Play the King & Win the Day!

Episode 25 - Scott Barronton, Chief Information Security Officer (CISO)

Season 4 Episode 25

Episode 25 - We speak with Scott Barronton, Chief Information Security Officer (CISO) for a large public manufacturing company.

Scott Barronton, a 25-year veteran in the corporate security space, shares his experience from the early years in the field to the current and evolving threats and the modern techniques used by hackers.

Scott walks through different security frameworks, including the NIST Cybersecurity Framework. His advice helps organizations understand both the technologies and the strategy for protecting themselves over the long run, through proven processes, assessments, and regulatory changes in the security space.

About Scott Barronton:

IT Leader with over 25 years Information Security experience across a wide spectrum of Fortune 500 companies. He is skilled in Risk Analysis, Risk Management, Threat and Vulnerability Management, Privacy Protection, IT Security Compliance, and overall Information Risk Management. Scott has demonstrated successes in addressing security risks from a business perspective and is recognized by his peers as having a balanced view between business needs and security standards.

Linkedin:
https://www.linkedin.com/in/scottbarronton/

Play the King:

This podcast is sponsored by OMI, the company that makes CRM work. Today, my guest is Scott Barronton, a global Chief Information Security Officer at a large manufacturing company. Scott, thank you for being here. I'm excited to talk to you. Can you just start by, you know,<laugh>, usually you see three letters in the acronym in the C-suite. You have four, so you must be extra, extra important here. What is a Chief Information Security Officer?

Scott Barronton:

Hey, thanks for having me as well. The Chief Information Security officer is the person inside of an organization that's responsible for everything related to cybersecurity. And, you know, I could have the three letter acronym CSO, but generally that means that you're responsible for things like physical security as well. I don't have that responsibility.

Play the King:

And, and so that's interesting. You deal entirely, I was about to say the metaverse, but that is a very trendy, you know,<laugh> new situation. You have been doing this for a lot longer. Give me a little more detail on that. What does your job entail then? You're not hiring the bouncers outside of the server farms, but, uh, but what are you doing?

Scott Barronton:

That's right. So, you know, my team's responsible for protecting and shielding the company from attacks that originate in the cyberspace. So think of hackers, you know, our day-to-day job is to defend the organization against those who want to launch some type of attack against us, remotely.

Play the King:

Given the nature of the way the information has changed in the last, you know, let's say, I don't know maybe even 75 years ago, maybe even 50 years ago. In the last, say, 25 years has your field changed? What are some of the major things you've seen shift over that time?

Scott Barronton:

So, you're right, this was not a thing 75 years ago. You know, when I first started in the industry, my very first company wasn't even connected to anything outside of ourselves. We were only connected from office to office, but there was no such thing at that time as, you know, the internet and this whole cyberspace. So, 25-plus years ago, when I got started in this field, the information security role was really about managing accounts, passwords, access to the mainframe, things of that nature. I started while I was in college doing an internship. And it was funny because at the time, the guys that I worked with were old mainframers, and they would say, oh, give that to the new guy. You know, this is gonna be a fad, we'll always be a mainframe organization. It wasn't very long before those old guys were actually reporting to me in a more holistic security world.

Play the King:

You provided a few notes to me before the conversation, which were very helpful. But there's one thing I want to see if we can dig in on. You said, you know, back then, you know, 25 years ago, you could think like a pure technician; that's no longer the case. What does that mean exactly?

Scott Barronton:

Yeah. So, you know, I like to say security's full of propeller heads. You know, people who think about black and white, just purely the technical aspect of it. But to be a Chief Information Security Officer, you have to think more like the business. I commonly meet with the top business leaders in our organization, and they're not technical people. So if I went and just started talking like a pure technician to them, there would be no connection between us. I have to understand the business and what the business priorities are, and then align the technical aspects to make sure that we're meeting those objectives.

Play the King:

Scott, can you take me through the universe of risks that you are sort of trying to guard against here? Maybe you could rank them even in terms of, a long shot but really bad, to, hey, this is a typical everyday thing, it happens, <laugh>. Are you dealing with corporate espionage? Are you dealing with people who are trying to steal information so that they can, you know, blackmail the company? What are the risks here? My imagination is kind of running, maybe you can bring me back to earth.

Scott Barronton:

So you're not far off on all of those. Definitely what we call insider threat or cyber espionage is something that we have to deal with. Matter of fact, there's multiple bad actors out there on the internet today that will pay your employees a large sum of money to gain access to your system. So you think about our system administrators, you know, we believe that we're paying our system administrators appropriately for the market, however, someone comes and offers them an opportunity to make a million bucks to get that privileged access that they have. So you really do have to watch for issues like that. There's technology that can help us to do that, but it's an emerging field. From a day-to-day, the blocking and tackling of my world are the things that we've been doing for ages: looking for vulnerabilities in our systems or weaknesses that someone might try to exploit to gain access, and defending against cyber attacks where a bad actor's trying to gain access to our systems. We do that on a daily basis.

Play the King:

I have so many questions I want to ask you, but I guess just a real brief one: do you guys use ethical hackers who come and say, we found some bugs? Do you guys pay out a bug bounty for disclosing these to you? Is that something you guys do, or is that not really part of <laugh> what we're talking about here?

Scott Barronton:

No, it's actually a real thing. So, ethical hackers, you can either engage with them directly and they do what we call a penetration test of your defenses. So they, you know, will try to execute different attacks that go against vulnerabilities to see if they can capture the flag. And those are all well-controlled activities that you do with these hackers. But then you also have people that are called researchers, and those are not necessarily people that you've engaged with directly, but they come to you and say, hey, on this system or this product, we found this security vulnerability that we want you to be aware of; you probably want to fix this because this is something we believe that someone else could find as well. Bug bounty programs, they're real. I would say it's also an area that just recently everybody's paying more attention to and scrutinizing, making sure that all of this is above board and ethical, in whatever way we reward these researchers for this type of work.

Play the King:

So I want to ask you about how organizations can sort of beef up their information security, but maybe we could start on the other side, which is, how does someone who's maybe interested in this field even get started? What is the path to becoming a Chief Information Security Officer?

Scott Barronton:

So, becoming the Chief Information Security Officer is really working your way through the ranks, right? And I would say anybody who wants to get into this space, this is the time and opportunity to do so. Even in the current culture, you know, the last numbers that I saw were that there were about 2 million unfilled security jobs in the industry. So there's more demand for people than there are experienced people to fill those jobs. But, you know, in order to do that, I'd say for anyone looking to one day fill the seat, start right now, just be willing to say yes. Right? When you're asked to do something, take that on as an opportunity to gain experience and make yourself more well-rounded. Often a lot of people are very experienced in one area of cybersecurity, but maybe lack some of the other pieces that aren't so sexy. Anybody who's in the space will know writing security policies is not the most sexy thing that you could ever do! However, it's important from a Chief Information Security Officer perspective, because the security policy is the foundation on which management has set boundaries for the company. And so you're the enforcer of that policy. And so I would just tell everybody, be well-rounded. You can't be a hundred percent compliance focused. You have to understand technology, and you can't be a hundred percent technology focused. You need to understand compliance and the business.

Play the King:

So I'm a soccer fan, and so the metaphor I would use here, it seems to me like your job is sort of like being the goalkeeper. Like when everything's going well, nobody notices. And then when things go wrong, <laugh>, it's all on you <laugh>. That's right. Talk about that component of the job. It seems like not just knowing the how, but almost like the moral fiber, or the ability to say, hey, guys, look, this is on me. Or the buck stops with you, so whatever cliche you want to use.

Scott Barronton:

You're the manager. Accountability.

Play the King:

<laugh>. Yeah. Can you talk about that?

Scott Barronton:

Yeah. I preach accountability with my team and within the industry, really, because at the end of the day, we're the ones that are accountable. So we have to be part fortune teller and look at the events that are happening around us and say, boy, how could those affect us? And then, you know, also operating with switches. So at some point in time, you know, cyber hygiene is a hundred percent dependent upon you, right? The hygiene of your organization.

Play the King:

Is that a cultural thing that you can instill, or is there a way, when you're hiring, when you're asking questions of prospective people for your team, that you're sussing that out at that point, or maybe it's both?

Scott Barronton:

Yeah. So when I'm hiring, one of the things that I look for is just kind of a natural inquisitive nature, always questioning and asking the why behind things. That's so important for anyone in security. Because not only do you need to understand why and how things work, but then you need to understand the processes that are inside your organization and where the weaknesses are inside those processes, not just the technology aspect.

Play the King:

So Scott, you know, your company is a very large company. What about the smaller organizations that you see, what do they get wrong when they're building their security program? What are some of the challenges maybe unique to smaller companies?

Scott Barronton:

Yeah, I think one of the biggest things with smaller companies, just because they're constrained with resources, is they often think the technology person that they've hired can handle information security. That's just not the case. Matter of fact, we often have differing objectives in front of us. If I compared myself to a Chief Information Officer, the CIO of a company, one of the primary objectives of the CIO is uptime and availability. And so at all cost, you make sure that your systems are up and running. Well, that's important to a Chief Information Security Officer too. Matter of fact, it's in the triad of confidentiality, integrity, and availability. That's something that security's focused on, but it's only a part. And so we have to also think about the confidentiality and integrity of those systems as well. And so often the desire of the CIO is to get things out there fast and quick, not necessarily focused on the confidentiality and integrity of those systems. Hmm. So, you know, giving that job to the technology guy, they're going to often overlook the risk side of things.

Play the King:

Gotcha. That's really interesting. You've been preaching, you know, also understanding the business goals and North Star of the organization you're serving, which obviously has some effect on the choices someone in your role makes, right? For how you protect the organization.

Scott Barronton:

Yeah, and I think you have to have that North Star, if you will, the plan that you're executing against. And I use a standards-based framework for our information security program, and have in the last few companies that I've worked for. And basically, that plan is based off of an industry framework, and we set our strategy based on where we are and where we want to be. If you follow those standards, you're going to address 90-plus percent of all security risk that an organization may face. So one of the things that I do is we do an assessment against the framework. We set forth our strategy or a plan over the next three to five years, and we execute against that plan. We don't change unless somebody can make a really good argument for why we should be doing something different. And I think that's something that small organizations struggle with; they're very incident focused. So something happens, either to the organization or around them, and then they go and look for technology or solutions to meet that one specific need. And so what they end up doing is spending a lot of money on different tools and technology, but not really getting the protection that they need and addressing the risks that are focused on their organization or their industry.

Play the King:

All right. So let's turn the tables now. What can small to medium-sized organizations do to avoid some of these pitfalls? How can they get better at this?

Scott Barronton:

Well, I think starting with a standard industry framework and assessing yourself against that! We do twice-a-year assessments of ourselves against our framework. We want to see where we're making progress and where we need to continue to adjust. And then sometimes you look and you say, you know what? The needs of our industry or the needs of our company have changed, and this is no longer a priority for us, and we'll make those changes, but we just don't do it on a whim. And so I would suggest for small to medium-sized companies that you really drive your CISO to be focused around a framework; it'll save you time, money, everything in the long term.

Play the King:

And when you say framework, I think there's one that you mentioned in these notes, so I think maybe we should mention this; it'll give someone listening to this... Sure. ...something they can Google. That's the NIST Cybersecurity Framework. Maybe you could just say what it is about that one that made you want to mention it, and what people should be looking for when they're evaluating, all right, is this something we want to try to implement

Scott Barronton:

here? Yeah. So over the last decade of my career, I've been working either with or around a financial technology company. Our customers are all banks. And so in the United States, the US regulators who oversee the banks, they use the NIST framework. And so I've built all of my assessment techniques and capabilities around that framework to make sure that we're meeting the needs that the bank itself is going to be assessed against. NIST is a great one because it easily maps to other frameworks you might choose, like ISO or COBIT. There's an easy mapping between NIST and those other frameworks. I would say it's not the specific framework that you choose, because they're all good. Just choose one and focus on that.

Play the King:

Gotcha. And then you also mentioned that, even if your company is not at a stage where you want to make a full-time hire, there are solutions for a fractional CISO, right? Someone who can do this, not as a full-time employee, but can still provide a lot of value.

Scott Barronton:

That's right. So if you're in a situation where you can't necessarily afford to go out and hire a full-time CISO, there are organizations out there now who are providing CISO as a service, or, you know, some kind of fractional CISO role where you get a percentage of their time. They come in, they help you to do this type of assessment, to create a strategy and plan, and then help to oversee and manage risk, but they're just not a full-time employee. And you can get them to assist or help at a fraction of the cost. And so for smaller organizations, that may be the best path for you, rather than believing that the technology person you have on staff, or the person most familiar with technology, which is often the way it goes, is capable of managing these risks.

Play the King:

Scott, I imagine someone in your role is constantly thinking about what could go wrong. What are the most pressing items in your opinion, the things that are on the horizon that you're most worried about in this respect? What's keeping you up at night?

Scott Barronton:

Well, I'd say there's a personal and professional aspect to that. From a personal perspective, I'm seeing more and more accountability laid on the shoulders of the Chief Information Security Officer. We're seeing regulations that come out that would really hold the Chief Information Security Officer, your board of directors, maybe your management team personally accountable, up to and including legally, right? So any type of criminal accountability there for actions that they deem to put the company at risk. And then I would say from just an industry perspective, we're seeing more and more regulations around the world that our teams have to be aware of and make sure that we're meeting. And if you just take the United States alone, it's different from state to state, and so that's putting a huge burden on our information security teams. And then, as I said, if you've been under a rock and you haven't heard about ransomware, it's not gone away. We're seeing fewer companies pay ransoms now, which is possibly a good thing. But your organization, I would say, is just as susceptible to ransomware today as it was two to three years ago. And so the hackers, the bad guys, they're constantly evolving and changing their techniques, and you gotta make sure that you're adjusting and changing with them.

Play the King:

One last question for you, which is, how has this trend toward working from home changed things in your field?

Scott Barronton:

It's actually changed the industry a lot. I actually started, three and a half, four years ago, preparing our company for the ability that our security controls would work no matter where our employees were. So if you're at home, you're in a coffee shop, you're in a hotel, you have the same type of security controls. A lot of organizations had more of a legacy mindset to that. And so they had really good security when you were in the office, or they required you to connect to a VPN or something like that back to your corporate office to be secure. Well, when the pandemic hit and everybody was immediately dispersed out of the offices and working from their homes or wherever, a lot of companies really struggled because now they needed to take that legacy architecture and make it to where their employees were protected no matter where they were. And so I think we had the right strategy there, and so it wasn't really difficult for us to pivot to a full-time remote workforce, but I know a lot of organizations did struggle.

Play the King:

Scott, this has been really fascinating. Thank you for the time. I wonder, as you leave us, if you could suggest something for people to read or watch if they're interested in learning more here. It could be a publication that follows this field closely, a video that is particularly good, a book, whatever it is. Does anything come to mind that would help people understand this a little better?

Scott Barronton:

I would say there is no shortage whatsoever of resources out there for anyone who wants to learn more. If you're interested in learning about, you know, the techniques of attackers, then I would say sites like Bleeping Computer or Dark Reading, those are all great sites that tell you about current attacks and things of that nature. If you're interested in learning more about becoming a Chief Information Security Officer, I would say organizations like SANS provide you that good rounded view of everything that's involved with information security.

Play the King:

Fantastic. Scott, thanks again. Really appreciate your time.

Scott Barronton:

Yeah, thank you.