[00:00:00] Erick Rudiak: I think what I'd love for people to think about this series is the spirit of camaraderie and the spirit of community that has always been there and information security. And I think one of the really cool things about this series is that it creates a concentrated digestible version of that really enriching, magical experiences, where people who are passionate about their topic. Just to kind of get together and talk. And it's not about getting the predictions right so much as it is about having the conversation.
[00:00:34] Producer: Hello and welcome to security visionaries hosted by Jason Clark, chief security officer and chief strategy officer at Netskope. You just heard from our first guest, Erick Rudiak, senior vice president and chief technology officer of Northwestern mutual.On this show, you'll hear from world-class practitioners and thought leaders like Erick on how they stay on top of the game and networking and cloud security to kick things off. You're about to listen to the first half of a two part discussion on the principles of security transfer. This discussion and the security visionaries podcast are part of a security transformation playbook, a set of new resources from Netskope and some of the industry's most forward-thinking leaders examining the most important issues in security today, before we dive in, here's a quick. From our sponsor,
[00:01:24] Sponsor: The security visionaries podcast is powered by the team at Netskope. Netskope is the SASE leader. Offering everything you need to provide a fast data centric and cloud smart user experience at the speed of business today. Learn more at netskope.com.
[00:01:42] Producer: Without further ado, let's get into episode one of security visionaries with your host Jason Clark.
[00:01:49] Jason Clark: Welcome to Security Visionaries. I'm your host, Jason Clark, CSO at Netskope today. I'm joined by my very special guest, Erick Rudiak air. Okay, how are you?
[00:01:57] Erick Rudiak: I'm great. It's good to see you again. Good to hear you again, get to talk security. Uh, I'm loving it. Thanks so much for the opportunity.
[00:02:06] Jason Clark: Yeah, what we've been, um, we've been talking about this for quite a while, which we'll we'll get into. Right. And so it's nice to, uh, it's, it's nice to seeing this all come to fruition. So we'll talk about that with, uh, with the listeners, but they get started. What, um, do you remember how we first met.
[00:02:21] Erick Rudiak: I think we first met the way that most CSOs are introduced to you, which is they move to a new town. They get a new CSO job and Jason Clark calls him and says, welcome to St. Louis. Um, let's go have dinner. Like let's just talk shop and no, I distinctly remember. I think you were literally the first person who hadn't interviewed me for the Express Scripts. To welcome me to town. Uh, and then like, I'll always be grateful for that. And you were very welcoming,
[00:02:50] Jason Clark: I think, uh, we grabbed sushi. It was sushi, wasn't it?
[00:02:52] Erick Rudiak: You probably offered steak and I redirected, I countered with sushi. Um, and that I can, that that began a long tradition of you and me disagreeing.
[00:03:03] Jason Clark: Agreeing to disagree on lots of topics. Um, and that was probably, what year was that
[00:03:09] Erick Rudiak: That would have been early in 2011 that we met.
[00:03:11] Jason Clark: Wow. That's crazy.
[00:03:14] So tell me, you know, tell us a little bit about, about your journey, right? What got you to the CTO role that you're in now and just, you know, a little bit about that.
[00:03:24] Erick Rudiak: I mean when I think about my, uh, certainly my paths into information risk, I had a number of times in my career where I was fortunate to be both at the right place at the right time and to make the right friends. And so my journey into information risk kind of started in the summer of 1997. I was working at Hewitt Associates, uh, and we had decided that we were not going to be outpaced by our competition to put 401k self-service onto the internet. And this was the time when we were building internet technologies from whole cloth. So, you know, Java middleware was still a nascent and emerging technology. Uh, I remember. Doing performance testing and realizing the day of launch that we needed, SSL accelerators, and, uh, having rainbow technologies drop ship us a couple of like two you high crypto boxes that just generated random numbers really fast. Cause you know, we were just asking for P and P prime and Q and Q prime nonstop on launch. But at the end of that Amazing project, which launched a number of careers, including the current CIO of CVS was, uh, was part of that project team. And the CTO at Hewitt approached me and said, look, uh, like this was an inflection point up until, uh, that summer of 1997, the internet was considered unsafe at any speed, especially for a company like Hewitt, those protecting millions of people's personally identifiable information. And it went from unsafe at any speed to. Not to be connected to the internet. And so I was brought into a position kind of out of that development team that built an internet application and into internet security full-time. So I progressed in my career at Hewitt eventually became chief information security officer. And then express scripts came calling in 2011. We built express scripts into a Fortune 25 company. It was really exciting and it was great that we were mission line, like express scripts handle the third of the. Nations prescription drug, traffic, um, electronically, uh, the details around the prescriptions, um, the, you know, the payments, the, the costs, the reimbursements, and we were a company that made money when we made healthcare safer and more affordable for certainly our clients. Um, but eventually the whole country because of the way that we lead. And so after nine years of express scripts, we were acquired by Cigna and I had an opportunity to really think. What I was going to do in my career. And so it was, uh, it was really exciting, uh, both to have a pause, to step back and think about my career in a way that was kind of unencumbered by current projects, current team's current situation. And I looked at continuing a career information risk, but I also looked at doing something radically different where my background in information security would make. A more well-rounded and interesting contributor in a different role. And so I had, uh, had the good fortune to interview with Northwestern mutual and to be chosen as their chief technology officer. And that's what I've been doing for the last couple of years.
[00:06:36] Jason Clark: So Erick, you know, I love talking to people like yourself that were a CSO, and then took another, another role. Right. Um, whether it's a CIO role or a CTO role, or even, you know, jumping into the business side, uh, you know, a little bit like obviously, you know, The crazy thing. It became a marketing and strategy officer from CISO. Right. Which is not the common beaten path, but what would you do differently right now that you've been in the CTO role? And if you were put back into a CSO role again, what, what have you learned that would make you do things differently?
[00:07:12] Erick Rudiak: Certainly one of the things that, that I had when I was. CSO was a great relationship with our CTO. It was always a partnership. It was always a one team, one dream model. At the same time, like the level of empathy that I had for our developers, you know, has risen 10 X in my time at Northwestern Mutual and really having an opportunity to live the day in the life of our developer every day, as opposed to periodically when I have a chance to work with our software engineering teams. And so kind of under, you know, understanding in a much more profound and personal. What the challenges are for our development teams, understanding in a much more direct way, how our development teams operate in an agile fashion, the tools that are available to them, the, you know, the. The CI CD pipelines that they use, the, you know, the delivery schedules and demands that are placed on them. And also the opportunity to work with a different CSO with different points of view has been a gift to me, the opportunity to work with Laura Diener, who joined Northwestern Mutual and to learn from. And to observe the way that she thinks about risk. Um, like she is one of my favorite people to talk to because we kind of share this heritage and yet that diversity of thought and the different approaches that Laura and I have used, um, have absolutely enriched my point. And so if I ever had an opportunity to be a CIS, so again, um, I take the things that I learned from building relationships, with software engineers, with testers, with our QA teams, with our agile coaches, as well as seeing how another CSO operates day in, day out and goes after and reduces the kinds of risks that I used to go after and reduce, um, like that has enriched me all around. Awesome.
[00:09:06] Jason Clark: It sounds like. Sounds like I need to meet her right. As well. I love, uh, I love talking and, and working with brilliant CSOs that all have different views. And that's how, obviously in the end, that's all that's, what's amazing about this industry is we all learn from each other. Right. And we have a common enemy and, uh, and so, you know, we're in the end, right. We're just here to help each other. So when we talk about that, right, and it's a big part of the conversation today, you and I united on a project, which we called security 2025, 2 years ago. And now we're where, you know, there's a, it's, it's kind of permeated into this podcast, which we call Security Visionaries, and then a book called the Security Transformation Playbook. And, you know, again, two years in the making, I think 30 to 50 round table dinners around the world and lots of steak and sushi dinners, Erick, you know, and trying to interview people and, and surveys and just, just lots of thought, right? What excited you to even get involved.
[00:10:04] Erick Rudiak: First and foremost, it was the opportunity to give to the community that had given so much to me over the years. Like I felt that having spent, you know, over a decade as a CISO, so the least that I could do was to write a few things down and participate in a project. Ultimately, at its purest, it was all about making the industry better. And so the opportunity to give back the opportunity to, you know, to spend like dedicated unadulterated time thinking about information security and thinking about how our industry could get better and being part of that transformation kind of acting in service of, of this fraternity and sorority of CISOs that we're part of like that was by far the biggest appeal. You know, I also saw that it was a project that was going to be successful. Like I saw in you, Jason, and in the materials that, you know, the, that you began showing me there in the spring of 2019, that this was going to be a, you know, a part of every CISOs playbook, a part of their bookshelf, that would be kind of required reading that we had the opportunity to both capture the histories of the past and those lessons learned and to turn those into a vision for the future. And the thing about spending time with other CISOs is like, we're constantly learning from each other. And if we're lucky we get to be part of a community. So if we're lucky we get to be part of slack channels and mailing lists and fly-ins, and the thing that I recall in the thing that I valued about those interactions was the opportunity to kind of download a lot of information all at once when I would get together with CSOs, whether it was dinners that you'd sponsored or other communities that I was part of. And so to be able to contribute to that, uh, in, you know, in greater volume was extremely appealing. Um, and so, yeah, I was really excited to sign up for the project.
[00:12:04] Jason Clark: So we've, uh, it kind of kicked off. Right. The things I'd said to you is like, this is the security is inverted, the upside down world, right. Or it's security, inverted, it's upside down. Cause our data is no longer on a CPU we own. And our apps and our users are no longer on a network we own and control. Right. And that completely changed the game. Um, and in, in many ways it gives advantage, right. To a bad guy and a disadvantage of security unless we flip it. Other than that, what else would you add to what our kind of original purpose was?
[00:12:36] Erick Rudiak: When I think about when I think back to it, I think about that inversion as a, as something that was non-obvious that we had an opportunity to kind of bring the bow and, you know, and really put the role of the CSO in a different context than it had been before. And so like what you describe as the inversion kind of on the Silicon side of things, there was also an inversion happening. Um, you know, on the carbon based life forms, the humans that are doing the work. And so this other inversion of the CISO going from, in, in a lot of companies, being the conscience of the company, being the one person kind of standing up and, you know, in fighting the good fight and advocating for information security for data protection, for cyber defense, um, there is also an inversion of the CISOs role from being that conscience of the company to. Being part of the C-suite to being included in the room where it happens and that role, that persona of the CISO had to change. And so this opportunity to really think about, you know, the inversion of the CISOs role from conscience of the business to business advocate, who happened to be well steeped in the art of cyber defense, made that role unique. And that transformation was something that, you know, I saw as being absolutely vital to not just my career, um, but the CISOs that we all talk to in the St. Louis community, and that we had an opportunity to talk to you through our other communities. Like that was one of the things that was common about those CISOs and the opportunity to capture that and kind of marry that Silicon based inversion and the carbon-based inversion that was happening, um, was super exciting.
[00:14:24] Jason Clark: Yeah. I think that's a great way to put it. And then, you know, so Erick, when we started this right, We kind of were like, okay, we're going to, we're going to paint this future. We're going to get people this playbook and, and give them some advice. Right? Tips, coaching, like the whole purpose of a playbook, right. Is to tell them what, what obstacles they are going to run into and give them some strategies around that. But I'd say everything, even for us, kind of got accelerated things that we thought were going to happen by 2025 started happening significantly sooner. Right?
[00:14:52] Erick Rudiak: It did. Like I think about, uh, in, in the summer of 2019, Kind of writing about, there was a chapter in the book where we were writing about there's very different ways that we have to grant access to data in the cloud. And like you and I had a chance long before that to collaborate on a data loss prevention project that I think was pretty successful, um, in. I think we both saw that traditional data loss prevention wasn't going to work when most data had moved out of a data center that, you know, the, that trombone, hairpin network traffic design that kind of forced everything through a small number of appliances is, uh, it was just impossible to scale when that inversion happens. And so I remember identifying places where for purposes of the book, we could take screenshots and illustrate this idea that changing an ACL on a file in a cloud service was both the first step to a potential data breach in progress and something that traditional information security appliances we're not going to catch. Like it was a case for change to the entire way that the industry thought about. Information protection. And then there was a breach, like literally, as we were writing those chapters that followed that exact same, uh, that followed that exact same script. So, uh, it was, uh, it was both humbling and it was a reminder that, uh, like we needed to finish the project before all the great ideas about the future just simply became pontificating about the present.
[00:16:25] Jason Clark: I mean, even in, and that's, you know, part of what, you know, causes teams to have to create some pivots. Right. It was like, okay, well this is actually all happening now. You know, adjust addressed our strategy for the launch of this. Right. And, uh, it just kind of talk about it in a little bit different way and even provide some more relevant stuff like the pandemic. Right. Talk about the impact of remote work, right. And in the end that, you know, SaaS and, you know, you've got a chapter around API APIs, uh, and I think it even relates to, you know, the chapter on talent, right. And the changing role of the CISO, speaking of that changing role of the CISO. So I just did a. That I, at one that I've done a couple of years ago, where I am, I'm asking about certain parts of the budget, um, network security, part of the budget, and the majority of network teams own the network security part of the budget. Generally 75% was still owned by the networking team, um, firewalls, et cetera. And I redid that survey to the network leaders, directors, and above, and security leaders and 93%. Said that they're both their teams network and security will converge over the next few years and become one team because the network now has become the internet. Right. Um, that's significant. I don't know if you know what your thoughts are on that or what you're seeing in that space, but that kind of highlights is just that this would not have happened. When we first started writing this book, people would not, would not have said those are coming together.
[00:17:55] Erick Rudiak: Sure. And I think one of the, you know, one of the powerful things about having a book like that and having a playbook is like, there are certain natural evolutions that have. In information security. And I think about like another one that we wrote about, and that, you know, that I personally got to experience was the way that companies build security operation centers. And there's kind of this natural progression from kind of, you know, level zero maturity where everything's either non-existent or ad hoc, but over time as you grow through, you know, that CMI maturity, Companies will start to build teams and then they'll start to realize, oh my gosh, this is really big. And they'll go out and get a service and then they'll start to manage the service. And then they'll start to build teams that are adept at certain parts of information risk that are just so close to the core that they have to be good at it. And then eventually they strike an equilibrium and that equilibrium isn't necessarily the same in every company, but you know, the, this idea of kind of moving up the maturity scale and as you move up the maturity scale, different solutions make sense, like build versus buy becomes a different equation. Insource versus outsource becomes a different equation. And so like one of the things that, that just kind of interesting to reflect on is how helpful it is to have a plan. And kind of walks you through, oh, this is what it looks like when you take that next inflection point in maturity. Um, it's okay to be at a level zero or level one, if you're just constantly moving forward, if you're constantly getting better and having that playbook helps you anticipate the future. And that's like, that's a really cool part about the book, I think. [00:19:36] Jason Clark: Yeah. I mean, so speaking of that, like in your mind, who do you, who do you envision the main personas are people. That are reading this book.
[00:19:46] Erick Rudiak: Ideally, it's everyone, right? It's the, you know, feel good summer hit that everyone's got on their bookstand. Um, but no, I think if you are, you know, if you are a CISO or a Deputy CISO or somebody who aspires to, to take their career in that direction, I think it's, you know, I think there's a lot of valuable material there. I think one of the things that I liked about this project is though. We took a deliberate position and we made a deliberate efforts to make the book not just about of Naval gazing information, security folks. There's plenty of good stuff for InfoSec geeks like yourself and myself in the book. But if you're a CFO, if you're a CIO, if you're a CTO and you want to. Just kind of dive into the book for a chapter or two and understand a little bit about what's going on in the head of that CISO, who is now your partner across the table. Who's part of that one team, one dream approach to running the technology of your enterprise. I think there's going to be a lot in the book that is appealing. To those other non-information security audiences as a little bit of a decoder ring as a, you know, uh, as a little bit of insight into, oh, this is what CISOs think about. This is the history of their industry and why they've, you know, why they've acquired some of the habits and some of the beliefs that they have, and it's done in a really accessible, really digestible format. Um, and so, yeah, I think everyone should read it.
[00:21:17] Jason Clark: Yeah, you know, it's funny, I, I just published a Dummies book and it’s SASE Architecture for Dummies, and that was very hard to, you know, that process of creating a Dummies book because you're, you're, you're dumbing it down. Right. And so you're like, oh, but I want to say so much more, but amazing, like you say, for everybody, um, we literally published it a few months ago and already has 3000 downloads. Right. Um, that's pretty cool. If I think about what's changed the most in security when we talked about this pandemic, you know, that that change of, of the data is no longer on a CPU you own or control. Right. That's where that, I think both of those come in.
[00:22:03] Erick Rudiak: I used to be that guy, like I used to get up in boardrooms or get up in town halls and say our work on our Silicon, like that's how we were going to stay safe. Um, and that era's over like that, that is the, that's a bygone. Like, I don't think that, uh, you know, if I were to become a CSO again, I could make that same claim. Our work on our computers would handcuff whatever company I was going to be at. Like it would put us at a competitive disadvantage.
[00:22:32] Jason Clark: Yup. What brought me to St. Louis as well, Right Erick, it was the CISO role at Emerson electric and, you know, I, I got there and, you know, it was 2000 different locations and 140,000 employees and 80 divisions. And the first project I kicked off a global project was called command and control. Right. It was very military terminology, but it was, we're going to, we're going to take command and control of every network of every device, of every application that we have.
[00:23:02] Erick Rudiak: Right. That's gone. Yeah. And you know, and I used to pat myself on the back, I was really proud that our work on our Silicon included BYOD. Like we had this vision that our work on our silicon was compatible with BYO D because we had technology. We had, uh, we had gateways, we had additional security that allowed our work on ourselves. To embrace BYOD, but that was also at a time before this inversion of the network perimeter happened, where our working on our silicon made sense. It doesn't anymore.
[00:23:38] Jason Clark: So if we were to, you know, move, go forward to somewhere other, five to 10 years. Right? What do you think CSOs will wish that they had invested in right now? If they could go back in time, when you look in your crystal ball, the future.
[00:23:53] Erick Rudiak: Ooh. I mean the, uh, look, the easy answer is people. The right people can overcome all sorts of other obstacles and deficiencies, whether it's technology or budget or time, I would always invest in our people first. You know, the, the second thing that I'd look at is orchestration. Like when I think about, and there's a chapter in the book where we talk about, uh, kind of, uh, this idea of in the past, like is great. Cause there's an RFC on this that we quote and it's an RFC, like from the early eighties server naming conventions, right? Like, are you going to name your servers after Muppets or Star Wars characters or planets? Um, you know, uh, back when I was at Northwestern university, uh, I was supporting the geology department and they had all of the servers were named after Greek mythology heroes. Um, and yet, like there is a transition that's happened. And so the interesting thing about going from kind of having a personal, like first name basis, relationship with your computers, to your computers, being like Lego bricks with almost infinite supply with almost infinite interchangeability and interconnectivity. Like one of the things, the first things that scared me about that inversion when I was a CISO was, oh my gosh, what happens to digital forensics and incident response? Like how do my incident responders give me the play-by-play on a server that had a designed lifespan of five hours or five minutes. And it was wild, you know, just kind of thinking about, oh, like this is going to require. In into not just new technology, not just new, you know, not just new processes, but it was going to require people who were able to think in this entirely new way. And so when I think about that and when I think about like what, uh, what I would begin investing in today as a CISO. So I would think about the kind of machine-driven orchestration that's. When everything is a Lego brick and when there are thousands and thousands and thousands of Lego bricks and they aren't just servers, but they're microservices, they are, you know, they're Docker containers, um, like keeping track of all that and doing so in a way that supports incident replay, that supports investigations, um, that allows me to kind of have, you know, uh, have the fact base at my fingertips in the moment that matters most, which is I'm brought into the boardroom and the CEO, a board member, the CIO, the CFO says, Hey CISO, tell me what happened. Um, in 10 years, when, you know, when everything is a short-lived microservice or when enough things are short-lived microservices, because Kubernetes spun something up and spun something based on, you know, an entirely dynamic traffic. Like that requires an entirely different way of thinking about how our people work and thinking about how our infrastructure technology orchestrates alongside and informs our security technology. And so like that, that investment in orchestration, I think, uh, you know, CISOs would be extraordinarily wise to look at that and that orchestration needs to happen everywhere. It needs to happen in a data center if you still have one. And it certainly absolutely has to happen in the cloud.
[00:27:22] Jason Clark: You know, we talked about even a core principle is orchestration automate, right? That every technology you buy, I think that we, the principle is stop buying black box solutions that everything needs to be open and integrated. Right.
[00:27:37] Erick Rudiak: That's right. Yeah. Yeah. We talked about like, if, if your security product doesn't have an API, but you were aware. Uh, don't buy it. Yeah. Like be really careful because if it doesn't have an API, odds are some other security product that you need to be able to see into and out of it's state and will be blind in that blindness, uh, becomes a disadvantage when we're defending systems and defending data.
[00:28:00] Jason Clark: You know, you said something that sparked a thought, you talked about how we use the name servers and, and, and, you know, there was a personal attachment that we had, right? Like you would build a, you you'd build a system and it represented you and. I would work at midnight to just make sure like that, that representation of me was solid and, you know, never, never had issues. We never went down. And, and uh, and then whenever you had to retire that system, that you'd spent, you know, hundreds of hours investing in a building, it was kind of depressing to watch something that you built have to go. Right. Um, that doesn't really it for apps that exist, but that doesn't exist for infrastructure anymore.
[00:28:41] Erick Rudiak: Yeah. Welcome to the future.
[00:28:41] Jason Clark: Yeah. So, you know, thinking about this, right. And we're going to be getting together and, uh, another episode with, uh, with a colleague or two, and we'll be talking about kind of all of the, the core principles, right? The principles that you need to stick to that, you know, if you don't do anything. Follow these principles, right? And w principle one, by the way, is challenge all your principals, right? Challenge your existing principals. So that'll be a fun followup episode, Erick, that I'm very much looking forward to, but any, any closing thoughts on you know our project that we've done here over the last two years for the.
[00:29:24] Erick Rudiak: I think what I'd love for people to, you know, to think about this series, uh, and for people to come back to this series and listen is the spirit of camaraderie and the spirit of community that has always been there and information security. And that I think up until now has been kind of difficult to capture. But, uh, I think about all of the things that I've learned from other CSOs at dinner. At birds of a feather sessions, uh, like in the hallways of conferences. And I think one of the really cool things about this series is that it creates a concentrated digestible version of that really enriching, magical experiences, where people who are passionate about their topic, just kind of get together and talk. And it's not about getting the predictions right so much as it is about having the conversation. And I'm just thrilled to be able to have a conversation with you Jason.
[00:30:18] Jason Clark: I think that's a brilliant, brilliant answer. It is magical. And, you know, there's, there's all, you know, just like you said in the beginning, It’s a diversity of thought, there's hundreds of people of CSOs and CIO is that we're involved in the making of, of this research, right. And of the series and the book. So, you know, all of them have, have helped us and we've learned a lot through it. Right. And that's kind of how this all started was, was we need to use. Together and truly help each other transform our organizations ourselves, right. Our people. And in our, most importantly, the technology stack, that's going to give us our leverage point again, cause security has really lost leverage, right. There's, 90% of their spend was in the data center and on the network as that data and the users are not on the network, it's being stretched like a rubber band. Right. And so that, um, there's no doubt that everybody will gain some great tactics and strategies and tips for their program. Right. Um, and the cool part about the book and the series. It's not like you have to read this A to Z. Front the back it's, it's purely you, you can dive into any one section you want because you've, you're dealing with that situation. Right. Or that's something that's interesting to you right then. And that's, that's how we purposely designed this was you can, you can dive right in the middle if you would like to. Right. And so that, uh, hope that mainly we, when everybody to get something from it and us together as a community, right. Make, uh, make the world a safer place. And. Help help security pro programs to be successful.
[00:31:56] Erick Rudiak: Amen. That sounds fantastic.
[00:31:56] Jason Clark: So it's not as magical as what Erick said, but, so that was good. Um, where Erick you've always been for the last 10 years, a good, a good friend and, and partner in this research and, uh, you know, thank you so much for, for taking the time here and we'll see you in the next episode.
[00:32:16] Erick Rudiak: It's mutual. My friend, I look forward to being here. Thanks for the opportunity.
Sponsor:The Security Visionaries podcast is powered by the team at Netskope looking for the right cloud security platform to enable your digital transformation journey. The Netskope security cloud helps you safely and quickly connect users directly to the internet from any device to any application. Learn more at netskope.com.
[00:32:43] Producer: Thanks for listening to Security Visionaries. Please take a moment to rate and review the show and share it with someone, you know, who might enjoy it. Stay tuned for part two, in which Jason and Erick will be joined by their colleagues for round table discussion, breaking down each of the 10 principles and how to apply them to drive transformation at your organization. Part two is available now.