Josh Koplik is the Chief Information Security Officer at IAC, a media and internet holding company with assets including OKCupid, The Daily Beast, and Tinder. He spoke to Vincent Liu about his “security scorecard” system as well as his background and the schism between business and security objectives.
You can read highlights of the interview in this Dark Reading piece. The long-form version is below.
Vincent Liu: First things first, how did you get into security?
Josh Koplik: I grew up in the Midwest, and in 1994, all I wanted was to access the internet. I had my various ways for getting that access. As I grew older, I landed jobs in tech, and the internet became more accessible. I did some helpdesk stuff in college, and I worked as a C developer at a startup in the late ‘90s. I preferred doing more infrastructure-type things. I eventually moved to Fidelity as a security engineer.
VL: Do you feel that one of those roles benefits you more in your current role? Basically, if you had to choose one as more important: networks or applications?
JK: Applications, because they are harder to learn if you don’t have the background. I’ve known people who exceled at infrastructure or network security, but lacked proficiency in application security. Conversely, I’ve never known someone who was good at appsec who lacked the knowledge when it came to networking or infrastructure. I don’t think it’s possible to understand application security without understanding infrastructure and networking. To understand application security, you have to understand what’s happening everywhere else.
VL: Let’s talk more about that arc of where you were at Fidelity to where you are now at IAC. Did you want to be a CISO back in those early days?
JK: Frankly, I was a kid and wasn’t making long-term career goals. I was interested in advancing my career and it became obvious to me that, as a technician, you are bound to hit a ceiling. At some point, you have to step up and take on leadership roles. That’s a requirement for moving beyond technician-level positions. This happened naturally for me at Fidelity. I moved into management and became a director. I learned the ways that you navigate an organization and the ways that you work with constituents and build support for initiatives. Security often find itself in this position where you are convincing people to do annoying things.
VL: What’s your approach to overcoming that challenge of, “Hey, I really need you to do this.”
JK: Don’t attempt to solve every problem. Sometimes you need to compromise. You can’t let imperfect solutions be so dissatisfying that you get no solution. If you have to choose between nothing and imperfect, take imperfect, because it’s better than nothing. There are little things you can do, such as using scorecards. I use people’s inherent competitive nature in this situation. I issue grades, which makes people work harder so they can beat the other guy. The other thing is to let business people make business decisions.
VL: You may not know what makes sense from a business perspective.
JK: Understanding what makes a system secure is easy because it’s a technical problem. Deciding whether or not that’s worth doing from a business standpoint is more complicated. A lot of security people assume that security initiatives are always worth pursuing. If it takes zero resources – no time, no money, no anything – of course you’d do it.
"Every security improvement comes with a cost, and those costs are not always apparent or worth bearing."
VL: So there are times when you would consciously accept risk?
JK: Security people would do well to accept risk, have a process for accepting risk, and make their business colleagues comfortable with accepting risk or paying for mitigation. Many companies have a security exceptions process, but so often those become the way of controlling and manipulating people. I don’t think that’s the most effective way to approach it. A better way to do is to say, “Look, we have this problem. We need to decide what to do about it.” If we have this business that is under-performing, it’s easy to look at the balance sheet of that business and know whether spending $100,000 on a pentest is worth doing. This is one place where, I think, CISOs can run into trouble. Once you get to this point where you are no longer under a CIO, you’re no longer part of a technology organization, and you’re having regular conversations with your CFO, your CIO, with your heads of your business lines, those conversations become easier. Your CFO may not understand stack overflows and intrusion prevention systems, but he knows numbers. So you can say, “Here’s a thing. On a scale of 1 to 10 in terms of importance, I give it a 7. And it costs $150,000.”
VL: What do you, as a security professional, wish business people understood?
JK: I don’t think a lot of business people consider the cost of security events. There’s the first school of thought, which is the perception of the costly breach. The impression is that these breaches cost outrageous amounts of money, but I don’t think that’s the case. Even in the most high-profile examples, if you look at the breach costs as percentage of annual revenue or some metric that takes into account the size of the target to begin with, it’s not that bad. Sure they had rough quarters, but those were as much of their failure to thrive in other markets as they were directly breach-related. And having experienced this, once you open the breach money pit, there’s an incentive from a balance sheet standpoint to throw as much into it as you can. I think breaches, in terms of real impact, get overstated as far as reputational impact is concerned. What does that reputation mean to people and what does it mean in terms of revenue?
VL: This sounds like a use case for tabletop exercises.
JK: Tabletop exercises can help you reach the level of having business people acknowledge what happens during a breach. I think that there are two mindsets in play here: a fear that breaches are more damaging than they really are and that planting an unwarranted confidence that “It won’t happen to us.” People think they are terrible, and maybe partly because they think they are terrible, they imagine they’re somehow safe.
"It will happen to you, it will happen to everybody, and it will be okay."
VL: You mentioned about not using scare tactics. How do you approach the conversation when you don’t want to scare people, but you need to make them aware?
JK: I focus on the facts that are indisputable. You look at our portfolio of businesses and think, “What do these businesses have that is worth anything?” We’ve seen that even the most pedestrian sources, like email, are worth something. Remember the email service, Epsilon, that was breached years ago? They had more than a hundred million email addresses. At the time, a lot of security people shrugged, like, “It’s just email addresses.” But spammers and scammers used that because it had company information. That was enough fodder because of the surface area, and there was a lot of email scamming that originated from that. And there’s the reality that attackers will attack whatever they can get into. It’s the equivalent of walking down the street and trying the lock on every car door you walk by. Everything that exists will be attacked, everything that is vulnerable will be compromised, and everything that is worth anything will be stolen.
VL: How are businesses responding to the security scorecard? Is there any priming that you have to do to prepare them? How do you follow up?
JK: Basically, businesses are listed down the left side. Then, security domains are listed the top such as vulnerability management and incident response. In each little box, there is a letter grade and corresponding color code. Bs are green, Cs are yellow, Ds are red, and that’s it! That’s the scorecard. Behind the scenes, there’s criteria; in other words, it’s descriptive. To earn an A in vulnerability management, you have to do this series of things. It’s not long, you can read the criteria for the entire seven domains in fifteen minutes. The grade levels are slightly different-worded versions of the same thing. Whereas a B might state “most,” a C will state “some.” There is enough room for interpretation that you can wiggle between grade levels, but not enough room that things look fake. It’s an A, B, C, D scale; there is no such thing as an A-. I have enough trouble differentiating between B and C as is. ABCD I can describe well. Those are the four grade levels. Because it’s simple, people at the executive level can understand it at a glance. You can easily present this to a CEO. If a business wants to grow, they will want to do something about poor grades. However, if you go to a struggling business with a bunch of Ds, they’ll shrug and say, “That is the least of our problems. We don’t have any revenue.”
VL: I spoke to Rich Seiersen at GE Healthcare, and he was talking about “useless decomposition.” He said that some things are unnecessary because they don’t progress the conversation. Instead, they end up wasting time and detracting value. What you’re really doing with these scorecards is trying to drive change or to start a conversation, isn’t it?
JK: Grades don’t make you more secure; they need to reflect practices that you are doing that actually make you more secure. Define what those things are and whether or not they are being done. We changed the scorecard and added a fourth grade level and I was struggling. I didn’t want to make up stuff purely to reach another grade level. You need to trace anything you are measuring back to on-the-ground activities that improve security. If you can’t, I question what you are measuring.
VL: What other issues have you’ve encountered?
JK: Say you watch the Olympics, and it’s diving and it seems like they have a hundred-point scale. Scores range from 0.0 to 10.0, right? But it’s not really a hundred-point scale because in reality all the scores cluster between, say 8.8 and 9.9.
"You created the appearance of so much granularity that you’re making distinctions between things that are relatively similar; you should just adjust your scale."
VL: That sounds like useless decomposition to me.
JK: I like that phrase because it’s absolutely right. It’s precision without accuracy. You can measure something to six significant digits. If you are using an inaccurate scale, though, it’s giving you six digits that are completely wrong. It’s giving you high precision with no accuracy that is completely useless.
VL: Are there downsides to your scorecard?
JK: Absolutely; you can put a lot of effort in and not move your grade. I have few different ways that I acknowledge those bits of progress. I give brownie points on the scorecard like, “investments have been made in this area,” etc. That is one challenge with having a course grading system. What you can’t do is create a scorecard that is a questionnaire or self-assessment. Questions tend to be misunderstood or they are often answered in misleading ways. We’ve had to stay regularly involved with the people who are responsible for implementation. We need to keep them honest because it’s not that they are being maliciously deceptive, they are putting a positive spin on things. The other thing people do is that they give you their optimistic six-months-from-now answer. People need to answer in the present tense.
VL: Can you talk about how you manage security at IAC, the way that it’s structured as a holding company with businesses like OKCupid and Tinder?
JK: We are generally pretty hands-off as a parent company. We have a loosely federated group of companies and only a handful of enterprise roles. What I’ve tried to do is help identify what our businesses need to do, what security improvements they need to make, and help them get support for those improvements from business and enterprise leadership. Last fall, I began taking on more IT infrastructure responsibilities. My staff will sometimes ask me, “Is this CISO or IT talking? Whose message is this?” There is clearly a division between what a CISO wants or a CIO or a CTO wants.
VL: How do you handle the situation where you have trouble communicating to people who are not primed to worry about security?
JK: I don’t think those people exist in 2016. What people do exist are those who feign that they are absolutely committed to security and they tell you everything you want to hear … and then they don’t do anything. I don’t think this is malicious. Security just falls on that long list of things that they want to do and then they have to make business decisions. Your conversation with them was reduced to three line items on their budget.
VL: How have you worked around this?
JK: I told our CEO where I thought that we should do more. And I told him that people say all the right things, but they don’t always follow through. They have good intentions, but those go so far. So he decided to make part of everyone’s bonus dependent on achieving a minimum level on this security scorecard. That got everyone’s attention. That’s what organizations do when they are serious about accomplishing something. When organizations are serious about meeting various earnings targets, they will take similar measures. It’s not necessarily punitive; everybody’s used to having incentives, having numbers that you have to make. The line between an incentive and a punishment is blurred.
VL: So how did you get that crucial buy-in to make that happen from executives? From their perspective, is security ever an asset? Can it provide positive ROI or is it always simply cost avoidance?
JK: I framed it as there is a minimum level of security necessary to run a consumer-facing web company in 2016 and we need to make sure our security practices are up to that level. I explained this to our CEO and the CEO of one of our subsidiaries as well and asked if they see security as a marketable feature. They both said there’s no way to use it, they didn’t see a way to use security strategically from a business or marketing standpoint. Their reasoning was best explained as, “It’s a slippery slope, and dangerous road to go down to say we’re secure because you are creating liability for yourself. If you ever do have an incident, then you have the problem that you claimed you were secure and you were not.”
VL: What does the C-level expect of you? What’s their desired outcome?
JK: One of the things I have been very fortunate about here is that there is an understanding that incidents and breaches happen. The goal of the CISO is not to prevent security incidents from happening. It’s to reduce their likelihood and impact. In this day and age, the primary goal of security is accepting that incidents are inevitable and to excel at detecting, responding, and containing them.
VL: What advice do you have for a CISO or CSO who is moving into a newly created role?
JK: Build relationships. It’s not only with the C-level people; it’s the people who are responsible for implementation, too. You want to be seen by those people as an ally. When they come to me, I always urge them to help me understand where they are having issues. We have to tell the security story together. With the C-level, ask them what they want to see. My other piece of advice is to keep things simple. Only measure something that you can accurately measure. Likewise, only tell a story if you can tell it to the end.
Previous installments of our cybersecurity expert interview series: