With nearly three decades of experience as a leader within the information security industry, Enrique Salem is much sought after for his wisdom and thought leadership. With the novel coronavirus changing the information security landscape, we wanted to know how it may impact security strategy, innovation, and leadership within the industry. Enrique sat down with us for a brief conversation, which has been condensed and edited for clarity.
How do you see COVID-19 changing the role of CISOs in the short term to long term? What should CISOs be focused on to secure companies during this time?
During COVID-19 and after COVID-19, CISOs need to think about the data that needs to be protected and managed. There are more unmanaged devices that are now trying to access applications and data. CISOs need to think about how to handle unmanaged devices when their security technology isn't on the device. Data is important and should be categorized into three sensitivity levels—restricted, private, and public.
CISOs need to understand the situation with COVID-19 and remote work; now is the time to tighten security. You need to tighten controls on restricted and private data. You need to know who is accessing it and from where. CISOs may want to give people access to private or public data, but the point is more controls must be in place, especially since it's leaving their environment.
Finally, a CISO needs to think about new potential attack vectors. Attackers always track activities, especially those that involve a large set of users. For example, hackers can say, “If more people are now using video conferencing, let's figure out how we infiltrate video conferencing.”
Do you see this broadening of the perimeter being permanent? Are the changes of COVID going to be long-lasting, or are they going to go away as the pandemic is resolved?
I do believe that there will be changes to how we work. I think there'll be an increase in remote work, but I don't expect it will be to the level that we are experiencing during COVID-19. I fully expect many more meetings and activities to be done remotely. In fact, I'm looking at my own behavior right now and what I've historically done in person or in an office, and I notice a number of things I can continue to do remotely that will improve my productivity. Again, I don't expect it'll be one or the other. I think how we work will evolve. Video conferencing, for example, and the use of other collaboration tools for geographically distributed teams will become even more prevalent than they already were for sure.
Ultimately, what we'll have to answer is, how do we manage the situation in a way that you get the best of all worlds? Quite frankly, I'm more productive now. I can do more meetings remotely because I go from one meeting to the next without having to change location. But I do think that it's important to spend time with people. When I'm making an investment, for example, I really want to get to know the person. I want to interact with them. I want to see what they're like around other people. How do they work with their team? It's harder to assess that when everybody is in different locations. I may not get as much of a feel for their ability to interact with others effectively or their management style, which are all essential things when you try to make investments or make decisions about projects or opportunities.
What should the security teams that don't really have cloud security processes in place be doing right now to catch up with the new demand for remote work?
The CISO has to figure out what they are responsible for protecting and where the risks are in this new world of remote work because there are some parts that they couldn't protect even if they wanted to. For example, if you're building an application on top of a cloud service, the cloud infrastructure provider is responsible for protecting that infrastructure. That's what we call the shared responsibility model. The controls CISOs need to put in place, in my opinion, continue around this notion of different levels of access to data.
What are some of the biggest blind spots that you think infosec innovators providing value for the customers are facing?
The security practitioner is always very busy. Security professionals want technologies that solve business problems and integrate with the tools they already have. It’s important that innovators think about their service and how it will be operationalized. Does it take a lot of work to integrate it into the environment? Does it require more people? There are lots of alerts coming at you and quite frankly, every security professional has alert fatigue. They don't want another product that alerts them. If a product is going to alert them, they want it to be something meaningful that they should take action on.
That would be the advice I'd give because I've seen a lot of tools that actually are very powerful. But they have a lot of requirements regarding what security teams must do to manage them, and that makes those tools go unused. There's too much friction, too much overhead, and security professionals don't want to spend time trying to integrate them because the value may not be there.
Do you see the pandemic changing the nature of innovation within infosec solutions? How will innovators adapt to the demands that COVID is introducing to the security environment?
All the tools and technologies people are using and how we interact are going to be very important. What the innovators are going to have to think about is, given that the perimeter is dissolving, what are the new sets of problems and the new potential attack vectors. You have to focus on what the attackers are going to do if they wanted to exploit an individual, a business, or a specific set of activities.
More about you, what's the one thing that will get you to say yes to an investment or advisory opportunity? How can a company maximize this factor for you?
I'm looking for a clear problem they solve that is well understood by the buyer. Is the problem that they're solving something that, when I talk to the next potential customer, they can say, "Yes, I understand that and I have that problem"? So the first and foremost question is, are you solving a problem that matters to customers? And you have to be able to articulate that very succinctly.
If you look at Nightfall, the reason that I've been involved with the company since Rohan and Isaac created it in the seed stage is that the problem they set out to solve was something that could be very well understood. People are going to use tools like Slack, JIRA, DynamoDB or S3, and they need a way to protect the information or the content that's in these environments in a way that's easy to implement. As long as I've been in security, I've always thought about how to protect data. The ability to clearly articulate the problem you solve in a way that people understand is what gets me to say yes. The next thing I would say is, is it a nice-to-have or a must-have? Is it aspirin or is it a vitamin? When I talk to people, do they have a sense of urgency around the need to solve that problem?
Just out of curiosity, do you find that companies that match this criterion tend to be very mission and value-driven?
I would say that they have a centering point. They have a North Star, and everybody can say “Yeah, that is what we're doing,” as companies figure it out. Now, I wouldn't say that they have it all figured out the day they see me. I think they usually figure it out getting through their minimal viable product and then iterating a bit from there.
You have a very impressive background. You were part of Obama's management advisory board, and you have a ton of entrepreneurial experience. How has this all influenced your VC and advisory work today?
I think there are a number of different areas. First and foremost, I did my first startup a year after college, and I did another one about 15 years ago. What I learned is that building a startup is a roller coaster. There are highs and lows, and what you want to keep in mind is that the highs usually aren't necessarily as high and the lows definitely are not as low. You must try to learn how you manage your emotions so that you can continue to move on, persevere and work through the challenges that come, and enjoy when things are working.
The second thing I would say is, you really need to understand people, what motivates them, what are their hopes, aspirations, and what are the things that matter to them. What are they trying to do? I also think, especially in entrepreneurial endeavors, you want to be positive. It doesn't mean don't look at the reality of the situation, but you want to believe you can solve it. I think it's really important because the moment you stop believing, then it gets harder and harder.
The last thing I would say is, and I really strongly believe this, you've got to treat everybody with respect, but you have to treat entrepreneurs with even more respect. They pour their lives into building something. You have to remember that when interacting with entrepreneurs. You have to tell them what you think. You have to be direct and candid and honest, but you also have to understand that this is potentially their life's work. I mean this is what they've taken chances on, and left other jobs to start this new business. You want to treat them and their idea with the respect it deserves.
As a member of a number of boards, how do you manage all of your responsibilities?
What happens is you end up having to work long hours. There isn't a time when an entrepreneur doesn't reach out to me. If it's late at night or on a weekend, you have to be available. You simply have to put in the time. You've also got to stick to your schedule. You want to start meetings on time, and you want to finish on time so you can get to the next thing.
Most importantly, though, you want to understand every company. What does a team really need at that point in the company's life? You're not running the company; there's a leadership team, a CEO, the team that's running the company. What you're trying to figure out is, at each phase of the company, what's important. I have the good fortune to sit on a couple of public boards. For example, I sit on the boards of DocuSign, FireEye, and Atlassian, which are more mature, scale companies. And so here, we're trying to think about what's the long-term growth opportunity, what do we need to do to continue to build this business.
With an earlier stage company, let's say like Nightfall, you're thinking about what problem are we solving for which users. You're thinking about how do we bring on the best people and recruit a team. And you're thinking about how to help the leadership team prioritize the work because you can't take everything on simultaneously. And so the idea when you work across a number of companies is you have to understand what matters for that company at that point in time.
More broadly, is there anything that you're currently reading that you think infosec leaders or experts should be reading right now? Or maybe if there's just a book that you would recommend anyone in infosec to read, what would you say it is?
I read a ton. Actually, here on my desk, I just finished this book. It's called The Hot Zone. It's about the history of Ebola, and I just started reading Crisis in the Red Zone, which tells the story of the deadliest Ebola outbreak and of the viruses to come. Something else I think everybody should read, not just infosec professionals, is Radical Candor by Kim Scott. It's a really good book. It is important to be transparent in everything you do. It makes all interactions more efficient.
Do you have any advice for up-and-coming infosec leaders hoping to have a career that's as distinguished and successful as yours?
I feel very fortunate. I go back to the things I've always talked about, which is to have a positive attitude and treat people with respect. You have to spend time with people who know more about security than you do. Always believe you can learn more about a topic. You can also learn from interactions with lots of different people. I think that's super important. Security changes very rapidly, and so make sure that you're spending time with people who know a lot about it and you may learn something that you weren't aware of. And so I would say intellectual curiosity is super critical. And then lastly, challenge conventional thinking. We used to put agents on desktop machines to protect them against viruses and use perimeter firewalls. Challenge that. Is that the right way to do security now or is it better to think, “You know what, my endpoint machine may get compromised, but what matters is that I can secure the data.”
One last question. What's the most common misconception of cloud security, and how can we combat this information as infosec experts?
I would say the number one misconception is that the way you've done things in the past and the tools you've used are going to somehow easily translate to working with new applications. As much as existing vendors will try and improve what they do, they weren't built from the ground up for a highly distributed set of applications outside of IT or security parameters. So it's really important that you objectively look at the technology you're using because a lot of it won't be adaptable to the new paradigm of users or employees having hundreds of different cloud apps that they use every day. The number of applications people use is growing at a very rapid pace. I used to use Word as my word processor. Today, I use Notion to keep track of certain dialogues and discussions. I may still use Word, but I use other tools to complement the traditional tools that I've used. And I think that's going to be the same in security. There's going to have to be a new set of tools that you use to protect all the new applications, all the new places that data is being stored, or you won't do a good job as a security professional.