Transcript
Welcome to the Wake Up Podcast by Veeam, global leader in data resilience. My name is Caroline Wong, and I'm your host. I'm delighted to be joined today by my good friend, Vanessa Pigueros. Vanessa, welcome.

Thanks, Caroline. It's great to be here with you today.

I am so excited. And I wonder if you can tell us about a role that you were in where you experienced an...

Absolutely. In one of my CISO roles, and I've held a few of those roles, we had a situation where we got some calls into our customer care center, and the customers were just explaining that they had been receiving phishing emails, and how could somebody know their particular email. And there were specific customers that we knew that this was not just broadly known information. And in addition, we had seen some of our test accounts were getting emails. So we knew, like, wow, this is something interesting. It must have come from somewhere within our environment. We didn't know where. We spent a lot of time, almost 24 by 7, investigating, trying to find the needle in the haystack, which, as you know, often happens with incidents. We looked through all of our logs, and we finally discovered and got to a point where we realized that there had been a salesperson's laptop that had been compromised. While they were in session with one of our CRM systems, the attacker was on the person's laptop, and they essentially were able to get into the CRM system while the salesperson was in session and exfiltrate a large amount of data in a very quick time frame.

Vanessa, what kind of time period did this take place over? I mean, are we talking, like, two days? Are we talking several days? What was the... How long did it last?

Well, from the time we discovered it to the time we... In terms of the customer care receiving calls, to the time we actually figured out what was the root cause and how it had happened, it took about five days, and those were an intense five days, as I mentioned, 24 by 7.
People up all hours of the night. We had shifts going on between different locations in the world to continue investigating so that we could, you know, get... People could get some sleep, but it feels like forever. Five days feels like forever, and the stress level on the team, the exhaustion, it's really impactful, and I think when you're dealing with those kinds of really traumatic situations, it definitely feels... Five days felt like months.

I wonder if you can kind of imagine being there with your team and tell us some of... What did it feel like in those moments? You know, I've been in situations where there's cops in the office, and people are bringing in toothbrushes, and I wonder if you could just share with us some of the moments that you remember from that time.

Well, I think as a leader, the one thing I had to keep in mind is, as panicked or as stressed as I felt internally, I had to project calm, and when others around me were kind of losing it, freaking out, I was like, we'll figure this out. I had to stay calm, and you know me, I kind of have a calm demeanor already, but that doesn't mean I'm not human, and internally I was very stressed out. At that time, I had a Fitbit, and I actually said I was doing some kind of research on how trauma impacts human beings, totally separate from anything related to cyber. I like to connect things. I mean, I look at things that are very different, and I try and look at the similarities between them, and how can you apply the things that somebody goes through when they experience very traumatic situations, not like an incident, but I'm like, you know, there's similarities here.
So I decided to track my resting heart rate during that time period, and so when I looked at it, I realized that during that time period, I actually extended almost a month of an elevated heart rate of about 10 beats per minute, which is significant, you know, for my resting heart rate somewhere around 59 or 60. So I just was like, I looked back on that, and I'm like, the impact on me personally was, is just plain black and white there, and I saw it in my team, and everybody has a different way of demonstrating stress. So some people eat a lot. I mean, one guy on my team, he basically ended up gaining 20 pounds during that incident. Others don't eat, and so you see others don't sleep, and I had to, many times had to tell people, you know, go away, go sleep, come back to the, come back, when you come back, we can, you know, you'll probably be able to think a little better, a little more clear. And also the executives, you think it's just the people who are in your team, but the executives all had a different, different kind of method of dealing with their stress, and some of the executives, I would have to say, were not helpful to the situation. In fact, they made the situation worse. So I think regardless of title, there's like, every human being has an ability to deal with a crisis differently, and I think sometimes organizations don't realize, just because somebody has a C title, or they're an executive VP, or whatever, it doesn't mean they're the right person to deal with the crisis.

It sounds to me like there's a dual impact of the incident, not only the impact of whatever bad security thing happened, but also the impact to the humans who were involved. I wonder if you can share kind of any additional thoughts on those.
No, I think when a, I mean, honestly, when a traumatic situation occurs, or some kind of shock to the system, you know, we go into fight, flight, freeze, and you've probably seen this: people who get hysterical during an incident, and they're not helpful; people who seem to, in normal conditions, are creative, but they have no answers, and they seem to just not be able to help the situation; and those who, I'd say, get very, and we see a fair amount of this, like, well, we need to get them back, we need to go do this, we need to go fight, you know. And so I think, or the blame situation goes on, like, well, let's blame the person who clicked on that phishing email, or let's blame the vendor, let's blame, you know. So it's a way, I think, that people are trying to distract from, like, the situation is what it is. At a different time, we can talk about root cause, but right now, we need to, like, address this situation, and blame is not going to make, you know, that situation better or worse at that, I mean, it could make it worse sometimes, but, like, it's definitely not going to make it better.

Vanessa, what was your experience in terms of communicating to various stakeholders? Were you in a position where you needed to inform any sort of external third parties, whether that be customers or regulators or anything like that? What was that like for you?

Absolutely. I mean, there are many stakeholders you have to keep informed. I think that's one of the biggest challenges for the leader, the CISO, is the communications aspect, and you have these top C-level people pinging you. You have your direct boss pinging you. You have the enterprise customers that are starting to ping you. You have to, you know, one of the first groups I reached out to was, you know, I had an ongoing relationship with the FBI, local FBI. You reach out to them. I mean, these are all relationships that are not new. You cultivated them before this happened.
I mean, that's, like, one of the important things to do is to cultivate relationships before any incident happens. So I think that was all those different stakeholders are all pinging you at the same time and wanting information, wanting to know what the issue is, wanting to know when we can figure it out, how could we fix it, what do we need to release publicly with, you know, with media. Like, all of that is happening at the same time, and you're trying to manage your team and what effort they're doing to actually figure out and remediate the incident or deal with it. We had a special group, like, we had to kick off, like, a special group just to field calls from our enterprise customers, and that is, you know, a lot of that work dragged on for almost three months after the incident, where the customers wanted to know what happened. They wanted to know, they essentially were worried about their data and wanted to get assurance that we were, you know, we still had the good protections in place. That meant we got on calls, and some of the customers were yelling at you. Some of the customers were, like, oh, I feel really bad for you. I'm sorry. Like, very empathetic. And then, but in the end, I think what was really important with the customers is to own our, the accountability we had in the situation, and help the customers understand, you know, what we knew about how it happened and what we were doing to address and fix it. And I think most of the customers, if you took that approach, were very understanding, and I think we were able to maintain a level of trust with them, even though it definitely had a little damage, but they were understanding, and I think the way we approached explaining it and taking accountability made them feel better.

What a rollercoaster, and what a multifaceted one at that. I can just imagine you're managing your own emotions. You're trying to lead your team.
You're trying to technically figure out the recovery, the response, the containment. You're getting pinged by all these people. How did you handle it? How did you do it?

I don't know. I look back, and it's a bit of you go on autopilot, and I think I have a very resilient personality myself, but I also have to say I had to take time by myself. I had to really keep myself grounded, and that is challenging, and I think physical activity helps me. So jumping on the treadmill or doing something to just keep all that excess stress, somehow kind of get it outside of your body a little bit, or just giving you that time to some meditation sometimes to help. I mean, trying to get as much sleep as I possibly could, which was tough. So I'm like an eight-hour... I want eight hours of sleep a night, but in this time, I was maybe getting six, five to six, and in the first four days or five days I think maybe got four hours of sleep a night, and it's not healthy for me, and I knew I had to figure out how to get some more. So to me, sleep is absolutely critical in these times, so being aware of all those physical aspects of yourself and balancing that with the mental and emotional is very important.

Vanessa, we've been talking about a particular incident, and you've led through many incidents and events throughout your security leadership career. I wonder if you'd tell us a little bit about some of the research that you've done in this area with regards to mental health and trauma.

Yeah, I think it kind of was an interesting coincidence in terms of I had a certification through the SANS.org Institute, and part of the certification was every five years, you had to do a research paper and publish it. Now, they've changed the policy since then, so you don't have to do that anymore, but I was thinking, what do I want to write about?
I also had at the same time been doing my own personal journey, understanding trauma, how it impacted me, and often trauma happens at a young age, so trying to understand how that impacted me and the different things about my life. And I started reading books like The Body Keeps the Score, and I started reading multiple books on trauma and how it impacts people, and I was reading, and also going back to how I like to connect things, I was reading it, and I'm like, wow, this same thing kind of happens in organizations when they have an incident, and yes, this is what happens to people when they encounter an incident, like how they react. So I saw the parallels between the two of those things. I think a lot of times people don't draw that kind of connection, especially when you think about it at an organizational level, like how that particular incident would impact the organization, how it behaves, how it deals with crisis situations. So that is really that connection, and I started to realize that the way an organization reacts is similar to how a person reacts under a traumatic situation. So there's things from, as I mentioned earlier, fight, flight, freeze. Think about it, an organization does the same thing. An organization will say, no, we didn't actually, they'll fight the situation. They'll be like, well, no, that really wasn't our fault, that was the vendor's fault, that was the bad employee's fault, that was the CISO's fault who didn't do their job. So they'll fight the situation.
They also can go into denial, and they'll publish things, well, no, we actually didn't have an incident, and we know a lot of organizations have been caught by that. Later they're like, oh, yeah, they did have an incident, so why did they lie about it? Because they're in denial and they're trying to protect themselves. I mean, this all comes back to what we do as humans in terms of protecting ourselves. Or they'll do nothing, and they'll simply freeze, and everybody's waiting for them to make an announcement about what's going on, because the customers know something's going on, their service is down, they're not saying what's the problem, and, you know, they just haven't figured out how to, you know, they basically went into a freeze mode. So I saw that, and I'm like, this would be a great paper and interesting to write about. So I dove into that, and just kind of put together those parallels, and then how you come out of those situations, how you, and I know we'll talk about this a little more, but, like, the learnings and different things. So there's ways to manage through that traumatic situation that actually can, you can come out on the other side even better, but during that process, to recognize that human element is super critical, but to realize that the organization can also behave in that way was, like, a very interesting finding I had.

Wow. You know, and we as security practitioners, like, we have procedures that help us prepare for incidents. We do tabletop exercises, but I don't know that organizations ever really get to practice being traumatized and operating while in a traumatized state.

Often I don't think they do, and tabletops help. I mean, obviously, you want to practice whatever you can, but until you're really in that situation, you're absolutely right. You don't, you don't have that human feeling connected to the urgency, the unknown of what's going on, which is very unsettling to anybody.
Vanessa, I think there's been a bit of a cultural shift in terms of the blame and the scapegoating that happens when security incidents occur. What are your thoughts about that?

Yes, I absolutely think that has changed over time. I joined security in 2003, and essentially it was like a firewall with security. I think complexity has increased, the pace of change has increased, and I think people are more likely to, when these incidents first started happening, it was rare, and a lot of times you didn't even know that an organization had a breach. I think the frequency of breaches is increasing, but there was this middle period where we were kind of shifting from not happening a lot to happening more, and I think organizations would look to the CISOs and blame them for the reasons, and often you would hear about CISOs getting, you know, as an incident occurred, the next thing anybody in the security community predicted was, oh, the CISO's going to get fired, and sure enough, that typically happened. I think as incidents have become more common, that's not happening as much, and there's, I think, a couple of reasons why. One is, I think we're getting numb to incidents. Like, it's so common, it's so, how many people's credit cards have been compromised? Nobody cares anymore. It doesn't make the news, where 15, you know, years ago, that was a big news article. It's not anymore. So that's one aspect of it. The other aspect, I think, is that organizations are realizing how incredibly complex it is to secure the environment with all these different, you know, technologies, interconnectedness, looking at systemic risk and how one thing can cause a domino effect on the organization. They realize they can't just blame one person anymore, so you find it's less common for the CISO to actually get fired now.

Thank goodness for that evolution.
I remember when performance reviews for security leaders would say, you know, if there were no incidents during this time period, then you would receive your bonus, you know, and how totally not aligned with reality that sort of thinking was. You know, now we've got NIST-CSF, it's all about an incident. We talk left of boom, right of boom. There's an acknowledgment, finally, that incidents happen, and they actually just happen all the time.

I think also what was occurring when people were being measured by that was not having, you know, if you're successful, if you don't have an incident. I honestly think there was a lot of cover-up in terms of not maybe active, like malicious cover-up, but it's like I had a situation in one role where we turned a DLP solution on, and it was finding so many things that management said turn it off. So the willful not wanting to know what was really happening, because if you did, you would have to do something about it, was, like, I think a real thing. I think it's less common now, because it's a little more normalized to have the incidents.

Thank goodness. I remember those days. Don't write it down. Don't do the pen test. Don't look. Because if you look and you find something, then all of a sudden it's going to become our responsibility. And I do remember that from a couple of decades ago. Vanessa, what advice do you have for all of us? Given your research on trauma, given your experience leading through incidents, what can we learn? And how should we manage ourselves?

Yeah, Caroline, I think what's really important is having strong internal values. I think personal values about how you want to do your job and how you want to be transparent in your job. And I think that there are many challenges in the CISO role in those areas, especially given the way the organizational structure is.
For example, when you work for a CIO, and I know there are many wonderful CIOs out there, but when the CISO reports to the CIO, it's an inherent kind of conflict of interest. And here's what I mean. You are essentially going to the board or higher level management and you're talking about issues, gaps, risks that your boss owns, that your boss has in one way or for maybe a perfectly legitimate reason has not dealt with. And that is a very challenging situation for a person to be in. And you do not want to highlight where your boss isn't doing the job. And there's no perfect structure, but you have to really look at what is the right one for your organization.

When I think about transparency, being transparent with your boss, being transparent with the board, hopefully as a CISO, you are reporting regularly into the board. What the board doesn't need is you to tell them what you think they want to hear. The board needs to hear what the real problems are so they can make decisions around capital allocation that will support the directions that you need, that you want to go as a leader. And I often see CISOs, CISOs, people say it differently. I see them trying to minimize the problems. And then I also see some that catastrophize the problems. You know, so it's like there's this middle ground. It's like don't do either. Like come to the board or your exec level with the problems and discuss how that might impact the business and how much does that impact demand, you know, different resources being allocated.

I think when I think about the incident that happened for me at one organization, one of the reasons I was not fired when we had a very public incident was because I had gone to the board several times in a reporting, like several reporting periods, and I had highlighted to them the top five risks of the organization security-wise. And I had also outlined who the owners of those risks were because, as you know, often the security teams don't own a lot of the risks.
You know, they're owned in the CIO. They're owned in the marketing. They're owned in different places. And when the incident occurred, three of those top five risks were part of the reason the incident occurred. So the board could not say, you did not tell us. The board could not say they were not aware. And so it really, when others were, this was a time when people were getting fired for incidents. But I was able to come out of that not getting fired, which was a major victory in itself that I was happy about. And I just, I continue to tell CISOs, don't hide, you know, present it in a business way. Don't make it seem better, because you need the money to fix it. You need the money to address the issues. So those are really important.

Now, as it relates to, I know you're probably going to ask me about the people side of it. Every time there was an incident, I made sure that we did a lessons learned exercise. And the first thing I found is that when people got through an incident, they wanted to forget about the incident. They don't want to go and rehash what happened. They want to actually, like, you know, they just want to get away from it, which is also a very human thing, right? You think about, I want to get away from that thing that made me feel bad. So I would force, you know, the lessons learned meetings. And it's not enough just to review the lessons learned. It's important to track progress to closing the gaps that occurred when, as a result of that incident, you know. So those are some big things that I've found have helped create a culture of learning.

Vanessa, what advice do you have for incident responders, for security leadership in terms of how to take good care of themselves when it comes to mental health as they prepare for inevitable incidents to occur?

Yeah. So there are, first of all, I think you should practice as much as you can. And as we discussed earlier, you'll never know the exact incident. So doing the tabletops is really important.
Involving all levels of the organization. Talking about, again, how did this tabletop go? Where were the areas where we didn't handle it so smoothly? You never know what occurs. So I think that's important. Practice what you can. I think having communication ready. Like, just draft it up. Like, this is the incident. Obviously the incident's going to be different. But you draft it up. You build the connections with the communications and the marketing teams ahead of time. This isn't like something you're trying to create on the fly during all the chaos. So that's important.

Now at a personal level, incident responders, I think, and this goes for anybody in the very challenging space of cybersecurity, is, and this is my philosophy, my opinions, but you have to physically take care of yourself. You have to figure out what is that thing that you're going to do. And everybody's different. Everybody has different things. But what's your routine? How are you going to take care of this body that has to deal with all this stress and trauma, which a lot of, especially in incident response, people are under? So those are techniques that I think you have to dedicate time to. And too often, Caroline, you know people in our industry, they resort to alcohol. They resort to things that numb them. And there's been articles written about how, especially security professionals, resort to that. And I think there has to be, you know, you have to have a more healthy approach to it because you are in an incredibly stressful job and you have to figure out other ways to deal with that. And I think that people have to make some time for it too. Like if you're working 80 hours a week and you have a family, your family's suffering, you're suffering, and you're probably not making any time. You're probably not doing the best in your job, even though you may think you are. So I think, you know, time is super important, and carving out the time you need to take care of yourself.

Thank you.
Thank you for your stories. Thank you for your leadership. Thank you for your advocacy for us to take care of ourselves. I so appreciate this time with you today, Vanessa.

Thank you. This has been great.

This has been Wake Up, a podcast by Veeam, global leader in data resilience. I'm Caroline Wong. Join us next time.