An Interview with CISO Shawn Irving: Why Machine Identity Protection Is Critical to Privileged Access Management

April 23, 2019 | Robyn Weisman

Shawn Irving, CISO of Ferguson plc, has had a longstanding association with Venafi. He deployed Venafi at his two previous companies, and during his interview for our ebook 7 CISOs Explain Why You Need Machine Identity Protection, Shawn joked that perhaps he deserves a customer loyalty card. At the same time, Shawn made it clear that he doesn’t use Venafi in the hopes of nabbing a free dinner with our CEO Jeff Hudson (although he would welcome it). Instead, Shawn has used Venafi at so many companies because he believes today’s digitally distributed organizations must have control over their machine identities for operational and security reasons.

As with my interviews with CISOs Billy Spears, John Graham and Justin Metallo, only a tiny portion of my interview with Shawn made it into our ebook—and like the other CISOs I interviewed for the project, most of the great insights Shawn provided ended up on the cutting-room floor. The purpose of this interview, as with my interviews with the aforementioned CISOs, is to provide you more of Shawn’s insights into the importance of machine identity protection.

Robyn Weisman: You used Venafi at your previous two companies. Does your current company use our platform?

Shawn Irving: Not yet. However, I recently asked my CIO about his top IT headaches, and he actually said, “The only thing more irritating on an operational level than firewall issues are unexpected expiring certificates!” I mentioned Venafi and learned he successfully used Venafi at his previous position. So, he has a sympathetic ear to this problem from an operational perspective.

Robyn: So, Venafi is already seen as an operational solution, something that protects you from liability.

Shawn: Yes. And it’s definitely on our roadmap after we do a maturity assessment of our current program. Because my current company is headquartered in Europe, we are using the ISO 27000 framework standard, which is more of a global security standard than NIST, to determine our roadmap. One of the things that no doubt will stand out are gaps in our coverage around user and machine identities, and part of closing that gap is getting control over our certificate and key management. From there, we’ll prioritize it against other gaps, and then address our program as a whole.

Robyn: Once you complete your audit, how do you use that outcome to prioritize which security projects to fund?

Shawn: We take the control objective that exists in the ISO standard, and for each one of them, we evaluate ourselves against how mature our information security program is at delivering against that objective. We use a scale of 1-5, which is a CMM-style (Cybersecurity Capability Maturity Model) measurement. So, if we’re at a 1 in a certain area, and we want to be at a 4, we figure out if achieving that requires a capital project or a baseline initiative that causes us to invest in people, processes or technologies to advance to that level of maturity.

Then each objective is weighted based on the relative importance from our perspective of that objective against the other objectives in its domain. We weigh the domains by their relative importance to us across the board, and then we roll all of that up into a single calculation that our program with its thousand-plus controls as defined within the ISO 27000 standard is at, let’s say, a 2. So, to get from a 2 to a 3, I put the focus on these prioritized objectives from this analysis as the basis for creating my investment program.

Robyn: Why is having a machine identity protection solution like Venafi’s so important for today’s organizations?

Shawn: Before companies started paying attention to certificates and keys, they were way down the path of paying attention to IDs and passwords. Before I considered Venafi, I was focused on privileged access from an IBM password point of view. But I soon realized the analogy of applying a privileged access point of view to a certificate and a key was just a natural addition because those keys and certificates were really stand-ins for how we automated system-to-system authentication and authorization in the past.

Robyn: So, what would you say to any CISO who isn’t thinking about machine identity protection at this point?

Shawn: I’d tell them they’re ignoring an obvious gap, particularly when you're dealing with any company that is trying to orchestrate its system communications outside of a closed data center—which is every company on the planet.

When did your organization realize you needed machine identity protection? Let us know in the comments or on Twitter!

About the author

Robyn Weisman

Robyn is a Senior Content Writer at Venafi. She helps enterprise IT vendors pinpoint their marketing challenges and develop content marketing strategies. She worked for several well-known technology trade publications for over 15 years, and has a Master's Degree in Screenwriting from USC.
