CISO Q&A with Delinea’s Stan Black
Barbara Hoffman
As part of our interview series with Delinea’s leaders, we sat down with Stan Black, Chief Information Security Officer. Before joining Delinea, Stan was Chief Security and Intelligence Officer at Lattice Security, SVP, Chief Security Officer, and Chief Information Officer at Citrix. Prior to Citrix, Stan was Chief Security Officer at Nuance Communications. He was also named Cybersecurity Professional of the Year by Cybersecurity Insiders.
If you’re an IT security pro looking to progress your career, or a security leader wondering how others have managed the role’s challenges, you’ll want to hear what Stan has to say. Read on for behind-the-scenes insights and advice from a seasoned CISO.
Q: What are your main responsibilities as a CISO?
At Delinea I’m responsible for the cybersecurity of the IT operations of our company and the oversight of our product security. Many CISOs don't have that second role, but I'm from the software world so over the past 15+ years my role has extended to advising and overseeing the security of software.
In previous roles, the scope of my responsibilities expanded and contracted to meet the needs of my employers, including physical security, Technical Surveillance and Counter Measures (TSCM), eDiscovery, investigation, litigation support, and forensics. TSCM monitors all communication signals during critical meetings to identify electronic eavesdropping and deploys countermeasures in the event of attempted infiltration. One of the most challenging functions I supported was geopolitical risk and threat management, where my team identified real-time physical threats near company offices and provided protection services in times of crisis.
Everything that happens in a large city happens in a large enterprise: Bribery, threats of violence, violence, kidnappings. The security function of a business is there to make sure the critical assets, the customers, and the employees are safe.
Q: How do you prioritize among all those responsibilities and potential threats?
At Delinea, my priorities are simple: Protect our infrastructure and ensure our product security meets or exceeds customer expectations. These two are almost interchangeable.
Q: How do you organize your teams for these different roles?
My team has two core focuses: security governance and Security Operations (SecOps). The governance team ensures our business and products meet industry and global security standards. The SecOps team identifies, contains, and controls cyber threats, enabling our business to operate without interruption.
I think in terms of maker, breaker, and operator. Software development is the maker. Sometimes they have the breaker inside of their team, but I historically have that outside to facilitate separation of duties. And I have the operators, which are the folks that work for me as a customer of Delinea, just like our customers on the outside.
We had makers, breakers, and operators all with different lenses on a common problem—the results were spectacular
Each of these teams has a different perspective. When they come together, amazing things happen.
Let me give you an example: One company I worked with had a hackathon. Originally, the engineering team, the IT team, and the cybersecurity team would each go and try to capture the flag. I mixed the teams together. We had makers, breakers, and operators all with different lenses on a common problem, and the results were spectacular.
Q: Which one of those personalities best describes you?
My personality is a maker. I hire people to operate. I then have the “how do I break it?” mindset. It’s like being a hacker, which is a good thing. Hackers historically like to take things apart to understand how they work, how to fix them, and sometimes, make them better.
I’m also an advisor and a collaborator. I work with sales, marketing, legal, and HR teams. My job is to understand their security challenges, enable their functions to operate more securely, and get security out of the way. Security has evolved from sitting in the back room, drinking Mountain Dew, and eating old pizza, to the team trusted across the company and by customers.
Q: What are some of the roadblocks you face to doing your job well?
Getting budget dollars is always challenging but we always manage to acquire the resources we need. With the team focused on supporting the business goals and not just being a cost center, our programs align with other teams’ goals, often enabling us to share in larger budgetary pools and resources. Historically, security has been perceived as a business success barrier, not an enabler. I’m working to make sure I am not seen as the “CNO,” or Chief No Officer.
Q: What do you do to overcome those challenges?
I align what I do with making customers happy. Having security built into your product shortens the time for a customer to close a deal. It'll make contractual standardization a lot easier.
Our constant diligence and oversight of release activity make sure that it's a great product that a customer loves—and it's a great product that a customer loves that's secure.
And remember, I'm also a customer. (Ok, that sounds like a Hair Club for Men commercial).
Q: Where does PAM fit into that whole ecosystem?
PAM is like air. You don't get rid of it, period. It's not one of those things that might or might not be on the budget. It's on the budget. That’s especially true for regulated, highly secure organizations, but it’s becoming true for all organizations.
When the internet was created, it wasn't “fail closed,” it was “fail open.” Over time, applications, end users, and devices increased in complexity. The very things we consider trustworthy, like open SSL, are now vulnerable. All of a sudden, compute capacity got so smart that they figured out a way to hack the very fabric of the internet.
So, if you’ve just got Multi-Factor Authentication, think of the large international hotel chain breach of 500 million accounts. Who had the same username and password for their system at work? Many, many people. The criminals said, "Oh, I can go request a new Multi-Factor Authentication token.” It was self-serve because companies want to make a user-friendly experience.
With PAM, we can properly enforce very granular control over our end users
PAM is one of the most effective methods to mitigate that type of risk. With PAM, we can properly enforce very granular control over our end users, ensuring that they have access to the things they're authorized to have. You find more PAM relevance in either totally on-premise or hybrid companies. Because the reason PAM exists is that infrastructure directory services, the very thing that runs all our businesses, has an inherent shortcoming regarding access, authorization, and password enforcement.
Q: What are the most important factors you look for when making a technology purchase?
User experience is critical. That’s for the day-to-day usage, not only from an administrative, IT, and security perspective but also for the user, the employee. The best security are the products workers don’t know are there. Additionally, I prefer to purchase products delivered on a platform. This delivery model reduces SecOps engineers’ ramp-up time and allows us to add features and functions over time. When a product slows a worker down from getting their job done, they will try to find a way around it, defeating the very purpose of the tech.
The additional benefit of platform products in the cloud is we don’t have to worry or deal with tech-refresh cycles every three to five years.
Q: Delinea’s just been through a merger. Do you have any security lessons to share from that experience?
Sure, of course, mergers are disruptive. But they also provide a unique opportunity to enhance your security posture. During this merger, we brought together two strong security companies with an extensive set of security tools and talent. Now we have an opportunity to select the best tech, consolidate, and even reduce operating costs.
Integrating asset management, access control, and automated policy monitoring and enforcement certainly reduces numerous manual processes and drives down human error.
Q: What are you investing in now to prepare for the future?
I’m always thinking about less drag on user experience. Password-less technology is now a user expectation. The operating systems inherently have a requirement for passwords. All the apps require it too. That needs to go away. So, we will need to utilize various forms of zero trust. We’re going to need to combine proximal awareness, the asset, and the individual in a more harmonious way.
When viruses first came out, there would be a new one maybe once or twice a year. Now with machine learning and malware, security teams need to invest in really smart countermeasures. I think there's going to be a variety of new technologies that will not allow an application to run in a fashion that doesn't adhere to an approved policy or standard.
The other thing that I love about investing in the cloud is that if a product is designed and developed natively in the cloud, and you're delivering microservices, there’s less risk. If a single session, for a single application, for a single user is compromised, it’s contained.
Q: What advice would you give other CISOs or hope-to-be CISOs?
A CISO is hired to solve problems, but the reality is that often they only get baling wire, duct tape, and spit to do it with. So, you have to prioritize.
My advice for CISOs is to pick their battles strategically. Break down your risks by level of exposure. Security threats have many shades of grey. There are 560+ standards, regulations, and laws around the world. So you need to understand and communicate what the risks and requirements are, in the right priority. Be explicit as to what is wrong, and when your team can address it, depending on the budget you have.
Avoid Stockholm Syndrome. What I mean by that is when you keep hearing from your business counterparts, “We have to release the product. We committed to the street.” It can feel easier to say, “Yeah. All right, maybe we don't need to do it now. Yeah, it's probably not that critical. Yeah, we'll get to it eventually.” Stick to your guns. Have your core security items that you will not bend on. And keep the customer at the front of your mind—always.
Seamlessly extend privileged access—everywhere