Fast and Furious: How to Tackle Speed and Complexity in Security with Ramy Houssaini (BNP Paribas)

Hank Schless  00:09

Hi everyone, and welcome to the Security Soapbox. My name is Hank Schluss. And I am your host, and today we're going to be talking security with somebody who truly lives it every day and has throughout their career. I'm very excited to be joined by Rami Houssaini, who's the chief cyber and technology risk officer at BNP Paribas. Rami, welcome to the show.

‍

Ramy Houssaini  00:27

Hey, thanks for having me. Glad to be here.

‍

Hank Schless  00:30

It's a real pleasure. And for the audience. We'll have Rami do a little intro in a second. But he has been leading privacy and cyber risk at BNP Paribas for over five years now. And really started his career, actually, in the mobile space. One of his first projects was developing anti-fragile software for a highly resilient telecommunication infrastructure over at Motorola. So he brings a wealth of security experience. He's been helping organizations transform their cybersecurity and technology risk management over to this borderless operating model driven by data and cloud technology. So today, we're going to go into some of the top security considerations that CISOs should be aware of in this rapidly changing security environment, and really how they can best present those security challenges to the c-suite and board of directors, which is something I've always been particularly interested in. I'm excited to hear your perspective Rami. But first, could you just tell the audience a little bit about yourself, how you found your way into security as a professional?

‍

Ramy Houssaini  01:27

Sure. Okay. So as you pointed out in the intro, I started, actually, my career as a software engineer at Motorola. And I didn't know it at the time, but I was actually doing security as a code. So I was actually automating security controls for a highly resilient, telecommunication infrastructure, you know, the one used by public utilities, defense, governments and other agencies. So this experience gave me the opportunity to work closely with engineering product operations teams, and how to understand their perspective and view. So I took this very early view in my career, that cyber didn't exist in isolation. It's all about business enablement. It’s about not necessarily just building the most secure computer, but really the one that can actually serve a business purpose. I have had more than two decades of global experience helping highly regulated organizations successfully and safely leverage technology to enable innovation and get the clarity on how to operate within good risk tolerance. And I was lucky to have the opportunity to build high performing teams in different environments and cultures. So it's been educational, to really get perspective from different industries, because it helped me around my thoughts, but also acquired some battle scars. And it's this diverse portfolio of experiences that served me well in my career, to manage complex situations, but also to anticipate challenges.

‍

Hank Schless  02:58

And I'm sure those challenges have evolved as you've moved through so many different types of software changes, hardware changes, the way we do networking, where we store data, how we access it, all the good stuff, that now kind of in that CISO seat people are thinking about more frequently. So my first question for you is really, well, it's two parts. What do you think are kind of the top two challenges that just about every security org, regardless of their industry, is facing today? And then what I think would be really interesting for the audience is, you know, what's one challenge you think is sort of starting to emerge or surface but will be potentially more problematic in the future, kind of on that upward trend?

‍

Ramy Houssaini  03:35

Sure, I really can think of two things: I mean, complexity and speed. So let's start with complexity. I mean, today, when you are actually managing cybersecurity operations at scale, you're dealing with the multitude of security controls. And this is very complex and difficult for two reasons. First, the telemetry that is generated by these different controls creates noise that requires significant processing in order to really understand the insights and capture the key weak signals and filter out the false positives. I talk to my peers all the time. And this is definitely a big issue, the amount of intensity that goes into filtering out false positives. And this can explain why some of the recent deep breaches that we have seen, these breaches took a while to actually be fully recognized as such, even though there were some weak signals. So we require a lot of processing before we can confirm that there is an attack. And the second reason is the proliferation of point solutions. So we start having a specialization of the cybersecurity workforce which limits their end to end understanding of the overall cybersecurity posture of the organization. So this is why optimizing the array of controls,  making sure that we have the right security architecture, this becomes quite important but also more challenging. When it comes to speed today, I think the mantra that could be basically heard everywhere is that cloud is fast and security is slow. We still have very much an analog approach to addressing cybersecurity challenges in a business environment and context that is moving at cloud speed. So we have to make, actually, security digitally automated, make sure that we are able to embed it natively, so that we can match the agility at the business in the cloud age.

‍

Hank Schless  05:40

With the first part, you were saying, I think we hear the term “cutting through the noise” a lot in this industry. And many may think it's a bit overused. But much like a lot of other terms we hear a lot, it is legitimate to your point about being able to discover the proper signals on a malicious activity. And then what I also think is they’re saying about security, “keeping up with the speed of cloud.” One thing I think about is a colleague of mine who once said that software is developing more quickly than the human hardware can keep up. And I just thought that was an interesting way of putting it. It's almost the same idea here, right? We're innovating so quickly in the cloud that the practices that we implement as humans they can't keep up with that. So really embedding security into those, whether it's the development process, whether it's the delivery process, whatever it is… really seems like a key point for you.

‍

Ramy Houssaini  06:27

Absolutely, I mean, I think it's quite clear that when you look at that, just what we're dealing with in terms of the perimeter, it had become so fluid, so dynamic in nature, that the, you know, boundaries in the traditional sense have disappeared. So it's no longer a static entity. It's really driven by cloud, by digital transformation, Internet of Things, mobile. And not only that, but also an increasingly geo-distributed workforce. So, against this backdrop, we have to match the modernization of the architecture and the expanded attack surface that this modernization brings, along with a different approach to cybersecurity, and one where, frankly, that conventional castle-and-mote-like cybersecurity model doesn't work anymore. And that doesn't mean that the perimeter and the boundaries isn't important to protect. But we need to expand essentially what we do in terms of adopting and zero trust and in terms of making it a critical component of our cyber risk management and matching, indeed, the velocity of the changes in terms of the business architecture.

‍

Hank Schless  07:41

I completely agree. And in addition to all that, we're kind of moving into this, this topic here of the complex digital footprint, right? Really, what does it look like? What does infrastructure look like and how you're, how you're building that, how you're managing that. Zero trust is obviously a critical part of that. But you know, are there any other key factors that you see, as people are kind of tying newer or more modern security challenges to that bigger footprint? And then more complex?

‍

Ramy Houssaini  08:11

Yeah, absolutely. I mean, the management of the attack surface itself is quite an important step. So having the right inventories, making sure that you have capabilities to do asset discovery at scale. We're talking about a very dynamic environment, every M&A activity, every new product, every new partnership changes the infrastructure footprint, changes how you look to an outside attacker. So it's quite important that things are done in a dynamic and non-static way. So for me, mastering the basics in terms of knowing what is your footprint every day, and how is it changing? How's it morphing? And how do you deploy your controls in a native way? When it comes to identity access management, but also logging and monitoring? How can you expand your capabilities to detect anomalies in that complex new environment? We're talking about real-time processes, real time actions, and manual becomes less and less important; in fact, becomes more dangerous in such an environment.

‍

Hank Schless  09:26

I think that's really interesting what you say about mastering the basics on kind of a day in, day out; it's almost like it becomes part of your daily routine. Really, you come in, sort of assess the risk. You assess the changes that have been made. You assess maybe a new integration, potential new avenue that your data is taking to either get to your service or out to a third party or an integrated service. And then really implementing those changes in real time. And you're, I guess, making the changes to the processes. That's a very interesting point, especially from the perspective of somebody who in that that sea level. And do you think it's indicative of the fact that security strategies need a complete overhaul? Or do you think at this point, it's more about sort of adjusting the mindset and the approach to tackling those challenges on a daily basis. And also on kind of when you're looking at a bigger scale, you know, maybe your quarterly or annual challenges as well.

‍

Ramy Houssaini  10:18

It's definitely a cultural shift. We need to be thinking that we are part of a big race. And racing games are about two things: about reliability and about making mistakes, but it's also about speed. So for me, it's about how do we ensure that we are able to support the move to another nice IT architecture where we are able to embed security, resilience, compliance and privacy controls in a native way? How can we make sure that we are applying updates before new and enhanced controls? And how can we make sure that we are detecting anomalies in the environment and doing remediation? But also, how can we equip, in a way, developers and other internal customers that we may have in the environment with the improved capability so that they are actually playing their part? This is also the cultural shift, that we're not talking about only security teams or IT teams doing the work. But this is really about embedding a lot of the controls upstream, and ensuring that we don't have, essentially, deadlocks further down that will slow the business, that will reduce its agility. Because a lot of things created some blind spots and created some operational surprises downstream.

‍

Hank Schless  11:43

One thing I actually want to… I read an interview you had earlier this year with The Stack. And what I thought was the most interesting part, because it ties to… I saw the stat about, I think it was something like 23% of board members think ransomware should be a top priority to secure against. It was across a few hundred businesses. And so there was one part of your interview where he talked about how cyber risk ties to business risks. So could you dive into that a little bit for us?

‍

Ramy Houssaini  12:09

Yeah, absolutely. I mean, I cyber. For me, it's just like any other business risk. So when it comes to the conversation at boards or any other level of management, we need to really not treat it in isolation. We need to understand it's an evolving landscape and changes with the M&A activity with new product, new capabilities. So it's dangerous to manage it in isolation, because probably some of the best and most sustainable mitigation comes from controls that are designed to mitigate other types of risk. So we need to really understand the bigger picture. So not thinking of cyber in a vacuum, but rather in the context of the business. And the impact of this realization is that you really shift the dialogue at the board level in terms of how does cyber connect to other aspects of the firm strategy, other objectives that they have, and also, the opportunities that cyber brings in terms of creating differentiation, in terms of improving customer experience, in terms of providing adjacent benefits to the organization –– this is really key. So to me, I think the secret to improve the quality of the dialogue is to not treat cyber in isolation, but also to ensure that we are looking at the upside that cyber can bring. But also ensuring that we deal with cyber at the board level with the same rigor and the quantification that we apply to other types of risks.

‍

Hank Schless  13:52

Right? So really making it positive in the same way that, you know, you don't want to slow down development of new features. You don't want to have to be seen as something that slows down the business, but look at it as an enabler, something to differentiate your business, something to create a better customer experience for your users. I mean, depending on the industry you're in –– if you're a bank, you can say, “Hey, we provide, you know, X security.” Differentiated to your customers; someone may go with you guys over your competitors. And the last thing I do want to ask you is if there was sort of one actionable recommendation for any CISO right now, as they look towards the future? What would you say that that one thing should be?

‍

Ramy Houssaini  14:28

I think it's about investing in defensible architectures and in automation to go hand in hand. So, for me, creating more defensible and resilient architecture by minimizing the attack surface, ensuring that we reduce the blast radius, implement zero trust across not just user access but also production environments. And remember that this whole process has to engage the business as well as technology –– so, understanding the upstream requirements from the customers all the way to the downstream in terms of the supply chain, the third party relationship. All of this is something that we need to do. From an architectural perspective, automation is key. We talked earlier about the velocity  that the business is operated at in the cloud, how you can create new infrastructure in seconds. We need to be able to make sure that the security is also evolving at the cloud edge or the cloud speed,  and automation is going to be absolutely key priority. So DevOps teams should inherit some of this accountability. But I would not be surprised to see more and more information security organizations invest in their own SecDevOps capabilities to address this challenge. 

‍

Hank Schless  15:57

I couldn't agree with you more on that last piece. So, Robbie, thank you so much for joining us today. It's been incredibly educational. I hope the audience found some good nuggets in here to walk away with. And if people want to follow you or find more of your thought leadership, where can they do that?

‍

Ramy Houssaini  16:12

I think my LinkedIn profile is a good place to start. Thank you, Hank, for this dialogue, and I appreciate it. 

‍

Hank Schless  16:19

Absolutely. Thank you, Remy. And thank you, everyone, for tuning in today to Security Soapbox. You can find the latest on security news at lookout.com/blog. You can find us on Twitter at Lookout and LinkedIn as well. And, until next time, thank you all for joining us. Have a good one.

‍