountability. This is an equal priority. And I would say it’s actually an equal priority plus one, meaning it is the tiebreaker. So if you’re debating whether, hey, we’re going to do this or be secure, in the last two years, I can’t think of an instance where be secure didn’t lead. And, again, those are extreme cases, but overall, what it’s done is it’s changed our culture, so that the people are more worried about it, the accountable people, than yourself, Kris, Andy, you know, in the CISO organization or even Andrew and myself, right. People are more worried than me because they understand the value and they understand the implication and they understand how it’s going to inhibit them getting a new capability out to their customer. I would say the other thing is on the customer side of things, as much as we talk about the IT side, we, the business leadership and the CIO leadership, have really locked hands on saying security is important from the get-go. So we, you know, two or three years ago, we might have had pushback. I would say today, not only don’t we push back, in many cases, the business will bring up the point like, gee, is that secure? Are we doing the right thing? And what happens in the end is you don’t have security. You don’t get to that point where you have insecure things. You start to prevent stuff.

KRIS BURKHARDT: I think that’s a great point. It goes back to your original point about understanding the value of security. And our business partners really understanding that and helping us drive. So security stops becoming the CISO organization’s problem, as you say, and really becomes everybody’s concern and people take it seriously. So that’s, you know, thanks in large part to you and your organization. So let me ask you, what about those times when we have to talk about things that aren’t as secure as we want to, the dreaded E word, exceptions? I have it on good authority that you don’t like those. Is that true and can you tell us a little bit about your thoughts?

DAN KIRNER: That is a very good way to say that, Kris, so thank you for that. You know, I think people sometimes call me Mr. No Exceptions. In fact, our CISO called me that like six months ago. Exceptions are about the worst thing you could do in terms of cultures, of being secure, almost – but let me sort of break it down, right. What does an exception do? One, it just hides or masks the risk. No bad guy, and I’m going to quote my friend, Tony Leraris, no bad guy cares if you have an exception. So that’s sort of the better part. The faster part is getting it out there and getting people to work on it is always faster. You know, giving them a year to fix something, not really a good thing. So we’ll sometimes say you might get an extension of a month, but we will never allow an exception where you can’t have it for like a year or something. And then I would say the last thing that probably gets hidden is having an exception is extraordinarily expensive, extraordinarily in terms of the risk. We just sort of talked about that. But then the management of it, being on old software, defending it and once you get one exception, then there’s more exceptions that come down. So, you know, at the beginning, Kris, you asked me sort of our scale, right, and it’s pretty big by any measure. And we’re constrained by vendors and clients and different things. Maybe not to the extent that everyone else is, but we’re certainly constrained by that stuff and we don’t have any exceptions. And it was, you know, I’ll be honest. It was painful in the beginning. The scorecard looks worse. The client or the team is – the IT team or business team is a little upset because they can’t work on that functionality that they wanted to do stuff. But once we set that culture in place, I’m maybe asked for, I don’t know, one to two exceptions a month. When I took over, we had 3,500 exceptions out there and we just grandfathered those in a little bit and then boom, we put the no-exception policy in place. And we got better and better at not just saying no exception, but here are the alternatives.

KRIS BURKHARDT: Yeah, I think that’s a great story, right. And to kind of bring it back a little bit. We read about breaches in the news all the time. In some ways, it makes our job easier because we don’t have to convince anybody that security’s important. But I don’t remember ever reading about a company standing up and saying, yes, we were breached, but we had an exception. I don’t think that’s ever happened. So, well, Dan, it’s been a great chat so far. Do you have any last words of wisdom out there for our listeners who want to clean up and keep their own space secure?

DAN KIRNER: Yeah, a couple points on that, Kris. Whether you’re an executive listening to this or an IT exec or a business exec, probably my number one thing would be own it. Don’t wait for the security guys to tell you what to do. The thing I say, and this is a compliment, is your security guys are the least common denominator. They’re just a basic level of security. The things that they’re telling you to do are like, man, we better get it done. But go above that. Own it, own it, own it as you go through it. We talked a little bit about understanding the value. The opposite way, I’d say that is, you know, if you’ve been lucky to this point and haven’t been breached, congratulations. But the thing I keep reminding myself through all the things that go out there in the newsfeeds, as you said, is it’s just a matter of time; it’s going to happen to us. In fact, I was on a call today with our CIO, you know, it’s not an if, it’s a when and how far does it go, right? And by putting these mitigations in place, it won’t go very far. So that’s sort of the second thing. The third thing I’d say and, again, these are a little bit more emotional, is just because you didn’t do it before or just because you were breached, it’s not too late. Get the stuff in place, get to somebody you know, get to that person that’s passionate about leading this and make sure they build a culture of secure is valuable. It’s part of the new digital. It’s not extra cost. It’s not extra work. It’s IT today.

KRIS BURKHARDT: I think those are great parting words and, Dan, I’d like to thank you for the chat today, for the fantastic advice for our listeners and for helping to keep Accenture secure.

DAN KIRNER: Yeah, thanks, Kris. It’s been a pleasure to work with you and be with you. It’s just I really enjoy the culture of security we have teamed together to develop within Accenture.

KRIS BURKHARDT: Well, thank you as well. Well, everyone, it’s been another edition of the InfoSec Beat Podcast. Thanks again for tuning in and until next time, good-bye.
