Skip to main content
banner image
venafi logo

An Interview with CISO Billy Spears: Making a Case for Machine Identity Protection

An Interview with CISO Billy Spears: Making a Case for Machine Identity Protection

machine identity protection
January 28, 2019 | Robyn Weisman

If you ever get the chance to chat with Billy Spears, CISO of loanDepot, I highly recommend it. I first met Billy when I interviewed him for our ebook 7 CISOs Explain Why You Need Machine Identity Protection. During that conversation he talked about so many topics—from how to talk to your board of directors about machine identity protection to how the classic horseshoe ring puzzle can illustrate the importance of machine identity protection—that when the time came to choose two paragraphs from all that wonderful material, I felt almost crestfallen.

Fortunately, Venafi has a blog you may be familiar with, where we have space to highlight more Billy Spears goodness. In this portion of the interview, he helps me understand how CISOs tend to view machine identity protection and how he, as a CISO, decided to incorporate Venafi in his organization’s privileged access management (PAM) program.

Robyn Weisman: What motivated you to invest in protecting machine identities? Did you experience any “Aha!” moment?

Billy Spears: I didn’t have an “Aha!” moment per se. As the head of a security organization, you try to automate where possible, but there are still so many manual processes to assess. Human error is rampant, especially when thinking about how you’re connecting devices. You have the traditional system outages, along with breakages, reconciliation challenges, the need for actively monitoring and replacing certificates to ensure a consistently positive user experience.

Given that we’re connecting more and more machines into our network, I knew we needed to protect their identities. You cannot expect a human or group of humans to keep up with even a fraction of the certificates requiring management. It didn’t make sense for me to think otherwise.

Robyn: What were the primary areas you were concerned with? Discovery? Operational support?

Billy: Part of it was discovery, and part was operational support. We had an obvious discovery issue because the number of keys and certificates I was told we had sounded way too low, based on my experience at other organizations.

And I knew we had operational support issues because if you don’t know how many keys and certificates you have, you don’t know what you need to manage them. To me, that was the bigger risk. How are we handling keys and certificates now, and how long does it take us to accomplish whatever we’re doing?

If it’s been taking them, say, 30 minutes to provision each certificate, then from an operational standpoint, you want to ask: If we automate this process, how much time would we save? If, by using automation, we can cut the time down to five minutes or less, we’re saving 25 minutes per certificate—and given the number of certificates that we have, that’s quite a bit of savings from the jump!

Robyn: Was this how you justified your decision to your board?

Billy: No, how I justified it was different. When you enter a new organization, you first want to figure out the landscape and the potential risks. But you need facts to support your instinct. So, I looked for granular facts to support the proposed investment over future quarters.

Once I gathered the facts, I sold machine identity protection as part of a privileged access management program stack. I explained my need to understand all the various connections and managed the organization’s vault of all secured keys, certificates, and passwords.

Robyn: How do you evangelize to other CISOs to get them to invest in machine identity protection, especially in light of the many other priorities they face?

Billy: The way you’ve just framed it is the absolute wrong approach to teach CISOs about machine identity protection. When you take the average CISO, they face so many complex issues every day. We have something like 3,500 different tools to choose from to protect our organizations across seven layers, and inside each layer are complexities that are difficult to contend with.

So, it’s a gray area where we have to compare logic with reasonableness. Then we have to consider cost and effectiveness. All CISOs are strapped with the cost of investment. So, ultimately, it’s not about machine identity protection or a firewall. No, it’s a CISO saying: What do I need to protect my environment, and what level of maturity do I need to achieve that over some period of time?

Robyn: But it seems like CISOs, among others, tend to forget about or discount the importance of machine identity protection because machines for the most part don’t talk.

Billy: Machine identity protection is a challenge because people do overlook it. It’s not something in your face. But that’s the risk in this particular scenario. Because when machines talk to your network, we forget the risks they pose just by connecting. Things like discovery, auditability, the consequences of letting certificates expire, and so forth.

So, you need to say: How do I package this into a stack, and how do I maximize the value of the stack to my enterprise? I think the way to sell machine identity protection is part of an organization’s privileged access management program because you need to understand the true identity of anything that connects to your environment, whether it’s a person or machine. You need that handshake that says: These are authorized things in my environment, and they have the approval to do whatever they need to do for their specific roles throughout their life in your company.

Related posts

Like this blog? We think you will love this.
photo of a broken piggy bank with coins and cash falling out
Featured Blog

Why Banks Need to Protect the Machine Identities of APIs

For that reason, many users may not wish to have account details ma

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Robyn Weisman
Robyn Weisman

Robyn is a Senior Content Writer at Venafi. She helps enterprise IT vendors pinpoint their marketing challenges and develop content marketing strategies. She worked for several well-known technology trade publications for over 15 years, and has a Master's Degree in Screenwriting from USC.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat