The changing role of the CISO

CISO Interview Series: Michael Sutton, CISO, ZScaler

Michael Sutton is the CISO of ZScaler. He has forged a long career working in information security and has seen many changes over the years. We spoke to him at AusCERT 2016 about his career, the changing role of the CISO and what he’s seeing in the world of infosec.

Tell us about your path to becoming a CISO
I’ve done start-ups for most of my career, running research teams. All of the start-ups have been early pioneers in this space. I’d run the malware team doing threat analysis. I’ve been with Zscaler for eight years and spent the first six-and-a-half years of that as the VP of security research.
As a start-up you’re not going to have a CISO on day one but someone’s got to handle the internal security. It was logical that as I was running all the research that it evolved into that role.
What attracted you to the security industry?
Going back, I was always a technology guy – we had the first Commodore 64 in the neighbourhood. When I got into my career and started working for start-ups, I was fascinated by the attack side of the equation.
When I look back, I unconsciously followed the path of the attackers. My first start-up was focussed on network security in the early 90s. Then I moved to web security and, at Zscaler, I’m focused on the client side.
It’s relatively easy to protect servers. They don’t move and limited people have access to them. It’s really hard to protect the end user – they’re mobile, using their own devices and the attackers recognise that. That’s where the challenge is.
What are the things you look at when recruiting security staff?
I find that recruiting for security is really unique. Someone’s educational background is less important to me than in other job descriptions. Some of the best and brightest I’ve had the pleasure of working with over my career have dropped out of school or didn’t go to university.
You tend to get the guy that loved security but didn’t love school. That’s not a bad thing. I look more for what have you done. Have you been involved in open source projects? Have you been involved in various industry initiatives? That tells me about who you are – that’s what attracts me.
What about former black hat security people?
I would have real hesitation in hiring someone with a criminal conviction. Not because I don’t think they can turn around but I start by looking at who is this person. If I’m convinced this person has turned the corner that’s fine. But you have to look at this from a risk perspective.
But I can think of one individual I hired. They had a little brush with the law when they were younger; they were a bit naïve and hacked into a website. As I got to know the individual I got to know this was a childhood mistake and not a reflection of who he truly was.
We’re now in this era when mega-breaches are part of the environment we live in. Are organisations changing their attitude to the protection of customer data? Are companies cavalier with how they are handling data?
When I think about that, my first question is why. Is it because it’s happening more or because we’re hearing about it more? The answer is both.
What is the impact? The most important impact is that security is now being a board-driven impact. Security is at least a quarterly, if not every month, board discussion. It’s also that they want the CISO in the room. CISOs need to adapt to that – they’re not back-room technologists anymore and they need to adapt.
That’s the positive thing – it’s brought security to the forefront.
What are you doing about the security skills shortage?
As a company, you need to ask what are you good at. If you’re a widget factory it will be hard to employ top-level security people. But there are ways to deal with that.
I’m going to start leveraging resources that have better talent so they are an extension of my security team so I don’t have to hire ten of the best and the brightest.
I think it’s a good thing to be outsourcing components of your security.
For us, we have to go after the talent where it is. We have internships for people coming out of school, we need to be adaptive and flexible. I don’t care where they are – if they can deliver, that’s great.
What advice would you give to a new CISO standing in front of the board for the first time?
The CISOs that fail to make that transition are going to succeed.
You have to be able to translate your world into theirs. You’re in a world with technical risk – we had this many incidents and this many computers were infected. You need to translate that into language the board can understand.
For example – you had 20 infections on computers. What does that mean to them? But it’s straightforward to translate that. We had this many breaches that caused this much downtime and resulted in this much productivity loss. That’s something the board can understand.
I also find boards have members that are more technical in nature. Beyond security, that’s the nature of any company. They have complex systems. Find those individuals to help you navigate that world.
We need to be seen as empowering and helping the organisations. For example, lots of people are storing things on Dropbox and that’s causing me a risk. But putting the brakes on that is the wrong way to approach it. There’s too much they can do to get around it. They’re not doing it because they are malicious. They are doing it because it’s helping them in their job.
Look at that and find ways to empower them so they can do what they want but mitigate the risk. Then you’re seen as someone helping employees. That’s what you have to do to be a successful CISO.
Are there particular sectors that are doing a better job at protecting their businesses? What are the lessons they can learn from each other?
There are conservative sectors such as banking and finance but that’s not going to be adaptable to all environments. But you can learn lessons.
Healthcare is an industry that’s getting beaten up and that’s not surprising. I think there are two reasons.
We’re seeing a shift from debit/credit card breaches to personally identifiable information (PII). There are reasons for that. In the US, we’re going to “chip and PIN” so it’s getting harder to do point of sale breaches. And there’s greater awareness in retail because of the breaches we’ve seen. The bad guys are adapting and shifting to the PII side and they’re very attractive to nation states – for example the OPM (Office of Personnel Management) breach in the United States.
But PII is really valuable – it’s more valuable than credit/debit card data.
That’s one reason healthcare has been in the crosshairs – they have really great PII.
Healthcare, traditionally, does not have security at a strong level. That’s why they’ve been hit with ransomware. The ransomware evolution is very interesting. They’re making a lot of money.
The bad guys, when they realise they haven’t infected Joe Blow’s PC but have infected an enterprise computer can ask for greater ransoms.