CISO: Data integrity and confidentiality are 'pillars' of cybersecurity

With 20 years of cybersecurity experience, Joan Pepin has seen dramatic changes in the space -- from the rise of organized cybercrime to increased data security attention from executive leaders to the growing complexity of the cybersecurity technology stack itself. Yet, Pepin, the chief information security officer at Auth0, a company in Bellevue, Wash., that provides authentication and authorization as a service, thinks "people often overcomplicate and overthink security."

That's not to say Pepin believes getting security right is easy. Rather, she said security leaders and executives need to focus on what she called the two "pillars" of information security: data integrity and confidentiality.

In part one of this two part Q&A, Pepin shares her vision on what it means to be a security leader today.

Can you explain why you focus on these two foundational elements of data integrity and confidentiality?

Joan Pepin

Joan Pepin: There are two pillars of information security: data integrity and confidentiality. Let's take a simple example: your checking account. Integrity means the number. When you go to an ATM or online or to a teller and check your balance, that number should be easily agreed upon by you and your bank. There should be a clear ledger showing who put money in, when and how much, and who took money out, when and how much. There shouldn't be any randomness; there shouldn't be people putting money in or taking money out without your knowledge or your permission.

So, one pillar is making sure the integrity of information -- the code you're running, the executables of your applications -- should be the same ones the developer wrote. Just like the numbers in your bank account, the code you're running should not be tampered with.

Then, there's confidentiality. You and your bank should be the only ones who know the numbers in your bank account. When you take confidentiality away from your checking account, it's the same problems when you apply that to your applications and infrastructure.

How has the complexity of modern technology affected these pillars?

Pepin: If we think about the entire stack of technology we interact with when we go to the bank and check our balance, there are [layers of systems] and there's probably a mainframe somewhere, and the information flows through all sorts of middleware. If you were to unpack and lay out the entire stack, going to your bank's website, logging in and checking your balance is a very complicated stack. And that's a simple use case; there are others that are more complicated than that.

That's the reason to focus on those two pillars. The layers may get very complicated, but by teasing out those two important pillars and asking, 'What are we doing to ensure integrity?' and 'What are we doing to ensure confidentiality at all nodes?' simplifies the problem. I'm not saying it's easy, but it's a lot less complicated than people give it credit for.

What are the biggest challenges in cybersecurity today?

Pepin: Time. Everyone is on a deadline; everyone wants to get their product to market yesterday. But to think and to ask the question, 'What are we doing to ensure integrity, and what are we doing to ensure confidentiality?' [Answering those questions] is a thoughtful process that requires time.

You really need to be leader to be a CISO. A technologist with good communication skills is not enough.

Then, there's the issue that it's somewhat interdisciplinary. You need to understand the operating system, the networking layer, the application layer. You need to understand human-computer interaction and where people are likely to make mistake. You need to understand where people are likely to do something malicious. An engineering mindset is not enough to answer these fundamental security questions, so the skills gap is my biggest problem as a CISO. People who can holistically approach and evaluate these problems for a complicated environment can be hard to find.

Time, skill sets, and then will -- organizational will that shows up in the form of budgets, head counts and deadlines.

How are you overcoming those challenges?

Pepin: Leadership. The CISO role is evolving; you really need to be a leader to be a CISO. A technologist with good communication skills is not enough. A good administrator and manager with security skills is not enough. You need to be able to influence. You need to have a vision for how this is going to work and how everyone will wind up happy at the end, and you have to do everything you can to bring that vision to life. You have to have the soft skills and hard skills to drive that vision to completion. That's a lot. That's a lot more than managing your people, allocating your budget and meeting deadlines.

What do you see as security issues one or two years out?

Pepin: My mind goes to two different places: the micro and the macro. On the macro front, I expect that international tensions and international politics are going to continue to play a formidable role in security, including regulations like GDPR [General Data Protection Regulation]. All we know now is the text of the law, and we're going to see how it's going to be litigated and how courts will rule.

Also, nation-state actors and their cybersecurity activities, including awareness of nation-state actors' power to surveille and how that impacts people's privacy and their perception of privacy. I expect we'll have a lot of activity on that front.

On the micro level, on the technical front, ransomware is making a lot of money. Anywhere in cybercrime where there's money to be had, people will innovate and people will push. It used to be kids hacked websites to deface them. But somewhere in the late '90s, early 2000s, it became a business; it became people's livelihood, and everything changed. Now, I'm in a business that at least tangentially exists to prevent another business from making money. That's a different challenge that is going to continue.