Security Expert Interview Series: Chris Whalen
We are thrilled to present the next episode of our Security Expert Interview Series, in which we spoke with Chris Whalen. Some of the programs Chris has implemented include Change Management, Threat and Vulnerability Management, Security Incident Management, Cryptographic Standards and Guidelines, Risk Assessment and Treatment, Supplier Selection and Management, and centralized endpoint management (Jamf for Macs, Intune for Windows). He is currently serving as Director of IT and Cybersecurity, based in Canada. Now enjoy the full interview.
1. Firstly, thank you very much for taking part in this campaign, Chris. Can you tell us about your professional background and areas of interest?
My professional career began in IT at a high tech start-up that failed after a year. It failed but many lessons were learned and the valuable experience I gained, as a result, could not have been gained elsewhere. Plus, it was really fun. After that, I spent a year as a consultant at Natural Resources Canada as an IT Project Manager before joining my current employer, Solace. They are a high-tech company that develops technology to enable the real-time flow of event-driven data.
At Solace, I started as a software developer along with a handful of others working on the initial prototype of the platform in use today. As the company grew, the needs for IT grew and so I transitioned into making IT my full-time job. Cybersecurity was always interwoven in my work, having curiously explored the early days of the Internet (web) and learning about Linux and the various open-source tools used in penetration testing today (e.g., Nmap). So, I managed a growing IT Team that also took on cybersecurity duties to the best of our abilities (and resources).
The cybersecurity landscape changed and three years ago, I became the Director of IT and Cybersecurity, confirming my interest and objectives along with the company’s commitment to cybersecurity. I formalized our processes and put in place structure in support of the NIST Cybersecurity Framework to start somewhere, and then, once we were ready for external validation, to comply with SOC 2 and ISO 27001. All while maintaining the technical and security operations (IT and SOC) and developing the strategic vision for IT and cybersecurity in support of the objectives of the organization.
My interest is technology, but my passion is cybersecurity.
2. You are currently working as a Director of IT and Cybersecurity. Is there a typical workday for you as a director and more specifically, what are some of your primary concerns on a daily basis?
Every day is different! Since I am responsible for both IT and Cybersecurity, I need to balance the needs of IT (“keeping the lights on”) with the needs of cybersecurity (“keeping the lights secure”), which at times can come into conflict. Because I understand the objectives of the organization, the conflict is resolved by ensuring that we align with those objectives.
Some days I could be working with our consultants or auditors, sharpening our controls, or improving automation in support of those controls. Other days I may be involved in our incident management process from investigation to mitigation, to remediation, and lessons learned. Other days I am meeting with my team or mentoring individuals and doing what I can to empower them to succeed. I take great pride in their development. I’m fortunate in that I get to be involved in a wide variety of IT and cybersecurity issues and that makes each day a different day.
As for concerns, it used to be that I was concerned about what might hit us that day – any unforeseen incidents that can impact the organization. Now, with the structure I’ve put in place along with the people and resources we have, I’m much more at ease (not that I welcome any trouble)! Being prepared (as best you can) is important, right?
Now my main concerns are providing the guidance I can to my team, removing roadblocks where possible, and contributing on an individual basis to whatever is called for that day, week, month, or year.
3. What is something you wish you knew when you first went into a career in IT security?
Ha! When I first started my career, I never thought the threat landscape would become so sophisticated and organized and that cybersecurity would reach the attention of the board room and governments. It’s expanded from lone wolf hackers and thrill-seekers to nation-state actors and professional cybercriminals (ransomware crews). So, I would tell myself that as a fun story and perhaps a warning (but stay the course, it’s going to get a lot more fun!).
To answer more specifically, don’t be afraid to make mistakes and when you do (and I have), don’t beat yourself up for it. Learn from it and move on. We’re all human.
4. What are the top 3 soft skills needed to be a successful IT security leader?
Communication is so important that I’ll stick to that. In cybersecurity, we have an understanding of technical and complex issues that can be hard to explain, even amongst ourselves. Let’s start with knowing your audience. The message I deliver to the board or executives is going to be different from the message I deliver to the rest of the organization (e.g., to HR or to a technical team).
Imagine learning about a new adversary technique where your organization may be at risk, but to mitigate that risk requires additional resources. I understand the technical details and the potential damage if the risk is realized, but I need to translate that into the impact on the business and why asking for resources is justified.
This message is important to craft and deliver, otherwise, it might not be properly received, and the risk remains, possibly until it’s too late and the damage is done. How to explain that a bit of spending now can prevent a major headache later in the form of even larger spending, bad PR, lost customers, etc. And that there’s no guarantee the risk can be 100% mitigated. Risk analysis helps of course, but you need to be able to communicate that line of thinking and be able to back it up.
Take that further and apply it to a cross-functional project like cybersecurity compliance. In working towards building a compliance program from scratch to achieve a successful SOC 2 audit, I needed to work with different parts of the organization, from HR, Legal, and Finance to the technical teams in R&D, along with my own team. Having the ability to convey the importance of SOC 2 to them, explaining their role, and getting their buy-in is essential for success. Even before you get to that point, you need support at the top. It’s a big investment, and a lot of people agree and help.
If you can’t convey your message in a way that your audience understands, you won’t get very far.
5. One of the areas you are specialized in is vulnerability management. Why do organizations need vulnerability management?
Well, vulnerability management is an age-old cybersecurity problem. It’s just as important today as it was 20 years ago. Why? Because software will continue to have vulnerabilities, and those vulnerabilities will continue to be exploited.
Vulnerability management addresses that problem by systematically discovering vulnerabilities, evaluating them, and mitigating and remediating the associated risks, which is often done by applying patches from the vendor.
Let’s look at two examples. The first relates to organizations that maintain an on-premises environment in the shift to working from home. Perimeter devices such as VPN gateways became, and still are, commonly targeted for exploitation especially by ransomware crews. Indeed, the top four routinely exploited vulnerabilities in 2020 involved remote working technologies. That trend continues in 2021 (source https://us-cert.cisa.gov/ncas/alerts/aa21-209a). Those that did not quickly recognize the risk and did not quickly address the vulnerability became susceptible to, and often a victim of, ransomware. That’s not good.
The second example involves organizations that may rely on SaaS for their important applications. While they take advantage of the SaaS provider being responsible for managing vulnerabilities, those organizations are still responsible for the management of the endpoints accessing their data (i.e., mobiles and laptops). That means addressing vulnerabilities in the operating system and the installed applications including web browsers and the myriad of add-ons and plugins.
Those endpoints can be a big problem. Adversaries exploiting vulnerabilities on the endpoints can gain access to sensitive data on the endpoint. They can also use that endpoint access onwards to sensitive data in their SaaS providers. Single Sign-On is a boost to security and efficiency but can be a risk if the endpoint is compromised.
To protect the most important asset (information), I take a defence-in-depth approach. Vulnerability management is a crucial layer in that defence.
6. What are the most common roadblocks to vulnerability management?
Priorities. Often, there are competing priorities between keeping the organization online and keeping the organization secure. For the security team, addressing critical vulnerabilities is a high priority. However, for the IT team, who is responsible for applying the fixes, it’s likely not a high priority.
In large organizations, the cybersecurity team has tools and other inputs giving them a picture of the vulnerabilities in their environment. Then, it’s typically up to the IT team to test, plan, deploy, and verify the fixes to those vulnerabilities.
In doing so, the IT team has two important considerations: downtime to apply the fix and the risk involved in making a change. Plus, they have business process owners telling them to postpone the change (for various reasons) and reschedule to a later date. These added complications make it more likely that remediating those vulnerabilities is resisted, delayed, or skipped.
For small organizations, it may be the same team or even the same person finding and remediating vulnerabilities. They too are likely juggling a variety of high priorities, which means “keeping the lights on” usually takes precedence, and remediating vulnerabilities takes a back seat.
What can be done to help?
For any size of organization, taking a risk-based approach is very efficient. Work smarter, not harder.
For example, an asset with sensitive information on the public Internet should have vulnerabilities quickly addressed. Whereas, if that same asset were not on the public Internet and didn’t have any sensitive information, remediation can be de-prioritized.
Another example considers the vulnerability itself. If the vulnerability has a critical severity (e.g., CVSS of 9.0 to 10.0), what is your exposure? If the vulnerability can be exploited remotely without user interaction, then it’s very serious and should be remediated ASAP.
However, if the vulnerability requires a local user account to be exploited and only a few trusted employees have an account, and those accounts are protected with Multifactor Authentication, you can de-prioritize since your risk exposure is much lower.
It’s about making risk-based decisions to help prioritize and become more efficient. Ask yourself what is involved to exploit the vulnerability and what kind of data is at risk.
And if there’s really no time – patch early, patch often.
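The risk-based prioritisation described in the answer above, written out as a small triage rule set (an added example, not code from the interview or from Solace). It assumes findings carry the CVSS v3 metric letters for attack vector, privileges required and user interaction, and the tier names and sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool        # reachable from the public Internet
    sensitive_data: bool         # holds information the business must protect
    mfa_on_accounts: bool        # few trusted accounts, all behind MFA

@dataclass(frozen=True)
class Vuln:
    cve: str                     # placeholder ids below, not real findings
    cvss: float                  # CVSS v3 base score
    av: str                      # attack vector: N network, A adjacent, L local, P physical
    pr: str                      # privileges required: N none, L low, H high
    ui: str                      # user interaction: N none, R required

TIERS = ("ASAP", "SCHEDULED", "DEPRIORITIZED")   # tier names are assumed, not the interview's

def triage(v: Vuln, a: Asset) -> tuple:
    """Apply the interview's questions worst-case first; return (tier, reason)."""
    if v.cvss >= 9.0 and v.av == "N" and v.ui == "N":
        return "ASAP", "critical, remotely exploitable, no user interaction"
    if a.internet_facing and a.sensitive_data:
        return "ASAP", "Internet-facing asset holding sensitive data"
    if not a.internet_facing and not a.sensitive_data:
        return "DEPRIORITIZED", "internal asset holding no sensitive data"
    if v.pr != "N" and a.mfa_on_accounts:
        return "DEPRIORITIZED", "needs an account; accounts are few and MFA-protected"
    return "SCHEDULED", "regular patch cycle"

def triage_queue(items):
    """Rank (vuln, asset) pairs: most urgent tier first, then higher CVSS first."""
    ranked = [(v, a, *triage(v, a)) for v, a in items]
    return sorted(ranked, key=lambda r: (TIERS.index(r[2]), -r[0].cvss))

# Constructed sample inventory (assets and findings are made up for this example).
VPN = Asset("vpn-gateway", internet_facing=True, sensitive_data=True, mfa_on_accounts=False)
WIKI = Asset("internal-wiki", internet_facing=False, sensitive_data=False, mfa_on_accounts=True)
HRFS = Asset("hr-fileserver", internet_facing=False, sensitive_data=True, mfa_on_accounts=True)
SAMPLE = [
    (Vuln("CVE-0000-0001", 9.8, "N", "N", "N"), VPN),   # unauthenticated remote flaw on the perimeter
    (Vuln("CVE-0000-0002", 7.8, "L", "L", "N"), HRFS),  # needs a local account on an MFA-protected host
    (Vuln("CVE-0000-0003", 7.5, "N", "N", "N"), WIKI),  # remote, but internal and non-sensitive
    (Vuln("CVE-0000-0004", 6.5, "N", "N", "R"), VPN),   # needs a user click, but sits on the VPN
]

if __name__ == "__main__":
    for v, a, tier, why in triage_queue(SAMPLE):
        print(f"{tier:<14}{v.cve}  {a.name:<14}CVSS {v.cvss}: {why}")
```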
7. How do you stay up to date with industry news about cyber security? Feel free to share the sources/websites with us.
This is easy and I don’t feel like it’s a task I’m forced to do. I just do it since I really like cybersecurity. I read articles, blogs, and whitepapers, much of it a daily ritual. I listen to podcasts. I follow a variety of Twitter users. And, more so pre-pandemic, attend conferences.
I have a list of technology and cybersecurity websites that I tend to frequently visit. I’ll also check out whitepapers and blogs from vendors (e.g., CrowdStrike, Mandiant, and Microsoft) to get a more detailed analysis, depending on the topic I’m diving into.
Podcasts are great. I can be doing an activity that doesn’t require focus and listening to a podcast at the same time. For cybersecurity-related podcasts, I really like Risky Biz and Darknet Diaries. SANS Internet StormCast can be a neat and quick way to start the day. There’s more out there to choose from and, of course, many great podcasts outside of cybersecurity.
8. Our last question is usually a personal one: what personal development do you do on a regular basis to keep yourself sharp?
Earlier this year I prepared for and passed the CISSP, which was both interesting and challenging. Thankfully I was able to leverage my experience, but of course, I still had to study and prepare. Now, to help maintain it, I take online courses and ask those on my team to do the same. At least one per quarter. I think it’s important to continually invest in yourself, especially with the rapid pace of technology, but I do give flexibility in course selection. I put more value on the action than the content. Continual improvement.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.