Welcome to The Transformational CISO, a new series of conversations where we get to know forward-thinking cybersecurity leaders across all types of companies and industries.
To kick off the series, today we are excited to welcome Aurobindo Sundaram as our first guest. Aurobindo serves as the Head of Information Assurance & Data Protection at RELX, a multi-billion dollar global provider of information-based analytics and decision tools for professional and business customers with over 33,000 customers. RELX is the parent company of LexisNexis Risk Solutions, Reed Exhibitions, Elsevier, and several other organizations.
Aurobindo is responsible for the overall strategic direction of the RELX global information security program. His stakeholders include RELX's Board of Directors, group & division CEOs and functional heads, CTOs, and CISOs—to whom he articulates strategy, security tradeoffs, risk posture, and readiness. He also coordinates CISO and CTO activities across all RELX businesses, and brings decades of experience as an information security program leader.
A full transcript of the conversation can be found below.
DREW: Welcome to The Transformational CISO, a series of conversations where we spend time getting to know forward-thinking chief security officers across all kinds of companies and industries. I’m Drew Rose, co-founder and chief strategy officer at Living Security, a cybersecurity human risk management company that serves over 150 enterprises globally. Today is our first session and I’m really excited to welcome Aurobindo Sundaram as our very first guest. Robin is the head of information assurance and data protection at RELX, a global provider of information and analytics for professionals and business customers across industries. He’s responsible for the strategic direction of RELX’s global information security program. His stakeholders include RELX’s Board of Directors, Group and Division CEOs and functional heads — CTOs and CISOs to whom he articulates RELX’s strategy, security tradeoffs, risk posture and readiness. His remit extends across 30,000 employees globally with over 40 offices in 40 different countries and customers in over 180 countries. Aurobindo has graduate degrees in computer science and management and he is also a CISSP. We’re going to dive right into the first round of questioning for Robin. Number one is: introduce yourself to the audience. When did you start to get interested in cybersecurity and what was your path to becoming a CISO?
AUROBINDO: Sure, thank you for having me by the way, it’s a pleasure to be with you and talking to Living Security. I started off in information security actually almost 25 years ago, but I was in multimedia code development when a funding opportunity came along to help me get through my graduate school studies, and from there my first job out of grad school actually was at an oil field services company where they were just getting their security program started. So really, I was just in the right place at the right time 25 years ago, working in a large company in security operations and governance. Then I moved a couple of times in my career working on operations, primarily governance, and a lot driven by crises, so security incidents and near misses that sort of helped bring security to the forefront.
D: That’s awesome, so over this time obviously responsibilities can vary from company to company and I think you would agree that one of the overall goals and objectives of a CISO is risk management. How have you seen risk change from those early days, 20-25 years ago, into what you’re seeing today?
A: Sure, I really think that 25 years ago when I came in, security was really an afterthought. You know, people thought about it as “it’s not really an issue but if we’re going to devote anything to it, let’s do a couple of training sessions, manage firewalls, and that's the end of it,” and so that’s evolved over time to where security is truly a business enabler and a business priority. You see companies that just get taken down and disappear off the face of the Earth because of information security issues, and so more and more, whether it’s in manufacturing or in high-tech, companies are seeing that with everything being online and digital, everything that you do is connected to security.
D: Yeah, that makes sense and so over that time period as things shifted from that afterthought to being on the forefront of our minds where we’re seeing the impact everyday, how has the responsibility changed as somebody that sits as a CISO for an organization?
A: I think what CISOs have had to do and what I’ve had to do is get much more business aligned and much more pragmatic about how you do security. Previously, if you could roll the date back 25 years ago, security was completely and primarily technical and they dealt with firewalls, technical changes, and they had essentially a you either do things this way, which is secure, anything else you do is not secure enough and not good enough, right? Security was thought of as the culture of “no” not “how” and what’s happened over the past 25 years and continues to happen is security is becoming a business function just like finance, just like legal, just like HR where you have to give options, you have to say “this is the risk, it's a business decision, but here is the risk, here are the options” and give the business a pragmatic way to go forward, not just say no.
D: You come from a very technical background, you were running security programs, you have a degree in computer science, as a CISO, as somebody in the security industry that’s trying to understand that aspect of the business, how are you seeing new CISOs coming — are they coming with the skillset from the business side? Who is teaching them to be more business-minded and where’s the breakdown? You know, maybe 20 years ago it was 95 to 97 percent technical — how do I secure, how do I build, how do I create a strong layer of protection — versus today where you really have to understand the investments, the processes and the impact to business. Kind of talk me through that.
A: Sure, so I was lucky because early on in my career I also went and got a degree in management, so I understood a bit about negotiation, about finance, about business priorities and strategy, so I was lucky that way, but I think every new CISO coming into a role now really has to be not only technically sharp or have the staff that is technically sharp, but have all of these skills, right? They have to realize security is one priority along with digital transformation, along with financial transformation and so on, and then come prepared with these skills: one is negotiation and sort of partner building, the second is financial acumen, to be able to point out here are the options and here’s how you can do it, and the third is communications, it’s how do you get to not just your CEO, but to all of your team members, to all of your users in your company. And so I always say this when someone asks me, “how large is your team?” I say, I’ve got a team of 30,000 people because I’m looking at every single employee as someone who can help us get to where we want to go. So these are the three skills that I’d say every CISO needs to have to succeed.
D: Yeah and I’ll bite on the last line. Absolutely, every person inside of an organization contributes to de-risking or decreasing the risk of that organization based upon their behavior, so that really aligns to what Living Security is doing. I want to continue pulling on this thread on the business nature of being a CISO in 2021. You work for a very large organization, you have directors, managers, you have individual contributors and architects as well as frontline SOC analysts. Do you find yourself mentoring and helping your team understand the business impact of security and if so how far down the chain do you start that mentorship or conveying of knowledge around you know, this is how you start a firewall I’m going to send you all the training, you're going to be the best firewall admin ever, but they never really understand what they’re protecting and why.
A: That is absolutely the right question to ask and I think my answer is you start at the very bottom of your organization, the lowest levels in the organization because that’s the best way to build the future leaders of tomorrow. So when I talk to my team and they want to do projects I always tell them A, does this move the needle in security? If it doesn’t then why are we doing it? Then B, what’s the risk we are trying to mitigate? What are the options and what is the end state of success? If you can’t answer all of these when you’re doing SOC work for instance, like you’re implementing a project to do let’s say data ____ protection, you’re not going to be prepared to do it five years down the line when you’re in a manager position, so I try to get it at the lowest levels of the organization, having them think about — what's the business impact? What are we trying to address, how do we know we’ve succeeded?
D: Yeah, a couple of clear examples from my background kind of building security programs: we all agree building password managers, two-factor authentication, these kinds of tools are great investments to reduce risk for an organization, but you can’t sell “oh these are good because it’s going to stop an attack.” You have to also go at the sales pitch as the person that wants to, you know, bring that solution to the team and say, “this is the impact on the team if we install a password manager, it’s going to cost this much time for training, it’s going to delay logging into a site by this long and that’s the cost, but what is the gain?” I think really early on as we think about tool enhancement and creating new tools, switching out new tools, you know, even though something might be bigger, better, brighter, more efficient, we always have to consider the cost to impact, time of resources, to make sure that we’ve really thought through what that is going to be beyond just the actual dollar figure investment. I think that for junior level employees that are wanting to do different things, those are all really great opportunities for them to start developing, you know, that pitch, right? How do I get the business to go all in on my idea? As a CISO, I mean I don’t want to put a percentage on you, but a large part of your job is just pitching to the business, right?
A: No, you’re right and quite honestly we’ve made mistakes as well and I’ll talk about password managers in a second, right? And sometimes in the past we’ve had this thought of “if we build it they will come,” and so we pushed out a password manager and said hey everybody, you can use this password manager, it’s really easy, you should use it, and then we went back several months later to look at how many people had used it: not many at all. And that’s when we realized, yes the tech folks know how to use it, but articulating both the cost and the value to users and showing them what’s in it for them is key to getting people to engage.
D: Yeah 100% right? You have to lead them to water, you have to make them understand the benefits and values to them both as a person in 2021, as well as an employee to the company. This is a great thought on really trying to build the business acumen for the security team at large versus “oh you know it used to be security is just the CISO’s job,” now security is everyone’s job, right? And now that second thought is “oh the business side of security is just a CISO’s job.” Well in fact, it's everybody’s job.
A: Yeah you’re absolutely right.
D: Let’s move on. I’d love to start talking about some threats. It’s always fun to see, you know, what you’re most worried and concerned about. So, as a transformational CISO, what threats are flying under the radar that CISOs should be paying more attention to? And on the flipside are there threats that are getting too much attention today?
A: Sure, okay so let’s start with under the radar and for me, it’s around user management or let me call it human risk management, right? So we’re expecting users to support their own I.D., we expect them to move quickly at the speed of business, but we don’t give them the tools to help them succeed and then we turn around and say, “well, we can’t fix stupid.” Maybe we’re the stupid ones, right? And so that bothers me a lot. We’ve got all of this technology and processes, we’re not paying attention to how much stress we put on users just from an overall work perspective and then specifically from a security perspective, and if we devote more time to helping users help themselves, and I’m not talking about split users and education from technology, but it’s the training, the awareness, the technology sort of overlays, the process overlays to help them help themselves, that is my big under the radar piece. When you’re talking about the threats that get too much attention, I think this happened 20 years ago and it’s coming back now, it’s about too much fear, uncertainty and doubt. Everybody is talking about “you could be hacked tomorrow! Use our ML and AI implementations now. Hackers could be on your network.” And I think it’s just counterproductive, because people and the business just eventually get blind to it, and so the less we do of that, the more we do true risk assessment, management and mitigation, I think we’ll be better off instead of throwing our hands up every time there’s a new security attack.
D: Yeah, I love that your first thought — and I thought about this over the last couple of months — is that we need a field, a subset of an existing field that’s something like cybersecurity user experience, like how can we create the user experience for logins, for changing passwords, for reporting incidents, for understanding whether we’ve been owned or not, how can we make that experience so seamless and easy that it’s like ordering an Uber, right? It’s like watching a movie on Netflix. How do we make it match what the big tech companies are investing millions and millions of dollars in to keep them engaged, to keep them buying products, to keep their revenue flowing, how do we do that from a cybersecurity investment to keep the risks diminishing, right? The second side, and I love the fear, uncertainty and doubt perspective, I’ve actually been thinking through around helping to make cyber criminality more normal, meaning that this shouldn’t be something that, you know, we’re having explosive headlines about all the time, but it’s something like we need to make it so normal that when we talk about it it’s like we lock our door, we lock our car, we don’t carry around big expensive things in the city in our arms by ourselves, right? It’s a normal decision, it’s normal for us to talk to our friends and our family instead of being like “oh that’s cyber warfare and the government is doing their thing and I’m not smart enough or technologically savvy enough to help.” Instead you can make little impactful decisions every day as a non-technical person to reduce the risk for yourself, so I agree with both of those, the threats that are flying under the radar and us kind of exploding these topics to make them way more scary than they should be.
A: Yeah, you hit on a really good point there, which is we never are, nor do we need to, educate our users to be technical experts, right? But how can we give them the base level of knowledge so that they can be successful and secure in their daily computing life? And if you can do that for 90% of users and get 90% of their risk addressed with sort of simple stuff like an attachment from an unknown person, that sort of thing, you’ve done most of the work.
D: Yeah, 100% agree. I’ve had this conversation with my parents and it’s like I try to get them there but some of these tools that I want them to use to protect them are just not user friendly, right? They do require a little bit of understanding and the more we can invest in the simplification of them I think the better our industry and the world would be from a risk avoidance perspective. How big of a threat are individual employees when it comes to a company security posture?
A: That’s a good one. So, I don’t think of employees as a risk as much as I think of them as an asset, right? So clearly, they’re our largest attack surface — you’ve got one network, you’ve got 10,000 machines, 30,000 employees — so clearly there’s an attack surface issue of yes, any one of them can be targeted, but at the same time they’re also 30,000 points of defense on our network, right? And we’ve had situations where one employee noticed something funky happening and alerted us, so we saved our whole network from a phishing attack. So I really like to think of employees as assets. We actually, funny you mentioned it earlier, we do have a tagline that says “security is everyone’s job.” So yes, they are a large attack surface, yes there are things they are vulnerable to just because they’re humans rather than computers, but there’s sort of two ways to look at it, right? One is if we give them the tools, the training, the engagement, they’re going to be our best defense mechanisms. At the same time, if we don’t train them, if we don’t give them an easy way to report a security incident, they’re going to be our worst enemies. So my focus is not looking at, you know, the two percent of the people that fail a phishing test, but it’s about saying wow, we’ve got 98% of our employees that are fabulous, how do we get those other two past the finish line and what are they doing that we’re not helping them enough with? So, my focus is yes, of course there is a threat from all of these users being exposed, but there’s a huge opportunity the more we try to engage with them.
D: Yeah, I mean so how do you — this is something that we are really passionate about at Living Security, metrics and analytics. How do you measure the good stuff? We have the technology to measure the blocks, to measure the deny statements, to measure the amount of threats that are remediated by technology when they’re coming through our networks, but how do you record the good positive behaviors? And I love analogies, anybody that knows me knows that I always think about these kind of crazy analogies. My analogy is around one of my favorite sports, which is baseball. It’s like trying to assess somebody’s batting average by only annotating the amount of misses. They’re going to be batting .000 because you never note the good stuff, which is when you get a hit, which balances their batting average. So, if we’re only measuring the bad stuff, how can we prove or show that our employees are actually doing the behaviors that we expect out of them or would like them to do?
A: Yeah sure, I think by measuring bad you can actually in some cases be able to tell that you’re doing well, and so one of the things we do is track when a security threat gets all the way through our controls and a user falls prey to it, right? If it’s a phishing attack or something of the sort where we end up wiring money to a fraudster, we’re like oh well, we had one of those, so you can look at it and say look, we used to have processes that allowed this to happen 50 times, yes it’s happened one time this whole quarter, but that’s a 98% improvement. So by looking at incidents or lack thereof, we’re able to infer that wow, we’re actually doing pretty well. The second is we actually do go out and ask people to tell us about the good things they’ve done. So we’ve got something called — we just finished doing it — the RELX Superhero Awards Program, where we just sent out a note to the whole company and said if you’ve seen somebody that does super cool security stuff in their daily life, tell us about it, and so we awarded people. We got a lot of engagement from our staff that said “this person, you may not know what he does, but these are the things he’s done to help our whole office be secure.” So I think there’s a lot of outreach to find out what people are doing, the good things people are doing that we never see, but some portion of it is just looking at okay, have we had incidents or near misses? We’ve had more near misses than incidents, that means we’re doing a decent job.
D: Yeah that’s solid and that really goes back to the whole normalizing cyber. It’s like you would normalize somebody going above and beyond to close a deal, or going above and beyond to establish a partnership, to help troubleshoot a problem with your product, but how often are companies normalizing going above and beyond security requirements, like helping a co-worker identify a possible threat, helping to identify whether an email is malicious or not? And I think that again that’s really great in creating a positive security culture that goes beyond just a security organization. Security champions, ambassador programs are getting bigger and bigger and really that’s what we want. We want people that are ambassadors for cybersecurity out there in their departments telling everybody how important it is to stay safe and do the right thing, and to one of the metrics you brought up, reporting when bad things happen whether they caused it or not, knowing they’re not going to get yelled at or screamed at by the cyber team because now they have to go reimage their computer.
A: Yeah, can I make a point on that please?
A: We forgot two things. One is something I learned from the oilfield industry, which is no blame reporting. No matter whether you screwed up or not, if you report it there will not be consequences for reporting it. It’s kind of like what you tell your kids: if you call me at two o’clock in the morning, I don’t care what you did, I’ll be there to come figure out the issue. So that’s one thing we do. The other is easy reporting, and so across our four divisions and corporate we’ve just set up an email address, security@, that domain, and we say if you want to report anything, report it to anyone in the company at security@RELX.com or email@example.com or whatever, we’ll figure out the right person to investigate it, just report it, we’ll handle it. So that’s helped a lot as well.
D: We learn so much as an industry from our operational technology partners where lives are on the line. If incidents occur, I’m talking about physical incidents, it is so normalized taking the measures to protect the human being as you’re out on the jobsite, the oilfield, the powerplant. That no blame reporting you got from the oil and gas industries is beautiful, I love that terminology. It’s actually the first time I’ve heard it, so this is one of my major takeaways, but back to the reason why. It doesn’t matter that there’s a problem now, the most important thing an organization can do is go out and fix it before it hurts somebody, and in the cyber world it’s before we cause an incident and personal information gets out, which again can be not as life damaging as physical injury, but from an emotional, psychological standpoint, depending on the type of data that gets out, it can still have a large impact on the people that it’s affecting.
A: You’re absolutely right and we’ve seen cases, right, so identity theft, stalking, etc. Nothing to sneeze at when you lose personal data, so it’s sort of the physical impact of a security breach that comes six months down the road, but it could still be substantial.
D: That’s awesome. Well I’m running out of time, not running out of questions, definitely running out of time, Robin. Some of my major takeaways, I’ll work backwards: no blame reporting, I’m going to be messaging that out to my team, we may be reaching out to get a blog out there. I think that is a very simple approach that an organization can take to open up the doors to any type of reports or incidents, right? I think going back, going down to the entry level cybersecurity employee when we’re talking about bringing up business and understanding the impact cybersecurity can have on a business, I think that’s huge. And cybersecurity UX, I really want to get that as some kind of field, where technology organizations like Living Security are really out there focusing on making good cybersecurity behaviors easy for people of all ages and backgrounds. Robin, last opportunity to say any kind of major takeaways from today’s talk, as well as please share with the watchers, the viewers, your social media so they can reach out to you, maybe on LinkedIn, to continue some of these conversations.
A: Yeah sure, so first things first, LinkedIn, I’m on LinkedIn as Aurobindo Sundaram, it’s just one word, or you can search for me by name and you’ll find me. The second thing, I just wanted to piggyback on your last point about cybersecurity UX, and I think it’s really key that cybersecurity UX extend all the way down to the end users, right? If we stop at management, or executives, or sort of metrics and dashboards, we’re missing the boat a little bit. It’s only when we extend it down to the users and get them to help us that it trickles back up to management, but I think you covered everything else perfectly.
D: Awesome, well thank you Robin. Definitely a transformational CISO, helping us to move from technology first to business centered and human first, which is something that I am 100% on board with, on that train. It’s been a pleasure to have you. This has been our first conversation with a CISO for our brand new series, The Transformational CISO. Looking forward to having a bunch more of these conversations, targeting new and relevant topics of today that all CISOs and anybody in the cybersecurity industry would find valuable, so looking forward to those conversations. Thank you so much and y’all have a great day.