#LetsTalkSecurity – Security at the Speed of Change VP, Security Research
Transcript
Rik Ferguson: [00:00:00] Haha, tricked you this time. I waited for the music to end and a little bit more, because it’s the final show in the season. So, I wanted to do things properly. You know, how properly I wanted to do things. I had a major panic just 20 minutes before we were due to go on air. When I looked in the mirror for the first time today and realized that the humidity had caused an extremely bad hair day, I had to run for you, all for you, and washed and combed and brushed and made myself look presentable. So here I am. Presentable for episode five of let’s talk security. The final episode in this season, we will be back for more. Trust me, this has been fun. This has been informative. It’s been engaging. Thanks to you. Don’t forget. We are here to answer your questions as well. I have plenty of questions for this week’s guest, but we’re coming at you live. We’re coming at, you live on LinkedIn. I’m on Twitter and on YouTube. So if you have questions, drop them in the chat. And we’ll make sure that we get to them for you. Um, I had some fantastic guests throughout this season. Um, today’s guest is no exception. She has a long and storied career. Um, in fact, um, my guest and I started our careers in the same year. Um, but we have taken wildly diverging paths on our journey through information technology and security. My guest today started her career in the army. She’s gone on to work for US partner state for USDA, and she is currently a VP and chief information security officer at Carrier Global. She’s Nicole Ford. Hey Nicole.
Nicole Ford: [00:01:54] Hey Rik. How are you?
Rik Ferguson: [00:01:56] I am very well. I’m very excited to have you on the show. Um, what’s amazing is that for every show, and actually if you’re watching you don’t know this, but for every show, I always try and have like a preparatory chat with my guests the day before, or at least the morning of, something. With Nicole I couldn’t manage that because she is obviously an extremely busy lady and lots of demands on her time. Um, and we had a last minute panic, but Nicole has made sure she could be here with us today. And I’m super grateful for that, that you’ve kind of cleared the decks for us. Um, I was super impressed when I found you online, watching not only your ability to speak, and you’re super personable and clearly super experienced and super intelligent, but the amount of knowledge and wisdom you have to impart blew me away. So that’s why I saved the best for last. And I ain’t got you queued up for this final episode. So maybe Nicole, I mean, I’m totally building you up here, so maybe you could let everyone know a little bit about your journey. Cause like I said, it’s been long and storied. So how did you get into this business in the first place? And where did that journey take you?
Nicole Ford: [00:03:05] So I always tell people that, you know, back in the day, when I actually came into cyber, you don’t pick cyber, cyber picks you, right? Because there was no cyber. So information security really didn’t exist. All we, all we heard was IT. IT is, um, what I actually went into. So I started my career in the US army, um, doing a lot of top secret work, um specifically in an underground Skift in a mountain. When I tell people that they’re like, I’m sorry, what? Um, that’s where I really started my career. And, you know, spent a few years in the army and then, um, transitioned to the civilian world, where I was still working with the department of defense. I spent some time, um, building Naval ships for the department of the Navy. And, um, went on to work for a grocer, which is interesting because how do you go from department of defense, super top secret, to working for a grocer? It’s just, you know, one of those trajectories where you just take the opportunity as it comes and you just roll with it. Right. So worked for a grocer was super cool to learn, um, the retail and grocery industry, and then transitioned to work for department of state diplomatic security, which is super cool. Right. They manage all of the embassies around the world. So I really got a sense of what was occurring, now that was during 9/11. And there were several different information sharing initiatives going on during that time to make sure that, um, you know, the department of state and all the other, you know, three letter agencies could share information. So I participated in some working groups to really help facilitate that.
Rik Ferguson: [00:04:51] So what I think back to my days, like I said, 1994 was kind of according to LinkedIn anyway, that for both of us, that’s kind of day zero. Um, when I think back to my early days back then, a lot of the stuff that I was using and dealing with on a daily basis isn’t around anymore. Is that the same for you? Is there so much technology that you’ve left behind that you almost can’t count it?
Nicole Ford: [00:05:14] So imagine, remember the.com boom and all of the newer technologies that were introduced and how there was a shift between those technologies and the technologies even we have today. So from the nineties to the two thousands, and then, you know, to where we are, I’ll just call it the 21st century. Um, so there has been these major shifts of technology and I’ve been able to really follow them. I think while I was at state and I served as an enterprise architect that really gave me a sense of how to really architect solutions for large scale enterprises, which I think was really important. When you think about your security career, most people that started when I started, um, we were building IT solutions first. Right. We learned solutions. And as a result, we also learned how, um, you know, attackers or threat attitudes can impact those solutions very quickly. So it was just this migration from building to then understanding how to secure solutions.
Rik Ferguson: [00:06:19] So you mentioned during 9/11 you were working at the department of state during that 9/11 period did that cause any change in sort of the approach to information security, to cyber security?
Nicole Ford: [00:06:36] Wildly, right. So all of a sudden there was this focus, um, and you know, cybersecurity information security actually got a name for what we were doing. And it was really because they realized that the systems that were in place were all disparate, didn’t communicate with one another. And that there had to be a way to connect those systems so that we can derive outcomes, or understand that something is going to happen, or predict something happening, or stop. Right, so I think at that point it was a realization that we had to lean into technology because technology was important and could have stopped something a terrorist attack, which is exactly what 9/11 was. Um, and that we needed to lean into the technologies that we were using to be productive in the work environment. Now we need to use it to do bigger and better things. And I think that that was the door.
Rik Ferguson: [00:07:28] So, I mean, if we just kind of leap forward to your current role at Carrier, you have, you’ve not been there that long in the grand scheme of things, and you joined that at really transformative time for the business.
Nicole Ford: [00:07:42] Yeah, it was a huge, huge opportunity. You know, in my past life, it was the, this was the second time that I would have taken a company public. So, um, I had this opportunity to really help transform this 115 year old company, because Carrier has been around for 115 years, and we’re a founder’s company and most people know us as an HVAC company, but we’re so much more than that. I mean, we’re HVAC, we’re fire security and safety, and refrigeration. So imagine the pandemic and everything that’s happening now. Um, our ability to, um, carry those vaccines or help transport vaccines to places that they need to go to, even in disparate locations or rural locations was critical. So we play such a really, really important role. Um, and so imagine two years ago, somebody saying, hey we want to go public. Um, we’re going to spin off from, you know, the behemoth organization, United technologies, which was so super fantastic, and become our own company again. Right. So this is not the first time, but really just, um, a really pivotal point for Carrier. And so, you know, Carrier got an opportunity to really transform, um, really stand out. And I think that that’s really what we did so super exciting time to really come in, um, help to really craft a strategy to transition in a year. So imagine this, imagine starting in August of 2019, starting with Carrier and I’m focused on the IPO and then three weeks before the IPO, the pandemic hits, it’s super crazy.
Rik Ferguson: [00:09:24] And your priorities go 180.
Nicole Ford: [00:09:26] Right. So they turn completely and all of a sudden, now I’m focused on how do we get remote access to 55,000 people around the world.
Rik Ferguson: [00:09:37] That’s a huge workforce. I mean, that’s, that’s not small potatoes, you know, I always think of Trend Micro as being this great, huge global company. Uh, you know, we’ve been called an internet security giant by the media and so on, there’s 7,000 of us. So I can only begin to imagine the challenges of a 35,000 person organization.
Nicole Ford: [00:09:55] Well, it’s, um, 56,000 and we’re a manufacturing organization. We’re not, you know, super savvy in technology. So in some instances it was, hey let’s get remote access to these employees, but also we have to train them on how to use the tools and the systems and so on and so forth. So it was a really behemoth effort. Um, nine days we were able to get it done before, uh, everything was locked down.
Rik Ferguson: [00:10:27] So you were able to get what done in nine days? That’s an astounding number.
Nicole Ford: [00:10:31] Yeah. We’ll deliver, um, remote access to people so that they could go home and they could still work.
Rik Ferguson: [00:10:37] Standing start, like you had no real solution in place and nine days later you were done?
Nicole Ford: [00:10:41] No real solution in place. No real solution. We had a small POC because again, we weren’t, um, a separate standalone company at this point, so we weren’t even out the gate. So at this point we’re like, okay, well, we’ve got to get everybody online. We have to make sure that they can be productive during the pandemic. We don’t know how long the pandemic is going to occur. We have no idea how long people were going to be at home. And so in nine days we were able to roll out a solution and a strategy, scale it, so that we could leverage it for all of our employees, but then make sure that, um, we have resiliency built into the environment so that it would continue over the period of time, which was unknown to us at the time.
Rik Ferguson: [00:11:26] So what does that process look like? Where do you start? Obviously you start by going, I have to do what? But once you’ve done that, what comes after that?
Nicole Ford: [00:11:34] I think, I think it’s important to have really good leadership. And we did like, we have a fantastic leadership team at carrier. I’m super excited and always love working with the carrier leadership team and everybody just sprung into action. And we worked as a team. Um we really worked on, we had a few different groups of people, and this is where some of my military experience came into play, actually setting up a war room, having specific teams that were focused on specific tasks. And we really like scaled out the technology first, working with our vendors, we had really good vendors. Once we call them, and again, they’re getting calls from everywhere around the world saying, hey we really need your help. So the vendors played a critical role in helping us through this process and really working with them, scaling the technology. We had, you know, groups of people that were deploying the technology and training team members. I mean, we ran lunch and learns and webinars around the clock just to make sure people had everything that they needed. And we set up micro sites for people so that they could get the information very quickly, especially people who didn’t have specific access into our environment. So it was a massive.
Rik Ferguson: [00:12:51] And you approached all that from, from a zero trust perspective, right? That was the overriding architectural model that you were applying.
Nicole Ford: [00:12:58] Yes, and here’s what’s interesting. Like I said, we had everything in a POC, so, you know, that’s very, very small. Um, it was POC enclosed, uh, that we were running just so that we can understand the technology. Now, fortunate for me, I had already rolled this out prior at another role. So I had experience with this organization, uh, the vendor was fantastic and because of those relationships, we were able to really get their support and actually rolling this out, scaling it, and the zero trust architecture, the ability to scale using software defined, you know, software just in general helped. Because there wasn’t hardware we needed to deploy. Right, there’s more of a, it’s almost like a managed service approach. It really helped us because we now were partnering with one of the best in the business to actually roll this, this architecture out and get people onboard and online as quickly as possible.
Rik Ferguson: [00:13:59] So I know there’s a, there’s a US government, um, you know, not directive, but certainly a push towards zero trust within their own estate in the US. I think that’s going to give it some significant legs in terms of having a long-term sustained future as the de facto approach to security. Where do you see it going? Obviously, you know, the easy win for zero trust is for identity and access management, I guess. And that’s probably what you were mostly hitting in your initial rollout for IAM stuff. Where do you see, obviously, if I’m wrong, tell me, but that’s my, that’s my impression. So where else do you see zero trust being applicable? Because the reason I ask, I’m sure you’ve realized by now, all of this is coming off the top of my head while I speak to you. Um, the reason I ask is because I know that Carrier as an organization, you do, as you said, a whole load of different things that people don’t probably realize that you do as well as the HVAC stuff. The cold chain is smart culture chain. You do connected home stuff as well, right? And obviously you have your own corporate security needs as well. Where else in that whole web of things that you do as a consumer and as a provider of technology, where do you see zero trust fitting over and above identity and access management?
Nicole Ford: [00:15:12] So I think zero trust has a really unique position today. One thing that was very attractive to us was that it allowed us to quickly eliminate our tech debt. Now, remember I told you we’re 115 years old, but we’re almost like at this point, a well-funded startup, right? So we’re, well-funded startup. We have to get people up and running and then you’re right, we still need to be able to provide support and access to our own customers. We’ve got the connected code chain, IOT security, you name it. We’re doing it. Um, and we really had to look at how do we lean into and leverage zero trust as a digital enabler. And that’s what we did. We started to transition to the cloud last year. You know, our efforts were like, let’s use the cloud as much as possible because the cloud almost allows you to start over. Right, it allows you to say, okay if I could architect this properly, what would I do? And, it really kind of changes the paradigm to security, really being an enabler and looking at IAM as being the front door and the perimeter instead of what we would consider the traditional perimeter. And so zero trust has allowed us to scale quickly right, and do things that we would otherwise have taken us five, you know, six years and a really long road to get done. It doesn’t mean that we don’t still have things we need to clean up on the back end right. But what it does do is it opens up this environment that we can leverage, that is quick, that is nimble and allows for more innovation.
Rik Ferguson: [00:17:01] Yeah, it’s it’s um, you know, you, you mentioned, uh, adoption of cloud, um, being one of the other important pillars. And I know that you, the security team that you have now at Carrier, that’s something that you had to build from scratch, basically, because you were, you were extracting your organization from a parent company. So you didn’t take that many people with you and you had to build a team from scratch. So you’ve got, um, Uh, relatively new, um, security architecture, zero trust your, would you characterize carrier as a cloud first company did, did splitting out and give you that luxury to say we’re going to be cloud first or even maybe would you say you, I suppose you could say you were born in the cloud if we could.
Nicole Ford: [00:17:46] So imagine you have an opportunity when you’re splitting from a parent company to decide to leverage what’s already there or transform. And those are your two options you can either say, okay, I’m going to take what’s there and I’m going to make it mine. Or I’m going to transform, and we decided to transform. And then not everybody does that, right. Some people say I’m going to take the safe route and I’m going to leverage what’s there. Um, but for us, we were fundamentally different than our parent company, right. We are in the manufacturing space. We, we sell different products, HVAC versus, you know, aerospace and defense. Totally different. And so as a result, our ability to sell product is like the lifeblood for us. So using this ability to transform and leveraging the money that we received as a part of that divestiture was huge and allowed us to make smarter investments and make decisions on when we start any new project, we’ll start in the cloud versus starting in our traditional on-prem environment.
Rik Ferguson: [00:18:52] Yeah. I mean, it just makes functional sense as well as financial sense, right. Has that pivot to cloud as a basis for everything that you do, has that caused you to think about security any differently? Because I know obviously, you know, looking back through your career, my career, the hardware, the architectures, the best practices that have been available have obviously evolved and changed over time. Um, but security, the way that security was done, um, never really needed much of a fundamental change as much as it has. With the advent of cloud, has it caused you to consider security differently now that you are basically in a software defined world?
Nicole Ford: [00:19:36] Oh, absolutely. Like security is the key, right? You’re not transitioning to the cloud without having that security foundation. And so where we were all, you know, there’s always been that struggle between like infrastructure and security, and when they bring us in, well, when you’re in the cloud, we’re first at the door. We’re there. We secure everything. Um, I use cloud security directors and principals. Um, and they’re communicated across the organization. And they’re really important right. Here are our cloud security directives. These are our principles. This is what we’re going to live by, and we’re not going to deviate from these 10 or 15 things. And we’ve all agreed that those are the 10 or 15 things that are the most important. And it’s really all about hygiene in the cloud, right? Making sure that we have proper hygiene, making sure that we have a really strong IAM identity kind of program, and we’ve really invested in that space and we’re using some of the best technologies. I mean, MFA super important. Um, making sure that we’re leveraging role-based access. Um, making sure that we’re encrypting, I mean, those are like tried and true principles in the cloud, so you have to have a good cloud security foundation in order to make this work. And that’s what I think was different. Uh, for us, as we started to transform. We did our job first, and if we do it right, our security guard rails are in place every time an instance is spun up. So we don’t have to get in the middle of innovation, right? We don’t, because we’ve already built out the environment the way we want it. And so each time you spin up a new environment, it has our security controls in place. So we’re not a blocker. We’re an enabler.
Rik Ferguson: [00:21:21] And are you as an organization, um, would you classify your software development side as a DevOps kind of environment? Or are you not there yet? Or you’re not going there?
Nicole Ford: [00:21:33] So we are right. So we are going to the, I call it DevSecOps cause I am security, right. So yeah, I think we’re transitioning to that DevOps environment and with the CICD pipeline, that’s kind of the transition we’re still making. We do still have traditional product development teams and development teams that are still trying to transition, but overall we’ve really made our security kind of development life cycle, very easy. Um, and depending on what kind of product development life cycle or software development life cycle you’re in, or you have in place, we find ways to kind of insert ourselves. And I think it’s more of an agile and flexible way, which I think has been helpful for the team.
Rik Ferguson: [00:22:22] Yeah, absolutely. Now, one of the things that I’ve seen you mention, in fact, you mentioned it on your LinkedIn profile. Um, when you were talking about the work that you’ve done at Carrier, and reading about the work you’ve done at Carrier is fascinating to me because everything, and it was something that I had been speaking about when I’ve been speaking in public over the last 18 months or so, about the pandemic. And I used to give presentations, pre pandemic where I was talking about, oh, here’s the future of enterprise architecture and information security over, you know, five years from now. We’ll kind of be here. From an observer standpoint, it looks like we massively accelerated towards that destination during the pandemic. Everybody had to adopt everything much faster and implement it. And in anger, not in a proof of concept. Um, so when I was reading about the stuff that you’ve done at Carrier, it was like the perfect crucible of all of those things. You were new to the company, the company was new, the teams that you were building out were recruited from scratch, which I’m going to ask you about. Cause that must be an interesting journey. Um, but then you talk about doing all of these, you know, real leading edge things, like the zero trust editing access manager. But also you talk about cyber fusion center that you set up. What is that? How did you do it? What is it? And what is the purpose behind it?
Nicole Ford: [00:23:39] Yeah, so the cyber fusion center is not a new term. You know, when you think about your SOC, right. SOC, NOC, you hear these terms, you go, okay, what are those? So the cyber fusion center really brings all of that together, right. So imagine having your infrastructure, your cyber team, and then all of the other ancillary teams that have to be a part of that life cycle in order to ensure that an incident happens one time. Right, so your threat intelligence, your patching and vulnerability management team, your incident responders all in the same room, and I’m saying this is, think about it virtually they’re in the same room. There is a process, a well-defined process in place that ensures that when we find an incident, we’re able to remediate it very quickly or contain it, remediate it, and then we’re looking at all of the activities that have to happen to close the loop. They’re all together working in the cyber fusion, that’s what that fusion really means, is the bringing together of all the functions into one body working together. So if you look at a wheel, you know, how it kind of completes itself 360 degrees is really important to kind of understand that closed loop that we try to create to ensure that if we see an incident, you know there obviously is a vulnerability that we close it as quickly as possible and we close that loop.
Rik Ferguson: [00:25:07] Complimentary today is actually the question that I can see that just came in. I’m not sure what platform it came in from, but can you explain about zero trust, security model? I guess we should have seen as we’ve been talking about it a lot for the past sort of 15 minutes. Um, I’ll go first because it came from LinkedIn. Thank you, it came from LinkedIn. So thank you. For me, the really simple description of zero trust is eliminating trust from your environment. That’s why it’s called zero trust. Um, making sure that what is happening is supposed to be happening. Uh, and the person or thing that’s doing it, is the one that’s supposed to be doing it and making sure that any assessment of any of those factors is continuous. So you don’t allow something in, based on trust on a Wednesday and let them carry on doing what they’re doing on a Friday, because you trusted them on a Wednesday. That’s my, in a nutshell definition.
Nicole Ford: [00:25:57] Yeah, so zero trust to me means, like you said, it’s trust no one, trust no device, just trust no person, right. And a person has to validate who they are constantly, right. And that’s what the system does. The systems say, who are you again? So I’ve accessed this resource yesterday, but today when I go to access it again, although this resource may have known me from yesterday, it’s who are you again? And we have to go through that process, which means that you have to have strong identity and access management in place to make that happen. Yeah, I was just going to say, and so when you think about that cycle, it’s a constant, you know, validation that’s occurring in the systems, through the people and the resources that they’re trying to access.
Rik Ferguson: [00:26:42] Yeah. And for me it should, and in some cases it does, rely heavily also on risk insights. So it’s not just about, um, you confirming your identity through some credential interaction procedure. It’s also about, what system are you using to log in from, what geography are you in? What kind of network are you on? What projects are you working on right now? Are you behaving in any way out of the ordinary? And all of these can be different factors that not only dictate whether or not you get access. But also dictate the kind of access that you get at that given time, all those things kind of play into the zero trust.
Nicole Ford: [00:27:18] Yeah. I mean, so the conditional access is really, really important, right. And it’s all risk-based, so depending on if I’m traveling and I’m, you know, somewhere in the middle east or somewhere in Asia PAC or even, you know, in the China region, it can be anywhere. And there’s a lot more, we have a different risk score for that area. Then obviously the system is going to ask you to validate who you are authenticating. And it may ask you for an additional method of authentication as a result of that. So we’re always taking into account factors like location and even timing. Cause we’ve baselined, you know, typical times when people log in based on their geography, it’s a whole host of things that we’re looking at and it’s really making the system smarter about who you are and how you access our systems.
Rik Ferguson: [00:28:11] So I hope that answered your question. Thank you very much for submitting it. And if any other viewers have questions, feel free to drop them in, that’s part of the reason why we’re here. So, Nicole and I have to finish our conversation 15 minutes from now because Nicole has a very hard deadline at that point. So I am going to make sure I get into the questions that I really want to ask. Um, and one of them for me is around risk management. We just spoke about risk just now, so I thought it was a perfect segue. I always give it away though. You know, I say it was the perfect segue. I should just do and not mentioned the fact that it was a segway and just kind of be proud of myself. But anyway, I talk too much. So what I wanted to ask you about was third parties. Obviously you have third parties within your supply chain and you are clearly a very important component in other people’s supply chains as well. Looking at the current threat landscape and how island hopping as an attack vector or as a methodology is becoming more prevalent. How supply chain compromise as a means of entry to organizations is becoming more prevalent. How do you address that in your risk management, in your threat modeling, uh, in your architectural concepts, the fact that obviously you have your own supply chain, how do you risk manage that? Uh, and how do you assure the people who are your customers, that your supply chain is secure? That you as a supply chain vendor are secure.
Nicole Ford: [00:29:31] Yeah, that’s a hard question. I think we’re all still wrestling with that. I think after seeing Solar Winds and that whole incident kind of go out of whack. Um, we’re all kind of focused you know, our own internal supply chains, making sure that we’re asking the right questions. And in some instances we’ve gone back to vendors to say, Hey, you’re a high risk vendor. Talk to us about how you’re mitigating your risk. We want to understand your security program. I mean, we’re asking a lot more questions than we were asking before. Now we are asking about software builds, right? We weren’t asking about software builds before. Um, and that’s just additional information that we now need to use in order to risk rank all of our vendors. I think it’s really important to note that vendors that we thought were high risk are still high risk, but vendors that we probably put as a medium or low risk are now, um, they’ve actually increased in scale because we now understand that there are third parties out there that are using different technologies and everybody is upscaling. Let’s talk about the fact that digital transformation isn’t just happening at Carrier it’s happening in all companies, right. So even the, the janitor who comes in to take your trash out, may be using some technology to do his job, I mean, which is kind of crazy right. But it made us take a step back and say, do we really understand our vendors? Do we understand their risk rating? And do we need to go back and revisit specific vendors to make sure that we have stronger language in our contracts, that we understand their security program. And do we truly understand the relationship enough to know where an attack can occur. And, um, we’ve spent more time in third party risk. Um, then I thought we would at the beginning of the year, but because of what we’re seeing and I mean, think about it this has been an unprecedented year of attacks. I mean, when you think about it, and now the fact that there’s like this whole ransomware as a service is still relatively new, having to explain that to your executive team is like really tough, right?
Rik Ferguson: [00:31:45] Like you have to explain to them access as a service.
Nicole Ford: [00:31:52] Yeah stuff like that. So, um, third party is big. Now, how do we ensure that we aren’t an attack vector and we’re not, you know, passing threats or malware to our customers. We really, really are taking an aggressive stance and making sure that we’re, you know, testing even ourselves over and over and over again, um, to make sure that we’re not making key and critical security mistakes. And so that’s something we pride ourselves in, but I will say to you, we still have a long way to go.
Rik Ferguson: [00:32:24] And I think continually, right. I don’t think that’s, that’s probably a badge of honor to recognize that we have a long way to go. Uh, anyone who thinks they’ve arrived at secure, arguably is in the wrong job, right? You will always have a long way to go and you will never get to where you want to be. And that’s, that’s both the great attraction and the great frustration of being in the security industry in any way. We’ve we’ve hit quite a lot of buzzwords so far through this conversation, but hopefully in very concrete ways. Um, so there were a couple of others that spring to mind that we haven’t hit yet. So I thought, why not? You know, zero trust, identity, access management, risk management, third-party supply chain. Uh, what about other things, cloud we’ve talked about. Other things that kind of fit that buzzword, bingo, characteristic and whether they are having, or will have any material impact on the job that you do, or the company that you secure. Artificial intelligence is that something that’s helping, hindering or just a load of rubbish. XDR, whole new product category. Does that make any impact on you?
Nicole Ford: [00:33:29] Um, so artificial intelligence is still a little bit of a buzz word. I mean, I hear it a lot. I hear it from a lot of my vendors specifically. Um, I’ve seen it work in some instances, not in others. We are, you know, as an organization really trying to lean into AI as much as possible.
Rik Ferguson: [00:33:51] You must be doing it internally, quite a lot, given the amount of data that your, the things that you sell must be generating. Right, so to have that volume of data.
Nicole Ford: [00:33:59] Yeah, we’re, we’re certainly using it to kind of derive outcomes, right. So we’re using AI to do that. Um, we’re using, I actually have something really cool called the cyber chat bot that I’m leveraging AI. And yeah, it’s the cyber chat bot and we’re using AI to actually make it smarter over time. Um, and it’s really to promote self-service internal to Carrier. So yeah, it’s something that we’re starting to toy with, and we’re adding it to some of our internal technologies, especially in the area of automation, which I think is really an up and coming area in something that I think the security team needs to embrace or security industry needs to embrace a little bit more. And I’ve leaned into it a lot because, you know, obviously I can’t continue to hire a ton of people or a cadre of people, but I need to be able to make quick decisions. So that’s really where I see it working for us now. I’m hoping that we can continue down our path and journey and use it a little bit more.
Rik Ferguson: [00:35:05] Yeah. I mean your data volume is going to outstrip your budget for headcount at some point anyway, right. Because one is growing far faster than the other, without doubt. Um, okay, so that, yeah, that’s AI. What about XDR? Is that something that you, because obviously the big thing 12, 24 months ago was EDR, endpoint detection and response. And there was the whole Gartner magic quadrant for it in an industry category built around EDR and that’s transitioned over the last year or so into XDR by preference. So taking intelligence from and delivering intelligence to an extended variety of sources. So whether that’s network, whether that’s gateway, whether that’s end point and being able to correlate across all those different devices, uh, follow the path of an attack throughout the network and then take action based on that. That’s what I mean by XDR.
Nicole Ford: [00:35:54] I’m not sure. Not yet. Um, I’m not saying it’s not a capability we have or don’t have because I’m sure we do, but we’re still in a lot of ways we’ve deployed like 39 tools, we deploy 60 capabilities, and so we’re still in that baseline mode, right. So I just want to get the maximum value out of the tools that I’ve deployed. And, you know, EDR is pretty important to us. I mean it’s working well, and I can tell you that we’re quite pleased with the decision we made there. Um, we love working with the company that we chose in that space, but in general, I think it’s been well received for us and we’ve seen our attacks go down as a result. So, I mean, if XDR is like the latest and greatest and that’s the new buzzword.
Rik Ferguson: [00:36:56] Yeah. The X is for extended. So it’s I suppose more EDR if you extend your answer.
Nicole Ford: [00:37:05] Let’s call it EDR plus, right.
Rik Ferguson: [00:37:07] It’s endpoint, and network, and gateway, and cloud. And it’s extending your EDR capability beyond EDR.
Nicole Ford: [00:37:15] I’d be interested in seeing how that works absent of like my SIM and some of the other technologies I have that are doing the correlation for me anyway. So not sure that we’re not, maybe we call it something different.
Rik Ferguson: [00:37:29] Yeah, earlier in this series I had Allie who’s a forest analyst. Um, I think she was in my second episode. Yes. It was second episode of this season. Um, and the reason I asked about XDR is because she is the great proponent of XDR. So it may be worth either having a chat with Allie, who is hacker X Bella on Twitter, or going back and looking at that second episode, because we did speak a lot about it and you’ll get obviously then an independent perspective on it. Cause I’m not going to wax lyrical about it.
Nicole Ford: [00:37:59] I will look her up. I’ll look her up and see if I can learn more. Yeah, absolutely.
Rik Ferguson: [00:38:04] That was a really interesting episode. Okay, so what have I got, I’ve got five minutes to ask you more things. Like you said for threats, this has been a year like no other, I mean, probably for just about everything. This has been a year, like no other in, in any conceivable sense. Um, but certainly threats. What is your perfect storm? What’s your perfect nightmare. Your alarm doesn’t wake you up one morning, your phone does. What’s gone wrong? What’s the biggest disaster you can conceive of? Uh, and you don’t have to tell me whether you’re equipped to deal with it or not. I’m sure you are, but what would be your nightmare of a wake-up call?
Nicole Ford: [00:38:39] I think because we’re a manufacturer, business disruption is going to be my biggest nightmare, right. Right now, you know, we have all these supply chain delays. Around the world it’s happening to everyone. So to me, the biggest threat would be having some sort of business disruption. And I won’t say what the threat is, but we all kind of know what it is, right. And yeah, if something like that were to happen really to would be bad. To create product and get it out the door to our customers, I think is pretty critical to us. And is one of our number one concern.
Rik Ferguson: [00:39:17] So you, obviously you have a bunch of OT, is that within your remit, as the CISO, as well, to secure that operational technology environment, because that’s the coming together of those worlds is relativity important right?
Nicole Ford: [00:39:28] The convergence of IT and OT, and I say IT, OT and IoT is really important. And I think that, you know, all CISOs need to have a lens on what’s happening across those three areas because we have the defense capabilities for what I call enterprise IT, how do we extend that into the OT space? And then we have to be really cognizant of you know, the types of equipment we have in the OT space and the best ways of securing that. And I mean, using some just tried and true security controls is really important in that space. So, um, I’m laser focused on IT, OT, and IoT.
Rik Ferguson: [00:40:13] So when you got to kind of architect the security of this new old company that you work for, did you get to say OT is mine or are you still working in partnership with someone, is it still a silo?
Nicole Ford: [00:40:29] So I think here is a little different because we are a manufacturer. We just out of the gate just started to work together. It was, hey we want to do what’s right for our business. Here’s what we know, right. How can you help us to secure it? So really open environment. Um, you know, obviously in some respects, in other places I’ve been, there’s Fiefdoms and it’s hard to kind of break in and say, hey how can I help you in this space? But I think we just have this open environment, um, where we’re, you know, in this change cycle and everybody’s working well together and I’m super encouraged about that. Like, it’s certainly been a great experience for me and the carrier, like I said, carrier leadership has really leaned in, has done a great job.
Rik Ferguson: [00:41:16] So I’ve been asking everyone this question as kind of a final question and I have a minute to ask it. So I’m going to make you be no exception whatsoever. Um, we’ve said a couple of times a year, like no other for all kinds of reasons. We’ve all lived through pandemic and various lockdowns and restrictions and changes in our worlds, and each of us have had a very different experience of that. We’ve lived through it in different ways and at different challenges, personal and professional, what’s been the big lesson that you’ve learned from that? In what way has it changed your outlook? Not necessarily on security. Um, but what have you learned from the way that we’ve had to live over the last year and a half?
Nicole Ford: [00:41:58] I think it’s changed me in a lot of ways. Right. So it’s changed me in stopping in some instances and smelling the roses, right. Because a lot of people didn’t get an opportunity to do that. You know, we’re running so fast, we’re always doing so many things, but how do you stop for a moment and enjoy the moment?
I think it allowed me in some respects to really understand what was important, you know, to me, which was my family. You know, obviously the work that I do and in other areas was extremely important, but it also made me pause for a moment and enjoy my extended family and people that I don’t always see. I think it also made me think about resiliency, right?
How can we become resilient as people, right, as a company. As Carrier is a company we want to be as resilient as possible. And, as a person it’s how do I stay healthy, right. How do I make sure that if anything, like this were to ever happen, I’m in the best position to win. And so I really think that the time to reflect and better understand what’s important and how you can reinforce yourself in times of pandemic and crisis has been really thought provoking for me. One other thing to notice, CISOs, there’s always a crisis, right? We’re going from crisis to crisis. So we’re used to this whole crisis management. And so I just saw a ton of amazing things happening in the cyberspace during the pandemic that really made me hopeful. Lot of people on the right side of cyber doing what’s best for people, and companies, and families, and organizations. I was just really, really proud to be a part of the cybersecurity industry. It was great.
Rik Ferguson: [00:43:53] That’s fantastic, Nicole. I know you have to run. It’s been an absolute pleasure. I’m really grateful that you made the time for us today. It’s been a fantastic conversation. Thanks so much for joining us. Enjoy the rest of your day. And hopefully at some point we’ll get the chance to meet in person. That would be amazing.
Nicole Ford: [00:44:09] Thank you, Rik. I appreciate it.
Rik Ferguson: [00:44:11] All right. See ya.
Nicole Ford: [00:44:12] Bye.
Rik Ferguson: [00:44:15] There you go. Um, Nicole Ford, I knew she was going to be amazing. I was absolutely convinced of it. Uh, when I was doing research into who I wanted to come on this season, I hope you all agree. That’s it. That’s the end of the second season of let’s talk security. If you have enjoyed it, let us know if you want to come on and talk to me next season. Let me know. You can find me on Twitter. I’m going to get this right at this time. Hold on. It’s this hand, this corner. There, you can find me on Twitter. That’s me on Twitter. If you want to come on and talk to me, contact me, let me know. Let’s have a chat in the meantime. I’ve been Ron burgundy and you stay classy.
Read More HERE