Risk Grustlers Ep 12 | Security: Building a Business Within A Business

Hey there, everyone! Welcome to Season Two of Risk Grustlers, where we immerse ourselves in the fascinating narratives of individuals within the realm of risk and compliance. With a diverse array of guests hailing from various backgrounds, each conversation promises to be both exhilarating and profoundly enlightening.

Today, we're in for a treat as we engage in a candid discussion with Aaron Wurthmann, the CIO and CISO at Spire One, to uncover his journey through the realm of risk management. Let's explore his insights and experiences in navigating the complexities of cybersecurity.

You can listen to the complete podcast here.

https://youtu.be/PUnWvt3mgGM

Todd: Before we delve into the intricacies, I'm genuinely intrigued by your journey. What sparked your interest initially? Because, frankly, none of us started off in IT and security. It wasn't even a prominent field back in the nineties, barely a blip on the radar. So, please, share your story. How did it all begin for you?

Aaron: Certainly. I was born and raised here in Silicon Valley. My father was a sys admin, working for companies like IBM and Texas Instruments. Computers were always present in our household, but I never saw it as a career path initially. My passion back then revolved around being a tagger and heavily indulging in street art, especially here in the valley. When it came time for higher education, I opted for graphic design. There was a local school offering specialized programs in either sys admin or graphic design, and I chose the latter.

During that period, I worked at a few startups. I believe my first stint was around '96 or '97. Initially, I started as a receptionist, then worked my way up to administrative roles like assistant and eventually office manager. Throughout these positions, I found myself tinkering with the startup's computers due to my background. Tasks like setting up user accounts, managing DNS and static IP addresses, handling anti-accounts, and setting up exchange accounts became part of my routine as an office manager.

Then, one day, a recruiter approached me about a full-time IT position. My initial reaction was reluctance; after all, I enjoyed the autonomy and perks of my current role. However, when she mentioned the salary, which was double what I was making as an office manager, I reconsidered. Thus, my journey into the world of sys admin, SRE, and eventually leadership began, thanks to someone taking a chance on me.

Todd: Now, regarding the bread-making endeavor you mentioned, that's quite a departure from IT! How did that come about?

Aaron: Well, during the pandemic, like many others, I missed the sourdough trend entirely. However, I received a pizza oven as a gift, which sparked my curiosity. I embarked on a quest to perfect pizza dough, researching the most flavorful options. That's when I discovered Serrano as the ideal choice. From there, it evolved into a side hobby of sourdough-making, primarily for pizza.

But as anyone who's ventured into sourdough territory knows, there's a lot of discard involved. So, naturally, bread-making became the next logical step, followed by cakes, muffins, and even English muffins. It's been a culinary journey inspired by a desire for the perfect pizza dough.

Todd: Great, that's good some bread, although let's get back on track discussing security! Even if we did have an enormous budget, there's no way we would be able to protect a company from every single threat. So how do you establish a budgetary baseline for a security program?

Aaron: So, I think it starts with the philosophy that IT and security functions should operate as businesses within a business. It's about being mindful of our spend, understanding who our customers, investors, and partners are, essentially building a community around our security product. Imagine if security were a product – how would we run it?

After adopting this philosophy, the next step is to align with stakeholders and grasp the bigger picture of the company's vision. As security and IT leaders, our role is to enable the company to succeed in achieving that vision. This deep involvement in the business helps us understand its risk appetite and tolerance, which forms the basis of our security strategy.

In practical terms, it's akin to creating a business plan for security. We engage with various stakeholders, from customer support to marketing and sales, to understand their needs and concerns. By doing so, we can tailor our risk management approach to align with the company's objectives.

For instance, we consider both the positive and negative impacts on the company. Positive outcomes might include pursuing a compliance certification that unlocks new revenue streams, while negative risks could involve potential breaches or failures to meet objectives.

Now, regarding budget allocation, the industry standard often suggests around 1% of revenue for security. However, for pre-revenue companies, this calculation can be challenging. In such cases, I propose linking security budget to potential revenue or the revenue targets for the year.

Communicating this risk to stakeholders, particularly the board of directors, is crucial. Even if they accept the risk, it's essential to prepare contingency plans while being willing to let go if our advice isn't followed.

When it comes to presenting security to the board, it's about understanding the business impact of security incidents. We need to speak their language, aligning our discussions with their objectives and concerns. While precise numbers are ideal, establishing rapport and credibility through ongoing dialogue is equally important.

Transitioning from a tactical to a strategic mindset, especially for highly technical individuals, requires learning business speak and understanding investor language. It's a skill set that can be developed with time and effort.

Ultimately, establishing a budgetary baseline for a security program involves aligning with stakeholders, understanding business objectives, and effectively communicating the impact of security incidents in business terms.

Todd: How do you find the right balance between allocating resources for immediate needs and investing in long-term resilience for your security program?

Aaron: It all comes down to a fundamental philosophy I adhere to, which emphasizes the value of diverse skill sets within the team. Rather than solely hiring experts in specific areas, I prefer individuals with varied experiences, like a senior risk analyst who has also worked as a network or security admin. This diversity enables us to maintain a balanced approach to budget and resource allocation.

To stay ahead of scaling challenges, I advocate for proactive measures such as establishing relationships with Managed Service Providers (MSPs) or considering outsourcing before the need arises. By doing so, we can access burst capacity when required without compromising the integrity of our internal team.

For those navigating the early stages of building a company's IT and security infrastructure single-handedly, my advice varies based on company size and growth trajectory. Typically, once a company reaches around 100 employees, it's time to consider focusing either on IT or security, depending on the business's priorities and plans.

For instance, if security plays a significant role in the company's objectives, such as achieving a SOC 2 type II certification for a SaaS business, investing in compliance expertise or suitable tools beforehand is essential. By strategically aligning resources with business goals, small companies can lay a robust foundation for future growth and security.

Todd: Since you mentioned it, do you ever try to sell compliance as a revenue advantage to the company?

Aaron: Absolutely. When discussing compliance with the business, I frame it as a cost of revenue. Just like we calculate the cost of goods sold, understanding the investment needed to obtain certifications like SOC 2 Type II or FedRAMP is crucial for unlocking potential revenue streams. This conversation is essential for security professionals to have with CFOs or board members to align security initiatives with business objectives.

Moreover, in smaller company scenarios, staying informed about industry breaches is paramount. Tools like Feedly help me curate cybersecurity news, allowing me to promptly address concerns raised by CEOs or stakeholders. Regardless of our role, whether a CISO or an individual contributor, it's our responsibility to stay updated and provide confident responses when questions about the company's security posture arise.

Todd: Okay. So since you touched on tools, we all learn from when we get breached or something happens. So when you start at a new company or consulting for a company, do you follow any specific frameworks that you like to measure by

Aaron: Absolutely. There are foundational frameworks like CIS top 20 and various NIST standards that provide a solid starting point regardless of the company's industry or size. However, before diving into specific certifications or compliance requirements, it's crucial to understand the business stakeholders and align security initiatives with their objectives.

Todd: Understood, however with the proliferation of security tools, managing them effectively becomes a challenge. How do you navigate purchasing decisions amidst this vast landscape of security solutions?

Aaron: It's essential to adopt an internal-first approach and evaluate if we can develop certain features or tools in-house before considering external purchases. For instance, if a company lacks visibility into its attack surface, building an internal tool to assess it may be more cost-effective than buying a commercial solution outright. However, it's crucial not to overburden the budget with unnecessary purchases. Developing a clear strategy for in-house development and rigorous documentation ensures continuity and mitigates risks associated with personnel changes.

Todd: So based on all your experiences, have you ever encountered or heard of an organization that severely underspent on security, leading to a significant breach or cyber catastrophe? And if so, what were the lessons learned from that situation? Was it primarily a budgetary issue or a cultural issue, or perhaps something else?

Aaron: I've come across instances where organizations failed to allocate adequate resources to cybersecurity, leading to devastating consequences. While I haven't directly experienced this, I've observed scenarios where there was a breakdown in communication between cybersecurity leadership and budget stakeholders, often the CFO. This breakdown can stem from either party being unwilling to engage honestly with the other. It's crucial for cybersecurity leaders to strike a balance, ensuring they neither overspend nor underspend on security initiatives. Real leadership lies in transparent communication and the ability to reassess and reallocate resources as needed.

Todd: Hospitals, for example, often face budget constraints, yet ransomware attacks can have life-threatening consequences. How do we address this challenge, particularly in non-profit organizations where revenue isn't the primary concern?

Aaron: That's a critical issue. For non-profits like hospitals, the conversation needs to shift from revenue to other critical metrics, such as patient care and operational continuity. By quantifying the potential impact of cyber incidents on patient care and operational downtime, cybersecurity leaders can effectively convey the importance of investing in security measures. It's about understanding the organization's core objectives and aligning security initiatives accordingly, even if revenue isn't the driving force.

Todd: As we wrap up, could you shed some light on how one begins their security journey within a company, and perhaps provide us with a top five checklist of key considerations?

Aaron: Absolutely, Todd. Firstly, it's crucial to grasp the landscape of stakeholders, encompassing partners, superiors, and even potential board members. Next, delve into understanding the people aspect, acknowledging the significance of your team, peers, and reporting structure.

Following that, comprehending the company's approach to cybersecurity is paramount. This entails grasping the overarching mission, tactical methodologies, and historical strategies. Then, delve into dissecting the spend. As a leader, it's imperative to scrutinize past expenditures, particularly in personnel, and prepare for potentially tough decisions regarding compensation.

Lastly, but certainly not least, is technology. Assess the current tech infrastructure, including communication and collaboration tools, and correlate it with the overall expenditure. Remember, it's all about aligning People, Approach, Spend, and Technology (PAST) for a comprehensive security strategy.

Todd: That's fantastic. And I like how you've encapsulated it all into the PAST framework. It's definitely a memorable way to approach it.

Aaron, thank you so much for taking the time to join us today. Your insights into the realm of security and budgeting have been invaluable.

Budgeting with all aspects of security in mind is truly a key requirement. To all our listeners, thank you for tuning in to this episode of Risk Grustlers, Season Two. If you haven't caught Season One yet, remember to take a look at it here!

Stay tuned for more exciting episodes ahead with some fantastic guests lined up. Until next time, stay informed and stay compliant.