CISO Insider S2E4 — A risk-based approach to data security with Chris Sandulow

July 12, 2021
On this page

At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.     

We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.  

In this episode, MongoDB Deputy CISO Chris Sandulow joins us for a discussion on the challenges and opportunities he faces in his everyday work as a data and security steward at one of the leading document-oriented database services. 

Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at marketing@nightfall.ai.

Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with Chief Information Security Officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.  

Chris Martinez: Today on CISO Insider, MongoDB Deputy CISO Chris Sandulow joins me for a discussion on the challenges and opportunities he faces in his everyday work as a data and security steward at one of the leading document-oriented database services. One big idea rises to the top in our chat: how a risk-based approach to issues and productivity flexibility allows his teams and organization to do their best work as security practitioners, and as individuals. This approach is based on empathy for his teams, understanding customers' needs, building a nontoxic team for continued success, and creating the right work-life balance at MongoDB. This plus a lot more is ahead on today's episode. Please join us in welcoming Chris to CISO Insider.

Chris Martinez: You've had a really interesting career path from the Army, to financial services, and now to the document-oriented database space. How has this career path impacted how you approach data security?

Chris Sandulow: I went to college for electrical engineering in 2004. At the time, information security was not a mature field, and there were not a lot of practitioners out there. In college I had a love of audio. I used to build amplifiers and crossovers and drivers, so I went to school to learn more about that. I left college thinking I would be building robots, and I landed my first job at the Department of Defense working for the U.S. Army. While I was there, I met some of my best and closest friends and we all branched out to work in different branches of security.

Chris Sandulow: When I left the military, I focused my career on taking a number of different, very technical roles in different domains. I thought if I could understand the technical nuances of a particular domain early on, I could probably make better decisions in those areas later in a senior management role. I took roles that gave me experience in different domains, particularly in areas like incident response and automation, which got me into coding and scripting; and offensive security, like network and pen tests, which taught me a lot about SDL steam maturity and how to attempt to eliminate classes of problems. Then I stepped into the startup world, where I was MongoDB's first security hire. Over time, MongoDB allowed me to grow into a leadership role, where I could take my knowledge from different domains and apply them from a leadership perspective.

Chris Sandulow: I've studied large organizations with lots of resources to learn how they manage security, and I’ve watched how very small companies and startups manage security. I’ve also studied the different types of leaders in those organizations and what they've done right and wrong. To sum it all up, I tried to look at a bunch of different environments and how each organization was approaching the security problem, and take what's best out of those environments and avoid what was the worst.

Chris Martinez: How does your team maintain visibility and security of critical data for the entire company?

Chris Sandulow: It’s important to focus on relationship building and nurturing those relationships. While I might not be aware of all the assets out there, somebody is, so it's important to find ways to connect those people and nurture that relationship. One thing that I always talk to my colleagues about, and particularly people on my team, is that you must desire for your colleagues to succeed. We don't need to be best friends, but it's important to understand what success means for them, and understand those teams’ processes, their perspectives, and their roles. If you have this information, it's easier to create a relationship with someone in a non-combative way, and help them feel comfortable sharing information with you. It’s helpful to understand what's out there and maintain visibility, and make people comfortable with working with us.

Chris Sandulow: Secondly, we also invest in a security championship program. I found this to be really helpful to connect our team with others out there that have an interest in security. At MongoDB, we specifically speak with people across multiple different departments, and we engage with them regularly, and utilize this relationship for info gathering and focused training, as well as proof of concept for pilots amongst a group of people that have some passion for security. And lastly, even though this sounds obvious, it's really important to be aligned with business objectives and thinking about the direction of where the business is going, and expanding upon that. We need to understand if we make a certain product decision or certain change — then ask what it means to the security posture of the product. What does that mean to our current plans, and does it impact our capabilities at all? The common theme here is relationships and making sure that you nurture those relationships, and understand the perspectives of the people you're working with.

Chris Martinez: Where are the biggest hotspots or areas of concern for data security in your organization? You can be general, like naming specific code repos or databases, or actually naming the apps.

Chris Sandulow: I think third-party vendor management is a problem, not only for us, but for everyone with a relationship with third parties. If we think about security products back in the day, you generally had the concept where you could bring a software product on premise. If that was in your environment, you had some level of control around how you could operate that product and maintain security controls around it.

Chris Sandulow: But nowadays, many products simply aren't available on premise, or we don't want to maintain them on premise. So you're stuck with having to accept the security constraints of a SaaS vendor and what they have in place. This often means you might be stuck in a situation where a vendor is business-critical, but you're unhappy with their security posture, and you need to make a risk decision and determine if there are other ways to limit that risk. It can be very difficult to make a realistic business discussion around this, given the difficulty in monitoring the security practices of a third party vendor.

Chris Sandulow: Commingling and conflating work and personal life is also a hot spot for me. This is due to the current-COVID situation and the work from home posture many companies have adhered to. In particular, I'm worried about employee burnout. As the line between work and life becomes blurred, it's hard to get assurance that people are taking time for themselves and not burning out. I have a personal concern around that for not only my own team, but other people, to make sure that they are able to draw those boundaries. 

Chris Sandulow: Related to that is, of course, when you're working from home, you might not always be using corporate assets. You might be using your own devices at home. This creates situations where, as a parent, perhaps you have a computer for your children to play games on, and maybe you want to hop on there and check an email. Understanding the risk behind that is not always apparent to people who work from home. From a corporate security perspective, we have to make decisions: Do we want to force employees to work in a particular manner? Do we want to give them some productivity flexibility, especially during these challenging times? The pandemic has created some scenarios where we may have to get more comfortable with situations that we haven't been in the past, or think of interesting creative solutions to reduce the risk around those situations.

Chris Martinez: Now we're going to get into some questions about the security leader role. What unique challenges is your security organization facing in the new landscape of rapid cloud adoption and remote work?

Chris Sandulow: You said rapid cloud adoption, which is a key part of it. I had mentioned earlier that a concern of mine is third-party vendor management. That's a part of this SaaS proliferation, or the proliferation of add-ons, or things you could extend existing programs with. In many of these cases, it's “take it or leave it” with respect to the security of a particular vendor or product. This creates situations where you may have to ban the use of a certain piece of software, or a certain extension, because it's not mature enough for your security needs. One particular area of focus is browsers — it helps to think about them in terms of the type of controls that you would want to put on an operating system or an endpoint. Start by asking, should my browser have the same types of controls as that I’d put on an operating system or endpoint solution? 

Chris Sandulow: We think about things like browser extensions, and when you work through a certain application in a browser, you can often use OAuth or other protocols to integrate a third party with your data. That becomes very difficult to manage, and some of those management processes are now with the employees themselves. Thinking about the work from home environment with people using personal devices — a lot of work is happening through a browser now. It becomes very difficult to get assurances around how people are working in browsers and whether the security controls there are sufficient. This is an interesting area to focus on and learn how we could enable employees to use the tools that are best for their productivity and environment, but also get some assurance around how they're extending the usage of certain tools, and making sure that they're not using anything that's malicious like a Trojan.

Chris Martinez: MongoDB has been around for a long time, and it's easy for big companies with a long history to have a “seen-it-all” mindset. How has MongoDB's approach to solving data security problems evolved over the last decade as a company?

Chris Sandulow: Here’s some of my philosophy around providing solutions. In general, I think it's important to always make sure you provide a risk-based approach. It sounds obvious, but a one size fits all solution is probably the worst answer in most cases. If you're giving the same textbook answer to a problem, you're not really providing value. Going back to the concept of nurturing relationships and understanding the missions of other teams in your organization — this approach helps you give pragmatic solutions that others will appreciate because they understand that you're thinking about their context. Nurturing relationships and continuing to explore those connections is important. Lastly, finding different ways to incentivize people to come to you and work with you. Championing other programs and calling out and even marketing different successes is important to incentivize others to want to work with you.

Chris Sandulow: I'm very strong on that particular point, probably because I've seen this go very poorly in other organizations, particularly with some security teams that are often seen as combative. They add friction to a process, and that ultimately results in situations where people want to go around the security team and not work with them. I’ve found an empathetic, nurturing approach to be very helpful when learning more about the people you're working with, particularly at MongoDB. The journey here MongoDB has been very interesting. When we first started, we largely sold on-premise enterprise software. We would sell licenses and our customers would install our software in their environment, and they largely would be responsible for the management of that software and the data being used by the software. Fast forward to now, where we, like most companies, are now focusing on offering a cloud-based solution because this is mostly what our customers want.

Chris Sandulow: In this new world, the focus for security changes to be less about corporate and SDLC on an on-prem product to be more about nurturing customer trust and getting customers to feel comfortable with the product environment and how you're protecting it. What we found to be really valuable here is getting to a point where you have multiple independent third parties performing an audit and attesting to your controls over time, and then exposing that information to your customer. From there, the customer can see that not only are you marketing great features, but you also have an external third party saying the same things about the product as well. I think it's also important on the product side to completely understand your customers. Particularly in the SaaS space, there's always going to be a set of customers that are not comfortable moving to the cloud, or that have certain workloads that are very sensitive.

Chris Sandulow: We've tried to understand and work with them and provide specific features that help them feel more comfortable. Particularly at MongoDB, we have a great feature called Client Side field level encryption that allows our customers to seamlessly encrypt data on their side as a client and work with the data seamlessly to the point where our cloud service is only storing encrypted information, and we can't see what they're storing under any circumstances. Features like that, as well as demonstrating our operational maturity, goes a long way in helping our customers trust us and want to work with us.

Chris Martinez: What insights can you share as a leader in the technology space, both as an organization and as an individual security practitioner?

Chris Sandulow: It’s important to educate your peers and make other senior leaders aware of the goal of your security program. This might sound obvious, but it's important to state that the goal is not to make a hardened shell that is completely impenetrable or that can't be hacked. That's nearly impossible. If it was possible, it would be infinitely expensive. The discussion should be around raising attacker costs, and making it infeasible to attack certain parts of a company, because it would be too expensive for the attacker. We are resource-constrained, but so are the attackers. The attackers are not going to go after something that's very hardened. I think selling this point and making everyone aware that this is your objective is a key point in understanding how risk decisions and discussions should go.

Chris Sandulow: In particular, I'm a big fan of using tabletop exercises to highlight this and to raise awareness, particularly among executives. We've had a lot of success in doing that. Secondly, I think building a non-toxic team is really important, and arguably more important than building a team of technical wizards or rockstar type engineers. I personally feel that having strong relationships and nurturing those relationships with other parties is really important. That's ultimately how we become successful. A non-toxic team is extremely critical because this team will be working on incidents. You're going to be working in situations in a high stress environment where timing is critical, and making sure that team works together efficiently is absolutely critical to being successful.

Chris Sandulow: As you become more senior, it becomes more important to protect your time. I transitioned from a hands-on engineer to a senior manager and leader. As you progress up the career ladder, you will have an unlimited number of people that want to talk to you, and just as many people that you want to talk to, from people within your own organization to vendors. There is never enough time to talk to enough people and do your project work, and somehow make time for yourself and family life.

Chris Sandulow: It's important to make sure that you carve out time for what's important for the business, but you also have to protect your time so that you're not always running out of time. And lastly, staying up-to-date is critically important. Stay in touch with your vendor communities, the open source community, and utilize your own personal networks, whether that be Slack organizations, LinkedIn, or your own personal connections. Being on top of what's happening in the news, how others react to certain incidents, and what capabilities are out there is absolutely critical to make sure that you know the best solutions to the current problems today.

Chris Martinez: Can you elaborate on some of those tabletop exercises that you do?

Chris Sandulow: Topic wise, we tend to stay on whatever is forefront in the news. In particular, our objective here is to raise awareness among other people that are not security professionals. They typically have the level of knowledge that you would see on the front page of CNN.com — a very high level report on a hack that happened. We try to construct a scenario that includes the same level of detail, but also includes areas within the business that we could use additional guidance on, and how we want to solve that particular problem. I'll give you one critical example with ransomware, and the general questions of, “Could we be ransomed here? What would that look like? How would we respond? What would it look like to our customers? Do we have their appropriate playbooks to respond for different teams, whether that be communications, engineering, or other teams?” These questions can lead to a lot of interesting discussions, and also highlight to different leaders that they may have gaps that we need to address.

Chris Martinez: In our cloud-first world, how are you thinking about securing all of your cloud infrastructure and applications? Where are the biggest gaps, and where are the best learnings coming from?

Chris Sandulow: Third party vendor management is really important. You must understand how companies or vendors have access to different parts of your systems, or different parts of your data. More specifically, a common problem is static credentials that third-party vendors use to work with you. In many cases, we have to deal with static credentials, and that creates a number of problems. We have to worry about how the vendor is protecting those credentials. Even internally, when our employees have access to this information as part of their job, we must make sure that joiners, leavers, and movers on certain teams have their credentials rotated. Achieving solid operational maturity around that is important.

Chris Sandulow: If it's very expensive for your team or the engineering team to rotate credentials, it's probably not going to happen. It's important to have those discussions ahead of time, so you can create processes to make it seamless when it needs to happen. I think I've mentioned asset discovery a couple of times. We can't secure what we don't know about, so it's really important to make sure that you're aware of the tools and services your company is using. On that note, it's important to reinforce that shadow IT, or employees spinning up and using their own services, cannot be permitted. Culturally, it should not be permitted because it's not something you can control. 

Chris Sandulow: We've seen a lot of success integrating closely with our procurement processes. Long story short, if you want to get something paid for, insert triggers in there so the security team is aware, and can follow up when something new comes up that we weren't aware of.

Chris Martinez: What's one hidden or lesser known skill that security leaders really need to excel in their work, on the security side and as a successful manager and co-worker?

Chris Sandulow: I personally consider that most cyber security problems in all domains are, to this day, unsolved. We have a bunch of tools and ideas about how we can reduce risk, but the problems still exist and they don't necessarily go away. There's any number of examples of companies who have spent billions, and they still get popped in very creative ways. I think it's important to think about that and realize that these are unsolved problems, and think about the type of people that we would need to help us find different ways to solve these problems. We should try to hire people that have different backgrounds and different perspectives, because if we hire people that all have the same mindset, we shouldn't expect to get different or creative ideas.

Chris Sandulow: I personally like to hire on personality and passion first, and technical experience after that. If someone is passionate about a particular area, they're going to think about it in a different way than someone who's not. From a personality perspective, if they're the type of person that's comfortable sharing this information and working with others, it will lead to creative solutions. Long story short, I avoid a monoculture. I have found that approach leads to better solutions.

Chris Martinez: What motivates you to get out of bed every day as a security practitioner?

Chris Sandulow: Definitely, my family, my son and my wife. That's most important to me. But on a professional note, seeing my team's output is a huge motivator. I am so proud of my team. Sometimes I pass a very high-level objective or vision to them, and they run with it. Seeing the output is extremely rewarding. I'm happy to have an amazing team working with me, and I'm really excited to see the output that they deliver.

Chris Martinez: What are the top two lessons you've learned from your team in the last year?

Chris Sandulow: The dedication of my team has always impressed me. When push comes to shove, the team always delivers. Particularly, building out a team during COVID where you're working with people that you've never met in person, or who have never been to your office in person. I had some concerns about how to make sure that they know the proper ways to work remotely, or the proper ways to work on high severity items. But all those concerns were unfounded. I am continuously impressed by the team and their dedication.

Chris Martinez: Now that things are opening up again, and we're trying to get out of the COVID funk, what security-oriented conferences are you looking forward to when things start opening up again? And which ones do you typically get the most value out of?

Chris Sandulow: I think it differs for everyone. I'm looking forward to Black Hat this year. It's been a number of years since I've gone to Las Vegas for this. I'm looking forward to going back to see old friends and connect there. Generally when I think of conferences, I get a lot of value out of walking the perimeter of the vendor expo area. I particularly call out the perimeter, because that’s generally where the smaller booths with the newer companies are, and I think that's where you're going to see a lot of new ideas. The larger booths in the center tend to be companies you're already aware of. I like to talk to the newer players in town, and see where they're going.

Chris Sandulow: Regarding content in conferences, I think a lot of the high-level talks are mostly rehashed ideas, so there's not a lot of actionable ideas that come out of things like keynote speeches. Maybe you can get some thought leadership out of that. It's more important to think of conferences as a training and networking exercise for your staff and teams. It's a good way to have your team network and meet people outside your company, and help them build their careers.

Chris Martinez: Which podcasts or books have you read lately that you can recommend to our listeners?

Chris Sandulow: I'll give a generic answer for this one, because I think everyone has very different opinions on books and how to consume content. I think the most important thing here is making sure you're staying up to date with what's going on in the world. Some people like Twitter. Some people like LinkedIn. Some people like their own networks. But really the most important thing is to find what works best for you and where you find the most value, and then carve out time for that. Make that part of your weekly routine. Make sure you have time to stay up-to-date. Don't treat it as a thing that you should do in your personal time or do elsewhere, because you’ll probably end up dropping it.

Chris Martinez: That's really good advice. A lot of the time when we think about personal enrichment for work, we don't put it into our work schedule, even though it is part of what we're doing at work.

Chris Sandulow: A lot of people do that. I guess it's part of the hustle mindset where you always have to be working 24/7 and you think even when you're at home, you should be working and thinking about work. I think that works for some people at certain points in their life, but it could be unsustainable for others. I think it's more realistic and pragmatic to build your learning into your workday, so that you have time for it. You should block out time for it, as opposed to leaving it to something that you'll just do whenever you think you’ll have free time.

Chris Martinez: Do you have anything you'd like to promote, like your personal social media channels, like LinkedIn, or articles you've written, or anything else you want to share?

Chris Sandulow: I want to share that we have our conference coming up soon. MongoDB.live is this July 13th and 14th. I encourage people to register. It's free. We have a lot of interesting programs at the event, so please join us at MongoDB.live. It will be virtual on July 13th and 14th. 

Chris Sandulow: I invite anyone listening to connect me with me on LinkedIn if you'd like to contact me and talk more on any of these topics. I'd love to continue the conversation on LinkedIn. Thank you for having me on the show.

Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry's first cloud native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI. That's Nightfall AI, and email us at marketing@nightfall.ai with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you'd like to hear from. Stay safe out there and we'll see you again next time.

Next time on CISO Insider, One Main Financial CISO Michelle Valdez sits down with us to discuss how to build a community of cybersecurity through resilience and reducing human risk. We’re excited to share our discussion with Michelle with you on July 21. Stay tuned for the rest of our season 2 lineup!