CISO Interview Series- Doug Steelman: CISO Dell SecureWorks
Profile Subject: Doug Steelman
Doug Steelman is the Chief Information officer of Dell SecureWorks, where he leads the defense of Dell SecureWork’s networks.
Before joining Dell SecureWorks, Steelman was the Director of the U.S. Department of Defense (DoD) Dynamic Network Defense Operations for U.S. Cyber Command. In that role, he was responsible for synchronizing, integrating and directing cyber capabilities to defend the critical missions that DoD networks support. Steelman previously was the Director of DoD Network Defense for the Joint Task Force-Global Network Operations. He earlier served as the Pentagon Network Assurance Division Chief where he led day-to-day Pentagon Computer Incident Response Team operations. Steelman was instrumental in defining DoD cyber defense execution and in establishing the framework for vulnerability and threat prioritization for DoD cyber operations.
Steelman began his career in 1991 serving in the U.S. Air Force and holds a bachelor’s degree in computer science.
Prior to working for Dell, you spent nearly 20 years working for the military and in government leadership roles. What sort of challenges have you faced as you have transitioned to working for a publicly traded, for-profit company? Was there a need to get up to speed with respect to certain security issues, or did you face any challenges as you shifted into a civilian culture?
I think the security concerns are the same. Software exists everywhere which is written by humans so it is flawed and has vulnerabilities. This point is not lost on the threat of who will look to exploit the vulnerabilities, regardless if you are talking about nation state, hactivist, or criminal threat actors. In both the USG and private sector reducing vulnerability and working to resist threat actor intent is important in my view. Even though we can stop some tradecraft’s intent if we have an understanding of how it functions, prevention will eventually fail to a determined threat actor. When it does, you have to contain and respond quickly so incident response is key. From this perspective, things are the same. Where it gets different is with the focus on the threat. I think the private sector community has improved here but more work remains in my view. In my previous jobs, it was nice to have tight coupling with the law enforcement and intelligence communities. They each have different authorities, as does the military, to achieve effects against the threat. I am a big believer in both threat and vulnerability focus as opposed to focusing solely internally on hardening yourself. If this is all you do, it is a losing strategy in terms of advanced cyber threat actor resistance.
To me, there are pros and cons working in USG and in the private sector. In DoD cyber, the focus is on achieving effects to support the warfighter and protect our personnel/interests. In the private sector, the focus is on revenue by providing outstanding products and services, without it you are out of business. There are obviously budget concerns in USG, but inefficiency will not put the DoD out of business as it will in the private sector as an example. It would be nice if the threat of going out of business could translate to a similar forcing function for USG with respect to budget. Conversely, the focus on the mission can sometimes take a back seat to profit in the private sector, specifically in the tradeoff between security and the speed of products to market. Of course, this is a common theme, especially when you see the number of big brand vendor patches released each week.
Related to that, what are some welcome differences that you are enjoying in your new role?
Without question, a welcome difference is the Team I joined where the entire business is based on what I am passionate about. I am a believer that information/cyber security is critical to our collective future success, particularly in the United States. I believe exploitation and cyber espionage are here to stay, which negatively impacts our way of life. I also believe, when the day comes for cyber “attack” with intent to harm our way of life, it is not likely to come against DoD networks. Instead, I believe the focus will be on infrastructure largely in the private sector.
I also enjoy the speed with which we can take an idea from concept to development to execution in industry as compared to government execution of the same. There are many checks and balances in the USG which make these processes slower. To be clear, there are some brilliant people on USG with concepts for dealing with modern threats which are very innovative. Without some of these challenges, USG could indeed move faster. This would be good for our Nation and the information security community writ large as the USG has been looking at the cyber threat problem for a long time.
How did your background prepare you for this position? What knowledge have you gained that someone in a civilian CISO role might not have had?
In the last couple of years, there has been an enormous amount of press on the “APT.” I believe the collective understanding, even to those not in our business, has improved a great deal. In USG, however, we have been looking at my definition of APT for over 10 years. I think the focus on “the who”, or the threat actors’ capability and intent has given me a different perspective as I approach my role in the private sector. The other area would be the operational approach itself. I’ve had the great honor and privilege to work with and learn from some of the best in the world in terms of “Operations” in DoD terms. The idea of planning, organizing, sequencing, and executing and operation to ultimately deliver effects against specific targets brings laser focus to the team. I believe many parts of these operational constructs apply in industry when dealing with advanced threat actors in cyber, which is a contested domain for corporations like air, land, and sea are for DoD.
Do you have any specific advice for officers or enlisted personnel who are nearing the end of their tours of duty in the military and are seeking to transition into civilian roles?
Interview with prospective employers early and often. Ask a lot of questions and remember you are interviewing the company as much as they are interviewing you. I believe most military members understand clearly what gets them up in the morning today. In the civilian world, my recommendation is to be comfortable that the company’s values, goals, and objectives are in line with your personal values.
For someone who has specifically served in an information security role in the military or government, what would that person need to consider when transitioning into a civilian role? Is there specific training that would be helpful?
In 2012, information security roles are in high demand. There are apprentice level through master level skillsets in USG like anywhere else. Those who have the chops know who they are and will not have a problem transitioning. It’s not like there is a different TCP/IP stack in the private sector when you leave USG. Vulnerabilities are still vulnerabilities, and threats will look to exploit/attack them as you are used to, only the “why” changes. Industry needs lower end skillsets as well, but if a USG person wants to transition into a more advanced role, they would obviously need to get some job experience before leaving or attend training. There are so many things to do these days from countermeasures to exploit development to architecture to incident response to reverse engineering. One would need to decide what their focus is and move out accordingly.
In general, where do you think that most companies are falling short when it comes to security preparedness?
My biggest frustration in coming to the private sector is the focus on compliance. Companies must comply with PCI, HIPAA, NERC, etc. to stay in business. I get this, and we could talk for hours about regulatory challenges… But I observe many who make this the centerpiece, and believe compliance solves their security problems as well. Practically, you cannot prevent/detect exploitation, data theft, or attack without visibility. You cannot have visibility without proper instrumentation. You cannot understand impact to your organization or contain and respond to intrusions without proper skillsets accomplishing analysis and making countermeasure decisions. There is no single tool which can prevent “APT”, regardless what product marketing material may claim. Security is not an end state, it is a process, which requires proper instrumentation and trained human beings for analysis. Why are companies falling short? Some don’t understand the threat, the threat’s intent, and what this means for their business so the level of security effort is commensurate. Some only want to check the compliance box and keep costs down. Some buy plenty of tools but forget the criticality of the people and process requirements to accompany the tools. And some erroneously believe: “I’m not a target”.
How does a CISO justify the cost of a robust information security organization? For the CISO who works for a company that’s just struggling to stay afloat, what can he or she realistically do to help the organization without creating a financial burden?
I think it is your job as a CISO to ensure your leadership understands the threat, what this means to you, and potential impact to the organization if you are not prepared to deal with the threat. From here, to me it is about how well you can sleep at night? Are your people, process, and tools sufficient to allow you to prevent advanced threat actor techniques, tactics, and procedures? Can you detect when prevention fails? Can you respond? How long do these processes take? You also need to understand your own environment, what is most important (we call this Key Terrain) in terms of protection requirements, and where your vulnerability exists. If you cannot demonstrate your defense posture and an ability to resist the threat, then you have no controls to steer the ship. Make a formal risk assessment based upon your preparedness or lack thereof. Have your leadership acknowledge and accept this risk. From here it is about budget. Obviously better skillsets and capabilities can be obtained with more budget. If budget is limited, consider open source tools for your instrumentation or you may want to consider outsourcing some of your defensive responsibilities.
What do you think are the potential information security threats that companies might face in the future that are not on most people’s radar yet?
I think most threat scenarios have been covered widely. Supply chain, mobile, cloud, bios, etc. In my view, threat actor exploitation really hasn’t changed much for many years. Why should they? If this were football, and I am running off tackle every play for 10 yards per attempt, I am going to march down the field and score, and ultimately win. If you don’t stop me, why would I change my play calling? This is what I see in our industry. New methodologies will come and go for delivering technical capabilities for organizations. Today’s discussion is cloud. But data which is important to you remains in infrastructure, which has vulnerabilities, which threat actors will attempt to exploit and steal. Also, ways to deny/destroy/disrupt this information, aka “attack”, will remain. Our industry will adjust to counter. I see this tug and pull continuing for many years until we collectively start focusing on the threat, and removing the threat from the keyboard.
As we saw with RSA, there is interest as always in obtaining credentials or identity. I think we will continue to see threats focus on circumvention of these technologies.