Shawn Irving, CISO of Ferguson plc, has had a longstanding association with Venafi. He deployed Venafi at his two previous companies, and during his interview for our ebook 7 CISOs Explain Why You Need Machine Identity Protection, Shawn joked that perhaps he deserves a customer loyalty card. At the same time, Shawn made it clear that he doesn’t use Venafi in the hopes of nabbing a free dinner with our CEO Jeff Hudson (although he would welcome it). Instead, Shawn has used Venafi at so many companies because he believes today’s digitally distributed organizations must have control over their machine identities for operational and security reasons.
As with my interviews with CISOs Billy Spears, John Graham and Justin Metallo, only a tiny portion of my interview with Shawn made it into our ebook—and like the other CISOs I interviewed for the project, most of the great insights Shawn provided ended up on the cutting-room floor. The purpose of this interview, as with my interviews with the aforementioned CISOs, is to provide you more of Shawn’s insights into the importance of machine identity protection.
Robyn Weisman: You used Venafi at your previous two companies. Does your current company use our platform?
Shawn Irving: Not yet. However, I recently asked my CIO about his top IT headaches, and he actually said, The only thing more irritating on an operational level than firewall issues are unexpected expiring certificates! I mentioned Venafi and learned he successfully used Venafi at his previous position. So, he has a sympathetic ear to this problem from an operational perspective.
Robyn: So, Venafi is already seen as an operational solution, something that protects you from liability.
Shawn: Yes. And it’s definitely on our roadmap after we do a maturity assessment of our current program. Because my current company is headquartered in Europe, we are using the ISO 27000 framework standard, which is more of a global security standard than NIST, to determine our roadmap. One of the things that no doubt will stand out are gaps in our coverage around user and machine identities, and part of closing that gap is getting control over our certificate and key management. From there, we’ll prioritize it against other gaps, and then address our program as a whole.
Robyn: Once you complete your audit, how do you use that outcome to prioritize which security projects to fund?
Shawn: We take the control objective that exists in the ISO standard, and for each one of them, we evaluate ourselves against how mature our information security program is at delivering against that objective. We use a scale of 1-5, which is a CMM-style (Cybersecurity Capability Maturity Model) measurement. So, if we’re at a 1 in a certain area, and we want to be at a 4, we figure out if achieving that requires a capital project or a baseline initiative that causes us to invest in people, processes or technologies to advance to that level of maturity.
Then each objective is weighted based on the relative importance from our perspective of that objective against the other objectives in its domain. We weigh the domains by their relative importance to us across the board, and then we roll all of that up into a single calculation that our program with its thousand-plus controls as defined within the ISO 27000 standard is at, let’s say, a 2. So, to get from a 2 to a 3, I put the focus on these prioritized objectives from this analysis as the basis for creating my investment program.
Robyn: Why is having a machine identity protection solution like Venafi’s so important for today’s organizations?
Shawn: Before companies started paying attention to certificates and keys, they were way down the path of paying attention to IDs and passwords. Before I considered Venafi, I was focused on privileged access from an IBM password point of view. But I soon realized the analogy of applying a privileged access point of view to a certificate and a key was just a natural addition because those keys and certificates were really stand-ins for how we automated system-to-system authentication and authorization in the past.
Robyn: So, what would you say to any CISO who isn’t thinking about machine identity protection at this point?
Shawn: I’d tell them they’re ignoring an obvious gap, particularly when you're dealing with any company that is trying to orchestrate its system communications outside of a closed data center—which is every company on the planet.