Cyber attackers know most organizations have visibility gaps, which is why it is important for security leaders to know as much of the attack surface and their assets as possible.
Here, we talk to Anne Marie Zettlemoyer, CISO at attack surface management platform CyCognito, about security hygiene and what it means to CISOs.
Security: Where has your career path taken you over the past 25-plus years?
Zettlemoyer: I have an MBA from The University of Michigan — Ann Arbor — and my undergrad majors were in Finance and Accounting. I’m a Wolverine twice over. I have two certifications as well: CISSP and CEH (Certified Ethical Hacker).
My first security job was in D.C. I was recruited from graduate school by the Secret Service as a Special Advisor to the Director.
They were looking for MBAs, and specifically for people who were strong in strategy and execution. They wanted people who could solve tough business and operational challenges, in even tougher settings. My accounting background was a surprisingly good fit for security. If you think about it, accounting and security have a lot of overlap. You have to be able to build robust, dynamic systems that are trustworthy and resilient to fraud and abuse. Principles of continuity, resilience, separation of duties and even the good old “security” triad of Confidentiality, Integrity and Availability are all tenets of accounting curriculums. Finance is heavy on building predictive models, managing risk and reward — and security is a risk equation.
I continued my work with various government and commercial clients while at Deloitte, then made the pivot into Mandiant, Capital One, Freddie Mac and then later became the Divisional Security Officer for Digital at Mastercard.
Now, I’m excited to be with CyCognito as CSO. I joined the company because I was so impressed by their risk-based approach to security.
Security: How has the enterprise cybersecurity threat landscape evolved during recent months?
Zettlemoyer: Enterprises are increasing their understanding of the types of threat actors and their motives. That’s become their focus.
Before, most conversations were centered around just data breaches, but now we're seeing growing concern over a broader set of threats, like espionage, access-as-service, ransomware, destructive attacks, hacktivism, etc.
Threat actors pursue targets for a variety of reasons, including persistence to sell their access to other threat actors. It's not just “break in and steal data or money” anymore. It's also increasingly, “break in, see what's there, build a back door and sell the access so others can get what they want.” They want to get in and stay undetected, carefully exploring every attack path to find a big payoff to accomplish their goal or sell the capability to another.
Another thing that’s changed is threats can come from anywhere. Nation-state cybercrime has become top-of-mind. From any corner of the world, bad actors can sabotage or paralyze your operations.
Whether it’s a nation-state threat, the teenage hacker who wants to flex by pranking a large company, or a widespread vulnerability like Log4j, one thing is certain: we’ve all changed how we look at risk, including governments.
This has put a spotlight on security hygiene and third-party risk in a very real way. For organizations, it means we should all double down on visibility, get to know the lay of the land, and understand attack paths. We have to know what an intruder can do once they are able to get in. And we have to prioritize threats, because we’re inundated with alerts, and many of them turn out to be false positives.
Security: What does security hygiene mean to CISOs?
Zettlemoyer: In the simplest form, security hygiene is knowing as much of the attack surface and your assets as possible, and the profile, access rights and purpose of each asset. Security hygiene requires you to map it as fully as you can, and keep it clear and understandable. It’s vital to know what the assets you use are connected to — with an up-to-date view, and ongoing asset management that you keep tuned to the company’s risk tolerance. Robust security hygiene gives the CISO and security teams confidence, clarity and credibility.
Attackers know that most organizations have visibility gaps. They seek to take advantage of blind spots, and they only need to be right once. Even attackers with basic skills can use cheap tools and get lucky. Security hygiene requires doing full enumeration and handling all the foundational essentials.
Security: What security leadership lessons have you learned in your career?
Zettlemoyer: We have to be the calm voice in the storm. Leaders don’t panic or spread FUD. Under duress, great leaders focus on trust and execute on the responsibility we have been given.
You will never know everything, and your decisions about the business can’t be made in a vacuum. We can’t presume to know all the inner workings of the business or why their decisions are made. We can’t be in every conversation — nor should we be.
Partner with your line-of-business colleagues to define strategy and what needs to get done. Invariably, you will learn a lot from them about their business.
Our job is to provide the best possible guidance and expertise and help the business make the best decisions on managing its risk. Collaboration is the key to achieving this.
Separate, yet related: another lesson I’ve learned over the years is that talent is evenly distributed but opportunity is not. An employee with talent and ability may be languishing in a role they’ve outgrown, through no fault of their own. Aptitude, interest, curiosity and opportunity can lead to game-changing outcomes. When I think of the best practitioners I know — none of them have uniform paths; they are all different, and very few came up in what we would consider “the traditional sense” of IT degrees alone.
Security: Do you have advice for security professionals moving into leadership roles?
Zettlemoyer: It is tough to go from hands-on roles to management. New managers often want to step in and grab hold of the steering wheel because they are used to having direct control.
Know when to stand back and let others swim. Leading people is different from always being the hands-on implementer — most of the time, it means getting out of your team’s way. Jump into the trenches only when your judgment tells you that’s better than giving directives.
For new leaders, training is critical. For example, a CISO knows a lot about technology but also is tasked with knowing how security impacts the business. The business side of things isn’t always obvious to someone stepping into that role for the first time. Many CSOs and CISOs run into this issue.
Listen to your colleagues. Have conversations with other executives in the organization. You’ve walked the walk to get where you are; now you’ll also have to “talk the talk.”
Finally, once you move into a leadership role you are responsible for the professional growth of others, not just your own. Helping people develop in their careers is one of the most rewarding aspects of being a leader. It’s an exciting change, a new kind of responsibility, and doing it well brings its own sense of accomplishment.