At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.
We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.
Acquia’s VP of Security and CISO Robert Former joins CISO Insider to chat about the importance of securing user data in his dual role at Acquia as a steward of security operations and governance, plus many more exciting topics around data security.
Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at email@example.com.
Chris Martinez: I'm Chris Martinez. Today on CISO Insider, we’re joined by Acquia’s VP of Security and CISO Robert Former. He discusses his experiences as a cybersecurity leader and how radical transparency has helped him at every step of his career, making the right decisions for his org by accepting the appropriate levels of risk, effectively managing data security and compliance in a platform as a service environment, and maintaining the connections necessary to make remote work successful. We also get into what ethical hacking really means and the importance of securing user data in his dual role at Acquia as a steward of security operations and governance. You'll hear the straight talk with a sense of humor on cybersecurity in our chat with Robert today. Please join me in welcoming Robert to CISO Insider.
Chris Martinez: Today I'm joined by Robert Former, who is the CISO and VP of Security at Acquia. Thank you so much for joining us. How are you?
Robert Former: Doing well. Thank you for having me here, Chris. I'm really looking forward to it.
Chris Martinez: First, we're going to get into some questions about data security fundamentals. In your own words, why is data security so important to you in your role and for your company?
Robert Former: Data security is almost a personal crusade for me. As a penetration tester, I've been able to find how easy it is to leverage simple mistakes and gain an unholy amount of information. As the VP of Security and Chief Information Security Officer, I am where the buck stops when it comes to security. I have to answer to the CEO, the board and most importantly, our clients. At our company, we take on a lot of client data. We're a platform as a service, so we're not just taking on our clients' data, but we're also taking on our clients’ clients' data. There are several layers of responsibility here. But ultimately, the buck stops with me.
Chris Martinez: Can you talk about the positive impacts of ethical hacking and what you think people really need to know about this discipline that they may not know?
Robert Former: Ethical hacking is an essential part of this industry because so much is done over the internet, and there are many places that things can go sideways, whether through just simple mistakes or malicious code. My personal experience has been that the best way to catch a thief is to hire a thief. Ethical hacking is also fun. The results can be important for an organization, which is why I feel it's important for organizations to engage with ethical hacking.
Robert Former: People hear the word hacking, and they immediately think of negative connotations, but the original meaning of the word hacking was to get in there and try and figure something out. It was not a negative connotation. Ethical hacking or ethical pen testing is the same thing. You're in there to learn and find things and fix things. I think that the industry needs to remain focused on the fact that there really are good actors doing this across the entire field.
Chris Martinez: You've worked in many different sectors over your career, from IoT to the energy sector and now maintaining Drupal websites and AWS. What security lessons have been relevant for you across the board in these roles, and how has working across these different sectors been different?
Robert Former: One of the chief lessons that I've taken away from every single one of these roles has been from ethical hacking: how the ability to learn from both your own mistakes and other people's mistakes improves the quality of the product and the quality of the code. I really started to get into this when I was working in the energy sector on smart meters. The team that I worked with at that company, they were fantastic and receptive. We had an intense and very effective internal research team, making certain that the product that we pushed out the door was as safe as we could reasonably make it. And that was important because the product we were pushing out the door at that time was literally a life or death type of device. If the smart meter cut power to somebody who's on a ventilator or some important piece of medical equipment in their house, you can do extensive damage.
Robert Former: From there, I moved into the financial industry, and later SaaS, data centers, platform as a service for two companies now, and that's just reinforced all of those lessons for me. It's easy for things to slip through the system and past automated tools. You actually need to get the human in there. The more layers you have, the more checks you have. As long as you keep it reasonable, and you can still release your code, the better quality of code you're going to release means your users will be safer.
Chris Martinez: I'm glad we're talking about your work at the energy company because the next question is about your work specializing in security research in the energy sector. Can you speak to the work you did in that role and share a clear picture of what security research is with our listeners?
Robert Former: I was working for a consulting firm at the time, and we were contracted by a sizable energy company on the West Coast. We were brought in to look at the security program and controls that were available on smart meters. When we were done with our assessment, we found that it was left wanting to a certain degree. And personally, I found that to be rather disturbing. At the time, there was a great deal of bad press going around about smart metering and smart energy, people making all sorts of ridiculous claims about getting headaches because of the radio frequency in it and things like that.
Robert Former: But shortly after, when the project ended and the report was issued, the company that made the meters I was working on offered me a position testing their meters. They had taken to heart that they needed an external and objective perspective. I didn't have any skin in the game as far as the quality of the code, other than it had to be as good as possible. So I could be truly objective within the company. That was a really important lesson for me because I've carried that forward both as a security researcher and in leadership.
Robert Former: Security research is slightly broader than just ethical hacking. Security research means that you are digging into the elements of the product and the software and hardware itself. And you are part of the process from inception, from ideas through initial design, through testing and integrating security to those steps. You utilize security research to find out what could be done because security research is really the art of figuring out what a system will do when you try to make it do something it shouldn't. Quality testing is making certain it does what it should. My job is to figure out what can I make it do by telling it to do something different. That's the fundamental differentiator.
Chris Martinez: How did you get involved with writing and social media publishing on platforms like Security Sock Monkey, Security Facepalm Blog, and Dark Reading?
Robert Former: Security Facepalm is my personal favorite because this is a place for security practitioners to come together and talk about silly things that we've run into throughout our careers. One of my favorites was a story that one of my peers told me about a client of hers who insisted that they wanted to get a D minus on a PCI audit. Now, anybody who's dealt with PCI understands, there is no D minus. There is pass. There is fail. But the driver behind this was that they wanted to put the absolute bare minimum work into their security in order to convince people to buy their product. They weren't actually interested in the security. They were interested in the certification. That's a major disconnect, and that's what started me writing.
Robert Former: I started contributing to the industry where I could write either as a guest poster or on my own blogs. I've been invited to write some articles for Dark Reading and some other places because I do like to evangelize the usefulness of knowing what's on your own system and the difference that an objective security perspective makes.
Chris Martinez: What are the unique challenges when managing cybersecurity responsibilities in a platform as a service environment, especially around compliance?
Robert Former: Platform as a service (PaaS) is a unique middle ground between infrastructure as a service and software as a service. The key differentiator is that you share security and compliance responsibility with the client. So there's a line. That line can be somewhat fuzzy at times, between what we as a PaaS provider are responsible for, which is things like making certain that the operating system is properly patched and that the supporting apps inside the instance are kept up to date and that we're managing them appropriately, both from a software perspective and from a delivery perspective. But there's a point at which the customer has to take responsibility for some of the security and the compliance as well because you're writing and executing your own custom code there.
Robert Former: So it can get tricky at times in explaining how that works to new developers who have never worked on a PaaS platform before, or to new executives, or to new lawyers. It’s a unique challenge, and I really enjoy it because it's an opportunity to better understand what the client’s needs are. It helps us to understand what they need and helps them to understand what we can provide and what we cannot provide as a service provider.
Chris Martinez: In our previous chat, you mentioned how you think of compliance as a result of security. I'd love to hear more about that.
Robert Former: Going back to a little anecdote from Security Facepalm where I talked about the client who said they wanted to get a D minus on a PCI audit, and the story that they weren't actually interested in the real results of the audit. The purpose of compliance is to measure security. The approach that I prefer, and I find that most people in the industry feel this way even if they don't necessarily articulate it the same way, is to start with security. What is the goal of your organization? Don't set the goal of your security simply by the compliance frameworks that you want to achieve. Set them by your client requirements and adjust them based on business risk.
Robert Former: Once you've gone through that process, only then should you be asking, how do I stand up in compliance? If there's a compliance requirement that may be higher than what you've put into your effort, then you adjust your effort because that becomes a business risk. It becomes a business need for that particular control. Things like password changing cycles, password complexity cycles, and patching cycles are things that can vary in small, but important ways between different compliance frameworks and what companies are actually able to deliver. So in delivering compliance, you have to do it from the perspective of doing the right thing in security. Only then are you truly compliant.
Chris Martinez: Currently, you're in a dual role as CISO and VP of Security at Acquia. How are the two titles different in terms of work and responsibilities and teams that you manage?
Robert Former: The teams that I currently manage are half operational and half compliance. As VP of Security, I feel it's my responsibility to ensure that the security operations team has all of the tools and the resources that they need to do their job effectively and meet the requirements of our security controls. The vulnerability management team also falls on that side of the house. Again, it's important that I'm able to provide them those tools. Now, the other side being compliance, I feel it necessary to have a separate team managing the compliance efforts within the organization because there's a principle in auditing that says you cannot audit your own work.
Robert Former: The people who are actually doing the auditing are not on SecOps. They're not moving the knobs or flipping the switches or reading the dials. They are making certain that the people who do are doing that appropriately. The people who are reading the dials, flipping the switches, and turning the knobs, it's not their job to manage the governance of it. It is their job to do their job. By keeping those two parts of the house separate, that helps to define the difference between the VP of Security which is, I feel, an operational role, and a CISO which is a governance role more so than an operational role. That's my personal interpretation of the job.
Chris Martinez: When you think of managing compliance in your org, what are the top priorities in terms of systems you secure or other areas of concern?
Robert Former: Any system that touches data. So in any SaaS or PaaS environment, you have layers of systems. There are systems for control, tests, auditing, and logging. Following the data is the key to setting the priorities for security. You want to make certain that you're putting your utmost effort into building as many different security layers around the client data as possible. Because that's really the brass ring in this, is to get that client data out of the system and to close that client data. Otherwise, you wouldn't be protecting it, right?
Robert Former: That's where the priority lies. And all other controls flow from that. The goal of our security program is to protect customer data first, and ensure the confidentiality and the integrity of that data, and then to protect the availability of that data. Confidentiality and integrity always should come first. Then every other system is built to support that goal. As long as you keep that goal in mind, you don't get caught up in the minutiae of advice about what it takes to get a control done. Focus on control intent. What do you need to accomplish? Sometimes, you may be able to find a creative yet equally effective way of getting something done that works better in your new environment such as PaaS.
Chris Martinez: In your previous answer, you were talking about treating confidentiality, integrity, and availability of data as separate things. Can you talk a little bit more about why?
Robert Former: It really comes down to what is the purpose of security. Availability is a very important part of security and securing any system because data that you can't get to is useless. But there’s also an old adage that the most secure system in the world is the one that you never turn on or that you never put data into. That's why I like to focus first on the confidentiality of the data, if that's an appropriate part of it, or the integrity of the data. It really depends on what the client's requirements are, but confidentiality and integrity of the data have to come first. If I have to sacrifice data availability in order to protect that confidentiality and/or integrity as is important to the client, then that's where I'm going to focus my efforts first.
Robert Former: Now, there is a reasonable use case where availability is more important than confidentiality and integrity, but that's on a customer by customer basis. That becomes more of an operational question to me, making certain that you can maintain that availability through fault tolerance, high availability DCPDR programs.
Chris Martinez: You are a practitioner of radical transparency in your role. How can CISOs and other tech leaders learn and refine this powerful skill?
Robert Former: I view radical transparency as absolute objective truth about what you are delivering to the customer. As a consumer of different security services, I feel that it's important that I objectively know what is the state of the service I'm consuming, because that allows me to make informed risk decisions on my system and how my system is going to deliver. But you can't have one without the other. You cannot expect transparency without delivering transparency. I've come to call it radical transparency because over the years, there's been a tendency to avoid exposing anything you don't absolutely have to. And it's not always a question of keeping the system secure. It's a question of not raising uncomfortable questions with your clients.
Robert Former: My view is that raising uncomfortable questions with your clients is the only way you're going to improve the system. That's the purpose of audits, and that's the purpose of radical transparency. I feel that it's difficult in some organizations to manage this. It's not always viewed very well by the sales, or management, or finance teams. But at the end of the day, if you have built a trusted relationship between yourself and your client where they trust you to tell them when something has gone wrong, it’s important for them to know that. They need to trust that you're going to tell them that because if you hold that information back and then something happens to their data, you're the one that's at fault for not informing them of what they need to know to make a risk-based decision. And here’s the radical part, even if that risk-based decision is to find another provider. It's not the best outcome, but it's the most honest outcome.
Chris Martinez: What motivates you to get out of bed every day to do your job as a security leader?
Robert Former: Results. Results matter. Effort is important, but you need to make certain that your effort is directed and your effort is effective. What motivates me to get out of bed is to protect our clients' data because I try to treat our clients' data the same way I would treat my grandmother's checking account. Don't treat it like your own data. Everybody is handing their data out on all the social media platforms. We will give away personal data for anything free. Don't treat it like your own data. Treat it like grandma's data because you wouldn't hand out grandma's social security number just to get a free T-shirt, would you? That's what gets me out of bed.
Chris Martinez: Can you give an example of the results you're looking for?
Robert Former: The result that I'm looking for is the ability to find a problem, resolve the problem, and then not find that problem anymore. There are always problems and things that need fixing. To me, the effectiveness is measured in how many of the things you actually find in the process of delivering security for your team and for your clients. Nobody's system is perfect. If you're not finding anything, you need to try harder. You're not quite doing your job.
Chris Martinez: What are the top two lessons you've learned from your team in the last year?
Robert Former: The first one, because of what's happened with COVID, many people in the industry are having their first turn at working from home, working in a socially isolated space. One lesson that has really been reinforced over the pandemic is to maintain contact. Have those one-to-ones, not just between management and team but between different team members and have a one-to-one where you don't talk about work. Talk about how your kids are doing in school or car trouble, or if you’re not doing well. That is the connection that we lose when we're not face-to-face in the office, and we have to make an effort to make that connection. Building the personal interactions is the biggest lesson that has been reinforced for me over this past year.
Robert Former: The other lesson I've learned from my team has been how much more effective people can be if they don't have to drive three hours into the office every day. There is so much productivity that has been recovered. My company is based in Boston. People have to drive on the Mass Turnpike. That's a nightmare. Not having to do that, it adds to time that they can work. It lowers stress because they don't have to deal with idiot drivers, and in the end, I believe that it has a strong positive impact on employee satisfaction with their job.
Chris Martinez: Can you share one positive thing that's come from your teams working remotely during COVID for you and your team?
Robert Former: As individuals, there are a number of members of this team and previous teams that had not really experienced working remotely or working from home on a regular basis. And I think for many of them, this has been an important lesson in self-discipline. I have to be very careful about self-discipline and not go chase the latest thing that showed up on an ad or something that showed up on Twitter on my iPhone. There is a difficult degree of discipline that you need to apply to yourself. I think that's been an important lesson.
Robert Former: Watching the team struggle with that sometimes, whether it's my team or other teams, has informed my own approach to staying on task and focused. I've been working from home for years, but that doesn't mean everyone else has been doing it for years. I think there's another important lesson that's come out of this period, and that is a lesson for senior management. There's long been, I think, a reluctance to allow the work from home model because there was just an assumption that your workforce is just going to slack off in their pajamas all day long and watch soap operas and eat bonbons. It's actually proven to be quite the opposite. People are more productive. People can be more engaged. Yes, there are challenges, but they are challenges that, as individuals, we can meet. And as a team, if you work together, you can rise to and meet them and actually perhaps exceed expectations as a result. I think that's been an important lesson for leadership at the executive level.
Chris Martinez: If you could go back to the beginning of your security career and answer one question you had then, based on your knowledge and experience now, what would that question and response be?
Robert Former: Patience. You cannot change the world overnight. It is eminently frustrating to be in this business at times because when we find a problem, we want to fix the problem quickly. And even the smallest thing can build to a certain level of urgency internally, particularly when it's not being addressed quickly. The lesson that I would go back and teach myself is one, be patient. It takes time to fix things. The older systems and policies are, and the longer they've been in place, there’s more effort and time and socialization it takes to effect change.
Robert Former: The other thing I would go back and really pound into my skull would be to stop pursuing perfection. Sometimes good enough is good enough. Focus on the goal of what you can control and focus on the business risk. You can't spend $10,000 to solve a $1,000 problem. You can spend $1,000 to solve a $10,000 problem. Know the difference. Understand and learn what it means to accept risk. That could be the hardest challenge, and that would be the biggest lesson that I would go back and try and teach myself.
Chris Martinez: I love what you just said about accepting risk. Can you get into that a bit more?
Robert Former: A good example is riding a motorcycle. I love riding motorcycles. I had a number of friends who had some very serious accidents, and every time that happened, I had to step back and do a risk/reward calculation. And for the longest time, I chose to accept the risk. When I was younger and didn't have any children, I didn't have as much to lose if I got into an accident. As time wore on, my personal take on the universe required me to be a bit more cautious. I watched the folks around me here in Michigan start riding without helmets, which personally is not something I could do. I feel naked on a motorcycle without a helmet, but that's a risk decision someone else has made.
Robert Former: And that's the key, risk acceptance. Understand what your appetite for risk is, and understand that should the consequences turn out the way you didn't want, you still have to accept responsibility for having accepted that risk. That's what risk acceptance is. It can be just as hard to not accept a risk. It's the lottery problem. Everybody plays the lottery because they think they're going to win. Everybody who goes cliff diving does so because they don't think they're going to break their neck. Positive outcome or negative outcome, risk acceptance is about weighing the possibilities and understanding what you truly are willing to accept as a risk.
Chris Martinez: I heard you're starting a podcast. I would love to hear more about the podcast from you.
Robert Former: It’s still in the idea phase right now and, frankly, it’s giving the opportunity and the excuse to buy more equipment. Who doesn't want more toys? What I'm going for is ultimately going to be a semi-comedic take on security and compliance. I have an unusual sense of humor, and it comes out in some almost inappropriate times during conversations, but it also has served me well to defuse difficult and intense situations. So the way I've been explaining this to people is my goal is to put together a short podcast, topic-driven, but with an approach that kind of blends Lewis Black style of curmudgeonly yelling and early Dennis Miller almost arrogant intelligence that comes into it because you're not taking yourself too seriously when you do that. I like to think that that helps to get the point across. It's very much a work in progress, but I'm hoping I can get this off the ground in the next few months.
Chris Martinez: Do you have anything else you'd like to promote, like social media channels, articles you've written, pieces from your team or anything?
Robert Former: I've seen a number of folks on Twitter who have done a fantastic job of doing a positive take on security and compliance. SwiftOnSecurity is one of my favorites. Accidental CISO is another one that I've been following. I think that that particular individual has had some really good takes. Wolfgang Goerlich is a pragmatist from the word go. There are a lot of good authors and influencers on Twitter that I've been following. I've also found some amusing stuff on Reddit. Some of them get pretty inappropriate at times, but it's amusing to me.
Robert Former: As for writing, my team hasn't had much of an opportunity to do that yet. We're working toward building that up. I guess the only other thing I would say is if you can find your way to either the Security Facepalm blog or the Security Sock Monkey Twitter account, those are places where I let off steam, frankly. I used to try and do it anonymously because I didn't want the attribution to some of the things I was saying to get back to me because getting back to my job. Instead, I'm a little more generic about what I say in there now, and that's the lead up to the podcast.
Chris Martinez: Totally looking forward to it, and we will make sure our listeners can access that. Thank you, Robert.
Robert Former: Thank you very much, Chris.
Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry's first cloud-native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at @NightfallAI. Email us at firstname.lastname@example.org with questions, feedback, and suggestions about CISO Insider including suggestions for CISOs you'd like to hear from. Stay safe out there, and we'll see you again next time.
Next time on CISO Insider we’re joined by Lisa Hall as she talks about her experiences as Head of Information Security at PagerDuty. Stay tuned for this great discussion with Lisa coming in February 2022.