Cybersecurity Effectiveness Podcast:

Bang! A Chemical Reaction

08/30/2018
What do you get when you combine a surging demand for cybersecurity experts with one of the largest plastics, chemicals, and refining companies in the world? In this first episode of the Cybersecurity Effectiveness Podcast, host Brian Contos sits down with Dave Bang, the man in charge of IT Security Architecture at a multi-national chemical company, and gets his take on the industry’s attitude toward prioritizing security, current processes, and personal experience with their team in ensuring success.
With security instrumentation, you know unequivocally that the technology that you've invested in, that the resources you've invested in, the people you've invested in, are actually functioning the way they're supposed to be and the way everyone thinks that they are.
Dave Bang
IT Security Architecture Manager at one of the largest plastics, chemicals, and refining companies in the world.

Dave Bang

IT Security Architecture
F500 chemical company
Dave Bang is the manager for IT Security Architecture working on the Information, Protection, Architecture, and Compliance (IPAC) team for one of the largest plastics, chemicals, and refining companies in the world. Dave is responsible for IT security vulnerability management and represents the IPAC team on new projects from a security and privacy perspective. Dave also manages the IT Security Awareness program. He has a Bachelor of Science degree in Computer Science from Texas A&M University and is a Certified Information Systems Security Professional (CISSP).

Brian Contos

CISO
Verodin
Brian Contos (@BrianContos) has two decades of experience as an executive, board advisor, entrepreneur, and author. Brian worked at DISA, Bell Labs, Riptech, ArcSight, Imperva, McAfee, and Solera in over 50 countries, across six continents. He speaks at events such as Black Hat, BSides, and RSA, and is frequently interviewed by the press.
About the series:

Cybersecurity Effectiveness Podcast

Cybersecurity experts from around the globe share experiences about their journey to increase security effectiveness. Do boards and business leaders understand the risks? Is security improving, barely keeping up with threats, or falling painfully behind? And more importantly, if what kept us secure has stopped working, what do we need to do to fix it? Join host Brian Contos and his guests as they explore these questions on the Cybersecurity Effectiveness Podcast.
Transcript: Bang! A Chemical Reaction
Brian:
Welcome to the Security Effectiveness podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host Brian Contos and we've got a really special guest today. Joining me is Dave Bang. Welcome to the Security Effectiveness Podcast, Dave.

Dave:
Howdy, happy to be here.

Brian:
Hey Dave, before we kick things off, why don't you give our listeners a little bit of background on who you are and what you do.

Dave:
Okay, so like you said, my name's Dave Bang. I'm the manager for security architecture for a large chemical company based out of Houston, Texas. I've been in IT for 25 years now, and in security for the last 12 years doing various things. I became a security architect probably [over] the last four or five years.

Brian:
Awesome. So Dave, let's just jump right in because I know we've got a lot to cover. Let's drill down into chemical companies. So, from a cybersecurity analyst perspective, what are some of the key issues facing the chemical industry today?

Dave:
So we deal with a lot of the same things that most industries deal with. I like to break them down as to keeping the bad guys out and keeping the good data in. So we have intellectual property, we have some personal data and company data, client data, that kind of thing. But the chemical industry, as well as some other manufacturing industries, we have the additional vulnerability of being manufacturing. And so the manufacturing floor actually poses its own security threats because if someone were to get access to those controllers, they could turn something on or turn something off, or make changes that could actually cause things to blow up. It adds a certain degree of difficulty to what we're working on.

Brian:
You know Dave, somebody like you that's on more of the cybersecurity side, as opposed to, you know, the hands-on operational side, dealing with the SCADA equipment and whatnot, how often do you even get access to, you know, physical access to that area and to those people to walk the floor and talk about their devices, and sort of what they're concerned about?

Dave:
So we've actually partnered with the manufacturing team pretty closely over the last five or six years, so I try and get out to visit them on a regular basis. I certainly talk to them on a weekly basis, if not more often. But, I try and get out there and walk the floor and help out with security assessments and things like that as often as I can.

Brian:
Oh, that's great to hear. So you've been doing this for over two decades. What's gotten better, or what's gotten worse in this industry since you've started, and why do you think that's happened?

Dave:
What I would say--so like you said, I've been doing security for about 12 years--and what I would say has gotten better has been the visibility of security as a requirement and as a facet of IT in general. Manufacturing in general in the chemical industry, really only in the last maybe seven or eight years, has come to see security as something that's important to them, rather than something that's important to other industries. So that's where I've seen it get a lot better. It's got a lot more visibility, and it's got a lot more priority from upper management, as well as board members, customers, stock owners, you know, just everybody is talking about it, and the more things that get talked about, the more things get done.

Brian:
Yeah. Awareness, as we know in this space, is so critical. You mentioned something there that I wanna drill down into a little bit. You said upper management and boards, so let's talk about those business executives, not necessarily security executives, or even IT or you know, tech executives. What are they doing to really understand the state of protecting everything from intellectual property to infrastructure?

Dave:
Well, they're doing the most important thing, which is asking questions. Instead of people in my position having to go and ask, "Hey, can I talk to you about these things?" they're coming to us and going, "Hey, I want an update on where we are, what's our security footing, what are we doing to address vulnerabilities, you know, how are we positioned compared to our competitors?" They're asking good questions and wanting to get updates in a way that they can understand. But they want to be informed. They want to not be the guy that didn't know what was going on that the company's responsible for.

Brian:
Yeah, yeah. And you know, these days, you know, people on the board are aware of security. It's not like some crazy notion to discuss security during these high-level meetings these days, and I think it puts a lot of pressure on the business leaders to have something to say, and to be informed, and to know the state of things. What executives are asking for this evidence as it relates to how effective are our security controls, and what's working, what's not? So what executives are asking for this, and if there's some that aren't, what executives should be asking for it but currently aren't at that stage?

Dave:
So I would say like I said before, I would say that the manufacturing industry and the chemical industry has come a long way, and are being asked those questions. And they're being asked at a high level, so at board of directors meetings, at senior executive leadership team meetings, at town hall or community meetings, security and cybersecurity are being talked about, and, you know, the question is always, "Well, how do you know," right? It's become a more of a conversation about well how do you know that you're safe and less of a conversation of, "what technologies do you have in place?"

Brian:
Yeah.

Dave:
It's easy to throw technology at a problem as evidence that you're dealing with the problem. And that's generally the first thing that happens is people become aware of security, the first thing they wanna do is go out and buy a silver bullet technology, or set of technologies, and they don't often take the next step, which is looking for proof that the technology is actually being effective. So, you can see the more mature leaders. You can see the more mature executives are the ones that are, "Okay, great. You've got all the stuff in place, but what is it actually doing? You know, how effective is it being in protecting us, and how are you going on proving that?"

Brian:
Yeah. Yeah, that makes a lot of sense. You know, there's this notion that every dollar you spend, it's reality. But every dollar that you spend on cybersecurity is a dollar that you're not spending on what your core business is, and whether you're a bank, a hospital, or a chemical company, your reason for operating isn't to be secure or comply with something like that, it's to do the core business. So it's, you know, I really see this as another flavor of risk. You know, cyber being another flavor of risk like all the other types of risk that have to be dealt with, and of course in your line of work, there's a number of infrastructure-related risks that could have much more devastating impact than someone's Oracle database getting hacked into, which could, you know, nightmare scenario, lead to the destruction of critical assets, or perhaps even harm to human life, so the stakes are of course a lot higher.

Dave:
The stakes are a lot higher. And you're right, it is about risk mitigation, and I think that's probably a good telling point when you're having a conversation with leadership. If leaders are asking questions based on a risk discussion, you're much more likely to come to a good, well thought out strategy than if they're asking the questions based on, well, what do the regulations require us to do, or what's the minimum we can spend, or, you know, can you show me the profit generation, or the return on investment. Those are kind of the wrong questions when you're speaking about those things from a risk perspective. It's risk avoidance and risk mitigation. Those are the right things to be asking. And then it becomes less about, you know, how much money are we spending, and more about what's the impact that we're avoiding? And what's the risk we're willing to accept going forward?

Brian:
Yeah. You know, again, talking about executive leaders and boards, I know when you get to that level in an organization, the metrics, and the KPIs, and the requirement for measurements, I mean they've got KPIs for measuring KPIs, as they need to, because, you know, you're running a large organization, you're beholden to your shareholders and stakeholders, and other individuals. How important is it, are you finding, to be able to measure that security effectiveness, and really show value for security controls in this industry?

Dave:
Well, it's important for a number of different reasons. Probably the number one reason to have it is so that you know unequivocally that the technology that you invested in, that the resources you invested in, the people you've invested in, are actually functioning the way they're supposed to be, and the way everyone thinks that they are. That way you don't have to worry, "Am I gonna be hacked, or am I gonna miss something?" You still have to worry about that, but you don't have to worry about missing it because something was misconfigured.
Dave:
Some of the other benefits are back at that misconfiguration, where you can find out hey, this thing's not set the correct way, or a change was made that impacted the way that it works, and even though you didn't know that, but if you've got a way to test it, and you've got a way to measure it, then you know when changes are made that you can track down and figure out okay, well how do we either back that change out, or what else do we need to do to make things work again? And you're not waiting for some bad thing to happen, and then the investigation for what happened, and you come to find out that, "Oh, well a change was made, and it bypassed our security controls, and we didn't know it." So you don't wanna be stuck in that situation, so having a way to measure whether things are still working the way that you've implemented them, and that you actually implemented things correctly, that's invaluable.

Brian:
Yeah, that was great. I really loved the way you framed that, and I think it puts it into a very realistic perspective in terms of, you know, there's the philosophy of how to approach these things, and then there's the real rubber meets the road and how it has to be done to be effective. Well, thanks so much for that Dave. And before we wrap up, I'd like to ask this one final question to all our interviewees. I'm very excited to ask this to you today because we are both fans of the comic book genres. We attend the cons. You, I know, attend the comic cons all over the country, but who is your favorite superhero or super villain and why?

Dave:
Comic books or movies?

Brian:
Let's say either one.

Dave:
Either one, okay. Well my favorite always, and it's kind of an obscure one, there's a Canadian superhero team called Alpha Flight, and one of the founding members of Alpha Flight was a character named Sasquatch. And for some reason, I always just really enjoyed the character Sasquatch. He changed from kind of a nerdy scientist kinda guy into this super strong, super powerful being, but he didn't have the downsides of the whole anger issues, memory loss pieces that Banner had to deal with as the Hulk.

Brian:
I love it. I'm thinking back to the first time I ever saw an Alpha Flight comic book, and I actually think it was a crossover of X-Men and Alpha Flight. And of course, they had that Canadian connection through Wolverine, right?

Dave:
Right.

Brian:
And that's how it got brought together. Awesome. Well, thanks Dave, and thanks to all our listeners for joining, and be sure to check out other Security Effectiveness Podcasts sponsored by Verodin.