Our CEO, Matt Caulfield, recently sat down with Eric Richard, CISO at HubSpot. Eric spoke about his challenges, career path to becoming a CISO, why water balloons are like security, and advice for retaining security talent.
Matt: Tell me a bit about your background and journey to CISO
Eric: I've taken a very non-traditional path to becoming a CISO. I'm a VP of Engineering and I have spent my entire career running engineering teams creating software products.
I joined HubSpot 9 years ago when there were about 500 employees, and for the first six years focused on leading the engineering and product teams.
In my past roles I've always had an interest in security, and even had some security functions report to me. But this is the first time I’ve taken on the CISO title.
Although it’s considered non-traditional, I actually think there’s a lot of benefits coming from an engineering background – especially at a software company. It’s really helped me with threat modeling: I’m in a position where I know where we keep the crown jewels and the data that attackers are after.
Matt: What are your biggest challenges today?
Eric: The biggest challenge today is around MFA. It’s extremely difficult and challenging to get to truly unphishable 2FA. I don't want to rely on passwords that are stealable. Instead, I want to have mandatory, phish-resistant MFA, ideally tied to something you own and something you are.
I want phish-resistant MFA across all the devices that people log in from. Right now, it's challenging to get that. The current solutions that are out there don’t offer this, especially in a way where the user experience for our users is good.
We're finding that we can get 95% coverage but that five percent is still dangerous to not have it. It's a dangerous world and we know that bad actors are out there conducting phishing attacks against us all of the time.
Matt: How has the world of remote work changed your job?
Eric: The world we’re protecting now is very different to that of three years ago. Back then, when most of our employees came into the office, enormous amounts of effort went into our firewall and protecting our office network.
The edge of our network is probably getting attacked, you know, a bazillion times every single day. And the sophistication of those attacks and the ability for those attacks to get through is pretty low. Obviously, when you have things like Log4J things get interesting pretty fast, but I can’t remember the last time one of those sorts of attacks actually turned into something substantial.
Now, 80 to 90% of our employees are not in the office on any given day. We have had to move all of those traditional protections to the endpoint.
Attackers have now shifted to attack the employees and their devices.
So the first thing that I'm super focused on is protecting employee accounts, which are absolutely being targeted regularly. And as we know, humans are the weak spot in any security system. I'm always going to have some people who are gonna be tricked, but we’re getting pretty good at securing this side of things.
If attackers can’t trick users into giving them credentials and getting through MFA, the next obvious step is to trick them into installing software. This is often on their mobile devices. So the next obvious theme is device protection.
Finally, it’s one thing preventing someone from getting in from the outside, but what if they're inside? And how do you handle that? I think that's a whole new challenge that is the next journey we’re trying to go on.
Security is like a water balloon. If you squeeze one side, it just pushes water to the other. We’re never gonna say we're perfect but are the walls around the castle high enough that it pushes attackers to the next vector. The path of least resistance.
Matt: Should IAM sit under IT or Security?
Eric: I can tell you that we have an incredibly tight relationship between our IT and security team as it comes to IAM. The line that we've drawn is that IT can own the operations of IAM. For policy decisions around IAM, security is heavily heavily influencing–if not deciding.
For example, one of the things that we've been spending a lot of time on over the last year is asking which of our applications users have access to and from which devices? That's a policy question and sits with security. IT then helps to go and execute on making those changes, and that sort of relationship is the right one.
Our security team has been incredibly involved in questions like what sorts of 2FA should we have? How do you want to make it so things aren't phishable?
You can't see organizational boundaries. It’s just two teams working together.
When employees are terminated, all their company accounts–including Salesforce–should be deprovisioned. Unfortunately, the reality is that there are often discrepancies between what is in the HR directory and identities in Salesforce.
Matt: How do you make cyber security a board-level issue?
Eric: When something makes the news, for better or for worse, it obviously draws attention from the Board. If you look at the 0ktapus attacks from last year, all of those hundreds of companies are very recognizable. This makes it very relatable and ensures cybersecurity is not a strange, esoteric and theoretical conversation. I can then show the executive team how our employees are being attacked by similar techniques and similar actors.
The new SEC rules that are going into place around cyber security will also have a very interesting effect. Boards will be much more interested in this than they might have been in the past. I’m fortunate that the Board here is already really interested in cybersecurity, so this extends that further. People asking harder questions, challenging and pushing is going to result in better cyber security over time.
Matt: How do you go about attracting and retaining security talent?
Eric: Retaining strong security talent is critical. I am by no means the strongest security technical security practitioner in our team. By no means.
But I think this actually is why my background from engineering actually might be more applicable than a traditional CISO. Engineers love problems. They love puzzles. Almost everyone in my team is like that. They see the work as puzzles, interesting, and challenging. We have people in our security team who transfer from our product and engineering team and vice versa.
For me, the other most important thing I can do is make sure they know that what they’re doing is important. They have to believe this. Can they wrap their head around this really exciting and challenging problem that will have a meaningful difference to the company if they succeed?
In terms of attracting talent, I think it's probably very different depending on the stage of the company. For us, I tend to talk to people about how we are evolving our security program to meet the needs of a larger company. This is where Hubspot is at: we used to be a much smaller company and the security program that we had then might have been the right for that size of the company, but now we're a much larger company.
So some folks are attracted by the idea of helping the company grow up and transform it from one piece to the other. They understand where you're at and they understand what things have to change to get there and what might be different from other types of companies. Fortunately, there’s a group of people who see those as exciting challenges.
Matt: What advice would you give to yourself when you were first starting out? Any good books or resources?
Eric: It really is making sure that I understand the fundamentals. A lot of it is also being able to articulate that to our Board and Executive Team with that in mind.
Years ago, I went through the CISSP certification process and I think that gives you just a broad general understanding of things. We’ve also leaned heavily into the Center for Internet Security CIS Controls.
I’d also encourage you to find really good stories about just what's going on. I'm a big fan of following Krebs on Security and everything that he publishes. There's always interesting stuff going on in there.
My favorites are Kevin Mitnick's book Ghost in the Wires, Katie Hafner’s CYBERPUNK, Cliff Stoll’s The Cuckoo's Egg, and Takedown.