Afni's Brent Deterding on deploying MFA for 10,000 employees and becoming "the Happy CISO"

Written by Thomas Kinsella

In this week’s episode of The Future of Security Operations podcast, I'm joined by Brent Deterding. Brent has over 25 years of experience in security, both on the vendor side and now as a security leader. He spent a big part of his career with cloud-native security analytics platform SecureWorks, and he’s currently the CISO of Afni, a global provider of contact center solutions in the U.S., Philippines, and Mexico.

Brent and I discuss:

  • His unconventional path to becoming a CISO

  • Building a security team with zero attrition

  • Removing the burden of stress in incident response

  • Strategies for risk prioritization

  • Facing off against cybercriminal group Scattered Spider

  • Why prioritization and leadership are among security's biggest challenges

  • Being dubbed "the happy CISO" after reporting high levels of job satisfaction

  • Brent's four security non-negotiables

  • The right way to approach CISOs as a security vendor

  • Measuring success when you're metrics-averse

  • What the SOC will - and should - look like in five years

The Future of Security Operations is brought to you by Tines, the smart, secure workflow builder that powers some of the world’s most important workflows.

Resources mentioned:

How to connect with me as a vendor by Brent Deterding on LinkedIn

In this episode:

[01:56] Brent's unconventional path to becoming a CISO

[04:10] Finding the right fit at Afni

[06:09] Separating his identity from his job and removing the burden of stress

[10:22] Why Brent sees risk prioritization and leadership as security's biggest challenges

[13:02] Brent's first steps as CISO at Afni including deploying MFA across 10,000 employees

[16:29] Going up against threat group Scattered Spider

[17:43] Brent's custom risk frameworks

[23:03] Measuring success as someone who's metrics-averse

[26:19] How Brent developed his unique leadership style

[29:13] Supporting his team to do their best work

[31:55] Brent's tips for security vendors

[36:07] Using AI for resilience and protection

[39:20] What security could and should look like in five years

[42:53] Connect with Brent

TL;DL? Read Brent's take on…

Evaluating risk:

"My CEO stopped me and he goes, 'Brent, let me tell you right now, I don't give a damn what some maturity score says. I want to know that we're mitigating risk.' And I was like, 'You're my guy!' I don't need to spend six months and $50,000 or $100,000 on an assessment to say, 'Hey, that's a problem.'"

His top priorities as CISO:

"I identified four hills that I would absolutely die on as a CISO. One of them was 100% strong MFA. For me, that means YubiKeys. Every single employee has them, no question, no qualms. Another was no BYOD... for bulk access, like someone's laptop, VPN, things like that, no BYOD, only by corporate devices. Third, 100 percent EDR coverage. Every single device, 100% EDR, no questions. And fourth is rapid patching of any external vulnerabilities."

"Stress is not a burden for me because I feel no stress over things that I do not control. I learned the hard way in operations where you're talking to someone on the other end of the phone who's having the worst day of their year, if not their career, because of a breach, and emotions are hot. If you take that personally, you're going to be one miserable human being."

Risk prioritization:

"How do companies lose money? Ransomware, BEC. Funds transfer fraud is kind of a subset of BEC, in my opinion. What are the vectors for that? Phishing, stolen credentials, external vulnerabilities. So if I do those four things that I mentioned, does that almost entirely mitigate all those very common risks? Yeah. How much money do I spend on those things? Not much."

Efficiency:

"It's an Elon Musk quote, I think, that the biggest mistake smart engineers make is they optimize the process that should not exist. So all too often we look at things like, 'Oh my God, we took 70,000 alerts a day and got it down to 70 a day, that's a huge win.' Yes it is, but it's an even bigger win if you can start with 10 a day."

"Tell me a plausible story where not doing this causes significant negative impact. And if I can answer that question like that, we better fix it. And if I can't answer that question, or if the question is three, four levels of theory down, that's a lower priority."

Measuring success:

"I am a little bit metrics-averse. I like telling the story. I like mitigating risk. I don't put any metrics around that. Other people may have to, that's your culture, whatever, but it works for me."

His first three years at Afni:

"Year one [as a CISO] was kind of like, 'Hey, here's what we're doing.' And we were busy, we had a lot of stuff that we were getting out. Year two was really maintenance mode, like, 'We've done a whole lot of stuff, now we're going to go crank it down a little bit in some defined areas.' Year three, where I'm in now, is make security boring. Nothing in my world is urgent. There are important things all over the place, but nothing in my world is urgent, at least from a cyber incident perspective."

"What were the biggest problems in cybersecurity 30 years ago? Passwords and patches. What are the biggest issues today? Passwords and patches. Are we getting better in 30 years? Maybe. It's arguable. There's nuance there. But the basics work. They dramatically simplify the entire equation, and, frankly, make life more enjoyable. I hope that we have a renewed focus on the basics."
