If you ever get the chance to chat with Billy Spears, CISO of loanDepot, I highly recommend it. I first met Billy when I interviewed him for our ebook 7 CISOs Explain Why You Need Machine Identity Protection. During that conversation he talked about so many topics—from how to talk to your board of directors about machine identity protection to how the classic horseshoe ring puzzle can illustrate the importance of machine identity protection—that when the time came to choose two paragraphs from all that wonderful material, I felt almost crestfallen.
Fortunately, Venafi has a blog you may be familiar with, where we have space to highlight more Billy Spears goodness. In this portion of the interview, he helps me understand how CISOs tend to view machine identity protection and how he, as a CISO, decided to incorporate Venafi in his organization’s privileged access management (PAM) program.
Robyn Weisman: What motivated you to invest in protecting machine identities? Did you experience any “Aha!” moment?
Billy Spears: I didn’t have an “Aha!” moment per se. As the head of a security organization, you try to automate where possible, but there are still so many manual processes to assess. Human error is rampant, especially when thinking about how you’re connecting devices. You have the traditional system outages, along with breakages, reconciliation challenges, and the need for actively monitoring and replacing certificates to ensure a consistently positive user experience.
Given that we’re connecting more and more machines into our network, I knew we needed to protect their identities. You cannot expect a human or group of humans to keep up with even a fraction of the certificates requiring management. It didn’t make sense for me to think otherwise.
Robyn: What were the primary areas you were concerned with? Discovery? Operational support?
Billy: Part of it was discovery, and part was operational support. We had an obvious discovery issue because the number of keys and certificates I was told we had sounded way too low, based on my experience at other organizations.
And I knew we had operational support issues because if you don’t know how many keys and certificates you have, you don’t know what you need to manage them. To me, that was the bigger risk. How are we handling keys and certificates now, and how long does it take us to accomplish whatever we’re doing?
If it’s been taking them, say, 30 minutes to provision each certificate, then from an operational standpoint, you want to ask: If we automate this process, how much time would we save? If, by using automation, we can cut the time down to five minutes or less, we’re saving 25 minutes per certificate—and given the number of certificates that we have, that’s quite a bit of savings from the jump!
Robyn: Was this how you justified your decision to your board?
Billy: No, how I justified it was different. When you enter a new organization, you first want to figure out the landscape and the potential risks. But you need facts to support your instinct. So, I looked for granular facts to support the proposed investment over future quarters.
Once I gathered the facts, I sold machine identity protection as part of a privileged access management program stack. I explained my need to understand all the various connections and managed the organization’s vault of all secured keys, certificates, and passwords.
Robyn: How do you evangelize to other CISOs to get them to invest in machine identity protection, especially in light of the many other priorities they face?
Billy: The way you’ve just framed it is the absolute wrong approach to teach CISOs about machine identity protection. When you take the average CISO, they face so many complex issues every day. We have something like 3,500 different tools to choose from to protect our organizations across seven layers, and inside each layer are complexities that are difficult to contend with.
So, it’s a gray area where we have to compare logic with reasonableness. Then we have to consider cost and effectiveness. All CISOs are strapped with the cost of investment. So, ultimately, it’s not about machine identity protection or a firewall. No, it’s a CISO saying: What do I need to protect my environment, and what level of maturity do I need to achieve that over some period of time?
Robyn: But it seems like CISOs, among others, tend to forget about or discount the importance of machine identity protection because machines for the most part don’t talk.
Billy: Machine identity protection is a challenge because people do overlook it. It’s not something in your face. But that’s the risk in this particular scenario. Because when machines talk to your network, we forget the risks they pose just by connecting. Things like discovery, auditability, the consequences of letting certificates expire, and so forth.
So, you need to say: How do I package this into a stack, and how do I maximize the value of the stack to my enterprise? I think the way to sell machine identity protection is as part of an organization’s privileged access management program because you need to understand the true identity of anything that connects to your environment, whether it’s a person or machine. You need that handshake that says: These are authorized things in my environment, and they have the approval to do whatever they need to do for their specific roles throughout their life in your company.