CEO on collaboration tool security, insider threats, skills gap
Michael Coates, CEO and co-founder of cloud collaboration security platform Altitude Networks, speaks to industry trends and his transition from CISO to CEO.
The convenience of cloud collaboration tools in the workplace cannot be denied. Many organizations rely on applications such as Box, Slack and Office 365 that facilitate communication and information-sharing between employees. But cybersecurity leaders encourage caution when it comes to collaboration tool security. These tools may make daily tasks easier, but they just as easily create a target for a cyberattack.
Insider threats can cause as much damage as any outsider, perhaps more easily and, in some cases, accidentally. For many CISOs, inappropriate privilege access and file sharing in such collaboration tools are persistent challenges that are difficult to trace. They can also cause lawsuits, for example when an engineer allegedly walked off with Google's intellectual property before he quit the company to go work for Uber.
In this Q&A, Michael Coates, former CISO of Twitter and current CEO of Altitude Networks, discusses the insider threat problems he experienced while CISO, the cybersecurity skills gap and his transition from CISO to CEO.
In the debate over whether chat app and collaboration tool security risks are worth the reward, he and Altitude Networks co-founder and CTO Amir Kavousian, former chief data scientist at Capital One Financial Corp., present a new option. Their company formally launched in July 2019, with $9 million in Series A funding. Its cloud collaboration security platform is designed to prevent data loss, inappropriate data sharing and unauthorized privileged access. To accomplish this, it uses metadata analysis of files and relationship analysis to identify potential misuse by employees in the network.
Editor's note: This transcript has been edited for length and clarity.
How has the founding of Altitude Networks' collaboration tool security platform been a response to your experience as a CISO?
Michael Coates: What we're building was largely inspired by pain points that I experienced personally as CISO. I needed a solution to a pressing problem, and when I went out to the market that solution did not exist.
Our platform allows companies to securely use cloud collaboration software, like Google Drive, Box and Office 365. We integrate into those platforms and analyze sharing behavior. We can tell companies specific problems that are happening, for example, if a slide deck was just shared by an employee to their personal email account. That is a critical risk that the security team would be concerned about. You wouldn’t want that data to be controlled by a personal account that could be compromised. Another example is privileged and internal legal documents accidentally shared with the world or a financial earnings report being shared with the public or the entire company.
What are the biggest challenges facing security leaders today?
Coates: I think we've fundamentally shifted from a classic 'defend the perimeter' mindset to defending specific assets. The asset most important to a company is its data. The challenge presented is that technology transforms the way data is moving throughout a company. Previously it was protected deep inside a company's on-premises data center. You could previously build firewalls, rulers and layers of control, but now that's changed entirely. All the data is at the fingertips of the employee. This is great for efficiency and collaboration, but it has totally thrown the security model on its head.
I often talk about a data-first security program. Data is easily shared with contractors and third-party relationships. An employee can click and share a critical document in one motion with an entire company.
We hear about breaches because data is impacted, not because a system happened to be compromised. Data can be compromised for any number of reasons -- employee mistake, malice. Things like GDPR and the California Consumer Privacy Act support this as well.
How can organizations prevent insider threats in work environments where cloud applications are so popular?
Coates: Jumping into new technology and new collaboration platforms is not an either-or. You don't have to choose breakthrough technology and sacrifice security -- you can have both. The dominant approach to security over the past few years was to cripple functionality in the name of security. That's why you saw the entire industry of data loss prevention really take on a poor light. There is an encrypt-everything approach. Limit functionality, make the experience cumbersome. I think we can do the opposite -- I think we can give visibility and control, which are crucial if you want to be confident that collaboration and data-sharing are safe and permitted.
And you can have confidence that the collaboration and the data sharing happening are all safe, permitted and in good conscience with how you want your data to be treated.
What specific skills does one need to successfully lead a security organization today?
Coates: Leading a security organization takes far more than technical expertise. To lead a security program, you need to be able to influence people and represent the interest of the business -- with security as a facet of that. The more you can relate to other business leaders, the more you can train the security objectives in a way that is successful and that isn't looked at as a hindrance or just a cost.
An effective security leader must be able to step back from the trees and look at the forest. By that I mean there are a number of security issues happening from headlines to new zero-days to patches you need to apply. But the most important thing you can do is establish a solid risk management framework and then prescriptively go through to analyze what risks are the most prevalent to your organization and provide the most value to assert effort on.
How would you describe the transition from a CISO to a CEO at your own company?
Coates: By design, a CISO is a risk-related role. You are concerned about what could go wrong. I think some of those skills and mindsets are very helpful in the transition to CEO of a security company.
Now I'm looking at the security what-ifs for our customers in terms of the value that we bring. In the CISO role you look for new technologies and new solutions, but you are not diving deep into one particular area per se. As a CEO, I combine the need to understand the business with the way in which a security solution operates -- along the lines of accuracy, ease of automation, ease of use.
What has been your experience with the cybersecurity skills gap? How did you deal with that in your hiring practices?
Coates: I don't disagree that there are more jobs and opportunities than there are candidates out there. But I do push back that companies can't find great people. I believe that we have created security unicorn job descriptions where we look for a combination of skills in one person that is completely unrealistic.
What we need to do is structure roles into a set of skills that is achievable by candidates. We need to build our security team in a way that compartmentalizes focus. We can't have superheroes in security teams that can solve every problem.
Once you have a senior security engineer building run books and procedures, that enables you to hire junior security engineers to follow them with a limited set of skills. You can grow them into your next batch of security engineers. But we don't focus on the repeatability and instead only hire senior engineers that can do everything.
The last thing is to get away from certification as a gateway to security hires. Certifications are a great way to learn but a horrible way to gate interviews. The lazy way of hiring people is to say to recruiters: Go find people who have CCNA because I don't want to do any more work.
Instead, hiring managers need to sit down with recruiters and explain the role and types of experiences and qualifications that are helpful. Offer one or two questions that would be helpful to ask the candidate and list some possible answers that are considered good or great. All of those things should replace the kind of naive approach of saying CISSP required.