You have to know what you have in order to protect it, and CISO Tammy Moskites has all the right ingredients to help organizations protect their assets and reputations.
Tammy Moskites is a seasoned IT security professional who has a knack for finding order in chaos. And as the former CISO at The Home Depot and Time Warner Cable, she has seen her share of the unknown in the constantly changing security landscape. With 25 years of experience in managing and running IT departments, Moskites, who now serves as Venafi’s CISO and CIO, recently took time with CIO Insight to discuss what keeps a CISO up at night, the delights of South Indian food (Moskites is a foodie) and where she was when she found out about The Home Depot breach that occurred several years after her tenure there.
CIO Insight: Your resume has some very interesting stops along the way. You were the CISO for The Home Depot and later, Time Warner Cable. You were also a food columnist for several years. What’s your favorite region or city in terms of cuisine? Any favorite dishes you’d recommend?
Tammy Moskites: My family and I all love cooking. Two of my sons attended Johnson and Wales and have Culinary degrees. I hold monthly cooking classes at my home for some of my friends and I have so much fun sharing my love and passion for cooking. Having travelled many places around the world, I always say I love eating at home the best—but I’ll let you know about my favorite regions for food, since selecting just a dish would be too difficult: Chennai, India, has the most amazing mix of spices, flavors and aromas that are second to none—South Indian food is really a perfect treat for a hardcore foodie! You can also find some great Indian food in London! Florence, Italy, would have to be another choice for their wines and pastas—and of course New England for the amazing seafood options and lobster.
CIO Insight: One of your areas of expertise is creating order out of chaos. In IT, systems and processes generally don’t start out as chaotic, but they often become chaotic and unwieldy. Why and how does this happen, and what’s the trick to restoring order in IT?
Moskites: When I address chaos, I look at: people, process and technology. For example, I first look at our requirements of the program, by functional element and determine our must haves. Then, it is important to determine what tools are being used and if there are any that you can take out of the mix. It would just create more chaos to buy more tools that do the same things as the ones you already have. Those would include redundant or outdated systems, and also keeping in mind that you need to still meet the security regulatory requirements that address the acceptable risk appetite for your company. But just doing this doesn’t fix anything, but it does clean up your tools and reduce expense. To improve, you must address the skillsets of the professionals doing the job(s), and ensure they have the proper training. If they don’t know how to use the tools, that doesn’t improve anything and will result in more chaos. To ensure that the process works, it is important to document the processes and procedures they currently use today, then evaluate step-by-step to see where the value comes from. If there is no value, then stop doing it. Once you have everything in place for each functional element, you must stay evergreen by frequently keeping documentation and skillsets current.
CIO Insight: You were the CISO of The Home Depot several years before the company endured a significant data breach that involved the theft of payment card information and customer email addresses. Do you recall where you were and what you were doing when you first heard the news? What was the first thing that went through your mind?
Moskites: Yes, I had left there several years earlier. I can remember the exact place because I was in London–sleeping–when I heard the news. A call from a reporter in the U.S. woke me up (don’t recall which paper), all I know is when I looked out my window from my hotel room, it was dark out and Big Ben said it was only 2:30 in the morning (give or take an hour–it was dark, I was sleeping, lol). The first thought that went through my mind–is Oh my goodness, what happened–and then I thought about the security professionals at Home Depot and the impact they must be enduring.
CIO Insight: What keeps a CISO awake at night?
Moskites: The unknown, and the rapidly changing security landscape keeps us up at night. At this time, with so many significant data breaches occurring constantly, and sensitive data being lost, it just adds to the already many worries. From a 2014 study done by Informatica and Ponemon, they exposed that the main concern for C-level executives is not securing and protecting the data, but instead, they stay awake because they don’t know the location of sensitive or confidential data. It is very important to have an incident response program in place that is documented and tested regularly. This won’t stop the breaches from occurring, but will allow you to be able to react quickly and give customers the confidence that you have your incident response program in place, and well-tuned.
CIO Insight: Data breaches and cyber-crimes make headlines, but rarely do we hear of the arrests and prosecutions of the criminals behind these attacks and thefts. Who are they, is there any hope in discouraging them from hacking organizations and people, and why is it so difficult to prevent them from having their way with business and government networks?
Moskites: We have an entire new category of war. We fight wars in the air, the sea, the land and now in cyber. We are constantly hearing about all of the cyber-breaches, attacks and thefts, as well as the sophisticated tools at the hackers' disposal. And a vast majority of the attacks are still coming in through phishing emails and infected attachments. This is nothing new, and they are sometimes using the same techniques from the 1990s. Add to that, that the average cost of a data breach is nearly $4 million, and has increased 23% over the past two years. It makes it difficult for those companies that are hacked to put any more funds into finding the hacker themselves. Some of the largest breaches that happened last year cost companies tens of millions in loses and funds to stop the breach. The best way to discourage breaches happening to your company now is to make sure you are at least covering all the basics in IT security protection. Building this foundation of basics, along with a strong and informed team will be the best steps to have in place. As I stated before, you must have a strong, well-practiced, incident response program. It is no longer, if you are going to get breached, but when, and how you react is what your customers are paying attention to.
CIO Insight: Are breaches the result of a people problem or a tech problem?
Moskites: Breaches can be the result of both people and tech problems–but in most cases it is a combination. Threat actors can always find more sophisticated ways to beat any technology protection system in place, making them irrelevant. Instead of having the current system in place, where protection systems continually send IT/security teams notifications of threats, and the teams must continually review and make sure they eliminate, block and tackle those threats. We talked earlier about the basics, it is important to have a good inventory of assets, software, identities and keys and certificates, it is very important. You have to know what you have in order to protect it! When it comes to some of the attack vectors that had heightened awareness over the last 18 months, we really need to ensure we have a good foundation of “known good” around trusted keys and certificates that are the foundation of the Internet. There must be a system in place that is continually scanning to ensure that there are no fake, expired or untrusted keys and certificates that could enter into your network. Just as the immune system for the human body does: by constantly monitoring for dangers and then defend against them.
CIO Insight: Is this a good era to be involved in IT security?
Moskites: I have been in security for so long–well before security was cool. I always had a passion for staying ahead of the threat factors, but it is exciting to see others with my passion. It is definitely an exciting time to be involved in IT security, that is, if doing something different every day excites you. While we are constantly working to secure our systems, networks and sensitive data, the cyber-criminals/threat actors are right there with us finding ways around the protection we build. It is also a great time for learning and sharing information that has worked for some and finding ways to implement it for your own company. The most exciting part of this era in cyber-security is knowing that things are on the verge of changing dramatically in how information is shared, monitored and protected and will continue to change. Global focus on how data is stored and shared, coupled with compliance laws and regulations–will always keep us busy as well! Salaries are skyrocketing and jobs are plentiful–there is a negative unemployment rate in security–we cannot find enough talent and there are an abundance of jobs–these jobs are not going away anytime soon, and this industry will also welcome those passionate about learning and security protection! Cheers!
Patrick K. Burke is senior editor of CIO Insight.