Cybersecurity Effectiveness Podcast


Mark Weatherford

"Four out of every five security incidents in some form or fashion start in the supply chain somewhere. So, this means that a supplier or a contractor or someone that you've had a relationship with at some point is responsible for almost half of all cyber breaches."

Mark Weatherford has over 20 years of executive-level security operations leadership experience.

Brian Contos:              

Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host, Brian Contos, and we've got a really special guest today. Joining me is Mark Weatherford. Welcome to the podcast, Mark.

Mark Weatherford:      

Thanks, Brian. I'm glad to be here today.

Brian Contos:                

Hey Mark, we've known each other for many, many years, but if you could just give our audience a little bit of background on who you are, what you've done in the past, and what you do today.

Mark Weatherford:      

Sure. I always feel like I need to go through my entire history when I get a question like this. I actually spent a career in the United States Navy. I was a cryptologist, but most people know more about cryptology than I do. I got into the security business really early on and it kind of launched my career, the rest of it. I was in grad school in the early nineties and I wrote my thesis in 1994 on information security. At the time there was nobody, I felt like there was nobody else in the world that really knew anything about information security, because as you're doing research and you're trying to talk to people and there was just ... there was hardly anybody that knew anything about what I was talking about.

Brian Contos:                

Sure.

Mark Weatherford:      

Anyway, it was an interesting ... it changed my path. After I got out of the navy, I ended up working in state government. The governor of Colorado hired me as the state's first Chief Information Security Officer, and then we built a really nice program there. I worked with the state legislature and we created the first state law codifying the CISO role and giving me a budget and responsibilities and all that kind of stuff. And then governor Schwarzenegger in California apparently liked what I had done in Colorado and they asked me to come out to Sacramento and build a security program for the state of California. So, I did that and I was there well through the end of the Schwarzenegger administration.

Mark Weatherford:      

Then I thought I was going to come back to Colorado, but I ended up moving to Washington DC, working at the North American Electric Reliability Corporation as their Chief Security Officer, and that was where I worked with all of the utilities across the United States and actually in Canada as well. Great job, great community, very relevant mission. It was probably the most fun job I ever had.

Brian Contos:                

Yeah. And I think that's when we met Mark, when you were the CSO for NERC—

Mark Weatherford:      

Yep.

Brian Contos:                

And I was doing quite a bit ... I still do today, but that's when I was doing a lot of work with a lot of the power and energy companies of the utilities, Idaho National Labs and project dates—

Mark Weatherford:      

Exactly.

Brian Contos:                

And all that. Yeah, absolutely.

Mark Weatherford:      

Yeah. And so I thought, literally thought, that was going to be the last job I ever had. Then I get the call from the White House asking me if I would be interested in going to DHS and being the Deputy Under Secretary for Cybersecurity. I never thought that I would go back into government, but you can't turn a job like that down.

Brian Contos:                

Yeah.

Mark Weatherford:      

And that was a ... it was an incredible experience there working, in the executive branch with the White House and all of the civilian federal agencies. But also there I spent a lot of time with the legislature as well. Really kind of explaining, talking about various security issues. We had a huge budget at DHS that everybody wanted to have a little input into. But anyway, it was a fun ride. I left there and went to work at the Chertoff Group and helped build the cyber practice there. And then about three years ago, in fact, almost exactly three years ago, I did something that many of my friends thought was insane and I left and joined a small security startup company out in Silicon Valley, and that's where I am today. I'm at vArmour and we're building technology that I think is game changing, it's certainly being validated with our customers right now in the value that it's providing. Anyway, that's kind of Mark Weatherford over the last 30 years.

Brian Contos:                

Well, and Mark, you left out what I think is the most important part, which is you and I went to the same university. We're both Wildcats. And we know the Bear Down song. Well, I don't know if I know it anymore.

Mark Weatherford:      

Bear down Arizona, that's right.

Brian Contos:    

Awesome. Awesome. Well, Mark, you mentioned vArmour, so let's start there. You have this awesome background, starting with cryptology and then working in various forms of state and federal government. But I know vArmour, and I think a lot of our listeners know vArmour's a cloud security company and you work with customers on private and public and hybrid cloud evolution. But what are some of the biggest mistakes you're seeing companies make in this area today? You're exposed to small, medium, large, all of the different verticals and geos, what are the problems?

Mark Weatherford:      

Yeah, well, you can imagine that there are a lot, but I think probably the most significant issue is that people assume that when they move to the cloud, the cloud security provider is magically responsible for all the security issues. So, what I tell people is that the cloud security providers are responsible for security of the cloud, but the users themselves, they remain responsible for security in the cloud. What that means is that the cloud service provider takes care of the native security controls that include things like protecting the compute, storage, database and network environments, ensuring that the platform is available, and providing some basic tools for the cloud environment.

Mark Weatherford:      

But the key point there is that the end user is still responsible for the users, their endpoints, malware, customer content and data, their source code, their intellectual property, their applications, all of that. That still remains their responsibility. And the way I ... An example I use is, if you have a rogue employee that does something bad, that's not the cloud service provider's responsibility. If you have a piece of malware or ransomware that infects your environment, that's your responsibility, that's not the cloud service provider's responsibility. So that's probably the biggest kind of mistake I think that people make.

Brian Contos:                

Yeah. You can't just offload your risk. One of the things that I've noticed, and I'm sure you've seen this as well is, the cloud by design is generally relatively flat. If you have a classical data center design, it's pretty hard for you to accidentally stick the database on the wrong side of the firewall, on the Internet facing side of the firewall. You could, but it would be kind of a silly mistake. And in the cloud it's ... it could be a simple, you mistyped a certain configuration and boom, boom, boom, you have no idea that now your sensitive data is not being protected and you can't offload that risk, right? I think the same things that we applied on prem, we have to think about in the cloud. I hope most organizations have gotten past that notion that I'm completely offloading my concern with risk. They'll take care of all of it because it's simply not the case.

Brian Contos:                

What's most surprising to you? You're working with these customers and they're on their journey to the cloud. What's the thing that shocked you?

Mark Weatherford:      

Well, I think three things that I continuously refer to. The first one is flat networks. And you said it, the cloud is just relatively flat by its nature. But, network segmentation has always been one of those tools in our security toolbox, where we carve a network up into enclaves for various levels of security, but also to limit and control the spread of a security incident. Virtualization hasn't changed the value of segmentation, but I think it's rather ... it's kind of exacerbated the potential problem, since workloads now move around in multi-cloud environments and are no longer defined by a physical data center. Micro segmentation at the workload level makes it possible to protect workloads really wherever they go and in real time. Three years ago, micro segmentation was considered something new and unique, but today it's an expected security practice.

Brian Contos:                

Sure.

Mark Weatherford:      

The second thing is visibility. We have spent boatloads of money over the years securing our north/south perimeter traffic with very little insight, frankly into our internal networks. And so once again, virtualization and containerization have exacerbated the east/west traffic problem, because as workloads move around you just ... unless your environment is instrumented to see it and collect the data, you're probably missing like 80% of the traffic information that's flowing east and west inside your environment.

Mark Weatherford:      

And finally, I would say application awareness. Asset and configuration management have always been a challenge for us, and in the hybrid cloud world, it really hasn't gotten any better. Most people still don't know what applications they have running in their environments.

Mark Weatherford:      

A quick story, back in the late nineties when I was still on active duty in the navy and we were transitioning to this new program called the Navy Marine Corps Internet, or basically we were, we were consolidating all of the infrastructure and data centers across the entire Navy and Marine Corps. You can just imagine what a huge challenge this thing was. But one of the things that we did was, we had every navy organization in the world survey what kind of applications and in how many of them they had. I think at the end of ... I can't remember the exact numbers, but the number was something like 30,000 applications across the Navy and Marine Corps.

Mark Weatherford:      

The interesting thing about that was when we actually began the transition and over the next couple of years, that we found that the number was probably closer to 60,000 than 30,000.

Brian Contos:                

Of course.

Mark Weatherford:      

And I'm no longer shocked today to see that most people still don't know. I think you still have that kind of problem because people just don't ... and this isn't a criticism because I know how hard it is because things change on a daily basis. And we've talked about Shadow IT for years. And again, that problem has exploded with the cloud because now instead of ... If I'm a user in an organization, I don't have to go and put a requisition to go buy an application, I can just whip out my credit card and go to Amazon or one of the other providers and buy an application in the cloud.

Mark Weatherford:      

So, I guess my point, and I know it's a cliché, but you can't secure what you don't know about, and I think companies need to get a better handle on their application footprint. Really this is one of the things that the vArmour does, through our micro segmentation, visibility and application awareness tools, we're able to help companies to do that.

Brian Contos:                

Yeah. I know there is an area that you've spoken on in the past that's related to this, but a little bit of a different track and that's supply chain.

Mark Weatherford:      

Yeah.

Brian Contos:                

I'd like to kind of dive into that for a little bit. What makes you concerned about cybersecurity aspects in the supply chain today?

Mark Weatherford:      

Well, it's interesting, I just read a Bruce Schneier piece this morning, actually no, it was Brian Krebs. It was on Bruce Schneier's blog, but it was a Brian Krebs interview with Tony Sager, and they were talking about it. But supply chain, it's a subset of ... or supply chain cybersecurity, I should say, is a subset of the broader supply chain risk management issue. When you think about ... We've always worried about that. We always were worried that the product that we're going to get, whether it's software or hardware, has either been tampered with or compromised in some form or fashion. But essentially, I think supply chain cybersecurity is really focused on IT systems, rather than what we typically think of as logistical, getting stuff from point A to point B. But as we all know, the threat and vulnerability environment that we live in today makes the supply chain very, very susceptible to cybersecurity compromises. So, I think it's important that we consider really carefully how those risks impact the delivery of products and services.

Brian Contos:                

Let's get into some details on that if we could. Are there ... You've been exposed to this for a while and speaking about it and researching, et cetera. What are some good examples about some issues in the supply chain as it relates to cyber?

Mark Weatherford:      

Yeah. Well. So, I think, probably the biggest and most recent example is the Bloomberg report on Supermicro last month. And while that wasn't a ... it's been denied by almost everybody I think, but Supermicro stock dropped 41% after that article came out. And if you think about it, whether it's true or not, it's exactly what we've always worried about, is somebody installing a component on a piece of hardware that can surreptitiously send mail home without us knowing about it. I think that's probably the most relevant recent example. But if you look also, I think another really good one would be the article in Wired Magazine, I think it was August or maybe it was September, on NotPetya, probably one of the best, an unbelievably great article on the impact of malware. If you remember, and I'll just go over it really, or highlight it.

Mark Weatherford:      

Maersk Shipping, Maersk is like, they're responsible for like 20% of the entire world's shipping capacity. So, if you think about it, one in every five ships out in the world on the ocean today is a Maersk ship and it's delivering products. They have like 500, almost 600 offices around the world, 80,000 employees in 130 countries, and about 800 ships. NotPetya put this entire company out of business for a significant period of time. And so, when you think of this from a supply chain perspective, all of their customers who are depending on ... for frozen foods, fresh foods, raw materials, retail products. The entire supply chain was disrupted because of NotPetya.

Mark Weatherford:      

It had a profound impact. In fact, that cost, I think it cost Maersk like $300 million. So, those are ... and there are other supply chain issues not necessarily cyber-related, but you may remember earlier this year there was a fire at one of the suppliers for Ford Motor Company, where they build their F-150s. It basically, it stopped the production of the F-150 for several weeks, and that's their most popular, most revenue producing vehicle. It's just that those are examples of how disruptions in the supply chain can be incredibly disruptive to a company.

Brian Contos:                

Yeah. And one of the interesting things is, you mentioned the stock price and it always makes me think, especially these cybercrime organizations that have close ties to financial investments and what a great way to bring down the value of a stock. Some of these, put option type opportunities, right?

Mark Weatherford:      

Yep, exactly right.

Brian Contos:                

And or buy low and then ... With the notion that it's probably not going to stay down forever and it's probably going to take a rebound, but boy, 41% savings, right?

Mark Weatherford:      

Yeah, what a great ... Think about it, if you were in fact of mind to do that, that stock came back. Of course, it came back, but if you were at the right time, holy cow, you can make a lot of money.

Brian Contos:                

Yeah. Yeah. And I'd probably venture to guess that there's people that have done exactly that in these cases.

Mark Weatherford:      

Yup.

Brian Contos:                

So, are there some statistics around this? What are some of the relevant stats that we can look at?

Mark Weatherford:      

Well so, and I cobbled together a few things here because I wanted to have the numbers right. Unfortunately, I don't have the source for all of this right at my hand, but if anybody wants it, they can contact me. 80% of all security breaches originate in the supply chain. And so, when you think about it, four out of every five security incidents in some form or fashion start in the supply chain somewhere. That's a pretty profound number when you think about it. And then, 45% of all breaches are attributed to past partners. So, this means that a supplier or a contractor or someone that you've had a relationship with at some point in your past, and maybe not today, is responsible for almost half of all cyber breaches.

Mark Weatherford:      

This is a big one. And this is one kind of going back to our first conversation about cloud and visibility: 72% of companies don't have full visibility into their supply chain. And what this means is that you're buying products, and whether it's raw materials or computers, you don't understand exactly where that's ... You may understand one step back in the supply chain where it's coming from, but you don't understand the provenance of this thing. Where did it begin? Who has touched it? Who has put products into it at some part in the supply chain? 59% of companies do not have a process for assessing cybersecurity of third parties. This is a huge problem. We did this, we started putting in ... you were part of this too. We started putting language in our contracts about a decade ago that said, if you're going to sell stuff to us, you have to meet a certain threshold of security within your own organizations. And I still think a lot of people don't do that.

Mark Weatherford:      

So anyway, that's a few statistics you might find interesting.

Brian Contos:                

Yeah, yeah, no, absolutely. And I don't think ... the thing is, I don't think it's shocking to most people, that they don't have this level of visibility or this idea of some type of control over what's going in and out of their environments. So, what can companies do? What are some of the steps that can be taken?

Mark Weatherford:      

Yeah. And again, I don't mean to make it sound easy, because it's not easy. But what I encourage people to do and what I've always done is know your vendors, map the supply chain and identify who your most critical vendors are. Not all of our vendors are life threatening for our company. The company that's delivering bagels and water, while they're part of your overall supply chain, your company doesn't depend on that. But you may have a vendor, you may even think that you're spreading your supply chain risk out by buying from three different companies, but if you move one step further back in your supply chain, you'll find that all three of those companies are buying from one vendor. So, if that vendor goes out, then you've lost your diversity in your supply chain.

Mark Weatherford:      

I think identify your sub-tier suppliers that have critical IT components that are embedded in your products. So, whether it's hardware or software, you want to know where that came from. And again, it's not easy to do that, especially when you have a supply chain that may have 30 or 40 or 50 tiers in it. And then I think, know without a doubt what information or IT systems your vendors can access. Every one of our companies, and whether you're a private company or a government agency, you have vendors that are connecting to your network, that are hitting your website, that are somehow getting inside your IT environment. You need to know who those are and what level of access they have within your environment.

Mark Weatherford:      

I think ensuring, and again, this is a cliché in our business, but ensuring that the CISO's team is integrated into the procurement process, into the vendor assessments and into vendor management. That way, as you're contracting a procurement, folks are making decisions. The security team may say, "Well, wait a minute, that product or that vendor has a horrible reputation or has just had a big data breach themselves." We stay in touch with these issues in our sphere of influence. And oftentimes, I think other people within the companies don't necessarily have that level of insight into that.

Mark Weatherford:      

And maybe finally, conduct regular briefings on the threat environment within your company. And again, if you're in IT or security, you're pretty in tune with this, but the rest of the company may not be. It's kind of like the cybersecurity awareness training we always do. Make sure that everybody, especially those in your procurement and acquisition organization, are part of that, that they're aware of what's going on.

Brian Contos:                

Yeah, I think that's very sage advice, Mark. But I would probably say that sometimes the bagels are pretty critical to the organization, I don't know.

Mark Weatherford:      

That's true. You're right.

Brian Contos:                

But let's have ... Let's just do one more question here for you, and that's, who's your favorite superhero or super villain and why?

Mark Weatherford:      

Yeah well, I have always been a Batman fan and everybody loves Batman, and why? Because he's there to save the day. But I would say, there's a finite number of those kinds of superheroes. One person that I ... I said this at an event recently and people looked at me odd, but I think Elon Musk is a superhero. When you look at what that guy has done, and listen, he's not a perfect individual by any means, but you look at what he's done. A quote I saw of him recently kind of puts it all into perspective, just from a work perspective. He said, "Work like hell. I mean, you just have to put in 80 to 100 hours every week. It improves the odds of success because if other people are putting in 40-hour weeks and you're putting in 100-hour work weeks, you're going to get the same stuff done in four months that it takes them 12 months to do."

Brian Contos:                

Yeah.

Mark Weatherford:      

And he is legendary for his work ethic and his hard work. And yeah, he's done some wacky things, but I just ... you think about what this guy has done, both with Tesla, with SpaceX, with The Boring Company. We need people to think ... We need more people thinking big like Elon Musk does.

Brian Contos:                

Yeah, it's hard to imagine somebody thinking bigger than Elon Musk. What I wonder though, because you brought up Batman as well, is who's going to play him in the Elon… Is it going to be a George Clooney, a Christian Bale, a Ben Affleck, since they played Batman? Maybe it's, I don't know, we'll see.

Mark Weatherford:      

I don't know. That's a good question.

Brian Contos:                

Awesome. Hey Mark, thanks so much for taking time out of your day to join us in this podcast and thanks to all our listeners for joining. Be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.
