Eric Brown: 0:05

You're listening to the Audit presented by IT Audit Labs. Gretchen, welcome to the Audit, which is a podcast by IT Audit Labs that you've heard about and agreed to jump on. So thanks for coming on and agreed to jump on. So thanks for coming on, and you have been a CISO for quite a while at a few different organizations. You were at Minnesota Judicial for a while and then you were at Metropolitan Council for a while as their CISO and you've recently moved on. But what I thought was interesting about your time at Metropolitan Council, you were also the Director of Infrastructure, which it's kind of like, I don't know, every CISO's dream to control both security and infrastructure, so you don't have to battle with anybody to get something done.

Gretchen White: 1:02

Yes, that is true. You only battle with yourself in the mirror in the morning.

Eric Brown: 1:09

So, yeah, what have you been up to? What do you do in these days? What do you like about security, and is there anything in particular you want to talk about?

Gretchen White: 1:18

Well, I made a change from the public sector to the private sector and my time with infrastructure, ops and security did help me realize that I really would prefer to be in the security realm. That playing both is good for a while, but not a position I want to be in permanently. Sure.

Eric Brown: 1:39

There was a recent breach in Minneapolis yes, minneapolis Public schools, and I don't know. When these breaches hit close to home, people clam up, and then you hear these whisperings about what happened, but nobody really says anything. And then maybe you read something in the paper two years later about what happened and to me it seems not not to to go off on a tangent, but it seems to me and and um evan franken from fr secure talks about a broken industry in information technology or information security, and he talks about just that concept that we're working in a broken industry. And to me this seems like one of those things that is broken about the industry, because we know there was a breach very close to home, but nobody ever talks about exactly what caused the breach, which would be really helpful for people who want to make sure that the breach doesn't happen to them. Right, if the malicious actors are that close to home and reaching out to other schools and municipalities, you would think we would want to get in front of it sooner than later.

Gretchen White: 3:02

Well, and even this one calling it an encryption event. That was a new technology to be used, so that was kind of interesting. One reason we don't always share with each other is because we know what our issues are before something bad happens. And when the bad thing happens, there's some piece of us that has to go back and say I knew what I should do and I didn't get it done.

Eric Brown: 3:29

It is hard and if we know what needs to be fixed but we didn't fix it, why wouldn't we have fixed it?

Gretchen White: 3:39

Right, Because there's too many things to fix and it doesn't take just the technology right. You have to influence people to be able to fix it.

Eric Brown: 3:47

You know, I think that might be one of the hardest things about the job is really communicating what the issues are in a way that resonates and is understandable with the people who are in control of the budgets.

Gretchen White: 4:06

Yes, and I think that the people in control of the budgets or the decision-making maybe don't have as much experience about what impact security incidents really could have. If you look back to when I was a kid, we would get in a car without the seatbelt being buckled. We actually ride in the back of a pickup truck and lawn chairs to go out fishing. If my kid did that now, I would be horrified. So I think it's kind of that where the experiences have to catch up to what we know we should be doing.

Eric Brown: 4:40

So let's take a look at this Minneapolis public school situation and I pick on it because the aftermath has been really horrible. The data that was leaked I shouldn't even say leaked, the data that was stolen and then publicized was really terrible. Right, it's very sensitive information about minors and, as information security practitioners, it really hits home that something under your care was exposed in that manner. And I hear what you're saying, where it's like well, I knew about the issues but I couldn't do anything about them. And the issues in this particular case, as I understand it, were an unpatched ESXi environment and old, outdated, probably signature-based anti-malware solutions on the endpoint, so poor endpoint control and poor patching practices in a core environment.

Eric Brown: 5:52

So, that said, I don't know how do you, as somebody leading a security organization, if you've got those issues, what do you do? Because you know about them? But then and you know that those are critical issues in the environment, what do you do to resolve that? Because now they've got all sorts of security professionals crawling all over that environment and they're probably going to spend millions of dollars to fix it. So when I say, oh well, we don't have budget, well, somehow they found the budget to resolve those issues. Right, the money came from somewhere. So how do you operate in that position where you know you have a glaring problem, but you can't resolve it?

Gretchen White: 6:47

problem but you can't resolve it. I think, for myself, you have to be persistent, right, and you have to figure out what's the right cadence of being persistent so that you'll be heard Like, in this case, it doesn't really matter if they spend millions of dollars in fixing it, there is a group of children that they're not going to be able to fix it for Right. And, I think, being creative about how you get the funding, whether you work to get, if you're in the public sector, whether you look at grants or other opportunities and then I think I'm Thinking about what pieces of your security posture are the most important. I think we would all say using the latest and greatest endpoint protection. Most of us consider to be critical to our security posture and I'm a real believer in patching right. You just got to find a way to keep operationalizing that and working with the business side to accept that this is a normal part of day-to-day operations.

Eric Brown: 7:54

And you've been in public sector for a while securing different environments, presumably you've run across end-of-life systems well beyond their end-of-life date still in production.

Gretchen White: 8:12

Yep.

Eric Brown: 8:14

How did you approach that?

Gretchen White: 8:16

I try to be an advocate besides the security money, but go out and actually advocate for the infrastructure groups that need the funds. So I think you can't go in and just say, hey, this is what's wrong. I think you have to support that side with saying it's going to cost X amount of dollars and this many people and we need it for security. But this is the group that needs the support to make it happen, because we can't make everything happen and many times we're just saying what we think the issue is and what we want resolved. But I think we have to stretch across the aisle there and help them frame up the story and get the funding needed to resolve the issue.

Eric Brown: 8:59

How have you been successful in doing that in your career?

Gretchen White: 9:03

Well, a couple things I do is that? Because you know, I was an old project manager, so I'm all about the implementation Deliver what you said. The first thing I try to do in an organization when I'm new is if there's a smaller effort where I can show hey, you gave us X amount of dollars, went and worked with these different groups, business infrastructure, and here's the outcome we delivered, you know, and fixed this particular security issue. Try to build some basically equity so that the next time when I have to go in for the larger, harder issue that I have already a reputation that my team will deliver and use the money wisely, especially in the public sector. You know we talk about being good stewards of state funds and then the other piece is always just being able to tell the story to a broad audience, be it technical or non-technical, what the seriousness of the security gap or the security flaw is.

Eric Brown: 10:08

And what if you can't get past those decision makers who are holding the purse strings? What do you do?

Gretchen White: 10:23

Well then you call in an outside party like IT Audit Labs and say, hey, could you come and look at this and support what I've already told them.

Eric Brown: 10:29

That usually works, doesn't it?

Gretchen White: 10:31

All kidding aside, sometimes it takes the third group. One person rings the bell, second person comes and says the same thing, and then you got to get a third person. But there again, that's where the persistence and the not giving up comes into play.

Eric Brown: 10:49

And it seems like we run into that, don't we, Anna? And as professionals working for an organization, as their security officer, you run into that resistance internally when you say I need this much headcount or I need these tools or I need this budget to accomplish whatever we're going after, risks that we're trying to mitigate. And it takes that external influence, sometimes in the event of a third-party benevolent influence, who's coming in to give you an opinion on your environment or an audit findings from an audit and then remediating those or some standard be it pci or hippo or sock to or whatever it is right where you've got to satisfy sieges, you've got to satisfy the findings of that audit to be compliant. And then there's the malicious side where you suffer a breach and then data is exposed and there's a cleanup effort. There's that external influence that is prompting or that usually gets a financial reaction internally to be able to accomplish the things that were already projected to be done.

Eric Brown: 12:20

So I don't know. I kind of go back to what Evan says around the broken industry, and for me that's the piece of it that's broken is the communication side, where we kind of clam up when there's something that happens, and then the other piece of it is. Sometimes it takes an external influence to accelerate an advancement of funding and it shouldn't be that way. But I understand money's tight and yeah, I don't know. What do you think?

Gretchen White: 12:56

So from the CISO chair, I think one of the things we don't necessarily do well is going in and saying for a million dollars I can fix this, for three million I can get you here, and for five million I can get you here, and for $5 million I can get you there, so that it can be considered more of a business decision. You know how much risk am I willing to accept? I think that's a key thing that we have to be able to do. And then I also think let's be pragmatic about it. If I can do one thing and it gets me 80% more secure on my endpoints, but I still have 20% of the gap, 80% improvement is still a big improvement. So I think that we have to be somewhat pragmatic about our ask too.

Eric Brown: 13:42

If you're coming into an environment that's got problems all over, what are you going after first, are you going after firewalls? Are you going after account security? Going after endpoints, vulnerability what are you going after?

Gretchen White: 13:57

I think the first thing that I want to look at is I want to look at what is the thing that they're trying to protect the most right, Like what is their core business? And then what would be the impact of a breach for that? For instance, in the judicial branch your cases if the integrity of the data was off, you could spend additional time in jail. Your case could take longer. So getting that trust back with the public would be very challenging to do.

Gretchen White: 14:31

Other things, like banking, of course, integrity is important, but the systems being available and me being able to find out what my bank account balance is would be important. So that's one thing is I want to understand the business side of it, and then there are so many ways to go at it that many times you really have to evaluate what funding do I have? What is the current state of my protections? So, if I don't have an EDR, maybe that's what I start with first, but that's something I think the security team at the organization discusses and puts together a priority list. That's what I would do. What have you done? What do you?

Eric Brown: 15:12

do. I agree with everything that you've said. It's the crown jewels of the organization and what's important to that organization. I think there's industry-wide ways that malicious actors get in, and that's largely by phishing, as we all know. So, looking at a decent security program around, just keeping the untargeted and in some cases, targeted attacks out from email because, as we all know, users are click happy. So if we can help to reduce that vector, that's a great thing to do. But I go back to your patching as well of just understanding what do we have out there in the environment, and you can use different models, like CIS, and one of CIS's first tenets, if you will, is to know what's in your environment. So then you know what you're protecting, be it physical assets or data, just depending on. Again back to the crown jewels piece.

Gretchen White: 16:30

Sometimes that knowing your environment is actually the hardest first step.

Eric Brown: 16:35

It is, and I've worked with quite a few organizations, and having a CMDB does not seem to be at the top of many initial lists. Does not seem to be at the top of many initial lists.

Gretchen White: 16:47

Right. It takes a lot of work to maintain a CMDB. The places that I have worked where there has been one that has been implemented well, it's an ongoing full-time people supporting it, many expectations around change management. It's not a the tool does not solve the process problem, just facilitates the fix.

Eric Brown: 17:19

What's your personal threshold for being able to impact change? So you're brought into an organization to presumably help them and you make your recommendations. You bring in a third party. Hopefully it's benevolent and you don't have a breach. But if you're not able to impact change, then what do you do?

Gretchen White: 17:45

I think you have to evaluate if you're a good fit, because it is really a lot about the people side. If in the reporting structure you are not successful at influencing and can't build that trust relationship with your professional opinion is acted upon, I think you have to decide whether maybe it's time to move on. And maybe you know another quote type of CISO in that organization could influence.

Eric Brown: 18:13

You bring up another good point there around reporting structure In your mind and I know this is a topic that comes up a lot when CISOs get together what's the right reporting structure?

Gretchen White: 18:25

Well, what is really the correct thing is that the CISO has a bucket of money. So you need to evaluate who's got a bucket of money and is willing to share it, because the security it's not cheap. Right, the people are hard to find, the tools are expensive. The market is changing in the tools all the time, so I think there's pros and cons. If you report on the IT side to the CIO, it seems that your access to financial support in some ways is easier. Cios typically have larger budgets. They're used to spending money on quote cost center type activities. If you report to the chief risk officer, you usually are able to influence the organization understanding the risk, figuring out what their risk appetite is and determining whether they accept the risk, want to mitigate the risk. So it makes those conversations easier. I think the latest one I've seen now is where the CISO is like creating their own path now that they're not below the chief risk officer and they're not below the CIO.

Eric Brown: 19:39

Right into the CEO or the board or some structure like that.

Gretchen White: 19:43

Yeah.

Eric Brown: 19:45

I do think a clear line into organizational leadership is important, but equally important is having that champion when you go into an organization, somebody that gets it and somebody that's going to help you advocate for solving the goals that you've set for yourself and the organization, for yourself and the organization. So even if you're reporting into the CEO, maybe that CEO doesn't get it or has other things that they're focused on, so it might be just as hard to get that funding. But if you've got an advocate or a champion that really is helping the voice be heard for security, I've seen that work pretty well too.

Gretchen White: 20:26

I also think if you build good relationships with internal audit and legal, that can also help your cause, because it isn't necessarily just you at the table. They understand risk and they understand the need to take action and that has been very helpful to me in the past when I've built relationships with those two groups.

Eric Brown: 20:51

Compliance as well.

Eric Brown: 20:52

I think, I was working at an organization where was there? Maybe about a year or so, maybe a little less, and we had called out. One of the items of risk at one point was not having the central printing where you have badge access to print so you could print essentially any copier, and they probably had close to 300 of those multifunction copiers throughout the campus and you could walk up. At the time you would have to select from a huge dropdown list. That was like your building time. You would have to select from a huge drop down list. That was like your building your floor. Um have to figure out, like the, you need some sort of decoder ring to figure out what was the right printer that you were printing to, because they all have weird names. But you'd print to it and then you'd go over and get your prints and and at the time we had brought up that, oh, this is probably something that you want to resolve because people are printing confidential documents and they're just laying on the printer.

Eric Brown: 21:52

Well, it wasn't until maybe nine months later or so, the organization brought in a new compliance officer and within that person's first week on the job, they're touring, they're going around to the different buildings.

Eric Brown: 22:07

Person's first week on the job. They're touring, they're going around to the different buildings and in one of the buildings that had healthcare information that the workers were printing out healthcare information, the person picked up something from the printer and just had a petite mall and from that point in time forward we put a program in place that had central printing. But it never would have happened if that person hadn't come in and championed the need to have that badge access to print and then it's only stored on the print server for two days or something like that before it's deleted. But I mean that was pretty cool to see and really a neat project to be part of. It took about two and a half years to get done and of course people were resistant to it, but it's so much easier now to print because you can print at any building at any time. It's really great.

Gretchen White: 22:59

Yeah.

Eric Brown: 23:00

So you were in banking before Gretchen and then you did a stint at Judicial and then more in the public sector with Metropolitan Council doing transit. So you've seen a lot. How did you get started in security?

Gretchen White: 23:18

Well, my husband gives me good career advice and I was working as an infrastructure project manager and I had worked some security projects. I'd worked some networking projects. I'd worked some networking project. I'd had a really broad experience in the technology project realm and he was like you should do this security thing, you would be good at this. It's complicated, there's always something new to learn in it. And I was like, well, I don't really know what this thing is except from the project. So I took a risk manager position at the bank and then there started down the path of what do I need to learn? Some SANS classes, got a CISSP, surrounded myself with some, you know, technology and security people that had been in that arena for many years, and that is how I started down the path.

Eric Brown: 24:18

When you took those SANS classes, I thought I remember you telling me at one point that you scored very well on the exam and you got into some sort of secret sands club.

Gretchen White: 24:30

Well, what I actually did was and it was actually a consultant told me to do it I actually went and took the CISSP and the GSEC 401 all within 45 days. I took the classes and the exams. Oh, wow classes and the exams. Oh wow, it was 45 really hard days at home like working and studying all night, and I really was worried about whether I would pass or not. So I encourage everybody don't worry about if you're going to pass. Go out and take it and get a group to support you in that effort.

Eric Brown: 25:09

What's the if you score really high on the test?

Gretchen White: 25:15

Yeah, they have a group that they're like an advisory group for the classes and pieces.

Eric Brown: 25:22

Oh, so you got into that.

Gretchen White: 25:23

No, that wasn't me. I missed that by a point. Thanks for bringing that up, Eric.

Eric Brown: 25:33

You get some sort of tattoo if you're in that advisory club. That sounds pretty cool.

Gretchen White: 25:38

You know the SANS classes are expensive, but the best thing that happened from that class, from taking the 401 class, was you got to see security end-to-end the network. There are some RISC pieces, endpoints, linux, windows machines, all of it. And until I had taken that class, you know, I only had certain areas that I'd been focusing on, like vulnerability management or logging and alerting, and that was the best thing for me was that I got to see it really end to end.

Eric Brown: 26:12

Nice.

Gretchen White: 26:13

Yeah.

Eric Brown: 26:14

Do you have any recommendations for people just getting into the industry or interested in the industry? Maybe they're in junior high school or high school and they're thinking about security. They hear about security. Any thoughts for them?

Gretchen White: 26:31

Well, now there's all kinds of schools that actually have degrees. You know, even like six or seven years ago, there weren't very many choices. So even in the Twin Cities, metro Street has a very reputable program. If you want to do more of a work and go to school, western Governors University is a very cost-effective way and I've had people on my team get their degrees from there and you earn certs that you can use for your job while you're working towards your four-year degree. And then I think the SANS classes obviously take a larger financial commitment, but Black Hills Information Security has a pay what you can program, and those classes are very good for somebody starting out, and I think some of them even are classes around. What does it take to have a career in security?

Eric Brown: 27:26

Oh, yeah, same recommendation for people who might be coming to security as a second career. Maybe they've been doing something else and now they want to get into security somehow.

Gretchen White: 27:39

Yeah, and then I would say that you should try to get exposure to the different realms of security. We've talked kind of a lot about the tech side, but the auditing, the presenting risk, those are all writing policy, those are all different functions, that are a different type of people than, say, your security engineers.

Eric Brown: 28:03

Nice, cool. Well, outside of security, gretchen, what are the things that you like to do?

Gretchen White: 28:10

Well, I kind of like security a lot, Eric.

Eric Brown: 28:14

Well, what I mean is do you have any other hobbies, or are you at home hacking into Russia in your spare time?

Gretchen White: 28:24

I well, I have kids, so I like to spend a lot of time with my kids and my husband. I well, I have kids, so I like to spend a lot of time with my kids and my husband. I like strategy games. Go and play games. My latest thing now is I was a tennis player in my younger days and I'm trying to make that over 50 crowd conversion to pickleball.

Eric Brown: 28:43

Oh, yes, yes yeah.

Gretchen White: 28:45

But yeah, I could use some more balance in my life. I can't say that I'm very good at that.

Eric Brown: 28:52

yet I've never played pickleball, but I hear it's really exploding. Yes, it's a hot one right now. And are there just local community meetups or do you have a group that you play with?

Gretchen White: 29:09

Well, I belong to a gym where I play, but there's, I think, the parks now have converted a lot of the tennis courts to pickleball. I've heard that there's a lot of community clubs now too, but I haven't done that yet.

Eric Brown: 29:19

Maybe we should do that, Gretchen. We should start a Twin Cities security meetup with pickleball.

Gretchen White: 29:25

Well, I did used to take a pilates class, right, I was taking private pilates lessons. Oh wow, at one point I was like the third um client of the morning on saturdays and she actually said to me what is this job that you do? I said, well, I work in security. She says, well, you are the third client I have each sat Saturday morning. That's in the security professional. I'm like, yes, it's very stressful. We come here when you're doing Pilates. You can't think about anything else. You can't be thinking about your latest security vulnerability or any of those things.

Eric Brown: 30:02

That's good advice. Well, thanks, Gretchen. Anything else you wanted to talk about that we didn't get a chance to talk about?

Gretchen White: 30:12

no, but thank you for having me and you know, if anyone gives you some feedback on how we can get more support for our security efforts in the CISO role, hey, if somebody knows the magic easy button, I want to hear it.

Eric Brown: 30:26

Yeah, me too well thanks, gretchen, appreciate your time.

Gretchen White: 30:32

All right, thank you.

Eric Brown: 30:34

Thanks, bye, bye. A well-designed framework will reduce organizational risk and improve overall security. Posture no-transcript.