Interview: J. Wolfgang Goerlich, Cyber Security Strategist for Creative Breakthrough
J. Wolfgang Goerlich is an influential leader and IT management executive with the ability to act as a cultural change agent, driving security initiatives and raising security postures. He currently works as a Cyber Security Strategist for Creative Breakthrough Inc (CBI) and has been in the industry for over 20 years. Areas of expertise include managing culture, ITGRC, security community and mentorship, application security and team leadership.
1. Early this year, you took the position of cyber security strategist at CBI. What exactly does this position entail?
What should you learn next?
As a security strategist at CBI, my role is connecting people and ideas to develop strategies for improving cyber security. I work with the senior leadership at CBI's customers to understand their business strategy and collaborate on plans for aligning and maturing their security activities. Within CBI, I provide technical leadership and expertise toward our service lines and vendor partnerships. On select engagements, I work directly with the consulting team to deliver impactful results to our customers.
Another aspect of my position, which I find rewarding, is leading the CBI Academy. I have been mentoring and coaching professionals in my local community for years, so leading the Academy was a natural fit. We often hear CISOs talk about the lack of security talent for staffing their teams. At the same time, we often hear students talk of the difficulty in identifying and gaining the in-demand skills. With CBI Academy, we bridge the gap with an apprenticeship program that accelerates the careers of recent university graduates.
2. What hard and soft skills do you need to do your job well?
Listening is the fundamental soft skill for a strategist. I listen to IT, security, and business leaders to understand the complex business challenges they face. I listen to partners, vendors, and my internal teams to understand the available tools and technologies. From there, I rely upon technical skills built over the years working in systems engineering, software development, and cyber security. Creativity comes into play in collaborating with customers and partners to develop solutions. Then it comes down to communicating the strategy and plan. In sum, my job requires deep technical skills with broad communication and collaboration skills.
3. There appears to be a lot of efforts out there to educate businesses on how to protect themselves on the cyber security front. In your opinion, are companies getting the message?
There is a lot of effort going into educating businesses and much of the effort is misplaced. To make informed decisions, business leaders need to know potential threats, impacts, and actions they can take to protect their organizations. The cyber security industry today focuses almost exclusively on the criminals and splashy breaches, that is, on the threats impacts. The terrifying things are well publicized. Companies get it. Things are broken, criminals are getting in, and damages are occurring. It is time to shift our efforts in education toward what to do about it.
I would also flip the question on its head. As a strategist, I want to see more education from the businesses to the cyber security industry. Do we understand the business landscape and how to integrate security into companies' business strategy and tactics? Are cyber security vendors and consultancies getting the message? Some are. Most are not.
4. Human error is one of the reasons companies open themselves up to cyberattacks. What other things can contribute to businesses making themselves vulnerable?
Currently, companies rely on technologies and IT environments that were created without security in mind. IT may be deployed incorrectly or not maintained in a secure state. Software may not be developed securely, leaving it vulnerable to exploitation. This puts pressure on companies to detect and respond to attacks. Yet businesses may not have monitoring in place, or staff the monitoring. Finally, if and when a crime is detected, the businesses may struggle at incident response and correcting the problem. The problem has to be looked at holistically, beginning with securing the culture and business processes.
5. How would a company go about creating a strong top-to-bottom cyber security culture?
Leading a culture change has long been a challenge in business. Culture is varied. Each organization, each business unit, each team has its own unique norms, traditions, and beliefs. Culture is sticky. Our collective behaviors and habits follow well-worn paths that resist change. There is no one single solution and none of the solutions we have are easy.
One of the efforts I am involved in is the Security Culture Framework. The approach is to break the culture change down into a series of habits and run a succession of campaigns targeting specific habits. By combining training and assessments and tying the campaigns back to an overall scorecard, progress can be made and managed. We are currently testing this approach with user awareness and secure development training. I expect the Framework will develop quickly as more organizations apply it and give the team feedback.
6. What are some of the possible negative consequences of failing to develop, implement and nurture such a culture?
Taken as a whole, the security incidents and breaches over the past decade illustrate the consequences. Criminals get into businesses using three main avenues: manipulating employees, abusing the applications, or exploiting vulnerabilities in the IT environment. Why do employees fall for social engineering and phishing attacks? Why are developers writing code that inadvertently lets criminals in? Why are IT systems configured, deployed, and maintained in such a vulnerable state? All three result from a culture failing to foster cyber security behaviors.
7. Do you find that companies are receptive when it comes to instilling a cyber security culture rather than simply addressing issues on a case-by-case or piecemeal basis?
Many of the organizations I work with engaged CBI for a security strategy and roadmap to protect what's most important to them – their business. It is clear, to the cyber security leaders in those organizations, the piecemeal approach is ineffective in protecting against current threats and flexibly countering new threats. The Security Culture Framework, along with the risk framework and controls frameworks, form an overall structure for mapping tactics and case-by-case security activities. When presented in this light, I find companies are very receptive to the approach.
8. What sorts of trends do you see as it relates to potential cyberattacks, and how can companies protect themselves?
Criminals are getting faster at discovering new attacks and exploiting known attacks for longer periods of time. A record number of zero-day vulnerabilities, those flaws that lack software patches from the vendors, were discovered. Symantec Internet Security Threat Report put this at 24 zero-days in 2014. Even after the vendors release patches, the vulnerabilities continue to be exploited as it takes hundreds of days for the patches to be widely deployed. Verizon Data Breach Report reported "that 99.9% of the exploited vulnerabilities had been compromised more than a year after".
The picture darkens when we overlay the above attack trend with trends in mobile, cloud computing, and the Internet of Things. We have more devices in the hands of more users. We have greater reliance on applications and systems hosted by others. And, we have an explosion of new use cases with new Internet-connected devices. In sum, the attack surface is rapidly expanding at the same time vulnerabilities across are expanding.
To protect themselves, companies must embed security practices in their IT lifecycle. This includes deploying securely, maintaining securely, rapidly patching vulnerabilities, and eventually retiring and disposing securely.
9. What is the most enjoyable part of your job and what is the most frustrating part?
Collaborating with leaders to build and mature security programs is easily the best part. I enjoy listening to some of the brightest minds in the industry, learning what is working and why, and sharing it with our clients. The Academy fits squarely here too. It is the learning, doing, and teaching cycle that I enjoy.
The frustrating aspect? There is never enough time.
10. What advice would you give to a college or university student who is interested in working in the IT/IS space?
What should you learn next?
Students must build both relationships and technical skills. Careers are team sports and it is never too soon to recruit your team. Find people who are ahead of you to advise you. Find people who are coming up behind you and return the favor. On the technical side, build projects outside of class and make contributions to ongoing initiatives. The open source nature of our field has made it easy to network, train, and contribute. Get out there and get engaged with the wider InfoSec community and industry. It is a great time to be involved.