Elastic’s Mandy Andress on switching from a tech-first to people-first approach to security

To kick off season 5 of the Future of Security Operations podcast, I’m joined by Mandy Andress. Mandy is the Chief Information Security Officer at Elastic, a leading platform for search-powered solutions, and has more than 25 years of experience in information risk management and security. Before Elastic, Mandy led the information security function at MassMutual and established and built information security programs at TiVo, Evant, and Privada. She also founded an information security consulting company with clients ranging from startups to Fortune 100 companies.

In this episode, Mandy and I discuss:

Her move from accounting to security
Why she was drawn to Elastic's employee-centric culture
How her role at TiVo in the early '00s shaped her view of privacy
Switching from a technology-first to people-first approach to security
Recognizing the human factor in incident response
Embracing asynchronous operations on dispersed teams
The importance of bringing your authentic self to work
Staying technical as you move into leadership
How she puts her law degree to use as a CISO
Balancing compliance and overall security posture
Collaboration and knowledge sharing within the CISO community
Elastic's approach of knowledge sharing by default
How prioritizing analyst time will be critical in the future of SecOps
Adopting an infrastructure-as-code approach
Balancing between proactive security measures and reactive responses
Building a culture of security across the organization
Tips for surviving in security operations in tech

The Future of Security Operations is brought to you by Tines, the platform that powers some of the world’s most important security workflows.

Where to find Mandy Andress:

Elastic

Where to find Thomas Kinsella:

Twitter/X

Resources mentioned:

In this episode:

[01:57] Moving from accounting to security

[02:43] Finding a company with strong vision, culture and business foundations

[05:26] Working in network security in the early days of TiVo

[07:05] What’s changed in security since 2001?

[09:20] A career-long fascination with the human factor in incident response

[10:30] Embracing empathy in her leadership style

[12:25] Finding a workplace where you can be your authentic self

[16:10] Exercising her technical muscles

[17:45] The decision to study law

[21:18] Balancing compliance and overall security posture

[23:35] Knowledge sharing in the CISO community

[24:22] Elastic's policy of being "radically transparent"

[29:20] The future of security operations

[31:29] How her security team works with product engineering

[34:03] Adopting an infrastructure-as-code approach

[35:01] Building a culture of security across the organization

[38:09] Her advice for others working in security in a high-growth organization

[41:50] Baking off security products in her home lab

[44:37] Connect with Mandy

TL:DL? Read Mandy's take on…

What’s changed in security since the publication of her 2001 book, Surviving Security: How to Integrate People, Process & Technology:

“When I wrote the book, we were focused on technology, then process, then people, myself included... Today, it’s the opposite. People, process, technology is what's needed to be successful. And I've been really pleased over the last couple of years to see, in the security industry, much more of a focus on the people side of things. Empathy certainly, but also just tying in psychology, and behavioral science into understanding how people operate and creating solutions that work with that. Versus what we're trying to do before, which was to have people fundamentally change how they behave as a human, which isn't a isn't an easy thing to do or a good thing to do.”

Bringing her whole self to work:

“Elastic is the first place that I've worked where truly I could be my full authentic self and fully supported. I’ve thought a lot about it, and probably the key advice that I would have for anyone is that if you can't be yourself at an organization, you need to go somewhere else. And it's easy to say, hard to do at times. At least for myself, now being in an environment where I can be fully authentic, recognizing the stress, the energy, the toil that it takes to work in a different type of environment, it's not something that I would wish on folks. And I really encourage, if you have the opportunity, to find a place where you can be your authentic self.”

Putting her law degree to use:

“I confused a whole lot of people like, ‘What what are you going to do with a law degree? So are you going to leave and be a practicing lawyer? No, that was never the intent. I use every day what I learned in law school, and a lot of it is interpretation of legislation and regulations and understanding the mindset of folks writing those. So we're a much heavier regulation-driven world, certainly in security, so it's about being able to understand how that process works, how those get written, how to understand the intent behind them, being able to translate a bit more into what's real, what you need to implement in your organization and where you need to go ask questions.”

To me that's the only way to be successful, you need to understand what didn't work for you in the past. But you also need to understand what does this organization expect? And be open to the fact that what you did before may not work, and if you try it, it may create more harm than good.

Developing a transparent security culture at Elastic:

“I was able to look at all those things that I said in my past, ‘If I had the time to do this over again, this is what I would do.’ Well, I had that time now so let's let's try some things out. And one of them was, we call it internally being radically transparent. And really our default is to share unless we can't. And there are some things that we can't share internally, some things we can't share externally. But our default is to share, whereas everywhere else I worked, the default was to not share. And for me, anyway, I see a tremendous difference just in the overall security culture... I think folks like to really understand the why and without that, aren't necessarily sure of their role in security.”

Creating a culture of security across the organization:

“One of those key lessons, if I could build a program over again, was making sure that from the very beginning, everything was collaborative and not an information security team that's going in and telling everyone across the organization, ‘This is exactly what you need to do’. Because there are thousands of ways to meet a security objective and work with teams to understand what's the best way that works for them."

The future of the SOC:

“How a SOC works hasn't changed all that much. And I think we still spend a lot of time trying to find information. Yeah, we can automate, and we can find ways to bring that in and faster. But I think there's a next leap that we can make, and I'm not entirely sure what it looks like, but really getting security analysts to be able to spend their time where it's valuable in doing that analysis and understanding how their environment is operating, understanding what should or shouldn't be happening in their environment, and what’s the impact of that.”

There are likely folks at the organization who are much more technical than you are in the security space, really understand the risks that are potentially coming your way. So it's important to be very open to hearing all different perspectives and feedback and ideas.

The infrastructure-as-code approach:

“One of the biggest issues in security oftentimes is the documentation piece of it - why did we do something? What's the rationale for this? And if you're doing an infrastructure-as-code approach, that's one thing that you can enforce a bit more... Often times you might have a separate document, but as things get changed and adjusted, those documents aren't necessarily always kept up to date. So I like the infrastructure-as-code approach. One of the big benefits is having that log of information, it also helps with errors and repeatability as well.”

The importance of flexibility:

"You're moving fast, your priorities and your focus could change daily, sometimes hourly, if you're really early-stage and moving quickly. So finding that way to balance - what are the things that we need to do to continue to move forward? And what are the ways that we need to manage the reactions and pivots that the company is making? That's probably one of the hardest things in an early-stage high-growth organization. It's just finding that right balance, you could very quickly just fall into being fully reactive. And miss that there might be some key strategic directions you need to shift in your overall program not to be ready for where the organization is going.”

Listen to more episodes of the Future of Security Operations podcast.